I started from the scan of the target box. There was only one (TCP) port open, so I started to dig a bit...
First things first: a little ('directory') enumeration:
As you can see, there was an interesting resource called 'backup'. I downloaded it and renamed it to a zip file. The next thing I tried, of course, was to unzip the backup zip file. ;]
So now we should be somewhere here:
(Just like a few times before) to check the "password strength" ;) I used fcrackzip, like this:
Let's try:
Inside the extracted file we will find a DB dump. Cool. Checking - maybe we'll find some password(s):
More:
Let's say we have those two to try:
Checking:
I wasn't sure why it took so long... So I restarted the john session (this time also using the correct parameters ;]). So:
Yep.
So what's now?
I was wondering whether I could prepare an attack similar to all those cases where you already "have the admin's password" - like for Joomla or WordPress... but how to do the same thing in Drupal? I decided to create my own 'module' and upload it as our 'admin' user, webman:
Ready to go:
If you would like some more details about building your own module, I suggest reading this page [1, 2]. (By the way, I saw that there is also an interesting module for this, but we will create our own anyway ;))
Let's start here: create a new directory (mine is sample_module2). Inside we will create 3 files:
- form_example.info:
- form_example.module:
Now we should be ready to 'pack' it and move it to our wwwroot, like this:
We can upload our new module directly via Drupal's admin panel, but I used another way: pointing it to a link from which to download the 'new module':
"Install new module:"
"Install":
Should be ready:
Enable and save configuration if needed:
Our new form is ready to use:
Checking:
Looks like we need something more:
As you remember, we placed our 'evil code' in the event fired when your price is 'not good', so we must 'run' it:
Cool. Now we'll need to obtain an 'interactive shell'. Let's do that.
My next step was to use venome.sh to prepare a PHP reverse shell. I copied it to my webroot again, to download it via our new webshell:
Now we will need to:
- download it
- move it to Drupal's directory (as a php file)
- prepare Metasploit handler
- visit our file via browser
Remember to 'click here':
Our file is ready, checking:
Let's visit our new page:
Great!
Next:
Searching:
Ok, so the next idea was to take 300 passwords from rockyou.txt on my Kali and prepare a script to use in that pseudo-interactive bash...
Preparing:
Checking if it will work on Kali:
So far so good. I copied both files (superbf.sh and the part of rockyou.txt) to the target VM. Now we are ready to run it:
...and after a while...
You should see the result of your command:
I decided to change the superbf.sh script and replace the whoami command with 'chown www-data:www-data -R /root' ;)
Now we are here:
Thanks for preparing this cool CTF go to Fred Wemeijer.
Big thanks go to the VulnHub Team for sharing all of those games.
See you next time!
Cheers