

I start by looking for the target machine with nmap -sn. Once I find it, I proceed with a full scan:

It looks like there's only port 80 to play with, so let's check what the index page looks like:

Nothing special.
After reviewing the source there are no hints to be found, so I run dirb, dirsearch.py and nikto, and the only interesting thing that comes up is a robots.txt (which nmap had already found).
I check the directories in the robots file (beer, cola and sisi) and they all look like trolls :(
After some time and a lot of thinking I try custom-named directories until I hit /fristi and get a login page:

So let's see if something interesting is in the source... yep, I get the first hint, a possible username:

...and the second one, a possible password hidden in another image, base64ed and commented out... After editing the source file I can see hint 2 in plain view:

Let's try to login:

It works :D and I get redirected to an upload page... It seems the author wants us to upload a file, how about a shell?
I first start with a fancy exiftool comment-based PHP shell, which doesn't work...

So I try a fancier gifsicle-based shell, but I hit another wall...

... in the end a simple double extension does the trick...

I could write a simple fake prompt script, but the simplest way to work more comfortably is to just upload a reverse meterpreter with a .gif extension and use our simple-backdoor to rename it...
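Added example, not part of the original post: a Python upload check that would have blocked all three tricks tried above (a payload in an EXIF or GIF comment, and the double extension), assuming a typical Apache/PHP setup where any .php-style component in the file name is dangerous.

```python
import re
from typing import Tuple

# Extensions the web server would hand to an interpreter (assumption: a
# typical PHP-on-Apache setup, where Apache may honour *any* of the
# dotted components of a name, so shell.php.gif is still executable).
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar"}

# Extensions the upload form is meant to accept, with their magic bytes.
IMAGE_MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# A PHP open tag anywhere in the body: a valid image can still carry one
# inside an EXIF or GIF comment block, which is what the exiftool and
# gifsicle attempts above relied on.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def classify_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for an uploaded file.

    A naive "does the name end in .gif" check is what the walkthrough bypassed;
    this looks at every extension component, the magic bytes, and the body.
    """
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2 or parts[0] == "":
        # No extension at all, or a dotfile such as .htaccess.
        return False, "no extension"
    exts = parts[1:]
    if EXECUTABLE_EXTS & set(exts):
        # Catches shell.php, shell.php.gif and shell.gif.php alike.
        return False, "executable extension in name"
    ext = exts[-1]
    if ext not in IMAGE_MAGIC:
        return False, "extension .%s not allowed" % ext
    if not any(content.startswith(m) for m in IMAGE_MAGIC[ext]):
        return False, "magic bytes do not match extension"
    if PHP_TAG.search(content):
        return False, "PHP tag embedded in image data"
    return True, "ok"
```

Store accepted files under a server-generated name in a directory with script execution disabled; the name check alone is not a complete defence.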
I start a listener...

and trigger the shell...

Boom! I am in! The shell is run with Apache privileges.
OK, I get a proper bash and check the various .php files, finding the creds to the database... In it there is just the username and password I exploited to log in in the first place :( Time to move forward...

Checking the users on the machine reveals admin, eezeepz and fristigod... I check the home directories and the only readable one is eezeepz's... In it I find notes.txt and after catting it I see my next move seems to be already set...

So let's get access to admin's home:

Within it there are a couple of encrypted words (possible passwords) in text files; I also find a python script that, as the name suggests, was probably used to encrypt the passwords.

It is then just a matter of reversing the process to get the plain text:

I can now su to fristigod with one of the found passwords and check what is now possible to do. So it looks like fristigod can sudo a file called doCom (do command? :P) under /var/fristigod, and by checking .bash_history it seems like my suspicion is correct...

Taking advantage of that, I get root and grab the flag!!!

Overall it was a simple yet very fun challenge, so thanks to Ar0xA and VulnHub.com!

Happy rooting by Shell0ck :)