This document is for educational purposes only, I take no responsibility for other peoples actions. This is a review of the VM droopy-v02,143 from Vulnhub - a site dedicated to penetration testing Capture The Flag challenges.
You can download the VM from here: https://www.vulnhub.com/entry/droopy-v02,143/
Best change the network to NAT.
We find the machine at .140 after running netdiscover, nmap ping scan is also an option.
After doing a quick scan we discover that there is an apache server. Let's do several scans on that. I used my script for nmap web services for that:
Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-21 08:27 EDT
Nmap scan report for 192.168.179.140
Host is up (0.00029s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-php-version: Version from header x-powered-by: PHP/5.5.9-1ubuntu4.5
|_http-server-header: Apache/2.4.7 (Ubuntu)
MAC Address: 00:0C:29:B0:71:DA
Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-21 08:27 EDT
Nmap scan report for 192.168.179.140
Host is up (0.00019s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-sql-injection:
| Possible sqli for queries:
| http://192.168.179.140/misc/?C=N%3bO%3dD%27%20OR%20sqlspider
| http://192.168.179.140/misc/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.179.140/misc/?C=D%3bO%3dA%27%20OR%20sqlspider
|_ http://192.168.179.140/misc/?C=S%3bO%3dA%27%20OR%20sqlspider
MAC Address: 00:0C:29:B0:71:DA
Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-21 08:27 EDT
Nmap scan report for 192.168.179.140
Host is up (0.00022s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-headers:
| Date: Tue, 21 Jun 2016 12:28:04 GMT
| Server: Apache/2.4.7 (Ubuntu)
| X-Powered-By: PHP/5.5.9-1ubuntu4.5
| Expires: Sun, 19 Nov 1978 05:00:00 GMT
| Last-Modified: Tue, 21 Jun 2016 12:28:04 +0000
| Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
| ETag: "1466512084"
| Content-Language: en
| X-Generator: Drupal 7 (http://drupal.org)
| Connection: close
| Content-Type: text/html; charset=utf-8
|
|_ (Request type: HEAD)
|_http-server-header: Apache/2.4.7 (Ubuntu)
MAC Address: 00:0C:29:B0:71:DA
Ok, let us inject then:
We are admins:
Let's enable PHP Filter.
Add an article with PHP code and don't forget to switch to interpret as PHP. Let's try this:
Great :)
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false messagebus:x:102:105::/var/run/dbus:/bin/false
gsuser:x:1000:1000:Generic User,,,:/home/gsuser:/bin/bash
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:105:112:MySQL Server,,,:/nonexistent:/bin/false
Let's try something more. We are in /var/www/html/
Actually I tried writing to a file after that, but since I did not want to lose much more time - I included a reverse shell and started nc on the other end. As a result:
As you see I tried several exploits here, finally one of them worked.
Inspect the root, there is a encrypted file - you can actually decrypt it - there is also a hint in the mails about it, I really don't see value in that (system is owned anyway) - but if you like go ahead.
