Fristileaks 1.3


Fristileaks is a very awesome machine to work and practice on. Once you download the VM from Vulnhub, you will have to set the MAC address to 08:00:27:A5:A6:76 for it to be able to run correctly.
Let's get started!

I knew the IP address of the machine as they give it to you when you start the VM. But for fun and out of habit I run
Netdiscover.


Next I run an Nmap scan to see what open ports and services are available.
Once completed, it returns with port 80.
Also in the output are the robots.txt entries:
/cola, /sisi, /beer


First, before testing, I visit the webpage.


Next I test the first robots.txt entry,
/cola,
and failed.


I visited the others and received negative outputs.
So I tried
fristi
BOOM! A login and password page.


For good practice I check the source code of the webpage.
I see that the image is encoded with Base64.


When I inspected the photo I see a different code than above.
I then take the Base64 code and decrypt it to get the password of the login.


Once I'm logged in, I am greeted with an uploads page.


I made a PHP upload and tried to upload it and got an error due to the fact that only a png, jpg or gif file can be used.
So I fired up Burp Suite to bypass this and change the filename by adding a png extension.


Once changed, I forward the change and get a successful upload.


I then visit the upload page to execute my webshell!
Success!
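
The upload filter above accepted a PHP file once its name ended in png. As an added example (not code from the VM or from this walkthrough), the Python below contrasts an assumed last-extension check with a stricter validator that a defender could use instead; the function names and the sample uploads are constructed for illustration.

```python
import os
import secrets

# Allowlisted image types: extension -> accepted leading file signatures.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

def weak_check(filename):
    """Assumed weak filter: trusts the last extension of the client-supplied name."""
    return filename.rsplit(".", 1)[-1].lower() in SIGNATURES

def hardened_check(filename, content):
    """Return a server-generated storage name, or None when the upload is refused."""
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.split(".")
    # Exactly one extension is allowed, so "shell.php.png" is refused.
    if len(parts) != 2 or not parts[0]:
        return None
    ext = parts[1].lower()
    if ext not in SIGNATURES:
        return None
    # The content must begin with a signature of the claimed type.
    if not content.startswith(SIGNATURES[ext]):
        return None
    # Never reuse the client's file name on disk.
    return secrets.token_hex(16) + "." + ext

# Constructed sample uploads (not taken from the VM).
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SCRIPT_BYTES = b"<?php /* placeholder body */ ?>"
SAMPLES = [
    ("logo.png", PNG_BYTES),
    ("shell.php.png", SCRIPT_BYTES),
    ("shell.png", SCRIPT_BYTES),
    ("notes.php", SCRIPT_BYTES),
]

def compare():
    """Map each sample name to (weak filter accepts, hardened check accepts)."""
    return {name: (weak_check(name), hardened_check(name, data) is not None)
            for name, data in SAMPLES}

if __name__ == "__main__":
    for name, (weak, hard) in compare().items():
        print(f"{name:15} weak={weak!s:5} hardened={hard}")
```

Storing uploads outside the web root, or in a directory where the PHP handler is disabled, keeps an accepted file from being executed even if validation is bypassed.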


In the /var/ folder we can see a /fristigod/ folder by the fristigod user, interesting.


Once in the /fristigod dir I then see the notes.file


In the /home dir I see the users:
admin
eezeepz
fristigod


I check to see what's in the eezeepz dir, only to find another notes.txt file.


Next I tried to get to the admin dir. I get a permission denied.


First of all I try issuing a chmod, by echoing chmod 777 /home/admin to /tmp/runthis.
Once that has run, I am able to get into the admin dir.


cat whoisyourgodnow.txt
cat cryptedpass.txt
cat cryptpass.py


Once the Base64 is decoded I am given the words
LetThereBeFristi!
This will be the password to log in.
