Kioptrix Level 5

This is the last VM in the Kioptrix series and I had been holding back on attempting this assuming that it won’t be as easy as the earlier ones. I now feel that I’ve got enough practice and experience to attempt it, so here it goes….

Step 1 – Find out Kioptrix 2014 IP
Since all devices at my home are running on 192.168 range, I run a quick netdiscover scan and identify the machine to be present at 192.168.1.4

Step 2 – Enumerate the IP to find out open ports, service version, OS etc..

This provides the following attack surface:

  • Port 80 – Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
  • Port 8080 – Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
  • System Name –
  • OS – FreeBSD 9.0-RELEASE – 10.3-RELEASE

 

Step 3 – Enumerating web ports

Exploiting a directory traversal vulnerability in pChart 2.1.3

Besides the user root, another user toor with root privileges is present. Viewing apache config file

Used user agent switcher addon to modify the User Agent and found phptax software to be installed which is vulnerable to remote code execution

Enumerating the server

Adding a php file which allows command execution. I had to do this as I just couldn’t get the command execution working directly from the browser for all types of commands.

Transferred php reverse shell, executed using browser and obtained a reverse shell

Found an exploit for FreeBSD 9.0 platform, downloaded, compiled, executed and obtained root !!!!!

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *