8 Feb 2016

Walkthrough: FristiLeaks 1.3

THIS PAGE HAS MOVED TO HTTP://WWW.ZERODAYPANDA.COM

I’ve decided to play with some of the challenges that can be found on vulnhub, and first out in this walkthrough series is FristiLeaks 1.3.

The goal is to get root access (uid 0), and read a file to get the flag. So let’s get started.

After booting up the VM I had to change its MAC address to get the networking going; this was mentioned in the release notes, so it only took a few seconds.

fristileaks_1

Knowing the IP address I port scanned it with nmap. I also started a Nessus scan on it and let it run in the background, as it takes a lot longer than nmap I figured if I get stuck I might have more information from the Nessus results later on.

fristileaks_2

The only port I found to be open was 80/tcp. I brought it up in a browser and only found an image, a #fristileaks hashtag, and some Twitter references at the bottom (not in the screenshot).

fristileaks_3

I fired up Burpsuite and spidered the site, without finding anything useful really, apart from the robots.txt which contained the directories /cola, /sisi, /beer. I browsed to these directories and they all contained the same image.

fristileaks_4

So there’s Obi-Wan kindly informing us that this indeed is not the URL we are looking for. So we know we are looking for a URL then, perfect. Now here is where I found this challenge to be the hardest to be honest, which it probably shouldn’t have been .. but, oh well.

I spent some time here, so let’s just fast forward to saying that had I been living in the Netherlands it would have taken me 2 seconds only. Remember those directories in robots.txt? Cola, Beer, Sisi. Apparently Sisi is a drink, and when I finally googled Fristi I found out that’s also a drink. This VM was created for a Dutch hacker meet, so naturally they would know Sisi and Fristi are local drinks, but living in Sweden I had no idea. Anyways, the /fristi directory worked! Browsing to the URL, it presents us with the following:

fristileaks_5

An admin portal. Inspecting the source code instantly gives a lot of clues that we can use.

fristileaks_6

Followed by the image in base64, and after that comes this:

fristileaks_7

More base64 encoded stuff. I took the long route here by decoding the base64 and, noticing in the leading hex bytes that it was a .png, exporting it to a .png file. The quicker way (knowing it was an image file, which – to be honest – was mentioned at the top of the source) would have been to just save the html file, uncomment the base64 shown above and open it in a browser. Nevertheless, it only took a minute or two longer.

So in that base64 code is another image hidden:

fristileaks_8

That’s pretty much all the information I could find from here, so I decided to try and log in with the name eezeepz (the hints in the html source were written by that alias) and the password keKkeKKeKKeKkEkkEk, which worked like a charm.

Logging in with these credentials brings us to an upload page, where we apparently are only allowed to upload the formats png/jpg/gif.
Thankfully the upload function only performs a check on the filename ending and not the content, so we can upload anything we like really.
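For the defensive side of this finding, here is an added example (not code from the VM or from the original post) that puts the filename-ending check described above next to a stricter one that inspects the content and picks the stored name server-side. The function names and the sample byte strings are constructed for illustration.

```python
import secrets

# Leading signature bytes for the three formats the upload page allows.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

def extension(filename):
    """Lower-cased text after the last dot, or '' when there is no dot."""
    name = filename.lower()
    return name.rsplit(".", 1)[1] if "." in name else ""

def weak_check(filename):
    """The check described above: only the filename ending is inspected."""
    return extension(filename) in MAGIC

def sniff_type(data):
    """Return the allowed image type whose signature starts the content."""
    for kind, signatures in MAGIC.items():
        if data.startswith(signatures):
            return kind
    return None

def strict_check(filename, data):
    """Return a server-chosen storage name, or None to reject the upload.

    The content signature must match the claimed extension, and nothing
    from the client-supplied name (such as an inner '.php') is kept.
    """
    kind = sniff_type(data)
    ext = extension(filename)
    if ext == "jpeg":
        ext = "jpg"
    if kind is None or ext != kind:
        return None
    return f"{secrets.token_hex(16)}.{kind}"

# Constructed sample inputs: an inert script stub and a bare PNG signature.
SCRIPT_UPLOAD = b"<?php /* constructed placeholder, does nothing */ ?>"
PNG_UPLOAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    print(weak_check("cmd.php.png"))                     # accepted by name only
    print(strict_check("cmd.php.png", SCRIPT_UPLOAD))    # rejected on content
    print(strict_check("logo.png", PNG_UPLOAD))          # random name + .png
```

A signature check alone can still be passed by a file that starts with valid image bytes, so the server-side rename and serving uploads from a location where scripts are never executed remain part of the fix.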

I tried it out by uploading a simple php file to execute commands.

fristileaks_9

This lets me execute shell commands via web interface, and worked fine. So I decided to upload a file with a reverse shell to open a netcat connection to my own host.

Once the reverse shell was opened, I poked around and found a notes.txt in eezeepz’s home directory with this information:

fristileaks_10

Thanks Jerry, I can work with this. I tried to put a simple command in a file called ‘runthis’ in /tmp and it executed without problems, so I set up a local netcat listener on port 6666 and put the following piece of text in the ‘runthis’ file.

fristileaks_11

Waited a couple of seconds, as this file is run on each minute, and poof we got the reverse shell and are logged in as admin.

fristileaks_12

In the /home/admin directory there are a couple of files, some of which draw attention straight away, so let’s look at these two:

fristileaks_13

These two are encrypted, and there’s a cryptpass.py script to inspect as well:

fristileaks_14

This script takes a piece of text, encodes it with base64 and then performs a rot13 substitution cipher on it. Not very complicated; the quickest process should be to write a similar script to reverse the encryption, so let’s do that.

fristileaks_15

We got the decrypt script now, let’s run it on the two encrypted passwords.

fristileaks_16

This gives us two plaintext passwords:
whoisyourgodnow.txt = LetThereBeFristi!
cryptedpass.txt = thisisalsopw123
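Why this recovery needs no secret, as an added example that is not the script from the VM or from the original post: it follows the scheme as described in the text (base64, then rot13; the real script appears only in a screenshot and may differ in detail) and contrasts it with a salted, slow hash. The function names, sample string and PBKDF2 parameters are assumptions chosen for illustration.

```python
import base64
import codecs
import hashlib
import hmac
import os

def obfuscate(text):
    """Scheme as described above: base64-encode, then rot13 the result."""
    b64 = base64.b64encode(text.encode()).decode()
    return codecs.encode(b64, "rot13")

def deobfuscate(blob):
    """Inverse of obfuscate(): rot13 is its own inverse, then base64-decode.

    No key or secret is involved, so anyone who can read the file and the
    script can recover the plaintext.
    """
    b64 = codecs.decode(blob, "rot13")
    return base64.b64decode(b64).decode()

def hash_password(password, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256: the stored value cannot be reversed."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

if __name__ == "__main__":
    sample = "example-secret"  # constructed sample, not a value from the VM
    stored = obfuscate(sample)
    print(stored, "->", deobfuscate(stored))  # round-trips without any key

    salt, digest = hash_password(sample)
    print(verify_password(sample, salt, digest))         # True
    print(verify_password("wrong-guess", salt, digest))  # False
```

The hash only fits where the stored value is used to verify a login; a password that has to be read back later belongs in a secrets store with access control, not in a world-readable file next to its encoder.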

Naturally I’m interested in knowing who the god is, and when listing the files we can see that whoisyourgodnow.txt is owned by the user fristigod.

fristileaks_17

Let’s try and switch to that user instead and see if we can find the flag somewhere.

fristileaks_18

Ok, so it needs a tty. Let’s spawn one and switch user to fristigod.

fristileaks_19

We’re closing in on the flag, but the mission statement is quite clear

Goal: get root (uid 0) and read the flag file

When logging in as fristigod it places us in the /var/fristigod directory, which contains two files: the bash history, and a directory called “secret_admin_stuff”. I really like secret admin stuff, so let’s check it out.

fristileaks_20
fristileaks_21

So there’s an executable called “doCom” with root privileges; this looks really promising.

fristileaks_22

.. but it won’t let me run it, wrong user apparently. It’s always interesting to look at the bash history and find out what this user has been doing previously.

fristileaks_23

Nice! This user has been executing the doCom file that we encountered, and has been doing so by sudo’ing as the user “fristi”. And the syntax seems to indicate that after the doCom we specify a command to be run as root.

fristileaks_25

..and it works perfectly. When simply running the doCom it indeed tells us that we need to specify a command as well. Doing so with ‘whoami’ verifies that we indeed have root privilege now. And instead of sudo’ing every single command we need to do from here, let’s just spawn a shell as a root.

fristileaks_26

Now let’s find that flag. The first place I looked at was /root, and there it was.

fristileaks_27

So that’s our flag, and that’s the challenge completed.

Thanks to the FristiLeaks crew for putting this together, and thanks to vulnhub for hosting all these VMs.