Droopy
Walkthrough
In this article we will complete a challenge of Capture the Flag series.
This is Walkthrough of Droopy VM
which is a vulnerable framework but it is little bit complex
too. Download it from –> Here
Walkthrough
Let us start by scanning the network so that we can know the IP of
our target. And to scan the network types the following:
netdiscover
So by
using the above command we know our target IP is 192.168.1.102. Now that we know our target IP, lets study it more
by using nmap :
nmap -p-
-A 192.168.1.102
Here,
-p- à is for port by port search
-A à is for an thorough search
By using nmap we fing that port no. 80 isi
the only one that is opened. So therefore, lets fire up the IP in the browser.
By studying the webpage we get to know that
the website has been made in drupal CMS. And we all know that there is an very
effective exploit for it in Metasploit and to use that type :
use
exploit/multi/http/drupal_drupageddon
once
the exploit starts working, it will ask you for rhost which you set by
following command and then runt he exploit.
set
rhost 192.168.1.102
exploit
As the exploits runs, you will have your
meterpreter session. Type sysinfo as
the first command to gather information about the target. This way we come to
know that the OS used by target is linux with the version of 3.13.0, this
version of linux has its own exploit which you can find on www.exploit-db.com.
Once you find the exploit there, download it and then type the following
command in the terminal of kali :
searchsploit
3.13.0
Go to the /tmp folder by typing cd /tmp and upload the exploit there by
typing :
upload
/root/Desktop/37292.c
Oncethe exploit is uploaded, got o shell by
simply giving shell command. And
then type :
python
-c ‘import pty;pty.spawn(“/bin/bash”)’
And then type the following command to
compile the exploit :
gcc
37292.c -o shell
once the exploit is compiled give the
permissions to shell :
chmod
777 shell
and then run the ./shell command for your exploit to work. This is the exploit for
privilege escalation so when this exploit runs, you will have your privilege to
the VM.
After this check you id by simply typing id. It shows that you are the root. So lets jump
to the folder root by typing cd /root
and then type ls to check the file
inside the root folder. And here we have one file in the root. Lets copy it to
var/www/html so we can open the file in the browser :
cp
dave.tc /var/www/html
Now lets open the file in the browser by
typing :
192.168.1.102/dave.tc
And then we will go into the /var by typing
cd /var and then type ls to view its content. Now lets go
into mail by typing cd mail and then ls to view its content. And the type cat
www-data to read whatever’s inside it.
In www-data we find a mail. This mail gives
us two hints about the password that we need i.e. we will find our password in
the rockyou wordlist and password contain prefix or suffix “academy”. So we
will take all the words from rockyou wordlist that has acadaemy in it and make
a different wordlist with all the possible passwords. And for this type :
Cat
rockyou.txt | grep academy > /root/Desktop/dict.txt
Now from the wordlist, that we just
created, we will apply dictionary attack to have our password. And so for this
type :
truecrack
–truecrypt /root/Downloads/dave.tc -k SHA512 -w /root/Desktop/dict.txt
Now using veracrypt we can decrypt the
file.
To decrypt the file enter the password that
we just found.
Once it opens you can see all of its
content.
Following are the folders you will find in
it.
Open its path in the terminal of kali and
type ls -la to view the files. Open
secret by typing cd .secret and the
type ls -la to see its content. And
then open .top by typing cd .top and
then type ls -la to see all the
files in it. There you will find flag.txt, type cat flag.txt to view the flag.
And yippiiee!!! We found our flag. 😊
0 comments:
Post a Comment