VulnHub Kioptrix Level 1.1 (#2)

Name: Kioptrix: Level 1.1 (#2)
Date release: 11 Feb 2011
Link: https://www.vulnhub.com/entry/kioptrix-level-11-2,23/
Remote Host: 192.168.190.130
Local  Host: 192.168.190.128

As usual, start by checking which ports are open.

root@kali:~# nmap 192.168.190.130 -sV -p- --open
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-10 13:42 HKT
Nmap scan report for 192.168.190.130
Host is up (0.0016s latency).
Not shown: 65528 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 3.9p1 (protocol 1.99)
80/tcp   open  http       Apache httpd 2.0.52 ((CentOS))
111/tcp  open  rpcbind    2 (RPC #100000)
443/tcp  open  ssl/https?
631/tcp  open  ipp        CUPS 1.1
761/tcp  open  status     1 (RPC #100024)
3306/tcp open  mysql      MySQL (unauthorized)
MAC Address: 00:0C:29:38:C3:0C (VMware)

Nmap shows that the server exposes SSH, Web, CUPS, MySQL and other services. Start with the web service.

There is only a login page. The universal-password payload 'or''=' gets into the system, and behind the login is a Ping program.

This looks like a command injection. Trying ip=192.168.190.129|whoami executes successfully and shows that the current user is apache.
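As an added example (not part of the original write-up and not the target's own code), the Python sketch below shows why the ip value above reaches the shell as syntax, and how a ping handler can reject it before anything is executed. The function names, the "ping -c 3" command line and the string-concatenation pattern are assumptions, since the page does not show the application's source.

```python
import ipaddress
import shlex
import subprocess

SHELL_PUNCT = set("();<>|&")  # characters shlex reports as shell operators


def vulnerable_command(ip_param):
    """Assumed unsafe pattern: the raw parameter is pasted into a shell command line."""
    return "ping -c 3 " + ip_param


def shell_control_tokens(command_line):
    """Return the operator tokens a POSIX shell would see in command_line."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    return [tok for tok in lexer if tok and all(c in SHELL_PUNCT for c in tok)]


def safe_ping_argv(ip_param):
    """Accept only one literal IPv4 address and return an argv list (no shell)."""
    try:
        addr = ipaddress.IPv4Address(ip_param.strip())
    except ipaddress.AddressValueError as exc:
        raise ValueError("rejected ip parameter: %r" % ip_param) from exc
    # The address is re-serialised from the parsed object, so nothing from the
    # original string other than four validated octets reaches the command.
    return ["ping", "-c", "3", str(addr)]


def run_ping(ip_param):
    """Hardened handler: validated argv, shell=False, bounded run time."""
    argv = safe_ping_argv(ip_param)
    return subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=15)


if __name__ == "__main__":
    # The value from the write-up, used here only as test input.
    sample = "192.168.190.129|whoami"
    print("shell operators in concatenated command:",
          shell_control_tokens(vulnerable_command(sample)))
    try:
        safe_ping_argv(sample)
    except ValueError as err:
        print("hardened handler:", err)
```

The same allow-list check also makes a useful detection rule: any ip value that fails IPv4 parsing is worth logging, because a legitimate client of the form never sends one.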

Using bash, a reverse shell is obtained successfully.

Get the system kernel version.

bash-3.00$ cat /proc/version
Linux version 2.6.9-55.EL (mockbuild@builder6.centos.org) (gcc version 3.4.6 20060404 (Red Hat 3.4.6-8)) #1 Wed May 2 13:52:16 EDT 2007

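With the version known, run searchsploit, find a privilege-escalation exploit, and go to download and compile it, only to find that there is not a single writable directory.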

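Checking the permissions, the apache account has no write access to any of the directories, including /var/www/html. Finally, /tmp was tried, and it is writable.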

After compiling and running the exploit, root privileges are obtained.
