CTF Challenges Hacking Security

Droopy v0.2 VM Walkthorugh

Posted on Author rakeshnagekar Comment(0)

Hi Friends,

Today I am going to start Capture the Flag Series.

The Vulnerable Machine I am starting with is Droopy v0.2, that is available in vulnhub Here.

I will start with discovering the IP of vulnerable machine, using netdiscover

Information Gathering:

netdiscover -r 192.168.10.1/24

I founded that VM is running on IP 192.168.10.4

Port Scanning:

I used Nmap for Port Scanning to find the open ports

nmap -sS -A 192.168.10.4

Found Port 80 is open, and from nmap scanning it is showing as web application running Drupal v7.0 I further gone for information gathering by using Nikto

nikto -h 192.168.10.4

After finding the Nikto result I confirmed it as “Drupal 7”, I tried to access default files in Drupal like UPGRADE.txt, LICENCE.txt, CHANGELOG.txt etc.

Now by seeing exact version I found it is running Drupal 7.30

Exploitation:

Searched for exploit for Drupal 7.30 from exploit-db.com, and found SQL Injection based exploit https://www.exploit-db.com/exploits/34992/

I used Kali Linux tool “Searchsploit”

By using exploit, I created admin user with username “admin” and password “admin”

After logged in as admin, my idea is to place a php shell and get shell

From my past pentesting experiences I understood I directly cannot execute php code, to run PHP I have to enable PHP filter in Drupal Modules, which by default is not enabled

Created PHP shell using MSFVENOM,

go to Content, Add Content à add shell code and save as PHP

Use Metasploit, exploit/multi/handler

Set PAYLOAD php/meterpreter_reverse_tcp

Got meterpreter shell.

Privilege Escalation:

Found it is running on Linux kernel 3.13, search for exploit

Run the exploit using gcc compiler

Now I am the root, the CTF is not yet over

Now to read other people mail, I gone through /var/mail/ and found www-data

Now it has given hint that

  • Password is not more than 11 characters
  • we have to use rockyou wordlist
  • In password academy is there

Create a wordlist using all this

  • grep -n “academy” rockyou.txt > rockacademy.txt

I found one encrypted file in root called dave.tc, I downloaded in my machine

I executed command

  • /etc/shadow and found an big hash, when i placed that in found my hash, confirmed it has “sha512”

Now time to crack

Run the Veracrypt

Access the files

  • cd /media/veracrypt1/ and search for hidden folders and files using “ls -la”

Now finally, got flag.txt

rakeshnagekar

Related Articles
facebook News privacy Security

How Strangers Can Read Your Private Facebook Messages

Posted on Author rkarankote

Here’s something you probably didn’t know: Facebook has a team of employees who read your private messages if they have been flagged by an automated tool. The tool searches for content that appears to violate their terms of service, namely malicious (infected) URLs or child pornography. It’s imperfect, of course — that’s where humans come […]
Security Windows

How to Change MAC Address

Posted on Author rkarankote

In computer networking, the Media Access Control (MAC) address is every bit as important as an IP address. Learn in this article how MAC addresses work and how to find the MAC addresses being used by a computer… What Is a MAC Address? The MAC address is a unique value associated with a network adapter. […]
application security burp burpsuite burpsuite tutorial Hacking proxy Security Tools tools tutorial

Burpsuite Tutorial

Posted on Author rkarankote

Burp Suite is an integrated platform for attacking web applications. It contains all of the Burp tools with numerous interfaces between them designed to facilitate and speed up the process of attacking an application. All tools share the same robust framework for handling HTTP requests, persistence, authentication, upstream proxies, logging, alerting and extensibility. Burp Suite […]

Leave a Reply

Your email address will not be published. Required fields are marked *