Droopy: v0.2 Boot2Root/CTF
Vulnerable Machine: Droopy: v0.2
Attacker OS: Kali Linux 2016.1-amd64
Network: Internal Network
2. Use nmap to discover what open ports and services are running.
3. Let's take a look at that http front end.
There is a nice Python exploit written for Drupal that will allow us to insert an Admin user into the application.
6. Use your favorite php reverse shell code and build a new page with it. The one I use can be found here: http://pentestmonkey.net/tools/web-shells/php-reverse-shell
7. Use netcat to listen on the port that you are opening.
Now we can execute our PHP code by hitting save.
8. Spawn a /bin/bash shell using Python.
Running the following command will allow you to have better visibility of the path that you are in:
python -c 'import pty; pty.spawn("/bin/bash")'
This step is not necessary, but it's one that I like to perform any time I am in a limited shell.
Running the lsb_release -a command we are able to see that the server is running Ubuntu 14.04.1 LTS. Fortunately there is a privilege escalation exploit available for this version. https://www.exploit-db.com/exploits/37292/
We are given the hint "It's fun to read other people's email." Let's go to /var/mail/ and see what's there.
1) No longer than 11 characters
2) We know what academy we went to
Combine that with the hint "Grab a copy of the rockyou wordlist" and let's sort through the wordlist for words containing academy. This can be done with the following command (grep's -n option is left out on purpose: it would prefix every match with its line number, which would corrupt the wordlist):
grep "academy" rockyou.txt > rockacademy.txt
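The two hints above narrow the candidate list in two independent ways: a required substring and a maximum length. The grep command applies only the first. The following added example (not part of the original walkthrough) applies both, using a small constructed wordlist in place of rockyou.txt; the function names, the sample entries and the case-sensitive matching are assumptions of this example. Counting the survivors is a useful way to see how much of the keyspace a hint like this gives away.

```shell
#!/bin/sh
# Constructed stand-in for rockyou.txt: one candidate per line (assumption).
make_sample_wordlist() {
  cat > "$1" <<'EOF'
password
academy
academy123
Academy2014
navalacademy
sillyacademy
academyofrock
myacademy1
EOF
}

# Keep only lines that contain the hint substring (case-sensitive, as in the
# walkthrough's grep) and are no longer than the stated maximum length.
# Usage: filter_wordlist <infile> <hint> <maxlen> <outfile>
filter_wordlist() {
  infile=$1; hint=$2; maxlen=$3; outfile=$4
  grep -- "$hint" "$infile" \
    | awk -v max="$maxlen" 'length($0) <= max' > "$outfile"
}

# Print how many candidates survived the filter.
count_candidates() {
  wc -l < "$1" | tr -d ' '
}

# Stand-alone run: build the sample list, filter it, report the survivors.
tmpdir=$(mktemp -d)
make_sample_wordlist "$tmpdir/rockyou.txt"
filter_wordlist "$tmpdir/rockyou.txt" academy 11 "$tmpdir/rockacademy.txt"
echo "candidates kept: $(count_candidates "$tmpdir/rockacademy.txt")"
cat "$tmpdir/rockacademy.txt"
```

On the sample list, 8 entries shrink to 3 (academy, academy123, myacademy1): "Academy2014" fails the case-sensitive match and the longer entries fail the length bound. awk's length() counts bytes in some implementations, which matters only for non-ASCII entries.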
Now let's transfer our TrueCrypt flag file from the root directory to our machine where we can crack it.
11. Copy dave.tc to a location where it can be downloaded
We can easily get to /var/www/html/sites from the web front end so let's copy dave.tc there.
12. Use truecrack with modified wordlist to crack the password.
That didn't find the password. Let's try it using the SHA-512 key derivation function.
In Kali 2.0 TrueCrypt was removed from the list of programs. The following link shows how to install an alternative program, VeraCrypt, to open the volume.
The flag is inside several nested hidden folders within the TrueCrypt container. Use the ls -a command to find it.
14. Beer Time!!!