Poison

Personal Rating: Easy

The initial access was incredibly easy, but the privilege escalation required some tools and concepts that I was not well versed in, which made it difficult for me to spot.

Initial Enumeration

sudo nmap -sV -sC <IP>

22/tcp open  ssh     OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey: 
|   2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
|   256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_  256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).

There's a webpage at http://10.10.10.84/

LFI Exploit

The scriptname field allows reading local files, which raises LFI suspicions :)

And indeed:

We got the user charix, and it's FreeBSD.

Password Extraction

If you open the php files shown in the info text one by one, the listfiles.php stands out:

Opening the pwdbackup.txt shows something interesting:

base64-decoding the string 13 times using CyberChef results in this:

ssh-ing to the box with charix:Charix!2#4%6&8(0 worked.
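The 13-layer decode can also be done in a loop instead of clicking through CyberChef. The following is an added example, not part of the original writeup: it builds a constructed sample by wrapping the recovered password in 13 layers of base64 (the real contents of pwdbackup.txt are not reproduced here) and peels the layers off until the content stops being valid base64.

```python
import base64
import binascii

# Constructed sample input: the password recovered in the writeup, wrapped in
# 13 layers of base64 to stand in for the real contents of pwdbackup.txt.
PASSWORD = b"Charix!2#4%6&8(0"


def wrap(data, layers):
    """Base64-encode `data` `layers` times (only used to build the sample)."""
    for _ in range(layers):
        data = base64.b64encode(data)
    return data


SAMPLE = wrap(PASSWORD, 13)


def unwrap(blob, max_layers=64):
    """Peel base64 layers off `blob` until the content is no longer base64.

    Whitespace is removed before every decode attempt because backup files
    like pwdbackup.txt are usually line-wrapped. Returns (innermost data,
    number of layers removed).
    """
    data = blob
    layers = 0
    while layers < max_layers:
        candidate = b"".join(data.split())
        try:
            # validate=True rejects anything outside the base64 alphabet, so
            # the loop stops as soon as the real plaintext is reached (here a
            # password containing '!', '#', '%', '&' and '(').
            decoded = base64.b64decode(candidate, validate=True)
        except (binascii.Error, ValueError):
            break
        # A plaintext made only of base64 characters would decode once more
        # into binary garbage; stop before consuming that layer.
        if not decoded or any(
            b not in b"\t\n\r" and (b < 0x20 or b > 0x7E) for b in decoded
        ):
            break
        data = decoded
        layers += 1
    return data, layers


if __name__ == "__main__":
    plaintext, depth = unwrap(SAMPLE)
    print("peeled %d layers -> %s" % (depth, plaintext.decode(errors="replace")))
```

Stopping on the first decode error is enough here because the password contains characters outside the base64 alphabet; the printable-ASCII check is what keeps the loop from going one layer too far when a plaintext happens to look like base64 itself.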

Internal Enumeration

I should exfiltrate the zip file.

Typing 'python' and pressing Tab I found out that python2 was installed on the host, so I started a Python web server on the box and fetched the file with wget:

python -m SimpleHTTPServer 8000

It is password protected:

Using zip2john I could extract the hash:

Putting the hash in a file and attempting to crack it with john did not work:

john --wordlist=/usr/share/seclists/Passwords/rockyou.txt hash.tmp

Wow, okay, the password Charix!2#4%6&8(0 worked to open the zip.

The content of the secret file is odd:

[|Ֆz!

Internal Enumeration 2

I established a dynamic port forward (a SOCKS proxy) to the host with ssh:

ssh -D 9050 charix@10.10.10.84

This does not seem to work.

charix@Poison:~ % cat /etc/ssh/sshd_config | grep TcpForwarding

AllowTcpForwarding is not explicitly disabled (the default is yes), so it might be a firewall issue.

This only shows 22 and 9050, which is expected in hindsight: proxychains only redirects outgoing TCP connections, so ss still lists the listening sockets of my own machine (sshd and the SOCKS port), not the target's:

proxychains ss -tulpn

uname -a reveals this: FreeBSD Poison 11.1-RELEASE

A first internet search did not turn up any major vulnerability for that OS version.

ps -aux | grep root shows this, which could be interesting:

I hosted linpeas on my machine and fetched and used it like this:

I also ran LinEnum, but did not see more than with linpeas.

Webserver Deeper Enumeration

Since I could not find anything interesting locally, I went back to the webserver and checked the phpinfo file. Maybe it runs as root or something along those lines.

http://10.10.10.84/browse.php?file=phpinfo.php

I could not identify any obvious vulnerability in the php configuration.

One instance of httpd seems to run as root (ps -aux). This is normal: the Apache parent process runs as root to bind port 80 and drops privileges for the worker processes that handle requests, so on its own it is not a privilege escalation lead.

I read that the intended initial access is log poisoning: you plant PHP in the Apache access log through the User-Agent header and then include the log file via the LFI, which gives code execution as the web server user (www on FreeBSD, the equivalent of www-data on Linux). From what I saw, this was not necessary.

Since I made no progress here, I peeked in a walkthrough to get a hint: the VNC session that I saw earlier can be connected to with a VNC viewer. So I was on the right track with the X session I found, and the port forwarding I did was a good idea. I just have to connect to the session somehow.

Starting RealVNC Viewer with proxychains and calling 127.0.0.1 did not work.

I googled how to find listening ports on BSD:

https://www.cyberciti.biz/faq/freebsd-unix-find-the-process-pid-listening-on-a-certain-port-commands/

sockstat -l

Okay, I will try connecting again, using the ports 5901 and 5801. VNC display :1 listens on TCP 5901 (5801 is the matching HTTP port for the Java applet viewer), which also explains why a bare 127.0.0.1 (display :0, port 5900) did not work earlier.

It works, but it asks for a password. The strings I collected so far did not work.

The string from the file looks very weird and didn't work. That is expected: secret is a VNC password file as written by vncpasswd, i.e. the password DES-encrypted with a fixed, publicly known key, not a string to type in (tools such as vncpwd can decrypt it back to plaintext). I downloaded TigerVNC, whose vncviewer can be driven from the command line and takes such a file as password input:

proxychains vncviewer passwd=/HTBfolder/Boxes/HTB-Poison/secret 127.0.0.1:5901

This worked to connect to the VNC session!
