DriftingBlues6 - OffSec Proving Grounds
Objective
Deploy enumeration and web enumeration methods to identify vulnerabilities. Engage in password cracking techniques to gain unauthorized access. Capitalize on privilege escalation strategies to further elevate access. This lab is designed to apply your skills in system exploitation.
Enumeration
Nmap
Initially, I conducted an Nmap scan on the target host, which revealed only the HTTP service on port 80.
Web Enumeration
While enumerating the web application, I discovered a robots.txt file that included a hint suggesting that .zip be appended to filenames during DirBuster scans.
Using the .zip extension during my DirBuster scan, I discovered a file named scammer.zip, which was password-protected. I used zip2john to extract the password hash from scammer.zip and cracked it with John the Ripper. After extracting the archive, I found credentials stored inside.
I used these credentials to log into a Textpattern CMS instance that I had previously discovered using DirBuster.
Once inside the Textpattern CMS, I identified that it was running an outdated and unpatched version. I attempted several publicly available exploits against it, but none of them were successful.
Since the automated exploits failed, I manually uploaded a simple web shell that executed commands via GET requests to verify code execution. After confirming functionality with the basic web shell, I uploaded a PHP reverse shell, established a connection, and gained remote access to the server.
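From the defender's side, the two web-stage steps above (forced browsing for archives with a .zip suffix, then a PHP file under a CMS-writable directory taking commands through GET parameters) leave a recognisable trail in the web server's access log. The following Python script is an added example, not part of the original writeup or of Textpattern, that parses combined-format log lines and flags archive probing, archives that were actually served, suspected web-shell invocations and per-client 404 bursts. The log lines are constructed for the example, and the upload directory (`/files/`) is a placeholder; substitute the directory your CMS actually allows uploads into.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined format); not captured from the lab.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /admin.zip HTTP/1.1" 404 0 "-" "DirBuster-1.0-RC1"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /backup.zip HTTP/1.1" 404 0 "-" "DirBuster-1.0-RC1"
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /scammer.zip HTTP/1.1" 200 45321 "-" "DirBuster-1.0-RC1"
10.0.0.5 - - [01/Jan/2024:10:05:00 +0000] "GET /files/shell.php?cmd=id HTTP/1.1" 200 60 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:05:10 +0000] "GET /files/shell.php?cmd=uname%20-a HTTP/1.1" 200 110 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

ARCHIVE_EXT = (".zip", ".tar", ".tgz", ".tar.gz", ".7z", ".rar", ".bak")
# Parameter names commonly used by minimal GET-driven web shells.
SHELL_PARAMS = {"cmd", "command", "exec", "c"}
# Placeholder for the CMS upload directory; assumption for this example.
UPLOAD_DIRS = ("/files/",)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    parts = urlsplit(event["target"])
    event["path"] = parts.path
    # parse_qs percent-decodes values, so "uname%20-a" becomes "uname -a".
    event["params"] = parse_qs(parts.query, keep_blank_values=True)
    event["status"] = int(event["status"])
    return event


def analyse(log_text, upload_dirs=UPLOAD_DIRS):
    """Return counters and findings for archive probing, served archives, shell hits and 404 bursts."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    not_found = Counter()          # 404s per client: forced-browsing indicator
    archive_probes = Counter()     # requests for archive-like paths per client
    served_archives = []           # archive paths that returned 200 (exposed backups)
    shell_hits = []                # (ip, path, {param: value}) for suspected web-shell calls

    for e in events:
        path = e["path"].lower()
        if e["status"] == 404:
            not_found[e["ip"]] += 1
        if path.endswith(ARCHIVE_EXT):
            archive_probes[e["ip"]] += 1
            if e["status"] == 200:
                served_archives.append(e["path"])
        # A PHP file under an upload directory taking a command-style parameter.
        if path.endswith(".php") and e["path"].startswith(upload_dirs):
            suspicious = {k: v[0] for k, v in e["params"].items() if k in SHELL_PARAMS}
            if suspicious:
                shell_hits.append((e["ip"], e["path"], suspicious))

    return {
        "not_found": not_found,
        "archive_probes": archive_probes,
        "served_archives": served_archives,
        "shell_hits": shell_hits,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for ip, n in report["archive_probes"].items():
        print(f"[archive probing] {ip}: {n} archive requests, {report['not_found'][ip]} x 404")
    for path in report["served_archives"]:
        print(f"[exposed archive] {path} was served with 200; remove it from the web root")
    for ip, path, params in report["shell_hits"]:
        print(f"[suspected web shell] {ip} -> {path} params={params}")
```

In practice the exposed-archive finding is the one to act on first: an archive served from the web root is recoverable by anyone, and its password only slows an offline attack with zip2john and John the Ripper rather than preventing it. The shell-hit rule is intentionally narrow (PHP under an upload directory plus a command-style parameter) to keep false positives low; widen `UPLOAD_DIRS` to every directory the CMS can write to, and pair it with a server configuration that refuses to execute PHP from those directories.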
Privilege Escalation
I attempted several common privilege escalation techniques, but none of them were successful. After running uname -a, I noticed the system was running an outdated Linux kernel. I used Linux Exploit Suggester, which recommended the Dirty COW (CVE-2016-5195) exploit. I executed the Dirty COW exploit and successfully obtained a root shell.