Kioptrix 2014 Walkthrough

Time for the last of the Kioptrix challenges! The first step is to identify the IP address of our new target. The attacker uses netdiscover to reveal the IP of the new virtual machine.

The second step for the attacker is to identify what kind of vulnerabilities exist on the new target. A simple scan with nmap reveals three open ports: 80, 8080, and 22. Port 80 is typically used for hosting websites, so the attacker decides to enter the IP of the target into his web browser for further evaluation.

The virtual machine is hosting a website and the landing page is a typical "It works!" landing page, which is commonly seen on web servers that have not been set up yet.

Inspection of the source code for the landing page reveals an HTML comment which may point to another part of the website.

The attacker confirms this with a scan using OWASP.

OWASP and the HTML comment both reveal that the virtual machine has pChart 2.1.3 hosted on the web server. A quick search reveals that this particular version of pChart is vulnerable to a directory traversal attack.

The attacker was able to display the /etc/passwd file in his browser.
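
The defensive counterpart to the traversal used above, as an added example that is not part of the original walkthrough: a small Python check over Apache access logs that percent-decodes each request URI (including double encoding), then flags dot-dot sequences or direct references to sensitive files such as /etc/passwd and the Apache configuration. The sample log lines and the `path` query parameter name are constructed for the demonstration, not taken from pChart.

```python
import re
from urllib.parse import unquote

# Constructed Apache "combined" log lines (not from the walkthrough); the "path" query
# parameter is a placeholder name, not pChart's real one.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Feb/2016:10:01:09 -0500] "GET /pChart2.1.3/examples/index.php?path=../../../../etc/passwd HTTP/1.1" 200 1840 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Feb/2016:10:01:15 -0500] "GET /pChart2.1.3/examples/index.php?path=%252e%252e%252f%252e%252e%252fetc%252fapache2%252fapache2.conf HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Feb/2016:10:02:00 -0500] "GET /index.html HTTP/1.1" 200 177 "-" "Mozilla/4.0"
"""

# combined format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
DOTDOT_RE = re.compile(r'(?:^|[/?=&])\.\.(?:/|$)')  # a ".." component after decoding
SENSITIVE = ("/etc/passwd", "/etc/shadow", "apache2.conf", "apache.conf", "httpd.conf")

def normalise(uri):
    """Percent-decode until stable (defeats double encoding), unify slashes."""
    prev, cur = None, uri
    for _ in range(4):  # bounded: a crafted URI cannot keep us decoding
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")

def classify(uri):
    """Reason the request looks like traversal, or None if clean."""
    path = normalise(uri)
    hits = [s for s in SENSITIVE if s in path]
    if DOTDOT_RE.search(path):
        return "dot-dot traversal" + (f" targeting {hits[0]}" if hits else "")
    return f"direct reference to {hits[0]}" if hits else None

def find_traversal(log_text):
    """Parse combined-format lines and collect suspicious requests."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format entry
        reason = classify(m["uri"])
        if reason:
            findings.append({"ip": m["ip"], "uri": m["uri"], "status": m["status"],
                             "served": m["status"] == "200", "reason": reason})
    return findings
```

A finding with `served` set is the one to act on: the server answered 200, so the file was most likely disclosed rather than merely requested.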

At this point the attacker could not do much more. However, the attacker knew there was something on port 8080 but he wasn't sure what. The attacker displayed the apache.conf file to look for more clues as to what might be running on port 8080, and he was surprised to see that it contained very specific user-agent handling.

The attacker spoofed his browser's user agent to Mozilla/4.0 and then browsed to port 8080. The attacker found another index to look further into!

Phptax was found on the page. The attacker was unfamiliar with phptax, so he did some research and found that it is vulnerable to remote code execution.

The attacker decided to see if the exploit was available in Metasploit, and it was!

The attacker easily obtained a shell and confirmed that the shell was inside of Kioptrix 2014 by using the id command.

The attacker then assessed what his privileges were with the command uname -a.

The attacker attempted to use wget to download a privilege escalation exploit, but wget failed.

The attacker's next step was to locate netcat in order to attempt to download some sort of privilege escalation exploit.

The attacker was successfully able to download a privilege escalation exploit with netcat. The attacker then compiled and executed the exploit. The exploit was successful, and a quick id command confirms that we are root.

Then the attacker reveals congrats.txt!!!!

Written on February 15, 2016