Vulnhub DriftingBlues:7 write-up

This is a write-up of DriftingBlues-7, a machine from the VulnHub DriftingBlues series. You can download it from https://www.vulnhub.com/entry/driftingblues-7,680/

Once you have deployed the machine in a virtual environment, scan it for open ports using nmap.

Open ports

Service Version detection:

Service Version Detection using nmap

Visiting port 80 redirects me to the HTTPS site, which shows the EyesOfNetwork login page.

EyesOfNetwork login page

I tried to log in using common username/password pairs such as admin:admin, admin:password, admin:root, etc., but was unable to log in. I also used gobuster and dirb to brute-force the directories and pages, but found nothing.

Then I moved to port 66, as it is running SimpleHTTPServer 0.6. I opened the IP with port 66 in the browser.

I tried gobuster and dirb, but they gave lots of errors; I don't know why. Then I tried dirsearch, which gave me the output below.

dirsearch output for port 66

index_search did not show any interesting file, so I tried eon in the browser, and it downloaded a file.

eon file download.

Running cat or base64 -d on it did not give any useful info. Then I piped cat eon to base64 -d.

cat eon | base64 -d

If we look carefully, the PK at the start of the output is the signature of a zip archive, and it contains a creds.txt file.

In the next step, I redirected the output to a file: cat eon | base64 -d > eon.zip

eon.zip
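The check done by eye above (base64 text that decodes to bytes starting with PK) can be scripted. This is an added example, not part of the original write-up: it decodes a blob, identifies the format from its magic bytes and lists zip members with their encryption flag without extracting anything. The sample input is constructed, and the names sniff, triage and make_sample are made up for this example.

```python
import base64
import binascii
import io
import zipfile

# Leading "magic" bytes of a few common formats (not exhaustive).
MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"%PDF": "pdf",
    b"\x7fELF": "elf",
}


def sniff(data: bytes) -> str:
    """Name the format from the leading magic bytes, or 'unknown'."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def triage(blob: bytes) -> dict:
    """Decode a base64 blob, identify it, and list zip members without extracting."""
    try:
        # Drop line breaks first; validate=True rejects non-base64 bytes.
        raw = base64.b64decode(b"".join(blob.split()), validate=True)
    except binascii.Error:
        return {"base64": False, "type": sniff(blob), "members": []}
    report = {"base64": True, "type": sniff(raw), "members": []}
    if report["type"] == "zip":
        with zipfile.ZipFile(io.BytesIO(raw)) as zf:
            for info in zf.infolist():
                # Bit 0 of the general-purpose flags marks an encrypted entry.
                report["members"].append((info.filename, bool(info.flag_bits & 0x1)))
    return report


def make_sample() -> bytes:
    """Constructed stand-in for the downloaded file (not the real eon file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(zipfile.ZipInfo("creds.txt"), "constructed placeholder\n")
    raw = bytearray(buf.getvalue())
    # Set the encryption flag in the central directory entry so the listing
    # looks like a password-protected archive (the content is not encrypted).
    raw[raw.index(b"PK\x01\x02") + 8] |= 0x01
    return base64.encodebytes(bytes(raw))


if __name__ == "__main__":
    print(triage(make_sample()))
```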

Let's open it... oh! It asks for a password. Don't worry, we will use fcrackzip with rockyou.txt.

fcrackzip to crack zip password

Got the username and password.

EON username and password

We can use them on the EyesOfNetwork login page. I directly checked the version of the application.

EON version 5.3

Google told me this version is vulnerable to authenticated RCE, and I came across an exploit. The exploit needs a username and password, which we have.

I downloaded the exploit and checked the arguments that need to be supplied with it.

We need to supply:

  1. EON URL.
  2. IP address and port of Kali to receive the reverse shell.
  3. Username and password.

eonrce.py options

We are root, no privilege escalation (PE) required.

root
flag.txt
