
VulnHub – FristiLeaks 1.3 Walkthrough

Introduction

This was an intermediate box that involved decoding a base64-encoded password to access a file upload page, through which a PHP reverse shell can be uploaded to gain initial access. From there, a password has to be deciphered using ROT13 in order to obtain root access to the machine.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate application versions
  • -Pn to skip the host discovery phase, as some hosts will not respond to ping requests
  • -oA to save the output in all formats available

From this initial scan I was only able to find port 80, so I decided to run another scan, using the following flags:

  • -p- to scan all ports
  • -O to enumerate the operating system
  • -A to run all scripts and scan options (it stands for aggressive scan)
  • -sV to enumerate application versions
  • -oA to save the output in all formats available

Unfortunately this did not find any new ports, so the next step is to start enumerating port 80.

Enumerating port 80

Having a look at the website hosted on port 80, this is what comes up:

After inspecting the source code of this page, nothing really stands out.

When inspecting the robots.txt file, which is used to tell search engine crawlers which pages or files they can request from a site, three entries can be seen.

After inspecting all three pages, all that was there was this image:

Since these entries are all names of drinks, and the site previously mentioned fristi, I tried navigating to the /fristi page, which displayed a login screen.

When inspecting the source code of this page, there is a comment from a developer which mentions some junk in the page.

After scrolling to the end of the page, a base64-encoded string can be found:

Since the site is using base64 to encode images, after replacing the image used in the login page with the base64-encoded comment, a different image appears.

The source code for this page mentioned the name of the developer who built it, so when trying to log in with “eezeepz” and the base64-encoded string found in the comment, the site grants us access.

File Upload Exploitation

When clicking on the “upload file” hyperlink, it leads to a file upload page. This could be used to upload a PHP reverse shell and obtain remote access.

Copying a PHP reverse shell to the working directory and updating the IP address and port based on the local machine.

Uploading the PHP reverse shell file through the file upload page.

It looks like the site has some sort of protection against certain file extensions or file types.

As an initial test, changing the file extension by appending .jpg might work.

It appears that this was enough to bypass the restriction.

The next step is to set up a Netcat listener, which will catch our reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

Navigating to the uploaded PHP reverse shell, at /fristi/uploads/reverse-shell.php.jpg, will execute the code and connect back to our listener.

The victim machine connected to the reverse shell, granting remote access.

The following steps can be done to obtain an interactive shell:

  • Running python -c 'import pty; pty.spawn("/bin/sh")' on the victim host
  • Hitting CTRL+Z to background the process and go back to our host
  • Running stty raw -echo on our host
  • Typing fg and hitting ENTER to go back to our reverse shell

Privilege Escalation

After navigating to /var/www/html, which is the root directory for the web server, what appears to be a MySQL password can be found in checklogin.php, which is used to authenticate users to the site. Unfortunately after examining the database nothing useful was found.

In the home directory of the “eezeepz” user, notes.txt can be found.

The file mentions that the current user has access to run certain binaries from the /home/admin directory through a cron job.

To access the /home/admin directory, a file called “runthis”, containing the commands to be executed, can be created in the /tmp directory.

When navigating to /home/admin, a base64-encoded string can be found:

There is also a Python script used to encrypt passwords using ROT13:

A new Python script can be written to perform the same steps in reverse:

This can be tested against any base64-encoded string:

After running the script against the encoded string, the password for the fristigod user will be revealed:
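To make the decoding step concrete, the following is an added example of the kind of reverse script described above; it is not the script from the machine or the one the author wrote. It assumes the obfuscation pipeline is base64 followed by ROT13 (the script found on the box fixes the real order of steps, so adjust if it differs), and it illustrates why ROT13 and base64 are reversible encodings rather than encryption: anyone holding the output can recover the input.

```python
import base64
import codecs

# Added example, not the box's script. Assumed pipeline: the stored value is
# ROT13 applied to the base64 text of the plaintext. Adjust the order of the
# two steps if the script on the machine does them differently.

BASE64_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
)


def obfuscate(plaintext: str) -> str:
    """Mimic the box's 'encryption': base64-encode, then ROT13 the result."""
    b64 = base64.b64encode(plaintext.encode()).decode("ascii")
    return codecs.encode(b64, "rot13")


def deobfuscate(token: str) -> str:
    """Undo obfuscate(). ROT13 is its own inverse, so applying it again
    restores the base64 text; digits, '+', '/' and '=' are untouched by
    ROT13, which is why the intermediate value is still valid base64."""
    b64 = codecs.encode(token, "rot13")
    return base64.b64decode(b64, validate=True).decode()


def looks_like_rot13_base64(token: str) -> bool:
    """Sanity check before decoding: a ROT13'd base64 string still consists
    only of base64 characters and has a length that is a multiple of 4."""
    return len(token) % 4 == 0 and len(token) > 0 and set(token) <= BASE64_ALPHABET


if __name__ == "__main__":
    # Constructed sample value, not the password from the machine.
    sample = obfuscate("secret")
    print(sample)               # p2IwpzI0
    if looks_like_rot13_base64(sample):
        print(deobfuscate(sample))  # secret
```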

The su command can then be used to switch to the fristigod user.

After inspecting the files in fristigod’s home directory, something in the bash history stands out. It looks like we can execute commands as root when running the “/var/fristigod/.secret_admin_stuff/doCom” binary.

This can simply be used to run /bin/sh and therefore obtain a root shell.

Conclusion

I found this machine very interesting. Even though the initial foothold phase was quite trivial, the privilege escalation was multilayered and involved encryption, which is something you don’t see very often.