FRISTILEAKS: 1.3 Walkthrough

📌 VMware users will need to manually edit the VM's MAC address to: 08:00:27:A5:A6:76

A small VM made for a Dutch informal hacker meetup called Fristileaks. Meant to be broken in a few hours without requiring debuggers, reverse engineering, etc..



Enumeration

“Supreme excellence consists of breaking the enemy’s resistance without fighting.”
― Sun Tzu, The Art of War

Brooding: 🤔

The likely way in is through the web server on port 80: LFI/RFI or SQLi, and from there RCE.

More Enumeration…

  1. Port 80
  • Manual enumeration + robots.txt + source code
[Screenshots not preserved: Welcome Page; Source Code; Found a 🔑]

Found nothing on those pages.

  • Nikto Scan
Nothing critical here.
  • GoBuster

└─$ gobuster dir -f -x php,html,txt -t 100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.103.146 -n -q -e
http://192.168.103.146/index.html
http://192.168.103.146/icons/
http://192.168.103.146/images/
http://192.168.103.146/cgi-bin/
http://192.168.103.146/robots.txt
http://192.168.103.146/error/
http://192.168.103.146/beer/

Brooding:

Currently I am out of options. I could not find any directory or file with useful information, and Gobuster did not turn up anything of interest. One option would be a huge wordlist of every possible word, but that is not feasible. Instead I will use cewl to generate a wordlist from the site's own content.

No luck 😩

After a long struggle, I found it by looking for hints. 🔑

http://192.168.103.146/fristi/

Found a username and a base64-encoded blob in the page source. Decoding the base64 gave a PNG image containing some words. Let's use those to log in.
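Hidden data in HTML comments is easy to miss when it is wrapped over many lines. The following is an added Python example (not code from the original post) that pulls base64 runs out of HTML comments, decodes them strictly, and identifies the embedded file by its magic bytes rather than trusting its appearance. The HTML and the PNG stub it scans are constructed for the example; they are not the challenge page.

```python
from __future__ import annotations

import base64
import re
import textwrap

# File-type signatures (magic bytes) checked against the decoded data.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "zip": (b"PK\x03\x04",),
}

# A base64 run of at least 16 characters, optionally padded.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.S)


def identify(data: bytes) -> str:
    """Name the file type by its leading bytes, or 'unknown'."""
    for kind, sigs in SIGNATURES.items():
        if data.startswith(sigs):
            return kind
    return "unknown"


def decode_run(run: str) -> bytes | None:
    """Strictly decode one base64 run, repairing missing '=' padding."""
    padded = run + "=" * (-len(run) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def extract_embedded_files(html: str) -> list[tuple[str, int]]:
    """Return (type, size) for every decodable base64 blob found in HTML comments.

    Whitespace inside a comment is stripped first, because a long blob is
    usually pasted over many lines.
    """
    found = []
    for comment in HTML_COMMENT.findall(html):
        joined = re.sub(r"\s+", "", comment)
        for run in B64_RUN.findall(joined):
            data = decode_run(run)
            if data is not None:
                found.append((identify(data), len(data)))
    return found


# Constructed sample: a PNG signature plus filler, wrapped like a hand-pasted blob.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # 24 bytes, not a real image
SAMPLE_HTML = (
    "<html><body><h1>login</h1>\n"
    "<!--\n"
    + "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_PNG).decode(), 16))
    + "\n-->\n"
    "<!-- nav -->\n"
    "</body></html>\n"
)

if __name__ == "__main__":
    for kind, size in extract_embedded_files(SAMPLE_HTML):
        print(f"embedded {kind} blob, {size} bytes")
```

Identifying the payload by magic bytes, not by what the comment claims it is, is the same check a reviewer would apply to anything an application stores or serves: the declared type and the real type are two different facts.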

eezeepz:kekkekkekkekkEkkEk

I think we can upload a file and get a reverse shell.

Upload a PHP reverse shell named xyz.php.png. It will be stored in the /uploads folder.
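The upload step works because the server only looks at how the filename ends. As an added example (not the application's own code), here is a Python model of that naive rule beside a hardened validator: exactly one allowlisted extension, content checked against the type's magic bytes, and a server-chosen filename derived from the content hash so that nothing the client supplies reaches the filesystem. The sample bytes are constructed placeholders, not a real image or script.

```python
from __future__ import annotations

import hashlib
import os

# Allowed upload types, each tied to the magic bytes its content must start with.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def weak_check(filename: str) -> bool:
    """The naive rule: accept anything whose name ends in an image extension.

    'xyz.php.png' passes although its content is not an image, and on servers
    whose handler mapping acts on any '.php' segment in a name the stored file
    is treated as a script.
    """
    return filename.lower().endswith(tuple("." + ext for ext in ALLOWED_TYPES))


def hardened_check(filename: str, content: bytes) -> tuple[str | None, str]:
    """Validate an upload; return (stored_name, reason), stored_name None on reject.

    1. exactly one extension, drawn from the allowlist (no 'a.php.png');
    2. the content must begin with that type's magic bytes;
    3. the stored name comes from the content hash, never from user input.
    """
    base = os.path.basename(filename)  # drop any directory part the client sent
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        return None, "name must be <name>.<ext> with exactly one extension"
    ext = parts[1].lower()
    if ext not in ALLOWED_TYPES:
        return None, f"extension .{ext} is not allowed"
    if not content.startswith(ALLOWED_TYPES[ext]):
        return None, f"content does not look like a .{ext} file"
    digest = hashlib.sha256(content).hexdigest()[:32]
    return f"{digest}.{ext}", "ok"


# Constructed samples: a PNG header stub and plain text that is not an image.
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
NOT_AN_IMAGE = b"just text pretending to be an image"

if __name__ == "__main__":
    cases = [
        ("cat.png", REAL_PNG),
        ("xyz.php.png", NOT_AN_IMAGE),
        ("xyz.php.png", REAL_PNG),
        ("../cat.png", REAL_PNG),
    ]
    for name, data in cases:
        print(f"{name:14} weak={weak_check(name)!s:5} hardened={hardened_check(name, data)}")
```

Even with this validator in place, the upload directory should be served without script execution; the filename rule and the content rule are defence in depth, not a substitute for that.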


Privilege Escalation

Looking around the files and directories, I found:

Hence,

Get into the /home/admin directory and look around.

Decoded the .txt and got: LetThereBeFristi!

/var/fristigod/.secret_admin_stuff/doCom can run high-privilege tasks.

Let's try: sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash
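The escalation above rests on a sudo rule that points at a wrapper binary in a hidden, user-owned directory. As an added example from the auditing side (not from the original post), here is a small Python checker that walks sudoers-style rules and flags the patterns behind that step: NOPASSWD tags, commands outside the system binary directories, hidden path components, shells, and ALL. The sudoers text is constructed; the doCom rule is modelled on the path the walkthrough used, and the real rule on the VM is not shown on the page. The parser covers the plain `user host=(runas) TAG: cmd` form only, not aliases or wildcards.

```python
from __future__ import annotations

import re

# Directories where distribution-managed binaries normally live.
SYSTEM_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                   "/usr/local/bin/", "/usr/local/sbin/")
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}

# user host=(runas) [TAG: ...] command[, command ...]
RULE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?((?:[A-Z]+:\s*)*)(.+)$")


def audit_sudoers_line(line: str) -> list[str]:
    """Return findings for one rule; an empty list means nothing notable."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith("Defaults"):
        return []
    m = RULE.match(line)
    if not m:
        return ["unparsed rule"]
    _user, _host, _runas, tags, commands = m.groups()
    findings = []
    if "NOPASSWD:" in tags:
        findings.append("NOPASSWD: no password needed to run as the target user")
    for cmd in (c.strip() for c in commands.split(",")):
        path = cmd.split()[0] if cmd else ""
        if path == "ALL":
            findings.append("ALL: any command allowed")
            continue
        if path.rsplit("/", 1)[-1] in SHELLS:
            findings.append(f"{path}: grants an interactive shell")
        if not path.startswith(SYSTEM_BIN_DIRS):
            findings.append(f"{path}: outside system binary directories")
        if any(part.startswith(".") for part in path.split("/") if part):
            findings.append(f"{path}: lives in a hidden directory")
    return findings


def audit_sudoers(text: str) -> dict[str, list[str]]:
    """Map each rule that produced findings to its list of findings."""
    report = {}
    for line in text.splitlines():
        findings = audit_sudoers_line(line)
        if findings:
            report[line.strip()] = findings
    return report


# Constructed sample sudoers; the last rule is modelled on the walkthrough's path.
SAMPLE_SUDOERS = """\
Defaults env_reset
admin ALL=(ALL) /usr/bin/systemctl restart httpd
ops   ALL=(root) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get upgrade
dev   ALL=(ALL) /bin/bash
fristigod ALL=(fristi) NOPASSWD: /var/fristigod/.secret_admin_stuff/doCom
"""

if __name__ == "__main__":
    for rule, findings in audit_sudoers(SAMPLE_SUDOERS).items():
        print(rule)
        for f in findings:
            print("   -", f)
```

A wrapper that is allowed to take arbitrary arguments is a shell by another name, so a rule like the last one should be reviewed even when the binary itself looks harmless.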

