Please note: For all of these machines, I have used VMware Workstation to provision the VMs. A Kali Linux VM is my attacking box. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.
VM Details
Download
Description: A small VM made for a Dutch informal hacker meetup called Fristileaks. Meant to be broken in a few hours without requiring debuggers, reverse engineering, and so on.
About
Name: Fristileaks 1.3
Author: Ar0xA
Series: Fristileaks
Style: Enumeration/Follow the breadcrumbs
Goal: get root (uid 0) and read the flag file
Tester(s): dqi, barrebas
Difficulty: Basic
Note for VMware users: VMware users will need to manually edit the VM's MAC address to 08:00:27:A5:A6:76
Walkthrough
Download the Fristileaks VM from the above link and provision it as a VM.
Let's start with enumeration. First, we need to identify the IP of this machine. For this machine, however, the IP is displayed in the login banner of the VM itself.
Following the same methodology as in the Kioptrix VMs, let's start nmap enumeration. Below we can see that port 80 is open and that nmap's robots.txt script lists the disallowed entries.
Contents of robots.txt are:
/cola /sisi /beer
However, browsing to these directories does not yield anything.
Since nmap also reported port 80 as open, let's look at the web root itself.
Unfortunately, nothing of interest was on this page either. Following the banner "Keep Calm and Drink Fristi," I thought of navigating to the /fristi directory, since the entries exposed by robots.txt are also names of drinks. To my surprise, it did resolve, and we landed on a login page.
Quickly looking into the page source reveals a base64-encoded string. Decoding it results in the following string.
Just above this string there was also a message by eezeepz.
Trying the username eezeepz with the password discovered above, I was able to log in and was then redirected to an image upload page.
I tried to directly upload a PHP backdoor shell, but it looks like there is a filter that checks the file extension.
Merely appending a .png extension to the backdoor shell's filename resulted in a successful upload, and the page also listed the directory where the file was stored.
Before executing the uploaded shell, I started a listener on the attacking box, and as soon as the "image" was opened, which executes the PHP, we got our low-privilege shell back. BOOM!
Another step I always take is to look into the home directory of the logged-in user. In this case, we navigated to /var/www and found a notes.txt.
Navigating to the eezeepz user directory, we find another notes.txt; its contents are listed below.
Per this message, we can run the stated binaries by placing a file named 'runthis' in /tmp. Since we cannot traverse the admin directory, let's change its permissions by writing a chmod command into that file, like echo "/home/admin/chmod -R 777 /home/admin" > /tmp/runthis.
After the above command was executed, we are able to browse /home/admin, and I found a couple of interesting files, whoisyourgodnow.txt and cryptedpass.txt.
The contents of whoisyourgodnow.txt and cryptedpass.txt are shown below. In the same directory there is a cryptpass.py, which I assumed was used to encrypt both files.
Copying the contents of cryptedpass.txt to the local machine and reversing the ROT13 and base64 steps decodes them to the plaintext below.
Cryptedpass.txt = thisisalsopw123 whoisyourgodnow.txt=LetThereBeFristi!
Testing the password thisisalsopw123 for the admin user, it worked.
The password LetThereBeFristi! was then tested for the fristigod user.
Running sudo -l reveals that the file /var/fristigod/.secret_admin_stuff/doCom can be run as ALL under the user fristi. Running it as admin produces a wrong-user message.
Therefore, we run the above file as fristi with the cracked password. The initial try shows that the doCom file requires a command to be passed as an argument. Following that, I passed /bin/bash as the argument. There are other things we could also do, like chmod -R 777 /root, to make /root directly accessible to everyone. Either way, we can see that /bin/bash gets executed as root, and the user is now escalated to root.
And below is the flag from fristileaks_secrets.txt, captured to mark our victory.
This VM shows how important it is to try every possible path when enumerating the subdirectories exposed over port 80. Always test with the machine name and other banner messages. Post-exploitation, always enumerate all the directories of the logged-in user to find interesting files and information.