Well, it's been a while since I last wrote a blog post. After a gap of almost 6 months, today I played with the #Fristileaks box (well, I was trying this for a while but couldn't finish it due to work) from VulnHub, and it was worth tweaking. You can download #Fristileaks from here.
As usual, I scanned my network for the target's IP and found that "10.0.2.22" is my target. I then scanned it with Nmap to find all the open ports and running services.
It's always better to run #nikto if HTTP/HTTPS is running on the target.
I found that there are 3 files with the names cola, sisi and beer, but I could not get anything out of them. During enumeration, I thought: the name of the machine is #Fristileaks, so why not use this name to find any files? And damn, it works.
After looking into the source code, I found the user name is eezeepz, and for the password, I changed the base64 encoding into an image and got the hit.
I used this username and password to log in to the machine and was welcomed by this:
Let's upload a shell to get reverse access; I used this. I changed the reverse handler IP and port. After uploading the .php file, I got an error that only image formats can be uploaded. Just adding .png after my .php shell gave me a reverse shell.
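The upload form above accepted a .php file once .png was appended to its name. As an added example (not from the original post or from the Fristileaks application), here is a stricter server-side upload check in Python; the function name `validate_upload`, the extension lists and the sample bytes are assumptions made for this sketch.

```python
import os
import secrets

# Assumed policy: accepted image types, each mapped to the leading
# bytes ("magic") that a real file of that type starts with.
IMAGE_MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Assumed list of extensions a web server may hand to an interpreter.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar",
               "cgi", "pl", "py", "sh"}

# Constructed sample content: a PNG signature followed by filler bytes.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def validate_upload(filename, data):
    """Return (ok, reason, stored_name) for an uploaded file."""
    # Drop any client-supplied directory part (both separator styles).
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing name or extension", None
    ext = parts[-1]
    if ext not in IMAGE_MAGIC:
        return False, "extension not in image allowlist", None
    # Inspect every dot-separated segment, not only the last one,
    # so "name.php.png" is refused.
    if any(p in SCRIPT_EXTS for p in parts[1:-1]):
        return False, "script extension inside file name", None
    # The content must start with the signature of the claimed type.
    if not data.startswith(IMAGE_MAGIC[ext]):
        return False, "content does not match extension", None
    # Never keep the client-supplied name on disk.
    return True, "ok", secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    for name in ("avatar.png", "avatar.php.png", "avatar.php"):
        print(name, validate_upload(name, SAMPLE_PNG)[:2])
```

Storing uploads outside the web root, or in a directory where the server never invokes an interpreter, covers the cases a filename check misses.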
After enumerating, in user eezeepz's directory, opening notes.txt gave this:
Let's inspect the /home/admin folder, but before that let's follow the instructions given in notes.txt:
echo "/home/admin/chmod -R 777 /home/admin" > /tmp/runthis
Here, I found 2 ciphered passwords along with the code used to encode them. I edited this code so that it can decrypt our encoded text.
Time for Privilege Escalation
First, bypass this limited shell and try to log in using fristigod.
OK, so as the fristi user, I was allowed to run ALL under the location /var/fristigod/.secret_admin_stuff/doCom.
Adding /bin/sh under the fristi user works like a charm and I got "THE ROOT".