vulnhub-Kioptrix Level 1 （考点：mod_ssl / smb139/smb版本探测）不用msf-优快云博客

本文链接：https://blog.youkuaiyun.com/weixin_45527786/article/details/105618838

本文介绍了在Kioptrix Level 1靶机中如何利用nmap扫描和arp-scan发现目标，接着通过nikto扫描服务器配置，找到apache1.3.20与mod_ssl 2.8.7以下版本的漏洞。利用mod_ssl的远程缓冲区溢出漏洞获取shell，并尝试通过smb139端口的版本探测寻找突破，最终利用smb 2.21a的远程执行漏洞拿到root权限。整个过程涉及漏洞利用、编译修复漏洞的代码以及wireshark抓包分析。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

先arp-scan -l 扫出靶机位置。多的那个就是

nmap

C:\root\Desktop> nmap -A 192.168.189.163
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-19 02:52 EDT
Nmap scan report for 192.168.189.163
Host is up (0.00025s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey: 
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
|_ssl-date: 2020-03-23T04:55:10+00:00; -27d01h58m13s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC4_64_WITH_MD5                                                                                                                                                                                
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5                                                                                                                                                                  
|_    SSL2_DES_192_EDE3_CBC_WITH_MD5                                                                                                                                                                      
1024/tcp open  status      1 (RPC #100024)                                                                                                                                                                
MAC Address: 00:0C:29:7C:3A:16 (VMware)                                                                                                                                                                   
Device type: general purpose                                                                                                                                                                              
Running: Linux 2.4.X                                                                                                                                                                                      
OS CPE: cpe:/o:linux:linux_kernel:2.4                                                                                                                                                                     
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)                                                                                                                                                        
Network Distance: 1 hop

常规端口。进去网页看，找不到啥。用dirbuster扫，也扫不出啥。。。
这就让人很捉急。是不？？

有俩方法突破：

第一种：
用nikto继续扫服务器配置：出来两个重要信息。
是apache1.3.20
以及mod_ssl直接提示2.8.7版本以下有漏洞·，远程bof拿shell

C:\root\Desktop> nikto -h http://192.168.189.163
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.189.163
+ Target Hostname:    192.168.189.163
+ Target Port:        80
+ Start Time: