From some research online (because I wanted to thank the VM author!), it seems that the box designer loneferret has passed away – I hope he knew how well regarded his VMs were by the community.
Without further ado…
Absolutely tiny attack surface! SSH is closed (an IDS or firewall hiding the port?), and there are two web servers running on the box.
With such a minimal attack surface available, we use the usual tools (dirb, dirbuster, burpsuite, nikto) available to us to see what the web servers are providing.
Dirb and nikto don’t show anything of interest (other than a potential mod_ssl buffer overflow exploit, but we’ll save that as a last resort because the box appears to be running FreeBSD (shown by the nmap output) and the exploit may not be available for that platform).
Looking at the web service on port 8080 yields a “Permission Denied” error, which implies that some kind of IP / session / cookie / user agent filtering is going on, so we’ll save that for later.
Looking at the service on port 80, there’s a nice big message saying “IT WORKS” but nothing else… Hrm… Burpsuite has the answer:
Navigating to that URL shows that the application is some kind of graphing tool, with pre-built examples etc. Running “searchsploit pchart” yields a result which looks useful: apparently there’s a path traversal vulnerability in pChart 2.1.3 which can be leveraged to read arbitrary files on the box. Huzzah!
Let’s use it to read /etc/passwd:
Cool, that gives us an idea of the users on the box at least. Note the bottom three users; Googling them shows that there’s an IDS (intrusion detection system) running on the box. As long as we don’t try and brute force vulnerabilities on the box like skids we should be fine 😉
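The pChart bug described above is the classic file-read-by-name defect: a user-supplied path is joined to a base directory and opened without checking that the result stays inside that directory. The following is an added example (my code, not pChart’s and not from the original post) showing the containment check a handler like that needs, plus a small detector that flags traversal attempts in Apache access log lines. The log lines, the `/pchart/...?file=` parameter and the IP addresses are constructed for illustration.

```python
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote


def safe_resolve(base_dir: str, requested: str) -> Optional[str]:
    """Resolve a user-supplied relative path inside base_dir.

    Returns the absolute path when it stays within base_dir, otherwise None.
    realpath() collapses '..' segments and follows symlinks, so the
    comparison is made on the final on-disk location, not on the raw string.
    """
    base = os.path.realpath(base_dir)
    # Decode once so "%2e%2e/" is judged the same way the web server would
    # decode it; an absolute path in `requested` makes join() drop `base`,
    # which the containment test below also rejects.
    candidate = os.path.realpath(os.path.join(base, unquote(requested)))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


# Raw "../" (either slash), or an encoded dot-dot that survives one decode
# (i.e. a double-encoded attempt such as %252e%252e).
TRAVERSAL_RE = re.compile(r"\.\.[/\\]|%2e%2e", re.IGNORECASE)

# Common Log Format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def find_traversal_requests(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, request_path, status) for requests whose path,
    raw or once-decoded, carries a dot-dot traversal sequence."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        path = m.group("path")
        if TRAVERSAL_RE.search(path) or TRAVERSAL_RE.search(unquote(path)):
            hits.append((m.group("ip"), path, m.group("status")))
    return hits


# Constructed sample log: one benign browse, one encoded traversal that
# succeeded (200), one unrelated request, one double-encoded attempt (404).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /pchart/examples/index.php HTTP/1.1" 200 5123',
    '10.0.0.5 - - [01/Jan/2020:10:00:04 +0000] "GET /pchart/examples/index.php?file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1460',
    '10.0.0.9 - - [01/Jan/2020:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 45',
    '10.0.0.5 - - [01/Jan/2020:10:02:30 +0000] "GET /pchart/examples/index.php?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 210',
]


if __name__ == "__main__":
    for ip, path, status in find_traversal_requests(SAMPLE_LOG):
        print(f"{ip} -> {status} {path}")
    print(safe_resolve(os.getcwd(), "../etc/passwd"))   # None: escapes base
    print(safe_resolve(os.getcwd(), "examples/a.png"))  # stays inside base
```

The detector deliberately searches both the raw and the once-decoded path: single-encoded `%2f` sequences only become `../` after decoding, while a double-encoded attempt only reveals `%2e%2e` after the first decode. A `200` on a hit is the line worth escalating, since it means the read most likely succeeded.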
Now I’m not too proud to admit that I was stumped for a LONG time here. I couldn’t think of a way to go from path traversal to any kind of code execution… Whilst I was googling for extra pChart vulnerabilities I came across an article which mentioned that the server config could be read, which reminded me that port 8080 is there and blocking us.
Google says that the config lives in /usr/local/etc/apache22/httpd.conf on FreeBSD! Nestled right at the very bottom was the magic information:
What this means is that unless your User-Agent field starts with “Mozilla/4.0 Mozilla4_browser” you won’t be allowed access. So let’s change our user agent using a Firefox add-on (I’ll leave this as an exercise to the reader to find a good one.)
Navigating to port 8080 now takes us to an installation of the “phptax” software. After a quick poke around and finding nothing particularly spicy I did a quick check on Searchsploit for some vulnerabilities. Remote code execution! Yay!
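The lesson from the port 8080 gate is that a rule keyed on the User-Agent header is not access control, because the header is whatever the client chooses to send. As an added example (not from the original post, and not the box’s real configuration), here is a small audit script that scans an Apache 2.2-style httpd.conf for `Allow from env=` rules fed by a `SetEnvIf` on a client-controlled header, shown against a constructed reconstruction of the weak stanza and a hardened alternative that pins access to a source network plus authentication. The directory path and the htpasswd location are made up for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed reconstruction of the kind of stanza described above: a
# User-Agent prefix sets an environment variable, and the directory is
# reachable only when that variable is present.  Not the real httpd.conf.
WEAK_CONF = """\
SetEnvIf User-Agent "^Mozilla/4.0 Mozilla4_browser" Mozilla4_browser
<Directory "/usr/local/www/site">
    Order Deny,Allow
    Deny from all
    Allow from env=Mozilla4_browser
</Directory>
"""

# Hardened counterpart (constructed): restrict by source network and require
# a credential; Apache 2.2's default of Satisfy All makes both apply.
HARDENED_CONF = """\
<Directory "/usr/local/www/site">
    Order Deny,Allow
    Deny from all
    Allow from 10.0.0.0/24
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile "/usr/local/etc/apache22/htpasswd"
    Require valid-user
</Directory>
"""

SETENVIF_RE = re.compile(
    r'^\s*SetEnvIf(?:NoCase)?\s+(?P<header>\S+)\s+'
    r'(?P<pattern>"[^"]*"|\S+)\s+(?P<var>[!\w-]+)',
    re.MULTILINE | re.IGNORECASE,
)
ALLOW_ENV_RE = re.compile(
    r'^\s*Allow\s+from\s+env=!?(?P<var>[\w-]+)',
    re.MULTILINE | re.IGNORECASE,
)

# Request headers the client sets freely; gating on them proves nothing.
CLIENT_CONTROLLED = {"user-agent", "referer", "cookie", "x-forwarded-for",
                     "accept", "host", "origin"}


def env_sources(conf_text: str) -> Dict[str, Tuple[str, str]]:
    """Map each env var set by SetEnvIf to (header, pattern)."""
    return {m.group("var").lstrip("!"): (m.group("header"), m.group("pattern"))
            for m in SETENVIF_RE.finditer(conf_text)}


def audit_env_gating(conf_text: str) -> List[str]:
    """Return one finding per 'Allow from env=' rule whose variable is set
    from a client-controlled request header."""
    sources = env_sources(conf_text)
    findings = []
    for m in ALLOW_ENV_RE.finditer(conf_text):
        var = m.group("var")
        header, pattern = sources.get(var, (None, None))
        if header is not None and header.lower() in CLIENT_CONTROLLED:
            findings.append(
                f"'Allow from env={var}' depends only on {header} matching "
                f"{pattern}; that header is client-supplied, so this is a "
                f"filter, not authentication"
            )
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_env_gating(conf) or "no findings")
```

Run over a real httpd.conf the script only reports the `SetEnvIf` / `Allow from env=` pairing; `SetEnvIf` on `Remote_Addr` or on server-side variables is left alone, since those are not something the client can simply type into a request.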
After some poking around I couldn’t get that exact vulnerability working, so I took to Metasploit instead, which I had more luck with.
All that’s left now is to escalate privileges to root. I believe that there’s a vulnerability in the installed version of OSSEC to escalate privileges, but I couldn’t make it play ball so I fell back on a good old fashioned kernel exploit instead. I used this one for the installed FreeBSD kernel (version 9.0).
Another great, creative VM! The thing I like about this challenge is that it’s fairly realistic: it’s a simple web server hosting a couple of real, in-production libraries which happen to be vulnerable in such a way that a total compromise can be achieved, just like a real penetration test. This box has the added twist of running on FreeBSD, which is a bit of a rarity on these VMs.
This concludes the Kioptrix series of VMs. Rumour has it that another VM is being designed by a different author – I really hope that this turns out to be true as this series has been great fun to compromise.