Friday 13 May 2016

FristiLeaks: 1.3 CTF Writeup

During last day I had a pleasure to play FristiLEaks CTF prepared by Ar0xA. Thanks! ;)
It was a good idea to choose this one as well as a lot of fun when I was wondering how to get root.

Below you will find a solution how to get the flag (and to "love Fristi"! ;))
(For those who want to read other writeups for Fristi, you can find them here.)

Here we go...



Setup VM and run FristiLeaks. I assume that you're in the same LAN, so let's scan the host
to check what's running there:

Some kind of a 'web server'. Cool. Let's check the webpage then.

 Nice, hint from the author. But still nothing special. :| Let's check what else we can get about the server or the webpage.(Yes, I know, old and lame. You can choose DirBuster or similar tool.
But it's still working, so... ;])

...that's how I found "/fristi/" directory:


Nice. Looks like an opportunity to get inside. Let's see the source:

Good. Another hint. As the comment was written by "eezeepz" I assume that this is the username
for the admin panel. Decoded (base64) image is the password for this user. Isn't it?

Yes, he is. So now we can see next stage - file uploader. Let's check if we can add our favourite webshell:
As you will see, there is a filtering enabled. So let's try to bypass it by changing the name of the webshell file to something with "image" extension at the end:

It's working ;]
And now, as you can see, image file is presentes in the same way as PHP file. We will use it to attack the box and get a reverse shell:


Small test:
Ok, cool. Next.
Got the reverse shell, let's check where (and what) we can read inside the system... notes.txt?
Interesting...
Yo Jerry, thanks for the hint. ;) So... how it was done 15 years ago? Small C file with setuid() function and command + cron? Yep. Let's try this: for a mentioned 'command' we will use admin's binary (chmod) to chmod (777) all /home/admin/ (via cron). Now we're able to read admin's directory easier.

We can see that there is a source code of a cryptpass.py as well as cryptedpass.txt file and whosyourgodnow.txt. Interesting. It looks like the password is base64 encoded and then rot13 is used.
Let's reverse this to decode the password. (Few minutes with Google and you will get the idea what the python source code is doing;))


Decoding:


Great. Let's try to login as other user (admin? not working. ls -la /home, and try other one):


Yes. Escalated up. But still not root. ;] Let's finish this.


It could be interesting, let's see what's inside: uh... a list of commands used with sudo?
Cool, I want to try it too. ;]


Finally! Got root ;] 


Once again big thanks to Ar0xA for preparing this CTF.

(btw: if you want to read also other adventures, try here. If you will have any questions,
feel free to ask. I will answer ASAP.)

See you next time ;)






Posted by at
Labels: , , , ,

No comments:

Post a Comment

What do You think...?

Subscribe to: Post Comments (Atom)