This will be my first vulnerable VM walkthrough that I am documenting in preparation for my OSCP exam in December. I have dealt with Kioptrix 1 before, but I am really not in the mood for buffer overflows at this point. This will also serve as my first wild ass guess (WAG) at solidifying my methodology that I will be using during the exam.
The methodology that I will be using looks like this:
Recon -> Enumeration -> Exploits -> PrivEsc
This is a very macro view of the steps that I am going to take in order to pass this exam the next time, but I have my notes cued up in my OneNote.
There are tons of avenues here, so we will take a look at the webserver first.
Then to take a look at the source:
So we now know we need to get root (duh!) and read the flag file. Got it. I played with the image and the index file a bit, and didn’t find anything of interest. Looking at the nmap results, I notice the directories /cola, /beer and /sisi are all present, but only contain:
Looking at the actual webpage, they are referring to drinking “Fristi”. The other directories are named after drinks, so let's try /fristi:
Looking at the source, the image is served up Base64 encoded, but with a couple of strange anomalies. Upon inspecting the Nelson image, there isn’t anything interesting going on. Under the Nelson image in the HTML, there is another Base64 blob… after converting it to a .png, we see…
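As an added example (not code from this post or from the VM), here is a small Python helper that does what the paragraph above describes by hand: it pulls Base64 runs out of an HTML page, decodes the ones that validate, and identifies each by its magic bytes so you know whether you are looking at a PNG, plain text, or something else before writing it to disk. The HTML below is a constructed sample with one data-URI image and one blob hidden in a comment; it is not the VM's page.

```python
import base64
import binascii
import os
import re

# Magic bytes used to identify what a decoded blob actually is.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF8": "gif",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
}

# A Base64 run: at least 24 alphabet characters plus optional padding.
# Long hex hashes or URL paths can also match, so every hit is still validated by decoding it.
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def sniff(data: bytes) -> str:
    """Classify decoded bytes by magic number, falling back to 'text' for printable ASCII."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "text"
    return "unknown"


def extract_blobs(html: str) -> list:
    """Return every Base64 run in the page that decodes cleanly, with its decoded bytes and type."""
    blobs = []
    for match in BLOB_RE.finditer(html):
        raw = match.group(0)
        if len(raw) % 4:
            continue  # not a whole number of 4-character quanta, so not a complete blob
        try:
            data = base64.b64decode(raw, validate=True)
        except (binascii.Error, ValueError):
            continue
        blobs.append({"offset": match.start(), "kind": sniff(data), "length": len(data), "data": data})
    return blobs


def save_blobs(html: str, directory: str) -> list:
    """Write each blob to <directory>/blob_<offset>.<kind> and return the paths written."""
    paths = []
    for blob in extract_blobs(html):
        path = os.path.join(directory, f"blob_{blob['offset']}.{blob['kind']}")
        with open(path, "wb") as fh:
            fh.write(blob["data"])
        paths.append(path)
    return paths


# Constructed sample page: a data-URI image plus a Base64 blob left behind in an HTML comment.
PNG_SIG = b"\x89PNG\r\n\x1a\n"
SAMPLE_HTML = (
    "<html><body>\n"
    '<img src="data:image/png;base64,'
    + base64.b64encode(PNG_SIG + b"\x00" * 16).decode()
    + '">\n'
    "<!-- leftover from dev: "
    + base64.b64encode(b"this text blob is a constructed sample").decode()
    + " -->\n</body></html>\n"
)

if __name__ == "__main__":
    for blob in extract_blobs(SAMPLE_HTML):
        print(f"offset={blob['offset']} kind={blob['kind']} bytes={blob['length']}")
```

Run it against a saved copy of a page with `extract_blobs(open("page.html").read())`; the `kind` field tells you whether a blob is worth opening as an image or reading as text, and `save_blobs` writes each one out with a matching extension.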
Well, we know the author of the webpage is ‘eezeepz’, so let's try that as the password.
They disallow ‘.php’ uploads, so we try the old trick of just adding ‘.jpg’ to the file and uploading it.
Access… Looking through all the docs in /www, there is only one of note… which says:
Then eezeepz’s /home directory has another ‘notes.txt’ in it:
So Jerry placed chmod in admin’s home directory. If we are able to run chmod out of there, we should be able to change the permissions and gain access… right?
Yep. But now I am still trying to figure out fristigod’s password in order to find the flag. I have a few clues… one of the files has a string that is a Base64 string in reverse. I know how to reverse a string in Python (hooray for PyWars!). Then after a painful lesson in figuring out that the string was also Rot13, I got a string: ‘LetThereBeFristi!’
Logging in with those creds works, and lo and behold, there sat a hidden directory, ‘.secret_admin_stuff’, which contains an executable, so let's try to run it.
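The decoding described above, as an added Python example that is not from the post: the clue is treated as a stack of three reversible layers (reverse, ROT13, Base64), and rather than guessing the order by hand, `crack_clue` tries every ordering and keeps only the ones that Base64-decode to clean printable text. The order `reverse -> rot13 -> base64` is my assumption about what the post means by "a Base64 string in reverse" that "was also Rot13". `SAMPLE_CLUE` is constructed here by running the recovered password back through `encode_clue`; it is not copied from the VM's file.

```python
import base64
import binascii
import codecs
import itertools
import string

PRINTABLE = set(string.printable) - {"\x0b", "\x0c"}


# The three reversible layers the post mentions; each takes and returns a str.
def reverse(s: str) -> str:
    return s[::-1]


def rot13(s: str) -> str:
    # Letters only; digits, '=' and punctuation pass through unchanged.
    return codecs.decode(s, "rot_13")


def b64_decode(s: str) -> str:
    return base64.b64decode(s, validate=True).decode("utf-8")


LAYERS = {"reverse": reverse, "rot13": rot13, "base64": b64_decode}


def decode_clue(clue: str, steps) -> str:
    """Apply the named layers in order, e.g. ("reverse", "rot13", "base64")."""
    for name in steps:
        clue = LAYERS[name](clue)
    return clue


def encode_clue(plaintext: str) -> str:
    """Inverse of decode_clue(..., ("reverse", "rot13", "base64")); used to build the sample."""
    return reverse(rot13(base64.b64encode(plaintext.encode()).decode()))


def crack_clue(clue: str) -> list:
    """Try every ordering of the layers (each used at most once) and keep the ones that
    actually Base64-decode to printable text. Returns (steps, plaintext) pairs."""
    hits = []
    for depth in range(1, len(LAYERS) + 1):
        for steps in itertools.permutations(LAYERS, depth):
            if "base64" not in steps:
                continue  # without a real decode step the output is just a rearranged clue
            try:
                out = decode_clue(clue, steps)
            except (binascii.Error, ValueError, UnicodeDecodeError):
                continue  # bad padding, non-alphabet characters, or non-UTF-8 bytes
            if out and all(c in PRINTABLE for c in out):
                hits.append((steps, out))
    return hits


# Constructed sample: encode_clue("LetThereBeFristi!"), i.e. the password from the post
# pushed back through Base64 -> ROT13 -> reverse.
SAMPLE_CLUE = "=RFn0AKnlMHMPIzpyuTI0ITG"

if __name__ == "__main__":
    for steps, plaintext in crack_clue(SAMPLE_CLUE):
        print(" -> ".join(steps), "=>", plaintext)
```

Because reversing and ROT13 commute, the search reports two orderings that both land on the same plaintext; any ordering that tries to Base64-decode before the reverse fails on the leading `=`, which is the hint that padding ended up at the front.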
Now looking at the file a bit closer, I can see that the file is owned by root and that the SUID bit was set.
So I should be able to get a root shell by running:
sudo -u fristi ./doCom /bin/bash
So there it is, my first walkthrough. I will be knocking another one out this weekend, if everything works out the way it should, but this was a blast!