This vulnerable VM is a fun and simple CTF that can be downloaded from the awesome portal VulnHub.
Note: For VMware you may need to set the MAC address to 08:00:27:A5:A6:76 to get it working. I did, see Fig 1.
Let's get ready to rumble...
As I already knew the IP address, let's launch an nmap scan. From the scan we can see only one open port (HTTP) and a robots.txt file listing some folders.
Let's open the website.
Nothing interesting so far. Now let's try robots.txt.
In these folders we only find a picture of Jedi Obi-Wan Kenobi and nothing else.
Giving it some thought, and since this is the fristi game, we arrive at the following URL: a login/password admin portal.
Let's check the HTML source code. We find that the image is encoded in Base64, and also a possible login name: eezeepz
Looking more closely at the HTML source code we find another potential Base64 encoded text.
Let's put the Base64 encoded text into a decoder like Burp Proxy. We see a PNG header. Sounds like an image!
Let's write a Python script to obtain the image.
Open the image and it looks to me like a password.
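The script below is an added example, not the author's script: it scans saved page source for Base64 runs, decodes each one, keeps only those that start with the PNG signature, and writes them to disk. The HTML it scans by default is a constructed sample (a 1x1 PNG in a comment), not the CTF's real markup.

```python
import base64
import binascii
import re
import sys

# Every PNG begins with this fixed 8-byte signature; it is what the
# walkthrough spotted in the decoded text.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Constructed sample page (not the CTF's real markup): a Base64 blob hidden in
# an HTML comment next to a stray username, mirroring what the source view showed.
SAMPLE_HTML = """<html><body>
<!-- login for the portal: eezeepz -->
<!--
iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==
-->
</body></html>"""


def extract_png_images(html: str) -> list[bytes]:
    """Return every Base64 run in the page that decodes to a PNG file."""
    images = []
    # Candidate blobs: long runs of Base64 characters plus optional padding.
    for blob in re.findall(r"[A-Za-z0-9+/]{20,}={0,2}", html):
        try:
            data = base64.b64decode(blob, validate=True)
        except binascii.Error:
            continue  # an ordinary long word or a broken blob, not Base64
        if data.startswith(PNG_SIGNATURE):
            images.append(data)
    return images


def save_images(images: list[bytes], prefix: str = "hidden") -> list[str]:
    """Write each decoded PNG to disk and return the file names used."""
    names = []
    for i, data in enumerate(images):
        name = f"{prefix}_{i}.png"
        with open(name, "wb") as fh:
            fh.write(data)
        names.append(name)
    return names


if __name__ == "__main__":
    # Pass the page saved from the browser as argv[1]; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.read()
    else:
        source = SAMPLE_HTML
    found = extract_png_images(source)
    print(f"{len(found)} PNG image(s) recovered:", save_images(found))
```

Any blob that decodes cleanly but does not carry the PNG signature is skipped, so plain words that happen to be valid Base64 do not produce junk files.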
So now we have a login and a password. Let's continue!
Great, we have logged in to the portal.
We can upload an image.
Why not a webshell? I modify one of Kali's webshells to set my IP address.
I upload the webshell, but an error happens. Some kind of filter!
Let's fire up Burp Proxy to bypass the filter, changing the filename to add a .png extension.
Great, filter bypassed and we have a webshell uploaded.
Let's call our webshell.
Remember to set up a Netcat listener before calling the webshell! Awesome, we got a shell.
A good place to start is checking the web app code, PHP in this case. In the /var/ folder we can see a /fristigod/ folder owned by the fristigod user. Interesting.
Poking around the /var/www/ folder we find a notes.txt file.
In the /home/ folder we see several users.
Moving to the /eezeepz/ folder we find another notes.txt file with an interesting message. We can execute commands, great!
Let's execute a command so we can access the /admin/ folder by using the /tmp/runthis file trick.
Inside the /admin/ folder we see a bunch of interesting files.
We got some encrypted files and the Python script used to encrypt them.
Time for more Python scripting: let's modify the encrypt script to decrypt the files.
Now we have some passwords, so let's switch to the fristigod user. Remember one of the encrypted files was "whoisyourgodnow.txt". We don't have a real terminal, so let's get one; a good cheat sheet here.
Moving to the /fristigod/ folder reveals nothing.
Recall that in the /var/ folder we had a /fristigod/ folder. Let's check that folder: we find some interesting files, including a root binary we can execute!
Checking the .bash_history file we learn how to execute that root binary.
Time to see the /root/ folder content by using the root binary we can execute.
Jackpot! We got a root shell and the Flag.
Kudos to the author for this fun CTF!
Did you get a root shell and the Flag by using other tactics?
— Simon Roses Femerling / Twitter @simonroses