Fristileaks was an easy box from abatchy's list of OSCP-like Vulnhub boxes. Unlike the other boxes from the list so far, this one is more CTF-style than a collection of real-life vulnerabilities, so we should approach it with a treasure-hunting mentality.
I had issues when I first imported the box into VirtualBox, as the box was not getting an IP address assigned. I tried different network modes and troubleshooting techniques, but none of it worked.
The solution is to set the MAC address of the virtual machine manually to 08:00:27:A5:A6:76. (In VirtualBox the MAC address is entered without the : separators and looks like this: 080027A5A676.) After setting the MAC address of the VM to this, everything worked flawlessly!

Let’s start the enumeration process with netdiscover.
netdiscover -Lr 192.168.1.0/24
Here 192.168.1.0/24 is my home network's range, -L keeps netdiscover listening and -r specifies the range to scan.
From that command I found the IP address of the target: 192.168.1.8.
We are going to continue the enumeration with an Nmap scan.
nmap -sCV -v -oN tcp 192.168.1.8
And the output is as follows.
# Nmap 7.91 scan initiated Thu Dec 24 07:36:15 2020 as: nmap -sCV -v -oN tcp 192.168.1.8
Nmap scan report for 192.168.1.8
Host is up (0.00039s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
| http-methods:
| Supported Methods: GET HEAD POST OPTIONS TRACE
|_ Potentially risky methods: TRACE
| http-robots.txt: 3 disallowed entries
|_/cola /sisi /beer
|_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
Right from the scan output, we can see that the machine only has port 80 open. I also scanned all 65535 ports of the machine just to be sure that no other services were running on higher port numbers, but there was nothing other than port 80.
The home page showed the following image.

The Nmap script scan also shows the entries in the robots.txt file. There are three directories: /beer, /sisi and /cola. But these directories were just there to confuse the attacker. Every directory name is a reference to a beverage. 😅

So, I started gobuster on the machine.
gobuster -m dir -u http://192.168.1.8/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt |tee gobuster.out
I used tee instead of gobuster's -o (output) flag because if the target refuses connections for any reason, we might have to close gobuster abruptly before the scan finishes, and in that case we might not get the output at all. tee, however, is an independent program that writes each line to the file as soon as it receives it, so even if we abruptly close gobuster, the output will already be on disk. Pretty nifty!
But even gobuster didn't return any useful directories. There was an exposed /uploads directory, but it contained nothing interesting except the uploaded images.
So I tried the directory /fristi, since that name is shown on the home page and it is the name of the VM.

And we've found a login panel.
I tried basic SQL injection techniques, but they didn't work. So I decided to check the source code of the website for clues.

The comment in the source code mentions that the user eezeepz left something here. Another thing worth mentioning is that just above that comment, a meta tag says the fristi team uses base64 encoding for their images.

Scrolling down the page, we can see a commented-out base64 string!

I copied this base64 string and used the following command to decode it and save the result to a file.
echo "insert-base64-code-here" |base64 -d > outfile
This command decodes the base64 string and saves the output to a file named outfile.
Let's see what kind of file it is with the following command.
file outfile

The image shows a series of characters. Maybe a password?


Let's use this as the password to log in to the member panel with the username eezeepz.

There is an upload link, where we can upload images.

I uploaded a sample image file through this portal and the following message was shown.

Going into the http://192.168.1.8/fristi/uploads/{FILENAME} URL displayed the image I just uploaded.

Now, from the Nmap scan we know that the web server runs PHP, so let's try to upload a PHP reverse shell page here.
Kali Linux ships several PHP reverse shells in the laudanum package.
The PHP reverse shells can be found in
/usr/share/laudanum/php/
I used the php-reverse-shell.php file and modified the LHOST and LPORT variables.

And I tried to upload this file directly via the image uploader.

So the challenge must be about bypassing the file format filter, which means we need to get the PHP reverse shell uploaded past this check.
Let's start Burp Suite and capture a valid image upload request.

I tried several tricks, like manipulating the file extension and changing the content type, when uploading the PHP shell, but none of them worked.
What worked was copying the entire PHP code and pasting it at the end of the PNG file contents in the request. I also changed the file name from "test.png" to "shell.php.png".
I sent the request to the server and the file was uploaded successfully!
Let’s now start a netcat listener and request the file.
nc -lvnp 9001
Now, in the browser, request the file by visiting this URL.
http://192.168.1.8/fristi/uploads/shell.php.png
And we got a shell back as the apache user!

This happened because the machine is misconfigured to execute PHP code from any file that has .php anywhere in its filename, not just as the final extension. So when we access the shell.php.png file we just uploaded, the PHP code we embedded in the image file gets executed.
The misconfiguration in the php.conf file looks like the following.

This is an old vulnerability, and it can be patched by upgrading the PHP version or by replacing the AddType directive with the following.
<FilesMatch "\.php$|\.php5$|\.php4$|\.php3$|\.phtml$|\.phpt$">
SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\.phps$">
SetHandler application/x-httpd-php-source
</FilesMatch>
This ensures that only files whose names end with .php or one of the other PHP-related extensions are executed. This vulnerability is mitigated in newer PHP versions.
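The FilesMatch fix above solves the problem at the web server, but an upload handler should also refuse the double-extension trick on its own. The following Python validator is an added example written for this post, not code from the box or from the laudanum package: it rejects any file name that carries a PHP extension in any position (so shell.php.png fails even though it ends in .png), requires the PNG signature, and, as defence in depth only, refuses a body that contains a PHP open tag. The extension list is the one from the FilesMatch block; the sample upload bodies are constructed for the example.

```python
import re

# Extensions that the vulnerable AddType line hands to the PHP interpreter
# when they appear anywhere in the file name (list taken from the FilesMatch
# directive in the post).
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phpt", "phps"}
ALLOWED_IMAGE_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Crude marker for PHP code appended behind a valid image header.
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def filename_is_acceptable(filename: str) -> bool:
    """Allow exactly one extension, and only an image type.

    Every dot-separated component after the base name is checked, so
    'shell.php.png' and 'x.phtml.jpg' are rejected along with plain
    'shell.php'. Names with no extension or an empty base name fail too.
    """
    parts = filename.lower().split(".")
    base, exts = parts[0], parts[1:]
    if not base or not exts:
        return False
    if any(ext in PHP_EXTENSIONS for ext in exts):
        return False
    return len(exts) == 1 and exts[0] in ALLOWED_IMAGE_EXTENSIONS


def content_is_clean_png(data: bytes) -> bool:
    """Require the PNG signature and refuse bodies containing a PHP open tag.

    This is defence in depth: it catches the 'paste the shell after the PNG
    bytes' trick from the post, but the primary fix remains the handler
    configuration, since a content scan cannot cover every encoding.
    """
    return data.startswith(PNG_MAGIC) and PHP_OPEN_TAG.search(data) is None


def validate_upload(filename: str, data: bytes) -> bool:
    """Both the name and the content have to pass."""
    return filename_is_acceptable(filename) and content_is_clean_png(data)


# Constructed sample upload bodies (not real files from the box).
CLEAN_PNG = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
TAMPERED_PNG = CLEAN_PNG + b"\n<?php echo 'placeholder'; ?>\n"

if __name__ == "__main__":
    for name, body in [("test.png", CLEAN_PNG),
                       ("shell.php.png", CLEAN_PNG),
                       ("test.png", TAMPERED_PNG),
                       ("shell.php", TAMPERED_PNG)]:
        verdict = "accept" if validate_upload(name, body) else "reject"
        print(f"{name:15} -> {verdict}")
```

Only the first of the four sample uploads is accepted. Note that the name check is deliberately strict (one extension, image type only) rather than a denylist of bad patterns, because a denylist has to anticipate every spelling the web server's handler might match.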
Now let's do our local enumeration. I looked in /var/www/html/ for credentials and found some.

But for some reason I couldn't log in to the MySQL service with these credentials.
Moving on...
Inspecting the /var/www directory, a notes.txt file caught my attention.

Let’s check out the /home/eezeepz directory. There is another notes.txt file there.

So there is a cron job running every minute on the machine; it executes whatever script is in the file /tmp/runthis and saves its output to a file named /tmp/cronresult.
Also, there is another point worth mentioning. Although eezeepz is a low privileged
This seems easy!
My first thought was to save a bash reverse shell one-liner as the runthis file and catch the reverse shell with nc.
But putting a bash one-liner there produced the following error in the cronresult file, meaning that we can only use binaries from /home/admin or /usr/bin.

And there weren't any shells in either /home/admin or /usr/bin.
But, as the note mentioned, /home/admin had the following binaries:
cat, chmod, df, echo, egrep, grep and ps.
So, I saved the following command as /tmp/runthis and waited.
/home/admin/chmod 777 /home/admin
And now we have rwx access on /home/admin!

Inspecting the contents of the /home/admin directory showed some files related to some sort of cryptography.

So I decided to copy them all to my machine.
To do that, I first moved everything into a folder named crypt.
mkdir crypt
mv *.py crypt/
mv *.txt crypt/
Then I archived the folder using the following command.
tar -czvf archive.tar.gz crypt/
Now I needed to transfer the file to my machine for further inspection. But the target machine didn't have netcat, and the Python HTTP server wasn't working.
So I copied the archive from /home/admin to the /var/www/html/beer directory and downloaded archive.tar.gz from there.
Upon inspecting the contents of the files exported from the target, I found these.


So cryptpass.py is a custom encoding program, in which the encodeString() function encodes the input string in three steps:
- Encodes the input string to base64
- Reverses the base64 string
- Encodes the reversed base64 string to rot13
That means the contents of whoisyourgodnow.txt must be the output of this encode function.
So we have to write a decodeString() function that performs these operations in reverse:
- Decode the rot13 of the input string
- Reverse the result
- Base64-decode the reversed string
The decode function I wrote looked like this.
import sys
import base64
import codecs

def decodeString(encoded):
    a = codecs.decode(encoded, 'rot13')           # rot13 is its own inverse
    decoded = base64.b64decode(a[::-1]).decode()  # un-reverse, then base64-decode
    return decoded

print(decodeString(sys.argv[1]))
I saved this code as decode.py and decoded the string using the following command.
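To make clear why the scheme is reversible without any secret, here is an added example (written for this post, not the cryptpass.py taken from the box) that re-implements the three encoding steps described above alongside the decoder, and checks that a round trip reproduces the input exactly. The "Hi" sample value is constructed; the encoder is an assumption based on the write-up's description of encodeString().

```python
import base64
import codecs


def encode_string(plaintext: str) -> str:
    """The three steps the post attributes to encodeString() in cryptpass.py:
    base64-encode, reverse, rot13. Re-implemented here from that description,
    not copied from the box."""
    b64 = base64.b64encode(plaintext.encode()).decode()  # step 1: base64
    reversed_b64 = b64[::-1]                              # step 2: reverse
    return codecs.encode(reversed_b64, "rot13")           # step 3: rot13


def decode_string(encoded: str) -> str:
    """Undo the steps in reverse order. rot13 is its own inverse, so the same
    rotation is applied again, then the string is un-reversed and
    base64-decoded."""
    unrotated = codecs.decode(encoded, "rot13")
    return base64.b64decode(unrotated[::-1]).decode()


def roundtrip_is_exact(encoded: str) -> bool:
    """No key is involved anywhere: decoding and re-encoding reproduces the
    original encoded string byte for byte."""
    return encode_string(decode_string(encoded)) == encoded


if __name__ == "__main__":
    sample = "Hi"                    # constructed sample, not the box's string
    enc = encode_string(sample)      # "=xTF"
    print(enc, decode_string(enc), roundtrip_is_exact(enc))
```

One detail worth noticing when you meet strings like this in the wild: base64 padding sits at the end of the encoded data, reversing moves it to the front, and rot13 leaves '=' untouched, so an "encrypted" value that begins with one or two '=' characters is a strong hint that it is just reversed base64 with a letter substitution on top.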

Let's try to log in as user fristigod, since there is a folder for that user in /home and the name of the txt file suggests the password is meant for this account.
> su fristigod
> Password: LetThereBeFristi!
And we're in as fristigod!

Since we have the password for the fristigod user, I used the following command to check whether this user is in the sudoers file.
sudo -l

This sudoers entry means that the fristigod user can run the command /var/fristigod/.secret_admin_stuff/doCom as the user fristi. (Confusing naming conventions, I know! 😵)
This means we need to pass the -u flag when issuing sudo.
For learning purposes, let's skip the -u flag first and see what happens.
sudo /var/fristigod/.secret_admin_stuff/doCom

Let’s issue the sudo command with the -u flag now.
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom

Let’s try running /bin/bash.
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash

And we’re root!

And here’s the flag!

Even though this was a CTF-themed box, it was fun and a great learning experience. Kudos to the creator Ar0xA!