This box is widely touted as being a good “OSCP prep” box, at the easier end of the difficulty spectrum. This blog post will detail how to achieve full compromise on the VM.
Note to the reader – I had a horrible time getting this to play nice with VirtualBox’s DHCP server. In the end the magic trick seemed to be to kill the vboxmanager process, spin this VM up first and then start Kali. YMMV!
Let’s go and pwn it!
nmap reported a fairly minimal attack surface here: one HTTP server with a few disallowed pages in robots.txt.
root@kali:~# nmap -sV -T5 -p- --script "vuln or default" 192.168.56.101
Nmap scan report for 192.168.56.101
Host is up (0.000098s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
| /robots.txt: Robots file
| /icons/: Potentially interesting folder w/ directory listing
|_ /images/: Potentially interesting folder w/ directory listing
| http-robots.txt: 3 disallowed entries
|_/cola /sisi /beer
|_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
Apart from the Slowloris denial-of-service finding, nmap reported nothing vulnerable on the server itself. Let’s kick off dirb and nikto before going to look in the web browser.
Dirb and Nikto
Dirb and Nikto reported nothing of interest which we didn’t already know – namely the cola, sisi and beer directories which are forbidden by the robots.txt.
Navigating to the webapp yields a wonderful, lurid pink splash screen. Nothing else of interest particularly pops out; the only interesting thing in the page source is:
Welcome to #Fristleaks, a quick hackme VM by @Ar0xA
Goal: get UID 0 (root) and read the special flag file.
Timeframe: should be doable in 4 hours.
Hrm. Navigating to any of the three directories forbidden by the robots.txt yields the following image –
Hrm again. Thinking laterally, “cola”, “sisi” and “beer” are all drinks, so let’s try “192.168.56.101/fristi” instead.
Navigating to /fristi gives us an admin panel, so let’s try the usual tricks here (default credentials, weak credentials, information hidden in the source, SQL injection).
The usual credentials didn’t work (admin:admin, admin:password, etc.) and sqlmap didn’t yield anything interesting, which just leaves checking the source.
Checking the source pointed out two pieces of information:
- One username of ‘eevee’ (making a comment about the dire state of the HTML)
- There’s a large lump of base64-encoded image data.
Decoding the base64 data and viewing it in place of the existing image replaces the Nelson image with a picture of what looks like a password. So let’s try our new pieces of information as a login to the form: eezeepz:keKkeKKeKKeKkEkkEk
File upload vulnerability
Now that we’ve successfully logged in, we’re presented with a file upload form. Like good pentesters we immediately try to leverage that to upload a PHP shell to the target box.
I chose to use the Metasploit meterpreter reverse TCP shell; I’ll leave it as an exercise to the reader how to get that set up (msfvenom and msfconsole).
The upload form has some restrictions on which file types can be uploaded, namely that they must be .png, .gif or .jpg. This is easily bypassed by uploading a file named “whateverYouLike.php.jpg” (a double extension that still ends in an allowed type).
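A check of this kind trusts the name the client sends. Below, as an added example that is not part of the original post or of the box itself, is a naive extension-only filter next to a hardened version in Python; the function names, the allow-list, the magic-byte table and the sample inputs are my own assumptions.

```python
import os
import re
import secrets

# Allow-listed extensions mapped to the leading bytes of each format.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "jpg": b"\xff\xd8\xff",
}


def naive_check(filename: str) -> bool:
    """Extension-only filter of the kind the post bypasses: it trusts the
    last extension, so 'whateverYouLike.php.jpg' is accepted."""
    return filename.rsplit(".", 1)[-1].lower() in MAGIC


def hardened_check(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, stored_name_or_rejection_reason).

    Accept only <stem>.<ext> with a single dot, an allow-listed ext and
    content whose leading bytes match that format; store under a
    server-generated name so user-supplied text never reaches disk.
    """
    base = os.path.basename(filename)        # drop any directory part
    parts = base.split(".")
    if len(parts) != 2:                      # 'x.php.jpg' has two dots
        return False, "exactly one extension required"
    stem, ext = parts[0], parts[1].lower()
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem):
        return False, "bad characters in filename"
    if ext not in MAGIC:
        return False, "extension not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    # Magic bytes alone do not rule out polyglots; the server-chosen name
    # and an upload directory with no script handler do the rest.
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed samples: PHP text behind a .jpg suffix, and a JPEG header.
    php_text = b"<?php echo 'not an image'; ?>"
    jpeg_head = b"\xff\xd8\xff\xe0\x00\x10JFIF"
    print(naive_check("whateverYouLike.php.jpg"))             # True
    print(hardened_check("whateverYouLike.php.jpg", php_text))
    print(hardened_check("cat.jpg", php_text))
    print(hardened_check("cat.jpg", jpeg_head))
```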
A few short seconds later we have a restricted meterpreter shell.
Privilege escalation and completion
This step took me a little while: I ran unix-privesc-check and found nothing interesting, and no interesting files or binaries which the apache user could run either. In the end I went for the ubiquitous Dirty COW exploit.
After downloading the exploit from Exploit-DB and compiling it on the victim box with “gcc sploit.c -o sploit -pthread -lcrypt”, the exploit starts running –
Really, really enjoyable box – not overly complicated, and I completed it within the suggested 4-hour time limit! Many thanks to the Fristileaks team 🙂