Started the box with a netdiscover, we have an IP of 192.168.0.139
Then an nmap scan: nmap -sV -Pn -vv -T4 -A -p- scan_ip --script=auth,brute,discovery,exploit,vuln -oN $ip/$ip_.nmap.scan
Nmap only found one open TCP port, 80, with a default dir
I browsed to the webpage, but didn’t find anything of interest
Then checked the robots.txt
I browsed to these sites, but they only revealed:
I used nikto and dirbuster to find out further details, but again, not much of interest.
I tried a couple of different URLs ad hoc, and eventually landed on fristi!
After checking the source, I found some interesting info. Comments in the source are authored by an “eezeepz,” and there’s some base64 encoded text. At the bottom of the page, I found a base64 encoded comment.
After running it through base64 decode, I noticed that it was a PNG file, so I ran it again and output it to a .png
I opened the file to find:
Maybe this is a pw?? I dunno, but we have a potential user, and some encoded text… let’s give it a try at the login page
I tried to upload a reverse php shell, but it didn’t take the .php extension
So I intercepted the request in burp, and changed the extension and content-type
Our file was uploaded successfully!
Let's check out the uploads dir…
Hmm… let's just try to execute the file without being able to browse to it. Opened a netcat listener and…
We got a shell!
I looked around the box and found a couple of users' home dirs. Looks like we can read and execute from eezeepz's dir, so let's check it out
After listing the files, I found an interesting note.txt in the list
Sounds like if we put commands in the runthis file, we’ll get user admin to execute them for us 🙂
I didn't have a pw for apache, so I couldn't add our user to sudoers; instead I gave myself access to other system folders. I tried shadow with no luck, then attempted to view the admin user's home dir
I issued the following command to create the runthis file, and give me access to admin’s home dir
echo $(echo '/home/admin/chmod 755 /home/admin') >> runthis
I waited a minute, then checked the dir. It had some interesting files named cryptedpass.txt and cryptpass.py
cryptpass.py tells us how cryptedpass.txt was generated: PW -> base64 -> reversed -> rot13, so let's do the process in reverse
I used rot13 on mVGZ3O3omkJLmy2pcuTq to reveal: zITM3B3bzxWYzl2cphGd
Then reverse the text and base64-decode it to reveal a pw
I su’d to admin successfully, but the user still didn’t have admin rights
I remembered there was another crypted pass file called "whoisyourgodnow." We also have a user called fristigod, so I put 2 and 2 together…
Let's perform the same rot13/reverse/base64 process on this string:
=RFn0AKnlMHMPIzpyuTI0ITG to ROT13: =ESa0NXayZUZCVmclhGV0VGT
Reverse and base64-decode:
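The cryptedpass.txt and whoisyourgodnow decodes above, worked through in Python. This is an added example written for this walkthrough, not the box's cryptpass.py; it re-implements the scheme the note describes (base64 -> reverse -> rot13) and its inverse, and returns each intermediate so the values can be checked against the ones shown above.

```python
import base64
import codecs

# Ciphertexts as found on the box (taken from the walkthrough above)
CRYPTEDPASS = "mVGZ3O3omkJLmy2pcuTq"          # contents of cryptedpass.txt
WHOISYOURGODNOW = "=RFn0AKnlMHMPIzpyuTI0ITG"  # contents of whoisyourgodnow


def encode_cryptpass(password: str) -> str:
    """Forward scheme described by cryptpass.py: base64 -> reverse -> rot13.

    Every step is a reversible encoding, not a hash, so anything stored this way
    is recoverable by anyone who can read the file (the point of this section).
    """
    b64 = base64.b64encode(password.encode()).decode()
    return codecs.encode(b64[::-1], "rot_13")


def decode_cryptpass(token: str) -> dict:
    """Undo the three steps in reverse order: rot13 -> reverse -> base64-decode.

    Returns the intermediates too, so they can be compared with the values
    shown in the walkthrough (rot13 output, reversed string, plaintext).
    """
    unrotated = codecs.decode(token, "rot_13")   # rot13 is its own inverse
    reversed_b64 = unrotated[::-1]
    plaintext = base64.b64decode(reversed_b64).decode()
    return {"rot13": unrotated, "reversed": reversed_b64, "plaintext": plaintext}


if __name__ == "__main__":
    for name, token in (("cryptedpass.txt", CRYPTEDPASS),
                        ("whoisyourgodnow", WHOISYOURGODNOW)):
        steps = decode_cryptpass(token)
        print(f"{name}: rot13={steps['rot13']} reversed={steps['reversed']} "
              f"plaintext={steps['plaintext']}")
        # round-trip check: re-encoding the plaintext gives back the file contents
        assert encode_cryptpass(steps["plaintext"]) == token
```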
We got another password! Let’s su to the fristigod user
We got a different error this time after trying to use sudo. This user must be in the file, but has certain restrictions.
After checking out the users home dir, I found an interesting folder, .secret_admin_stuff. I browsed to the folder and found an executable file, “doCom.”
I also thought to check the users bash history for hints… Looks like we might have some 🙂
After some messing around, I found that the executable doesn’t like my user. So it makes sense why the “-u fristi” is issued in their previous commands. Let’s try an ls / command to see if it works for us
The command works, but what else can we do? Let's change the permissions on the root dir and view its contents
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom chmod 777 /root/
I'm then able to browse to /root and view the flag!
I could then use doCom to create a new user and give that user sudo access. Then I could escalate to the root 🙂