[Vulnhub] Kioptrix 5 [1.4] Write-up

Amir Gholizadeh
4 min read · Mar 8, 2022


This article is my write-up of Kioptrix 5 (1.4).

kioptrix 5

Scanning

I found the target's IP using:

nmap -sn 192.168.1.0/24

which gave me the IP:

target IP

Then I scanned the target with nmap:

nmap -T4 -p- -A -n -sS -oN nmap.tcp 192.168.1.159

Nmap scan report for 192.168.1.159
Host is up (0.00037s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
|_http-server-header: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
8080/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
|_http-server-header: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
MAC Address: E4:A4:71:5B:71:E7 (Intel Corporate)
Aggressive OS guesses: FreeBSD 7.0-RELEASE - 9.0-RELEASE (93%), FreeBSD 7.0-RC1 (92%), FreeBSD 7.1-RELEASE (92%), FreeBSD 7.0-STABLE (91%), FreeBSD 9.3-RELEASE (86%), Vonage V-Portal VoIP adapter (86%), FreeBSD 11.0-STABLE or 11.0-RELEASE (86%), FreeBSD 7.0-RELEASE (85%), FreeBSD 7.1-PRERELEASE 7.2-STABLE (85%), FreeBSD 7.2-RELEASE - 8.0-RELEASE (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
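As an added example (not part of the original write-up), here is a small Python parser for nmap's -oN normal output. It turns the scan above into structured records and pulls the product/version tokens out of the banners so they can be checked against advisories; the scan text embedded in it is copied from the output above, and the function and class names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the -oN output from the scan above, copied verbatim.
NMAP_OUTPUT = """\
Nmap scan report for 192.168.1.159
Host is up (0.00037s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
|_http-server-header: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
8080/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
|_http-server-header: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
MAC Address: E4:A4:71:5B:71:E7 (Intel Corporate)
"""


@dataclass
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str  # free-text banner as nmap printed it ("" when there is none)


# "80/tcp open http Apache httpd 2.2.21 (...)"; nmap normally pads the columns
# with several spaces, so \s+ is used rather than a literal single space.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")
# product/version tokens such as OpenSSL/0.9.8q or PHP/5.3.8 inside a banner
PRODUCT_TOKEN = re.compile(r"\b([A-Za-z_]+/[0-9][0-9A-Za-z.]*)")


def parse_nmap_normal(text):
    """Return {host: [PortEntry, ...]} from nmap -oN output. Script lines (|_...) are ignored."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = []
            continue
        m = PORT_LINE.match(line)
        if m and current is not None:
            port, proto, state, service, version = m.groups()
            hosts[current].append(PortEntry(int(port), proto, state, service, version or ""))
    return hosts


def open_ports(hosts, host):
    """Only the entries nmap reported as open for the given host."""
    return [e for e in hosts.get(host, []) if e.state == "open"]


def product_versions(entries):
    """Distinct product/version tokens from the banners, sorted, for checking against advisories."""
    found = set()
    for e in entries:
        found.update(PRODUCT_TOKEN.findall(e.version))
    return sorted(found)


if __name__ == "__main__":
    hosts = parse_nmap_normal(NMAP_OUTPUT)
    for host in hosts:
        print(host)
        for e in open_ports(hosts, host):
            print(f"  {e.port}/{e.proto} {e.service}: {e.version}")
        print("  versions to triage:", ", ".join(product_versions(open_ports(hosts, host))))
```

Running it on the embedded scan lists ports 80 and 8080 as open and yields DAV/2, OpenSSL/0.9.8q, PHP/5.3.8 and mod_ssl/2.2.21 as the components to look up.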

I found two open ports, and both of them are HTTP servers.

HTTP: Port 80

Looking at the version information, I searched for a mod_ssl exploit and found the OpenF*ck exploit, but I couldn't make it work because the Apache version was newer than the one it targets. Then I opened the site in a browser and found nothing except 'It works'. I checked the page source and there was something interesting:

interesting URL

I followed this URL and landed on this web page:

new webpage

I then searched for exploits for this service and found that it is vulnerable to both XSS and directory traversal. The reference I used was this article.

XSS

Following the instructions from that reference, it was straightforward to trigger the existing XSS vulnerability:

XSS exploited

But I couldn't do anything more with it, since nobody else visits the website, so there is no victim for the XSS to reach.

Directory Traversal

This vulnerability led me to more interesting things.

Using the vulnerability I could read the web server's configuration:

configuration
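The post does not include the application code behind the traversal, so the fix is shown here generically. This is an added Python helper of mine, not code from the original post or from the vulnerable application: it maps a requested URL path onto the web root and rejects anything that would escape it, including percent-encoded, backslash and NUL-byte variants. The web root path, the sample paths and the function names are constructed for the example.

```python
import os
from urllib.parse import unquote

# Constructed web root for the example; any absolute directory would do.
WEBROOT = "/var/www/html"


class TraversalError(ValueError):
    """Raised when a requested path would leave the web root."""


def safe_resolve(webroot, requested_path):
    """Map a URL path onto a filesystem path that is guaranteed to sit under webroot.

    Policy: decode percent-encoding exactly once (the same number of times the
    server does), refuse NUL bytes, refuse any '..' segment outright (even one
    that would stay inside the root), treat backslashes as separators, and
    finally confirm with realpath so a symlink cannot point outside either.
    """
    decoded = unquote(requested_path)
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    segments = [s for s in decoded.replace("\\", "/").split("/") if s not in ("", ".")]
    if ".." in segments:
        raise TraversalError(f"parent-directory segment in {requested_path!r}")
    root = os.path.realpath(webroot)
    candidate = os.path.realpath(os.path.join(root, *segments))
    # Belt and braces: after realpath, the result must still be root itself or below it.
    if candidate != root and not candidate.startswith(root + os.sep):
        raise TraversalError(f"path escapes web root: {requested_path!r}")
    return candidate


def is_safe(webroot, requested_path):
    """Boolean convenience wrapper around safe_resolve."""
    try:
        safe_resolve(webroot, requested_path)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    samples = [
        "/index.html",
        "/../../etc/passwd",
        "/..%2f..%2fetc/passwd",
        "/a/..%5c..%5cetc/passwd",
        "/index.html%00.txt",
    ]
    for p in samples:
        print(f"{p!r:32} -> {'ok' if is_safe(WEBROOT, p) else 'REJECTED'}")
```

The important design choice is decoding exactly once: if the server decodes the path again after this check, an attacker can hide a '..' behind double encoding, so the helper must be applied to the same representation the file-serving code will use.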

Looking through the configuration, I came across this:

interesting lines

allow from env=Mozilla4_browser seemed interesting, and just above it was the variable it refers to:

variable

Basically, I have to set my User-Agent to Mozilla/4.0 to be allowed to access the web server on port 8080; otherwise I'm denied. So I used Burp Suite to intercept my requests and responses:

burpsuite

The User-Agent isn't what the server expects, which is why I can't access the web server on port 8080. I changed it, and then I could access it:

bypassing
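The gate described above rests entirely on a header the client writes. The Python below is an added example of mine, not code from the original post or from Apache: it re-implements the check under the assumption (from the post's description) that the Mozilla4_browser variable is set whenever the User-Agent starts with Mozilla/4.0, and then runs a simple detection over a few constructed access-log lines for the 8080 vhost, flagging a client that was refused with one User-Agent and came back with a different, gate-satisfying one. The log lines, IP addresses and function names are all constructed.

```python
import re
from collections import defaultdict

# Assumption: the 8080 vhost sets Mozilla4_browser with a rule equivalent to
#   SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser
# and then uses "allow from env=Mozilla4_browser". This regex mirrors that rule.
ALLOWED_UA = re.compile(r"^Mozilla/4\.0")


def gate_allows(headers):
    """Re-implementation of the User-Agent gate, for illustration only (not Apache code).
    The decision depends solely on a header the client chooses, so any client
    (a browser, Burp, a Metasploit module behind a proxy) can satisfy it at will."""
    return bool(ALLOWED_UA.match(headers.get("User-Agent", "")))


# Apache combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines for the 8080 vhost's access log (not from the original post).
SAMPLE_LOG = [
    '192.168.1.50 - - [08/Mar/2022:10:00:01 +0000] "GET / HTTP/1.1" 403 202 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0"',
    '192.168.1.50 - - [08/Mar/2022:10:00:09 +0000] "GET / HTTP/1.1" 200 1170 "-" "Mozilla/4.0"',
    '192.168.1.50 - - [08/Mar/2022:10:00:15 +0000] "GET /phptax/ HTTP/1.1" 200 2291 "-" "Mozilla/4.0"',
    '192.168.1.77 - - [08/Mar/2022:10:01:00 +0000] "GET / HTTP/1.1" 200 1170 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.168.1.90 - - [08/Mar/2022:10:02:00 +0000] "GET / HTTP/1.1" 403 202 "-" "curl/7.81.0"',
]


def parse_log(lines):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records


def find_ua_switching(records):
    """Flag clients that were refused (403) with one User-Agent and later came back
    with a different User-Agent that satisfies the gate. Returns {ip: [user agents]}."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    flagged = {}
    for ip, recs in by_ip.items():
        denied_ua = {r["ua"] for r in recs if r["status"] == 403}
        passed_ua = {r["ua"] for r in recs if ALLOWED_UA.match(r["ua"])}
        if denied_ua and passed_ua and denied_ua != passed_ua:
            flagged[ip] = sorted({r["ua"] for r in recs})
    return flagged


if __name__ == "__main__":
    for ip, uas in find_ua_switching(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: denied, then admitted after changing User-Agent: {uas}")
```

On the sample log only 192.168.1.50 is flagged: 192.168.1.77 presents an old-style Mozilla/4.0 browser string from the start, and 192.168.1.90 is refused and never returns. A User-Agent gate is at best a convenience filter; real access control on that vhost needs authentication or a network restriction.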

Opening port 8080 in the browser:

phptax?

I opened phptax:

phptax

It seems to generate something. Looking for exploits, I came across an RCE for version 0.8, which is also available in Metasploit, so I used Metasploit to exploit it.

Exploitation

After setting every option that was needed, I got a shell. Note that I also used Burp Suite as a proxy for Metasploit, to intercept the request it sends and change the User-Agent so that it is allowed through to the web server.

exploited

Privilege Escalation

Privilege escalation was straightforward as well. After getting the shell I used uname -a to check the OS version:

OS version

I searched for exploits and found this one. I downloaded it to my system and then transferred it to the target machine:

python server
transferring to target

Then I compiled it:

compiling

I ran it and got root:

rooted

And that's it for this machine; the whole series is pwned. Happy hacking.
