vulnhub target machine learning -- fristileaks actual combat record

Posted by deaguero at 2020-04-03

Tidesec @ new information

Escort for network security

2000- to date

Sheng Ming

This article was first published by "you can't hurt me" member of the tide security team in freebuf tidesec column:

The technologies, ideas and tools involved in this article are only for learning and exchange for safety purposes, and no one is allowed to use them for illegal purposes and profit purposes, or the consequences will be borne by themselves!

1、 Foreword

Up to now, I have done several sets of targets on vulnhub, although they are not very difficult, but I still learned a lot of knowledge. This time, I will try to change a target machine with medium difficulty, and record my actual combat process to communicate and learn with you.

2、 Installation and operation instructions

* target difficulty: Intermediate

* target: raise root and obtain flag

* operating environment: Kali Linux

Target aircraft fristileaks (download address: OVA)

Both are running in VMWare

* network settings: the connection mode is NAT mode

3、 Infiltrate the actual combat process

1. Target discovery, catalog explosion

First, turn on Kali and the target, and then use nmap to find the target IP address according to the old routine

Here, the target's address is First, use a browser to access a wave

There is a link in the middle. Click to have a look

Links to twitter... OK, let's do the target machine actual combat instead of turning over the (harmonious) wall course, let's ignore it first. Click the source code of the opening page again

There is nothing found in the source code. The author said that it should be finished in 4 hours. Try to meet the requirements, ha ha

Since the IP access fails, the directory will be exploded

I don't know why, dirbuster always reports an error after scanning for some time. If you understand, please give me some advice

Next, according to the existing blasting results of dirbuster, first open images to see

Open two pictures respectively

It's both pictures, which seem useless. Next, use nmap to scan the IP address, and see how many ports are open

Input nmap-sv-p- in the Kali command line to scan the port of the target. It turns out that the target machine has only opened an 80 port, and after visiting it, it is still the above web page

Nothing. Next, scan port 80. On the Kali command line, enter nmap - A - O - p80

The scanning results show that there is also a robots.txt under the face-to-face address. Visit it and have a look

According to the page prompts, access the cola, Sisi and beer directories in turn, and the results are all the same

Ah, it's a sad story. I've been busy for a long time without any valuable information. All of a sudden, I found that there are several same pictures of keep call and drink fristI. Try to visit

I have to sigh that the author's brain hole is big.... Now we have a landing page, but according to my previous experience of making a target machine, it is generally not advisable to brutally crack the landing, first look at the source code.

Note that this eezeepz is probably the login user name. Continue to scroll down. There is Base64 code under the web page

Take it to decrypt, except for the PNG at the beginning to let me know that this may be a picture, all the others are garbled

I can't help but write a py script according to the experts' tutorial

In Kali's home directory, I got a picture like this

This should be the password. Go back to the previous page and log in

Login, log in successfully. It is a file upload page

2. Rebound shell by using file upload vulnerability

If the web page shows that we want to upload pictures, we will use the shell in the format of pictures to bounce back. First, monitor in Kali, then modify the shell, and change the IP address and port number to the corresponding Kali machine's

Save the shell as a PNG file, upload it and access it in uploads, and successfully rebound the shell

3. Upgrade permissions and obtain flag

After the rebound shell is successful, first ls to see what files are available

Find the home directory, open it and have a look

Eezeepz is our user name when we log in. Let's see what's in it

Here is a note.txt. Open it and have a look

The author said that to go back to the / tmp directory and create the runthis file, try it. The command window executes "echo" / usr / bin /.. / bin / Chmod - R 777 / home / Admin "> / TMP / runthis, and then creates runthis

OK, the creation is successful. Next, look at the admin directory

There are four files worthy of our attention. is the PY file of the load command. The encryption code is The other two TXT documents are the encrypted code. However, I really have limited ability to decrypt the two documents (not because it's too delicious). According to the documents decrypted by the great gods, whoisorgodnow.txt corresponds to lettherebefristi!. Cryptedpass.txt decrypts the corresponding thisisalsopw123.

Next, try switching user accounts and enter the command Su – fristignod

This situation has happened many times. Enter the code directly

Python - C 'import Pty; Pty. Spawn ("/ bin / bash")' enter

Enter the password lettherebefristi! And log in successfully

Let's see what files there are. LS has nothing. Maybe it's hidden. Direct ls-la

There is a history file. Open it and have a look

You can see that "fristignod" always uses sudo to execute commands. Let's try it, too

Then try to generate a shell by imitating the previous bash command execution history

             sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash

Get flag successfully

Four, summarize

After finishing the target machine, I feel that I have benefited a lot. It's OK to do something simpler before. Once I improve the difficulty, I have no clue. And I also found that I really have a lot to improve. The front part of the target machine can still be solved by myself. At the back, especially the power lifting part, I exposed a lot of weaknesses. I found that I really have a lot of shortcomings. I hope I can improve my technical level as soon as possible. In short, in the absence of reference materials and expert tutorial guidance, I failed to complete independently, after that, I need to broaden my mind and practice more.




G an








Tide security team was formally established in January 2019. It is a security team under the banner of new information, aiming at the research of Internet attack and defense technology. At present, it has gathered more than ten professional security attack and defense technology researchers, focusing on network attack and defense, web security, mobile terminals, security development, IOT / Internet of things / industrial control security and other directions.

For more Tide security teams, please pay attention to team official website: or long by two-dimensional code, pay attention to official account number:

Trendy information

Professional focus excellence safety