
VMW- FristiLeaks: 1.3. base64 encode/decode, search webapp



  1. https://www.scattiscattanti.com/walkthroughs/fristi/ ... using Metasploit
  2. https://reversebrain.wordpress.com/2016/11/24/vulnhub-fristileaks-1-3/ ... shows how to decode the base64 string using cat and how to check whether the decoded data is a picture or text, but it didn't work


  1. Scan showed port 80 with Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3).
  2. Looking through the website with nikto or dirb didn't show much, except a few directories listed in robots.txt which contained nothing but a picture.
    1. So I created a custom dictionary to use with dirb, to find any web app that can't be seen.
    2. Use cewl www.drchaos.com -w drchaospasswords.txt to create a custom dictionary from the website text. Since there were pictures, add the words/text from the pictures to the list and then run dirb http://1.2.3.4 drchaospasswords.txt again. This time it found a directory called /fristi.
  3. Checking the comments in the page source gets you the username, while base64 decoding the encoded string gives you the password. This could be done using the echo command, but it didn't work at this time.
  4. Username: eezeepz & Password: keKkeKKeKKeKkEkkEk
  5. You now have the ability to upload a picture file (let's try to add 112.php.gif), which is a PHP reverse shell file.
  6. Modify the PHP reverse shell file to change the IP and port to your attacking machine.
  7. Start nc -nlvp 1234, then browse to http://ip/fristi/uploads/112.php.gif, which gives you reverse shell access. We can only upload gif-like files; the PHP file type is not allowed to be uploaded.
  8. Got access to a shell now. Look around and read notes.txt. The batch file runs as a cron job, so add
echo "/usr/bin/../../bin/chmod -R 777 /home/admin" > /tmp/runthis
or
echo "/home/chmod -R 777 /home/admin" > /tmp/runthis
to get access to /home/admin. In it we have an encoded password. Run a Python script to decode the password. I didn't use cryptedpass.txt, although it can be decoded.
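The username and password in this VM come from HTML comments, one in clear text and one base64-encoded, and the second walkthrough listed above spends effort deciding whether a decoded blob is a picture or text. The script below is an added example (not part of this write-up or the VM) that audits a page's source for that kind of leak: it pulls every base64-looking token out of the comments, decodes it, and classifies the result by magic bytes. The sample HTML is constructed here; only the username and password are taken from the notes above.

```python
import base64
import binascii
import re

# Magic bytes for the image types the classifier recognises.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
}

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# A candidate token: 16+ base64-alphabet characters plus optional padding, not
# glued to other base64 characters (so words inside longer strings are skipped).
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])([A-Za-z0-9+/]{16,}={0,2})(?![A-Za-z0-9+/=])")


def classify(data: bytes) -> str:
    """Say whether decoded bytes are an image, printable text, or other binary."""
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return f"image/{name}"
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    return "text" if text.isprintable() else "binary"


def find_encoded_secrets(html: str) -> list:
    """Decode every base64 token found inside an HTML comment and classify it."""
    findings = []
    for comment in COMMENT_RE.findall(html):
        for token in B64_RE.findall(comment):
            try:
                raw = base64.b64decode(token, validate=True)
            except (binascii.Error, ValueError):
                continue  # a long identifier or hash, not base64
            kind = classify(raw)
            decoded = raw.decode("utf-8") if kind == "text" else raw[:8].hex()
            findings.append({"token": token, "kind": kind, "decoded": decoded})
    return findings


# Constructed sample page source (not the VM's real page): one comment leaks a
# username in clear text, one holds a base64 PNG, one holds the base64 password.
PNG_B64 = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16).decode()
PASSWORD_B64 = base64.b64encode(b"keKkeKKeKKeKkEkkEk").decode()
SAMPLE_HTML = f"""<html><body>
<!-- TODO: remove before go-live, test login is eezeepz -->
<p>Welcome</p>
<!-- {PNG_B64} -->
<!-- {PASSWORD_B64} -->
</body></html>"""

if __name__ == "__main__":
    for finding in find_encoded_secrets(SAMPLE_HTML):
        print(f"{finding['kind']:10} {finding['decoded']}")
```

Run against the sample it reports the PNG blob as `image/png` and the second token as printable text, which is the signal that something a person typed (a password, a token) is sitting in the page source. Pointing it at a real site's rendered HTML before release is the cheap way to catch this class of leak; the clear-text username in the first comment is outside the base64 check and is the reminder that comments should be reviewed as a whole.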
  9. Spawn a tty. su to fristigod, then su - fristigod, which logs you in under /var/fristigod. Looking around in .bash_history, it appears we can use sudo. Use the SUID binary for privilege escalation:
>sudo -u fristi .secret_admin_stuff/doCom /bin/sh
>sh-4.1# id
>id
>uid=0(root) gid=100(users) groups=100(users),502(fristigod)
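The upload step works because the application only checks how the file name ends, so 112.php.gif is accepted as a "gif" and the web server still treats it as PHP. As an added example (not the VM's code or the write-up's), here is that weak check next to a hardened one: a single-extension rule, magic-byte validation against the declared type, a scan for embedded script markers, and a server-chosen storage name so the client's name never reaches disk. Function and constant names are my own.

```python
import os
import secrets

# Allowed extension -> magic bytes the content must start with (any of the tuple).
ALLOWED_IMAGES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def weak_is_allowed(filename: str) -> bool:
    """The kind of check the write-up defeats: it only asks how the name ends,
    so 112.php.gif passes, and a handler that matches .php anywhere in the
    name will still execute it."""
    return filename.lower().endswith((".gif", ".png", ".jpg", ".jpeg"))


def hardened_check(filename: str, content: bytes) -> tuple:
    """Return (ok, detail). On success detail is the server-chosen storage name;
    on failure it is the rejection reason."""
    base = os.path.basename(filename)          # drop any directory components
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:        # rejects a.php.gif and .htaccess alike
        return False, "file name must have exactly one extension"
    ext = parts[1].lower()
    if ext not in ALLOWED_IMAGES:
        return False, f"extension .{ext} is not an allowed image type"
    if not content.startswith(ALLOWED_IMAGES[ext]):
        return False, "content does not start with the declared image's magic bytes"
    if any(marker in content.lower() for marker in SCRIPT_MARKERS):
        return False, "image contains embedded script markers"
    # Never reuse the client's name: store under a random name with the
    # validated extension, in a directory where the server does not run PHP.
    return True, f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    gif = b"GIF89a" + b"\x00" * 10
    print(weak_is_allowed("112.php.gif"))
    print(hardened_check("112.php.gif", gif))
    print(hardened_check("photo.gif", gif))
    print(hardened_check("photo.gif", b"GIF89a<?php echo 1; ?>"))
```

The marker scan is defence in depth, not the main control: an attacker can craft image data that passes a magic-byte check, which is why the random storage name and a no-execution uploads directory (for mod_php, for example `php_admin_flag engine off` in that directory's Apache configuration) matter more than the extension rule. With those two in place, even a polyglot that slips through is served as an image rather than run as code.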

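The cron step above succeeds because a root-scheduled script takes its commands from a file in /tmp that any user can create. The audit below is an added example (not from this write-up or the VM) that flags exactly that condition from a defender's side: it parses a user crontab, follows each job's script one level deep, and reports any referenced path that others can modify, replace, or create. The crontab, script and file modes are constructed for the example; /home/admin is given mode 0777 to mirror the state the chmod -R 777 above leaves behind.

```python
import re
import stat

# Absolute paths inside a command line or script body.
PATH_RE = re.compile(r"(?<![\w./-])(/[\w./-]+)")


def parse_jobs(crontab: str) -> list:
    """Return the command part of each job in a user crontab (crontab -l format)."""
    jobs = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split()[0]
        if "=" in first:                        # environment line such as SHELL=/bin/sh
            continue
        special = first.startswith("@")         # @reboot, @daily, ...
        parts = line.split(None, 1) if special else line.split(None, 5)
        if len(parts) == (2 if special else 6):
            jobs.append(parts[-1])
    return jobs


def writable_by_others(path: str, fs: dict) -> str:
    """Return a reason if an unprivileged user could modify, replace or create
    'path', given fs: {path: (mode, content_or_None)}. None means it looks safe."""
    entry = fs.get(path)
    if entry and entry[0] & stat.S_IWOTH:
        return f"{path} is world-writable"
    parts = path.rstrip("/").split("/")
    for i in range(len(parts) - 1, 0, -1):      # walk up through the parents
        parent = "/".join(parts[:i]) or "/"
        pentry = fs.get(parent)
        if not pentry or not pentry[0] & stat.S_IWOTH:
            continue
        if entry is None:
            return f"{path} does not exist and {parent} is world-writable, so anyone can create it"
        if not pentry[0] & stat.S_ISVTX:        # sticky bit stops others replacing the file
            return f"{parent} is world-writable without the sticky bit, so anyone can replace {path}"
    return None


def audit_crontab(crontab: str, fs: dict) -> list:
    """Flag jobs whose command, or whose script's referenced paths, others can control."""
    findings = []
    for cmd in parse_jobs(crontab):
        for path in dict.fromkeys(PATH_RE.findall(cmd)):
            reason = writable_by_others(path, fs)
            if reason:
                findings.append((cmd, reason))
            entry = fs.get(path)
            if entry and entry[1]:              # follow one level into a script we can read
                for ref in dict.fromkeys(PATH_RE.findall(entry[1])):
                    reason = writable_by_others(ref, fs)
                    if reason:
                        findings.append((cmd, f"via {path}: {reason}"))
    return findings


# Constructed sample (not the VM's real files): a root crontab, the helper script
# it runs, and the modes of the paths involved.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
*/2 * * * * /home/admin/cronjob.sh
0 3 * * * /usr/local/bin/backup.sh
"""
SAMPLE_FS = {
    "/": (0o755, None),
    "/bin": (0o755, None),
    "/bin/sh": (0o755, None),
    "/tmp": (0o1777, None),
    "/home": (0o755, None),
    "/home/admin": (0o777, None),
    "/home/admin/cronjob.sh": (0o777, "#!/bin/sh\n[ -f /tmp/runthis ] && sh /tmp/runthis\n"),
    "/usr": (0o755, None),
    "/usr/local": (0o755, None),
    "/usr/local/bin": (0o755, None),
    "/usr/local/bin/backup.sh": (0o755, "#!/bin/sh\ntar czf /var/backups/home.tgz /home\n"),
}

if __name__ == "__main__":
    for cmd, reason in audit_crontab(SAMPLE_CRONTAB, SAMPLE_FS):
        print(f"{cmd}: {reason}")
```

On the sample it raises two findings for the first job (the script itself is world-writable, and /tmp/runthis can be created by anyone) and none for the backup job. On a live host the fs dictionary would be filled from os.stat and the script bodies from disk; the two conditions to keep root's cron jobs clean are that every script and its parent directories are writable only by root, and that a privileged script never sources or executes anything from a world-writable location.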