CTF – FristiLeaks 1.3 vulnhub – Walkthrough


Introduction

FristiLeaks 1.3 is an offline Capture the Flag-Style Virtual Machine created by Ar0xA. I managed to solve this challenge today and here is what I did.

Goals

  • Get Root
  • Read the flag file.

[Image: VM start screen]

On initializing the virtual machine, this screen popped up and gave some useful information. I didn’t have to dig up further for the IP Address of the machine.

IP address: 192.168.0.102

Finding the services

To find the active services on the VM, I fired up nmap and scanned for the open ports.

Cool, I see there is a web server running on the HTTP default port. On browsing port 80, it brought this page on the screen.

Finding Clues

[Image: FristiLeaks homepage]

Interesting. But this page didn’t have anything special, so I checked the source code of the page. There was a comment.

But it was not what I was looking for. However, I followed the source of the image on the homepage and it led me to the images directory, which had two images:

  • 3037440.jpg
  • keep-calm.png
I could see where keep-calm was being used. But what about the other image?

To find my answers, I started looking for some place where this image was actually being used.

Robots.txt

I checked for robots.txt file. And luckily it was there.

All these directories had nothing other than that image. Disappointment! But I knew there was something about these URLs… They are all names of drinks. And looking at the keep-calm image, it says

Keep calm and drink Fristi

[Image: keep-calm.png]

Drink Fristi? A drink? Just like beer, Sisi and Cola? 

It clicked, and I tried this URL:

192.168.0.102/fristi/

And voila! I found a login panel here.

[Image: Fristi login panel]

This admin portal brought up a whole new challenge. I had to bypass this authentication somehow. I tried SQL injection authentication-bypass payloads like

' or '1'='1

and the like, but the login script was sanitizing input properly, so no luck with SQL injection. After a few failed attempts, I moved on to try something else.

Sometimes, due to poor session management, it is possible to access private files without authentication. For example, admin/dashboard.php is meant for admins, and a visitor without a session is automatically redirected to the login form. However, if the script only sends the redirect header and keeps executing, we can block that redirect on the client side and see whether the content of dashboard.php is still served.

Bypass Attempt – Blocking HTTP Redirect

Before using this method, I had to know the actual admin file names. So I started guessing common file names like

  • dashboard.php
  • admin.php
  • home.php
  • loggedin.php
  • upload.php
  • submit.php

And I found one: upload.php worked for me. It was redirecting me back to the main_login.php file. So I fired up Firefox, installed the NoRedirect add-on, added a no-redirect rule for main_login.php, browsed upload.php again and voila! I was presented with a file upload form.

[Image: upload form reached without a session]
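The flaw behind that trick is a redirect that is sent but never terminates the request, so the protected body still follows it. The following is an added example (not code from the VM or its author): two minimal WSGI handlers standing in for upload.php, one with the bug and one fixed, plus an in-process client that, like the NoRedirect add-on, ignores the Location header. The `session=valid` cookie is a stand-in for a real session lookup.

```python
"""Redirect-without-exit: added example, not code from the FristiLeaks VM.

Two minimal WSGI apps stand in for upload.php. Both send a 302 to
main_login.php when there is no session, but only the fixed one stops there.
"""

UPLOAD_FORM = (b"<html><body><h1>Upload</h1>"
               b"<form method='post' enctype='multipart/form-data'>"
               b"<input type='file' name='file'><input type='submit'>"
               b"</form></body></html>")


def logged_in(environ):
    """Hypothetical session check: a cookie 'session=valid' stands in for a
    real server-side session lookup."""
    return "session=valid" in environ.get("HTTP_COOKIE", "")


def upload_vulnerable(environ, start_response):
    """Mirrors PHP's header('Location: ...') with no exit after it."""
    if not logged_in(environ):
        start_response("302 Found", [("Location", "/main_login.php")])
        # BUG: no 'return' here, so execution falls through to the body below
    else:
        start_response("200 OK", [("Content-Type", "text/html")])
    return [UPLOAD_FORM]          # sent in both cases


def upload_fixed(environ, start_response):
    """The authorization decision terminates the request: nothing protected
    is written after the redirect."""
    if not logged_in(environ):
        start_response("302 Found", [("Location", "/main_login.php")])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [UPLOAD_FORM]


def fetch(app, cookie=""):
    """In-process client that, like a redirect-blocking browser, does not
    follow Location. Returns (status, headers, body)."""
    seen = {}

    def start_response(status, headers):
        seen["status"] = status
        seen["headers"] = dict(headers)

    body = b"".join(app({"HTTP_COOKIE": cookie}, start_response))
    return seen["status"], seen["headers"], body


if __name__ == "__main__":
    for name, app in (("vulnerable", upload_vulnerable), ("fixed", upload_fixed)):
        status, headers, body = fetch(app)
        print(f"{name:10s} no session -> {status}, body {len(body)} bytes")
```

Running it shows both handlers answering `302 Found` without a session, but only the vulnerable one ships the form in the body. The detection side is the same observation: a 302 response to a protected path with a non-trivial body is worth flagging in web logs or a proxy.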

Awesome. But the sad part is I couldn’t upload a PHP shell, as this upload script was accepting only files with image extensions. After a few failed attempts, I gave up and started looking for a proper login session.

Bypass Attempt – Using Clues

Before using that redirect blocker, I had also found some useful information in the source code. There was commented-out text in the login page source.

eezeepz?

Yeah right. I know what you’re thinking. A possible username? I thought if a username is given here, then it’s quite possible that the password is also hidden somewhere, waiting to be found. So I kept reading the source code, looking for clues. I noticed the image displayed on the login form was stored as a base64 data string. And right after this image there was another base64 string, but it was commented out.

And it was just another image. To keep things moving, I fired up Firebug, replaced the login page image source with this string, and the result was something like

[Image: decoded image revealing the password]

The resultant image gave me this string:

Which, unsurprisingly, is our password. With both the username and password in hand, I made a login attempt and was redirected to login_success.php.

[Image: upload form after login]

Super! But I was disappointed. I thought there would be more modules available if I logged in with a proper session. But nothing new was found: the same old upload module to which I already had access.

Now I was sure that if there was a way in, it was through upload.php. I added another extension, “jpg”, to the shell, uploaded it, tried to access it, and voila! A lovely shell was waiting for me to take control of the server.

Take Over!

I found MySQL credentials in the checklogin.php file.

Inspecting database

After logging in to the MySQL server with the given credentials, I could only find a single table, “members”, with only one record, which I already knew. No surprises there.

[Image: members table dump]

Gathering more clues

I started a reverse shell on the server for better command results. And while going through different directories, I came across an interesting file “notes.txt” in /home/eezeepz/ directory.

All other files were either useless or not accessible with current rights.

Wow! Seriously? Let’s do something with your given rights b***h 😎

Taking down Admin Home

As instructed, I added a runthis file in /tmp with the following command:

And after some time, the cronresult file was there.

Amazingly, I could then access the /home/admin directory with my current user. The admin user had some very interesting files there: cryptedpass.txt, whoisyourgod.txt and cryptpass.py. I believed cryptedpass.txt was ciphertext generated by the cryptpass.py script, so I looked into the script.

I moved on to test it.

Cool. It generated a crypted password for me. However, the script uses the rot13 and base64 algorithms (both are reversible), so all I had to do was reverse them, which was pretty easy. I modified the original script as follows:

And to test whether the result was working fine:

Awesome! Everything was in order. Now it was time to decrypt the other passwords and try su.
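The lesson here is that base64 and rot13 are encodings, not encryption: no key is involved, so the output reverses exactly. The following is an added example, not the VM's cryptpass.py or the author's modified script. The order (base64 first, then rot13) is my assumption; the point holds for either order. The PBKDF2 pair shows what a password store should do instead: a salted, slow, one-way hash that can only be verified, never decoded. The sample password is constructed.

```python
"""Reversible 'crypt' versus a real password hash: added example, not the
FristiLeaks VM's own script."""
import base64
import codecs
import hashlib
import hmac
import secrets


def weak_crypt(password):
    """Reversible: anyone holding the output recovers the password.
    Order (base64, then rot13) is an assumption about the script."""
    b64 = base64.b64encode(password.encode()).decode()
    # rot13 touches letters only, so base64's digits, '+', '/' and '=' survive
    return codecs.encode(b64, "rot13")


def weak_decrypt(token):
    """Undo the two steps in reverse order; no key is needed."""
    return base64.b64decode(codecs.decode(token, "rot13")).decode()


def hash_password(password, salt=None, iterations=200_000):
    """One-way, salted and deliberately slow: even with this string in hand,
    the password has to be guessed, not decoded."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute the derivation with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    secret = "example-password"            # constructed, not a password from the VM
    token = weak_crypt(secret)
    print("weak:  ", token, "->", weak_decrypt(token))
    stored = hash_password(secret)
    print("pbkdf2:", stored)
    print("verify:", verify_password(secret, stored), verify_password("wrong", stored))
```

Two calls to `hash_password` with the same input give different strings because of the random salt, which is exactly what the base64/rot13 scheme cannot offer: identical inputs always yield identical, decodable tokens.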

And after trying these passwords on different users, I was able to log in as the fristigod user.

However, I was not able to use sudo.

Hmm. This is interesting.

Great. It looks like there is an executable, “/var/fristigod/.secret_admin_stuff/doCom”, which can run any command as the user “fristi”.

Rooting the box

Booyah!! I’m ROOT

Fristileaks – Capturing the Flag

Conclusion

This was a good CTF challenge and I really enjoyed solving it. I hope you guys like it too.

Thank you for reading.
Comments

A proud Indian: Awesome hacks! I tried this myself but couldn’t get past admin portal