Penetration testing exercise: DC-1


author: leadlife

date: 2023/5/11

blog: https://tripse.github.io/

demonstration: the box is originally meant to have you collect all the flags; I didn't bother doing that here, so go and find them yourself if you are interested.

Tools used in this test:

  • Information gathering: nmap, fscan, cmseek, searchsploit
  • Getting a SHELL: MSF
  • Internal information gathering: none
  • Privilege escalation: none

External information gathering

Nmap ICMP scan to discover hosts

Among the hosts found, 10.10.10.128 is our target machine

sudo nmap -sP 10.10.10.0/24 -T4 --min-rate 10000

leadlife@endeavrouOS ~/p/DC1> sudo nmap -sP 10.10.10.0/24 -T4 --min-rate 10000
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-11 18:31 CST
Nmap scan report for 10.10.10.128
Host is up (0.00011s latency).
MAC Address: 08:00:27:0C:90:9D (Oracle VirtualBox virtual NIC)
Nmap scan report for 10.10.10.254
Host is up (0.000025s latency).
MAC Address: 00:50:56:EC:CF:01 (VMware)
Nmap scan report for 10.10.10.1
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 0.43 seconds

fscan to probe open ports

sudo fscan -h 10.10.10.128 -p 0-66535 -t 30

[screenshot: fscan output]

Detailed port scan with Nmap

sudo nmap -sS -T4 -sV -O -p22,80,111,50387 --min-rate 10000 -oN namp.all 10.10.10.128 -sC
# Nmap 7.93 scan initiated Thu May 11 18:27:05 2023 as: nmap -sS -T4 -sV -O -p22,80,111,50387 --min-rate 10000 -oN namp.all -sC 10.10.10.128
Nmap scan report for 10.10.10.128
Host is up (0.00021s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey:
| 1024 c4d659e6774c227a961660678b42488f (DSA)
| 2048 1182fe534edc5b327f446482757dd0a0 (RSA)
|_ 256 3daa985c87afea84b823688db9055fd8 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-title: Welcome to Drupal Site | Drupal Site
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-generator: Drupal 7 (http://drupal.org)
|_http-server-header: Apache/2.2.22 (Debian)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 35804/udp6 status
| 100024 1 41727/udp status
| 100024 1 50387/tcp status
|_ 100024 1 52241/tcp6 status
50387/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:0C:90:9D (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu May 11 18:27:20 2023 -- 1 IP address (1 host up) scanned in 15.41 seconds
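To turn the scan output above into something a defender can act on, here is an added Python example (not part of the original write-up) that parses nmap's normal (-oN) output, keeps each port's state/service/version row together with its NSE script lines, and flags the items worth a ticket: the Drupal generator tag exposed on port 80, the old OpenSSH 6.x and end-of-life Apache 2.2 builds, and the rpcbind/status services. The embedded sample is a constructed excerpt of the output above; the version thresholds and the wording of the findings are assumptions to adjust to your own policy.

```python
import re

# Constructed sample: an excerpt of the nmap -oN output shown above.
SAMPLE_NMAP = """\
# Nmap 7.93 scan initiated Thu May 11 18:27:05 2023 as: nmap -sS -T4 -sV -O -p22,80,111,50387 --min-rate 10000 -oN namp.all -sC 10.10.10.128
Nmap scan report for 10.10.10.128
Host is up (0.00021s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-title: Welcome to Drupal Site | Drupal Site
|_http-generator: Drupal 7 (http://drupal.org)
|_http-server-header: Apache/2.2.22 (Debian)
111/tcp open rpcbind 2-4 (RPC #100000)
50387/tcp open status 1 (RPC #100024)
"""

# "22/tcp open ssh OpenSSH 6.0p1 ..." -> port, proto, state, service, rest-of-line version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "|_http-generator: Drupal 7 (...)" -> script name, script value (continuation rows have no "name:")
SCRIPT_RE = re.compile(r"^\|_?\s*([\w-]+):\s*(.*)$")


def parse_nmap_normal(text):
    """Return one dict per port row; NSE script lines are attached to the preceding port."""
    ports = []
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {
                "port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                "service": m.group(4), "version": m.group(5).strip(), "scripts": {},
            }
            ports.append(current)
            continue
        m = SCRIPT_RE.match(line)
        if m and current is not None:
            current["scripts"][m.group(1)] = m.group(2).strip()
    return ports


def triage(ports):
    """Produce defender-oriented findings from parsed port rows (thresholds are assumptions)."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        where = f"{p['port']}/{p['proto']}"
        m = re.match(r"OpenSSH (\d+)\.(\d+)", p["version"])
        if m and int(m.group(1)) < 7:
            findings.append(f"{where}: OpenSSH {m.group(1)}.{m.group(2)} is an old release; plan an upgrade")
        gen = p["scripts"].get("http-generator", "")
        if gen.startswith("Drupal"):
            findings.append(f"{where}: CMS fingerprint exposed via generator meta tag: {gen}")
        m = re.match(r"Apache httpd (\d+)\.(\d+)", p["version"])
        if m and (int(m.group(1)), int(m.group(2))) < (2, 4):
            findings.append(f"{where}: Apache {m.group(1)}.{m.group(2)} branch is end-of-life")
        if p["service"] in ("rpcbind", "status"):
            findings.append(f"{where}: {p['service']} exposed; restrict or disable it if NFS/NIS is not needed")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_nmap_normal(SAMPLE_NMAP)):
        print(finding)
```

Running it over the sample yields five findings (old OpenSSH, Drupal generator tag, end-of-life Apache, rpcbind, status). The same parser works on a full -oN file with multiple hosts because only port rows and "name:" script rows are consumed; everything else is ignored.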

Identifying the CMS

On visiting the site you can see that it is Drupal

[screenshot: Drupal site home page]

Identifying the CMS version with CMSeek

[screenshots: CMSeek output]

Searching for vulnerabilities in this CMS version with searchsploit

searchsploit drupal 7

[screenshot: searchsploit results]

It turns out there are exploitable vulnerabilities for version 7 as well as for versions above and below it, so let's try them with msf.

Getting a SHELL

Exploit attempts with MSF

In a real penetration test it is not recommended to fire the exploits one after another; confirm the details first and use the right exploit precisely.

[screenshot: msf search results]

Got a SHELL using exploit number 1

[screenshots: msf exploit session]

Internal information gathering

Preparation for the subsequent privilege escalation

Kernel and distribution

[screenshot: kernel and distribution information]

SUID

Here find can be used for privilege escalation

[screenshot: SUID binaries found]

SUDO

There is no sudo

www-data@DC-1:/var/www$ sudo -l
bash: sudo: command not found
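As an added example (not from the original walkthrough), here is a Python audit a defender would run on the host: it lists SUID binaries owned by root and reports any that are not in an expected baseline, which is how a stray SUID find like the one in the SUID section above gets caught before it matters. The baseline set and the sample listing are constructed assumptions (trim the baseline to your own golden image); the live walk_suid() scan only runs when the script is executed directly.

```python
import os
import stat

# Assumed baseline of SUID-root binaries normally present on a Debian-style host.
# Anything SUID-root outside this set is reported; adjust to your own image.
BASELINE_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/bin/sudo",
}

# Constructed sample listing of (path, st_mode, st_uid), mirroring the kind of
# result the SUID enumeration above shows: a stock set plus find.
SAMPLE = [
    ("/bin/su", 0o104755, 0),
    ("/usr/bin/passwd", 0o104755, 0),
    ("/usr/bin/find", 0o104755, 0),           # constructed: SUID root, not in baseline
    ("/bin/ls", 0o100755, 0),                 # constructed: not SUID, must be ignored
    ("/usr/local/bin/tool", 0o104755, 1000),  # constructed: SUID but not root-owned
]


def is_setuid_root(mode, uid):
    """True when the setuid bit is set and the file is owned by uid 0."""
    return bool(mode & stat.S_ISUID) and uid == 0


def unexpected_suid(entries, baseline=BASELINE_SUID):
    """Return sorted paths that are SUID-root but absent from the baseline."""
    return sorted(path for path, mode, uid in entries
                  if is_setuid_root(mode, uid) and path not in baseline)


def walk_suid(roots=("/bin", "/sbin", "/usr")):
    """Live scan: yield (path, mode, uid) for regular files under the given roots."""
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat so symlinks are not followed
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode):
                    yield path, st.st_mode, st.st_uid


if __name__ == "__main__":
    print("sample:", unexpected_suid(SAMPLE))
    for path in unexpected_suid(walk_suid()):
        print("unexpected SUID-root binary:", path)
```

On the sample the only report is /usr/bin/find. Remediation for a finding is to clear the bit (chmod u-s on the file) or replace the binary with one that does not need it, and to run the audit periodically (cron or a configuration-management check) so that drift from the baseline is noticed rather than discovered by an intruder.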

Privilege escalation

Privilege escalation via SUID find

[screenshot: privilege escalation via SUID find]