Contents
0x00 Environment setup
Download link: http://www.kioptrix.com/dlvm/Kioptrix_Level_1.rar
Introduction:
This Kioptrix VM Image is an easy challenge. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges.
Source: http://www.kioptrix.com/blog/?page_id=135
Source: http://www.kioptrix.com/blog/?p=49
After downloading and extracting, open the VMX file in Notepad and delete the lines beginning with "ethernet0":
Import the virtual machine, then go to Edit virtual machine settings -> Add -> Network Adapter, and set it to NAT:
0x01 Host information gathering
Kali IP address: 192.168.119.128
Discover the target host's IP: netdiscover -i eth0 -r 192.168.119.0/24
Target host IP: 192.168.119.137
Probe the target host's open ports: nmap -sV -p 1-65535 -A 192.168.119.137
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-04 14:50 CST
Nmap scan report for 192.168.119.137
Host is up (0.00063s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
| 1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
| 1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_ 1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| http-methods:
|_ Potentially risky methods: TRACE
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 1024/tcp status
|_ 100024 1 1024/udp status
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_64_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_ SSL2_RC2_128_CBC_WITH_MD5
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_ssl-date: 2024-12-04T07:53:16+00:00; +1h01m50s from scanner time.
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after: 2010-09-26T09:32:06
|_http-title: 400 Bad Request
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:7C:3A:16 (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop
Host script results:
|_clock-skew: 1h01m49s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE
HOP RTT ADDRESS
1 0.63 ms 192.168.119.137
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.80 seconds
Open ports: 22 (SSH, OpenSSH 2.9p2), 80 (Apache httpd 1.3.20), 111 (rpcbind), 139 (Samba smbd), 443 (Apache/1.3.20 (Unix) (Red-Hat/Linux) with OpenSSL/0.9.6b), and 1024.
0x02 Site information gathering
Visiting port 80 shows the default Apache test page:
Enumerate site directories: dirsearch -u 192.168.119.137
Visiting test.php and capturing the request shows nothing special:
Under manual, this page shows a version string, mod_ssl version 2.8, which the nmap scan above had already identified:
The usage page also carries a version string, webalizer version 2.01:
0x03 Vulnerability discovery and exploitation
1. Method one: mod_ssl 2.8.4
First run nikto to check for exploitable vulnerabilities: nikto -h 192.168.119.137
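As an added example (not part of the original write-up), a small Python triage script that parses a constructed excerpt of the nmap output above and flags the legacy settings a defender would fix first: SSHv1, SSLv2, the TRACE method, the expired certificate, and end-of-life Apache/OpenSSL builds. The scan date is assumed to be 2024-12-04, taken from the nmap banner.

```python
import re
from datetime import datetime

# Constructed excerpt of the nmap output shown above (not a live scan).
SAMPLE_NMAP = """\
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_ Potentially risky methods: TRACE
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| sslv2:
| SSLv2 supported
| Not valid before: 2009-09-26T09:32:06
|_Not valid after: 2010-09-26T09:32:06
"""

# Assumed scan date, from the "Starting Nmap ... 2024-12-04" banner.
SCAN_DATE = datetime(2024, 12, 4)

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")


def parse_open_ports(text):
    """Return {port: (service, version_string)} for every 'open' port line."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports[int(m.group(1))] = (m.group(3), m.group(4).strip())
    return ports


def triage(text, scan_date):
    """Flag legacy-protocol and end-of-life findings for remediation."""
    findings = []
    if "Server supports SSHv1" in text:
        findings.append("ssh: SSHv1 enabled; disable protocol 1")
    if "SSLv2 supported" in text:
        findings.append("https: SSLv2 enabled; disable SSLv2 and SSLv3")
    if re.search(r"risky methods:.*\bTRACE\b", text):
        findings.append("http: TRACE method enabled; set TraceEnable off")
    m = re.search(r"Not valid after:\s*(\S+)", text)
    if m and datetime.fromisoformat(m.group(1)) < scan_date:
        findings.append(f"https: certificate expired {m.group(1)}")
    for port, (_svc, ver) in parse_open_ports(text).items():
        # Apache 1.3 and OpenSSL 0.9.6 are long out of support.
        if "Apache httpd 1.3" in ver or "Apache/1.3" in ver or "OpenSSL/0.9.6" in ver:
            findings.append(f"{port}/tcp: end-of-life software ({ver})")
    return findings


def triage_sample():
    return triage(SAMPLE_NMAP, SCAN_DATE)
```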
- Nikto v2.5.0
------------------------------------------------------