Wednesday, June 13, 2018

Fristileaks 1.3


- Layout for this exercise:





1 - INTRODUCTION

- The goal of this exercise is the study of the hacking process for the vulnerable machine Fristileaks 1.3:




Fristileaks 1.3 can be downloaded from here:

https://www.vulnhub.com/entry/fristileaks-13,133/


- Once downloaded and extracted with VirtualBox:





2 - ENUMERATION

- Using netdiscover to confirm the presence of host 192.168.1.9, which corresponds to the vulnerable machine Fristileaks 1.3:






- Scanning with Nmap:




- Connecting with the browser to the only open port 80:





- Running nikto against the host, we find three folders listed in robots.txt:






- Looking at robots.txt:




- Connecting to /cola, /sisi or /beer gives the same result:




- Following the advice: "KEEP CALM AND DRINK FRISTI" ... let's try fristi:





3 - EXPLOITATION

- Viewing the source of the web page, it seems that there is a user called eezeepz:




- After the image reference there is a block of Base64-encoded text:




- Decoding the text:




- The output is an image that could be a password:






- Using that series of letters as password for the user eezeepz:





- The login is successful, and we are invited to upload a file:



 


- Let's try a webshell, for instance the one provided by Kali:




- Copying it into a working directory to keep the original version untouched:





- The webshell must be modified to adapt to our needs:










- Now, it's time to upload the PHP file:














- However, the upload fails because an image format (png, jpg, gif) is required:




- To bypass this problem, let's rename the PHP webshell by just adding a png extension:




- The new file is uploaded successfully:






- Now, starting a netcat listening session:




- Running the PHP reverse shell by requesting it through the URL:




- The PHP reverse shell script is successful, achieving a limited shell:
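
The upload filter bypassed above, seen from the defender's side. This is an added example, not code from the original post or from the target application: `weak_check` assumes the filter inspects only the final extension (the post shows only that a `.php.png` name passes), and `hardened_store_name`, `is_rejected` and the sample data are hypothetical.

```python
import secrets

# Leading "magic" bytes of the three image types the upload form asks for.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def weak_check(filename: str) -> bool:
    """Assumed behaviour of the filter: only the final extension is inspected."""
    return filename.rsplit(".", 1)[-1].lower() in MAGIC


def hardened_store_name(filename: str, data: bytes) -> str:
    """Validate an upload and return the server-chosen name to store it under.

    Raises ValueError when the upload is rejected.
    """
    parts = filename.lower().split(".")
    # Exactly one extension: "shell.php.png" has two and is refused, so no
    # inner extension can ever be mapped to a script handler.
    if len(parts) != 2 or not parts[0]:
        raise ValueError("filename must be <name>.<ext> with a single extension")
    ext = parts[1]
    if ext not in MAGIC:
        raise ValueError("extension not in allow-list")
    # The content must start with the signature that matches the extension.
    if not data.startswith(MAGIC[ext]):
        raise ValueError("content does not match declared image type")
    # Never reuse the client-supplied name: store under a random one.
    return f"{secrets.token_hex(16)}.{ext}"


def is_rejected(filename: str, data: bytes) -> bool:
    """True when hardened_store_name refuses the upload."""
    try:
        hardened_store_name(filename, data)
        return False
    except ValueError:
        return True


# Constructed sample uploads (not taken from the page).
PHP_BODY = b"<?php /* placeholder script body */ ?>"
PNG_BODY = MAGIC["png"] + b"\x00" * 16

if __name__ == "__main__":
    for name, body in [("shell.php.png", PHP_BODY), ("logo.png", PNG_BODY)]:
        print(name, "weak:", weak_check(name), "hardened rejects:", is_rejected(name, body))
```

A signature check on its own can be satisfied by a script prefixed with image bytes, which is why it is combined here with the single-extension rule and a server-chosen name. Uploads should also be stored in a directory where the web server does not execute scripts.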




4 - PRIVILEGE ESCALATION

- Browsing the /home directory, we detect 3 users:




- Access is denied to both /admin and /fristigod home folders:







- However there is access to /eezeepz:




- Listing the content of the home directory /eezeepz:




- Reading notes.txt:





- Giving access permissions to the folder /home/admin:




- Waiting for a minute, and checking /tmp/runthis:




- Now, access to /home/admin is granted:








- There are 2 text files whose contents seem to be encrypted text:






- There is also a self-explanatory Python script that shows how the texts can be decrypted:





- Reversing the encryption process with this Python script, we find 2 plaintext outputs:

a) decoding with rot13
b) reversing the order
c) decoding with base64








- Now, trying to use su with fristigod, we find that a new terminal is needed:




- Importing a new bash:




- su is successful for fristigod:





- Listing sudo powers for fristigod:





- Going to /var/fristigod, it seems that the user fristi is able to run some interesting commands for administration purposes:





- Reading .bash_history gives us interesting information about how to use doCom:





- Opening .secret_admin_stuff, we find doCom:




- Running ./doCom, we need to provide a command:





- Trying /bin/bash, we eventually achieve a root shell:





5 - CAPTURING THE FLAG

- Going to the /root folder: