DriftingBlues: 6 - Write-up

 DriftingBlues: 6 is a vulnerable machine that can be found on VulnHub and HackMyVM and the difficulty is rated as easy.

Nmap result:

$ sudo nmap -sC -sV 192.168.0.65   
                                                                                            
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-31 13:42 EEST
Nmap scan report for 192.168.0.65
Host is up (0.00017s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.22 ((Debian))
| http-robots.txt: 1 disallowed entry 
|_/textpattern/textpattern
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: driftingblues
MAC Address: 08:00:27:32:F7:0D (Oracle VirtualBox virtual NIC)

Port 80 website:

If we check the page source there is a comment, but won't help us in any way. Next step is to do a directory brute forcing:

$ gobuster dir -u http://192.168.0.65 -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-directories.txt -x php,txt

/db (Status: 200)
/index (Status: 200)
/robots (Status: 200)
/robots.txt (Status: 200)
/textpattern (Status: 301)
/server-status (Status: 403)

The only helpful directory/file from the gobuster result is /robots:

Let's do another gobuster scan but this time while using the .zip extension:

$ gobuster dir -u http://192.168.0.65/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -x php,txt,zip

...
...
/spammer (Status: 200)
/spammer.zip (Status: 200)

The zip file is password protected, so we'll use JohnTheRipper to crack it:

- first use zip2john:

/usr/sbin/zip2john spammer.zip > hash

-now we can 'crack' the hash:

sudo john hash

And the password to the zip file is: myspace4

Here is the content of the file:

Visiting http://<machine ip>/textpattern/textpattern, will find a Textpattern CMS:

If we add another /textpattern to the url we can find the CMS version:

Note: I knew about the 3rd /textpattern by using gobuster on the URL above.

We can use the credentials from the zip file to login to Textpattern CMS.

I tried to use some of the vulnerabilities for textpattern 4.8.3 but none worked for me, so the next thing I did was to upload a php reverse shell.

Now we have to access the php reverse shell, which can be found by going to http://<machine ip>/textpattern/files (this address can be found by bruteforcing the /textpattern directory).

And now we have a shell as user www-data.

Next step is to do some manual or automate enumeration. I like to start with the manual enumeration, and by doing that I've found that the kernel was quite old:

Usually the version 3 kernels are vulnerable to the dirty cow exploit, so I tried that, more exactly the firefart one which can be found easily if you google it, but I used this link: https://www.exploit-db.com/exploits/40839

 

Send the exploit to the vulnerable box, compile the exploit by using the commands below and execute the exploit:

gcc -pthread dirty.c -o dirty -lcrypt
and execute it:
./dirty

When you run the exploit, it will create a user named firefart and it will ask you to type a password, which will be the password for the firefart user.

After running the exploit, it might look like it won't work, but let it run for 1 or 2 minutes and then press CTRL+C to stop it, then change the user to user firefart.

Shell as root

Now you can go and find both the user and the root flag.