Droopy v0.2 VM Walkthrough

Hi Friends,

Today I am going to start a Capture the Flag series.

The vulnerable machine I am starting with is Droopy v0.2, which is available on VulnHub here.

I will start by discovering the IP of the vulnerable machine, using netdiscover.

Information Gathering:

netdiscover -r 192.168.10.1/24

I found that the VM is running on IP 192.168.10.4.

Port Scanning:

I used Nmap for port scanning to find the open ports.

nmap -sS -A 192.168.10.4

Found that port 80 is open, and the Nmap scan shows a web application running Drupal v7.0. I went further with information gathering by using Nikto.

nikto -h 192.168.10.4

After seeing the Nikto result I confirmed it as “Drupal 7”, and I tried to access default files in Drupal like UPGRADE.txt, LICENSE.txt, CHANGELOG.txt etc.

Now, by seeing the exact version, I found it is running Drupal 7.30.
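From the defender's side, the default-file requests described above are visible in the web server access log. The following is an added example (not part of the original walkthrough) that flags clients probing Drupal's default text files and reports which requests were actually served; the log lines and client IPs are constructed, and the file names beyond those named above are an assumption based on a stock Drupal 7 docroot.

```python
import re
from collections import defaultdict

# CHANGELOG.txt and UPGRADE.txt are named in the walkthrough; the other
# names are an assumption based on a stock Drupal 7 docroot.
FINGERPRINT_FILES = {
    "changelog.txt", "upgrade.txt", "license.txt",
    "install.txt", "maintainers.txt", "readme.txt",
}

# Combined log format: client IP, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def find_fingerprinting(lines, min_files=2):
    """Return {ip: {"probed": [...], "disclosed": [...]}} for clients that
    requested at least `min_files` distinct Drupal default text files."""
    probed, disclosed = defaultdict(set), defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not in combined log format
        # Drop the query string, keep the last path segment, ignore case.
        name = m["path"].split("?", 1)[0].rsplit("/", 1)[-1].lower()
        if name in FINGERPRINT_FILES:
            probed[m["ip"]].add(name)
            if m["status"] == "200":  # the file was served: version leaked
                disclosed[m["ip"]].add(name)
    return {
        ip: {"probed": sorted(files), "disclosed": sorted(disclosed[ip])}
        for ip, files in probed.items() if len(files) >= min_files
    }

# Constructed sample log lines (not captured from the VM).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2016:10:15:02 +0000] "GET /CHANGELOG.txt HTTP/1.1" 200 4512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2016:10:15:03 +0000] "GET /UPGRADE.txt HTTP/1.1" 200 10123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2016:10:15:04 +0000] "GET /LICENSE.txt HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [12/Mar/2016:10:16:00 +0000] "GET /node/1 HTTP/1.1" 200 7301 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [12/Mar/2016:10:16:05 +0000] "GET /README.txt HTTP/1.1" 200 5382 "-" "Mozilla/5.0"',
    'this line is not in combined log format',
]

if __name__ == "__main__":
    for ip, hits in find_fingerprinting(SAMPLE_LOG).items():
        print(ip, hits)
```

Any name under "disclosed" is a file the server returned with status 200; denying access to these files at the web server keeps the exact core version from being read this way.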

Exploitation:

Searched for an exploit for Drupal 7.30 on exploit-db.com, and found an SQL injection based exploit: https://www.exploit-db.com/exploits/34992/

I used the Kali Linux tool “Searchsploit”.

By using the exploit, I created an admin user with username “admin” and password “admin”.

After logging in as admin, my idea was to place a PHP shell and get a shell.

From my past pentesting experience I understood that I cannot execute PHP code directly; to run PHP I have to enable the PHP filter in the Drupal modules, which is not enabled by default.

Created a PHP shell using MSFVENOM,

go to Content, Add Content → add the shell code and save as PHP

Use Metasploit, exploit/multi/handler

Set PAYLOAD php/meterpreter_reverse_tcp

Got a meterpreter shell.

Privilege Escalation:

Found it is running Linux kernel 3.13, so I searched for an exploit.

Run the exploit using the gcc compiler.

Now I am root, but the CTF is not yet over.

Now, to read other people's mail, I went through /var/mail/ and found www-data.

It gave the following hints:

  • The password is not more than 11 characters
  • We have to use the rockyou wordlist
  • “academy” is in the password

Create a wordlist using all this

  • grep "academy" rockyou.txt > rockacademy.txt

I found one encrypted file in root called dave.tc, which I downloaded to my machine.

I executed command

  • /etc/shadow and found a big hash; when I placed that in found my hash, it confirmed it as “sha512”

Now time to crack

Run the Veracrypt

Access the files

  • cd /media/veracrypt1/ and search for hidden folders and files using “ls -la”

Now finally, got flag.txt
