Pentesting and Privilege Escalation with FristiLeaks


Fristi Leaks Setup
PREVIEW12m 10s
Hacking the Server
12m 20s

The course is part of this learning path

Fristi Leaks Setup
1h 1m

In this course, we solve a vulnerable virtual machine called FristiLeaks in order to explore pentesting and privilege escalation techniques.


Hi. Within this section, we're going to solve another virtual machine, another vulnerable machine called FristiLeaks. And again, this is in, so you can come over here to and search for Fristi in order to freely reach this.  Okay. So, this is FristiLeaks 1.3 and that's the thing that we are looking for. And indeed, this is a little bit similar to Mr-Robot, the previous CTF that we have solved. But again, this has another techniques, different techniques that we have previously learned about. So, we're going to learn new things and also we're going to practice the old things that we have learned so far in this course and we're going to solve this. So, maybe you can try to give it a shot before you just follow along with the course and see how far you can get over here.  Okay. So, maybe you may want to pause the video and try this one yourself and then come back and see the solution that I have in mind. So, over here, we are in the FristiLeaks  and again, this is a vulnerable machine, a virtual machine, just click over here to download the OVA. This is around 700 megs and read the description over here. As you can see, the style is at one more time enumeration following the breadcrumbs in order to find the solution. And the goal is to get the root and read the flag file. Here, we have a small description, small virtual machine made for Dutch informal hacker meeting called up FristiLeaks. So, this is again built for a hacker meeting, so it's supposed to be good.

So, it's meant to be broken in a few hours without requiring debuggers, reverse engineering, etc. So, we don't know how many flags we have over here, but we do know that we have to get root and read the flag. So, if you're in VMware, you're going to have to manually edit these VM's MAC address to this one. And, of course, this is also valid for VirtualBox as well. So, if your VirtualBox doesn't actually open this in a regular fashion, make sure you edit the MAC over there as it's instructed like this.  Okay? So, let's see if we have to do that. I'm going to come over here. And as you can see, my Kali Linux is running on NAT network. So, what I'm going to do, I'm going to double click on the 'FristiLeaks'  and just import this and leave this as it is. And it says that guest OS type is a Red Hat. So, I'm going to leave that as it is and see what happens. So, 64 bit. And come over here to settings. And over there, the system has 500 megs. So, maybe I can just make it one gig.  Okay. And it isn't necessary. We're not going to do much in this one as well. But again, I have 32 gig. So, I'm going to come over here and make this into NAT network and just do Allow All for Promiscuous Mode. And here, we have the MAC address. So, let's check that. So, over here, it says that your MAC address should be this one. So, let's check and see if this is the same thing. And here you go. We have some differences over here.

I'm going to change this, as it's instructed in the page. So, let's come over here and say 'OK.' So, if you had any problems with that, if you try to pause the video and solve it on your own and had a problem with that, then now, you know how to solve this. Maybe in this step, you may want to pause the video and give it a shot because we have learned so many things. Even now, maybe you can just hack this. So, here we have the IP address, which is very good. So, I won't bother with Netdiscover or Nmap. So, I'm going to come over here to my Kali Linux and run ifconfig. And here you go. I have So, I'm in, I'm going to go for And you can go in Zenmap for intense scan or you can just choose anything you want from here and run it on Nmap on your terminal. I'm going to run this on my terminal as usual.  Okay. So, I'm going to paste this thing over here and I'm going to run this against Here we go. So, I'm running a fast scan as you can see in a verbose mode. And I believe the fast scan will be enough for us, but if it doesn't, if it isn't the case, we can always go back and search for all ports or all UDP or TCP ports. I'm going to go into my CTF folder and create a new folder called Fristileaks as we have done before, because we're going to need to take some notes here as well. So, inside of this folder, I'm going to nano a notes.txt, so that we can take notes. Here we go. Our Nmap scan seems to be completed. So, I'm going to copy everything over here, so that if we need it later on, we can come back and see what's going on.

So, let me choose one more time. And it seems that I cannot do that for some reason. Here you go. Finally, selected that thing, and here you go. I'm going to control or 'Enter' and control leaks out of this one to save it. And here you go. So, let's scan the Nmap results over here. So, what we have over here, let me just scroll down. We have 80 port open.  Okay. So, again, a web pentesting thingy going on. We have robots.txt and Nmap managed to find it as well. So, we're going to definitely take a look at this: three disallowed entries, cola/ sisi/ beer, we're going to see what are those things. We have the Linux running over here as usual. We have some specific kernel thingy over there like 2.6. So, let me come back and I know the 80 port is open and it seems that nothing else is open.  Okay. We're going to take a look at this of course. And here you go. We have CentOS as a Linux operating system over here. So, it's a little bit different than we have seen before. We're going to see what we can do with it. And it seems that we don't have anything in the Nmap, right? Because we only found 80 port is open. Of course, we're going to take a look at that. But first I'm going to run nikto against 10:0.2.16 and see what kind of information can we get from here. And again, nikto is a vulnerability scanner for web pentesting. It's an entry point. It won't do much in real life web pentesting scenarios but it will do much in CTF. So, make a note of that as well. So, here we go. As you can see, we have some kind of different icons, images, folders over here that we can see. So, it found the robots.txt as well, but we already knew that. So, I'm just going to go straight into to see the web server. So, here you go. The FristiLeaks motto is keep calm and drink Fristi. So, it seems like Fristi is some kind of a drink. I don't know, some kind of beverage. So, this website should be about the Fristi. If I click on this, it will take us to the Twitter page for some reason. Yeah, for the hashtag. So, we can see the FristiLeaks hashtags over here. So, I'm going to come back. And we have some credits thingy over here, I believe. So, this should be the orders of this VM, maybe. But also, they maybe some hint as well, like user names. So, what I'm going to do, I'm going to come over here and search for the robots.txt. We know that it exists. So, I'm going to come up and just zoom in a little bit to see the disallowed content over here. So, let's go for cola, and say this is not the URL that you're looking for. Yes. Star Wars thingy coming up. So, I'm going to go for sisi and I don't know what sisi is, but it should be some kind of beverage, I believe, or drink because, yeah, we get the same image in everywhere and we are looking for beer, cola, sisi. So, let's see. This image resides under the images folder.  Okay. And let's see the source for this one. Yup, they all point the same image. And I believe there's nothing over here tip-wise,  right? So, but robots.txt should have a meaning, right? So, maybe we can go for the images folder and I believe we had something else other than images, okay, like icons. There is nothing over here. Maybe we can try icon.  Yeah, it's not that important. Under the images, we don't have anything besides, this is not the URL that we are looking for and also the image over here. But again, so these robots.txt should do something. And if you pay attention over here, Fristi is a drink as well, right? So, I'm going to come over here to page source and show you that there's nothing over here as well. So, no tip, no hints, anything. So, it only says that your goal is to get root.  Yeah, we know that already and it says that this should be doable in four hours. Great. So, what I did over here when I first solve the CTF is to think that, yeah, Fristi is a drink, and so is cola and beer and hopefully sisi. I don't know what is sisi. So, I came over here and tried Fristi as well. It was just a hunch, but why not?  Right? Because we have cola, we have beer, we have sisi; why not we have Fristi? And here you go. We are inside of the FristiLeaks admin portal. So, of course, at this point, you can think that how the hell this is supposed to teach us something, right? Because we took a guess and it worked. And most of the time, it's the same scenario in real life examples as well. For example, you always have to try for /admin or /administrator and I have already tried them in here as well. But again, this is maybe some kind of hunch, maybe some kind of experience. But eventually, anyway, we found the Fristi admin portal. And we don't have any other leads over here I believe. We have a user name and a password logged in over there, but we don't know how to log in. So, we're going to try various things in order to do that, but we're going to do that within the next lecture.


About the Author
Learning Paths

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.