Writeup: Hack The Box - Machines - Hawk

Description

  • Name: Hawk
  • IP: 10.10.10.102
  • Author: mrh4sh
  • Difficulty: 4.6/10

Discovery

nmap -sV -sC -Pn -p 1-65535 -T5 --min-rate 1000 --max-retries 5 10.10.10.102

PORT     STATE SERVICE       VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 ftp ftp 4096 Jun 16 22:21 messages
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.14.124
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e4:0c:cb:c5:a5:91:78:ea:54:96:af:4d:03:e4:fc:88 (RSA)
| 256 95:cb:f8:c7:35:5e:af:a9:44:8b:17:59:4d:db:5a:df (ECDSA)
|_ 256 4a:0b:2e:f7:1d:99:bc:c7:d3:0b:91:53:b9:3b:e2:79 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Welcome to 192.168.56.103 | 192.168.56.103
5435/tcp open tcpwrapped
8082/tcp open http H2 database http console
|_http-title: H2 Console
9092/tcp open XmlIpcRegSvc?
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Pwn

The FTP server allows anonymous logins (or the ftp:ftp credentials): we cannot upload files, but there is a hidden file called drupal.txt.enc.

The file is an OpenSSL salted file, so we wrote a Python brute-force script to recover its contents.

Since we didn't know the password or the encryption algorithm, we took every algorithm listed by openssl enc -ciphers and used rockyou as the wordlist.

To speed up the process we used the multiprocessing library and saved every attempt in the ./decoded folder.

import multiprocessing as mp
import os
import subprocess

CIPHERS = [
"aes-128-cbc",
"aes-128-cfb",
"aes-128-cfb1",
"aes-128-cfb8",
"aes-128-ctr",
"aes-128-ecb",
"aes-128-ofb",
"aes-192-cbc",
"aes-192-cfb",
"aes-192-cfb1",
"aes-192-cfb8",
"aes-192-ctr",
"aes-192-ecb",
"aes-192-ofb",
"aes-256-cbc",
"aes-256-cfb",
"aes-256-cfb1",
"aes-256-cfb8",
"aes-256-ctr",
"aes-256-ecb",
"aes-256-ofb",
"aes128",
"aes128-wrap",
"aes192",
"aes192-wrap",
"aes256",
"aes256-wrap",
"bf",
"bf-cbc",
"bf-cfb",
"bf-ecb",
"bf-ofb",
"blowfish",
"camellia-128-cbc",
"camellia-128-cfb",
"camellia-128-cfb1",
"camellia-128-cfb8",
"camellia-128-ctr",
"camellia-128-ecb",
"camellia-128-ofb",
"camellia-192-cbc",
"camellia-192-cfb",
"camellia-192-cfb1",
"camellia-192-cfb8",
"camellia-192-ctr",
"camellia-192-ecb",
"camellia-192-ofb",
"camellia-256-cbc",
"camellia-256-cfb",
"camellia-256-cfb1",
"camellia-256-cfb8",
"camellia-256-ctr",
"camellia-256-ecb",
"camellia-256-ofb",
"camellia128",
"camellia192",
"camellia256",
"cast",
"cast-cbc",
"cast5-cbc",
"cast5-cfb",
"cast5-ecb",
"cast5-ofb",
"chacha20",
"des",
"des-cbc",
"des-cfb",
"des-cfb1",
"des-cfb8",
"des-ecb",
"des-ede",
"des-ede-cbc",
"des-ede-cfb",
"des-ede-ecb",
"des-ede-ofb",
"des-ede3",
"des-ede3-cbc",
"des-ede3-cfb",
"des-ede3-cfb1",
"des-ede3-cfb8",
"des-ede3-ecb",
"des-ede3-ofb",
"des-ofb",
"des3",
"des3-wrap",
"desx",
"desx-cbc",
"id-aes128-wrap",
"id-aes128-wrap-pad",
"id-aes192-wrap",
"id-aes192-wrap-pad",
"id-aes256-wrap",
"id-aes256-wrap-pad",
"id-smime-alg-CMS3DESwrap",
"idea",
"idea-cbc",
"idea-cfb",
"idea-ecb",
"idea-ofb",
"rc2",
"rc2-128",
"rc2-40",
"rc2-40-cbc",
"rc2-64",
"rc2-64-cbc",
"rc2-cbc",
"rc2-cfb",
"rc2-ecb",
"rc2-ofb",
"rc4",
"rc4-40",
"seed",
"seed-cbc",
"seed-cfb",
"seed-ecb",
"seed-ofb",
]

os.system("rm -r ./decoded")
os.system("mkdir ./decoded")


def bruteforce(password):
    # -a/-base64: base64 decode before decrypting, matching the encryption flag
    # -d decrypt, -salt expect the "Salted__" header, -pass pass: feed the guess
    for c in CIPHERS:
        # one openssl run per cipher, passed as an argument list so passwords
        # with shell metacharacters cannot break the command
        subprocess.run(
            ["openssl", c, "-salt", "-a", "-d", "-in", "drupal.txt.enc",
             "-pass", "pass:" + password,
             "-out", "decoded/" + c + "-" + password + ".txt"],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    #os.system("find ./decoded -size 0 -delete")


if __name__ == "__main__":
    # one worker per CPU core; rockyou is not valid UTF-8, hence ISO-8859-1
    with mp.Pool(os.cpu_count()) as p:
        wordlist = open(
            "/home/dodo/Tools/rockyou.txt", encoding='ISO-8859-1').read().split()
        p.map(bruteforce, wordlist)
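As an added illustration (not part of the original writeup), the following Python shows what an openssl enc -salt file looks like on disk and why a wordlist attack on one is cheap: the legacy EVP_BytesToKey KDF costs one MD5 per output block, whereas the -pbkdf2 option costs 10000 HMAC-SHA256 iterations per guess. The sample salt and ciphertext bytes are constructed, not taken from drupal.txt.enc.

```python
import hashlib

MAGIC = b"Salted__"  # 8-byte marker that `openssl enc -salt` writes first


def parse_salted_header(blob: bytes) -> tuple[bytes, bytes]:
    """Split an `openssl enc -salt` file into (salt, ciphertext).

    Layout on disk: b"Salted__" || 8-byte salt || ciphertext.
    """
    if len(blob) < 16 or blob[:8] != MAGIC:
        raise ValueError("not an OpenSSL salted file")
    return blob[8:16], blob[16:]


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int,
                     iv_len: int, count: int = 1) -> tuple[bytes, bytes]:
    """Legacy EVP_BytesToKey (MD5), the KDF `openssl enc` uses without -pbkdf2.

    D_1 = MD5(password || salt), D_i = MD5(D_{i-1} || password || salt);
    key || iv is the concatenation truncated to key_len + iv_len bytes.
    `openssl enc` uses count=1, so one guess costs only a few MD5 calls.
    """
    derived, prev = b"", b""
    while len(derived) < key_len + iv_len:
        block = hashlib.md5(prev + password + salt).digest()
        for _ in range(count - 1):       # extra rounds, unused by `enc`
            block = hashlib.md5(block).digest()
        derived += block
        prev = block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def pbkdf2_key_iv(password: bytes, salt: bytes, key_len: int,
                  iv_len: int, iterations: int = 10000) -> tuple[bytes, bytes]:
    """What `openssl enc -pbkdf2` does instead: PBKDF2-HMAC-SHA256 with
    10000 iterations by default, so each wordlist guess costs ~10000 HMACs."""
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, iterations,
                             key_len + iv_len)
    return dk[:key_len], dk[key_len:]


if __name__ == "__main__":
    # Constructed sample: a header in the format of a real -salt file; the
    # salt and ciphertext bytes are made up, not taken from drupal.txt.enc.
    sample = MAGIC + bytes.fromhex("0011223344556677") + b"\x00" * 32
    salt, ciphertext = parse_salted_header(sample)
    key, iv = evp_bytes_to_key(b"friend", salt, 32, 16)   # aes-256-cbc sizes
    print("salt", salt.hex(), "key", key.hex(), "iv", iv.hex())
```

Files encrypted with -pbkdf2 -iter still carry the same Salted__ header, so the header alone does not tell you which KDF was used; only the per-guess cost differs.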

When the script ended we purged all files that were not ASCII:

file * | rg -v ASCII | awk -F ":" '{print $1}' | xargs rm

and found that the encryption algorithm was aes256 with the password friend:

Daniel,

Following the password for the portal:

PencilKeyboardScanner123

Please let us know when the portal is ready.

Kind Regards,

IT department

With that password we can log in as admin on the Drupal site.

Once logged in as admin, we need to enable the PHP filter module, which allows PHP code in pages, blocks and articles.

Now we create an article containing the code from the Metasploit web_delivery module, with the Text Format set to PHP code:

Now we have a session as the www-data user, which owns the Drupal installation folder. Since we had no useful rights, we searched for credentials in the installation path and discovered that the user to escalate to is daniel.

Using the password drupal4hawk we logged in as daniel from a Python shell and read the flag.

To escalate from daniel to root we focused on the service on port 8082, the H2 database, since it was running as root.

H2 is a relational database management system written in Java; it can be used to store in-memory tables/databases (more info here).

On default installations the user is SA (the admin) and the password is blank (""), but those credentials did not let us log in.

Searching for exploits, we found a way to run commands from the console or to read information using the backup utility.

From the latter we got two files in a zip; one of them contained the string: CREATE USER IF NOT EXISTS SA SALT '8c7f62c31903e978' HASH 'a942ba85504826fb7f25db0920650ad77c66570d526f76d4d3b9b0f6432daeef' ADMIN.

We tried to crack the salted hash but found nothing, so we focused on the H2 login page: simply changing the database to connect to from ~/test to anything other than ~/test, we logged in as SA with a blank password.

Now that we can run commands, we read the root flag.