KIOPTRIX: 2014 (#5) Walkthrough

As usual, this vulnerable machine is targeted at beginners. It’s not meant for seasoned pentesters or security geeks who have been at this sort of stuff for 10+ years. https://www.vulnhub.com/entry/kioptrix-2014-5,62/

Hacking is a mindset. Hence, I would like to reference a powerful quote here:

So in war, the way is to avoid what is strong, and strike at what is weak.
Sun Tzu, The Art of War


Enumeration

Let’s start with enumeration.

sudo nmap -p- -T4 -A '192.168.103.187'
Brooding🤔:

SSH is filtered -> some firewall🛡 mechanism is in place.
Web server on 80 and 8080. The only way into the system is through the web server. If the web server has no known exploit 💣, then it must be through SQLi, LFI or RFI -> RCE🛠🔧🔨.

More Enumeration…🎯

1. Port 80

  • Manual viewing + robots.txt + source code
    Nothing fancy here 😩
    Found a lead…🔑

    📌 URL=pChart2.1.3/index.php

    No robots.txt

  • Nikto scan
    mod_ssl …🔑

    📍 We do have the mod_ssl module, but it is not exploitable for this version of Apache on the FreeBSD platform.

  • GoBuster
    Nothing interesting here.

2. Port 8080

Same as port 80, but it is refusing connections.

Finding POI (Point Of Intrusion)

We had only one lead.

Found a directory traversal vulnerability and started exploring.

Payload: hxxp://localhost/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd

Using the same traversal, I had a look at the Apache config file and, surprisingly, found the reason it was not letting us in on port 8080. [/usr/local/etc/apache22/httpd.conf]

..
Used a plugin to change my user-agent.
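
Defender's view of the same traversal, as an added example that is not part of the original post: a small Python detector that scans Apache access log lines (constructed samples, not logs from this box) for pChart `Script=` values that escape the examples/ directory, fully URL-decoding them first so double-encoded `%252f` sequences are caught as well.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs
from posixpath import normpath

# Constructed sample Apache combined-format access log lines (not from the original post).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=Bar.php HTTP/1.1" 200 1520 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%252f..%252f..%252fusr/local/etc/apache22/httpd.conf HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:20 +0000] "GET /index.html HTTP/1.1" 200 220 "-" "curl/8.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded sequences like %252f become '/'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(script_param: str) -> bool:
    """True if the decoded Script value tries to leave the examples/ directory."""
    decoded = decode_fully(script_param).replace("\\", "/")
    if decoded.startswith("/") or "../" in decoded:
        return True
    # normpath resolves 'a/../..' style sequences that still climb out of examples/
    return normpath("examples/" + decoded).split("/")[0] != "examples"

def find_traversal_attempts(log_text: str) -> list[dict]:
    """Return one record per request whose Script parameter looks like a traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["url"])
        if not url.path.endswith("/examples/index.php"):
            continue
        for script in parse_qs(url.query).get("Script", []):  # parse_qs decodes one layer
            if is_traversal(script):
                hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"], "target": decode_fully(script)})
    return hits

if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
```

A 200 status on such a hit means the file was actually served, which is the signal to act on; the same check, applied server-side before opening the file, is the fix for the underlying bug.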

Exploitation

Got the Reverse Shell❤️

Privilege Escalation

Used a kernel exploit to gain root🦠.