FristiLeaks 1.3

    I'm a big fan of people who take time out of their day to help others in the community, especially with something as time consuming as building a vulnerable server.  So when I state that I don't really like the capture-the-flag style boxes, it's nothing against the maker; it's just a personal preference.  I'm sure it's enhancing my critical thinking skills and I should be happy with that, but sometimes these challenges frustrate me. 

    FristiLeaks is one of those boxes that tested my patience.  My frustration came out at the end, when I saw how I was supposed to conquer this box and instead I went for the kernel exploit.  Granted, the kernel exploit is the fastest way to root, so there's that, but the author had intended for it to be more of a game.  

    Anyway, in protest:

    Kicking off with an Nmap scan:

    Not much here, so we take a look at the web port with Nikto:

    Poking around at those directories bears no fruit, so I move to GoBuster:

    Still not getting anywhere.  I circle back to the beginning, start looking for open UDP ports, and try different fuzzers, but still nothing.  

    When we look at the initial page, we see:

    I think this is supposed to be a hint, given that the other uncovered directories are also drinks, but I didn't pick up on that clue until after the fact.  I just stumbled upon the /fristi directory:

    Here we have a login form, and I attempt SQL injection.  I also hit it with SQLMap but come up empty.  Viewing the source gives us a nugget though:

    With this, I think I have a username and I just need a password.  Scrolling further down in the source, I see:

    That looks like Base64.  I copy that data into a text file and attempt to decode it:

    I don't know if it's just dumb luck or what.  Because I didn't notice the space at the end of each line, the decoder bails out partway through, but not before it prints that little hint of "PNG" from the file header.  Had I cleaned up those spaces first, the decode would have succeeded and I would not have gotten that hint. 

    The "invalid input" error clues me in on the fact that something isn't right with my copy & paste (the extra spaces; GNU base64 -d tolerates line breaks but not stray spaces):

    You're obviously not able to see the space at the end of each line, but trust me, it's there.  Removing the spaces and trying again:

    And redirecting the output to an image file.  We take a look at our newly created image:
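    The decode-and-identify step above, written out as an added example (not code from the original post). It builds a constructed Base64 blob with a trailing space on every line, shows that a strict decode fails on it the way base64 -d does while a whitespace-stripped decode succeeds, and then reads the file type from the leading magic bytes instead of guessing. The MAGIC table and the sample bytes are assumptions made for the example.

```python
import base64
import binascii
import re

# Magic bytes for file types that commonly turn up as Base64 blobs in page source.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"\xff\xd8\xff": "JPEG",
    b"GIF87a": "GIF",
    b"GIF89a": "GIF",
    b"%PDF-": "PDF",
    b"PK\x03\x04": "ZIP",
}

# Constructed sample (not the blob from the box): a PNG signature followed by
# filler bytes, Base64-encoded, wrapped, and given a trailing space on every
# line, which is what a sloppy copy-and-paste from page source looks like.
SAMPLE_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 40
_encoded = base64.b64encode(SAMPLE_BYTES).decode()
SAMPLE_TEXT = "\n".join(_encoded[i:i + 64] + " " for i in range(0, len(_encoded), 64))


def strict_decode(text):
    """Decode the text as copied. Like base64 -d, newlines are tolerated but any
    other stray character makes the decode fail. Returns (bytes, None) on
    success or (None, error_message) on failure."""
    try:
        return base64.b64decode(text.replace("\n", ""), validate=True), None
    except binascii.Error as exc:
        return None, str(exc)


def lenient_decode(text):
    """Strip every whitespace character (including trailing spaces) before decoding."""
    return base64.b64decode(re.sub(r"\s+", "", text), validate=True)


def identify(data):
    """Label the decoded bytes by their leading magic, or None if unrecognised."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return None


def recover_file(text, out_path=None):
    """Decode a copied blob, identify it, and optionally write it to disk.
    Returns (label, size_in_bytes)."""
    data = lenient_decode(text)
    label = identify(data)
    if out_path is not None:
        with open(out_path, "wb") as fh:
            fh.write(data)
    return label, len(data)


if __name__ == "__main__":
    decoded, err = strict_decode(SAMPLE_TEXT)
    print("as copied:", "decoded" if decoded is not None else f"failed: {err}")
    label, size = recover_file(SAMPLE_TEXT)
    print(f"whitespace stripped: {size} bytes, magic says {label}")
```

    Passing an out_path to recover_file writes the decoded bytes with the right extension chosen from the magic label, which is the "redirect to a file and open it" step done deliberately rather than by eyeballing the terminal output.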

    One can only guess that this is the password.  With what I believe are complete credentials, I head back to the login:

    Hitting the Login button, I'm presented with:

    My first attempt is uploading a reverse shell with a .php extension.  That fails, so my next attempt is appending .jpg to the end of the filename:

    That works:
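    The post doesn't show the upload filter's source, so the following is an added example (not the box's code) of the class of check that a double extension like shell.php.jpg walks straight through, beside a hardened version of the same check. The allowlist, the sample filenames and the random-name scheme are assumptions made for the example; whether the web server then executes such a file depends on its handler configuration, which the post doesn't describe.

```python
import os
import secrets

# Assumed allowlist of image extensions the upload form is meant to accept.
ALLOWED = {"jpg", "jpeg", "png", "gif"}


def weak_check(filename):
    """The kind of filter a double extension slips past.

    It only asks whether the name ends with an allowed suffix, so
    'shell.php.jpg' is accepted and stored under exactly that name, while a
    bare 'shell.php' is rejected, matching what the post observed.
    """
    return any(filename.lower().endswith("." + ext) for ext in ALLOWED)


def hardened_name(filename):
    """Return a safe server-side filename, or None to reject the upload.

    Rules: keep only the basename (drop any directory part the client sent),
    require exactly one extension, require it to be on the allowlist, and
    replace the client-supplied stem with a random one so nothing the
    uploader chose survives into the stored path.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        return None  # no extension, a leading dot, or a chain like shell.php.jpg
    ext = parts[1].lower()
    if ext not in ALLOWED:
        return None
    return f"{secrets.token_hex(16)}.{ext}"


def triage(filenames):
    """Run both checks over a list of names; returns {name: (weak_ok, hardened_ok)}."""
    return {name: (weak_check(name), hardened_name(name) is not None) for name in filenames}


if __name__ == "__main__":
    # Constructed sample names, not taken from the box.
    samples = ["photo.jpg", "shell.php", "shell.php.jpg", "shell.jpg.php", ".htaccess"]
    for name, (weak, hard) in triage(samples).items():
        print(f"{name:16} weak={'accept' if weak else 'reject':7} hardened={'accept' if hard else 'reject'}")
```

    The hardened version deliberately rejects any name with more than one dot rather than trying to reason about which extension "wins"; the server should also verify the file's magic bytes and serve the upload directory with script execution disabled, but the extension rule alone already closes the double-extension trick shown here.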

    The output of the upload gives us the path, and I attempt to hit the shell:

    With my listener setup:

    We catch the shell, clean up the environment, and check our id.  A quick look around and I find a note:

    I also check my environment.  I'm sure that note is a hint as to how I'm supposed to escalate my privileges, but a quick search for Linux 2.6.32 on Exploit-DB reveals:

    Dirty COW (CVE-2016-5195), of course.  I move a compiled version over from my box, give it execute permissions, and run it (it's a race-condition exploit, so snapshot the VM first in case it wedges the kernel):

    Way more capture-the-flag-y than I like, but aside from getting hung up on the initial foothold, the box is pretty straightforward after that.  

    © 2020