FRISTILEAKS: 1.3 Walkthrough
VMware users will need to manually edit the VM's MAC address to: 08:00:27:A5:A6:76
A small VM made for a Dutch informal hacker meetup called Fristileaks. Meant to be broken in a few hours without requiring debuggers, reverse engineering, etc.
Enumeration
"Supreme excellence consists of breaking the enemy's resistance without fighting."
- Sun Tzu, The Art of War
Brooding:
The possible way to get in is through the web server (80). Might be LFI/RFI, SQLi, and then RCE.
More Enumeration...
- Port 80
- Manual Enum + Robots.txt + source code
Found Nothing on those pages.
- Nikto Scan
- GoBuster
└─$ gobuster dir -f -x php,html,txt -t 100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.103.146 -n -q -e
http://192.168.103.146/index.html
http://192.168.103.146/icons/
http://192.168.103.146/images/
http://192.168.103.146/cgi-bin/
http://192.168.103.146/robots.txt
http://192.168.103.146/error/
http://192.168.103.146/beer/
Brooding:
Currently, I am out of options. I could not find any dir/file with information. I need to find a directory or file of interest, but Gobuster did not give anything. A possible option is to find a really big wordlist of every word. However, that is not feasible. Hence, I will be using cewl to generate a wordlist.
After a long struggle, I found it by looking for hints.
http://192.168.103.146/fristi/
Found a username and base64-encoded data in the source code of the page. Decoding the base64 gave a PNG with some words. Let's use those to log in.
eezeepz:kekkekkekkekkEkkEk
Upload a PHP reverse shell by naming it xyz.php.png. It will be uploaded to the /uploads folder.
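A defender's view of the upload flaw above, as an added example that is not part of the original walkthrough or the VM's own code. It assumes the filter inspected only the final extension while the server treated .php anywhere in the name as a script (Apache's mod_mime can behave this way), and contrasts that with a check that rejects script extensions, verifies magic bytes and stores the file under a server-chosen name. The function names and extension lists are assumptions.

```python
import os
import secrets

# Image types accepted, with the magic bytes each file must start with.
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "gif": b"GIF8"}
# Extensions a server may hand to a script handler (assumed list for this example).
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar", "cgi", "pl", "py"}


def weak_check(filename):
    """Assumed flawed filter: looks only at the text after the last dot."""
    return filename.rsplit(".", 1)[-1].lower() in MAGIC


def accept_upload(filename, content):
    """Return a server-chosen storage name, or None if the upload is rejected."""
    base = os.path.basename(filename.replace("\\", "/")).lower()
    stem, *exts = base.split(".")
    if not stem or not exts or exts[-1] not in MAGIC:
        return None  # hidden file, no extension, or not an allowed image type
    if any(ext in SCRIPT_EXTS for ext in exts):
        return None  # e.g. xyz.php.png: a script extension anywhere in the name
    if not content.startswith(MAGIC[exts[-1]]):
        return None  # extension says image, bytes say otherwise
    # Never reuse the client's name: random stem, single known-good extension.
    return secrets.token_hex(16) + "." + exts[-1]


if __name__ == "__main__":
    # Constructed sample uploads: (client filename, first bytes of the body).
    samples = [
        ("xyz.php.png", b"<?php /* constructed placeholder */ ?>"),
        ("xyz.php.png", MAGIC["png"] + b"constructed"),
        ("logo.png", MAGIC["png"] + b"constructed"),
    ]
    for name, body in samples:
        print(name, "weak:", weak_check(name), "strict:", accept_upload(name, body))
```

Serving the uploads directory with script handlers disabled closes the same hole at the server layer, independent of the application check.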
Privilege Escalation
Looking around the files/dirs, I got:
Hence,
Get into the /home/admin dir, and look around
Decoded the .txt and got: LetThereBeFristi!
/var/fristigod/.secret_admin_stuff/doCom can do high-privilege tasks.
Let's try: sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash