This VM, provided by VulnHub

There’s 2 hints I would offer you:

1.) Grab a copy of the rockyou wordlist.

2.) It’s fun to read other people’s email.

 

OK, let me start by finding the IP of that host using netdiscover.

 

The next thing I did was run an Nmap scan to find any open ports on that host.

 

Only port 80 is open, running an HTTP service. I will run Nikto and see if there is anything interesting.

 

OK, it seems Drupal 7 is running. Nikto also finds a bunch of directories; let’s keep that in mind, as I may have to check some of them later on. At this point I want to search for any Drupal 7 exploit using Searchsploit.

Searchsploit gives me some exploits I can use; the most interesting are the highlighted ones.

 

I’m copying 34992.txt to my desktop and having a look inside to see what it does. It looks like it’s trying to create a new user in the database by using SQL injection. Let’s run it and see if it works.

 

Great, it works!!!

I log in to that site using the credentials used in the script. The next thing I wanted to do was upload a PHP shell, but before that I had to enable the PHP filter and the PHP text format options as well.
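As an added example (not part of the original write-up), here is a defender-side audit of the two conditions this step relies on: an administrator account nobody expected, and the PHP filter being enabled. It assumes the Drupal 7 core tables system, role, role_permission, users and users_roles reduced to the columns shown, a role named administrator, and constructed sample rows loaded into an in-memory SQLite database.

```python
import sqlite3

# Constructed sample data. Table and column names follow Drupal 7 core
# (assumed subset of columns); accounts and timestamps are invented.
SAMPLE = """
CREATE TABLE system (name TEXT, type TEXT, status INTEGER);
CREATE TABLE role (rid INTEGER, name TEXT);
CREATE TABLE role_permission (rid INTEGER, permission TEXT, module TEXT);
CREATE TABLE users (uid INTEGER, name TEXT, created INTEGER, status INTEGER);
CREATE TABLE users_roles (uid INTEGER, rid INTEGER);
INSERT INTO system VALUES ('node','module',1), ('php','module',1);
INSERT INTO role VALUES (2,'authenticated user'), (3,'administrator');
INSERT INTO role_permission VALUES (3,'use text format php_code','filter');
INSERT INTO users VALUES (1,'admin',1400000000,1), (7,'newadmin',1460000000,1);
INSERT INTO users_roles VALUES (1,3), (7,3);
"""

def load_sample():
    db = sqlite3.connect(":memory:")
    db.executescript(SAMPLE)
    return db

def audit(db, baseline_admins, since):
    """Return findings: PHP execution exposure and unexpected administrators."""
    findings = []
    # An enabled PHP filter module lets permitted roles store executable PHP.
    row = db.execute("SELECT status FROM system "
                     "WHERE name = 'php' AND type = 'module'").fetchone()
    if row and row[0] == 1:
        findings.append("php module enabled")
    for (role,) in db.execute(
            "SELECT r.name FROM role_permission p JOIN role r ON r.rid = p.rid "
            "WHERE p.permission = 'use text format php_code' ORDER BY r.rid"):
        findings.append(f"role '{role}' may use php_code")
    # Active administrators missing from the baseline or created after `since`.
    for name, created in db.execute(
            "SELECT u.name, u.created FROM users u "
            "JOIN users_roles ur ON ur.uid = u.uid "
            "JOIN role r ON r.rid = ur.rid "
            "WHERE r.name = 'administrator' AND u.status = 1 ORDER BY u.uid"):
        if name not in baseline_admins or created >= since:
            findings.append(f"unexpected administrator '{name}'")
    return findings

if __name__ == "__main__":
    for finding in audit(load_sample(), {"admin"}, since=1450000000):
        print(finding)
```

On a site that never needs stored PHP, all three findings should be absent: the php module disabled, no role holding the php_code format, and only baseline administrators.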

 

Now everything must be OK. Let’s try to upload a PHP shell and also have Netcat listening for incoming connections.

After uploading the shell I had access to the Droopy VM. The first thing I needed to do was get rid of that shell and use Bash instead; Python will help with that.

 

Now it’s time for some enumeration. Let’s first find out what kind of system this is.

 

OK, I’m dealing with an Ubuntu 14.04 and I remember there are some local exploits for it. Actually, a few months ago I was in a course and the teacher gave us a non-public exploit for Ubuntu 14.04, but let’s stick with public findings only. I run Searchsploit once again and it gives me some exploits I can use.

 

I copy the highlighted one to my apache folder and download it to the Droopy host.

 

Now I had to compile it, give it executable permissions and run it. The first time it failed because I was not in a directory where I had write permission, so I moved to /tmp and tried again.

 

Rooted!!!

But that was not enough. The hint says “It’s fun to read other people’s email”, so I have to move to the mail directory and search for email to read.

 

OK, the message was clear. There is an encrypted file I had to crack to find the flag. The file was under the root directory; I copied it to the apache directory and downloaded it locally to start the cracking process.

 

After continuing to search I found a long hash in the shadow file, and I used Hash-identifier to figure out what kind of hash it was. Hash-identifier gives me SHA256 as the result. Another hint was that I had to use the rockyou list for that and the password was not longer than 11 characters. I used pw-inspector to reduce the size of the list and leave only passwords that were 11 characters. You can see the difference between the original list and the new list I’ve created with pw-inspector. I started the cracking process and I have to say that it was time consuming. Also, the truecrack utility has no option for SHA256 hashes, so I tried with SHA512 instead.

 

Unfortunately the first try failed. Was I missing something? Let’s go back and read that email once again. I had overlooked the part that says “we know what academy we went to, don’t you?” OK, after that I appended the word “academy” in that list by using the command awk '{print $0, "academy"}' rockyou.txt > newlist.txt and tried again. After a while I got the password and the flag!!!

The End!!!

 

It was a great VM to play with.

I do hate cracking but that was also a great lesson for me.

Thanks to VulnHub for hosting these kinds of VMs.