It is also included in 'BackTrack' and other operating systems used for penetration testing. This time, I will install this 'netdiscover' command on Ubuntu 14.04 LTS and actually try it out.

1. Installation.

First, the installation. Run the following command.

Debian/Ubuntu.

Jul 27, 2015. The netdiscover utility lists all connected hosts on your local LAN. This is useful for scanning a network and determining which hosts are online. I used this command to scan the IP range starting at 192.168.0.1 (the CIDR mask belongs directly after the address, with no space):

Jason@darkstar:$ sudo netdiscover -r 192.168.0.1/24
When I run Netdiscover from Kali, it doesn't pick up anything at all. I do have internet though, and if I run ifconfig my IP is not a 192.168.x.x, it's a 10.x.x.x. If I switch to bridged or host-only, then I lose internet completely. I can't ping anything.
Why is this happening?
And are there any specific settings that I need to make sure to always have on my VMs so that they can see each other?
Overview
Objective : Get Flag
OVA link: https://www.vulnhub.com/entry/mr-robot-1,151/
Tools used: netdiscover, nmap, nikto, metasploit, truecrack, veracrypt
To start, I just ran a quick netdiscover to get the DroopyOS IP. The highlighted IP is the one we're after.
Running a quick version scan shows an open port 80, which implies a web server of some sort. Let's see what that web page looks like!
Upon loading the webpage, we can see a generic drupal login page (the logo above home is the drupal logo). Drupal is notorious for vulnerabilities so we should have some smooth sailing (hopefully?)
I clicked around the 'create new account' and 'request new password' links but nothing obvious stands out as a hint or direction. To help find some vulnerabilities, I ran a nikto scan with the corresponding output listed below.
We have a lot of information to parse through. The most immediately obvious clue is 'robots.txt', which is referenced multiple times. Loading up this page shows some interesting information, as seen below. We can see some file structure we can go through, as well as some specific files to check out.
The 'giveaway' here is /CHANGELOG.txt. This file is commonly left in place and shows the current Drupal version with its corresponding patch notes. We can see here that Drupal 7.30 is running.
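From the defender's side, the two files used above are exactly the ones worth checking on your own deployment: robots.txt tells an attacker which paths the operator wanted hidden, and CHANGELOG.txt states the exact core version. The following script is an added example (not code from the original write-up) that parses both and flags what a site leaks. The robots.txt and CHANGELOG.txt excerpts are constructed samples that only mimic the Drupal 7 layout, and the minimum-version threshold is a placeholder you would set to your own patch baseline.

```python
"""Audit what a Drupal deployment leaks through two public text files:
robots.txt (lists the paths the operator wanted hidden) and CHANGELOG.txt
(states the exact core version). Added example, not from the original
write-up; the sample file contents below are constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the style of a Drupal 7 robots.txt.
SAMPLE_ROBOTS = """\
User-agent: *
Crawl-delay: 10
# Files
Disallow: /CHANGELOG.txt
Disallow: /INSTALL.txt
Disallow: /xmlrpc.php
# Paths (clean URLs)
Disallow: /admin/
Disallow: /user/register/
Disallow: /user/password/
"""

# Constructed excerpt mimicking the header layout of a Drupal 7 CHANGELOG.txt.
SAMPLE_CHANGELOG = """\
Drupal 7.30, 2014-07-24
-----------------------
- (constructed entry) bug fixes

Drupal 7.29, 2014-07-16
-----------------------
- (constructed entry) bug fixes
"""

# Placeholder: set this to the lowest core version your patch baseline accepts.
MINIMUM_PATCHED: Tuple[int, ...] = (7, 32)

VERSION_LINE = re.compile(r"^Drupal (\d+)\.(\d+)(?:\.(\d+))?,", re.M)


def parse_robots_disallow(text: str) -> List[str]:
    """Return Disallow paths in file order, ignoring comments and empty rules."""
    paths: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.lower().startswith("disallow:"):
            continue
        value = line.split(":", 1)[1].strip()
        if value:
            paths.append(value)
    return paths


def parse_drupal_version(changelog: str) -> Optional[Tuple[int, ...]]:
    """The first 'Drupal X.Y, <date>' header names the installed core version."""
    match = VERSION_LINE.search(changelog)
    if not match:
        return None
    return tuple(int(part) for part in match.groups() if part is not None)


def audit(robots: str, changelog: Optional[str],
          minimum: Tuple[int, ...] = MINIMUM_PATCHED) -> Dict[str, object]:
    """Summarise the leaks a defender should close.

    changelog is None when the file is not reachable over HTTP, which is the
    state a hardened deployment should be in."""
    findings: Dict[str, object] = {}
    disallowed = parse_robots_disallow(robots)
    findings["robots_hints"] = disallowed
    # Bundled documentation files should not be reachable on a live site;
    # robots.txt merely asks crawlers to skip them, it does not block access.
    findings["exposed_docs"] = [p for p in disallowed if p.lower().endswith(".txt")]
    version = parse_drupal_version(changelog) if changelog else None
    findings["changelog_reachable"] = changelog is not None
    findings["version"] = version
    # Tuple comparison handles (7, 30) < (7, 32) the way humans read versions.
    findings["below_minimum"] = version is not None and version < minimum
    return findings


if __name__ == "__main__":
    for key, value in audit(SAMPLE_ROBOTS, SAMPLE_CHANGELOG).items():
        print(f"{key}: {value}")
```

Feed it the real files fetched from your own site (for instance with requests.get on /robots.txt and /CHANGELOG.txt, passing None for any 404). Anything in exposed_docs should be removed from the web root or denied in the web server configuration, and a non-None version means the site is advertising exactly which advisories apply to it.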
A little googling about this version of Drupal shows a vulnerability via CVE-2014-3704, which has a nicely prepackaged Metasploit exploit dubbed 'Drupageddon'. We can go boot up the msfconsole and see what the options are. Looks like we only need to set RHOST (192.168.1.137).
This may have been the easiest shell I've ever obtained. I almost feel guilty... perhaps later I'll see if I can code the exploit by hand and see if I can get it to work. Anyways... we got a shell:
Interestingly enough, we have a /tmp folder we can use to get some executable exploits running.
Now we just have to figure out what we have to work with. For this situation, I'm going to call the normal bash shell instead of using meterpreter. Listed below are the commands I ran to gather some information and find an exploit. It looks like searchsploit found what we need: Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Root Shell.
I usually make separate directories per Vulnhub VM. To get the exploit onto the DroopyOS box, I'm going to copy the exploit to my working directory, then download it to the /tmp folder on the target host via meterpreter. I like copying the exploits per use case. This way, if I have to edit the exploit and break it, I can always fall back to the original.
Note the permission change below. The added 'x' means that, essentially, any user can execute the file.
We now have a raw .c file to compile. You can type 'gcc --version' to check if gcc is installed on the system. A quick compile and execute later, we have root! We're done now! RIGHT?!
I went into the /root/ folder aaand we have a .tc file. This is the file extension for a TrueCrypt container, which I guess we have to brute force?
The only hint we really have to go on is on the Vulnhub page where the author gives the following two hints:
I'm going to assume the rockyou wordlist is needed for the TrueCrypt file. The email hint is also worth looking into. (fast forward a while) I found the 'email hint' in '/var/mail/':
OK, so now we obviously have to use the rockyou dictionary, and we need to get that .tc file onto our Kali host. To do this, I copied (as root) the dave.tc file to the /tmp directory. I then downloaded it via meterpreter as follows:
Now we need to prepare the rockyou wordlist. If you're on a new version of Kali, you need to extract it for use. The default location is '/usr/share/wordlists/rockyou.txt.gz'. I like keeping all my wordlists in '/root/Wordlists/'. We can see that this file is huge: 14344392 lines long. From the email we know we can remove all passwords longer than 11 characters. I shortened the list using awk:
I then grepped that list for all entries with the string 'academy' in the password. The last step would (hopefully) be cracking the TrueCrypt file. Kali has a preinstalled tool called 'Truecrack' for just this purpose. Syntax as follows:
This did not produce any results; however, I then tried the 'sha512' hash via:
We got the TrueCrypt password! Since TrueCrypt is no longer supported, I downloaded VeraCrypt and plugged in the password. With this password, TrueCrypt mode enabled and the matching hash type selected, we can open the TrueCrypt container!
Going into the file structure, there are a couple of directories and images, but if you do an 'ls -a' you can see hidden directories. Going into '/media/veracrypt1/.secret/.top' will reveal the following flag: