This Christmas I had the opportunity to catch up with the latest VMs on Vulnhub.
In this post I’m going to show you how to solve the FristiLeaks VM provided by Ar0xA.
Thanks to Vulnhub for keeping me busy with all these challenges, and thanks to everyone that hosts new challenges.
This challenge involves various hacking techniques and privilege escalation.
First step: INFORMATION GATHERING
The description provided on Vulnhub says that the machine will have an IP assigned automatically, so this is the situation:
A port scan on the victim host gives this:
The only open port is 80/tcp, so I have a look and this is what I find:
Second step: VULNERABILITY SCAN
I spider the website with Burp Suite and I find that there’s a hidden robots.txt file, but all the paths listed in it return the same image, which says that the provided URL is not what I’m looking for.
The index page says Keep calm and drink Fristi, and all the links in the robots.txt file are names of drinks, so I try http://192.168.56.101/fristi, and this is what I find:
The source code has the following content:
Thank you eezeepz, this really makes the ‘testing easier’.
Since the image shown on the page is embedded as base64 and there is a second, commented-out image below it, I download the page and uncomment that image.
This is the image that comes out:
This is eezeepz’s login password, so I login and I find a page that allows me to upload a file.
Third step: EXPLOITATION
I run a test and find out that the page only allows png, gif and jpg files, but the check is only on the extension, and the file is stored in the /uploads folder.
So, I prepare my trusted b374k web shell and upload it after changing the extension to .png, and this is what happens when I open http://192.168.56.101/uploads/myShell.php.png:
First thing, I open a reverse shell to my local machine on port 443, since for me that is more convenient than wandering around in a browser:
On a local terminal:
On the remote shell:
And so I’m in as user apache.
Fourth step: PRIVILEGE ESCALATION
I notice the file /var/www/notes.txt, whose content hints that I should check something in the home directory of the user eezeepz.
I go to eezeepz’s home folder and I notice the file /home/eezeepz/notes.txt with the following content:
So, as far as I understand, I have to create the file /tmp/runthis, and it will be run by a privileged user. Ideal.
I find out that the privileged user is admin, and that the commands in the /tmp/runthis file can only start with either /home/admin or /usr/bin, so I create a script that runs a command from /usr/bin and append a command that makes the folder /home/admin accessible to everybody.
I wait a minute and check the permissions on the folder /home/admin, and it’s now accessible by everybody.
The folder contains several files, and the ones that get my attention are cryptedpass.txt, whoisyourgodnow.txt, and cryptpass.py.
The first two files contain encoded passwords, and the third file is the script that encodes them:
The script encodes a given string first in base64 and then in rot13.
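As an added illustration (not the VM’s cryptpass.py, which this post does not reproduce), the following Python re-implements the base64-then-rot13 scheme described above together with its inverse. The point for a defender is that no key is involved anywhere, so a password stored this way is recoverable by anyone who can read the file; the sample string is constructed.

```python
import base64
import codecs


def obfuscate(plaintext: str) -> str:
    """Reproduce the scheme described above: base64 first, then rot13.

    rot13 only rotates A-Z and a-z, so the digits, '+', '/' and '='
    padding of the base64 output pass through unchanged.
    """
    b64 = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
    return codecs.encode(b64, "rot13")


def deobfuscate(token: str) -> str:
    """Invert the scheme: rot13 is its own inverse, then base64-decode.

    validate=True rejects characters outside the base64 alphabet, so a
    token that was not produced by this scheme raises instead of silently
    decoding to garbage.
    """
    b64 = codecs.decode(token, "rot13")
    return base64.b64decode(b64, validate=True).decode("utf-8")


def roundtrip_ok(plaintext: str) -> bool:
    """True if the token decodes back to the input: no secret is needed."""
    return deobfuscate(obfuscate(plaintext)) == plaintext


if __name__ == "__main__":
    # Constructed sample value, not a string taken from the VM.
    sample = "hello"
    token = obfuscate(sample)
    print(token, "->", deobfuscate(token))
```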
So, I write a script to decrypt a given string:
And these are the decrypted passwords:
I log in as fristigod, but the user can’t become root on the machine. So I go to the folder /var/fristigod and have a look at the .bash_history file:
It looks like this user was running some commands as user fristi via the file /var/fristigod/.secret_admin_stuff/doCom, so I run the following command to spawn a root shell:
Excellent, I’m root. Time to get the flag.
As usual, for any question or comment, please do not hesitate to leave a comment.