CTF Challenges Hacking Security

Droopy v0.2 VM Walkthorugh

Posted on Author rakeshnagekar Comment(0)

Hi Friends,

Today I am going to start Capture the Flag Series.

The Vulnerable Machine I am starting with is Droopy v0.2, that is available in vulnhub Here.

I will start with discovering the IP of vulnerable machine, using netdiscover

Information Gathering:

netdiscover -r 192.168.10.1/24

I founded that VM is running on IP 192.168.10.4

Port Scanning:

I used Nmap for Port Scanning to find the open ports

nmap -sS -A 192.168.10.4

Found Port 80 is open, and from nmap scanning it is showing as web application running Drupal v7.0 I further gone for information gathering by using Nikto

nikto -h 192.168.10.4

After finding the Nikto result I confirmed it as “Drupal 7”, I tried to access default files in Drupal like UPGRADE.txt, LICENCE.txt, CHANGELOG.txt etc.

Now by seeing exact version I found it is running Drupal 7.30

Exploitation:

Searched for exploit for Drupal 7.30 from exploit-db.com, and found SQL Injection based exploit https://www.exploit-db.com/exploits/34992/

I used Kali Linux tool “Searchsploit”

By using exploit, I created admin user with username “admin” and password “admin”

After logged in as admin, my idea is to place a php shell and get shell

From my past pentesting experiences I understood I directly cannot execute php code, to run PHP I have to enable PHP filter in Drupal Modules, which by default is not enabled

Created PHP shell using MSFVENOM,

go to Content, Add Content à add shell code and save as PHP

Use Metasploit, exploit/multi/handler

Set PAYLOAD php/meterpreter_reverse_tcp

Got meterpreter shell.

Privilege Escalation:

Found it is running on Linux kernel 3.13, search for exploit

Run the exploit using gcc compiler

Now I am the root, the CTF is not yet over

Now to read other people mail, I gone through /var/mail/ and found www-data

Now it has given hint that

  • Password is not more than 11 characters
  • we have to use rockyou wordlist
  • In password academy is there

Create a wordlist using all this

  • grep -n “academy” rockyou.txt > rockacademy.txt

I found one encrypted file in root called dave.tc, I downloaded in my machine

I executed command

  • /etc/shadow and found an big hash, when i placed that in found my hash, confirmed it has “sha512”

Now time to crack

Run the Veracrypt

Access the files

  • cd /media/veracrypt1/ and search for hidden folders and files using “ls -la”

Now finally, got flag.txt

rakeshnagekar

Related Articles
Google Hacking Tutorials

What Is Doxing? – Doxing And It’s Uses

Posted on Author rkarankote

Doxing is the process of gaining information about someone or something by using sources on the Internet and using basic deduction skills. Its name is derived from “Documents” and in short it is the retrieval of “Documents” on a person or company. You’re probably thinking, “Okay, so basically it’s getting information from searching someone’s email […]
CTF Challenges exploitation netcat tutorial

Sedna VM – Walkthrough

Posted on Author rakeshnagekar

Hi Friends, Today we will solve the Vulnhub VM Sedna Firstly, I need to detect the VM ip address, I will be using netdiscover command from Linux netdiscover -r 192.168.174.1/24 Now we got Target IP address 192.168.174.133 – Sedna VM (Target Machine) 192.168.174.128 – Kali Linux (Attacker Machine) First I will do the Port scan […]
backtrack command execution dvwa Hacking injection

Command Execution Vulnerability Exploitation

Posted on Author rkarankote

Today i will be showing how to hack the website with the command execution vulnerability. we will be see this on the DVWA What is Command Execution ? OS command injection is a technique used via a web interface in order to execute OS commands on a web server. The user supplies operating system commands […]

Leave a Reply

Your email address will not be published. Required fields are marked *