DriftingBlues: 2 Vulnhub Write-up | Walkthrough
Hi, I am Hardik Jain, a cyber security researcher, and a student.
Welcome to another write-up
Use the clap button to appreciate the blog. Many readers are unaware of this, but you can clap 50 times on any post.
So, if you like something, don’t think twice; leave some more claps.
If you find this useful then share it with your connections on LinkedIn and WhatsApp groups to help others too.
In this write-up, I am gonna give you a walkthrough of the DriftingBlues: 2 machine from Vulnhub.
The download link is added below
Most of the initial setup and recon steps are the same in any machine, so I would suggest you read DriftingBlues: 1 Write-up for a smooth understanding of the setup and initial recon.
Now start both the machines: DriftingBlues 2 and Kali Linux.
The IP address of Kali Machine
Using Netdiscover to find the IP address of the DriftingBlues machine.
sudo netdiscover -i eth0 -r 192.168.0.0/24
Visiting the IP address to check what’s there.
Checking the source code of this web page
Using NMAP
nmap -sV -sC -p- 192.168.0.111
The Nmap output shows the FTP port open with anonymous login allowed, so we connect to FTP as the anonymous user.
Checking the files present in the FTP server using the “dir” command. We see a secret.jpg file present. Let me download that image into our system using the “get” command.
This is the image that we got from that FTP server
Using Gobuster for directory enumeration
gobuster dir -u http://192.168.0.111/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,php,txt
Here we see that there is a /blog with 301 status so we visit http://192.168.0.111/blog and search for further hints.
While looking at the website we came to know that it is a WordPress website, so we ran WPScan.
wpscan --url http://192.168.0.111/blog/
The blog does not render properly; when we hover over some links we can see that the domain is driftingblues.box, so let us add it to the /etc/hosts file.
Now reload the blog
Now brute-forcing the /blog directory using gobuster, we see the /wp-login.php page.
gobuster dir -u http://192.168.0.111/blog -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,php,txt
Let’s visit the login page.
We see a username and password login field. Let me brute force it using wpscan. wpscan has brute forcing modules that help in brute forcing WordPress websites.
wpscan --url http://driftingblues.box/blog --detection-mode aggressive -e --passwords=/usr/share/wordlists/rockyou.txt
I found the username and password by brute force which took wpscan around an hour.
Username : albert
Password: scotland1
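As an added defender-side example (not part of the original write-up): a small Python script that flags the pattern a WPScan password attack leaves in the web server's access log, a burst of POSTs to /blog/wp-login.php answered with HTTP 200 from a single source. The log lines are constructed, and the scanner IP 192.168.0.105 is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Nginx "combined" log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
LOGIN_PATH = "/blog/wp-login.php"  # the login page found with gobuster above

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if the line is not a request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path.split("?", 1)[0], int(status)

def failed_login_bursts(log_text, threshold=10, window_seconds=60):
    """Per source IP, the largest number of failed wp-login.php POSTs inside any
    window_seconds span; only IPs reaching threshold are reported.
    WordPress answers a wrong password with HTTP 200 (form re-rendered) and a
    correct one with a 302 redirect, so status 200 on a POST is the failure signal."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == LOGIN_PATH and rec[4] == 200:
            attempts[rec[0]].append(rec[1])
    window, bursts = timedelta(seconds=window_seconds), {}
    for ip, times in attempts.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[ip] = peak
    return bursts

def make_sample_log():
    """Constructed sample (not a real capture): one scanner IP firing 25 failed logins
    in 25 s, and one legitimate user who fails once and then succeeds (302)."""
    line = '{ip} - - [{t:%d/%b/%Y:%H:%M:%S} +0000] "POST {p} HTTP/1.1" {s} 3821 "-" "{ua}"'
    t0 = datetime(2021, 3, 10, 14, 2, 0)
    rows = [line.format(ip="192.168.0.105", t=t0 + timedelta(seconds=i),
                        p=LOGIN_PATH, s=200, ua="WPScan v3.8.17") for i in range(25)]
    rows.append(line.format(ip="192.168.0.50", t=t0, p=LOGIN_PATH, s=200, ua="Mozilla/5.0"))
    rows.append(line.format(ip="192.168.0.50", t=t0 + timedelta(seconds=20),
                            p=LOGIN_PATH, s=302, ua="Mozilla/5.0"))
    return "\n".join(rows)

if __name__ == "__main__":
    for ip, n in failed_login_bursts(make_sample_log()).items():
        print(f"{ip}: {n} failed logins inside one window -> likely brute force")
```

On a real server, feed it the access log and tune the threshold to your traffic; a login rate limiter or fail2ban rule on the same signal would have stopped the hour-long attack above.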
Log into the WordPress admin page using this username and password.
We are in the admin panel of the website.
Now go to Appearances -> Theme File Editor -> 404 Template.
Now, using this method and the PHP reverse shell script by Pentestmonkey, we try to get a shell on the web server.
nc -vlp 4444
After gaining a reverse shell I enumerated the system further and, as you can see in the image below, found a user.txt file, but permission to read it was denied.
But I found a .ssh directory there, which contained an “id_rsa” file holding an RSA private key.
I copied that key into my Kali Machine and created a file named “id_rsa” in my machine.
Now, try to connect to SSH using that private SSH key by the command:
ssh freddie@192.168.0.111 -i id_rsa
BOOM!! I’m in the system as freddie and now I can see the user.txt flag.
The next step is to gain root access to the system.
Let us see what the user freddie can do on this system using the “sudo -l” command.
We can see that user freddie can run the Nmap command on the machine. Now we need to find a way to escalate privileges using nmap.
Using the GTFOBins entry for Nmap, I will try to escalate privileges. GTFOBins can be found here.
TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF
nmap --script=$TF
Nothing you type in this shell is echoed back. I checked with the whoami command and I was root.
I typed reset and then pressed enter so that I could see what I was typing.
After a little more enumeration I found the root.txt flag, and we pwned the machine.
This is not the only way Drifting Blues: 2 can be solved. There are other methods and tools that can be used.
Hope you got to learn something new from this write-up and enjoyed reading it. Thank you ❤
For any queries DM me on Twitter at HardikJain121 or LinkedIn at Hardik Jain
See y’all next time.
Till then you can read my other writeups on DriftingBlues: 1 Vulnhub Write-up | Walkthrough, Memory Dump Analysis by using Volatility Framework and Some common Steganography tools for CTFs