Metasploitable 3 Ubuntu Walkthrough: Part III

Exploiting Port 80 – Drupal

Drupal is a free and open-source web content management framework written in PHP and distributed under the GNU General Public License.

When browsing port 80 with Firefox, Apache will present you with a directory listing containing a number of entries:

Port 80 directory listing

If you go back to the OpenVAS report, you will see a lot of potential on port 80:

OpenVAS list of port 80 services vulnerabilities

The first thing to do should be to identify Drupal’s version. Analyzing the source code of the Drupal page, you can immediately get some information about the website’s structure, namely the fact that many things are served from the drupal/modules folder.

Drupal webpage source code

Digging and researching online will lead you to the discovery of the blog.info file located inside the drupal/modules/blog folder.

Drupal version

Now you know Drupal is version 7.5.

Exploiting Drupal using Metasploit

Searching inside MSF, you will find there are several modules available to use against Drupal:

List of Metasploit modules for Drupal

Comparing this list with the vulnerabilities identified by OpenVAS will tell you exploits 2 and 3 are probably going to succeed.

Let’s try to exploit the SQL Injection vulnerability:

Exploiting Drupal using Metasploit

This is a low privilege session…

NOTES:

  • The targeturi was set to /drupal/ instead of root (/) because that is the Drupal directory on the Apache web server.
  • This exploit is supposed to work only against Drupal 7.0 and 7.31 (the vulnerability was fixed in 7.32). The server apparently has version 7.5 and is still vulnerable.

Now let’s try to exploit the remote code execution vulnerability:

Exploiting Drupal using Metasploit

And this is another low privilege shell…

Exploiting Port 80 – Payroll Application

Another interesting item is the file payroll_app.php. Clicking on it will load a Payroll Login interface.

Payroll Login

The Nmap scan identified a MySQL server running on Metasploitable3. Therefore, it might be a good idea to try a basic SQL injection attack. Let’s use the classic ' OR 1=1#.

Trying basic SQL injection

Clicking the Ok button with the classic injection string in the User input box will immediately reveal a total of 15 users in the Payroll App.

Successful SQL injection
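As an added illustration, not code from this walkthrough or from the Metasploitable 3 payroll app: a Python stand-in for the login query showing why the classic string bypasses a login built by string concatenation and why a parameterized query does not. The table, rows and column names are constructed; since SQLite (used so this runs offline) lacks MySQL's `#` comment, the constructed payload uses the `-- ` comment form, which both engines accept.

```python
import sqlite3

# Constructed stand-in for the payroll database; the real schema is not shown on the page.
USERS = [("leia", "pw1", 1000), ("luke", "pw2", 2000), ("han", "pw3", 3000)]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, salary INTEGER)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return con


def login_vulnerable(con, user, password):
    # The user-controlled strings become part of the SQL text itself, so a quote
    # in the input ends the literal and the rest is parsed as SQL.
    sql = f"SELECT username FROM users WHERE username='{user}' AND password='{password}'"
    return [row[0] for row in con.execute(sql)]


def login_parameterized(con, user, password):
    # Placeholders keep the input as data: the driver never lets it alter the query.
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in con.execute(sql, (user, password))]


# Equivalent of the page's ' OR 1=1# in a form SQLite also treats as a comment.
PAYLOAD = "' OR 1=1-- "

if __name__ == "__main__":
    db = make_db()
    print("concatenated query:", login_vulnerable(db, PAYLOAD, "x"))   # every user
    print("parameterized query:", login_parameterized(db, PAYLOAD, "x"))  # nothing
```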

This could be the beginning of a real SQL Injection attack but instead I went after the code for the Payroll app. I remembered the file was listed in a previous exploit, namely ProFTPD. So, I repeated the exploit and investigated the contents of the file payroll_app.php.

Credentials inside the payroll_app.php file

These appear to be the credentials for the Payroll application but they are not…

Payroll failed logon

However, let’s not forget about these credentials as they might still be useful.

Exploiting Port 80 – phpMyAdmin

Opening the phpMyAdmin link will take you to the service login page:

phpMyAdmin login page

Brute forcing phpMyAdmin using Hydra

Brute forcing this service requires a bit of research but nothing special. You can use the wordlists provided with Kali, or you can add the previous credentials to the customized wordlists.

Brute forcing phpMyAdmin using Hydra

The credentials are valid for the phpMyAdmin service!

Brute forcing phpMyAdmin using Metasploit

There is a scanner module to use against phpMyAdmin but it’s broken and therefore completely useless:

Brute forcing phpMyAdmin using Metasploit

Exploiting phpMyAdmin using Metasploit

The phpMyAdmin web application running on Metasploitable 3 has a remote code execution vulnerability which can be exploited using the phpmyadmin_preg_replace module:

Exploiting phpMyAdmin using Metasploit

Unfortunately, something went wrong with this exploit. It might be a simple thing but I decided not to waste time investigating it. Instead, I tried to use the previously collected credentials…

Exploiting phpMyAdmin using Metasploit

It worked! The created session is a low privilege one, but this means the credentials are valid for phpMyAdmin. Therefore, instead of using them inside MSF, why not use them directly in the phpMyAdmin login page?

Inside the phpMyAdmin dashboard

From here, everything is at your disposal. Take a look at the users table inside the payroll database:

The payroll database

You still need to get root access to the target, so why don’t you add all this information to your user/pass custom wordlists and try to brute force SSH again?

Brute forcing SSH with the new credentials

It works! All these accounts have SSH access and on top of that, Leia, Luke, and Han all have sudo privileges so some of these sessions have root access to the target machine.
