7MS #203: Vulnhub Walkthrough - FristiLeaks

Update 6/15: Sorry, I know I said on today's episode I was going to do a video version of this VM, but I'm jumping ship on that idea. The reason is I'm already excited about making a podcast + video version of a different VM. And, selfishly, that also allows me to be able to release some fresh material next week when I'm on vacation. :-)

Intro

The following is a semi-spoilerish walkthrough of the FristiLeaks VM from Vulnhub by @Ar0xA.

Disclaimer

I'm intentionally not posting a full walkthrough for a few reasons:

  1. Full (and better) walkthroughs already exist online.

  2. By not posting the full details, it allows readers the chance to get just a little push in the right direction without ruining the entire challenge.

  3. I like to show my full thought process as I do a whole lot of stuff wrong before I start making good progress. We can both likely learn something from that :-)

Write-up

An NMAP scan reveals port 80 open. At this point I usually run nikto, dirb check out /robots.txt, check for WebDAV and any insecure Web methods. That didn't lead me to much, so I built my own word list using key words and phrases to do with the VM (check out the Vulnhub page and also the copy on the root of the Web site. Then, copy/paste the data into a text file. From that, you can create a list of unique words, one per line, using:

cat comment_file.txt | tr " " "\n" | sort | uniq

After running this word list with dirb you should've found a new folder to explore. It is a login screen where you can try some SQLi or brute-forcing of passwords. Be sure to also look at the source code of the page, as it hints at a password mechanism in play, as well as a user account that may be paired with an unknown password. I had to get a hint with how exactly to handle the garbled password data I discovered. Here's a hint if you're in the same boat: you'll need to convert that string into a picture file using something similar to:

echo 'big-long-string-of-stuff' | base64 -d > something.jpg'

Once you use this information to log into the site successfully, the next challenge will be a page you can use to upload files to the server. You will find that you can't upload just any old file, but maybe you can find a way to get your shell there using Burp or Tamper Data (I really like using b374k).

When your initial shell is established, look at /etc/passwd, the /home dirs and any other areas your account has access to. These files will point you towards a file you can modify to escalate privs further. I made the file give "everybody" permissions to the /home/name-of-admin user so I could see all the files there. And once I could see all of those files, I had to cheat again and look for a hint online, as there is some password mechanism manipulation that was beyond my programming/scripting skills.

I used that information to elevate to another account, but the fun wasn't over yet! There's still one more challenge involving manipulating another file in such a way that your commands get executed with root privs so you can reveal the flag's content and call Fristi officially pwned!

Wow, the author says this VM should take about 4 hours to beat. Lets just say I didn't quite hit that mark ;-)