FRISTILEAKS: 1.3 Walkthrough

A small VM made for a Dutch informal hacker meetup called Fristileaks. Meant to be broken in a few hours without requiring debuggers, reverse engineering, etc.

📌 VMware users will need to manually edit the VM's MAC address to: 08:00:27:A5:A6:76

Enumeration

"Supreme excellence consists of breaking the enemy's resistance without fighting."
Sun Tzu, The Art of War

Brooding:🤔

The likely way in is through the web server (port 80). It might be LFI/RFI or SQLi, and from there, RCE.

More Enumeration…

  1. Port 80
  • Manual Enum + Robots.txt + source code
(Screenshots: welcome page, page source, and the found 🔑)

Found nothing on those pages.

  • Nikto Scan
Nothing Critical Here.
  • GoBuster

└─$ gobuster dir -f -x php,html,txt -t 100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.103.146 -n -q -e
http://192.168.103.146/index.html
http://192.168.103.146/icons/
http://192.168.103.146/images/
http://192.168.103.146/cgi-bin/
http://192.168.103.146/robots.txt
http://192.168.103.146/error/
http://192.168.103.146/beer/
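From the defender's side, the directory brute force above is noisy: one client producing a burst of 404s, often with a tool name in its User-Agent. The following is an added example, not code from the original post, that parses Apache combined-format access logs and flags such clients. The log lines, the client addresses, the 404 threshold and the scanner User-Agent markers are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Assumption: substrings that commonly appear in the default User-Agent of enumeration tools.
SCANNER_UA_MARKERS = ("gobuster", "nikto", "dirbuster")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_enum_sources(log_text, threshold=8, window=timedelta(seconds=60)):
    """Return {ip: [reasons]} for clients that look like directory brute-forcers:
    more than `threshold` 404 responses inside any sliding `window`, or a known
    scanner User-Agent."""
    not_found = defaultdict(list)   # ip -> timestamps of its 404 responses
    flagged = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if any(marker in rec["ua"].lower() for marker in SCANNER_UA_MARKERS):
            flagged[rec["ip"]].add("scanner user-agent")
        if rec["status"] == 404:
            not_found[rec["ip"]].append(rec["ts"])
    for ip, stamps in not_found.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Shrink the window from the left until it spans at most `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip].add("404 burst")
                break
    return {ip: sorted(reasons) for ip, reasons in flagged.items()}


def constructed_log():
    """Constructed sample log: one ordinary browser client and one scanning client."""
    normal = [
        '192.168.103.10 - - [10/Oct/2023:13:55:01 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
        '192.168.103.10 - - [10/Oct/2023:13:55:30 +0000] "GET /nope.html HTTP/1.1" 404 200 "-" "Mozilla/5.0"',
    ]
    paths = ["admin", "backup", "test", "old", "dev", "tmp", "login", "secret", "db", "config"]
    scan = [
        f'192.168.103.50 - - [10/Oct/2023:13:56:{i:02d} +0000] "GET /{p}.php HTTP/1.1" 404 200 "-" "gobuster/3.1"'
        for i, p in enumerate(paths)
    ]
    return "\n".join(normal + scan)


if __name__ == "__main__":
    for ip, reasons in find_enum_sources(constructed_log()).items():
        print(ip, ", ".join(reasons))
```

The User-Agent check is only a weak secondary signal, since any tool can set an arbitrary one; the 404-burst rate is the signal worth alerting on, and the threshold should be tuned against the site's normal 404 baseline.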

Brooding:

Currently, I am out of options. I could not find any directory or file with useful information. I need to find a directory or file of interest, but Gobuster did not give anything. One possible option is a really big wordlist of every word, but that is not feasible. Hence, I will use cewl to generate a wordlist from the site's own content.

no luck😩

After a long struggle, I found it by looking for hints. 🔑

http://192.168.103.146/fristi/

Found a username and base64-encoded data in the page's source code. Decoding the base64 gave a PNG with some words. Let's use those to log in.

eezeepz:kekkekkekkekkEkkEk

I think we can upload a file and get a reverse shell.

Upload a PHP reverse shell named xyz.php.png. It will be saved to the /uploads folder.
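The double extension works against an upload filter that only checks whether an image extension is present somewhere in the name. The following is an added example, not the VM's upload code, showing that weak check beside a hardened one: every dotted segment must be an allowed image extension, the file content must start with the magic bytes of the claimed type, and the stored name is generated by the server so the client's name never reaches disk. The `weak_is_allowed` filter and the sample PNG header are constructed for illustration.

```python
import os
import secrets

ALLOWED_IMAGE_EXT = {"png", "jpg", "jpeg", "gif"}
# Leading bytes of each allowed format (PNG signature, JPEG SOI marker, GIF header).
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Constructed sample: a valid PNG signature followed by filler bytes.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8


def weak_is_allowed(filename):
    """Illustrative weak filter (an assumption, not the VM's actual code):
    it accepts any name that merely contains an image extension, so a name
    like 'xyz.php.png' passes."""
    return any(ext in filename.lower() for ext in ALLOWED_IMAGE_EXT)


def strict_is_allowed(filename, data):
    """Hardened check. Every segment after the base name must be an allowed
    image extension (rejecting 'x.php.png' and 'x.png.php' alike), and the
    bytes must start with the magic for the final extension."""
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    exts = parts[1:]
    if any(ext not in ALLOWED_IMAGE_EXT for ext in exts):
        return False
    return data.startswith(MAGIC[exts[-1]])


def stored_name(filename, data):
    """Return a server-chosen file name (random token plus the validated
    extension), or None if the upload is rejected. Discarding the client's
    name removes any double-extension trick from the stored path."""
    if not strict_is_allowed(filename, data):
        return None
    ext = os.path.basename(filename).lower().rsplit(".", 1)[1]
    return f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    for name in ("cat.png", "xyz.php.png", "shell.png.php"):
        print(name, "weak:", weak_is_allowed(name),
              "strict:", strict_is_allowed(name, PNG_SAMPLE))
```

Even with this check in place, the upload directory should not be served with script execution enabled; validation of the name and content is the first layer, and a non-executable upload location is the second.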

Privilege Escalation

Looking around the files/dirs, I got: (screenshot)

Hence, get into the /home/admin dir and look around.

Decoded the .txt and got: LetThereBeFristi!

/var/fristigod/.secret_admin_stuff/doCom can do high priv. tasks.

Let's try: sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash
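The sudo step works because a rule lets a user run a binary that lives in a home-style directory rather than a system path, and that binary can do privileged tasks. An administrator can catch rules like this before an attacker does by auditing sudoers for commands outside the standard system directories, `NOPASSWD` tags, and blanket `ALL` grants. The following is an added example, not the VM's configuration or any project's code; the sample sudoers text is constructed (the rule for `fristigod` reuses the doCom path from this writeup, the other users are invented), and the list of trusted directories is an assumption.

```python
import re

# Assumption: directories whose contents are package-managed and root-owned.
TRUSTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                "/usr/local/bin/", "/usr/local/sbin/")
TAGS = ("NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV")
# user host = (runas) [TAG:] cmd[, cmd...]
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")

# Constructed sample, not the VM's real sudoers file.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
root      ALL=(ALL) ALL
fristigod ALL=(fristi) /var/fristigod/.secret_admin_stuff/doCom
alice     ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
bob       ALL=(root) /usr/bin/apt-get update, /usr/bin/apt-get upgrade
"""


def parse_rule(line):
    """Parse one user specification into user, runas, tags and command list."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    tags = []
    # Peel off leading TAG: prefixes such as NOPASSWD:.
    while True:
        head, sep, tail = rest.partition(":")
        if sep and head.strip().upper() in TAGS:
            tags.append(head.strip().upper())
            rest = tail.strip()
        else:
            break
    cmds = [c.strip() for c in rest.split(",") if c.strip()]
    return {
        "user": m.group("user"),
        "runas": (m.group("runas") or "root").strip(),
        "tags": tags,
        "cmds": cmds,
    }


def audit_sudoers(text):
    """Return (user, command, reason) findings. Reasons: 'ALL commands',
    'NOPASSWD', and 'untrusted path' for binaries outside TRUSTED_DIRS."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        rule = parse_rule(line)
        if rule is None:
            continue
        for cmd in rule["cmds"]:
            prog = cmd.split()[0]
            if prog == "ALL":
                findings.append((rule["user"], cmd, "ALL commands"))
                continue
            if "NOPASSWD" in rule["tags"]:
                findings.append((rule["user"], cmd, "NOPASSWD"))
            if not prog.startswith(TRUSTED_DIRS):
                findings.append((rule["user"], cmd, "untrusted path"))
    return findings


if __name__ == "__main__":
    for user, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user:10} {reason:15} {cmd}")
```

A finding of "untrusted path" is not a vulnerability by itself, but it is where to look: a sudo target outside the system directories needs its ownership, permissions and behaviour reviewed, since a wrapper that runs whatever argument it is given is equivalent to granting a shell as the runas user.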


What could be more fun than breaking stuff!!!