Vulnhub FRISTILEAKS Walkthrough

After seting up the host on virtualbox we start to scan it with NMAP :

Nmap –A –T4 –p- 192.168.1.18 –vv

Only port 80 is open so we fire up the browser to see the webpage

Download the picture to my kali and use the exiftool tool to see if there anything useful inside of , also CAT the picture but nothing to find there … so the next step is to nikto :

As you can see I found the robot.txt file and it contains 3 locations to visit and the three locations got some pictures but nothing important about them ….

Lets visit the host name it self   /fristi

A login page with username and password … I ran dirb and burpsuite .. but what I found was in the page source as, you can find a name to use as the username and a big code which is a 64code …

The name is eezeepz … we going to use it as login username

We need to decode this big chunck of code using base64 command:

cat code_file | base64 –decode > pic.png

file pic.png

Then open the image and take a look at it and it looks like a password along with the user name eezeepz we found earlier

Using the username and password took me to a webpage with the ability to upload a file… so lets upload a script to gain a shell

I use weevely to get a shell using the following commands:

Weevely generate 123456 shell.php

Then changed the name of the file to shell.php.jpg

Upload the file and you will get a page with a message saying the file is uploaded to /uploads

`Go back to weevely and past the link to the file you uploaded :

Weevely http://192.168.1.1/fristi/uploads/shell.php.jpg 123456

You will get a shell after that

Now we need to priv escalation to gain root access

Listing the home directories found a file notes.txt , inside it some instructions on how to run some commands with root privilege

Initiating this command will give you access to the admin directory

echo “/home/admin/chmod -R 7777 /home/admin” > /tmp/runthis

cd /home/admin

ls

Cat whoisyourgodnow.txt

You we got the flag!!