So I’m on a roll and doing at least 3 VMs daily. This is my first for today and hopefully won’t take too long.
Step 1 – Find out Fristileaks IP
Since all devices are on my home Wi-Fi network, I run a quick netdiscover scan. The Fristileaks machine is at 192.168.1.32
Step 2 – Enumerate the IP to find out open ports, service versions, OS, etc.
This provides the following attack surface:
- Port 80 – Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
- OS – Linux 2.6.32 – 3.10
Step 3 – Enumerating web ports
The author expects the challenge to be completed within 4 hours. Let’s see if I can do it faster 🙂
Entries in robots.txt also indicated by Nmap
Each of the links contains an image. Downloaded all 3 images and compared sizes, but they are all the same (they point to the same URL). Reviewed the file for any strings but found none.
Since there is so much emphasis on Fristi, I just entered this on a hunch and it turned out to be right
Decoding some base64 text found on the login page
Created a user list with all known values found. Used Hydra to attempt a brute-force attack and found the login credentials eezeepz / keKkeKKeKKeKkEkkEk
After logging in, an option is provided to upload a file
Only certain file types are allowed
Adding the .jpg file extension to the PHP reverse shell and attempting to upload
File successfully uploaded. Executed the file and obtained reverse shell
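The upload filter above only looked at the trailing extension, which is why a file carrying both .php and .jpg got through. As an added example (not the VM's code, and not the exact check the VM used), here is that weak trailing-extension check beside a hardened validator that allows exactly one extension from an allowlist, verifies the content's magic bytes, and stores the file under a server-generated name. The sample inputs are constructed.

```python
import os
import secrets

# Allowlist of image extensions and the magic bytes each must start with.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def weak_check(filename: str) -> bool:
    """Trailing-extension allowlist only: 'shell.php.jpg' passes because
    its last extension is jpg. Nothing about the content is inspected."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXT


def strong_check(filename: str, content: bytes) -> bool:
    """Require a basename of the form NAME.EXT with a single dot, an
    allowlisted EXT, and content whose leading bytes match that type."""
    base = os.path.basename(filename)
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        return False  # no extension, double extension, or empty name
    ext = parts[1].lower()
    if ext not in ALLOWED_EXT:
        return False
    return any(content.startswith(m) for m in MAGIC[ext])


def stored_name(filename: str) -> str:
    """Never reuse the client-supplied name. Call only after strong_check:
    a random name plus the validated extension leaves no handler-matching
    double extension for the web server to pick up."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed samples: a real-looking JPEG header and PHP source with a
# double extension. These are illustrative, not files from the VM.
SAMPLES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 12),
    ("shell.php.jpg", b"<?php /* php source disguised as an image */ ?>"),
]


def review_samples() -> dict:
    """Return {filename: (weak_result, strong_result)} for the samples."""
    return {name: (weak_check(name), strong_check(name, data)) for name, data in SAMPLES}


if __name__ == "__main__":
    for name, (weak, strong) in review_samples().items():
        print(f"{name:16} weak={weak} strong={strong}")
```

The stored-name step matters as much as the check itself: even a correctly validated upload should not be written to a path the client chose inside the web root.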
Enumerating the system to perform privilege escalation
Users eezeepz, admin, fristigod and fristi exist
Found a file in user eezeepz’s home directory which indicates that commands added to a file called runthis in the /tmp folder are executed every minute with the privileges of the admin user
Used this to make user admin’s home directory accessible to the current user, apache
Found a couple of files containing encrypted text, along with a possible method used to perform the encryption
I copied the encrypted text and verified that it isn’t just simple base64 encoding. I then copied the encryption function and gave it a few inputs to check whether that is what had been used. Based on the output it appears that this is indeed the case, so it now needs to be reversed. I simply took the encryption function, looked up the corresponding inverse of each operation, and applied them in reverse order
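The scheduled job above reads its command list from a fixed path in a world-writable directory, so whoever creates that file first runs commands as admin. As an added example (not from the VM), this Python audit flags the three properties a defender would check on any file a privileged job consumes: the containing directory is writable by others, the file is not owned by the job's user, and the file is writable by group or others. The demo builds a constructed temporary directory to exercise it; the admin uid is a hypothetical value.

```python
import os
import shutil
import stat
import tempfile


def audit_job_input(path: str, job_uid: int) -> list:
    """Return human-readable findings for a file read by a privileged job."""
    findings = []
    directory = os.path.dirname(os.path.abspath(path))
    if os.stat(directory).st_mode & stat.S_IWOTH:
        findings.append(
            f"{directory}: directory writable by others; any local user can "
            f"plant {os.path.basename(path)} before the job runs"
        )
    if not os.path.exists(path):
        return findings
    st = os.stat(path)
    if st.st_uid != job_uid:
        findings.append(
            f"{path}: owned by uid {st.st_uid}, not the job's uid {job_uid}"
        )
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by group or others")
    return findings


def demo() -> list:
    """Constructed scenario: a /tmp-like sticky, world-writable directory
    holding a job file created by a non-admin user and left 0666."""
    job_uid = os.getuid() + 1  # hypothetical 'admin' uid, not the current user
    workdir = tempfile.mkdtemp()
    try:
        os.chmod(workdir, 0o1777)
        job_file = os.path.join(workdir, "runthis")
        with open(job_file, "w") as fh:
            fh.write("echo constructed sample\n")
        os.chmod(job_file, 0o666)
        return audit_job_input(job_file, job_uid)
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for line in demo():
        print("FINDING:", line)
```

The fix on the job side is the mirror image of the findings: read the command file from a directory only the job's user can write to, and refuse to run if the file's owner or mode is wrong.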
The encrypted texts are successfully decrypted
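The method described above, as an added example that is not the VM's own code: a "cipher" built only from reversible transformations is decrypted by applying each stage's inverse in the opposite order. The three stages below (base64, rot13, byte reversal) are a constructed pipeline chosen for illustration, not a claim about what the VM shipped; the same loop works for any list of (forward, inverse) pairs. It also includes the quick check used above to rule out plain base64 before going further.

```python
import base64
import binascii
import codecs
import string

# Each stage is a (forward, inverse) pair of byte transformations.
# Constructed illustrative pipeline, not the VM's function.
STAGES = [
    (base64.b64encode, base64.b64decode),
    (
        lambda b: codecs.encode(b.decode("ascii"), "rot13").encode("ascii"),
        lambda b: codecs.decode(b.decode("ascii"), "rot13").encode("ascii"),
    ),
    (lambda b: b[::-1], lambda b: b[::-1]),
]

PRINTABLE = set(string.printable.encode("ascii"))


def encrypt(plaintext: bytes) -> bytes:
    """Apply every forward stage in order."""
    out = plaintext
    for forward, _ in STAGES:
        out = forward(out)
    return out


def decrypt(ciphertext: bytes) -> bytes:
    """Apply every inverse stage in reverse order: the whole point of the
    method is that composition order must be undone last-stage first."""
    out = ciphertext
    for _, inverse in reversed(STAGES):
        out = inverse(out)
    return out


def is_plain_base64(text: bytes) -> bool:
    """True only if the text decodes as strict base64 to printable ASCII,
    i.e. a single base64 layer is all that was applied."""
    try:
        decoded = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return False
    return bool(decoded) and all(c in PRINTABLE for c in decoded)


def matches_pipeline(known_plain: bytes, observed_cipher: bytes) -> bool:
    """Probe step: feed a known input to the candidate function and compare
    against the observed output, as done before reversing it."""
    return encrypt(known_plain) == observed_cipher


if __name__ == "__main__":
    sample = b"hello"  # constructed plaintext
    c = encrypt(sample)
    print("cipher:", c, "plain base64?", is_plain_base64(c))
    print("round trip:", decrypt(c))
```

Note that nothing here involves a key, which is the real finding: an "encryption" routine whose every step has a public inverse is encoding, and any reader of the source can undo it.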
Used the decrypted text to su to user fristigod’s account
Checked for password re-use but was unsuccessful
User fristi is permitted to execute a command which has setuid bit set
Since the current user is fristigod, the command needs to be executed with the sudo -u fristi option. After a few tries, I got the correct syntax and executed a bash shell via the setuid program, resulting in root access !!!
Finished the challenge in around 3 hours. Could have been faster had I not spent a lot of time trying to get an IP assigned to the Fristileaks VM on VMware. I just couldn’t, and finally ended up running it on VirtualBox. Overall an excellent VM and I really enjoyed completing it !!!