DC-7
1 Information gathering
As usual, first locate the target on the network, then run a full-port scan.
Only http and ssh are open; the box is Linux (Debian) with Apache:
{"ip":"192.168.68.228","port":80,"service":"http","Banner":"","url":"http://192.168.68.228:80"}
{"ip":"192.168.68.228","port":22,"service":"ssh","Banner":"SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u6\\x0a","url":""}
{"url":"http://192.168.68.228:80","StatusCode":200,"Title":"WelcometoDC-7|D7","HeaderDigest":"server:Apache/2.4.25 (Debian)","Length":8709,"KeywordFinger":"Drupal","HashFinger":""}
2 Start with the web app
Like DC-1, it runs Drupal. The hint says this one is not about brute force and that you need to "think outside the box" (does that mean an escape?). The page footer mentions DC7USER, but we are told brute force will not work and there is no generic password-reset vulnerability to lean on.
Directory scanning finds robots.txt; check the Disallow entries:
Disallow: /core/
Disallow: /profiles/
# Files
Disallow: /README.txt
Disallow: /web.config
# Paths (clean URLs)
Disallow: /admin/
Disallow: /comment/reply/
Disallow: /filter/tips
Disallow: /node/add/
Disallow: /search/
Disallow: /user/register/
Disallow: /user/password/
Disallow: /user/login/
Disallow: /user/logout/
# Paths (no clean URLs)
Disallow: /index.php/admin/
Disallow: /index.php/comment/reply/
Disallow: /index.php/filter/tips
Disallow: /index.php/node/add/
Disallow: /index.php/search/
Disallow: /index.php/user/password/
Disallow: /index.php/user/register/
Disallow: /index.php/user/login/
Disallow: /index.php/user/logout/
Summary so far:
- PHP >= 5.5.9, Drupal
- Apache blocks some dangerous file extensions
- Probable username: DC7USER
Known vulnerabilities lead nowhere and brute force is ruled out. I had just been doing some puzzle-style challenges that day, so the "new concept" hint made me think of social engineering. A search for DC7USER puts a GitHub account and a Twitter account at the top of the results.
The GitHub account has a repository called staffdb (a staff database).
Clone it locally and go through the files one by one.
It leaks the MySQL configuration:
<?php
$servername = "localhost";
$username = "dc7user";
$password = "MdR3xOgB7#dW";
$dbname = "Staff";
$conn = mysqli_connect($servername, $username, $password, $dbname);
?>
It also leaks a few records:
$sql = "INSERT INTO StaffDetails (firstname, lastname, phone, email)
VALUES ('John', 'Doe', '048547896425', '[email protected]')";
$sql .= "INSERT INTO StaffDetails (firstname, lastname, position, phone, email)
VALUES ('Mary', 'Moe', 'CEO', '46478415155456', '[email protected]');";
$sql .= "INSERT INTO StaffDetails (firstname, lastname, position, phone, email)
VALUES ('Julie', 'Dooley', 'Human Resources', '46457131654', '[email protected]')";
And a file include (the $_GET['file'] parameter goes straight into include() with no validation):
<?php
$file = 'contact-info.php';
if(file_exists($file)) {
include($file);
} else {
echo "The file does not exist" . "<br />";
$file = $_GET['file'];
include('directory/' . $file);
}
?>
Testing showed that these files do not belong to the web app on port 80, so the only usable thing is the MySQL configuration. MySQL is not reachable from outside either, which leaves trying the same credentials over SSH.
3 Privilege escalation
There is an mbox file in the home directory. It holds the reminder mails from root's cron job /opt/scripts/backups.sh, which dumps the database to /home/dc7user/backups/website.sql:
From root@dc-7 Thu Aug 29 17:45:11 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 17:45:11 +1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1i3F7H-0000G3-Nb
for root@dc-7; Thu, 29 Aug 2019 17:45:11 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3F7H-0000G3-Nb@dc-7>
Date: Thu, 29 Aug 2019 17:45:11 +1000
Database dump saved to /home/dc7user/backups/website.sql [success]
gpg: symmetric encryption of '/home/dc7user/backups/website.tar.gz' failed: File exists
gpg: symmetric encryption of '/home/dc7user/backups/website.sql' failed: File exists
I tried to decrypt the backups, but a passphrase is needed. Logically the encryption passphrase should also be in the cron script, and it is: PickYourOwnPassword.
After decrypting, I pulled the dump back to my machine. Notepad++ froze outright (200 million characters), so I switched to VS Code. Searching for admin gives 200,000+ hits, so I gave that up and went to read a walkthrough.
It turns out the way in is drush, Drupal's command-line management tool. It errored at first; a search showed that drush still needs to call into the Drupal CMS code itself, so it has to be run from inside the Drupal directory.
Having reset the password I paused: why do we need a password at all, isn't the goal privilege escalation? Going back over the earlier steps, the most direct route to root is the backup script that root runs from cron. Checking its permissions, www-data is allowed to modify it. So what we need is to write malicious code into that script, and that requires a Drupal feature; this part is fiddly.
- Log into the admin backend
- Extend -> Install new module
- Download the module from https://ftp.drupal.org/files/projects/php-8.x-1.x-dev.tar.gz, install it, then "Enable newly added modules"
- Extend -> FILTERS group -> tick PHP Filter -> Install at the bottom of the page
This module allows custom PHP code to run, so under Content -> Create Basic Page create a new page whose body uses the system() function to spawn a reverse shell, while listening on the matching port locally. Save, preview, and the shell comes back.
As usual, python -c "import pty;pty.spawn('/bin/bash')" to get a pty.
Write a reverse-shell command into the cron script.
Get the flag.
A reverse shell is not the only option: you can also add a user, as with teehee earlier, but be careful to use >> rather than > so the script is appended to and not overwritten.