VulnHub – Droopy

Greetings everyone! In today’s post, I’ll be attacking a system called Droopy, which I downloaded from VulnHub.com. Let’s get started!

Once we have the vulnerable machine booted up, we’ll need to find out what IP address it has. For me, the machine is located at 10.10.1.11. Knowing this, we’ll now scan it with Nmap to discover what ports are open and what services are running.

As we can see, we only have port 80 to work with. But hey, that’s more than fine. Right away, you may notice that Nmap picks up that the website is running on Drupal, which set off some red flags immediately! Perhaps the site is vulnerable to the Drupalgeddon exploit? For now, let’s open up a web browser and head to the website.

Poking around the site for a few minutes doesn’t return much, so let’s test our original theory of using Drupalgeddon to exploit the system. We can do this by loading up Metasploit and searching for “webapp”. Among the results, we’re interested in the “drupal_drupalgeddon2” exploit, so let’s select it and configure its options.

The only option we need to configure is the remote host, which is 10.10.1.11. Once the exploit is fired off, we can see that we receive a Meterpreter shell! Let’s check to see if we’re root.

Darn, not yet. Looks like it’s time to start digging around the system to see if we can escalate our privileges. But first, let’s spawn a TTY shell for more stability using the command python -c 'import pty; pty.spawn("/bin/sh")'.

Let’s have a look to see if there are any other users on the system that we may be able to switch to.

From viewing the contents of the /etc/passwd file and browsing the home directory, we can see that there is a user called gsuser. Let’s check the /etc/shadow file for a password hash that we might be able to crack.

Hmm, no luck. Well, what now? We know that weak passwords are often considered low-hanging fruit, so let’s try some password guessing. After a few simple guesses, the combination gsuser/gsuser worked!

Simple enough! We’re still not root, but let’s hope this new account reveals some new information to us.

I spent some time rummaging around the system with our new credentials and eventually found this juicy email:

Very interesting! I continued searching the system in the hope of finding this encrypted file, but had no luck. No big deal! Let’s enumerate the system to help us find ways to escalate to root.

Here we see that the system is running Ubuntu with kernel version 3.13.0-43. Knowing this, we can take our searching skills to Google to see if there are any available exploits. The first result to come back was an overlayfs local root exploit hosted on Exploit-DB. I downloaded the exploit, started a local web server on our machine, transferred the exploit over to the vulnerable machine using wget, and made it executable using chmod.

Now that the exploit has the proper permissions, we’ll need to compile it before we can run it.

Okay, we’re all set to fire off the exploit!

It worked! We are now the root user! Usually this is where I’d end my adventure with the system, but something was still bugging me. Remember that email we found about the encrypted file? Now that we’re root, let’s have a look around to see if we can find it! Let’s browse to the /root/home directory.

Hello! There it is! But let’s not stop here; let’s copy it over to our system and see if we can crack the password!

Switching back to our Meterpreter session, we can download the file.

We’re going to use a program called truecrack to crack the password, as .tc is a TrueCrypt volume. But before we do, we can fine-tune our cracking by looking at the clues in the email! The email’s subject line hints at using the rockyou.txt wordlist, and the body mentions an academy the sender attended. With this in mind, we’re going to create a smaller wordlist from rockyou.txt containing only the entries that include the word “academy”.

Now we can run truecrack against the volume with our reduced wordlist.

We get a password back: etonacademy!

Now we’ll mount the volume with VeraCrypt and enter the password to see its contents!

Once mounted, we can browse to its folder.

Hmm, the .secret directory looks promising, so let’s head there!

Another directory to browse to!

Looks like we found the flag and are greeted with a congratulatory message! We did it!

Thanks for reading!