Wednesday, June 13, 2018

Fristileaks 1.3

- Layout for this exercise:


- The goal of this exercise is the study of the hacking process for the vulnerable machine Fristileaks 1.3:

Fristileaks 1.3 can be downloaded from here:,133/

- Once downloaded and extracted with VirtualBox:


- Using netdiscover to confirm the presence of the host that corresponds to the vulnerable machine Fristileaks 1.3:

- Scanning with Nmap:

- Connecting with the browser to the only open port 80:

- Launching nikto against the host, we find three folders listed in robots.txt:

- Looking at robots.txt:

- Whether connecting to /cola, /sisi or /beer, the result is the same:

- Following the advice: "KEEP CALM AND DRINK FRISTI" ... let's try fristi:


- Viewing the source of the web page, it seems that there is a user called eezeepz:

- After the image reference there is text encoded in Base64 format:

- Decoding the text:

- The output is an image that could be a password:

- Using that series of letters as password for the user eezeepz:

- The login is successful, and we are invited to upload a file:


- Let's try a webshell, for instance the one provided by Kali:

- Copying it into a working directory to keep the original version untouched:

- The webshell must be modified to suit our needs:

- Now, it's time to upload the PHP file:

- However, the upload fails because an image format (png, jpg, gif) is required:

- To bypass this problem, let's rename the PHP webshell by just adding a png extension:

- The new file is uploaded successfully:

- Now, starting a netcat listening session:

- Running the PHP reverse shell by including it through the URL:

- The PHP reverse shell script is successful, achieving a limited shell:


- Browsing the /home directory, we detect 3 users:

- Access is denied to both the /admin and /fristigod home folders:

- However, there is access to /eezeepz:

- Listing the content of the home directory /eezeepz:

- Reading notes.txt:

- Giving access permissions to the folder /home/admin:

- Waiting for a minute, and accessing /tmp/runthis:

- Now, access to /home/admin is granted:

- There are 2 text files whose contents appear to be encrypted text:

- There is also a self-explanatory Python script about how to decrypt the texts:

- Reversing the encryption process with this Python script, we find 2 plaintext outputs:

a) decoding with rot13
b) reversing the order
c) decoding with base64
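
The three steps above as runnable Python. This is an added example, not the script found on the VM: the forward order (base64, reverse, rot13) is an assumption inferred from the decoding steps, the function names are hypothetical, and the sample value is constructed.

```python
import base64
import codecs
from typing import Optional


def encode_secret(plaintext: str) -> str:
    """Assumed forward transform (inverse of steps a-c): base64, reverse, rot13."""
    b64 = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
    return codecs.encode(b64[::-1], "rot13")


def decode_secret(ciphertext: str) -> str:
    """Undo the transform in the order listed: rot13, reverse, base64."""
    unrotated = codecs.decode(ciphertext.strip(), "rot13")  # a) rot13 is its own inverse
    restored = unrotated[::-1]  # b) any '=' padding moves back to the end
    return base64.b64decode(restored, validate=True).decode("utf-8")  # c)


def try_decode(candidate: str) -> Optional[str]:
    """Return the plaintext, or None if the string is not in this format."""
    try:
        return decode_secret(candidate)
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
        return None


if __name__ == "__main__":
    sample = "constructed-Passw0rd!"  # constructed value, not taken from the VM
    stored = encode_secret(sample)
    print(stored, "->", decode_secret(stored))
    print(try_decode("not in this format!!"))
```

No key is involved at any step, so read access to the stored text is equivalent to read access to the password itself.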

- Now, trying to use su with fristigod, we find that a new terminal is needed:

- Importing a new bash:

- su is successful for fristigod:

- Listing sudo privileges for fristigod:

- Going to /var/fristigod, it seems that the user fristi is able to run some interesting commands for administration purposes:

- Reading .bash_history gives us interesting information about how to use doCom:

- Opening .secret_admin_stuff, we find doCom:

- Running ./doCom, we see that we need to provide a command:

- Trying /bin/bash, we eventually achieve a root shell:


- Going to the /root folder: