VulnHub target machine Lampiao: getshell, Dirty COW privilege escalation, and capturing the flag

Preface:

This VulnHub target involves a remote code execution vulnerability in the Drupal 7 CMS (CVE-2018-7600) and Dirty COW privilege escalation.

Drone Download: https://mega.nz/#!aG4AAaDB!CBLRRYQsAhTOyPJqyjC0Blr-weMH9QMdYbPfMj0LGeM

0x01 Information Gathering

The first thing after booting the virtual machine is a login prompt asking for a username and password, so the IP address is not known;

So we need to find its IP. Since it is on the same network, nmap can scan for it. I set the virtual machine to NAT mode, so first look at the NAT mode network segment

It is the 192.168.106.0/24 segment, so scan that class C segment with nmap

The IP is clearly 192.168.106.130; next, scan all of its ports

Visiting port 80 reveals a useless static page; visiting port 1898 reveals a web page

Access robots.txt

A php directory is found, and many txt files are leaked; the txt files can be read directly

View the source and click on any image link

It is a directory listing leak: any file in that directory can be read, but only this one directory is exposed, and it contains only css, js and png files, so set it aside for now.

Before running a directory scan, I had already used the Wappalyzer browser plugin to learn that the site is built on the Drupal 7 CMS

It also reveals the operating system, web server and backend language.

Take another look at the leaked txt files: one of them also discloses the CMS version, and more precisely

With this many hints, it would be a shame not to exploit this Drupal 7 CMS vulnerability

A Baidu search shows that Drupal 7 CMS has a remote code execution vulnerability, so look up the corresponding exploit in msf and use it.

0x02 Exploiting the Drupal 7 CMS Remote Code Execution Vulnerability (CVE-2018-7600)

Enter msf and search for CVE-2018-7600

Then the usual sequence of steps: use the module, show options, set the options, and finally run

Here only the target IP and port need to be set; the port is 1898

show targets lists many versions, and I did not know which one to choose, so keep the default and run directly

A reverse shell came back directly. It runs as www-data, which is roughly a visitor-level privilege, and getsystem does not work.

If you are not familiar with meterpreter's interactive commands, you can write a one-line webshell into the web root and then connect to it with Caidao (China Chopper).
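From the defender's side, the request the Metasploit module sends against port 1898 has a recognisable shape in the web server's access log. The following is an added example, not code from the original post or from the Lampiao machine: it scans combined-format access-log lines for the Drupal Form API render keys that CVE-2018-7600 lets an unauthenticated request inject. The sample log lines are constructed, the "CALLBACK" value is a placeholder rather than a working payload, and the combined log format is an assumption.

```python
"""Flag web-server access-log lines that carry the CVE-2018-7600
(Drupalgeddon2) request pattern: Drupal Form API render keys smuggled in
through request parameters."""
import re
from urllib.parse import unquote

# Render-array keys that CVE-2018-7600 lets a request inject; their presence
# in a query string or form field name is a strong indicator of an attempt.
RENDER_KEYS = ("#post_render", "#lazy_builder", "#pre_render", "#access_callback")

# Apache/Nginx "combined" log format (assumed for the constructed sample).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def decode_fully(s, rounds=3):
    """Percent-decode repeatedly so %2523 (double-encoded '#') is caught too."""
    for _ in range(rounds):
        new = unquote(s)
        if new == s:
            break
        s = new
    return s


def matched_render_keys(path):
    """Return the render keys found in the decoded request path/query."""
    decoded = decode_fully(path).lower()
    return [k for k in RENDER_KEYS if k in decoded]


def scan_log(lines):
    """Return (ip, status, path, keys) for every request that looks like CVE-2018-7600."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        keys = matched_render_keys(m.group("path"))
        if keys:
            hits.append((m.group("ip"), m.group("status"), m.group("path"), keys))
    return hits


# Constructed sample log (not real traffic). The second line imitates the
# shape of a Drupal 7 exploitation request; "CALLBACK" is a placeholder.
SAMPLE_LOG = [
    '192.168.106.1 - - [01/Nov/2019:10:00:01 +0000] "GET /?q=node/1 HTTP/1.1" 200 5123',
    '192.168.106.1 - - [01/Nov/2019:10:00:02 +0000] "POST /?q=user/password&name%5B%23post_render%5D%5B%5D=CALLBACK&name%5B%23type%5D=markup HTTP/1.1" 200 312',
    '192.168.106.1 - - [01/Nov/2019:10:00:03 +0000] "GET /robots.txt HTTP/1.1" 200 1567',
    '192.168.106.1 - - [01/Nov/2019:10:00:04 +0000] "GET /?q=node/2&x=%2523lazy_builder HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, status, path, keys in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip} status={status} keys={keys} path={path}")
```

The check works on the URL only; POST bodies are not in the access log, so a request that puts the render key in the body will only be caught by a WAF or by Drupal's own logging. Also note that a 200 status on a flagged line says nothing about success, since the vulnerable page returns 200 either way.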

Look at the /sites/default/settings.php file under the web root to see the configuration it holds

We see sensitive information: the database username and password

Log in with mysql and query the user table of this database

First drop from meterpreter into the interactive shell, i.e. the target system's command line.

But mysql does not seem to start; this shell is a stripped-down one

So, following the method others use, get a standard shell with python

python -c 'import pty; pty.spawn("/bin/bash")'


Successfully in; look at the user and password fields of the users table.

The first user is tiago; taking the password hash to an online MD5 cracker does not recover it.

After trying various things, I remembered that SSH had not been used yet. Could this be the SSH username and password? Looking at settings.php again, there is only one password in it, Virgulino, so the user probably uses this one password everywhere.

Tried it: the login succeeded, but the privilege level is still not system.

0x03 Dirty COW Privilege Escalation

Check the kernel version: it is an Ubuntu kernel from 2016

Searching online, I tried many exploits from 2017, but none worked. Looking further, I found a universal privilege escalation for 2016 kernel versions called Dirty COW.

Searching for this vulnerability: the method is called Dirty COW, so the keyword for its escalation script is dirty.

Search in Kali, or use the script from GitHub directly, then copy it to the target machine.

An online search shows that it is this cpp script.

Create a 40847.cpp file on the target machine and copy the Dirty COW cpp script from Kali into it.

Then compile and run:

g++ -Wall -pedantic -O2 -std=c++11 -pthread -o 40847 40847.cpp -lutil


It executed successfully; the root user must now log in to the server with the password dirtyCowFun.

Reconnect over ssh as user root with password dirtyCowFun
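The fact that root can now log in with dirtyCowFun means the exploit rewrote root's entry in /etc/passwd with a password hash of its own. That leaves a trace a defender can look for. The following is an added example, not code from the original post or from the exploit: it audits passwd-format text for a hash stored directly in /etc/passwd instead of the shadow marker, for extra UID 0 accounts, and for malformed lines. The sample file contents are constructed (the hash value is fake), and the audit_passwd_file wrapper for reading a real file is an assumption about how one would deploy it.

```python
"""Audit /etc/passwd content for the traces an /etc/passwd-overwriting
Dirty COW (CVE-2016-5195) exploit leaves behind: a password hash written
into field 2 instead of 'x', extra UID 0 accounts, malformed entries."""

# Values that legitimately appear in the password field of /etc/passwd
# when hashes live in /etc/shadow.
SHADOW_MARKERS = {"x", "*", "!", "!!", ""}


def audit_passwd(text):
    """Return a list of (line_number, reason, account) findings for passwd-format text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, "malformed entry", line))
            continue
        name, pw, uid, gid, _gecos, _home, _shell = fields
        if pw not in SHADOW_MARKERS:
            # A hash here means someone rewrote /etc/passwd and can log in
            # with that password, bypassing /etc/shadow entirely.
            findings.append((lineno, "password hash stored in /etc/passwd", name))
        if not (uid.isdigit() and gid.isdigit()):
            findings.append((lineno, "non-numeric uid/gid", name))
        elif uid == "0" and name != "root":
            findings.append((lineno, "extra UID 0 account", name))
    return findings


def audit_passwd_file(path="/etc/passwd"):
    """Convenience wrapper (assumed deployment) for auditing a real file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_passwd(fh.read())


# Constructed sample content (not copied from the target machine).
SAMPLE_CLEAN = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
tiago:x:1000:1000:Tiago,,,:/home/tiago:/bin/bash
"""

# The root line imitates the shape left after the overwrite: a crypt-style
# hash (fake value) in field 2 instead of 'x'; a second UID 0 user is added.
SAMPLE_TAMPERED = """root:$6$constructed$NOTAREALHASH0000000000000000000000000000000:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backdoor:x:0:0::/root:/bin/bash
tiago:x:1000:1000:Tiago,,,:/home/tiago:/bin/bash
"""

if __name__ == "__main__":
    for lineno, reason, account in audit_passwd(SAMPLE_TAMPERED):
        print(f"line {lineno}: {reason} ({account})")
```

The check is deliberately independent of any particular exploit's backup file name or default password; it keys on the structural property that a correctly configured system never keeps a hash in /etc/passwd. Pairing it with a file-integrity baseline (a stored hash of /etc/passwd) catches the rewrite even before anyone logs in with the new password.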


Privilege escalation succeeded and the flag is obtained.

Origin www.cnblogs.com/-chenxs/p/11767429.html