Vulnhub virtual machine; OSCP prep box, and a very interesting one indeed. This box included a few hints and clues sprinkled around a web application, which then pivoted to multiple user escalations alongside decryption of ciphertext that led to eventual root.
Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use information at your own risk.
By continued reading, you acknowledge the aforementioned user risk/responsibilities.
Initial Setup Note: When booting this VM, ensure your virtualization software uses the MAC address 08:00:27:A5:A6:76
I probably spent way more time than I’d like to admit troubleshooting networking issues than I really should have. #fundamentalsofreading
Discover VM on network:
Enumeration
Nmap Scan:
robots.txt looks to have some interesting directories disallowed
Navigate to webserver:
Not my favorite color but we have a list of user names and a date of 2015.
Users:
Might be helpful in the future.
Source:
First clue: we are to achieve root, and the box estimates 4 hrs to complete.
Investigate the robots.txt disallowed directories: http://192.168.56.109/cola
Download locally to investigate for steganography.
Nothing such as .zip or anything is standing out as of now.
The other disallowed directories, /sisi/ and /beer/, both contain links to the same image.
Thinking all these directories have some type of drink in the name, and we were told to “keep calm and drink fristi”, maybe a /fristi/ directory exists.
Navigate to /fristi/ and attempt basic logins (admin/admin, root/password, etc.) first.
Met with a whole lot of “wrong username or password”
SQL-injection time
Content filtering is occurring, good job webadmin.
View source:
Well hello, base64-encoded image.
Decode base64: create a file containing the base64 string
Decode:
The file has a PNG header; let's pipe this decode into a .png file.
Well this is turning into a bit of a Drake “keke” song.
The image resolves to keKkeKKeKKeKkEkkEk
Since eezeepz was the one that left the message, let's try to log in.
We are in like fine swimwear! There is a PHP-based file upload, so let's try to upload a reverse shell.
Attempt to upload shell.php; we will need to disguise our shell as an image.
Made modifications to the file name and content-type, and added GIF89a;
File filter bypassed and uploaded to the /uploads/ directory.
Ensure listener is setup
SHELL/RCE
Launch shell.php.gif
Upgrade the partial shell to a full TTY (Python method):
Priv-Esc
Start the quest to enumerate and elevate privileges on box.
Search for vulnerabilities based on the 2.6.32 kernel:
Looks like we found some priv-esc code... anddddd this has turned out not to be helpful.
Running my enum scripts:
Interesting avenues to take.
Continue enumerating user home directories: found note.txt in eezeepz's home.
Jerry left this note: files added to /tmp/run get run as his account.
Let's put a reverse shell into the directory and see if we can elevate our privileges to jerry.
Creating a Perl reverse shell.
Made the modifications needed.
Set up a new listener on 9001:
Download the script to /tmp.
Append the Perl script to a new file named runthis:
We are now admin.
Import a new TTY.
As in our previous encounter, the home directory aided our escalation, so now investigate /home/admin.
Interesting files exist here: *cryptedpass.txt*, cryptpass.py and whoisyourgodnow.txt.
Cat the interesting files:
The contents seem to be encoded with rot13, based on the Python script.
Reconstructing cryptpass.py to decode:
Run the scripts:
We now have plain-text passwords.
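As an added example (not the box's own cryptpass.py and not code from the original post), here is a decoder written against a re-implementation of the encoder; it assumes the encoding steps are base64, string reversal, then rot13, and it round-trips a constructed sample rather than the box's ciphertext.

```python
import base64
import codecs


def encode_string(plaintext: str) -> str:
    """Assumed cryptpass.py scheme: base64-encode, reverse, rot13.
    Re-implemented here so the decoder can be verified by round-trip."""
    b64 = base64.b64encode(plaintext.encode()).decode()
    return codecs.encode(b64[::-1], "rot13")


def decode_string(ciphertext: str) -> str:
    """Undo the three steps in reverse order.

    rot13 is its own inverse and leaves digits, '+', '/' and '=' alone,
    which is why the scheme is reversible at all; a ciphertext that
    starts with '=' is the base64 padding moved to the front by the
    reversal, a handy tell when eyeballing such strings."""
    unrotated = codecs.encode(ciphertext, "rot13")
    b64 = unrotated[::-1]
    return base64.b64decode(b64).decode()


# Constructed sample, not a value from the box.
SAMPLE_PLAINTEXT = "constructed-sample-password"
SAMPLE_CIPHERTEXT = encode_string(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("encoded:", SAMPLE_CIPHERTEXT)
    print("decoded:", decode_string(SAMPLE_CIPHERTEXT))
```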
Utilizing the password to su to fristigod.
A quick sudo -l to see what fristigod is capable of doing:
We have a *.secret_admin_stuff/doCom* file which looks very interesting.
Checking the .bash_history we see a lot of movement pertaining to a user *fristi*.
Root
Attempt to run doCom as the fristi user.
well well….
Running doCom as the usage indicates, but calling /bin/sh.
Bring me the Root!
-exec