The initial access was incredibly easy, but the privilege escalation required some tools and concepts that I was not well versed in, which made it difficult for me to spot.
Initial Enumeration
sudo nmap -sV -sC <IP>
22/tcp open ssh OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey:
| 2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
| 256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_ 256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open http Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
TcpForwarding is not explicitly prohibited, but it might be a firewall issue
This does only show 22 and 9050, which is odd:
proxychains ss -tulpn
uname -a reveals this: FreeBSD Poison 11.1-RELEASE
With a first internet search it does not seem like there is a big vulnerability for that os version.
ps -aux | grep root shows this, which could be interesting:
I hosted linpeas on my machine and fetched and used it like this:
I also ran LinEnum. But I did not see more than with linpeas.
Webserver deeper enum:
Since I could not find anything interesting locally, I went back to the webserver and checked the php info file. Maybe it runs as root or something along those lines.
I could not identify any obvious vulnerability in the php configuration.
One instance of httpd seems to run as root (ps -aux)
I read that the initial access should have usually been a log poisoning. You should have gotten the www-data user with poisoning the apache log with a php executable user agent and then calling the log. From what I saw, this was not necessary. Since I made no progress here, I peaked in a walkthrough to get a hint. It was that the VNC session that I saw earlier could be connected to with a VNC viewer. So I was on the right track with the X Session I found and also the port forwarding I did was a good idea. I just have to connect to the session somehow.
Starting RealVNC Viewer with proxychains and calling 127.0.0.1 did not work.