Fristileaks 1.3

So I’m on a roll and doing at least 3 VMs daily. This is my first for today, and hopefully it won’t take too long.

Step 1 – Find out Fristileaks IP

Since all devices are on my home Wifi network, I run a quick netdiscover scan. The Fristileaks machine is at 192.168.1.32

 

Step 2 – Enumerate the IP to find open ports, service versions, the OS, etc.

This provides the following attack surface:

  • Port 80 – Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
  • OS – Linux 2.6.32 – 3.10

Step 3 – Enumerating web ports

The author expects the challenge to be completed within 4 hours. Let’s see if I can do it faster 🙂

Entries in robots.txt, also indicated by Nmap

Each of the links contains an image. Downloaded all 3 images and compared sizes, but they are all the same (they point to the same URL). Reviewed the file for strings but found none.

Since there is so much emphasis on Fristi, I just entered this on a hunch, and it turned out to be right.

Decoding some base64 text found on the login page

Created a userlist with all known values found. Used Hydra to attempt a brute force attack and found the login credentials eezeepz / keKkeKKeKKeKkEkkEk.

After logging in, an option is provided to upload a file

Only certain file types are allowed

Adding the .jpg file extension to a PHP reverse shell and attempting to upload it

File successfully uploaded. Executed the file and obtained a reverse shell.

Enumerating the system to perform privilege escalation

Users eezeepz, admin, fristigod and fristi exist

Found a file in user eezeepz’s home directory indicating that commands placed in a file called runthis in the /tmp folder are executed every minute with the privileges of the admin user.

Used this to make user admin’s home directory accessible to the current user, apache.

Found a couple of files containing encrypted text, along with the method possibly used to perform the encryption.

I copied the encrypted text and verified that it isn’t just simple base64 encoding. I then copied the encryption function and gave it a few inputs to check whether that is what had been used. Based on the output, it appears that this is indeed the case, so it now needs to be reversed. I simply took the encryption function, looked up the corresponding inverse functions, and reversed the sequence of steps.
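The reversal described above, as an added example that is not code from the post or from the VM: the walkthrough does not reproduce the function it found, so this assumes a hypothetical pipeline of base64, string reversal and rot13. The point it shows is that every step is unkeyed, so the "encryption" is only an encoding and the inverse is just the inverse steps applied in the opposite order.

```python
import base64
import codecs


def encode_string(plaintext: str) -> str:
    """Hypothetical 'encryption': base64, then string reversal, then rot13.

    This pipeline is an assumption for illustration; the walkthrough does
    not show the function it found on the box. None of the steps uses a
    key, so the output is an encoding that anyone can invert.
    """
    b64 = base64.b64encode(plaintext.encode()).decode()
    return codecs.encode(b64[::-1], "rot13")


def decode_string(ciphertext: str) -> str:
    """Invert encode_string by applying each inverse in reverse order:
    rot13 is its own inverse, then un-reverse, then base64-decode."""
    unrot = codecs.decode(ciphertext, "rot13")
    b64 = unrot[::-1]
    return base64.b64decode(b64).decode()


def is_plain_base64(text: str) -> bool:
    """The first check the author describes: does the text decode as plain
    base64 into printable output? False is the hint that more steps exist."""
    try:
        decoded = base64.b64decode(text, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    return decoded.isprintable()


if __name__ == "__main__":
    # Constructed sample, not a value from the VM.
    sample = "constructed-secret"
    blob = encode_string(sample)
    print(f"encoded:        {blob}")
    print(f"plain base64?:  {is_plain_base64(blob)}")
    print(f"decoded:        {decode_string(blob)}")
```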

The encrypted texts are successfully decrypted

Used the decrypted text to su to user fristigod’s account

Checked for password re-use but was unsuccessful

User fristi is permitted to execute a command which has the setuid bit set

As the current user is fristigod, the command needs to be executed with the sudo -u fristi option. After a few tries, I got the correct syntax and launched a bash shell through the setuid program, resulting in root access!!!

Finished the challenge in around 3 hours. Could have been faster had I not spent a lot of time trying to get an IP assigned to the Fristileaks VM on VMware. I just couldn’t, and finally ended up running it on VirtualBox. Overall an excellent VM; I really enjoyed completing it!!!
