FRISTILEAKS: 1.3 Walkthrough

A small VM made for a Dutch informal hacker meetup called Fristileaks. Meant to be broken in a few hours without requiring debuggers, reverse engineering, etc..

📌 VMware users will need to manually edit the VM's MAC address to: 08:00:27:A5:A6:76


Supreme excellence consists of breaking the enemy’s resistance without fighting.”
Sun Tzu, The Art of War


The possible way to get in through the web server (80). Might be LFI/RFI, SQLi, and then, RCE.

More Enumeration…

  1. Port 80
  • Manual Enum + Robots.txt + source code
Welcome Page
Source Code
Found a 🔑

Found Nothing on those pages.

  • Nikto Scan
Nothing Critical Here.
  • GoBuster

└─$ gobuster dir -f -x php,html,txt -t 100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u -n -q -e


Currently, i am out of options. I could not find any dir/file with information. I need to find a directory or file of interest but the Gobuster did not give anything. Possible option is to find a really big wordlist of every words. However, that is not feasible. Hence, I will be using cewl to generate wordlist.

no luck😩

After long struggle, i found by looking for hints. 🔑

Found a username and base64 encoded data on the Source code of the Page. When decoded the base64, got a png with some words. Lets use those to login.


I think we can upload and get Reverse shell.

Upload a php reverse shell by naming it xyz.php.png. It will be uploaded to /uploads folder.

Privilege Escaltion

Looking around the files/dirs, i got:


Get into the /home/admin dir, and look around

Decoded the .txt and got: LetThereBeFristi!

/var/fristigod/.secret_admin_stuff/doCom can do high priv. tasks.

Lets try : sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash

Photo by bruce mars on Unsplash

What could be more fun than breaking stuffs!!!