Friday 6 May 2016

Droopy CTF

Hi,
Today im going to present you a walkthrough of Droopt challenge.
root@osboxes:~# nmap -sP 192.168.1.0/24

[CUT]

Nmap scan report for 192.168.1.103
Host is up (0.00054s latency).
MAC Address: 00:0C:29:4F:82:66 (VMware)

[CUT]

root@osboxes:~# nmap -p- 192.168.1.103

[CUT]

PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:4F:82:66 (VMware)
I open a browser and display the web application.

OK, I was trying conduct SQL Injection and default credentials attack but without success. So I examine a source code and BINGO!




















Drupal 7 contains several vulnerabilities.I found one of them  -SQL Injection, I executed it and...




Excellent! We should verify this good news.





















Great! We logged into admin account! We have to find some way upload a backdoor. I was trying with Avatar, with Add Content but without success.
Finally I found helpful options






















Now we should check the PHP Filter and try inject into page content our reverse shell code.






















and...











Excellent! We have gained limited shell!
We can check OS with details and find an exploit to escalate our peivileges (as an exercise for you).










Game over!