Droopy: v0.2 Walkthrough

TL;DR: If you like watching instead, here’s a fairly short vid on getting root. Steps are below. Also, Dubstep is playing so if you don’t like it, please mute 🙂

You can find this VM here. It is a beginner’s boot2root, so let’s see how this goes.

Quick run-down:

  1. Find Services
  2. Play with Drupal
  3. Escalate to Root

Exploits used:

  1. Drupal 7 SQL Injection
  2. Overlayfs Local Root
  3. PHP-Reverse-Shell

First things first, I need to see who is on my net. After I see, I begin to do a little recon on my target 🙂

After I find my target, I begin to find out more about it! Port 80 is open again and shows that it is running Drupal 7. I head to the site to see what it looks like.

(Screenshot: Drupal homepage)

I reach out to my handy dandy partner in crime, Exploit-DB, and search for Drupal 7.

So, SA-CORE-2014-005 says that Drupal 7 includes a database abstraction API meant to prevent SQL injection attacks. Ironically, this very API allows an attacker to send a specially crafted request which ultimately leads to arbitrary SQL execution. This can lead to privilege escalation, arbitrary PHP execution, and/or other attacks. Haha, nice 🙂 This should be interesting…

I downloaded the exploit and ran it.

Sweet…I’m now an administrator for the site. Nice.

This took me just a tad bit, but I went through everything I could and I found something, w00t!! I noticed that in the Content, you can obviously add content…but you can also set the text format. There were only three options to choose from:

  1. Filtered HTML
  2. Full HTML
  3. Plain Text

I took note of that to come back to later. In Modules, I also noticed a “PHP filter”. So I checked the box, and noticed after saving the configuration that it had “Permissions” for it. I checked “Use the PHP code text format” for authenticated users. It has a warning of “This permission may have security implications depending on how the text format is configured”. Don’t mind if I do.

As I scroll more seeing what other options I have available, I also see “Administer Content” with a warning of “Give to trusted roles only; this permission has security implications.” Don’t mind if I do!

Now I run into “Use PHP for settings” with the same warning. So I checked that as well 🙂 I’m sure you didn’t need to check most of them, but I did that because why not??

(Screenshot: Drupal permissions settings)

After going through more settings, I found gold. I noticed a “PHP code” option in the Text format box. So if you haven’t noticed, I’m opting to get a reverse PHP shell 🙂
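Seen from the defender’s side, the two things this walkthrough leans on are a Drupal 7 core release older than 7.32 (the SA-CORE-2014-005 fix) and the PHP filter module’s permissions being handed to a broad role. The script below is an added example, not code from the original post or from the Drupal project: it reads the version out of `includes/bootstrap.inc` the way Drupal 7 records it, and flags any role that holds either of the PHP filter module’s permission machine names (`use PHP for settings`, `use text format php_code`, which correspond to the two checkboxes described above). The `bootstrap.inc` snippet and the role/permission rows are constructed sample input, not taken from the VM.

```python
"""Defensive audit for a Drupal 7 install, covering the two weaknesses this
walkthrough leans on: the pre-7.32 SQL injection (SA-CORE-2014-005) and the
PHP filter module's permissions. Added example; not code from the original post."""
import re

# Drupal 7 records its release in includes/bootstrap.inc on a line such as
#     define('VERSION', '7.31');
VERSION_RE = re.compile(r"define\('VERSION',\s*'([0-9]+(?:\.[0-9]+)*)'\)")

# SA-CORE-2014-005 was fixed in Drupal 7.32.
FIXED_VERSION = (7, 32)

# Permission machine names the PHP filter module adds in Drupal 7. Either one
# lets a role run arbitrary PHP on the server, which is exactly what the
# walkthrough uses for its reverse shell.
PHP_EXECUTION_PERMISSIONS = {
    "use PHP for settings",       # UI label: "Use PHP for settings"
    "use text format php_code",   # UI label: "Use the PHP code text format"
}


def parse_drupal_version(bootstrap_inc: str):
    """Return the (major, minor, ...) tuple found in bootstrap.inc, or None."""
    match = VERSION_RE.search(bootstrap_inc)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def vulnerable_to_sa_core_2014_005(version) -> bool:
    """True when a Drupal 7.x release predates the 7.32 fix."""
    return version is not None and version[0] == 7 and version < FIXED_VERSION


def audit_role_permissions(rows):
    """rows: iterable of (role_name, permission) pairs, e.g. dumped from the
    role_permission table joined to role. Returns the grants that hand a role
    PHP execution, sorted so the output is stable."""
    findings = [
        (role, permission)
        for role, permission in rows
        if permission in PHP_EXECUTION_PERMISSIONS
    ]
    return sorted(findings)


# --- Constructed sample input (not taken from the VM) ---------------------
SAMPLE_BOOTSTRAP = """
/**
 * The current system version.
 */
define('VERSION', '7.31');
define('DRUPAL_CORE_COMPATIBILITY', '7.x');
"""

SAMPLE_PERMISSIONS = [
    ("anonymous user", "access content"),
    ("authenticated user", "access content"),
    ("authenticated user", "use text format php_code"),
    ("administrator", "use PHP for settings"),
    ("administrator", "administer nodes"),   # not a PHP grant; left alone
]


def run_audit(bootstrap_inc=SAMPLE_BOOTSTRAP, rows=SAMPLE_PERMISSIONS):
    """Summarise both checks as a dict the caller can act on."""
    version = parse_drupal_version(bootstrap_inc)
    return {
        "version": version,
        "sqli_unpatched": vulnerable_to_sa_core_2014_005(version),
        "php_grants": audit_role_permissions(rows),
    }


if __name__ == "__main__":
    report = run_audit()
    print("Drupal version:", ".".join(map(str, report["version"])))
    print("SA-CORE-2014-005 unpatched:", report["sqli_unpatched"])
    for role, permission in report["php_grants"]:
        print(f"PHP execution granted to role '{role}' via '{permission}'")
```

On a real box you would feed `parse_drupal_version` the contents of `includes/bootstrap.inc` and `audit_role_permissions` the rows of `role_permission` joined to `role`; a grant of either permission to “authenticated user” (the change made above) is the finding that matters, since any account the site lets you register becomes a PHP shell.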

I head on over to Pentest monkey and take his php-reverse-shell and download it to my box. After extracting it, I change the IP to mine and set up my listener. Now, let’s just wait and see…

I go to Content, Add content, and a Basic Page. Then I threw in my reverse shell, changed the Text format to PHP code, clicked Preview, and guess what popped up in my terminal??? Oh. Freaking. Yes.

After seeing what I was working with, I downloaded the Overlayfs Local Root Exploit on to the box. After compiling, guess who is Root?? That’s right. Root is I 🙂

There’s also a TrueCrypt file called “Dave.tc”. We need to crack it to get our flag. Let’s transfer it to our machine 🙂

Fortunately for me, a good friend of mine has a sweet cracking rig. Thanks, H4v0k! Unfortunately for me, I think one of my GPUs is going out 🙁 Oh well. Needless to say, H4v0k cracked it for me in a sweet 11 SECONDS!! Heck yea!!

(Screenshot: H4v0k’s GPU cracking rig)

So after mounting the TrueCrypt file, I was able to find the secret directory and retrieve my flag 🙂

Ahhhh yeaaaaaaa!!

I had lots of fun with this one, as I do with all of them 🙂 Big thanks to knightmare for creating this VM!

One thought on “Droopy: v0.2 Walkthrough”

Very awesome write up!

So that is how you got the PHP shell working…. I was trying to upload a PHP shell through a custom PHP upload form, however I could never get it to work. I should have just uploaded the PHP shell straight into the web forum…..

Oh well. Awesome walkthrough!

SP
