HTB Write-up: Poison (Linux)

What I learned today/Review : 
Nmap pretty bootstrap page: https://github.com/honze-net/nmap-bootstrap-xsl.git 
nmap -A -sC -sV -Pn -oA goodscan --stylesheet https://raw.githubusercontent.com/honze-net/nmap-bootstrap-xsl/master/nmap-bootstrap.xsl 10.129.158.145
I love this look! 
​
Nmap Scan Result:
Nmap scan report for 10.129.1.254
Host is up (0.11s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey: 
|   2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
|   256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_  256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd
​
​
Let's check out the http while running the go buster and nikto on it. 
 
FreeBSD Poison 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017 [email protected]:/usr/obj/usr/src/sys/GENERIC amd64
Maybe we have to run scripts in this order to see the backup? 
encoded 13 times...the format looks like it's in base 64 as I see the = sign 
Decoded it for 13 times on the website and I got the password, I think..
 
Charix!2#4%6&8(0
​
I typed " ' " in the input field and it gave me this error
 
I think we can do directory traversal on it? Tried
http://10.129.1.254/browse.php?file=/../../../../../etc/passwd
 
user name Charlie 
and pass is Charix!2#4%6&8(0 
or just Charix! ? 
I actually saw the account named charix, so I entered the long pass and got in! 
I'm super happy that I got into the user without any help!!! 
There's an zip file. 
/usr/bin/fortune 
​
freebsd-version 11.1 
Found a directory that lists all the commands we can perform on this machine. 
​
Got stuck here. 
From this point on, I watched the IPPsec's video: https://www.youtube.com/watch?v=rs4zEwONzzk&list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&index=6 
Let's go back to the http://10.129.1.254/phpinfo.php where we found server info. 
Here, we should be looking for if the file_uploads are allowed, which we find out it is. 
​
​
We can autally easily type /browse.php?file=/etc/passwd in burpsuite to get the password file 
Since the uploaded is allowed, you can create a text file or anything by sending burp request(POST) 
Change the request to POST /phpinfo.php 
Add Content type: multipart/form-data; boundary-Anything
Content-Length: 171 
-----Anything 
Content-Disposition: form-data; name="Anything"; filename-"Unko"
Content-Type: text/plain 
​
Some comment here
----Anything 
​
Use this script  https://insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf 
this script uploads a file into the tmp folder before php server deletes itt.
GitHub - swisskyrepo/PayloadsAllTheThings: A list of useful payloads and bypass for Web Application Security and Pentest/CTF
GitHub
Get the phplfi one and modify the script. 
Erase the payload part and insert your own. 
& adjust the request url (in this case, to browse.php?file=%s ) 
Run the listener, 
After running it, I got the shell back 
 
and I'm www. then find the user pass-> decode the password 
​
​
Priv Esc 
We need to find where we can see the apache log 
look up "apache log freebsd"  then we see that it's in /var/log/httpd-access.log 
​
Now since the secret.zip we found is password protected, we should downloaded with scp command.
scp charix@IP:secret.zip . 
Linux SCP command
IONOS Digitalguide
SCP syntax: 
<user>@<host>:<directory/file.extension> 
​
unzip it and cat it
 
We cannot read it or we don't know what it is. 
​
One thing I didn't do was to try getting a file through wget command ( I tried using python and nc but it was unsuccessful) 
 
Got to download it but cannot execute even after I chmod +x it. 
 
It was because it was trying to look up /bin/bash and couldn't locate it.
changed it to /bin/sh and executed it.  
​
Couldn't find much. 
netstat -an | grep LIST  to see what's listening. 
 
 Executing ps aux, we see the unusual tightvnc 
How can we log into it without killing out session? 
Resource: https://www.sans.org/blog/using-the-ssh-konami-code-ssh-control-sequences/ 
~C will let us open a ssh session 
if we type -D 1080, it will listen from the local, port 1080 
We can verify this "netstat -anlp | grep 1080" 
Configured firefox network using 127.0.0.1 with both ports didn't help. 
 Edited the proxychains SOCKS 5 to 1080 
​
--- 
proxychains curl http:// 127.0.0.1:5901 
​
NEW: Manually setting up proxies 
ssh -D 1080 -L6801:127.0.0.1:5801 -L:6901:127.0.0.1:5901 [email protected] 
What's this? 
Listen on kali on 6801, send it through ssh, at the other end of ssh, go to 127.0.0.1 on port 5801 
-D is an address binding, meaning that it's specifically pointing at the service. 
By setting two variations, we can test both of them. 
​
vncviewer 127.0.0.1:6901 
  
Now it's asking for pass. Remember the secret file? 
Pass that file as -passwd argument and now we are in! 
 
Blue (Windows)
HTB Optimum Write-up (Windows) - Powershell Download String, HFS File Server 2.3 Vuln, Sherlock
Last modified 1yr ago