Choosing this one was a good idea, and it was a lot of fun when I was wondering how to get root.
Below you will find a solution showing how to get the flag (and to "love Fristi"! ;))
(For those who want to read other writeups for Fristi, you can find them here.)
Here we go...
Set up the VM and run FristiLeaks. I assume that you're on the same LAN, so let's scan the host to check what's running there:
what else we can get about the server or the webpage. (Yes, I know, old and lame. You can choose DirBuster or a similar tool. But it's still working, so... ;])
...that's how I found "/fristi/" directory:
eezeepz" I assume that this is the username
for the admin panel. The decoded (base64) image is the password for this user. Isn't it?
It's working ;]
And now, as you can see, the image file is presented in the same way as a PHP file. We will use it to attack the box and get a reverse shell:
We can see that there is the source code of cryptpass.py as well as a cryptedpass.txt file and whosyourgodnow.txt. Interesting. It looks like the password is base64 encoded and then rot13 is applied.
Let's reverse this to decode the password. (A few minutes with Google and you will get the idea of what the Python source code is doing ;))
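To make the point concrete, here is an added example (not the cryptpass.py from the VM, and not code from the original post) that implements the scheme as described above, base64 followed by rot13, and then an audit helper that goes one step further by trying chains of keyless transforms against a password the auditor set themselves. The function names, the `reverse` transform and the sample value are assumptions made for illustration.

```python
import base64
import codecs
from itertools import product

def obfuscate(secret: str) -> str:
    """Scheme as the write-up describes it: base64, then rot13. No key involved."""
    b64 = base64.b64encode(secret.encode()).decode("ascii")
    return codecs.encode(b64, "rot13")

def deobfuscate(stored: str) -> str:
    """Undo the layers in reverse order: rot13 first, then base64."""
    return base64.b64decode(codecs.decode(stored, "rot13"), validate=True).decode()

# Keyless, publicly known transforms. "reverse" is not mentioned in the
# write-up; it is included only to show that the audit generalises.
TRANSFORMS = {
    "rot13": lambda s: codecs.decode(s, "rot13"),
    "reverse": lambda s: s[::-1],
    "base64": lambda s: base64.b64decode(s, validate=True).decode("ascii"),
}

def find_keyless_chains(stored: str, known_plaintext: str, max_depth: int = 3):
    """Audit helper: list transform chains that turn `stored` back into a
    password the auditor set themselves. Any hit means the storage format is
    an encoding, not encryption or hashing."""
    hits = []
    for depth in range(1, max_depth + 1):
        for chain in product(TRANSFORMS, repeat=depth):
            value = stored
            try:
                for name in chain:
                    value = TRANSFORMS[name](value)
            except ValueError:  # bad base64 or non-ASCII bytes: chain does not apply
                continue
            if value == known_plaintext:
                hits.append(chain)
    return hits

SAMPLE = "Constructed-Sample-1"  # constructed test value, not the VM's password

if __name__ == "__main__":
    stored = obfuscate(SAMPLE)
    print(stored, "->", deobfuscate(stored))
    print(find_keyless_chains(stored, SAMPLE))
```

Because nothing in the chain depends on a secret, anyone who can read the stored file and the script recovers the password; a salted password hash is the storage format that avoids this.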
Great. Let's try to log in as another user (admin? not working. ls -la /home, and try another one):
Yes. Escalated up. But still not root. ;] Let's finish this.
It could be interesting, let's see what's inside: uh... a list of commands used with sudo?
Cool, I want to try it too. ;]
Finally! Got root ;]
Once again big thanks to Ar0xA for preparing this CTF.
(btw: if you also want to read other adventures, try here. If you have any questions, feel free to ask. I will answer ASAP.)
See you next time ;)