DC-7

admin | 2024-01-08 22:04:14 | comments | 15 views | 9798 characters | 32 min 39 s read

Preface

First of all, everyone must remember that any unauthorized penetration testing is illegal, so don't go hacking around at random or you will end up crying behind bars. You can set up local practice targets instead, such as DVWA.

Project Introduction

Target machine: 172.16.10.33
Attack machine: 172.16.10.13;172.16.10.33

I. Information Gathering

1. Host information

[screenshot]

2. Port information

[screenshot]

3. Service information

[screenshot]

II. Vulnerability Analysis

1. Visiting port 80

The home page is a search page. The welcome text says that brute force or dictionary attacks are unlikely to succeed and hints that you need to think outside the box. As shown below: [screenshot]

Nothing exploitable turned up there, so the next step was to look for injection points in the search and login forms; after a round of testing there was no SQL injection point either.

2. Social engineering

Using the contact name in the page footer, search for information about this person.
[screenshot]

The search results are shown below: [screenshot]

Clicking through, there is only one repository. On entering the staffdb repository I first assumed it was the source code of this server, but comparing its index file with what port 80 serves showed they differ, so this source does not belong to the server under test. With no other lead, I tried the database username and password from its config.php configuration file.
[screenshot]

Logging into the web application with that username and password failed. Since the site exposes ports 22 and 80 but not 3306, I tried port 22 just in case, and unexpectedly the login succeeded. [screenshot]

3. Checking mail

After logging into the system there is a new-mail notice; take a look at the mailbox.

"/var/mail/dc7user": 15 messages 15 unread
>U   1 Cron Daemon        Mon Jan  8 15:30  24/775   Cron/opt/scripts/backups.sh
 U   2 Cron Daemon        Mon Jan  8 15:45  23/749   Cron/opt/scripts/backups.sh
 U   3 Cron Daemon        Mon Jan  8 16:00  23/749   Cron/opt/scripts/backups.sh
 U   4 Cron Daemon        Mon Jan  8 16:15  23/749   Cron/opt/scripts/backups.sh
 U   5 Cron Daemon        Mon Jan  8 16:30  23/749   Cron/opt/scripts/backups.sh
 U   6 Cron Daemon        Mon Jan  8 16:45  23/749   Cron/opt/scripts/backups.sh
 U   7 Cron Daemon        Mon Jan  8 17:00  23/749   Cron/opt/scripts/backups.sh
 U   8 Cron Daemon        Mon Jan  8 17:15  23/749   Cron/opt/scripts/backups.sh
 U   9 Cron Daemon        Mon Jan  8 17:30  23/749   Cron/opt/scripts/backups.sh
 U  10 Cron Daemon        Mon Jan  8 17:45  23/749   Cron/opt/scripts/backups.sh
 U  11 Cron Daemon        Mon Jan  8 18:00  23/749   Cron/opt/scripts/backups.sh
 U  12 Cron Daemon        Mon Jan  8 18:15  23/749   Cron/opt/scripts/backups.sh
 U  13 Cron Daemon        Mon Jan  8 18:30  23/749   Cron/opt/scripts/backups.sh
 U  14 Cron Daemon        Mon Jan  8 18:45  23/749   Cron/opt/scripts/backups.sh
 U  15 Cron Daemon        Mon Jan  8 19:00  23/749   Cron/opt/scripts/backups.sh
?
Return-path:
Envelope-to: root@dc-7
Delivery-date: Mon, 08 Jan 2024 15:30:03 +1000
Received: from root by dc-7 with local (Exim 4.89)
        (envelope-from )
        id 1rMiD5-0000P6-VW
        for root@dc-7; Mon, 08 Jan 2024 15:30:03 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron/opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env:
X-Cron-Env:
X-Cron-Env:
X-Cron-Env:
Message-Id:
Date: Mon, 08 Jan 2024 15:30:03 +1000
X-IMAPbase: 1704704625 28
Status: O
X-UID: 13

Database dump saved to /home/dc7user/backups/website.sql               [success]
?

The remaining 14 messages (X-UID 14 through 27, delivered every 15 minutes from 15:45 to 19:00) have the same form and differ only in Delivery-date, Exim message id and X-UID; every body shown in the capture ends with the same "Database dump saved to /home/dc7user/backups/website.sql [success]" line (the body of the last message is cut off in the capture).

Apart from revealing a scheduled task (the script executed is /opt/scripts/backups.sh), the mail contains nothing useful. Check the permissions on that file.
[screenshot]

Unfortunately only root and www-data can write to it, so the only option left is to look around the home directory. [screenshot]

The backups directory holds two encrypted files.
[screenshot]

The .drush directory contains the following files.
[screenshot]

drush.complete.sh contains some information about drush, and one line in it gives us an idea: "Ensure drush is available". Running it confirms that the command exists and is usable. Drush is not the same thing as Drupal; drush is a tool for installing and configuring Drupal.

4. Resetting the web password

1、Drupal connection information [screenshot]

Following that information, look at the database configuration file and connect to the database; the user data there contains nothing usable.
[screenshot]

Use drush to reset the web admin password, then log into the site.
[screenshot]

When editing content, only the following three HTML text formats are available; PHP cannot be used.
[screenshot]

So check the Extend page. No installed module allows editing PHP, but installing new modules is offered, both online and from an uploaded archive. [screenshot]

Download the module from the Drupal site: https://ftp.drupal.org/files/projects/php-8.x-1.x-dev.tar.gz. After downloading, upload and install it; a successful install looks like this:

[screenshot]

After installation, enable the PHP module; back in the editor there is now an additional PHP code option.

[screenshot]

Insert a PHP webshell there, then connect to it.

[screenshot]

III. Privilege Escalation

1. Escalation

After connecting to the webshell, spawn a reverse shell session to use for escalation.
[screenshot]

The session already runs as www-data, and that user can write to the backups.sh file found earlier. Write a reverse shell into that file and wait: the cron job runs every 15 minutes, so the session only arrives once the next run fires, up to 15 minutes later.
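The weakness used here, and first spotted when checking the permissions of /opt/scripts/backups.sh, is a script executed by root's cron job that a less privileged account (www-data) can modify. The script below is an added example for auditing exactly that condition; it is not code from the original post or from the DC-7 machine, and it assumes a Linux host with GNU stat and Debian-style crontab locations (the function names are my own).

```shell
#!/bin/sh
# Audit scripts launched by root's cron jobs for write access by non-root accounts.
# Added example for this walkthrough; not part of the DC-7 machine or the original post.
# Assumes a Linux host with GNU coreutils (stat -c) and Debian-style crontab locations.

# writable_by_nonroot MODE OWNER GROUP: pure check on an octal mode string plus
# owner/group names (testable without touching the filesystem). Returns 0 (true)
# and prints a reason when a non-root account could modify the file, else 1.
writable_by_nonroot() {
    mode=${1#"${1%???}"}          # keep the last three octal digits (drop setuid/setgid/sticky)
    owner=$2; group=$3
    other=${mode#??}              # third digit: permissions for "other"
    grp=${mode%?}; grp=${grp#?}   # second digit: permissions for group
    if [ "$owner" != root ]; then
        echo "owned by $owner, not root"; return 0
    fi
    if [ $(( other & 2 )) -ne 0 ]; then
        echo "world-writable (mode $mode)"; return 0
    fi
    if [ $(( grp & 2 )) -ne 0 ] && [ "$group" != root ]; then
        echo "writable by group $group (mode $mode)"; return 0
    fi
    return 1
}

# audit_path PATH: stat the real file and report. Returns 1 when insecure, 0 when ok.
audit_path() {
    [ -e "$1" ] || { echo "MISSING  $1"; return 1; }
    set -- "$1" $(stat -c '%a %U %G' "$1")          # -> path mode owner group
    if reason=$(writable_by_nonroot "$2" "$3" "$4"); then
        echo "INSECURE $1: $reason"; return 1
    fi
    echo "ok       $1"
}

# audit_crontabs: pull every absolute path out of the command field of the system
# crontabs (user field present, command starts at field 7) and of root's own crontab
# (no user field, command starts at field 6), then audit each path once.
audit_crontabs() {
    {
        cat /etc/crontab /etc/cron.d/* 2>/dev/null |
            awk '$1 !~ /^#/ && NF >= 7 { for (i = 7; i <= NF; i++) if ($i ~ /^\//) print $i }'
        crontab -l -u root 2>/dev/null |
            awk '$1 !~ /^#/ && NF >= 6 { for (i = 6; i <= NF; i++) if ($i ~ /^\//) print $i }'
    } | sort -u | while read -r p; do audit_path "$p"; done
}
```

Run `audit_crontabs` as root: on a host set up like this one it would flag /opt/scripts/backups.sh, since the group or owner bits that let www-data write the script are exactly what the check reports, and the fix is to make the script root-owned with mode 755 or stricter.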

2. Escalation succeeded

[screenshot]

3. Viewing the flag

At this point the machine is done.
[screenshot]

IV. Persistence

V. Trace Cleanup

Originally published on the WeChat official account Red Teams: DC-7

Posted by admin on 2024-01-08 22:04:14
Please keep this link when reposting (CN-SEC 中文网, with thanks to the original author): http://cn-sec.com/archives/2375823.html
