Saturday, April 30, 2016

Droopy: v0.2 ~ VulnHub

Droopy: v0.2 Boot2Root/CTF

Vulnerable Machine: Droopy: v0.2
Attacker OS: Kali Linux 2016.1-amd64
Oracle Virtualbox
Network: Internal Network

1. Scan the network to see what systems are available. Using netdiscover -i eth0 -r
We are able to see that there are two machines running under CADMUS COMPUTER SYSTEMS. Let's look further into the 104 IP.

2. Use nmap to discover what open ports and services are running.
Looks like the vulnerable system has an application called Drupal 7 running on port 80.

3. Let's take a look at that http front end.
Now that we've verified that the service is indeed running and that we can connect to it, let's find an exploit for it.

4. There is a nice python exploit written for Drupal that will allow us to insert an Admin user into the application.

Following the format given I was able to add a new user.

5. Let's log into the service and see what we can do with the account.

Doesn't look like much. Let's look at the modules that are available.

Adding the PHP module will allow us to inject code. We will also need to go into the permissions for the PHP Filter and allow "Use the PHP code text format" in order to create new content that consists of PHP code.
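As an added defensive check (not part of the original walkthrough), the following Python audit looks in a Drupal 7 database for the two footholds the last two steps rely on: administrator accounts created recently and the core PHP filter module being enabled. It assumes the Drupal 7 core table names (users, role, users_roles, system) and uses a constructed in-memory SQLite copy in place of the site's real MySQL/PostgreSQL database.

```python
import sqlite3
import time

# Constructed stand-in for a Drupal 7 database; table and column names follow Drupal 7 core.
SCHEMA = """
CREATE TABLE users (uid INTEGER, name TEXT, mail TEXT, created INTEGER, status INTEGER);
CREATE TABLE role (rid INTEGER, name TEXT);
CREATE TABLE users_roles (uid INTEGER, rid INTEGER);
CREATE TABLE system (filename TEXT, name TEXT, type TEXT, status INTEGER);
"""

def sample_conn():
    """Constructed data: one old admin, one admin created an hour ago, php module on."""
    now = int(time.time())
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?)", [
        (1, "admin", "admin@example.test", now - 400 * 86400, 1),
        (2, "editor", "editor@example.test", now - 300 * 86400, 1),
        (3, "owned", "owned@example.test", now - 3600, 1)])
    conn.executemany("INSERT INTO role VALUES (?,?)",
                     [(1, "anonymous user"), (2, "authenticated user"), (3, "administrator")])
    conn.executemany("INSERT INTO users_roles VALUES (?,?)", [(1, 3), (3, 3)])
    conn.executemany("INSERT INTO system VALUES (?,?,?,?)", [
        ("modules/php/php.module", "php", "module", 1),
        ("modules/node/node.module", "node", "module", 1)])
    return conn

def new_admins(conn, max_age_days=30):
    """Names of accounts holding the administrator role that were created recently."""
    cutoff = int(time.time()) - max_age_days * 86400
    rows = conn.execute("""
        SELECT u.name FROM users u
        JOIN users_roles ur ON ur.uid = u.uid
        JOIN role r ON r.rid = ur.rid
        WHERE r.name = 'administrator' AND u.created > ?""", (cutoff,))
    return [name for (name,) in rows]

def php_filter_enabled(conn):
    """True if the core PHP filter module is enabled (it lets content authors run PHP)."""
    row = conn.execute("SELECT status FROM system WHERE name='php' AND type='module'").fetchone()
    return bool(row and row[0])

def audit(conn):
    """Collect findings a site owner should review."""
    findings = [f"recently created administrator account: {n}" for n in new_admins(conn)]
    if php_filter_enabled(conn):
        findings.append("PHP filter module is enabled; disable it unless it is required")
    return findings
```

Running audit(sample_conn()) on the constructed data reports the account "owned" and the enabled PHP filter module; against a real site, point the queries at the Drupal database instead.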

6. Use your favorite PHP reverse shell code and build a new page with it. The one I use can be found here:
Almost ready.

7. Use netcat to listen on the port that your reverse shell connects back to.

Now we can execute our PHP code by hitting save.

We now have a basic shell for the system.

8. Upgrade to a /bin/bash shell using Python.
Running the following command will allow you to have better visibility of the path that you are in:
    python -c 'import pty; pty.spawn("/bin/bash")'

This step is not necessary, but it's one that I like to perform any time I am in a limited shell.

9. Root
Running the lsb_release -a command we are able to see that the server is running Ubuntu 14.04.1 LTS. Fortunately there is a privilege escalation exploit available for this version.

10. Email
We are given the hint "It's fun to read other people's email." Let's go to /var/mail/ and see what's there.
There are several hints here for us:
1) No longer than 11 characters
2) We know what academy we went to
Combine that with the hint "Grab a copy of the rockyou wordlist" and let's sort through the wordlist for words containing "academy". This can be done with the following command:
grep "academy" rockyou.txt > rockacademy.txt
(Don't use grep -n here: it would prefix every candidate with its line number, so none of them would match the real password.)

Now let's transfer our TrueCrypt flag file from the root directory to our machine where we can crack it.

11. Copy to a location where it can be downloaded

We can easily get to /var/www/html/sites from the web front end so let's copy there.

12. Use truecrack with the modified wordlist to crack the password.
That didn't find the password. Let's try it using the SHA-512 key derivation function.

13. Open the TrueCrypt container to find the flag.
In Kali 2.0 TrueCrypt was removed from the list of programs. The following link shows how to install an alternative program, VeraCrypt, to open the volume.

The flag is in several hidden folders within the TrueCrypt container. Use the ls -a command to find it.

14. Beer Time!!!