Fristileaks 1.3 CTF Writeup

This vulnerable VM is a fun and simple CTF that can be downloaded from the awesome portal VulnHub.

Note: on VMware you may need to set the VM's MAC address to 08:00:27:A5:A6:76 to get networking to come up, since the VM's network configuration is tied to that address. I did, see Fig 1.

srf_fristileaks_1

Let’s get ready to rumble…

Since I already knew the IP address, let's launch an nmap scan. The scan shows only one open port, 80/tcp (HTTP), and nmap's http-robots.txt script reports a robots.txt that lists a few disallowed folders.

srf_fristileaks_2

Let’s open the website.

srf_fristileaks_3

Nothing interesting so far. Now let's try robots.txt.

srf_fristileaks_4

Each of these folders contains only a picture of Obi-Wan Kenobi and nothing else.

srf_fristileaks_5

After some thought, and since the theme of this VM is Fristi, we arrive at the following URL (the /fristi/ directory): a login/password admin portal.

srf_fristileaks_6

Let's check the HTML source code. We find that the page's image is embedded inline as Base64, and an HTML comment gives us a possible login name: eezeepz.

srf_fristileaks_7

Looking more closely at the HTML source code, we find another Base64-encoded blob in a comment.

srf_fristileaks_8

Let's put the Base64 text into a decoder such as Burp's Decoder. The decoded bytes start with a PNG header (89 50 4E 47, i.e. \x89PNG), so this is an image.

srf_fristileaks_9

Let's write a short Python script to decode the blob and save the image.

srf_fristileaks_10
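The author's script is only shown in the screenshot above; the following is an added example of the same idea, not the original code. It carves every Base64-looking run out of an HTML page (tolerating the line breaks long blobs usually carry), identifies each decoded blob by its magic bytes, and writes it to disk with a matching extension. The sample page, the 1x1 pixel PNG and the text note embedded in it are constructed for the example and are not the VM's real page.

```python
import base64
import binascii
import re
import sys

# Magic bytes for the file types most often found hidden in Base64 blobs.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
}

# A run of Base64 characters, allowing the line breaks that authors put into
# long blobs. The minimum length keeps ordinary words and attribute values out.
B64_RUN = re.compile(r"[A-Za-z0-9+/\r\n]{40,}={0,2}")

# Constructed sample page (not the VM's real login page): an inline data-URI
# image, the same image split across two lines inside an HTML comment, and a
# Base64 text note. The PNG is a generic 1x1 pixel image.
PNG_B64 = (
    "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAA"
    "DUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=="
)
NOTE_B64 = base64.b64encode(
    b"Secret note: this one is just text, not an image."
).decode("ascii")
SAMPLE_HTML = f"""<html><body>
<!-- TODO: we need to clean this up for production. - by eezeepz -->
<img src="data:image/png;base64,{PNG_B64}" />
<!--
{PNG_B64[:48]}
{PNG_B64[48:]}
-->
<!-- {NOTE_B64} -->
</body></html>"""


def sniff(data: bytes) -> str:
    """Identify a decoded blob by its leading magic bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def find_base64_blobs(html: str):
    """Return candidate Base64 strings with embedded line breaks removed."""
    blobs = []
    for m in B64_RUN.finditer(html):
        cleaned = re.sub(r"[\r\n]", "", m.group(0))
        # Real Base64 has a length that is a multiple of 4 once padded.
        if len(cleaned) >= 40 and len(cleaned) % 4 == 0:
            blobs.append(cleaned)
    return blobs


def carve(html: str, out_prefix=None):
    """Decode every blob, identify it, and optionally write it to disk."""
    results = []
    for i, blob in enumerate(find_base64_blobs(html)):
        try:
            data = base64.b64decode(blob, validate=True)
        except binascii.Error:
            continue  # looked like Base64 but was not
        kind = sniff(data)
        results.append({"kind": kind, "size": len(data), "data": data})
        if out_prefix:
            ext = kind if kind != "unknown" else "bin"
            with open(f"{out_prefix}_{i}.{ext}", "wb") as f:
                f.write(data)
    return results


if __name__ == "__main__":
    # Usage: python carve_b64.py page.html   (writes blob_0.png, blob_1.png, ...)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            page = f.read()
    else:
        page = SAMPLE_HTML
    for r in carve(page, "blob"):
        print(r["kind"], r["size"])
```

Running it against the saved login page (`curl -s http://target/fristi/ > page.html`) is enough to recover the hidden image; the magic-byte check matters because a blob that decodes to text, a PDF or a zip deserves a different next step than one that decodes to a PNG.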

Opening the image, it looks to me like a password:

srf_fristileaks_11

So now we have a login and a password. Let’s continue!

srf_fristileaks_12

Great, we have logged in to the portal.

srf_fristileaks_13

We can upload an image.

srf_fristileaks_14

Why not a webshell? 🙂 I modify one of Kali's PHP reverse shells (shipped under /usr/share/webshells) to set my IP address.

srf_fristileaks_15

Uploading the webshell fails with an error. Some kind of extension filter!

srf_fristileaks_16

Let's fire up Burp Proxy to bypass the filter: intercept the upload request and change the filename to add a .png extension after the .php one, so a check that only inspects the final extension lets it through.

srf_fristileaks_17

Great, filter bypassed, and our webshell is uploaded.

srf_fristileaks_18
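Why does appending .png work, and what should the portal have done instead? The following is an added example, not the portal's PHP code: it contrasts a filter that inspects only the final extension (the kind a double extension like shell.php.png slips past) with a hardened version that rejects a script extension anywhere in the name, requires the content's magic bytes to match the claimed image type, and never reuses the client-supplied filename on disk. The double extension matters because Apache's mod_mime treats every dotted suffix as an extension, so a handler mapped to .php can still run shell.php.png; the extension lists and sample bytes below are my own choices.

```python
import secrets

# Image types the portal wants to accept, and server-side script extensions
# that must never appear anywhere in a stored filename (list is illustrative).
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}
SCRIPT_EXT = {"php", "php3", "php4", "php5", "phtml", "phar", "phps"}
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Constructed samples: a minimal PNG header and a one-line PHP webshell.
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_SHELL = b"<?php system($_GET['cmd']); ?>"


def weak_check(filename: str) -> bool:
    """The filter that gets bypassed: only the last extension is inspected."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXT


def hardened_store_name(filename: str, content: bytes):
    """Return a safe server-generated filename, or None if the upload is rejected."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return None                      # no extension at all
    exts = parts[1:]
    if any(e in SCRIPT_EXT for e in exts):
        return None                      # shell.php.png: script ext in the middle
    ext = exts[-1]
    if ext not in ALLOWED_EXT:
        return None                      # not an image type we serve
    if not any(content.startswith(m) for m in MAGIC[ext]):
        return None                      # claimed PNG but bytes say otherwise
    # Random name: the attacker never controls the path that ends up on disk.
    return f"{secrets.token_hex(16)}.{ext}"


def demo():
    """Weak vs. hardened decisions for the same uploads."""
    return {
        "weak shell.php": weak_check("shell.php"),
        "weak shell.php.png": weak_check("shell.php.png"),
        "hard shell.php.png": hardened_store_name("shell.php.png", PHP_SHELL),
        "hard fake.png": hardened_store_name("fake.png", PHP_SHELL),
        "hard real.png": hardened_store_name("real.png", PNG_BYTES),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22} -> {v}")
```

Magic-byte checking is not a complete defence on its own (a valid PNG can carry PHP in a trailing chunk), which is why the hardened version also refuses to store anything whose name contains a script extension and chooses the on-disk name itself; serving the upload directory with script execution disabled is the remaining step.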

Let's call our webshell.

srf_fristileaks_19

Remember to set up a Netcat listener before calling the webshell! Awesome, we got a shell 🙂

srf_fristileaks_20

A good place to start is the web app code, PHP in this case. Under /var/ we also see a /fristigod/ folder owned by the fristigod user, which is interesting.

srf_fristileaks_21

Poking around /var/www/ we find a notes.txt file.

srf_fristileaks_22

In /home/ we see several user directories.

srf_fristileaks_23

Moving to /home/eezeepz/ we find another notes.txt file with an interesting message: we can get commands executed on our behalf, great!

srf_fristileaks_24

Let's use the /tmp/runthis file trick described in the note to run a command that gives us access to the /home/admin/ folder.

srf_fristileaks_25

Inside /home/admin/ we see a bunch of interesting files.

srf_fristileaks_26

We find some encrypted files and the Python script that was used to encrypt them.

srf_fristileaks_27

Time for more Python scripting: since every step of the encryption script is reversible, let's invert it to decrypt the files.

srf_fristileaks_28
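The VM's script is only visible in the screenshot, so the following is an added example of the inversion technique rather than the author's decryptor. It assumes, for illustration, an encoder built from three reversible steps (Base64, string reversal, ROT13); the decoder applies the inverse of each step in the opposite order, rejects input that was not produced by the encoder, and proves itself with a round trip. The sample file contents and passwords are constructed, not the VM's real ones.

```python
import base64
import binascii
import codecs


def encode_string(plaintext: str) -> str:
    """Assumed encoder: Base64 -> reverse the string -> ROT13."""
    b64 = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
    return codecs.encode(b64[::-1], "rot13")


def decode_string(ciphertext: str):
    """Invert encode_string by undoing each step in reverse order.

    Returns None when the input could not have come from the encoder.
    """
    reversed_b64 = codecs.decode(ciphertext.strip(), "rot13")  # ROT13 is its own inverse
    b64 = reversed_b64[::-1]                                   # undo the reversal
    try:
        # validate=True rejects stray characters instead of silently skipping them
        return base64.b64decode(b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


# Constructed "encrypted files": produced by encode_string above, not copied
# from the VM. Only the file name whoisyourgodnow.txt comes from the writeup.
SAMPLE_FILES = {
    "whoisyourgodnow.txt": encode_string("not-the-real-password"),
    "another_note.txt": encode_string("fristi"),
    "unrelated.txt": "this file was never encoded by the script!",
}


def decrypt_files(files: dict) -> dict:
    """Decrypt every file; entries that fail validation map to None."""
    return {name: decode_string(content) for name, content in files.items()}


def round_trip_ok(samples=("fristi", "p4ssw0rd!", "", "ünïcödé")) -> bool:
    """Sanity check that the decoder really inverts the encoder."""
    return all(decode_string(encode_string(s)) == s for s in samples)


if __name__ == "__main__":
    assert round_trip_ok()
    for name, plain in decrypt_files(SAMPLE_FILES).items():
        print(f"{name}: {plain!r}")
```

The round-trip check is the part worth keeping: when reversing an unfamiliar script, encoding a known value and decoding it back catches an inverted step order or a wrong codec before you trust a recovered password.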

Now we have some passwords. Recall that one of the encrypted files was "whoisyourgodnow.txt", so let's switch to the fristigod user. su needs a real TTY and our reverse shell does not have one, so let's upgrade it first; a good cheat sheet here.

srf_fristileaks_29

Moving to /home/fristigod/ reveals nothing.

srf_fristileaks_30

Recall that under /var/ we had a /fristigod/ folder. Checking it, we find some interesting files, including a root-owned binary we can execute!

srf_fristileaks_31

Checking the .bash_history file we learn how to execute the previous root binary.

srf_fristileaks_32

Time to list the /root/ folder using that binary.

srf_fristileaks_33

Jackpot! We got a root shell and the flag 🙂

srf_fristileaks_34

Kudos to the author for this fun CTF!

Did you get root shell and the Flag by using other tactics?

— Simon Roses Femerling / Twitter @simonroses

This entry was posted in Pentest, Security, Technology.
