HackMyVM-Drifting Blues 6

Netdiscover

Rustscan

rustscan -a 192.168.1.9 -- -A -sC -sV                                         
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Nmap? More like slowmap.🐢

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.1.9:80
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 64 Apache httpd 2.2.22 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/textpattern/textpattern
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: driftingblues

PORT 80 (HTTP)

Seeing robots.txt

So we will be fuzzing for files with .zip extension

We found the zip archive but downloading and opening it this will ask for a so we need to crack the password. I will be using frackzip.

We got the password now to enter the cracked password

Now login with these creds to textpattern

We have the ability to upload a file , I uploaded a phpbash to execute that file go to “/textpattern/files/phpbash.php”

Now we have a shell we could either use this or start a reverse shell

Seeing the kernel version we can search for this exploit

There’s an exploit for this kernel

Compile and execute the exploit it will ask for the password for a username we will input the password and it create a user firefart ,it will replace /etc/passwd file having the UID and GID set to 0 and home directory as /root so basically we will be root after running this exploit

We are root

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store