Wednesday, June 13, 2018
Fristileaks 1.3
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to study the hacking process for the vulnerable machine Fristileaks 1.3:
- Fristileaks 1.3 can be downloaded from here:
https://www.vulnhub.com/entry/fristileaks-13,133/
- Once downloaded and imported into VirtualBox:
2 - ENUMERATION
- Using netdiscover to confirm the presence of host 192.168.1.9, which corresponds to the vulnerable machine Fristileaks 1.3:
- Scanning with Nmap:
- Connecting with the browser to the only open port 80:
- Running nikto against the host, we find three folders listed in robots.txt:
- Looking at robots.txt:
- Connecting to /cola, /sisi or /beer gives the same result:
- Following the advice: "KEEP CALM AND DRINK FRISTI" ... let's try fristi:
3 - EXPLOITATION
- Viewing the source of the web page, it seems there is a user called eezeepz:
- After the image reference there is text encoded in Base64:
- Decoding the text:
- The output is an image showing a string that could be a password:
- Using that series of letters as password for the user eezeepz:
- The login is successful, and we are invited to upload a file:
- Let's try a webshell, for instance the one provided by Kali:
- Copying it into a working directory so the original version stays untouched:
- The webshell must be modified to suit our needs:
- Now, it's time to upload the PHP file:
- However, the upload fails because an image format (png, jpg, gif) is required:
- To bypass this check, let's rename the PHP webshell by simply adding a .png extension:
- The new file is uploaded successfully:
- Now, starting a netcat listening session:
- Running the PHP reverse shell by including it through the URL:
- The PHP reverse shell succeeds, giving us a limited shell:
4 - PRIVILEGE ESCALATION
- Browsing the /home directory, we detect 3 users:
- Access is denied to both the /admin and /fristigod home folders:
- However there is access to /eezeepz:
- Listing the content of the home directory /eezeepz:
- Reading notes.txt:
- Giving access permissions to the folder /home/admin:
- Waiting a minute, then accessing /tmp/runthis:
- Now, access to /home/admin is granted:
- There are 2 text files whose contents appear to be encrypted:
- There is also a Python script that makes clear how to decrypt the texts:
- Reversing the encryption process with this Python script, we obtain 2 plaintext outputs:
a) decoding with rot13
b) reversing the order
c) decoding with base64
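As an added illustration (not the script found on the machine), the three decoding steps above and their forward counterpart in Python; the sample text is constructed and the function names are my own:

```python
import base64
import codecs

# Added example, not the walkthrough's script: the text above is undone by
# rot13, then reversal, then base64 decoding, so the forward direction must
# be base64 encode, reverse, rot13.


def fristi_encode(plaintext: str) -> str:
    """Forward direction: base64-encode, reverse the string, apply rot13."""
    b64 = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
    reversed_b64 = b64[::-1]
    # rot13 only shifts letters; base64 digits, '+', '/' and '=' pass through.
    return codecs.encode(reversed_b64, "rot_13")


def fristi_decode(encoded: str) -> str:
    """Reverse direction, i.e. steps a), b) and c) listed above."""
    encoded = encoded.strip()                     # tolerate a trailing newline from a file
    unrotated = codecs.decode(encoded, "rot_13")  # a) rot13 is its own inverse
    restored_b64 = unrotated[::-1]                # b) undo the reversal
    return base64.b64decode(restored_b64).decode("utf-8")  # c) base64 decode


# Constructed sample (not the machine's real files) to show a round trip.
SAMPLE = "Fristi"

if __name__ == "__main__":
    encoded = fristi_encode(SAMPLE)
    print(encoded)                  # cE3pcWaE
    print(fristi_decode(encoded))   # Fristi
```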
- Now, trying to use su to become fristigod, we find that a proper terminal is needed:
- Spawning a new bash shell:
- su is successful for fristigod:
- Listing sudo powers for fristigod:
- Going to /var/fristigod, it seems that the user fristi is able to run some interesting commands for administration purposes:
- Reading .bash_history gives us interesting information about how to use doCom:
- Opening .secret_admin_stuff we find doCom:
- Running ./doCom, we need to provide a command:
- Trying /bin/bash, we eventually achieve a root shell:
5 - CAPTURING THE FLAG
- Going to the /root folder: