7MS #188: Vulnhub Walkthrough - DroopyCTF
I'm intentionally not posting a full walkthrough with all the juicy details for a few reasons:
Full (and better) walkthroughs already exist online.
By not posting the full details, it allows you the chance to get just a little push in the right direction without ruining the entire challenge.
I like to show my full thought process as I do a whole lot of stuff wrong before I start making good progress. We can both likely learn something from that :-)
- Note: My experience with this VM is that sometimes after a reboot, the Web service would be in a crashed/broken state, which forces you to reimport the VM from scratch. Eventually I just did a fresh import, got the network config'd the way I wanted it, and made a snapshot. That way you can just roll back with easy if the VM gets borqued.
An NMAP scan of this site reveals only port 80 open in what looks to be a Drupal site. I learned during the OSCP that hitting the /changelog.txt of a Drupal site should reveal its current version.
In looking for specific vulnerabilities that apply to that version, I found one that could create an admin account without knowing existing admin credentials. From there, I was able to enable PHP code in Drupal content, and create a static page with a reverse shell. When the page was saved, it executed the PHP and got me a low-priv shell.
Sometimes not only will you have a low priv shell, but it will be a low functioning shell where many commands won't work. In that case, it's worth trying to "upgrade" the shell with:
python -c 'import pty; pty.spawn("/bin/bash");'
From there, I used the low-priv shell to further explore the Drupal config, and buried in a settings file I found some database credentials. They didn't work to escalate privs to root, but again, going back to fundamental enumeration and figuring out what users and other variables exist on the system, I was able to try some basic passwords and escalate to another user on the machine.
At this point I started looking for kernel exploits or other avenues to grab root access. My searches came up dry, so I went back to reread the VM description on Vulnhub.com. In that blurb is a hint about reading another user's email, so I went after the mail folders/files, and from that information I learned that an important file existed on the box that was encrypted. The password for the encrypted file was supposedly going to be a certain length, might mention a certain educational institution, and might be cracked with a specific word list.
However, I couldn't get to that file without my root access, so I continued poking around the box, trying to see if there were mail services or other things I missed that might help me get that root foothold. After wanting to jab my eye with a dull hairbrush for an hour or so, I walked away for a while. When I came back I went back to basics once again and was able to guess the root password pretty quickly.
Now with root access I could browse to the .tc file and attempt to crack it. A little Googling revealed that the built in tool Truecrack would be perfect for this. However, I had some issues getting it to run right. First it would bomb out about 5 minutes into running the file against a word list. So I did a bit of checking around and discovered I wasn't running the latest build. I grabbed the newest, installed it, and also took a Serverfault article's advice and compiled it for a CPU-only configuration. This time when the cracking operation ran, the tool remained stable for several hours. I went to bed thinking I'd wake up to some good news!
That bad news is I woke up to see a "Segmentation Fault" error on my screen. It looked like the app had quit about halfway through my word list. I went back to the hint I found in the mail archive about what the password might be. I had to look online for a hint as far as what the educational institution name had to do with the password, but once I had that information, I was able to parse a large wordlist down to something a little more manageable, and this time Truecrack cracked it!
It looks like a Linux version of TrueCrypt isn't installed by default in Kali anymore, so I downloaded an alternative tool which was able to mount and explore the container with no problems. Once inside the container, look carefully as you may have to do some digging to find the congratulatory note buried inside letting you know you've pwned the box!