This is a write-up of DriftingBlues-7, a machine from the VulnHub DriftingBlues series. You can download it from https://www.vulnhub.com/entry/driftingblues-7,680/
Once you have deployed the machine in a virtual environment, scan it for open ports using nmap.
Service Version detection:
Visiting port 80 redirects me to the HTTPS site, which shows the EyesOfNetwork login page.
I tried to log in using common username and password pairs such as admin:admin, admin:password, admin:root, etc., but was unable to log in. I also used gobuster and dirb to brute-force the directories and pages, but found nothing.
Then I moved to port 66, as it is running SimpleHTTPServer 0.6. I opened the IP with port 66 in the browser.
I tried gobuster and dirb, but they gave lots of errors; I don’t know why. Then I tried dirsearch, which gave me the output below.
index_search did not show any interesting file. Then I tried eon in the browser, and it downloaded a file.
Running cat or base64 -d did not give any useful info. Then I piped cat eon to base64 -d.
If we look carefully, PK is the signature of a zip archive, and it contains a creds.txt file.
In the next step, I redirected the output to a file: cat eon | base64 -d > eon.zip
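The PK observation above can be checked programmatically. The following is an added example, not part of the original write-up: it decodes a base64 blob, checks for the ZIP local-header signature, and reads the first entry's name and encryption flag straight from the header, which is why creds.txt is readable even though the archive asks for a password. The sample archive, its placeholder contents and the function names are assumptions constructed for this example.

```python
import base64
import binascii
import io
import struct
import zipfile

# ZIP local file header: signature, version, flags, method, time, date,
# CRC-32, compressed size, uncompressed size, name length, extra length.
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")  # 30 bytes
ZIP_MAGIC = b"PK\x03\x04"


def triage_base64_blob(text):
    """Decode base64 text and, if it is a ZIP, describe its first entry."""
    try:
        raw = base64.b64decode("".join(text.split()), validate=True)
    except (binascii.Error, ValueError):
        return {"type": "not-base64"}
    if len(raw) < LOCAL_HEADER.size or not raw.startswith(ZIP_MAGIC):
        return {"type": "unknown", "magic": raw[:4]}
    (_sig, _ver, flags, method, _time, _date, _crc, _csize, _usize,
     name_len, _extra_len) = LOCAL_HEADER.unpack_from(raw)
    name = raw[LOCAL_HEADER.size:LOCAL_HEADER.size + name_len]
    return {
        "type": "zip",
        "first_entry": name.decode("cp437"),  # names are stored in plaintext
        "encrypted": bool(flags & 0x1),       # general-purpose flag, bit 0
        "method": method,                     # 0 = stored, 8 = deflate
    }


def build_sample(encrypted):
    """Constructed sample: a ZIP holding creds.txt, returned as base64 text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("creds.txt", "placeholder-user\nplaceholder-pass\n")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Only the header flag bit is set to mimic an encrypted entry;
        # the payload itself is not actually encrypted.
        data[6] |= 0x01
    return base64.encodebytes(bytes(data)).decode("ascii")


if __name__ == "__main__":
    for flag in (False, True):
        print(triage_base64_blob(build_sample(flag)))
    print(triage_base64_blob("aGVsbG8gd29ybGQ="))
```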
Let’s open it... oh! It asked for a password. Don’t worry, we will use fcrackzip with rockyou.txt.
Got the username and password.
We can use them on the EyesOfNetwork login page. I directly checked the version of the application.
Google told me this version is vulnerable to authenticated RCE, and I came across an exploit. The exploit needs a username and password, which we have.
Downloaded the exploit and checked the arguments that need to be supplied with it.
We need to supply:
- EON URL.
- IP address and port of Kali to receive the reverse shell.
- Username and password.
We are root, no PE required...