- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIJ6K8ErsKxKNe73m1e-EV4XxQqF6qtERaj-9k2FgbY-BhIQjfH9ZdeShU4Rcrbs73ZI21sA-QfvUduZAun-AXyat1W43x-rpdk2FuGQJ8C6S4ZW3PBB8Ve95Ah__l1577FD3ejDBa-P-G/s640/screenshot.72.jpg)
1 - INTRODUCTION
- The goal of this exercise is the study of the hacking process for the vulnerable machine Fristileaks 1.3:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVwBzpWtXolhupdg3rUeRjqyE_QhjDN06XvfkkazA2B3rJa69L6vtkr0sl0ueAsdcWQxljLm4tfwaxNUWE7OznH2AE9eYhRpCglgriZy_0VJaQ2lwmALPbFiCJbLStIyfVA6iA_TwJXA2v/s640/screenshot.2.jpg)
- Fristileaks 1.3 can be downloaded from here:
https://www.vulnhub.com/entry/fristileaks-13,133/
- Once downloaded and imported into VirtualBox:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiorNHmGKhYjVHVJmGDLXRZRNr1V9-bF6RMtqEEYo3iPJPob_iTo760pZFMMvAEVGUpipn3mVEBPaXc6iHDUVGBITy0K2fbYdlkl1jWZAmUhWX98nnLPfE4aIgeBmq1fj0OHrVOPJu2H95d/s1600/screenshot.1.jpg)
2 - ENUMERATION
- Using netdiscover to confirm the presence of host 192.168.1.9, which corresponds to the vulnerable machine Fristileaks 1.3:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhK71EIPSkbxjbVw316LAXtMjUwS3LvvjUojBzZewzHWPFjbwCn8PELiEOdmXTQqZG0eF20-6CpiLqgzTnWUonJgWsqzIPjsI_AY-901OciPDZoJmNddTzwzOImSrhXZcVtjxO5cUNgpOj0/s1600/screenshot.4.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjnjbjcIly8I0Y32BxSUAeTJd5P3a-LsTWtATJbAuB0fw1Roabi_nGsPf1eIcrFYQap_YkVk_-aMlwZvuUB16G8TENEG2izoMYLfUTB02MABdaV37VDW6y927y1cS6aVocTI0hR998GV6D/s1600/screenshot.3.jpg)
- Scanning with Nmap:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWh3KV2jQiqh88-7XsdwRvUlqoyFmn0qME170kQwj7pNenDde0qwqRgkxvLCcFdythkjxcOwvhGCdVS8YPGI9acQFXGVc2WzO5eIX2gQeFvpwrod5QIT9E-xiPeeMSYw8ylTRnoZxNEK24/s1600/screenshot.7.jpg)
- Connecting with the browser to the only open port, 80:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9r-0ra5_T8jxq9GH1bp7seJONrEV567ZZ7NTcau-XfmLHku1NkeubVF4B1Kza7fX1CprRKtgWFuXc4f3h2jvVI4NUL7Y5To-UmmWADNGpodqRxYcSeRyG09ljmzJniW6UPSR4d19pRc6l/s640/screenshot.8.jpg)
- Running nikto against the host, we find three folders listed in robots.txt:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhN36daDkbhymoCp80zXz_P9FGkNH1x3BuG9SuU90tQ0mDhsD77P69Dkx5fzKlibKG_jKoImE4QJfHjfRR735WH1MJQMfvSpro4zLMpHdyLLxBrUNAfsgV5y4eiarkAtuyxp8JoqVbo92xC/s1600/screenshot.5.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh76POiE8CPkVXV21rMU7-JlqV85WZ4qQP4biSvFLK7Ki5mzGNSgpml2vMVGgcd954mWmnShPPJ2AenOZegTNZqCwVc_n0tz3rpuIlUXtgBKmwWWwmCTRaduiaoBSdr9uG6KRMtDON0cKy1/s1600/screenshot.6.jpg)
- Looking at robots.txt:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjU6DTqzhfkbq8jUPI6TsN4E-Ni1UScm7aYb6-3Uo6QzBJLhL_QgONKbUvikmEra7ZF1ie2KpXGjZge4601lA9E-n7p3NJ0BM_LV64oGaDZ5hkoHwZB0sd91CMM-YaqFEJjHthnXaN5LQKl/s400/screenshot.9.jpg)
- Whether connecting to /cola, /sisi or /beer, the result is the same:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdfMFM-HppNfX20W5dVYGbLJPL2DQwlImFoFTcRmRBfhXUYfGltyQ4eh_L27HrdqNpug6d7uUragAYp2GdJlvvmeO6rD58s2Gtn9_0YX5StnQz0cF2VobvuQ9OCq0ZJnHnCDMXP3MMpSCF/s1600/screenshot.10.jpg)
- Following the advice "KEEP CALM AND DRINK FRISTI", let's try /fristi:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGm26w6bFMi4qEq6D_lOBb0ANlbWkiCb3z1onbCSeyTMLQUsZYRYxqKvhyphenhyphenJ260Ze8fWezeE-ZfOv1pR24JaGHM3Q3Lt4dpiQSPwqBUsTg87o-Y5-8Tx7KwmqAYAED2eMB-jM-NfoLNmVEo/s1600/screenshot.13.jpg)
3 - EXPLOITATION
- Viewing the source of the web page, it seems that there is a user called eezeepz:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmS29TIKjFXeDQLtK5ZU_1XVxklI0ixHdq9Zng9iLbV6mLpsawtZorUvK0LMLAu7THnWj7eIAITAcEZu7wrx-EV65wK7I3rdnCx_hIMjxh0AfK8aDt0uEDt-qqBBLIgGzKiNOG3kpgXeD-/s1600/screenshot.14.jpg)
- After the image reference there is a Base64-encoded text:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDdO9A-j0Fh2PfocvuwtAU6HvK5W26_M2b-ZwYx7Pf0ZX0W0J9sMy1y1BWSBF0_f6R3d1r2oAGGJTfCNSlYk6-6a_HhZ2S6P0_JMo7G0_RufIxh0lHzV4Kd7OpfS19oGfeRxLl6Z5L13yW/s1600/screenshot.15.jpg)
- Decoding the text:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiK9hQhvvi1R9o_FUSXUUQfyW3Bvt6P4Ofo6PRvh9HJI_c28b7j4-xuAN72MtnVNzvEW5ZNb78bOpEqwNgBaXmncRI-7JvbMs390GzEz1AFFzun2s3g9rnpo-NVcUOD8Y6s97gxTTVVPuf-/s1600/screenshot.16.jpg)
- The decoded output is an image showing a string that could be a password:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhoKTIVbvkYb1ZF5wWnlBRv4yo78eN4m8pXPfOlJgt1_7-de_Idkf21tdKthqWAVWCFAJ6aC9NXUlQ6tAMflNc-2nXdg-TDrBJx_V8V5tRbZ1l_dyXIqCl0eo2IDpZrQnpGmjigPplsUj_/s1600/screenshot.17.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkiikwLvc1Qyo1u7R48p1l_s5OUtmt5xEAGQV9Q6ryzz-c3hhB4sClwIm6oU_waFVmu5GRuKwpAG98ZrIWih0aSMUzTdwBRTDn2j_E12D44Pk9Q4SvaE7gbVoRSWpL5isOq6e9OUhToisL/s1600/screenshot.18.jpg)
- Using that string as the password for the user eezeepz:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMnZRSvyPXNPh8Imp_qsTnJwdBOgEBY-Btj4WdvXi2XkdeZOZWIcXXU1Kd-ZpEW95kguC2R99NJo2d7eLOEDbNAroesQMXYBGy3nYOlowlz4wgTXceYV7d0UeR2-_RGcgbV8vYhwGQb1NR/s1600/screenshot.21.jpg)
- The login is successful, and we are invited to upload a file:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgo6fvFyWbv83xTAIkgYbKvTxapObmcRP7mmgoKKF70Esg9gFBCaiUwbVCzfKNTm_tInDoDtgvUbvLT_HsAVe-5ju6IzqoQDQwXoIM5VrGX8ZfhvaY2x04leVC6BA6m7a4uCoGqm2_NryCx/s1600/screenshot.22.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHne6fgE6TgeZ-CEmmYWF2_mcQ8E2_X2kw3qGQJ5dYSunU5VWFJsXkT3tI-8ft_xYlORWWTogGtIyqLfnioQ6xEQUk62EgCPQIcZjs3LpFxJcsHyyv1gs0rx8DAXvbMrrRInmf7CkKiqdG/s1600/screenshot.23.jpg)
- Let's try a webshell, for instance the one provided by Kali:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-ktJSwMl7ckbNBdXGLiSAwow8F9rX26Ki3IqLanlV1K03x02IRVXbDVgZ9EqM4mRJbMBl45o5bP2GcPiu5cKNoYA6pjexyBaCINAge0zbzMz5yY5eDTKcBlJxaD9PJuu6MGSQ409uNJrb/s1600/screenshot.24.jpg)
- Copying it into a working directory to keep the original version untouched:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtePEwL015qKFBMDnJKJS8CzrcsN0xKMWMXokQ0uRms530A10nqGMdPBlKKpQLc0nJDdyBRGhIZohoTEvAWSeAQY8pGd-eAV69QiVjWgScbOnHpaWgv89vv82PjFvn5oObfCUQ5gpS7Mru/s1600/screenshot.27.jpg)
- The webshell must be modified to fit our needs:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsX3q6LBtBsa5pNory5oU6kOFmpMVzN_V_XsEm34qVzbu-aETquHssZsnjf2ZFrPKEg27SQwVGGDT0S_349XG6pMp1_ylYSmfezTEuwNALmzd1FXG_ujKOfrtAo6_0q6C0ZlCWLc8b-f4E/s1600/screenshot.28.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicFOW5HC4-QvYQ3hkHvEbKPpgR55EOGU2EWiK-wbMNyr1ZRyYHxicJRGjk8xZy_aWsxSGknOStYLY84YafX_wq7-9ng2B7oep4g-vVJncbXwyUhhA34h6UkMH90r1bpMCPn_uDer9pVxbg/s1600/screenshot.25.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5BHMBKyySWdvbcJ3vJezVEMbNVXaAxO85xIqaFikoP80ROq6eDEBKbdHiqcpuD9jRHiv4oZ61ov9WcaqNzBI9C3l-R6WlvvWetd0YvtpvVku67NcQzEMaVigEUHZlCSjn7jzoGcDLFnwi/s1600/screenshot.29.jpg)
- Now, it's time to upload the PHP file:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCh1q-PrGWlMYGA5nFjKpHfaspDkNBfIj-taK9R-EyVW39pQ2dVb8TX376qtHdNpfwNF2OnylmAKRkJlnZ3BrgM0ZOP4YjsGzB68i7bqJq_jNFvhYS3e9wncs1NgQJljBrVo31roFaHDx-/s1600/screenshot.30.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOOXPyFWOGPC6CIQVYnbwg27giCfw6DGMeo7HGkDkxonluyUisnVwQ6aubDTc80JaSP2-tO0PUoh4Ygwy0LApy8MXuKBd404mdYBZAHj1yNNAVJHd3q7h6KjBi1bAJqFCwDIaTq5jJsOjk/s1600/screenshot.31.jpg)
- However, the upload fails because an image format (png, jpg, gif) is required:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlASkE6vWgNhSUwUUF_FV-_G0xy-u2E90p6ai2Lg8sgn1U_seJ5B6qUfQff4h5vC8FsINIPCTWJn0w6LD20Gl5lXsfUvherYnFUdEY_XCNhEpmBDtsKpZMkwCuppfAIo2uZWoaL1V1PIy8/s1600/screenshot.32.jpg)
- To bypass this check, let's rename the PHP webshell by simply appending a .png extension:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8q4dNwmAyWvol4m0AibvQAYKQJBoHZowNaw7zyB_Vmzh610IyYG9_FkBzMGfdChXAleqmNWI0jA_G5klPjV0RGWoyzTZwSmAi9kfcRvbhD_mM4Ut5t9mTt7ruEpyQRG9xLA-FkfuoI5tR/s1600/screenshot.33.jpg)
- The new file is uploaded successfully:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmsEW4gDUgi_SECOHC2T6Zhv2vA3JBmK_-UIDfOkQ0ZGg5jhfdPoKbEslBzU5ugFJKABALOWxOx1WgJIBSUOJmyq7PtfLXJl0xxwy463pue0Xmc2IK0aLwQ-scT9npfdH60iWWpX4yKc_S/s1600/screenshot.34.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjd8QvgU-Yb4ay_-B7etMkkuWQJICXT-jasnmSMyMFzjcll-FlErtmDe3OoEawq63Q4xMVE7aPXISTzr62O_BgAU5Y8H0EeuaeV0TdqhgSRTqfuEYN1cR5Z8Ji4UroYD6JHgIVXHlWJ9HhY/s1600/screenshot.73.jpg)
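As an added defensive illustration (not code from the walkthrough or from the VM), here is a name-only upload check of the kind the double extension above slips past, next to a hardened check that requires a single allow-listed extension, matching magic bytes and a server-chosen storage name; the exact logic of the machine's own PHP check is only visible in the screenshots, so the weak version is an assumption.

```python
import os
import secrets
from typing import Tuple

ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# Leading bytes (magic numbers) of the accepted image formats.
MAGIC_BYTES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def weak_is_allowed(filename: str) -> bool:
    """Assumed weak check: accept when any extension in the name is an image one.
    A name such as shell.php.png passes, which is what the walkthrough relies on."""
    parts = filename.lower().split(".")
    return any(part in ALLOWED_EXTENSIONS for part in parts[1:])


def strict_is_allowed(filename: str, data: bytes) -> Tuple[bool, str]:
    """Hardened check: exactly one extension, on the allow-list, and content that
    starts like that image type. Returns (accepted, reason)."""
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "exactly one extension is required"
    ext = parts[1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} is not allowed"
    if not any(data.startswith(magic) for magic in MAGIC_BYTES[ext]):
        return False, f"content does not start like a {ext} image"
    return True, "ok"


def storage_name(ext: str) -> str:
    """Never keep the client-supplied name: store under a random name with the
    validated extension, in a directory where the web server runs no scripts."""
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample inputs.
    print(weak_is_allowed("shell.php.png"))                          # True: bypassed
    print(strict_is_allowed("shell.php.png", b"<?php echo 1; ?>"))   # rejected
    print(strict_is_allowed("cat.png", MAGIC_BYTES["png"][0]))       # accepted
```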
- Now, starting a netcat listener:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_ujXLfMykfx3qGJtflZ9Lpy6GVCGf-qUE_nZmwanQushtPcPcIBLY8cenXYogrmPQQl_UF37yPG9dkCUOXlKp3RCkBMR8RodrI62_jj5qMBmFykPZ5-nFKnr5-fO6Rc-onv3rPvKd-8_A/s400/screenshot.39.jpg)
- Running the PHP reverse shell by requesting it through the URL:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRh_pk53vvLg-lsH6oS1aicFZJtTRK31lL8GrOj5TkESwE7KbNwX6vbkAHJ-vKnvtjmQJ9T6wh6LWrrqjio5u4YQHyDr9CEUye_GXl6Wz8ghHvVSHdojMKIeJ6QTzZn76o3mTtOyJGuXFG/s1600/screenshot.40.jpg)
- The PHP reverse shell script is successful, achieving a limited shell:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhw53WrS0y-WjLx1nSX0_fUnz6zFBF4UGPwSGjpis9tVXnprREPVnLHZotKT0yVTRrglgjdELQ1TfGCoghyl5MYyBBuUIbw2-JapoBkL_i_JzIgzhUGMeMegXTSKkK_yooMiWFLypc4-Gnr/s1600/screenshot.41.jpg)
4 - PRIVILEGE ESCALATION
- Browsing the /home directory, we detect 3 users:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-RdYKNmmd4UI_ipB2qvBg7_Gln9M2eF9pJ6JsYOZJ9FaYjPl7ClWAeOlnVuaB6oMxQvUuXBjiayjV7Wah5AgdLZw5pIERY6LzLa6LDcHOvSkVa9Jc52GOf0IDpy-xEYGjM7a2U-J_xESp/s400/screenshot.42.jpg)
- Access is denied to both the /admin and /fristigod home folders:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBJcgwX7lHVYo_PVuqtY8Go3GYb5pVCNWNrxamSOI4YKFw65h_5OMMza9OFUTqkjyP56adawLrYaZzIo4lkqDVK3Zm2e5IY5mnMnmeXj0pVTxpJqucw6DsyrsrCkDbJss0MDuBGGypNbxQ/s1600/screenshot.43.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgM0AWOMGIgF9ATIYbgveS6tK8VNTSmeVxg5lYPFzbHHt-lFZkMNR3etYN_yzQBkTZrTCSdt85mE95WgSNcRjmt3JnZ-PD8oPoN6e3y9iCzYRvAuTKD4KO96LHW0qTTaxsTorOYl-2SXZan/s1600/screenshot.44.jpg)
- However, /eezeepz is accessible:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFbvh_Cf7FzR9JdxdaK07oe8NQ6UFYMDdPpM3hyUTUiNIOp9nBL3Mwpmhn6sySw63AlfTqtoxpOK9e_fdlySzAUE08qpS8mxZ7_VIsGeSzRLaW1MgxDGxRJjY5wv37tzCCkhcjsR6lmBJS/s400/screenshot.45.jpg)
- Listing the content of the home directory /eezeepz:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwzGsu1n4rPDSP0uJDk4ehJZuQ9WTGWA3A7OV37OuCiAnoWAgxREcjE3BY8N2B1ujKzJ0wjpOevGNltH0L6lEVL_FPAHGSzLKjyIkmrmqwld98mpceRIlvTI3PfxYse6rCWsDzAXsvezVS/s1600/screenshot.46.jpg)
- Reading notes.txt:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUcJUuXE5Txy6flaEnwbSP1HU_czTw6kZ4AO94WUTmDuWA7sBzt3celub4kRu5GABTFbF4LdKILZ8INPxM7mRLQ3ugJnqXz-LcgVhpttI0I8fJ8k2BXvFRWIhC7IwW4Sd5M1jEQPHTKVM4/s1600/screenshot.47.jpg)
- Granting access permissions to the folder /home/admin:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRjJ7faQSg4ToMjnqATv3jx_QJ6czfdBnmxx-BsF6OBPozh0CHKhNTzE0FR1CAsuY_fUlH2EgCNV56CW_WCv_diyPD_jGbOnFPl8Hw7kxpwntFsB8P6TfA_QX5u1pl3QDWHgzT7vvkKAZX/s1600/screenshot.49.jpg)
- Waiting a minute, and checking /tmp/runthis:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7ffQrb4HWE2mMoqamlRYZqLEYMJFBQNMzIIZPDmuM-aWpeG8eS028tHcUmOzgHScxBJTdCzo5eSFWJawwIhDPNsgljpzYSqw1ru51yC51-6kQZ7GAZjL8ouKpY3Ka23CRzapkg8QePcmM/s320/screenshot.50.jpg)
- Now, access to /home/admin is granted:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-IZjYx3ims64Y6v3YkDwKmSVxjdF1XS1RFWbcN5vB0lkQVixvORUH5eUzZ44T1Lb4wyua7mbijjixxSWwZq-IWuXg7r9SbWflRlFJBCPGaEIdkk9fCaATOYGeC0KsRuWl6uYAOSrgAjAZ/s400/screenshot.51.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYZNoQYdb4uc1vhwSXpfZCoeZDpEDYuQ9u10hmh4YTKzw-cE0x019J3wCWNrTMJKIdOxNSRaYDySf2ta7scFLV4wnGqihQUU6RApBWPXROCIb5djoWJezcC3h5SHX4me741m-LPGFTJyGs/s1600/screenshot.52.jpg)
- There are 2 text files whose contents seem to be encrypted:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFkQgQOlEkNCajLrKQKUXaedZw7jAUx6pgO8Pj4HujWQbGJTRvwjugXn1EvyKjXeBBHC-SN5EG_6KDNM7z5xaFkRgRpmu8OY6dd2I2pfUxqtdY3uBpy4U-oOFd0IENNxFqRN5qEKmhxEym/s400/screenshot.53.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiepZWgKPt46xWkdffIh2GAK5piIWSKPlZQJ4XjWfj3xGD7TpP6WxpuAefAUrQ9sjywMYmu3H09tMfPyWV4vx-YACxl-0twwvRnQaYWRFSjnUufe-Gu_Fvps3hNgazV7ROejsh_jVZYDDZx/s400/screenshot.54.jpg)
- There is also a self-explanatory Python script that shows how the texts can be decrypted:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEji7W_BPYkhUPtMfZZSZ-gvnMtEPCtDLGILf7c9BIL1v2UGnAMwBdX2BjqsD8_K4Nb89hfnZojO2BvPAsla-z6cuLy7hJ5iJeq0GMBO9wbfXOGFIRjTNm_eHKl7Ot_ckO4F5iETjMN4XpCP/s1600/screenshot.55.jpg)
- Reversing the encryption process with this Python script, we obtain 2 plaintext outputs:
a) decoding with rot13
b) reversing the order
c) decoding with base64
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvJRtXK2llBz5PwfY9zVwONtPExUoWy-ictUVbA6JX8JNJryv_yKOEj3psCIM34O84C-qlX0b2qIILNVoZ1qK6JiaMgYg8ha8f-Q5S-2HOqsfSALVdD-X2ess_1iTdyJ_IieFuV1eXAXLv/s1600/screenshot.56.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjh-7QGPr6avkGkCqv4AQAtRzeBfk34HCftnxOSio7ZRAJIDQhMlfCzhjMcpBWscwKU8zzqeyRyoBFWi69-cJ_E4RmAV8YeDCWgIJwLGRktadK3-l5zuSfj7Sqv-uHwBW2ZllHhApTy65DE/s1600/screenshot.57.jpg)
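The three-step scheme above (base64, reverse, rot13) re-implemented as an added example, with the decoder applying the steps in reverse order; this is not the script found on the machine, and the sample secrets are constructed here rather than taken from the files in the screenshots. Because every step is keyless, the scheme is reversible encoding rather than encryption, which is why the files can be recovered without any secret.

```python
import base64
import binascii
import codecs


def encode_string(plaintext: str) -> str:
    """Apply the scheme forwards: base64, reverse the string, then rot13.
    rot13 maps the base64 alphabet onto itself, so the result still looks like base64."""
    b64 = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
    return codecs.encode(b64[::-1], "rot13")


def decode_string(ciphertext: str):
    """Undo the scheme in reverse order: rot13, reverse, base64 decode.
    Returns None for input that is not valid output of encode_string, so a
    stray line in a file does not abort the whole run."""
    reversed_b64 = codecs.decode(ciphertext.strip(), "rot13")
    b64 = reversed_b64[::-1]
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def decode_lines(text: str):
    """Decode each non-empty line of a file's contents (one value per line)."""
    return [decode_string(line) for line in text.splitlines() if line.strip()]


# Constructed sample values; the real files only appear in the screenshots.
SAMPLE_SECRETS = ["FristiLeaks", "keep calm"]

if __name__ == "__main__":
    encoded = "\n".join(encode_string(s) for s in SAMPLE_SECRETS)
    print(encoded)
    print(decode_lines(encoded))
```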
- Now, trying su to fristigod, we find that a proper terminal is needed:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-xqTCOnIov7NB4gBQOeZJ-6PgJ6cQ3JCH3OoXZnOT1PS0UDXdS6CX4bVeYNsfGqDWmqXkespGJjrJg2nO1JXxuwoHdgFjHi5jTVDM8uaMb8VgMFtokHag8P_pwkPTbfbHdFFjZKgEB3j0/s400/screenshot.59.jpg)
- Spawning a new bash shell:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjW7Y_6FOPrYhz4AxcJRmT0AxTw187cG7Ff6bccbsMglnhhOK0bS1BeRZ1TvJ8xDwKCi2Pw7pENIhZxYstihdN5uWCnIb6_4nI0D8974LsCZt8D-D22W44H9pi7T3iGLq5NLxbU1kXi-oYS/s1600/screenshot.61.jpg)
- su is successful for fristigod:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWgao5DZPxYS9ysy6GytttrgXXpC-TgmAw-OmffujhTpntLGBSfYJd2siVwaF15CTRXrvF2k9fhZjkZgqw0yOiaUVjycNkkyfyHtX3E8p_wmiD_E4wPdRGlN0ZD3ddsa0x5f3QDShUtc9m/s1600/screenshot.62.jpg)
- Listing sudo powers for fristigod:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKKGYMI0trY29MNDubmQoFiNkV-PEpNNBk0K2JH_YlJwDDmhrPhYwX0USQOCRAwJsILGqbXdg6JjV3M1QOANpiJH_7JPg_JYwmx5LzTQyq0KC1rEixtQdvAQNJRwFZZV-vrdHrrWIZGjxD/s1600/screenshot.63.jpg)
- Going to /var/fristigod, it seems that the user fristi is able to run some interesting commands for administration purposes:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcOUh6GvxTY_BZpS89mLVQcvzuGaJuiMDOHL4bb1Z2Zo0ulH_90sMQjCKILBHkE6GzEaV4U7ZT8c4wN2H9Xh-jPkt6vuR5AiWXW6LaOXL1qNL72y1fxF0aVfWgEttaRsflV06l6gPv3cNT/s1600/screenshot.64.jpg)
- Reading .bash_history gives us interesting information about how to use doCom:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0qmb4iWXNaEDR3WgrxJStdYgZxINHbliTaEz-AW750E_hVI97iS467fZARcf62E2vVsBRwvGJgYGV-o9nrNPUYBcUpZDNnekOsO_iEJrCnAXnE_xPa0VDquxjbBwM622BIyc7PQ3QFMSL/s1600/screenshot.70.jpg)
- Opening .secret_admin_stuff, we find doCom:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp1rrWRSsI9SWpBlU5W_31XsBiEO8A5Mj4Fs5uMrIOFT1V6ruiRBcxTGNw9h5MLNDCkM8SwfI03NUFr9xEroDYSLDcuEaajp0TcW-g6EzsPpQdQJDquBIAMgZ9r7ng0YL3EBLBNabAHi4x/s1600/screenshot.65.jpg)
- Running ./doCom, we are asked to provide a command:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg29EvyYnmi6uppsjEFm-TlRxUGmcQWUj_R-RNeGQyAl5NmSCDvEQKtw74afAo0XrjKxuR_iKJA1uxnfyA_bmLsmWBOdlucYY8JjihGq7tPN-K44I5nFtXvYKQf86S_x4s52sh1faHvLDYK/s1600/screenshot.66.jpg)
- Passing /bin/bash as the command, we finally achieve a root shell:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwZQ2BEGhtWCOtkUBkDPFBRPI5X68w4zL05lK-F1WWAZqEOGY1R2-Ho51j3nxQkeKHDqwTIfBA8TSpF1jLBoWuOsiI0LwvPv8Y3Q1gBRgiu2Ipz6MBT_-XdN5RUbsCLSvUMoy5oCjTKtPK/s1600/screenshot.67.jpg)
5 - CAPTURING THE FLAG
- Going to the /root folder:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaSogu0to4IeOkXwUwHNWY2XK4BAjvQtuSd5LDH-PFYVkqFNXAhwy0t23lj0NjE2XEhjdUWMSVBTnV_abSLYnY-WSn4_KVH9zGinhIwmtFgcb9MIYlp_WKACcIhqUVyPQHz_P1blAu73Pf/s400/screenshot.68.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDe-8UWVDGLiCpwQUVYAAqXmikuWNPgrt90oBpVcwOQ5-2R9uQtcNbokytqhH4c9h70nBZQdH4otSdIDcNYgCEutEpFJ1jaCR_2wCEfl_ix9GRvnCOdGTygxEGPuoupks9rx2kL3fnjm1C/s1600/screenshot.69.jpg)