CTF Challenges Hacking Security

Droopy v0.2 VM Walkthorugh

Posted on Author rakeshnagekar Comment(0)

Hi Friends,

Today I am going to start Capture the Flag Series.

The Vulnerable Machine I am starting with is Droopy v0.2, that is available in vulnhub Here.

I will start with discovering the IP of vulnerable machine, using netdiscover

Information Gathering:

netdiscover -r 192.168.10.1/24

I founded that VM is running on IP 192.168.10.4

Port Scanning:

I used Nmap for Port Scanning to find the open ports

nmap -sS -A 192.168.10.4

Found Port 80 is open, and from nmap scanning it is showing as web application running Drupal v7.0 I further gone for information gathering by using Nikto

nikto -h 192.168.10.4

After finding the Nikto result I confirmed it as “Drupal 7”, I tried to access default files in Drupal like UPGRADE.txt, LICENCE.txt, CHANGELOG.txt etc.

Now by seeing exact version I found it is running Drupal 7.30

Exploitation:

Searched for exploit for Drupal 7.30 from exploit-db.com, and found SQL Injection based exploit https://www.exploit-db.com/exploits/34992/

I used Kali Linux tool “Searchsploit”

By using exploit, I created admin user with username “admin” and password “admin”

After logged in as admin, my idea is to place a php shell and get shell

From my past pentesting experiences I understood I directly cannot execute php code, to run PHP I have to enable PHP filter in Drupal Modules, which by default is not enabled

Created PHP shell using MSFVENOM,

go to Content, Add Content à add shell code and save as PHP

Use Metasploit, exploit/multi/handler

Set PAYLOAD php/meterpreter_reverse_tcp

Got meterpreter shell.

Privilege Escalation:

Found it is running on Linux kernel 3.13, search for exploit

Run the exploit using gcc compiler

Now I am the root, the CTF is not yet over

Now to read other people mail, I gone through /var/mail/ and found www-data

Now it has given hint that

  • Password is not more than 11 characters
  • we have to use rockyou wordlist
  • In password academy is there

Create a wordlist using all this

  • grep -n “academy” rockyou.txt > rockacademy.txt

I found one encrypted file in root called dave.tc, I downloaded in my machine

I executed command

  • /etc/shadow and found an big hash, when i placed that in found my hash, confirmed it has “sha512”

Now time to crack

Run the Veracrypt

Access the files

  • cd /media/veracrypt1/ and search for hidden folders and files using “ls -la”

Now finally, got flag.txt

rakeshnagekar

Related Articles
Security Windows

How to Change MAC Address

Posted on Author rkarankote

In computer networking, the Media Access Control (MAC) address is every bit as important as an IP address. Learn in this article how MAC addresses work and how to find the MAC addresses being used by a computer… What Is a MAC Address? The MAC address is a unique value associated with a network adapter. […]
CTF Challenges Security

Quaoar VM – Walkthrough

Posted on Author rakeshnagekar

Hi Friends, Today we are solving the Quaoar VM from vulnhub.com, This VM is for beginners 192.168.174.135 – Quaoar VM (Target Machine) 192.168.174.128 – Kali Linux (Attacker Machine) The first thing we have to do is information gathering, i will be using nmap and nikto tools i run nmap scan on the target host Found […]
proxy Security Security Tools

Surf Web Anonymously with TOR

Posted on Author rkarankote

What is TOR ? Tor-proxy is a free proxy-server service that Internet users can use to hide their IP address while surfing the Web. An IP address is a number used to identify computers on the Internet, and for reasons of safety and security, it may sometimes be desirable to hide the address. What is […]

Leave a Reply

Your email address will not be published. Required fields are marked *