HTB Write-up: Poison (FreeBSD)

What I learned today / Review:

Nmap Scan Result:

Nmap scan report for 10.129.1.254
Host is up (0.11s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey: 
|   2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
|   256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_  256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

Let's check out the HTTP service while running gobuster and nikto against it.

FreeBSD Poison 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017 root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64

Maybe we have to run scripts in this order to see the backup?

Encoded 13 times... the format looks like base64, as I can see the = padding sign.

Decoded it 13 times on the website and I got the password, I think.

Charix!2#4%6&8(0
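Peeling the 13 base64 layers programmatically, as an added example that is not part of the original notes: the loop keeps decoding while the data still looks like base64 and stops at the first layer that doesn't, so the layer count does not have to be known up front. The sample blob is constructed here by wrapping the password from the page 13 times; the helper names are mine.

```python
import base64
import binascii


def looks_textual(data: bytes) -> bool:
    """True if every byte is printable ASCII or ordinary whitespace."""
    return all(32 <= b < 127 or b in b"\r\n\t" for b in data)


def peel_base64(blob: bytes, max_layers: int = 64):
    """Strip nested base64 layers until the data is no longer base64.

    Returns (plaintext, layers_removed). Stops when a layer fails strict
    decoding (non-alphabet characters such as '!' or '#') or decodes to
    something that is not text, so over-decoding a plaintext that happens
    to be valid base64 is avoided in the common case.
    """
    data = blob
    layers = 0
    while layers < max_layers:
        candidate = b"".join(data.split())  # tolerate wrapped/indented lines
        if not candidate or len(candidate) % 4:
            break
        try:
            decoded = base64.b64decode(candidate, validate=True)
        except (binascii.Error, ValueError):
            break
        if not looks_textual(decoded):
            break  # went one layer too far: the previous layer was the payload
        data = decoded
        layers += 1
    return data, layers


def nest_base64(plaintext: bytes, layers: int) -> bytes:
    """Constructed helper to build a sample like the backup file in the notes."""
    data = plaintext
    for _ in range(layers):
        data = base64.b64encode(data)
    return data


# Constructed sample: the password recovered in the write-up, wrapped 13 times.
SAMPLE = nest_base64(b"Charix!2#4%6&8(0", 13)

if __name__ == "__main__":
    plaintext, count = peel_base64(SAMPLE)
    print(f"{count} layers removed -> {plaintext.decode()}")
```

The stop condition is a heuristic: a plaintext made only of base64 alphabet characters with a length divisible by four would be decoded one layer too far, so always eyeball the output against what the file is supposed to contain.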

I typed a single quote (') in the input field and it gave me this error:

I think we can do directory traversal on it? Tried:

http://10.129.1.254/browse.php?file=/../../../../../etc/passwd

Username: Charlie

and pass is Charix!2#4%6&8(0

or just Charix! ?

I actually saw the account named charix, so I entered the long pass and got in!

I'm super happy that I got into the user without any help!!!

There's a zip file.

/usr/bin/fortune

freebsd-version 11.1

Found a directory that lists all the commands we can perform on this machine.

Got stuck here.

From this point on, I watched IppSec's video: https://www.youtube.com/watch?v=rs4zEwONzzk&list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf&index=6

Let's go back to http://10.129.1.254/phpinfo.php, where we found the server info.

Here, we should check whether file_uploads is enabled, which it is.

  • We can actually just request /browse.php?file=/etc/passwd in Burp Suite to get the password file.

Since file uploads are allowed, any multipart POST request (sent from Burp) makes PHP write the uploaded content to a temporary file while the request is being processed; a text file or anything else will do.

  • Change the request to POST /phpinfo.php

  • Add Content-Type: multipart/form-data; boundary=Anything

  • Add Content-Length: the exact byte count of the body below (Burp Repeater updates it automatically)

Then the body. Each boundary line in the body is "--" followed by the boundary from the header, the last one ends in an extra "--", and the blank line between the part headers and the content is required:

--Anything
Content-Disposition: form-data; name="Anything"; filename="Unko"
Content-Type: text/plain

Some comment here
--Anything--

Use the script from this paper: https://insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf

The script relies on PHP writing every uploaded file to a temp file (phpinfo shows its path under $_FILES as tmp_name) and deleting it when the request ends; it races to include that temp file through the LFI before PHP deletes it.

Get the phpinfo LFI script from it and modify it:

Erase the payload part and insert your own,

and adjust the request URL (in this case, to browse.php?file=%s).

Run the listener, then the script.

After running it, I got the shell back,

and I'm www. Then find the user's pass -> decode the password.

Priv Esc

We need to find where we can see the Apache log.

Looking up "apache log freebsd" shows that it's in /var/log/httpd-access.log.

Now, since the secret.zip we found is password protected, we should download it with scp.

scp charix@IP:secret.zip .

SCP syntax:

scp <user>@<host>:<path/to/file.extension> <local destination>

Unzip it and cat it.

We cannot read it or we don't know what it is.

One thing I didn't do was try getting a file onto the box with wget (I tried using python and nc but it was unsuccessful).

Got it downloaded but couldn't execute it even after I chmod +x'd it.

It was because it was trying to look up /bin/bash and couldn't locate it.

Changed it to /bin/sh and executed it.

Couldn't find much.

Run netstat -an | grep LIST to see what's listening.

Executing ps aux, we see the unusual tightvnc process.

How can we log into it without killing our session?

Resource: https://www.sans.org/blog/using-the-ssh-konami-code-ssh-control-sequences/

~C opens the SSH escape command line inside our existing session, where we can add port forwards without reconnecting.

If we type -D 1080 there, ssh starts a SOCKS proxy listening locally on port 1080.

We can verify this with "netstat -anlp | grep 1080" on Kali.

Configuring Firefox's network settings with 127.0.0.1 and both ports didn't help.

Edited the proxychains config to use SOCKS5 on port 1080.

---

proxychains curl http://127.0.0.1:5901

NEW: Manually setting up proxies

ssh -D 1080 -L 6801:127.0.0.1:5801 -L 6901:127.0.0.1:5901 charix@10.129.1.254

What's this?

-L 6801:127.0.0.1:5801 listens on Kali on port 6801, sends the traffic through SSH, and at the other end connects to 127.0.0.1 on port 5801 on the target; -L 6901:127.0.0.1:5901 does the same for 5901 (the two TightVNC ports seen listening on the target).

-D 1080 is different: it's a dynamic SOCKS proxy, not bound to one service, so proxychains can reach any host and port the target itself can reach.

  • By setting up both variations, we can test both of them.
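Before pointing vncviewer at the forwarded port, it is worth checking that the tunnel really ends at a VNC server rather than at a closed port or the HTTP viewer: the first thing a VNC server sends is the 12-byte RFB ProtocolVersion banner ("RFB 003.008\n" for TightVNC-era servers). The added example below is not from the write-up; it reads that banner through the -L 6901 forward, and a throwaway local server stands in for the tunnelled port so the check can also run offline. Function names and the fake server are my constructions.

```python
import socket
import threading


def parse_rfb_version(banner: bytes):
    """Parse the 12-byte RFB ProtocolVersion message 'RFB xxx.yyy\\n' that a
    VNC server sends first. Returns (major, minor) or raises ValueError."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or not banner.endswith(b"\n"):
        raise ValueError(f"not an RFB ProtocolVersion message: {banner!r}")
    major, minor = banner[4:11].decode("ascii").split(".")
    return int(major), int(minor)


def read_rfb_version(host="127.0.0.1", port=6901, timeout=5):
    """Connect through the forward and read exactly the 12-byte banner."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = b""
        while len(banner) < 12:
            chunk = s.recv(12 - len(banner))
            if not chunk:
                raise ConnectionError("peer closed before sending ProtocolVersion")
            banner += chunk
    return parse_rfb_version(banner)


def fake_vnc_server(banner=b"RFB 003.008\n") -> int:
    """Constructed stand-in for the tunnelled TightVNC port (offline demo only).
    Returns the ephemeral port it listens on; serves a single connection."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def check_tunnel_offline():
    """Round trip against the fake server: what a healthy forward looks like."""
    return read_rfb_version(port=fake_vnc_server())


if __name__ == "__main__":
    print("offline:", check_tunnel_offline())
    # Against the real forward from the write-up: ssh -L 6901:127.0.0.1:5901 ...
    try:
        print("127.0.0.1:6901 speaks RFB", read_rfb_version(port=6901))
    except OSError as e:
        print("no VNC behind 127.0.0.1:6901:", e)
```

If the forward points at the wrong port you get a refused connection, an HTTP response (the 5801 viewer page) or silence, and parse_rfb_version rejects anything that is not the banner, which is a cleaner signal than reading curl's garbled output.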

vncviewer 127.0.0.1:6901

Now it's asking for pass. Remember the secret file?

Pass that file as the -passwd argument (vncviewer -passwd <the secret file> 127.0.0.1:6901) and now we are in!
