HTB Write-up: Poison (Linux)
What I learned today / Review:
Nmap pretty bootstrap page: https://github.com/honze-net/nmap-bootstrap-xsl.git
nmap -A -sC -sV -Pn -oA goodscan --stylesheet https://raw.githubusercontent.com/honze-net/nmap-bootstrap-xsl/master/nmap-bootstrap.xsl 10.129.158.145
I love this look!
Nmap Scan Result:
Let's check out the HTTP service while running gobuster and nikto against it.
FreeBSD Poison 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017 root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
Maybe we have to run scripts in this order to see the backup?
Encoded 13 times... the format looks like base64, since it ends with = padding.
Decoded it 13 times on the website and I got the password, I think...
Charix!2#4%6&8(0
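The repeated decoding above, as an added Python example that is not from this write-up: it peels base64 layers until the data stops looking like base64, which is exactly why it halts at the password (characters such as ! and # are outside the base64 alphabet, and a decode that yields non-printable bytes means one layer too many). The wrap_base64 helper is only there to build a 13-layer sample from the recovered password; the threshold of "printable ASCII" as the stop condition is my assumption, not something the page states.

```python
import base64
import binascii
import re
from typing import Tuple

# Loose base64 alphabet check: letters, digits, + / and whitespace, optional = padding.
B64_RE = re.compile(rb"^[A-Za-z0-9+/\s]*={0,2}\s*$")


def _looks_like_text(data: bytes) -> bool:
    """True if every byte is printable ASCII or ordinary whitespace (assumed stop rule)."""
    return bool(data) and all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def peel_base64(blob: bytes, max_layers: int = 64) -> Tuple[bytes, int]:
    """Strip nested base64 layers until the output is no longer base64 text.

    Returns (innermost_bytes, layers_removed). Stops when the current data
    contains characters outside the base64 alphabet (e.g. '!' or '#' in a
    password), when decoding fails (bad padding), or when a decode yields
    non-printable bytes, which usually means we went one layer too far.
    """
    data = blob
    layers = 0
    while layers < max_layers:
        stripped = data.strip()
        if not stripped or not B64_RE.match(stripped):
            break
        try:
            decoded = base64.b64decode(stripped)  # newlines inside are discarded
        except (binascii.Error, ValueError):
            break
        if not _looks_like_text(decoded):
            break
        data = decoded
        layers += 1
    return data.strip(), layers


def wrap_base64(data: bytes, layers: int) -> bytes:
    """Test fixture builder: base64-encode `layers` times, with the line breaks a
    backup file dumped by a tool like `base64` would contain."""
    for _ in range(layers):
        data = base64.encodebytes(data)
    return data


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sys.stdin.buffer.read()
    secret, n = peel_base64(raw)
    print(f"removed {n} layer(s): {secret.decode('latin-1')}")
```

Usage: `python3 peel.py pwdbackup.txt` (or pipe the blob on stdin). Note that a plaintext made only of base64 characters whose length is a multiple of four would decode one step too far; the printable check catches most such cases but not all, so sanity-check the result.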
I typed ' in the input field and it gave me this error:
I think we can do directory traversal on it? Tried
username Charlie
and pass is Charix!2#4%6&8(0
or just Charix!?
I actually saw the account named charix, so I entered the long pass and got in!
I'm super happy that I got into the user without any help!!!
There's a zip file.
/usr/bin/fortune
freebsd-version 11.1
Found a directory that lists all the commands we can perform on this machine.
Got stuck here.
From this point on, I watched IppSec's video: https://www.youtube.com/watch?v=rs4zEwONzzk&list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&index=6
Let's go back to http://10.129.1.254/phpinfo.php, where we found the server info.
Here we should check whether file_uploads is enabled, and it is.
We can simply request /browse.php?file=/etc/passwd in Burp Suite to read the passwd file (local file inclusion).
Since uploads are allowed, you can create a text file (or anything) on the server by sending a multipart POST from Burp; phpinfo() then shows the temporary name PHP gave the upload under $_FILES.
Change the request to POST /phpinfo.php
Add Content-Type: multipart/form-data; boundary=Anything
Content-Length: must equal the exact byte length of the body below (it was 171 for the body I sent)
--Anything
Content-Disposition: form-data; name="Anything"; filename="Unko"
Content-Type: text/plain

Some comment here
--Anything--
Use the script from https://insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf
This script races PHP: the uploaded file exists in the tmp folder only until the request finishes, so the script reads the temporary file name out of the phpinfo() response and includes it through the LFI before the PHP server deletes it.
Get the phplfi one and modify the script.
Erase the payload part and insert your own,
and adjust the request URL (in this case, to browse.php?file=%s).
Run the listener.
After running it, I got the shell back
and I'm www. Then find the user's password and decode it.
Priv Esc
We need to find where we can see the Apache log.
Look up "apache log freebsd" and we see it's in /var/log/httpd-access.log
Now, since the secret.zip we found is password protected, download it with scp:
scp charix@IP:secret.zip .
SCP syntax: scp user@host:/path/to/remote_file /local/destination
Unzip it and cat it.
We cannot read it, or rather we don't know what it is.
One thing I didn't do was try fetching the file with wget (I tried using python and nc, but it was unsuccessful).
Managed to download it, but it wouldn't execute even after chmod +x.
That was because its shebang pointed at /bin/bash, which isn't installed on this box.
Changed it to /bin/sh and it ran.
Couldn't find much.
Run netstat -an | grep LIST to see what's listening.
Running ps aux, we see an unusual tightvnc process.
How can we log into it without killing out session?
Resource: https://www.sans.org/blog/using-the-ssh-konami-code-ssh-control-sequences/
~C (typed right after a newline in the existing ssh session) opens ssh's own command line without dropping the session.
Typing -D 1080 there adds a dynamic (SOCKS) forward: ssh listens on local port 1080 and proxies whatever connects to it out through the remote end.
We can verify this with "netstat -anlp | grep 1080"
Configured Firefox's network settings to use 127.0.0.1 with both ports, which didn't help.
Edited the proxychains config so its SOCKS5 entry points at 127.0.0.1 port 1080
---
proxychains curl http://127.0.0.1:5901
(VNC speaks RFB, not HTTP, so curl won't get a page back; it only confirms that something answers on 5901 through the tunnel.)
NEW: Manually setting up proxies
ssh -D 1080 -L 6801:127.0.0.1:5801 -L 6901:127.0.0.1:5901 charix@10.129.1.254
What's this?
-L 6801:127.0.0.1:5801 means: listen on Kali on port 6801, send the connection through ssh, and at the other end connect to 127.0.0.1 on port 5801 (likewise 6901 to 5901).
-D 1080 is different: it's a dynamic forward, a SOCKS proxy on local port 1080 that can reach any host/port the far end can, whereas -L binds a local port to one specific remote service.
By forwarding both VNC ports (5801 and 5901) we can test both.
vncviewer 127.0.0.1:6901
Now it's asking for a password. Remember the secret file?
Pass that file with the -passwd argument (vncviewer -passwd secret 127.0.0.1:6901) and we are in!