Kioptrix 2014
Download link
https://download.vulnhub.com/kioptrix/kiop2014.tar.bz2
Walkthrough
Find the target's IP with netdiscover. The VM does not pick up an address if it is simply booted after download: remove the VM's existing network adapter and add a fresh one first.
Target IP: 192.168.0.106.
Port scan of the target:
┌──(root💀kali)-[~]
└─# nmap -sV -p1-65535 192.168.0.106
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-19 02:02 EST
Nmap scan report for 192.168.0.12
Host is up (0.00032s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
MAC Address: 00:0C:29:08:07:00 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 117.09 seconds
Run nikto against ports 80 and 8080 to see what is there.
┌──(root💀kali)-[~]
└─# nikto -h http://192.168.0.106/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.0.106
+ Target Hostname: 192.168.0.106
+ Target Port: 80
+ Start Time: 2021-12-19 02:05:06 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
+ Server may leak inodes via ETags, header found with file /, inode: 67014, size: 152, mtime: Sat Mar 29 13:22:52 2014
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OpenSSL/0.9.8q appears to be outdated (current is at least 1.1.1). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ Apache/2.2.21 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ mod_ssl/2.2.21 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ PHP/5.3.8 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ 8724 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time: 2021-12-19 02:06:29 (GMT-5) (83 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
┌──(root💀kali)-[~]
└─# nikto -h http://192.168.0.106:8080/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.0.106
+ Target Hostname: 192.168.0.106
+ Target Port: 8080
+ Start Time: 2021-12-19 02:07:31 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ All CGI directories 'found', use '-C none' to test none
+ OpenSSL/0.9.8q appears to be outdated (current is at least 1.1.1). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ mod_ssl/2.2.21 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ PHP/5.3.8 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ Apache/2.2.21 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ 26546 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time: 2021-12-19 02:11:41 (GMT-5) (250 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Port 80: the nikto output is mostly banner-age warnings. The mod_ssl 2.8.7 / CVE-2002-0082 item is a version-string false positive: mod_ssl 2.2.21 is the module bundled with Apache 2.2 and numbered with it, not the Apache 1.3-era 2.8.x series. TRACE being enabled is real but of little use here. Open port 80 in the browser.
The page source contains a path; browse to that directory.
A quick search shows that this version of the application has a directory traversal vulnerability, and a public exploit exists.
Since the OS is FreeBSD, the location of the Apache configuration file is predictable. From the FreeBSD Handbook:
In FreeBSD, the main Apache HTTP Server configuration file is installed as /usr/local/etc/apache2x/httpd.conf, where x represents the version number. This ASCII text file begins comment lines with a #. The most frequently modified directives are: ServerRoot "/usr/local"
For the Apache 2.2.21 in the banner that is /usr/local/etc/apache22/httpd.conf, which is the file to pull through the traversal.
The config file shows that the virtual host on port 8080 sets an environment variable from the User-Agent header (Apache's SetEnvIf / BrowserMatch mechanism) and only allows requests whose User-Agent matches Mozilla/4.0.
A plain request to port 8080 returns 403.
With the User-Agent changed, the request succeeds and a directory is listed.
Browse to the phptax directory:
curl -H "User-Agent:Mozilla/4.0" http://192.168.0.106:8080/phptax/
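Why port 8080 answers 403 until the User-Agent changes, as an added example that is not part of the original walkthrough: a constructed httpd.conf fragment shaped like the SetEnvIf / "Allow from env=" pattern described above, plus shell helpers that pull the gating regex and the gated directory out of such a file and test candidate User-Agent strings against it. The directive text, the variable name Mozilla4_browser and the DocumentRoot path are assumptions for illustration; the target's real httpd.conf is not reproduced on this page. grep -E stands in for Apache's regex engine, which is adequate for an anchored literal like ^Mozilla/4.0.

```shell
#!/bin/sh
# Added example: inspect an Apache config that gates a directory on User-Agent.
# The config below is constructed for this example (names and paths are
# placeholders), shaped like the SetEnvIf / "Allow from env=" pattern the
# walkthrough describes; it is not the target's real httpd.conf.
write_sample_conf() {   # $1 = destination path
    cat > "$1" <<'EOF'
SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser
Listen 8080
<VirtualHost *:8080>
    DocumentRoot /usr/local/www/apache22/data2
    <Directory "/usr/local/www/apache22/data2">
        Order deny,allow
        Deny from all
        Allow from env=Mozilla4_browser
    </Directory>
</VirtualHost>
EOF
}

# Print the regex that a "SetEnvIf User-Agent <regex> <env>" line keys on.
# Surrounding quotes, if the admin used them, are stripped; a regex containing
# whitespace would need a real config parser, which this deliberately is not.
ua_regex_for_env() {   # $1 = config file, $2 = env variable name
    awk -v env="$2" '
        $1 == "SetEnvIf" && $2 == "User-Agent" && $4 == env {
            gsub(/"/, "", $3); print $3
        }' "$1"
}

# Print every <Directory> path whose "Allow from env=<env>" references the
# variable: these are the paths a matching User-Agent unlocks.
dirs_gated_by_env() {   # $1 = config file, $2 = env variable name
    awk -v env="$2" '
        /^[[:space:]]*<Directory/ { d = $2; gsub(/[">]/, "", d) }
        $1 == "Allow" && $2 == "from" && $3 == ("env=" env) { print d }
    ' "$1"
}

# Does this User-Agent string satisfy the regex? (grep -E approximates
# Apache's regex engine; fine for anchored literals such as ^Mozilla/4.0.)
ua_matches() {   # $1 = regex, $2 = candidate User-Agent
    printf '%s\n' "$2" | grep -Eq -- "$1"
}
```

Any string that begins with Mozilla/4.0, including a complete old IE User-Agent, satisfies the pattern, and that is the real point: a header the client chooses is not an access control, only an obstacle for scanners that send their own default User-Agent.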
Nothing obvious in the listing itself; searching for a known payload against this application turns one up.
There is no python on the box, so the usual pty trick for upgrading to an interactive shell is unavailable.
FreeBSD 9.0 has a local privilege-escalation exploit. With no file-transfer tool on the target, copy the source over by pasting it with echo:
`echo 'exp code' > /tmp/exp.c`
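Getting the exploit source onto the box without python, scp or any transfer tool, as an added example that is not from the original post: echo 'exp code' silently breaks at the first single quote in the C source, which almost any real program contains, so a quoted heredoc is the safer way to paste it into the reverse shell. The C file below is a constructed stand-in built only to carry the awkward characters; it is not the FreeBSD privilege-escalation exploit, which this page does not reproduce.

```shell
#!/bin/sh
# Added example: paste a source file into a shell that has no python/scp.
# A quoted heredoc (<<'EOF') passes every byte through untouched, unlike
# echo '...', which ends at the first single quote, or an unquoted heredoc,
# which expands $ and backslash sequences.
write_sample_c() {   # $1 = destination path (e.g. /tmp/exp.c)
    cat > "$1" <<'EOF'
#include <stdio.h>
/* Constructed sample for the transfer demo, not an exploit: it only carries
   the characters that echo '...' cannot pass through (quote, $, backslash). */
int main(void) {
    char q = '\'';
    printf("quote=%c dollar=$ backslash=\\\n", q);
    return 0;
}
EOF
}

# Succeeds only if the three troublesome characters arrived intact, which is
# the check worth running before wasting time on a compile that fails.
transfer_intact() {   # $1 = written file
    grep -qF "char q = '\\'';" "$1" || return 1
    grep -qF 'dollar=$' "$1" || return 1
    grep -qF 'backslash=\\' "$1"
}

# Line count of the pasted file, for comparing with the original before
# compiling (wc output is trimmed because BSD wc pads it with spaces).
pasted_lines() {   # $1 = written file
    wc -l < "$1" | tr -d ' '
}
```

Paste the heredoc exactly as written, terminator included, into the reverse shell; the EOF line must start at column 0 or the shell keeps reading. Compare pasted_lines against wc -l of the original on the attacking machine before compiling.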
Find the flag:
cd /root
ls
.cshrc
.history
.k5login
.login
.mysql_history
.profile
congrats.txt
folderMonitor.log
httpd-access.log
lazyClearLog.sh
monitor.py
ossec-alerts.log
cat congrats.txt