Good Evening Guys,
We, Securium Solutions, will be posting walkthroughs of several CTF machines in the upcoming days. Stay tuned for the latest updates.
Today we start our CTF series with a beginner-level CTF machine named FristiLeaks-1.3.
Go through all the steps for a clear understanding.
Switched on the vulnerable Fristi machine, then did a ping sweep from the Kali machine with the Nmap tool to detect the IP of the vulnerable machine, and identified it by its very low latency: “nmap -sP IP”
Used the target IP with DirBuster and Nmap to find the directories, open ports and services running on the target machine.
It turned out that the machine has a robots.txt and that port 80 is open with an HTTP server running on it. Tried to gather some information from those.
In robots.txt, three directories were found, each serving the same picture; nothing was found in the page source or in the images either.
I tried to find some hidden info in the picture, but ended up with nothing.
Then I tried to access the HTTP server running on port 80 through the browser by using the IP in the URL.
When I viewed the page source, I found a user named “eezeepz”.
On the same page I found a base64-encoded file. I decoded it, thinking it would be a text file, but then realised it was a PNG file. So I renamed it and ended up with a picture containing a string of many K's.
I used an online OCR converter to convert the picture into plain text.
We can easily guess that there is a directory called fristi, because the first page of the server hints at that word itself. Then I logged in with the found username eezeepz and the password KeKkeKKeKKeKkEkkEk.
After logging in, I was presented with a file upload feature that had upload restrictions.
I used a PHP reverse shell script from an online source, but ended up with a very unstable shell through Netcat.
Then I generated a PHP payload with msfvenom and uploaded it with the double extension .php.png to bypass the upload restrictions. Then I listened in msfconsole for the reverse shell and easily got a Meterpreter session on the machine… Kudos to MSF… lol
REMEMBER: the file name of your payload matters when you run it in the browser from the /uploads folder.
We are clearly running as uid=apache, so we need to find a way to escalate our privileges to root. I found a file notes.txt in the /var/www folder, which pointed me to the home directory.
In the home directory I found three directories: Admin, eezeepz and fristigod. In the eezeepz directory there is another notes.txt, which states which privileges I can use, such as the chmod, cat, echo and some other commands.
It also says that a normal user can run any file with root permission by saving a binary file named “runthis” in the /tmp folder; the script will be run with root privileges every minute.
What I did here: I just set the permissions of the Admin folder to 777 by adding a small script to a file and saving it in the /tmp folder. So when it was executed, the Admin folder became accessible to anyone, obviously us (the attacker).
Now I could access the home folder with ease, and there I found three sensitive files: cryptpass.py, cryptedpass.txt and whoisyourgodnow.txt.
In cryptpass.py I found that the other two files are encoded with base64 and rot13.
This is where I got some help from online resources to crack this encoding with the help of Python code. LOL
The code for decoding the encryption is shown in the screenshot below.
We can also use the Python shell to decrypt it; doing so revealed another password, which is possibly the fristigod user's password.
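As an added example (not the post's screenshot and not the machine's own cryptpass.py), here is a Python round trip of the scheme exactly as the post describes it, base64 followed by rot13, with a constructed sample value in place of the real contents of cryptedpass.txt. The point for a defender is that this is obfuscation, not encryption: anyone who can read the script can reverse it.

```python
import base64
import codecs


def obfuscate(plaintext: str) -> str:
    """Apply the two steps the post describes: base64, then rot13.

    Constructed to match the post's description; it is not the machine's script.
    There is no key, so this offers no confidentiality once the steps are known.
    """
    b64 = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
    # rot13 only rotates letters; base64's digits, '+', '/' and '=' pass through.
    return codecs.encode(b64, "rot_13")


def deobfuscate(ciphertext: str) -> str:
    """Undo the steps in reverse order: rot13 first (it is its own inverse),
    then base64-decode the recovered text."""
    b64 = codecs.decode(ciphertext, "rot_13")
    return base64.b64decode(b64).decode("utf-8")


if __name__ == "__main__":
    sample = "not-the-real-password"  # constructed sample, not the CTF value
    stored = obfuscate(sample)
    print("stored form:", stored)
    print("recovered  :", deobfuscate(stored))
```

Paste the real contents of cryptedpass.txt into deobfuscate() on the machine to reproduce the post's step; the recovered value is only as secret as the script that produced it.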
When I tried to su to fristigod, I learned that it can only be used from a TTY shell.
Then I used the usual command to spawn a TTY shell: python -c 'import pty; pty.spawn("/bin/sh")'
Then I used su to switch user and upgrade my privilege.
In fristigod's directory there are two hidden files, one of which is the bash_history file; from it we learn that doCom, under the path /var/fristigod, is executed with root privileges.
Navigating to /var/fristigod and executing that file with sudo using fristigod's privileges, then changing the permission to root privileges (i.e. 777).
Then I navigated to the root directory to extract the final flag, named fristileaks_secrets.txt, and cat'ed the file to read the final flag: Y0u_kn0w_y0u_l0ve_fr1st1
Finally cracked the first machine for Securium Solutions.
We hope to bring you lots and lots of CTF walkthroughs in the upcoming days. Stay tuned, guys.
Bye Bye, Meet you with another blog.
Thank you, Have a nice day.