Kioptrix

Kioptrix is a vulnerable virtual machine that you can download from VulnHub. There are multiple walkthroughs for attacking this box. Below are my own notes from my Kioptrix session:

1. Scanning with nmap

kioptrix_nmap.txt

sudo nmap -A -p- 10.0.3.5
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-05 18:15 EDT
Nmap scan report for 10.0.3.5
Host is up (0.00068s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
| ssh-hostkey:
| 1024 x:x:x:x:x:x:x:x:x:x:x:x:x:x:x:x (RSA1)
| 1024 x:x:x:x:x:x:x:x:x:x:x:x:x:x:x:x (DSA)
|_ 1024 x:x:x:x:x:x:x:x:x:x:x:x:x:x:x:x (RSA)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 32768/tcp status
|_ 100024 1 32768/udp status
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC4_64_WITH_MD5
|_ SSL2_RC4_128_WITH_MD5
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after: 2010-09-26T09:32:06
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_ssl-date: 2023-08-06T02:16:28+00:00; +3h59m59s from scanner time.
32768/tcp open status 1 (RPC #100024)
MAC Address: x:x:x:x:x:x (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: 3h59m58s

TRACEROUTE
HOP RTT ADDRESS
1 0.68 ms 10.0.3.5

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.16 seconds

Findings (nmap):

Network architecture:

From this scan we learn a few things about the target's architecture:

  1. The server supports SSHv1 (OpenSSH 2.9p2, protocol 1.99), and we have its public host keys (used for authentication during SSH connections)
  2. Ports 80 and 443 (HTTP/HTTPS) are running Apache server v1.3.20 together with OpenSSL

Note: any information about the software in use on the target and its version counts as a finding, because an attacker can use it to look up vulnerabilities/CVEs associated with that software and version.
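The "version is a finding" rule above is easy to apply by hand on one host and tedious on a subnet. As an added example (my code, not part of the original notes), the script below parses nmap's normal-format output, lifts every product/version pair out of the service banners as an informational finding, and flags the legacy-protocol indicators the NSE scripts printed above (SSHv1, SSLv2, TRACE). The sample input is a constructed, abridged copy of the scan output above; the severities assigned by LEGACY_RULES are my own choice.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: an abridged copy of the nmap normal-format output above
# (only the lines the rules below look at are kept).
SAMPLE_NMAP = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_ Potentially risky methods: TRACE
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| sslv2:
| SSLv2 supported
|_ssl-date: 2023-08-06T02:16:28+00:00; +3h59m59s from scanner time.
32768/tcp open status 1 (RPC #100024)
"""

# "<port>/<proto> <state> <service> <version...>" as printed by nmap -sV
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "<product> <ver>" or "<product>/<ver>" fragments inside a version banner
PRODUCT_RE = re.compile(r"([A-Za-z][\w-]*(?: httpd)?)[ /](\d+(?:\.\d+)+\w*)")

# NSE phrases that indicate a legacy protocol or risky method, with the
# severity this example assigns them (the severities are my own choice).
LEGACY_RULES = [
    ("Server supports SSHv1", "high", "SSH protocol version 1 enabled"),
    ("SSLv2 supported", "high", "SSLv2 enabled"),
    ("Potentially risky methods: TRACE", "medium", "HTTP TRACE method enabled"),
]


@dataclass
class Service:
    port: int
    proto: str
    name: str
    version: str
    scripts: list = field(default_factory=list)  # NSE script lines for this port


def parse_nmap(text):
    """Group nmap normal-format output into one Service per open port."""
    services, current = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, name, version = m.groups()
            current = None
            if state == "open":
                current = Service(int(port), proto, name, version.strip())
                services.append(current)
        elif line.startswith("|") and current is not None:
            # strip the "| " / "|_ " prefixes so rules can match on plain text
            current.scripts.append(line.lstrip("|_ ").strip())
    return services


def versions(banner):
    """Extract (product, version) pairs from a banner, e.g. ('OpenSSL', '0.9.6b')."""
    return [(p, v) for p, v in PRODUCT_RE.findall(banner) if p.lower() != "protocol"]


def findings(services):
    """Turn parsed services into (port, severity, title) findings."""
    out = []
    for s in services:
        for product, ver in versions(s.version):
            out.append((s.port, "info", f"{product} {ver} version disclosed in banner"))
        joined = " ".join(s.scripts)
        for needle, sev, title in LEGACY_RULES:
            if needle in joined:
                out.append((s.port, sev, title))
    return out


def severity_counts(text):
    """Severity histogram for a whole scan, handy for comparing hosts."""
    return Counter(sev for _, sev, _ in findings(parse_nmap(text)))


if __name__ == "__main__":
    for port, sev, title in findings(parse_nmap(SAMPLE_NMAP)):
        print(f"{port:>5}  {sev:<6}  {title}")
    print(dict(severity_counts(SAMPLE_NMAP)))
```

Run it against a saved scan with `python3 triage.py < kioptrix_nmap.txt` after swapping SAMPLE_NMAP for `sys.stdin.read()`; the banner regex is deliberately loose (any word followed by a dotted number), so expect the occasional non-product hit that you filter the way "protocol" is filtered here.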

OpenSSL

On port 443 (HTTPS) we can see that OpenSSL (an old version) is used to authenticate and encrypt the target's web data/traffic.

Port and service mapping:

RPC:

Port 111 is running RPC (Remote Procedure Call). nmap also tells us the "program numbers" of the programs using the RPC protocol, and the ports they live on.

We can use this to probe those ports and see what kind of information comes back. For example, running the rpcinfo command against port 32768 gives us more information:

rpcinfo -s -n 32768 10.0.3.5
program version(s) netid(s) service owner
100000 2 udp,tcp portmapper unknown
100024 1 tcp,udp status unknown

2. Vulnerability scanning with Nikto

kioptrix_nikto.txt

- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.0.3.5
+ Target Hostname: 10.0.3.5
+ Target Port: 80
+ Start Time: 2023-08-05 18:39:31 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ /: Server may leak inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Wed Sep 5 23:12:46 2001. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /: Apache is vulnerable to XSS via the Expect header. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3918
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OpenSSL/0.9.6b appears to be outdated (current is at least 3.0.7). OpenSSL 1.1.1s is current for the 1.x branch and will be supported until Nov 11 2023.
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.9.6) (may depend on server version).
+ Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution.
+ Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system.
+ Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell.
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE .
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0835
+ /manual/: Directory indexing found.
+ /manual/: Web server manual found.
+ /icons/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /test.php: This might be interesting.
+ /wp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpress/wp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpress/wp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpress/wp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /assets/mobirise/css/meta.php?filesrc=: A PHP backdoor file manager was found:
+ /login.cgi?cli=aa%20aa%27cat%20/etc/hosts: Some D-Link router remote command execution.
+ /shell?cat+/etc/hosts: A backdoor was identified.
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8908 requests: 0 error(s) and 30 item(s) reported on remote host
+ End Time: 2023-08-05 18:39:59 (GMT-4) (28 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Nikto findings:

Note: some targets with good security / a firewall will block nikto.

Outdated software/services:

Anything Nikto reports as "outdated" can be written up as a finding. The further the version in use lags behind the current release, the more serious the finding.
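To make "how far behind" something you can sort a report by, here is an added example (my code, not from the original notes) that triages Nikto's text output: it parses the "appears to be outdated (current is at least ...)" lines and rates them by whether the major or only the minor version is behind, pulls CVE ids out of the "See:" references, and routes the signature-based path hits (the "backdoor" and "might be interesting" lines) into a verify queue rather than straight into the report. The rating rule is my own; the sample input is a constructed subset of the Nikto lines above.

```python
import re

# Constructed sample: a handful of finding lines copied from the Nikto output above.
SAMPLE_NIKTO = """\
+ Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ /: Server may leak inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Wed Sep 5 23:12:46 2001. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: Apache is vulnerable to XSS via the Expect header. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3918
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OpenSSL/0.9.6b appears to be outdated (current is at least 3.0.7). OpenSSL 1.1.1s is current for the 1.x branch and will be supported until Nov 11 2023.
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.9.6) (may depend on server version).
+ Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system.
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ /test.php: This might be interesting.
+ /wp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ 8908 requests: 0 error(s) and 30 item(s) reported on remote host
"""

OUTDATED_RE = re.compile(
    r"^\+ (?P<product>[\w.-]+)/(?P<inuse>\S+) appears to be outdated "
    r"\(current is at least (?:[\w.-]+/)?(?P<latest>[\w.]+)\)"
)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Nikto's header/footer lines, which are not findings.
HEADER_RE = re.compile(r"^\+ (Target |Start Time|End Time|Server:|\d+ requests|\d+ host)")


def version_tuple(v):
    """'0.9.6b' -> (0, 9, 6): compare on the numeric components only."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def lag_severity(inuse, latest):
    """My rating rule: a major version behind is high, a minor version behind is medium."""
    a, b = version_tuple(inuse), version_tuple(latest)
    if a[:1] < b[:1]:
        return "high"
    if a[:2] < b[:2]:
        return "medium"
    return "low"


def triage_line(line):
    """Classify one '+ ...' Nikto line into a finding record."""
    m = OUTDATED_RE.match(line)
    if m:
        return {"kind": "outdated", "severity": lag_severity(m["inuse"], m["latest"]),
                "product": m["product"], "inuse": m["inuse"], "latest": m["latest"], "line": line}
    cves = CVE_RE.findall(line)
    if cves:
        return {"kind": "cve", "severity": "medium", "cves": cves, "line": line}
    low = line.lower()
    if "backdoor" in low or "might be interesting" in low:
        # Path hits are signature matches; several on this box were redirects or
        # dead pages, so they go to a verify queue instead of straight into the report.
        return {"kind": "path", "severity": "verify", "line": line}
    if "vulnerable" in low:
        return {"kind": "vulnerable", "severity": "medium", "line": line}
    return {"kind": "other", "severity": "low", "line": line}


def triage(text):
    """Triage every finding line in a Nikto text report."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("+ ") or HEADER_RE.match(line):
            continue
        rows.append(triage_line(line))
    return rows


if __name__ == "__main__":
    for r in triage(SAMPLE_NIKTO):
        print(f"{r['severity']:<7} {r['kind']:<10} {r['line'][:70]}")
```

The "verify" bucket is the important design choice: Nikto's path checks match on response codes and strings, and on this box the walkthrough text itself notes that several of them were redirects or no longer active, so they should cost a manual request each before they are counted as findings.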

Directory enumeration:

Nikto shows that we can enumerate some possible subdirectories on ports 80 and 443. To check these subdirectories we can run a few tools:

Feroxbuster

Feroxbuster is a tool similar to gobuster, except that it can enumerate recursively. We can try feroxbuster against Kioptrix like this:

feroxbuster -u http://10.0.3.5
# or:
feroxbuster -u https://10.0.3.5

With Kioptrix we can find more instances of "information disclosure". For example, the subdirectory /manual/mod/mod_perl.html is the default user manual for using perl on the server.

From that page we can see that the Apache HTTP Server version is 1.3b5. Another subdirectory we found with feroxbuster is manual/mod/mod_perl.html. From this page we can read through the whole SSL-related module, and from it we learn that the server may be using Mod_SSL version 2.8.31.

These information disclosures are nice, but feroxbuster and nikto did not report much else of use. In fact, some of the subdirectories nikto identified are redirects or are no longer active, and we cannot do anything with them.
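The disclosures in this section (directory indexing, the bundled /manual and /icons trees, the full version banner, and TRACE left on) all come from default httpd.conf settings, so the defender's counterpart to the enumeration above is a config audit. As an added example (my code, not part of the original notes), the script below lints an Apache configuration fragment for those settings and returns one finding per weak directive; WEAK_CONF is a constructed fragment that would produce the findings seen on this box, and HARDENED_CONF is the same fragment corrected. The file paths in the sample are illustrative, not Kioptrix's real configuration.

```python
import re

# Constructed sample: httpd.conf settings of the kind that produce the nikto and
# feroxbuster findings above (directory listings, /manual and /icons exposed,
# full version banner, TRACE left at its default). Paths are illustrative.
WEAK_CONF = """\
ServerTokens Full
ServerSignature On
Alias /manual/ "/var/www/html/manual/"
Alias /icons/ "/var/www/icons/"
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
"""

# The same fragment with each weakness corrected.
HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
TraceEnable Off
<Directory "/var/www/html">
    Options -Indexes FollowSymLinks
</Directory>
"""

# Default documentation aliases that have no business on a production host.
DEFAULT_DOC_ALIASES = ("/manual", "/icons")


def audit_httpd_conf(conf):
    """Return (line_no, directive, advice) for each weak setting in a config fragment."""
    issues = []
    saw_trace_enable = False
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        args = [a.strip('"') for a in parts[1:]]
        if directive == "servertokens" and (not args or args[0].lower() != "prod"):
            issues.append((n, "ServerTokens", "use 'ServerTokens Prod' to stop advertising module versions"))
        elif directive == "serversignature" and (not args or args[0].lower() != "off"):
            issues.append((n, "ServerSignature", "use 'ServerSignature Off' so error pages omit the version"))
        elif directive == "traceenable":
            saw_trace_enable = True
            if not args or args[0].lower() != "off":
                issues.append((n, "TraceEnable", "use 'TraceEnable Off'"))
        elif directive == "alias" and args and args[0].rstrip("/") in DEFAULT_DOC_ALIASES:
            issues.append((n, "Alias", f"remove the default {args[0]} alias on a production host"))
        elif directive == "options" and any(a.lower() in ("indexes", "+indexes", "all") for a in args):
            issues.append((n, "Options", "use 'Options -Indexes' to disable directory listings"))
    if not saw_trace_enable:
        # TraceEnable defaults to On. The directive only exists from Apache 1.3.34 /
        # 2.0.55 onward; older builds such as 1.3.20 need a mod_rewrite rule to block TRACE.
        issues.append((0, "TraceEnable", "add 'TraceEnable Off' (TRACE is enabled by default)"))
    return issues


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name}: {len(audit_httpd_conf(conf))} issue(s)")
        for line_no, directive, advice in audit_httpd_conf(conf):
            print(f"  line {line_no:<3} {directive:<16} {advice}")
```

The audit is line-based and does not follow Include directives or track which <Directory> block an Options line sits in, so treat a clean result as "nothing obvious", and confirm with a request for a directory URL and an OPTIONS request against the running server.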

######### Postmortem? #####

  • Metasploit:
    • exploit/linux/samba/trans2open
      • buffer overflow
      • payload
      • linux/x86/shell/reverse_tcp
    • once we're in:
      • whoami
      • persistence
        - a way back in

      • history
      • users
      • network
      • groups
      • passwords
      • services
      • software
      • devices
      • files
      • directories
      • juicy data
  • post commands
  • SMB
    • trans2open
      -smbget
      -enum4linux
  • OpenSSL
    • Openness
  • Feroxbuster

[!Resources]

[!My previous notes (linked in the text)]