oscp-vulnhub-VulnOS - My-oscp-all-things

[https://g0blin.co.uk/vulnos-2-vulnhub-writeup/](https://g0blin.co.uk/vulnos-2-vulnhub-writeup/) 通过arp-scan定位靶机ipaddress为192.168.56.104 ### information_gathering ![1.jpg](https://cdn.nlark.com/yuque/0/2020/jpeg/10362401/1608862975220-fccda9ca-44bd-4109-9ea4-3cb13b4fbc53.jpeg#align=left&display=inline&height=247&margin=%5Bobject%20Object%5D&name=1.jpg&originHeight=247&originWidth=1080&size=181881&status=done&style=none&width=1080) 端口情况： ``` nmap -sC -sV -vv -p- 192.168.56.104 ``` open port:80 22 6667 ![2.jpg](https://cdn.nlark.com/yuque/0/2020/jpeg/10362401/1608862982424-b010834d-b5e4-4136-86b7-80e6887f51df.jpeg#align=left&display=inline&height=306&margin=%5Bobject%20Object%5D&name=2.jpg&originHeight=306&originWidth=1080&size=288813&status=done&style=none&width=1080) 访问80，通过图标发现为drupal，访问默认登陆页面进行确认, default credentials:admin admin[@123 ](https://www.yuque.com/123%C2%A0) 登陆失败 [http://192.168.56.104/jabc/?q=user](http://192.168.56.104/jabc/?q=user) ![3.jpg](https://cdn.nlark.com/yuque/0/2020/jpeg/10362401/1608862991194-82122be5-7dfb-4f19-af94-59f13c03ed40.jpeg#align=left&display=inline&height=426&margin=%5Bobject%20Object%5D&name=3.jpg&originHeight=426&originWidth=1080&size=77806&status=done&style=none&width=1080) ![4.jpg](https://cdn.nlark.com/yuque/0/2020/jpeg/10362401/1608862998155-d58572ee-f7b2-49c1-98a0-524e94d50fa2.jpeg#align=left&display=inline&height=489&margin=%5Bobject%20Object%5D&name=4.jpg&originHeight=489&originWidth=1080&size=85639&status=done&style=none&width=1080) ![5.jpg](https://cdn.nlark.com/yuque/0/2020/jpeg/10362401/1608863007582-18f16be2-ecc8-4330-99d9-e9a93d4309f1.jpeg#align=left&display=inline&height=641&margin=%5Bobject%20Object%5D&name=5.jpg&originHeight=641&originWidth=1080&size=103776&status=done&style=none&width=1080) ### Establish a foothold 通过msf 修改下targeturi 为/jabc reverse_shell ![6.jpg](https://cdn.nlark.com/yuque/0/2020/jpeg/10362401/1608863015049-94fd71a9-82e7-48fb-bca2-6dfc510981eb.jpeg#align=left&display=inline&height=846&margin=%5Bobject%20Object%5D&name=6.jpg&originHeight=846&originWidth=1080&size=472848&status=done&style=none&width=1080) ``` python -c 'import pty;pty.spawn("/bin/bash")' ``` 发现/var/www/html下有多个目录，即多个网站 ![7.jpg](https://cdn.nlark.com/yuque/0/2020/jpeg/10362401/1608863022119-32ce8893-85e3-472a-be0d-cfea82c213c5.jpeg#align=left&display=inline&height=594&margin=%5Bobject%20Object%5D&name=7.jpg&originHeight=594&originWidth=1080&size=243528&status=done&style=none&width=1080) 从database.sql中得到密码 ![8.jpg](https://cdn.nlark.com/yuque/0/2020/jpeg/10362401/1608863030025-0136dbab-3729-4a8f-bb20-49488133dbcd.jpeg#align=left&display=inline&height=917&margin=%5Bobject%20Object%5D&name=8.jpg&originHeight=917&originWidth=1080&size=329707&status=done&style=none&width=1080) 访问192.168.56.104/jabcd0cs ![9.jpg](https://cdn.nlark.com/yuque/0/2020/jpeg/10362401/1608863036307-2780d3c7-9ca4-4097-aaf2-549ae63390a4.jpeg#align=left&display=inline&height=398&margin=%5Bobject%20Object%5D&name=9.jpg&originHeight=398&originWidth=1070&size=104102&status=done&style=none&width=1070) 然而登陆失败，查看config.php ![10.jpg](https://cdn.nlark.com/yuque/0/2020/jpeg/10362401/1608863043224-da37a0d4-12d3-42fc-9fbb-ebc96ff31391.jpeg#align=left&display=inline&height=764&margin=%5Bobject%20Object%5D&name=10.jpg&originHeight=764&originWidth=1080&size=410898&status=done&style=none&width=1080) database->drupal7->users/system ![11.jpg](https://cdn.nlark.com/yuque/0/2020/jpeg/10362401/1608863050152-7b351ad4-932f-4cd4-8d4a-e072277a34d4.jpeg#align=left&display=inline&height=144&margin=%5Bobject%20Object%5D&name=11.jpg&originHeight=144&originWidth=1080&size=78252&status=done&style=none&width=1080) ``` $S$DPc41p2JwLXR6vgPCi.jC7WnRMkw3Zge3pVoJFnOn6gfMfsOr/Ug ``` 用john爆破，，，然并卵用jabcd0cs库，找到两个密码 webadmin密码加密为：b78aae356709f8c31118ea613980954b 密码为webmin1980 ![12.jpg](https://cdn.nlark.com/yuque/0/2020/jpeg/10362401/1608863057882-fdeef3c2-71f2-48d6-a0ec-f26ae91efd94.jpeg#align=left&display=inline&height=421&margin=%5Bobject%20Object%5D&name=12.jpg&originHeight=421&originWidth=1080&size=206569&status=done&style=none&width=1080) ![13.jpg](https://cdn.nlark.com/yuque/0/2020/jpeg/10362401/1608863083904-b352b995-731e-4b33-b151-71b70ed90717.jpeg#align=left&display=inline&height=555&margin=%5Bobject%20Object%5D&name=13.jpg&originHeight=555&originWidth=1080&size=77814&status=done&style=none&width=1080) ### Privilege Escalation 直接内核提权 ![14.jpg](https://cdn.nlark.com/yuque/0/2020/jpeg/10362401/1608863091696-cef1cdd4-6dd6-486e-bc81-d87ef121c0dd.jpeg#align=left&display=inline&height=289&margin=%5Bobject%20Object%5D&name=14.jpg&originHeight=289&originWidth=1080&size=136819&status=done&style=none&width=1080)![15.jpg](https://cdn.nlark.com/yuque/0/2020/jpeg/10362401/1608863100233-1cf891fa-52f4-43e3-8291-406f7432398f.jpeg#align=left&display=inline&height=498&margin=%5Bobject%20Object%5D&name=15.jpg&originHeight=498&originWidth=792&size=65895&status=done&style=none&width=792)