Preface
First, everyone must remember that all unauthorized penetration is illegal, so do not go hacking at random; if you end up locked away you will have plenty to cry about. We can set up local practice targets instead, such as DVWA.
Project overview
Target: 172.16.10.33
Attacker: 172.16.10.13; 172.16.10.33
I. Information gathering
1. Host information
2. Port information
3. Service information
II. Vulnerability analysis
1. Visiting port 80
After opening it, the home page is a search page. The welcome message says that brute force or dictionary attacks will probably not succeed and hints that you need to think outside the box. As shown in the figure below:
Nothing exploitable was found there, so I tried to find injection points in the search and login forms; after a round of testing there was not even a SQL injection point.
2. Social engineering
Using the contact name in the page footer, search for information about this person.
The search results are as follows:
After clicking through, there was only one repository. Entering the staffdb repository, I first assumed it was the source code of this server, but after looking at the home page file it did not match what port 80 displays, so this source code is not the same as the server being attacked. With no other leads, I thought of trying the username and password from the database configuration in config.php.
Logging into the web application with this username and password did not work. Since the site only exposes ports 22 and 80 and not 3306, I tried port 22 on the off chance, and unexpectedly it logged in.
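The leak above is a database config committed to a public repository whose password was reused for SSH. As an added defender-side example (not code from the write-up or the staffdb project), this scanner flags hard-coded credential assignments in PHP config files and masks the values in its report; the sample config and its values are constructed placeholders.

```python
import os
import re

# Constructed sample of a PHP database config of the kind found in the public
# repository; the values are placeholders, not the real ones from the box.
SAMPLE_CONFIG_PHP = """<?php
$servername = "localhost";
$username = "example_user";
$password = "Example-Pa55word!";
$dbname = "staffdb";
$conn = mysqli_connect($servername, $username, $password, $dbname);
"""

# PHP string assignments whose variable name suggests a credential.
CRED_ASSIGN = re.compile(
    r"""\$(?P<name>\w*(?:user(?:name)?|pass(?:word|wd)?|secret|token|api_?key)\w*)
        \s*=\s*(?P<q>['"])(?P<value>.*?)(?P=q)\s*;""",
    re.IGNORECASE | re.VERBOSE,
)


def mask(value: str) -> str:
    """Keep only the first two characters so the report does not itself leak the secret."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def find_php_credentials(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, variable name, masked value) for each hard-coded credential."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CRED_ASSIGN.finditer(line):
            hits.append((lineno, m.group("name"), mask(m.group("value"))))
    return hits


def scan_repo(root: str) -> dict[str, list[tuple[int, str, str]]]:
    """Walk a checked-out repository and scan every .php file (assumed layout)."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(".php"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_php_credentials(fh.read())
                if hits:
                    report[path] = hits
    return report


if __name__ == "__main__":
    for lineno, name, value in find_php_credentials(SAMPLE_CONFIG_PHP):
        print(f"line {lineno}: ${name} = {value}")
```

Run `scan_repo(".")` inside a clone to get a per-file report; anything it lists should be rotated, not just removed from history.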
3. Checking mail
After logging into the system, there was new mail; let's look at the message.
"/var/mail/dc7user": 15 messages 15 unread
>U 1 Cron Daemon Mon Jan 8 15:30 24/775 Cron/opt/scripts/backups.sh
U 2 Cron Daemon Mon Jan 8 15:45 23/749 Cron/opt/scripts/backups.sh
U 3 Cron Daemon Mon Jan 8 16:00 23/749 Cron/opt/scripts/backups.sh
U 4 Cron Daemon Mon Jan 8 16:15 23/749 Cron/opt/scripts/backups.sh
U 5 Cron Daemon Mon Jan 8 16:30 23/749 Cron/opt/scripts/backups.sh
U 6 Cron Daemon Mon Jan 8 16:45 23/749 Cron/opt/scripts/backups.sh
U 7 Cron Daemon Mon Jan 8 17:00 23/749 Cron/opt/scripts/backups.sh
U 8 Cron Daemon Mon Jan 8 17:15 23/749 Cron/opt/scripts/backups.sh
U 9 Cron Daemon Mon Jan 8 17:30 23/749 Cron/opt/scripts/backups.sh
U 10 Cron Daemon Mon Jan 8 17:45 23/749 Cron/opt/scripts/backups.sh
U 11 Cron Daemon Mon Jan 8 18:00 23/749 Cron/opt/scripts/backups.sh
U 12 Cron Daemon Mon Jan 8 18:15 23/749 Cron/opt/scripts/backups.sh
U 13 Cron Daemon Mon Jan 8 18:30 23/749 Cron/opt/scripts/backups.sh
U 14 Cron Daemon Mon Jan 8 18:45 23/749 Cron/opt/scripts/backups.sh
U 15 Cron Daemon Mon Jan 8 19:00 23/749 Cron/opt/scripts/backups.sh
?
Return-path:
Envelope-to: root@dc-7
Delivery-date: Mon, 08 Jan 2024 15:30:03 +1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from )
id 1rMiD5-0000P6-VW
for root@dc-7; Mon, 08 Jan 2024 15:30:03 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron/opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env:
X-Cron-Env:
X-Cron-Env:
X-Cron-Env:
Message-Id:
Date: Mon, 08 Jan 2024 15:30:03 +1000
X-IMAPbase: 1704704625 28
Status: O
X-UID: 13
Database dump saved to /home/dc7user/backups/website.sql [success]
Apart from learning about a scheduled task (which executes /opt/scripts/backups.sh), the mail contains nothing useful. Check the permissions of that file:
Unfortunately, only root and www-data can write to it, so it looks like the only option is to look around the home directory.
There are two encrypted files in the backups directory.
The .drush directory contains the following files:
drush.complete.sh contains some information about drush, and one line gave us an idea: "Ensure drush is available". Running it showed that the command does exist and can be used. Drush is not the same thing as Drupal; drush is a tool for installing and configuring Drupal.
4. Resetting the web password
1) Drupal connection information
Using the information above, look at the database configuration file and enter the database; no useful user information is visible.
Use drush to reset the web admin password and log into the site.
When editing content, only the following three HTML text formats are available; PHP cannot be used.
So look at the extensions: there is no module for editing PHP, but installation is offered, with both online and offline install supported.
Download the plugin from the Drupal site at https://ftp.drupal.org/files/projects/php-8.x-1.x-dev.tar.gz, then import and install it. After a successful install it looks like this:
After installing, enable the PHP module; the content editor then has an extra PHP code option.
Insert a PHP webshell here, then connect to it.
III. Privilege escalation
1. Escalating privileges
After connecting to the webshell, spawn a reverse shell session to use for privilege escalation.
We are now the www-data user, which can write to the backups.sh file from earlier. We write a reverse shell into that file and then wait: the scheduled task runs every 15 minutes, so the session only arrives after up to 15 minutes.
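The root cause here is a script that root's cron executes but that www-data can modify. As an added defender-side check (not code from the write-up), this script pulls the script path out of Cron Daemon mail subjects like those shown in the mailbox above and reports the write bits that let a non-root user change a root-executed file; the gid 33 for www-data is the Debian default and an assumption here.

```python
import os
import re
import stat

# Constructed excerpt of the mailbox listing shown in the write-up.
MAIL_LISTING = """\
>U 1 Cron Daemon Mon Jan 8 15:30 24/775 Cron/opt/scripts/backups.sh
 U 2 Cron Daemon Mon Jan 8 15:45 23/749 Cron/opt/scripts/backups.sh
 U 3 Cron Daemon Mon Jan 8 16:00 23/749 Cron/opt/scripts/backups.sh
"""

# Real subject is "Cron <user@host> /path"; the listing above has lost the <...> part.
CRON_SUBJECT = re.compile(r"Cron\s*(?:<[^>]*>\s*)?(/\S+)")

WWW_DATA_GID = 33  # Debian default for www-data; assumption, confirm in /etc/group


def cron_scripts_from_mail(listing: str) -> list[str]:
    """Unique script paths named in Cron Daemon subjects, in order of first appearance."""
    found: list[str] = []
    for line in listing.splitlines():
        m = CRON_SUBJECT.search(line)
        if m and m.group(1) not in found:
            found.append(m.group(1))
    return found


def weak_write_bits(mode: int, owner_uid: int, group_gid: int, trusted_gids=(0,)) -> list[str]:
    """Reasons a script run by root's cron could be modified by a non-root user."""
    problems = []
    if owner_uid != 0:
        problems.append(f"owned by uid {owner_uid}, not root")
    if mode & stat.S_IWGRP and group_gid not in trusted_gids:
        problems.append(f"group-writable by gid {group_gid}")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def audit_cron_script(path: str) -> list[str]:
    """Stat the script and its parent directory: a writable parent allows replacing the file."""
    st = os.stat(path)
    problems = weak_write_bits(st.st_mode, st.st_uid, st.st_gid)
    parent = os.stat(os.path.dirname(path) or ".")
    problems += ["parent dir " + p for p in weak_write_bits(parent.st_mode, parent.st_uid, parent.st_gid)]
    return problems


if __name__ == "__main__":
    for script in cron_scripts_from_mail(MAIL_LISTING):
        try:
            print(script, audit_cron_script(script) or ["ok"])
        except FileNotFoundError:
            print(script, "not present on this host")
```

The fix on the box side is `chown root:root` plus `chmod 755` on the script and its directory, so that the backup job no longer executes content www-data controls.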
2. Privilege escalation succeeded
3. Viewing the flag
That completes the box.
IV. Persistence
Omitted
V. Covering tracks
Omitted
Originally published on the WeChat public account (Red Teams): DC-7