
DriftingBlue6 Walkthrough – OffSec Proving Grounds Play Machine

After running a port scan on the IP, I investigated the open ports individually and found the following:

Port 80: HTTP

Textpattern CMS. Found a few RCEs online, but they all require authentication.

Login page (discovered through robots.txt):

<http://192.168.167.219/textpattern/>

Tested a few default creds and was not able to get in. Waiting for the rest of the ports to be scanned to see if I can get the creds a different way.

There is also a comment in robots.txt that reminds you to include .zip in directory fuzzing.

Found spammer.zip, which is password protected.

Used zip2john and grabbed the hash, then used john to crack it.

Password: myspace4

Unzipped spammer.zip and got access to creds.txt.

Credentials: mayer:lionheart

Able to login to Textpattern:

Foothold

I should be able to use this authenticated RCE now: https://www.exploit-db.com/exploits/51176

Confirmed the installed version is 4.8.3.

Found multiple RCEs related to uploading plugins, but I get this error when I navigate to Plugins:

Ended up uploading a PHP reverse shell through the Files section and browsed to it at http://192.168.167.219/textpattern/files/reverse_shell.php

Got a reverse shell as www-data.

Privilege Escalation

Ran linpeas.sh. Interesting stuff below:

Nothing super interesting!
There seems to be a MySQL port running locally.

I also ran pspy64.sh.

Nothing interesting here either!

Inspecting the linpeas results more closely:

Looking inside /var/www/textpattern/textpattern/config.php, I found the following:

	$txpcfg['db'] = 'textpattern_db';
	$txpcfg['user'] = 'drifter';
	$txpcfg['pass'] = 'imjustdrifting31';
	$txpcfg['host'] = 'localhost';

There are also a bunch of kernel-related CVEs (including Dirty Cow):

	CVE-2016-5195
	Source: <http://www.exploit-db.com/exploits/40616>

Connected to the textpattern database and was only able to find the hashed password for mayer, which I already know:

Dirty Cow

Found https://github.com/firefart/dirtycow and followed the steps.

The command to change the password got stuck at:

Successfully logged in as firefart with the new password I chose, which was root.
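As an added defender's check, not part of the original walkthrough: the firefart Dirty Cow PoC used above gets root by overwriting the root line of /etc/passwd with a new UID-0 user whose password hash sits inline in the file instead of in /etc/shadow. Those two artefacts (a non-root UID-0 account, a hash in the passwd password field) are easy to audit for. The script below parses passwd-format text and reports them; both sample files are constructed, and the hash value is a placeholder.

```python
from typing import List, Tuple

# Constructed sample (not from the target machine): a passwd file after the
# root entry has been overwritten the way the firefart Dirty Cow PoC does it.
TAMPERED_PASSWD = """\
firefart:$6$saltsalt$notarealhashjustaplaceholder:0:0:pwned:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

# Constructed sample of an untouched passwd file for comparison.
CLEAN_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

# Values that mean "look in /etc/shadow" or "locked"; anything else in the
# password field of a shadowed system deserves a second look.
SHADOWED = {"x", "*", "!", "!!"}


def audit_passwd(text: str) -> List[Tuple[str, str]]:
    """Return (user, reason) findings for a passwd-format string."""
    findings: List[Tuple[str, str]] = []
    seen = set()
    root_present = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            findings.append((fields[0], "malformed entry"))
            continue
        name, pw, uid = fields[0], fields[1], int(fields[2])
        if name in seen:
            findings.append((name, "duplicate account name"))
        seen.add(name)
        if uid == 0 and name == "root":
            root_present = True
        elif uid == 0:
            findings.append((name, "UID 0 account that is not root"))
        if pw == "":
            findings.append((name, "empty password field"))
        elif pw not in SHADOWED:
            findings.append((name, "password hash stored inline in passwd"))
    if not root_present:
        findings.append(("root", "root entry missing or no longer UID 0"))
    return findings


if __name__ == "__main__":
    for user, reason in audit_passwd(TAMPERED_PASSWD):
        print(f"{user}: {reason}")
```

On a live host, feed it the contents of /etc/passwd and compare against a known-good copy; the same checks belong in a file-integrity baseline rather than a one-off run.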