Kioptrix 2014 Walkthrough
Time for the last of the Kioptrix challenges! The first step is to identify the IP address of our new target. The attacker uses netdiscover to reveal the IP of the new virtual machine.
The second step for the attacker is to identify what kind of vulnerabilities exist on the new target. A simple scan with nmap reveals three open ports: 22, 80 and 8080. Port 80 is typically used for hosting websites, so the attacker decides to enter the IP of the target into his web browser for further evaluation.
The virtual machine is hosting a website and the landing page is a typical “It works!” landing page, which is commonly seen on web pages that have not been set up yet.
Inspection of the source code for the landing page reveals an HTML comment which may point to another part of the website.
The attacker confirms this with a scan using OWASP.
OWASP and the HTML comment both reveal that the virtual machine has pChart 2.1.3 hosted on the web server. A quick search reveals that this particular version of pChart is vulnerable to a directory traversal attack.
The attacker was able to read the /etc/passwd file in his browser.
At this point the attacker could not do much more. However, the attacker knew there was something on port 8080 but he wasn't sure what. The attacker retrieved the apache.conf file to look for more clues as to what might be running on port 8080 and was surprised to see that it contained very specific user-agent rules.
The attacker spoofed his browser's user agent to Mozilla/4.0 and then attempted to go to port 8080 in his web browser. The attacker found another index to look further into!
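From the defender's side, the two things worth having for a traversal bug like this are a path check that keeps a user-supplied file name inside the web root, and a log check that flags the requests that got through. The block below is an added example, not code from the original walkthrough or from pChart; the base directory, the `view.php?file=` parameter and the access-log lines are all constructed for illustration.

```python
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed Apache-style access log (hypothetical host, paths and IPs).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2014:10:00:00 +0000] "GET /view.php?file=../../../../etc/passwd HTTP/1.1" 200 1843
10.0.0.5 - - [01/Jan/2014:10:00:01 +0000] "GET /view.php?file=%2e%2e/%2e%2e/etc/apache2/apache2.conf HTTP/1.1" 200 5120
10.0.0.7 - - [01/Jan/2014:10:00:02 +0000] "GET /view.php?file=pie.php HTTP/1.1" 200 912
"""

# Matches ip, method, request path and status of a common-log-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# "../" or "..\" anywhere in the decoded request is a traversal indicator.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def resolve_under_base(base_dir: str, requested: str) -> Optional[str]:
    """Mitigation: resolve a user-supplied file name and refuse anything
    whose real path escapes base_dir. Returns None when the path escapes."""
    base = os.path.realpath(base_dir)
    decoded = unquote(unquote(requested))          # single and double URL encoding
    candidate = os.path.realpath(os.path.join(base, decoded))
    # join() discards base for absolute input; commonpath catches that too.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def find_traversal_attempts(log_text: str) -> List[Tuple[str, str, str]]:
    """Detection: return (ip, raw_path, status) for requests whose decoded
    path contains a parent-directory step. A 200 means the read likely succeeded."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if TRAVERSAL_RE.search(unquote(unquote(m.group("path")))):
            hits.append((m.group("ip"), m.group("path"), m.group("status")))
    return hits


if __name__ == "__main__":
    print(resolve_under_base("/srv/www/charts", "../../../../etc/passwd"))   # None
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print("traversal attempt:", hit)
```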
Phptax was found on the page. The attacker was unfamiliar with phptax, so he did some research and found that it is vulnerable to a remote code execution vulnerability.
The attacker decided to see if the exploit was available in Metasploit, and it was!
The attacker easily obtained a shell and confirmed that the shell was inside Kioptrix 2014 by using the id command.
The attacker then assessed what his privileges were with the command uname -a.
The attacker attempted to use wget to download a privilege escalation exploit, but wget failed.
The attacker's next step was to locate netcat in order to attempt to download some sort of privilege escalation exploit.
The attacker was successfully able to download a privilege escalation exploit with netcat. The attacker then compiled and executed the exploit. The exploit was successful, and a quick id command confirms that we are root.
Then the attacker reveals congrats.txt!