Hello, in this article I will show you step by step how to solve Fristileaks 1.3. The goal of this CTF is to become root and read the flag. Click to get more information about the CTF.
LEVEL : Medium - Hard
Steps
- Finding the target's IP address with the Netdiscover tool
- Detecting open ports with the Nmap tool
- Collecting information on port 80 with the Dirb and Nikto tools
- Getting reverse shell access via file upload
- Performing privilege escalation via a cron job
- Writing a Python script to decode the encoded strings
Starting from the IP address of the Kali machine, the IP address of the target was determined by scanning the local subnet with the following command.
netdiscover -r 192.168.1.0/24
Open ports on the target machine were detected as follows (all 65535 TCP ports, no host discovery, no DNS resolution, with service and OS detection).
nmap -A -Pn -n --reason -p- 192.168.1.8
Directory fuzzing was performed with dirb against the open port 80. Afterwards, robots.txt was visited among the paths found.
dirb http://192.168.1.8/
The paths listed in robots.txt were visited, but nothing useful was found there. In this step, nikto was used to collect more information.
nikto -h 192.168.1.8
Neither Nikto nor Dirb produced anything remarkable. The web application was then checked for paths derived from the machine name "Fristileaks", and a path named "/fristi" was found.
When the page source of "/fristi" was inspected in the browser, a Base64 string was found inside an HTML comment.
After extracting this string from the comment and decoding it to a file, the data turned out to be an image (its type was confirmed with the file utility). The content of the image is shown below. The command used, with the Base64 string as a placeholder:
echo <base64-data> | base64 -d > asd.png
While the checks on "/fristi" continued, the word "eezeepz" was found in another comment in the page source. The values obtained so far were tried in several combinations on the login panel, and the login succeeded with the following credentials.
After logging in, the application redirects to a page that allows file upload.
Since the target application runs PHP, a PHP file that opens a reverse shell was prepared with the following content.
The upload was attempted and the application returned an error: before completing the upload it checks the extension of the received file and only accepts ".png, .jpg, .gif".
Renaming the file to "shell.php.jpg" bypassed this check and the upload succeeded. The check only looks at the last extension, while the server still executes the file as PHP because ".php" appears in its name.
Although requesting the uploaded file returned a page not found error, the reverse shell connection arrived at the netcat listener running in the background.
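To show why "shell.php.jpg" passes the extension check described above, here is an added example (my code, not the machine's PHP source, whose logic the walkthrough does not show): a weak check that looks only at the text after the last dot, next to a stricter check that allows exactly one extension and verifies the file's magic bytes. The allowed extensions mirror the walkthrough; the check logic and the sample file contents are assumptions constructed for the example.

```python
"""Added example: weak vs strict upload filename checks.

Not the Fristileaks application's code; the allowed list (.png, .jpg, .gif)
comes from the walkthrough, the rest is an assumed, typical filter design.
"""
import os

ALLOWED_EXT = {"png", "jpg", "gif"}

# Leading bytes of each allowed image type (assumption: these are the
# signatures a stricter filter would compare against).
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Constructed sample uploads (not files from the target machine).
SAMPLE_PNG = MAGIC["png"] + b"\x00" * 16
SAMPLE_PHP = b"<?php phpinfo(); ?>"


def weak_check(filename: str) -> bool:
    """Accept the file if the text after the LAST dot is an allowed extension.

    This is the behaviour the walkthrough ran into: 'shell.php.jpg' ends in
    'jpg' and is accepted, yet a PHP handler keyed on '.php' anywhere in the
    name still executes it.
    """
    if "." not in filename:
        return False
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXT


def strict_check(filename: str, data: bytes) -> bool:
    """Accept only '<name>.<allowed ext>' whose contents match the extension.

    Rejecting every multi-dot name removes the double-extension trick, and the
    magic-byte comparison rejects PHP source stored under an image name.
    """
    base = os.path.basename(filename)
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        return False
    ext = parts[1].lower()
    if ext not in ALLOWED_EXT:
        return False
    return data.startswith(MAGIC[ext])


if __name__ == "__main__":
    for name, data in [("shell.php.jpg", SAMPLE_PHP), ("cat.png", SAMPLE_PNG)]:
        print(f"{name:14} weak={weak_check(name)} strict={strict_check(name, data)}")
```

Running the block prints that the weak check accepts "shell.php.jpg" while the strict check rejects it and accepts only a real PNG named "cat.png". A server-side filter should also store uploads under a name it generates itself rather than the user-supplied one.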
After getting access, the research for privilege escalation began. During this research a note was found stating that the file named "runthis" in /tmp is executed every minute and that its output is written to /tmp/cronresult.
What can be done from here depends on the privileges of the user the cron job runs as. After this step, the contents of the "/home/admin" folder were listed; the directory had been given read, write and execute permissions for every user.
When "/home/admin" was checked, a different Python script named "cryptpass" was found. The purpose of this script is:
- It takes a value as a command-line argument
- This value is encoded with Base64
- The resulting string is reversed and then transformed with the ROT13 algorithm, and the final value is printed to the screen
It was determined that the contents of some files in "/home/admin" had been encoded with this script and were therefore unreadable.
To recover the original data encoded by that script, a script that applies the same steps in reverse order was written.
Below is the encoded content of one of the files in "/home/admin". The script shown above was used to turn this text back into its original form.
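The encoding scheme described above and its inverse, as an added example (my code, not the cryptpass script from the machine): encoding is base64, then string reversal, then ROT13; decoding applies ROT13 (which is its own inverse), reverses, and base64-decodes. The sample strings used in the usage section are constructed for the example.

```python
"""Added example: the base64 -> reverse -> ROT13 scheme and its inverse.

Not the walkthrough author's decoder nor the machine's cryptpass script; it
implements the three steps the walkthrough describes.
"""
import base64
import codecs
import sys


def cryptpass_encode(plaintext: str) -> str:
    """Base64-encode, reverse the text, then apply ROT13 (only letters change)."""
    b64 = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
    return codecs.encode(b64[::-1], "rot13")


def cryptpass_decode(encoded: str) -> str:
    """Undo the steps in reverse order: ROT13, reverse, base64-decode.

    ROT13 leaves digits, '+', '/' and '=' untouched, which is why a ciphertext
    produced by this scheme often starts with '=' (the reversed padding).
    """
    b64 = codecs.decode(encoded, "rot13")[::-1]
    return base64.b64decode(b64).decode("utf-8")


if __name__ == "__main__":
    # Usage: python3 script.py <encoded-string> [...]  (decodes each argument)
    #        python3 script.py -e <plaintext>           (encodes instead)
    if len(sys.argv) >= 3 and sys.argv[1] == "-e":
        print(cryptpass_encode(sys.argv[2]))
    else:
        for arg in sys.argv[1:]:
            print(cryptpass_decode(arg))
```

For a constructed sample, `cryptpass_encode("Hi")` gives "=xTF" (base64 "SGk=" reversed is "=kGS", ROT13 of that is "=xTF"), and `cryptpass_decode("=xTF")` returns "Hi" again.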
The decoded text was tried as the password of the "fristigod" user on the machine, and the switch to that user succeeded. Then the sudo command was used to check what this user is allowed to run as root.
su fristigod   # password: LetThereBeFristi!
whoami
sudo -l
In this step it was confirmed that "/var/fristigod/.secret_admin_stuff/doCom" can be executed through sudo.
Running a command through it as shown below gave a root shell on the machine. Finally, the flag in the /root folder was read.
Summary
- I think it was both fun and enjoyable: getting a reverse shell on the machine, the research on the privilege escalation side, and writing the Python script that decodes what the encoding script produces.
Click here to see my other articles about OSCP walkthroughs. Link