Site = VULNHUB
Creator = Ar0xA
Difficulty = 🍕
Basic Summary:
Easy machine with multiple ways to root; I did only one, so we're gonna cover that one. So, there's a webpage open and that's it. We have multiple directory mentions in robots.txt but nothing in those directories. Then in the /fristi directory, we get some credentials for the portal in /fristi. Then we can upload a shell and get our initial shell on the system. Afterwards it's pretty easy as we mostly get guided, and there's a cron job running from which we get credentials for another account in the system. And then from that account we have a binary through which we can run commands as root. And just like that we're ROOT. [And for running this machine in VirtualBox you need to set '08:00:27:A5:A6:76' as the MAC address.]
##RECON
80/tcp open http Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
| http-robots.txt: 3 disallowed entries
|_/cola /sisi /beer
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
##WEB
Visiting the web page, there's an image.
robots.txt has the following entries:
/cola
/sisi
/beer
All of the above directories lead to anything but useful stuff.
Then just using the box name for directory checking, we stumbled upon the directory /fristi.
A simple portal, let's check the source code.
A username eezeepz and a base64 image, let's render the image.
eezeepz:keKkeKKeKKeKkEkkEk
Trying to login, we’re presented with a picture upload page.
Wellll.. Let's just upload a revshell.
##Initial access
And yes, it does check whether the uploaded file's name ends with .jpg, etc., so just add .jpg at the end of your reverse shell's file name.
And we've got a revshell.
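An added example, not part of the original write-up or the box's code: a Python sketch of why a suffix-only check accepts a name like shell.php.jpg, next to a stricter upload validator. The function names, allowed types and sample uploads are assumptions made for illustration; the portal's real code is PHP and is not shown here.

```python
import os
import uuid

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}
# Leading magic bytes for each allowed image type.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def weak_check(filename):
    """Suffix-only check (assumed shape of the portal's filter)."""
    return filename.lower().endswith(tuple(ALLOWED_EXT))


def hardened_check(filename, content):
    """Return a server-chosen storage name, or None to reject the upload."""
    base = os.path.basename(filename.replace("\\", "/"))
    stem, ext = os.path.splitext(base.lower())
    if ext not in ALLOWED_EXT:
        return None
    # Reject extra extensions such as "name.php.jpg": a server that maps
    # handlers per extension (Apache's mod_mime can) may run the inner one.
    if "." in stem or not stem:
        return None
    # The bytes must actually start like the claimed image type.
    if not content.startswith(MAGIC[ext]):
        return None
    # Never reuse the client-supplied name on disk.
    return uuid.uuid4().hex + ext


# Constructed sample uploads (name, first bytes), not taken from the box.
SAMPLES = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("shell.php.jpg", b"<?php /* placeholder */ ?>"),
    ("photo.jpg", b"<?php /* placeholder */ ?>"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(name, weak_check(name), hardened_check(name, data) is not None)
```

Storing uploads outside the web root, or in a directory where script execution is disabled, closes the gap even if a validator like this is bypassed.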
Going to the /home directory, there are 3 directories: {admin,eezeepz,fristigod}.
We only have access to eezeepz's directory, so let's check.
##CronJob RUNTHIS
Well to the /tmp/ directory we go!!!
##Fristigod
Checking whoisyourgodnow.txt, it looks like a fristigod-related file.
Looks like a reversed base64. But actually it also has rot13 in between the two. So: reverse ~> rot13 decode ~> base64 decode.
Let's try it for the fristigod account!
Let's check for stuff.
##R00T
Let's go to that doCom file.
It looks like a binary with which we can run commands as root.
Let's try.
Using sudo -u to run as another user, and using the user fristi as mentioned in the sudo -l output.
Boom we’re root.
##Admin
Going back to admin's directory, we also had a cryptedpass file, let's check that.
Just a reversed base64,
and yes, it's a password for admin's account. Not like it matters now, but still.
Thanks for reading. Happy hacking 👏 😈.