PG - DriftingBlues6


In this walkthrough, we will be going through the DriftingBlues6 room from Proving Grounds. This room is rated as Easy on the platform and it consists of basic enumeration of the Textpattern CMS, later resulting in an RCE on the target. The privilege escalation part requires the use of a popular Linux kernel exploit. So, let’s get started without any delay.


Machine Info:

Description: DriftingBlues6 is an easy-rated machine and it involves basic enumeration of the Textpattern CMS, later resulting in an RCE on the target. The privilege escalation part requires the use of a popular Linux kernel exploit.


  • I started off with my regular nmap aggressive scan and found only one port open – 80 (HTTP).

$ sudo nmap -A
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( ) at 2024-01-09 14:18 IST

Nmap scan report for
Host is up (0.21s latency).
Not shown: 998 closed ports
53/tcp filtered domain
80/tcp open     http    Apache httpd 2.2.22 ((Debian))
| http-robots.txt: 1 disallowed entry 
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: driftingblues
| vulners: 
|   cpe:/a:apache:http_server:2.2.22: 
|     	CVE-2017-7679	7.5
|     	CVE-2017-3169	7.5
|     	CVE-2017-3167	7.5
|     	SSV:60427	6.9	*EXPLOIT*
|     	SSV:60386	6.9	*EXPLOIT*
|     	SSV:60069	6.9	*EXPLOIT*
|     	CVE-2012-0883	6.9
|     	PACKETSTORM:127546	6.8	*EXPLOIT*
|     	CVE-2016-5387	6.8
|     	CVE-2014-0226	6.8
|     	1337DAY-ID-22451	6.8*EXPLOIT*
|     	CVE-2017-9788	6.4
|     	SSV:60788	5.1	*EXPLOIT*
|     	CVE-2013-1862	5.1
|     	SSV:96537	5.0	*EXPLOIT*
|     	SSV:62058	5.0	*EXPLOIT*
|     	SSV:61874	5.0	*EXPLOIT*
|     	EDB-ID:42745	5.0	*EXPLOIT*
|     	CVE-2017-9798	5.0
|     	CVE-2016-8743	5.0
|     	CVE-2015-3183	5.0
|     	CVE-2014-0231	5.0
|     	CVE-2014-0098	5.0
|     	CVE-2013-6438	5.0
|     	CVE-2013-5704	5.0
|     	1337DAY-ID-28573	5.0*EXPLOIT*
|     	CVE-2012-0031	4.6
|     	SSV:60905	4.3	*EXPLOIT*
|     	SSV:60657	4.3	*EXPLOIT*
|     	SSV:60653	4.3	*EXPLOIT*
|     	SSV:60345	4.3	*EXPLOIT*
|     	CVE-2016-4975	4.3
|     	CVE-2014-0118	4.3
|     	CVE-2013-1896	4.3
|     	CVE-2012-4558	4.3
|     	CVE-2012-3499	4.3
|     	CVE-2012-0053	4.3
|     	CVE-2008-0455	4.3
|_    	CVE-2012-2687	2.6
No exact OS matches for host (If you know what OS is running on it, see ).
TCP/IP fingerprint:

Network Distance: 4 hops

TRACEROUTE (using port 554/tcp)
1   206.53 ms
2   206.53 ms
3   206.57 ms
4   206.66 ms

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 40.85 seconds

nmap scan

  • Enumerated the web server running on port 80 and found a static page with information related to an album, I guess.

Drifting Blues Tech

  • Fired gobuster on the target to reveal some hidden directories. The two interesting ones were – /robots and /textpattern.

$ gobuster dir -u -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt 
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:           
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
2024/01/09 14:31:28 Starting gobuster in directory enumeration mode
/db                   (Status: 200) [Size: 53656]
/index                (Status: 200) [Size: 750]  
/robots               (Status: 200) [Size: 110]  
/textpattern          (Status: 301) [Size: 324] [-->]
/server-status        (Status: 403) [Size: 296]                                          
2024/01/09 14:38:03 Finished

gobuster scan

  • Checked the robots.txt file and it shows an entry to disallow crawl access to a specific directory – /textpattern/textpattern.


  • I first enumerated the directory /textpattern and it shows me a page which seems like a front page of a blog. Found nothing interesting here as the links were also pointing to a non-accessible host.

textpattern directory

  • Next, moved to the /textpattern/textpattern directory and it reveals a login page, confirming the Textpattern CMS. Next, I performed a directory bruteforce again and found another directory /textpattern which reveals the version we are dealing with here – 4.8.3. This might come in handy later.

Textpattern login panel

textpattern file

  • At this point, I searched for the default creds of Textpattern CMS but found nothing credible. Next, tried a bunch of common username and password combos but still had no luck. Finally, after a lot of irrelevant enumeration, I once again performed a directory bruteforce on the root directory with a different wordlist and this time it gave me another directory – “spammer” which contains a zip file called

$ gobuster dir -u -w ~/Desktop/Wordlist/directory-medium.txt -x zip
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:           
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/directory-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              zip
[+] Timeout:                 10s
2024/01/10 13:52:16 Starting gobuster in directory enumeration mode
/index                (Status: 200) [Size: 750]
/db                   (Status: 200) [Size: 53656]
/robots               (Status: 200) [Size: 110]  
/spammer              (Status: 200) [Size: 179]  
/          (Status: 200) [Size: 179]  

gobuster scan

Initial Access:

  • Downloaded the zip file to my local machine; however, it was protected with a password. So, cracked the password using john – myspace4.

zip2john > hash
john hash

cracking the zip

Got password of

  • After unzipping the file, I got the Textpattern backend creds.



cat creds.txt

  • Logged into the dashboard. Now, I looked for any known exploits on the application for the running version and found out that it is vulnerable to an authenticated RCE vulnerability. I tried the available exploits but they tended to fail. So, I performed the exploitation manually.

Got access to backend

  • Uploaded my PHP reverse shell payload using the application’s files section which can be found under the “Content” tab in the header menu.

File upload functionality

backdoor.php uploaded

  • Executed my payload by visiting the below URL and got the connection back at my netcat listener.

Index of /textpattern/files

got initial access
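A defender-side view of the enumeration and upload steps above, as an added example that is not part of the original walkthrough: it scans Apache combined-format access logs for the gobuster User-Agent, a burst of 404s from one client, and a script served with status 200 from the Textpattern upload directory. The log lines, IP addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed Apache "combined" log lines (illustrative, not from the target).
SAMPLE_LOG = """\
198.51.100.7 - - [09/Jan/2024:14:31:28 +0530] "GET /admin HTTP/1.1" 404 288 "-" "gobuster/3.1.0"
198.51.100.7 - - [09/Jan/2024:14:31:28 +0530] "GET /backup HTTP/1.1" 404 288 "-" "gobuster/3.1.0"
198.51.100.7 - - [09/Jan/2024:14:31:29 +0530] "GET /robots HTTP/1.1" 200 110 "-" "gobuster/3.1.0"
198.51.100.7 - - [09/Jan/2024:14:31:29 +0530] "GET /login HTTP/1.1" 404 288 "-" "gobuster/3.1.0"
198.51.100.7 - - [09/Jan/2024:14:31:30 +0530] "GET /spammer HTTP/1.1" 200 179 "-" "gobuster/3.1.0"
198.51.100.7 - - [09/Jan/2024:14:31:30 +0530] "GET /test HTTP/1.1" 404 288 "-" "gobuster/3.1.0"
198.51.100.7 - - [10/Jan/2024:14:10:02 +0530] "GET /textpattern/files/backdoor.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2024:14:12:40 +0530] "GET /index HTTP/1.1" 200 750 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2024:14:12:41 +0530] "GET /textpattern/files/report.pdf HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Server-side script extensions that should never be served from an upload dir.
SCRIPT_RE = re.compile(r'^/textpattern/files/[^?]*\.(php\d?|phtml|phar)(\?|$)', re.I)

def analyse(log_text, min_requests=5, min_404_ratio=0.5):
    """Return sorted (client_ip, finding, detail) tuples for suspicious activity."""
    stats = defaultdict(lambda: {"total": 0, "not_found": 0})
    findings = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, path, status, ua = m["ip"], m["path"], int(m["status"]), m["ua"]
        stats[ip]["total"] += 1
        stats[ip]["not_found"] += status == 404
        if "gobuster" in ua.lower():  # default UA; trivially changed by a client
            findings.add((ip, "scanner-user-agent", ua))
        if SCRIPT_RE.match(path) and status == 200:
            findings.add((ip, "script-served-from-upload-dir", path))
    for ip, s in stats.items():
        # Directory brute forcing shows up as many requests, mostly 404s.
        if s["total"] >= min_requests and s["not_found"] / s["total"] >= min_404_ratio:
            findings.add((ip, "404-burst", f'{s["not_found"]}/{s["total"]}'))
    return sorted(findings)

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding, sep="\t")
```

The User-Agent match only catches default tool settings, so the 404-ratio and upload-directory checks are the ones to rely on.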

Privilege Escalation:

  • Checked the running kernel version number and it shows – 3.2.0-4-amd64, which is quite old. So, I checked for known exploits for it and found that it is vulnerable to the “Dirty Cow” vulnerability.

uname -r

  • Transferred the below exploit onto the target by spawning an HTTP server on our local machine.


Linux Kernel Race Condition Privilege Escalation


downloading the exploit on target

  • Compiled and executed the exploit. The exploit will prompt you to enter a new password for the new user that will have root privileges. It may take a minute to complete.

gcc -pthread 40839.c -o exploit -lcrypt

chmod +x exploit


compiling and executing the exploit

  • After the process is complete, switched to the newly created root user. Thus, getting root on the target.

su firefart


got root

proof flag




So that was “DriftingBlues6” for you. We started off with a regular nmap scan and found only one port open – 80 (HTTP). Enumerated the web server on port 80 and found a Textpattern login panel. Fired gobuster on the target and found a file. Next, used john to crack the password of the zip file. The zip file reveals the password of the Textpattern login panel. Used the same to get into the backend of the Textpattern CMS. Next, abused the file upload functionality to get initial access on the target. For privilege escalation, found out that the Linux version running is vulnerable to the DirtyCow exploit. Used the same to get root on the target. On that note, I will take my leave and will meet you in the next one. Till then, “Happy hacking”.
