I start by looking for the target machine
nmap -sn 10.10.10.1-255
Once I find it I proceed with a full scan:
It looks like there's only port 80 to play with, so let's check what the index page looks like:
Nothing special.
After reviewing the source there are no hints to be found, so I run dirb, dirsearch.py and nikto and the only interesting thing that comes up is a robots.txt (which already nmap had found)
I check the directories in the robots file (beer, cola and sisi) and they all look like trolls :(
After some time and a lot of thinking I try custom named directories until I hit /fristi and get a login page:
So let's see if something interesting is in the source...yep, I get the first hint, a possible username:
..and the second one, a possible password hidden in another image based64ed and commented out... After editing the source file I can see hint 2 in plain view:
Let's try to login:
It works :D and I get redirected to an upload page.... It seems the author wants us so upload a file, how about a shell?
I first start a fancy exiftool comment based php shell which doesn't work...
So I try a fancier gifsicle based shell, but I hit another wall..
... in the end a simple double extension does the trick...
I could write a simple fake prompt script, but the simplest way to work more comfortably is to just upload a reverse meterpreter with a .gif extension and use our simple-backdoor to rename it...
I start a listener...
and trigger the shell...
Boom! I am in! The shell is ran with Apache privileges.
Ok, I get a proper bash and check the various .php files finding the creds to the database....In it just the username and password I exploited to login in the first place :(
Time to move forward...
Checking the users on the machine reveals admin, eezeepz and fristigod... I check the home directories and the only readable one is eezeepz's.. In it I find notes.txt and after catting it I see my next move seems to be already set...
So let's get access to admin's home:
Within it there are couple of encrypted words (possible passwords) in text files; I also find a python script that, as the name suggests, was probably used to encrypt the passwords
It is then just a matter of reversing the process to get the plain text:
I can now su to fristigod with one of the found passwords and check what is now possible to do. So it looks like fristigod can sudo a file called doCom (do command? :P) under /var/fristigod and by checking .bash_history it seems like my suspect is correct...
taking advantage of that I get root and grab the flag!!!
Overall it was a simple yet very fun challenge, so thanks to
Ar0xA and
VulnHub.com!
Happy rooting by
Shell0ck :)
