Let's start.
First get the IP address of the target machine; in my case it is 192.168.21.140.
nmap -sC -sV {victim ip}
-sC runs the default scripts and -sV does version enumeration.
The nmap scan result shows only one service running: http on port 80.
Let's run gobuster to do some directory bruteforcing.
Running gobuster reveals two directories, /images and /beer. /images contains an image directory and /beer contains an image.
These directories are not of much use. Looking at the theme of the lab and the website, I tried manually entering /fristileaks, /fristi and other directories, among which /fristi worked.
We have a login portal at the /fristi directory. I tried some SQL injection, but it didn't work.
Viewing the page source (CTRL + U) reveals some interesting things.
The first thing to note is the username eezeepz, and at the bottom we have a base64 encoded string.
Decoding this string reveals it is a PNG file. Using a base64-to-PNG online tool gives us the PNG image, which contains a string.
With this info we can guess that this must be the password for the username eezeepz. Let's try to log in.
The credentials were valid and we are successfully logged in.
After login we are redirected to an upload page. Here our best step would be to upload a PHP reverse shell script and get ourselves a shell.
Download php-reverse-shell from here: https://github.com/pentestmonkey/php-reverse-shell
Make sure to change $ip to your machine's IP, and upload this file.
Sadly we cannot upload a .php file; the website only takes png, jpg and gif.
No problem here. Rename the script by adding .png at the end: revshell.php -> revshell.php.png
Then upload this file. This time the file is successfully uploaded.
Let's get our netcat listener ready.
nc -lnvp 5555
Make sure the port number is the same as in the reverse shell file.
While nc is listening, go to the website and open the file:
ip/fristi/uploads/filename
Going here makes the site get stuck on infinite loading. Looking at our netcat listener, we have got ourselves a shell as the user apache.
Let's make our shell stable using the command
python -c 'import pty; pty.spawn("/bin/bash")'
Looking at the /etc/passwd file we can see the users eezeepz, admin, fristigod and fristi.
Looking around the directories, I moved to /home, where I found three folders: admin, eezeepz and fristigod. Among these we don't have access to admin and fristigod, but we do have access to eezeepz. Looking at the eezeepz home directory we can see some interesting files like notes.txt.
In summary, you have a set of commands you can use, but you are restricted to a specific set of binaries in /usr/bin/*. You need to create a script in /tmp/runthis that will be executed every minute, and the output of each command should be stored in /tmp/cronresult with the privileges of the "Jerry" account.
echo "/home/admin/chmod -R 777 /home/admin/" >> /tmp/runthis
After executing this command, the file /tmp/runthis will contain /home/admin/chmod -R 777 /home/admin/. The runthis file runs every minute, hence giving us access to the /home/admin directory.
In the admin directory we can see multiple interesting files. Let's look at them one by one.
whoisyourgodnow.txt contains some encoded string, and cryptedpass.txt also contains an encoded string.
cryptpass.py is responsible for encoding the text. Looking at this Python script we can say that the string is first encoded into base64 format, then this encoded string is reversed, and then this reversed string is encoded into rot13 format, i.e. rot13(reversed(base64(string))).
Now the encoded strings in whoisyourgodnow.txt and cryptedpass.txt can easily be decoded by reversing what this Python script did:
First we decode the rot13.
Then we reverse this string.
Then we decode the base64.
This gives us the string LetThereBeFristi! from whoisyourgodnow.txt, and repeating these steps for the file cryptedpass.txt gives thisisalsopw123.
These two strings, LetThereBeFristi! and thisisalsopw123, look like passwords.
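As an added example (not the lab's own cryptpass.py, whose source is not reproduced in this writeup), here is a small encoder/decoder that follows the scheme described above, rot13(reversed(base64(string))), and its exact inverse. The encoded file contents are not quoted in the writeup either, so the example encodes the two recovered plaintexts itself and checks that decoding gives them back. The function names are my own. Note that because every step is reversible and keyless, this scheme is obfuscation, not encryption: anyone who can read the script can recover the plaintext.

```python
import base64


def rot13(text: str) -> str:
    """Apply rot13 to ASCII letters; digits, '=', '+', '/' pass through unchanged."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def encode_cryptpass(plain: str) -> str:
    """Forward direction as the writeup describes it: base64 -> reverse -> rot13."""
    b64 = base64.b64encode(plain.encode("utf-8")).decode("ascii")
    return rot13(b64[::-1])


def decode_cryptpass(encoded: str) -> str:
    """Inverse direction: undo rot13 (it is its own inverse), un-reverse, base64-decode.

    Trailing whitespace is stripped so the contents of a text file (which usually
    ends in a newline) can be passed in directly.
    """
    b64 = rot13(encoded.strip())[::-1]
    return base64.b64decode(b64).decode("utf-8")


def roundtrip_ok(plain: str) -> bool:
    """True when decoding the encoded form returns the original plaintext."""
    return decode_cryptpass(encode_cryptpass(plain)) == plain


if __name__ == "__main__":
    # The two plaintexts recovered in the writeup; the encoded forms are computed here.
    for pw in ("LetThereBeFristi!", "thisisalsopw123"):
        enc = encode_cryptpass(pw)
        print(f"{pw!r} -> {enc!r} -> {decode_cryptpass(enc)!r}")
        assert roundtrip_ok(pw)
```

Running the script prints each password, its encoded form, and the decoded result; to decode a real file, read its contents and pass them to decode_cryptpass.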
Switching user to fristigod and entering the password LetThereBeFristi! lets us in as the user fristigod.
Running the command sudo -l shows that fristigod can execute the specified command /var/fristigod/.secret_admin_stuff/doCom as the user fristi with elevated privileges.
We can use this to execute a /bin/bash shell as the root user:
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash
This command essentially runs the doCom script with elevated privileges and instructs it to execute the Bash shell. Hence we get a shell as root.
Going into /root gives us the root flag. Hence the lab is successfully rooted.