A small VM made for a Dutch informal hacker meetup called Fristileaks. Meant to be broken in a few hours without requiring debuggers, reverse engineering, etc.
📌 VMware users will need to manually edit the VM's MAC address to: 08:00:27:A5:A6:76
“Supreme excellence consists of breaking the enemy’s resistance without fighting.”
― Sun Tzu, The Art of War
The likely way in is through the web server (port 80). It might be LFI/RFI or SQLi, and then RCE.
- Port 80
- Manual Enum + Robots.txt + source code
Found nothing on those pages.
- Nikto Scan
└─$ gobuster dir -f -x php,html,txt -t 100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.103.146 -n -q -e
Currently, I am out of options. I could not find any dir/file with information. I need to find a directory or file of interest, but Gobuster did not give anything. A possible option is to find a really big wordlist of every word. However, that is not feasible. Hence, I will be using cewl to generate a wordlist.
After a long struggle, I found it by looking for hints. 🔑
Found a username and base64-encoded data in the source code of the page. Decoding the base64 gave a PNG with some words. Let's use those to log in.
Upload a PHP reverse shell by naming it xyz.php.png. It will be uploaded to the /uploads folder.
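The defensive side of the xyz.php.png upload, as an added example that is not code from the VM or from this write-up. It assumes the upload filter only looked at the final extension (the page does not show the filter); `weak_check`, `hardened_check` and the sample bytes are hypothetical names and constructed data.

```python
import os
import secrets

ALLOWED_IMAGE_EXTS = {"png", "jpg", "jpeg", "gif"}

# Leading magic bytes for each allowed image type.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Constructed sample: a PNG signature followed by filler bytes.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def weak_check(filename):
    """Assumed weak filter: only the last extension is inspected."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_IMAGE_EXTS


def hardened_check(filename, content):
    """Return a server-chosen storage name, or None if the upload is rejected."""
    # Drop any client-supplied path component (both separator styles).
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    # Exactly one extension: rejects x.php.png, extensionless names, dotfiles.
    if len(parts) != 2 or not parts[0]:
        return None
    ext = parts[1]
    if ext not in ALLOWED_IMAGE_EXTS:
        return None
    # The content must start with the signature of the declared type.
    if not content.startswith(MAGIC[ext]):
        return None
    # Never reuse the client's name; store under a random one.
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    for name in ("photo.png", "xyz.php.png", "notes.txt"):
        print(name, weak_check(name), hardened_check(name, PNG_SAMPLE))
```

Serving the upload directory with script execution disabled in the web server configuration is the complementary control, since it holds even if a filename check is bypassed.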
Looking around the files/dirs, I got:
Get into the /home/admin dir and look around.
Decoded the .txt and got: LetThereBeFristi!
/var/fristigod/.secret_admin_stuff/doCom can do high-privilege tasks.
Let's try: sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash