vulnhub-wp fristileaks:1.3

🖳 host discovery

sudo netdiscover -r 192.168.165.0/24
Currently scanning: Finished! | Screen View: Unique Hosts

3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.165.14 96:89:78:52:9c:12 1 60 Unknown vendor
192.168.165.196 20:1e:88:ad:fc:55 1 60 Intel Corporate
192.168.165.240 08:00:27:a5:a6:76 1 60 PCS Systemtechnik GmbH

the target is 192.168.165.240

👁 service scan

nmap scan

sudo nmap -p- -sV -sC -Pn -oN nmap --min-rate 8000 192.168.165.240
···
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
| http-robots.txt: 3 disallowed entries
|_/cola /sisi /beer
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
···

only port 80 is open

🚪🚶 get shell

in robots.txt we find three similar paths, and all of them show an image, so let’s go back to the index page. it says we need to drink fristi, and the robots.txt entries are drink names, so what if fristi is a path too?

and it was!

it is a login page, and there is a username and some base64 data.
after decoding it, it seems to be a png

is it a password?

yes, and we can log in with eezeepz:KeKKeKKeKKeKKEKKEK
then we find upload.php, so let’s upload a backdoor through it.

after some tries, the upload goes through once we change the Content-Type and the filename.
try to connect to it!
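The upload step above works because the handler trusts fields the client controls. As an added example (not code from the VM or from this writeup), here is a weak check of that kind beside a hardened one; `weak_check`, `hardened_store_name` and the sample uploads are hypothetical names and constructed data, and the weak check is an assumption about how such a handler behaves.

```python
import os
import secrets

# Magic bytes for the image types this handler accepts.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

def weak_check(filename, content_type, data):
    """Assumed weak handler: trusts the client's Content-Type and suffix."""
    allowed = (".png", ".jpg", ".gif")
    return content_type.startswith("image/") and filename.lower().endswith(allowed)

def hardened_store_name(filename, content_type, data):
    """Return a server-chosen storage name, or None to reject (content_type is ignored)."""
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    # Require exactly one extension: Apache's mod_mime looks at every
    # extension in a name, so multi-dot names are rejected outright.
    if len(parts) != 2 or not parts[0] or parts[1] not in SIGNATURES:
        return None
    ext = parts[1]
    # The content must begin with the signature of the claimed type.
    if not data.startswith(SIGNATURES[ext]):
        return None
    # Never keep the client's name on disk.
    return f"{secrets.token_hex(16)}.{ext}"

# Constructed sample uploads (not taken from the target VM).
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SCRIPT = b"<?php /* constructed placeholder */ ?>"
SAMPLES = [
    ("photo.png", "image/png", PNG),
    ("notes.php.png", "image/png", SCRIPT),
    ("notes.png", "image/png", SCRIPT),
]

def audit(samples=SAMPLES):
    """Return (filename, weak verdict, hardened accepted?) per sample."""
    return [(n, weak_check(n, t, d), hardened_store_name(n, t, d) is not None)
            for n, t, d in samples]

if __name__ == "__main__":
    for row in audit():
        print(row)
```

Signature checks do not stop every crafted file, so the upload directory should also be served with script execution disabled.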

we got a normal shell.
we got a hint in eezeepz’s home

but we don’t have write permission on /home/admin, and there is no bash or sh in /usr/bin/, so I chmod 777 /home/admin, copy a bash into it, and bound shell.

and copy a bash to it.

🛡️ PE

now we have admin’s shell and find an encoded file

so let’s decode it.

after trying it, it turns out to be admin’s password
there is another encoded string; after decoding and trying it, it turns out to be the password of fristigod

we su to this user and find that this user has sudo

and get a root shell

📖 recommended articles

another walkthrough
fristileaks download


https://rightevil.github.io/vulnhub-wp-fristileaks-1-3/
Author: rightevil
Published: March 17, 2024