O
O
OSCP Notes
Search
K

HTB Write-up: Poison (Linux)

What I learned today/Review :
Nmap Scan Result:
Nmap scan report for 10.129.1.254
Host is up (0.11s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey:
| 2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
| 256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_ 256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open http Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd
Let's check out the http while running the go buster and nikto on it.
FreeBSD Poison 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017 [email protected]:/usr/obj/usr/src/sys/GENERIC amd64
Maybe we have to run scripts in this order to see the backup?
encoded 13 times...the format looks like it's in base 64 as I see the = sign
Decoded it for 13 times on the website and I got the password, I think..
Charix!2#4%6&8(0
I typed " ' " in the input field and it gave me this error
I think we can do directory traversal on it? Tried
http://10.129.1.254/browse.php?file=/../../../../../etc/passwd
user name Charlie
and pass is Charix!2#4%6&8(0
or just Charix! ?
I actually saw the account named charix, so I entered the long pass and got in!
I'm super happy that I got into the user without any help!!!
There's an zip file.
/usr/bin/fortune
freebsd-version 11.1
Found a directory that lists all the commands we can perform on this machine.
Got stuck here.
Let's go back to the http://10.129.1.254/phpinfo.php where we found server info.
Here, we should be looking for if the file_uploads are allowed, which we find out it is.
  • We can autally easily type /browse.php?file=/etc/passwd in burpsuite to get the password file
Since the uploaded is allowed, you can create a text file or anything by sending burp request(POST)
  • Change the request to POST /phpinfo.php
  • Add Content type: multipart/form-data; boundary-Anything
  • Content-Length: 171
-----Anything
Content-Disposition: form-data; name="Anything"; filename-"Unko"
Content-Type: text/plain
Some comment here
----Anything
this script uploads a file into the tmp folder before php server deletes itt.
Get the phplfi one and modify the script.
Erase the payload part and insert your own.
& adjust the request url (in this case, to browse.php?file=%s )
Run the listener,
After running it, I got the shell back
and I'm www. then find the user pass-> decode the password

Priv Esc

We need to find where we can see the apache log
look up "apache log freebsd" then we see that it's in /var/log/httpd-access.log
Now since the secret.zip we found is password protected, we should downloaded with scp command.
scp charix@IP:secret.zip .
SCP syntax:
<user>@<host>:<directory/file.extension>
unzip it and cat it
We cannot read it or we don't know what it is.
One thing I didn't do was to try getting a file through wget command ( I tried using python and nc but it was unsuccessful)
Got to download it but cannot execute even after I chmod +x it.
It was because it was trying to look up /bin/bash and couldn't locate it.
changed it to /bin/sh and executed it.
Couldn't find much.
netstat -an | grep LIST to see what's listening.
Executing ps aux, we see the unusual tightvnc
How can we log into it without killing out session?
~C will let us open a ssh session
if we type -D 1080, it will listen from the local, port 1080
We can verify this "netstat -anlp | grep 1080"
Configured firefox network using 127.0.0.1 with both ports didn't help.
Edited the proxychains SOCKS 5 to 1080
---
proxychains curl http:// 127.0.0.1:5901
NEW: Manually setting up proxies
ssh -D 1080 -L6801:127.0.0.1:5801 -L:6901:127.0.0.1:5901 [email protected]
What's this?
Listen on kali on 6801, send it through ssh, at the other end of ssh, go to 127.0.0.1 on port 5801
-D is an address binding, meaning that it's specifically pointing at the service.
  • By setting two variations, we can test both of them.
vncviewer 127.0.0.1:6901
Now it's asking for pass. Remember the secret file?
Pass that file as -passwd argument and now we are in!