Hi Friends,
Today I am going to start a Capture the Flag series.
The vulnerable machine I am starting with is Droopy v0.2, which is available on VulnHub here.
I will start by discovering the IP of the vulnerable machine using netdiscover.
Information Gathering:
netdiscover -r 192.168.10.1/24
I found that the VM is running on IP 192.168.10.4.
Port Scanning:
I used Nmap for port scanning to find the open ports.
nmap -sS -A 192.168.10.4
Found port 80 is open, and the Nmap scan shows a web application running Drupal v7.0. I went further with information gathering using Nikto.
nikto -h 192.168.10.4
From the Nikto result I confirmed it as “Drupal 7”, and I tried to access default files in Drupal like UPGRADE.txt, LICENCE.txt, CHANGELOG.txt etc.
By checking the exact version, I found it is running Drupal 7.30.
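As an added example (my own code, not part of the original walkthrough), here is an administrator-side check that the Drupal text files read above by hand are not reachable on a site you manage, and that the version CHANGELOG.txt reveals is not behind the release you deployed. The host name and the CHANGELOG.txt sample are constructed, and the check runs through a fake fetcher so it works offline; it also shows why versions must be compared numerically rather than as strings.

```python
# Added example: admin-side check for Drupal 7 version-disclosure files.
import re
import urllib.error
import urllib.request

# Files shipped in a Drupal 7 document root that give away the release.
DISCLOSURE_FILES = ("CHANGELOG.txt", "UPGRADE.txt", "LICENSE.txt", "INSTALL.txt")

# Drupal 7's CHANGELOG.txt starts with a line such as "Drupal 7.30, 2014-07-24".
VERSION_RE = re.compile(r"^Drupal (\d+\.\d+)", re.MULTILINE)

# Constructed sample of a CHANGELOG.txt body, used for the offline run.
SAMPLE_CHANGELOG = "Drupal 7.30, 2014-07-24\n-----------------------\n- Fixed ...\n"

def parse_drupal_version(text):
    """Return the newest release named in a CHANGELOG.txt body, or None."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None

def version_tuple(v):
    """'7.30' -> (7, 30). Compare numerically: as strings, '7.30' < '7.9'."""
    return tuple(int(p) for p in v.split("."))

def http_fetch(url):
    """Default fetcher: (status, body) of a GET; 4xx/5xx are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""

def audit_disclosure(base_url, expected_version, fetch=http_fetch):
    """List reachable disclosure files and flag a version older than expected."""
    findings = {"reachable": [], "version": None, "outdated": False}
    for name in DISCLOSURE_FILES:
        status, body = fetch(base_url.rstrip("/") + "/" + name)
        if status != 200:
            continue
        findings["reachable"].append(name)
        if name == "CHANGELOG.txt":
            findings["version"] = parse_drupal_version(body)
    found = findings["version"]
    if found and version_tuple(found) < version_tuple(expected_version):
        findings["outdated"] = True
    return findings

def fake_fetch(url):
    """Offline stand-in for http_fetch: serves only the constructed sample."""
    return (200, SAMPLE_CHANGELOG) if url.endswith("CHANGELOG.txt") else (404, "")
```

A real run is `audit_disclosure("http://your-site", "7.30")` with the default fetcher; any file listed under "reachable" should be removed from the document root or blocked in the web server configuration.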
Exploitation:
Searched for an exploit for Drupal 7.30 on exploit-db.com, and found an SQL injection based exploit: https://www.exploit-db.com/exploits/34992/
I used the Kali Linux tool “Searchsploit”.
Using the exploit, I created an admin user with username “admin” and password “admin”.
After logging in as admin, my idea was to place a PHP shell and get a shell.
From my past pentesting experience I understood that I cannot directly execute PHP code; to run PHP I have to enable the PHP filter module in Drupal Modules, which is not enabled by default.
Created a PHP shell using msfvenom.
Go to Content, Add Content -> add the shell code and save it as PHP.
Use Metasploit, exploit/multi/handler.
Set PAYLOAD php/meterpreter_reverse_tcp.
Got a meterpreter shell.
Privilege Escalation:
Found it is running on Linux kernel 3.13, and searched for an exploit.
Compiled the exploit with gcc and ran it.
Now I am root, but the CTF is not yet over.
Now, to read other people's mail, I went through /var/mail/ and found www-data.
It gave the following hints:
- The password is not more than 11 characters
- We have to use the rockyou wordlist
- The word “academy” is in the password
Create a wordlist using all of this:
- grep "academy" rockyou.txt > rockacademy.txt
I found one encrypted file in root called dave.tc, which I downloaded to my machine.
I executed a command:
- on /etc/shadow, and found a big hash; when I placed that in found my hash, it confirmed it is “sha512”.
Now it is time to crack.
Run VeraCrypt.
Access the files:
- cd /media/veracrypt1/ and search for hidden folders and files using “ls -la”
Now, finally, got flag.txt.