Sat. Oct 24th, 2020

Pentesting Fun Stuff

following the cyber security path…

FristiLeaks

This is the second box on my list to work through. As I mentioned earlier, this list consists of old boxes, but they can still form a good challenge to work up to the OSCP.

Recon

Starting with an nmap scan to find out which ports are open and what public-facing services are running on the system.

Port 80 is open with a webserver running behind it; the version is Apache 2.2.15.
Nmap guesses that the OS is CentOS.

There are some entries in the robots.txt file, but before I investigate the website, I'm going to check for known vulnerabilities in this Apache version.


Webserver

The main page of the website shows the names of the hackers behind Fristileaks, and in the source there is a comment:

The 3 entries in the robots.txt file all point to the same picture, which looks like a red herring. Just to be sure, I check the picture for metadata or other hidden data, but I can't find anything.

Time to run dirsearch and bruteforce the website in the hope of finding more files/folders.
Nothing... very frustrating. I tried different wordlists, but all came back with the same results: only the 3 drinks. After racking my head over it, it dawned on me that the 3 drinks were a hint and the main page was the answer. There was one drink that wasn't in any of my lists, mostly because it is a particular Dutch drink... fristi
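The lesson here is that a generic wordlist misses site-specific names; building a candidate list from the words that actually appear on the target's pages (the approach tools like CeWL take) would have found fristi immediately. The following script is an added example, not code from the original post: it strips tags from a page, keeps the text of HTML comments (often the most interesting part), and turns every word into directory and file candidates that can be fed to dirsearch. The HTML is a constructed stand-in for the FristiLeaks front page; the crew names in it are placeholders.

```python
import re
from html import unescape

# Constructed sample page standing in for the box's front page (placeholder names).
SAMPLE_HTML = """<html><body>
<h1>Fristileaks</h1>
<p>Meet the crew: alice, bob and carol. Drinks on the house: cola, beer, sisi and fristi.</p>
<!-- TODO: remove the staging dir before launch -->
</body></html>"""


def page_words(html, min_len=3):
    """Return unique lowercase words from a page, in first-seen order.

    Comment bodies are kept (their text is turned into plain text before
    tags are stripped), because developers leave hints in them.
    """
    text = re.sub(r"<!--(.*?)-->", r" \1 ", html, flags=re.S)   # keep comment text
    text = re.sub(r"<[^>]+>", " ", text)                          # drop tags
    text = unescape(text)                                         # &amp; -> &
    seen, words = set(), []
    for word in re.findall(r"[A-Za-z0-9]+", text):
        word = word.lower()
        if len(word) >= min_len and word not in seen:
            seen.add(word)
            words.append(word)
    return words


def candidate_paths(words, exts=(".php", ".txt", ".html", ".bak")):
    """Expand each word into a directory candidate plus common file extensions."""
    paths = []
    for word in words:
        paths.append("/" + word + "/")
        paths.extend("/" + word + ext for ext in exts)
    return paths


def write_wordlist(words, path):
    """Write one entry per line so the file can be passed to dirsearch -w."""
    with open(path, "w") as fh:
        fh.write("\n".join(words) + "\n")
    return len(words)


if __name__ == "__main__":
    words = page_words(SAMPLE_HTML)
    print(words)                       # 'fristi' and 'todo' are both in here
    for p in candidate_paths(words)[:10]:
        print(p)
```

In practice you would fetch the real page (and every linked page) instead of the embedded sample, and hand the resulting file to dirsearch with `-w`.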

The result was an admin portal with some comments.

There are several ways to decode this base64 comment. As it is an encoded PNG file, I just replace the initial picture on the site with this blob of code. The result is a picture with a string of letters: keKkeKKeKKeKkEkkEk
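Swapping the image in the page is the quickest route, but a scriptable version is handy when a site has several such comments. The script below is an added example and not part of the original post: it pulls long base64-looking runs out of HTML comments, decodes them tolerant of stripped padding, and identifies the file type from its magic bytes so you know what extension to save it with. The page it parses is constructed here; the "image" inside it is just the PNG signature plus filler, not a real picture.

```python
import base64
import binascii
import re

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Constructed sample: an HTML comment carrying a base64 blob (PNG header + filler).
FAKE_PNG = PNG_MAGIC + b"\x00" * 64
SAMPLE_HTML = (
    "<html><body><!-- TODO: remove this before go-live\n"
    + base64.b64encode(FAKE_PNG).decode()
    + "\n--><p>nothing to see here</p></body></html>"
)


def find_base64_blobs(html, min_len=40):
    """Return long base64-looking runs found inside HTML comments."""
    blobs = []
    for comment in re.findall(r"<!--(.*?)-->", html, flags=re.S):
        blobs.extend(re.findall(r"[A-Za-z0-9+/=]{%d,}" % min_len, comment))
    return blobs


def decode_blob(blob):
    """Decode a blob, restoring any padding that was trimmed; None if not base64."""
    cleaned = re.sub(r"\s+", "", blob)
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None


def sniff(data):
    """Identify common image formats from their leading bytes."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"GIF8"):
        return "gif"
    return "unknown"


def extract_images(html):
    """Return (type, bytes) for every decodable blob hidden in the page's comments."""
    results = []
    for blob in find_base64_blobs(html):
        data = decode_blob(blob)
        if data is not None:
            results.append((sniff(data), data))
    return results


if __name__ == "__main__":
    for i, (kind, data) in enumerate(extract_images(SAMPLE_HTML)):
        name = "hidden_%d.%s" % (i, kind)
        with open(name, "wb") as fh:
            fh.write(data)
        print("wrote", name, len(data), "bytes")
```

Once written to disk, a real image can be opened normally, or run through `exiftool`/`strings` if the text is not visible in the picture itself.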

A password? But what about the username? In the comment above there is a name: eezeepz
This username combined with the password gives me access to a page with an upload possibility.
Will it let me upload anything?

So it won't let me upload a PHP file. Will it let me upload a file with the extension php.jpg?

Yes, it will. Now to start up a listener and open the file in the browser so the webserver executes it.

The file can be found in /fristi/uploads/shell.php.jpg

A good place to start is the www folder, looking for things I've missed.

A file called notes.txt.

In the home directory of user eezeepz is a note:

OK, so I can try to use chmod to let me read more home folders. An important piece of info in the note is that the full path is required, so in this case I use /usr/bin/chmod.

After a minute I check /home and it seems to have worked.

A few Python scripts and text files. Let's look at the text file from fristigod.

Hmmm. What about the other text file?

It isn't base64. So let's take a look at the Python scripts.

It takes a string, base64-encodes it, reverses the result and finally applies rot13.
To make it readable again, I need to invert this script: apply rot13 (which is its own inverse), reverse the string, then base64-decode it. For this I can use a bash one-liner.
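To make the inversion concrete, here is an added example (not the script from the box, whose exact source is not reproduced on this page) that implements the transformation as described above together with its inverse. The order of operations matters: the encoder applied base64, then reverse, then rot13, so the decoder undoes them back to front. The equivalent bash one-liner is given in a comment; the sample plaintext is constructed.

```python
import base64
import codecs


def encode_string(s):
    """The transformation described above: base64 -> reverse -> rot13."""
    b64 = base64.b64encode(s.encode()).decode()
    return codecs.encode(b64[::-1], "rot13")


def decode_string(s):
    """Inverse, applied back to front: rot13 (self-inverse) -> reverse -> base64-decode.

    Shell equivalent for a value in $s:
        echo "$s" | tr 'A-Za-z' 'N-ZA-Mn-za-m' | rev | base64 -d
    """
    return base64.b64decode(codecs.decode(s, "rot13")[::-1]).decode()


if __name__ == "__main__":
    sample = "test"                      # constructed plaintext, not the box's secret
    enc = encode_string(sample)
    print(enc)                           # ==NqmITq
    print(decode_string(enc))            # test
```

A quick sanity check when you have the ciphertext but not the script: base64 padding ('=') always sits at the end of a base64 string, so after a reverse it appears at the front; rot13 leaves '=' untouched. Leading '=' signs on a blob are therefore a strong hint that a reverse happened somewhere in the pipeline.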

OK. Let's see if this is a password.

Nothing... but as we could see in /etc/passwd, the home folder is located in /var/fristigod.

An ELF file with the SGID/SUID bit set.
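Set-id binaries are worth hunting for systematically rather than stumbling on them in a home directory. This is an added example, not part of the original post: it walks the filesystem and reports regular files with the SUID or SGID bit set, which is what `find / -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null` does, and is useful on a box where find is missing or where you want the owner alongside the path. Pseudo-filesystems are skipped and permission errors are ignored, since an unprivileged shell will hit plenty of them.

```python
import os
import stat


def setid_flags(mode):
    """Return 'suid', 'sgid', 'suid,sgid' or '' for an st_mode value."""
    flags = []
    if mode & stat.S_ISUID:
        flags.append("suid")
    if mode & stat.S_ISGID:
        flags.append("sgid")
    return ",".join(flags)


def find_setid_files(root="/", skip=("/proc", "/sys", "/dev")):
    """Return [(path, flags, uid, gid)] for regular files with set-id bits under root."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        if dirpath.startswith(skip):
            dirnames[:] = []           # do not descend into pseudo filesystems
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)    # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            flags = setid_flags(st.st_mode)
            if flags:
                found.append((path, flags, st.st_uid, st.st_gid))
    return found


if __name__ == "__main__":
    for path, flags, uid, gid in find_setid_files("/"):
        print("%-9s uid=%-5d gid=%-5d %s" % (flags, uid, gid, path))
```

Anything owned by a non-root user (such as a file in /var/fristigod) is as interesting as root-owned binaries: it is a way to become that user, which is often the intended next hop.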

Hahaha... bummer.

So I can run the file as fristi.

Nice.

And that was the challenge. Not too difficult and really a good one to try.
