Initial Enumeration
Whilst more extensive scans are run, let’s look at what we’ve got so far
22/TCP
standard openssh with no known vulnerabilities. Not much use to us so far, without even a username to brute force
80/HTTP
A script testing app. If that doesn’t shout LFI, I don’t know what does.
Testing it on the phpinfo.php file executes it at shows a lot of info that might be useful:
But let’s check for the obvious LFI:
In phpinfo we see this script is in this location: /usr/local/www/apache24/data/browse.php. Just for fun let’s see what code the php file contains using the filter wrapper trick:
By using the base64-encode we base64 output instead of the raw, executable PHP and decoding it offers up the most fundamental file inclusion example possible.
Also from the phpinfo file we see that allow_url_include is not turned on, so a simple RFI is not possible.
Neither dirb, dirbuster or nikto find anything particularly interesting despite using several lists so I went back to the site to take a closer look and (not for the first time) turned out I’d browsed over something important. The listfiles.php script reveals an additional file I’d not noticed – pwdbackup.txt
Getting this file shows some base64 encoding, pointlessly and unrealistically, done 13 times. I really should write a script to automate these things as CTF writers seems to be obsessed with base64 tricks but that would only encourage them:
anyway, after decoding it you get: Charix!2#4%6&8(0
We already have a username Charix with login abilities so let’s see if we can ssh in directly with these creds:
And look, there’s some suspicious looking files in there too:
I’ll check those out in a minute but first I’ll run a privesc checker to get some more info.
charix@Poison:/tmp % python linuxprivchecker.py
=================================================================================================
LINUX PRIVILEGE ESCALATION CHECKER
=================================================================================================
[*] GETTING BASIC SYSTEM INFO...
[+] Kernel
[+] Hostname
Poison
[+] Operating System
[*] GETTING NETWORKING INFO...
[+] Interfaces
le0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 00:50:56:b9:96:34
hwaddr 00:50:56:b9:96:34
inet 10.10.10.84 netmask 0xffffff00 broadcast 10.10.10.255
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
groups: lo
[+] Netstat
[+] Route
[*] GETTING FILESYSTEM INFO...
[+] Mount results
/dev/da0s1a on / (ufs, local, journaled soft-updates)
devfs on /dev (devfs, local, multilabel)
[+] fstab entries
# Device Mountpoint FStype Options Dump Pass#
/dev/da0s1a / ufs rw 1 1
/dev/da0s1b none swap sw 0 0
[+] Scheduled cron jobs
-rw-r--r-- 1 root wheel 730 Jul 21 2017 /etc/crontab
/etc/cron.d:
total 8
drwxr-xr-x 2 root wheel 512 Jul 21 2017 .
drwxr-xr-x 27 root wheel 2560 Mar 19 16:21 ..
[+] Writable cron dirs
[*] ENUMERATING USER AND ENVIRONMENTAL INFO...
[+] Logged in User Activity
12:01PM up 33 mins, 14 users, load averages: 0.65, 0.31, 0.26
USER TTY FROM LOGIN@ IDLE WHAT
charix pts/1 10.10.14.251 11:29AM 9 -csh (csh)
charix pts/2 :2 11:47AM 13 -csh (csh)
charix pts/3 10.10.14.201 11:29AM 15 -csh (csh)
charix pts/4 10.10.15.161 11:30AM 13 -csh (csh)
charix pts/5 10.10.15.246 11:31AM - -csh (csh)
charix pts/6 10.10.14.58 11:52AM - w
charix pts/7 10.10.15.214 11:48AM 6 -csh (csh)
charix pts/8 10.10.14.214 11:34AM 14 -csh (csh)
charix pts/9 10.10.14.37 11:50AM - nc 10.10.14.37
charix pts/10 10.10.14.232 11:50AM 9 -csh (csh)
charix pts/11 10.10.15.21 11:52AM 1 -csh (csh)
charix pts/12 :3 11:53AM 7 -csh (csh)
charix pts/13 10.10.14.139 11:58AM - -csh (csh)
charix pts/14 10.10.14.200 12:00PM - netstat
[+] Super Users Found:
root
toor
[+] Environment
VENDOR=amd
SSH_CLIENT=10.10.14.58 50532 22
LOGNAME=charix
PAGER=more
OSTYPE=FreeBSD
MACHTYPE=x86_64
MAIL=/var/mail/charix
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/home/charix/bin
EDITOR=vi
HOST=Poison
REMOTEHOST=10.10.14.58
PWD=/tmp
GROUP=charix
TERM=xterm-256color
SSH_TTY=/dev/pts/6
HOME=/home/charix
USER=charix
SSH_CONNECTION=10.10.14.58 50532 10.10.10.84 22
HOSTTYPE=FreeBSD
SHELL=/bin/csh
BLOCKSIZE=K
SHLVL=1
[+] Root and current user history (depends on privs)
[+] Sudoers (privileged)
[+] All users
# $FreeBSD: releng/11.1/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
unbound:*:59:59:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
_ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
_tss:*:601:601:TrouSerS user:/var/empty:/usr/sbin/nologin
messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/usr/sbin/nologin
avahi:*:558:558:Avahi Daemon User:/nonexistent:/usr/sbin/nologin
cups:*:193:193:Cups Owner:/nonexistent:/usr/sbin/nologin
charix:*:1001:1001:charix:/home/charix:/bin/csh
[+] Current User
charix
[+] Current User ID
uid=1001(charix) gid=1001(charix) groups=1001(charix)
[*] ENUMERATING FILE AND DIRECTORY PERMISSIONS/CONTENTS...
[+] World Writeable Directories for User/Group 'Root'
drwxrwxrwt 6 root wheel 1536 Sep 7 11:59 /tmp
drwxrwxrwt 2 root wheel 512 Sep 7 11:53 /tmp/.X11-unix
drwxrwxrwt 2 root wheel 512 Sep 7 11:28 /tmp/.XIM-unix
drwxrwxrwt 2 root wheel 512 Sep 7 11:28 /tmp/.ICE-unix
drwxrwxrwt 2 root wheel 512 Sep 7 11:28 /tmp/.font-unix
drwxrwxrwt 3 root wheel 512 Jul 21 2017 /var/tmp
drwxrwxrwt 2 root wheel 512 Mar 19 13:04 /var/tmp/vi.recover
[+] World Writeable Directories for Users other than Root
[+] World Writable Files
[+] Checking if root's home folder is accessible
total 0
[+] SUID/SGID Files and Directories
-r-xr-sr-x 1 root kmem 11800 Jul 21 2017 /usr/sbin/trpt
-r-sr-xr-x 1 root wheel 26736 Jul 21 2017 /usr/sbin/traceroute6
-r-sr-sr-x 2 root authpf 24312 Jul 21 2017 /usr/sbin/authpf-noip
-r-sr-xr-x 1 root wheel 32808 Jul 21 2017 /usr/sbin/traceroute
-r-sr-xr-x 1 root wheel 21512 Jul 21 2017 /usr/sbin/timedc
-r-sr-sr-x 2 root authpf 24312 Jul 21 2017 /usr/sbin/authpf
-r-sr-xr-- 1 root network 433872 Jul 21 2017 /usr/sbin/ppp
-r-xr-sr-x 1 root daemon 59800 Jul 21 2017 /usr/sbin/lpc
-r-xr-sr-x 1 root smmsp 729800 Jul 21 2017 /usr/libexec/sendmail/sendmail
-r-sr-xr-- 1 root mail 7424 Jul 21 2017 /usr/libexec/dma-mbox-create
-r-sr-xr-x 1 root wheel 6232 Jul 21 2017 /usr/libexec/ulog-helper
-r-sr-xr-x 1 root wheel 49152 Jul 21 2017 /usr/libexec/ssh-keysign
-r-xr-sr-x 1 root mail 63088 Jul 21 2017 /usr/libexec/dma
-r-sr-sr-x 1 root daemon 34368 Jul 21 2017 /usr/bin/lpq
-r-sr-xr-x 1 root wheel 16216 Jul 21 2017 /usr/bin/rlogin
-r-sr-sr-x 1 root daemon 33072 Jul 21 2017 /usr/bin/lprm
-r-xr-sr-x 1 root kmem 13840 Jul 21 2017 /usr/bin/btsockstat
-r-sr-sr-x 1 root daemon 41248 Jul 21 2017 /usr/bin/lpr
-r-sr-xr-x 4 root wheel 29016 Jul 21 2017 /usr/bin/at
-r-sr-xr-x 1 root wheel 33288 Jul 21 2017 /usr/bin/crontab
-r-sr-xr-x 4 root wheel 29016 Jul 21 2017 /usr/bin/atrm
-r-sr-xr-x 4 root wheel 29016 Jul 21 2017 /usr/bin/atq
-r-sr-xr-x 1 root wheel 17584 Jul 21 2017 /usr/bin/su
-r-sr-xr-x 1 root wheel 25488 Jul 21 2017 /usr/bin/chpass
-r-sr-xr-x 1 root wheel 16264 Jul 21 2017 /usr/bin/quota
-r-sr-xr-x 1 root wheel 9856 Jul 21 2017 /usr/bin/passwd
-r-xr-sr-x 1 root tty 12280 Jul 21 2017 /usr/bin/write
-r-sr-xr-x 1 root wheel 7256 Jul 21 2017 /usr/bin/opieinfo
-r-xr-sr-x 1 root kmem 154448 Jul 21 2017 /usr/bin/netstat
-r-sr-xr-x 1 root wheel 26040 Jul 21 2017 /usr/bin/login
-r-sr-xr-x 4 root wheel 29016 Jul 21 2017 /usr/bin/batch
-r-xr-sr-x 1 root tty 15984 Jul 21 2017 /usr/bin/wall
-r-sr-xr-x 1 root wheel 14304 Jul 21 2017 /usr/bin/opiepasswd
-r-sr-xr-x 1 root wheel 11600 Jul 21 2017 /usr/bin/lock
-r-sr-xr-x 1 root wheel 12192 Jul 21 2017 /usr/bin/rsh
-r-sr-xr-x 1 root wheel 2191384 Jan 2 2018 /usr/local/bin/Xorg
-rwsr-x--- 1 root messagebus 49416 Jan 2 2018 /usr/local/libexec/dbus-daemon-launch-helper
-r-sr-xr-x 1 root wheel 20912 Jul 21 2017 /bin/rcp
-r-sr-xr-x 1 root wheel 40752 Jul 21 2017 /sbin/ping6
-r-sr-xr-- 2 root operator 15904 Jul 21 2017 /sbin/poweroff
-r-sr-xr-- 1 root operator 10600 Jul 21 2017 /sbin/mksnap_ffs
-r-sr-xr-- 2 root operator 15904 Jul 21 2017 /sbin/shutdown
-r-sr-xr-x 1 root wheel 32488 Jul 21 2017 /sbin/ping
[+] Logs containing keyword 'password'
[+] Config files containing keyword 'password'
[+] Shadow File (Privileged)
[*] ENUMERATING PROCESSES AND APPLICATIONS...
[+] Installed Packages
[+] Current processes
USER PID STARTED TIME COMMAND
root 11 11:28 32:28.29 [idle]
root 12 11:28 0:11.88 [intr]
root 4 11:28 0:01.26 [cam]
root 23 11:28 0:00.72 [vnlru]
root 0 11:28 0:00.01 [kernel]
root 1 11:28 0:00.02 /sbin/init
root 2 11:28 0:00.00 [crypto]
root 3 11:28 0:00.00 [crypto
root 5 11:28 0:00.00 [mpt_recovery0]
root 6 11:28 0:00.00 [sctp_iterator]
root 7 11:28 0:00.88 [rand_harvestq]
root 8 11:28 0:00.00 [soaiod1]
root 9 11:28 0:00.00 [soaiod2]
root 10 11:28 0:00.00 [audit]
root 13 11:28 0:00.01 [geom]
root 14 11:28 0:00.15 [usb]
root 15 11:28 0:00.00 [soaiod3]
root 16 11:28 0:00.00 [soaiod4]
root 17 11:28 0:00.16 [pagedaemon]
root 18 11:28 0:00.00 [vmdaemon]
root 19 11:28 0:00.00 [pagezero]
root 20 11:28 0:00.13 [bufdaemon]
root 21 11:28 0:00.01 [bufspacedaemon]
root 22 11:28 0:00.27 [syncer]
root 319 11:28 0:00.19 /sbin/devd
root 390 11:28 0:00.08 /usr/sbin/syslogd
root 543 11:28 0:01.63 /usr/local/bin/vmtoolsd
root 620 11:28 0:00.05 /usr/sbin/sshd
root 626 11:28 0:00.03 sshd:
root 628 11:28 0:00.02 sshd:
charix 638 11:29 0:00.22 sshd:
root 645 11:29 0:00.02 sshd:
charix 660 11:29 0:00.06 sshd:
root 669 11:29 0:00.59 /usr/local/sbin/httpd
charix 686 11:29 0:00.41 sshd:
root 706 11:30 0:00.02 sshd:
charix 729 11:30 0:00.01 sshd:
charix 730 11:30 0:00.01 csh
charix 732 11:30 0:00.01 /usr/libexec/sftp-server
root 733 11:30 0:00.02 sshd:
root 735 11:30 0:00.04 sendmail:
charix 855 11:30 0:00.08 sshd:
smmsp 963 11:30 0:00.00 sendmail:
root 967 11:30 0:00.01 /usr/sbin/cron
root 1033 11:31 0:00.02 sshd:
charix 1043 11:31 0:00.29 sshd:
root 1075 11:32 0:00.03 sshd:
charix 1144 11:34 0:00.03 sshd:
www 1256 11:42 0:00.69 /usr/local/sbin/httpd
www 1265 11:42 0:00.65 /usr/local/sbin/httpd
www 1271 11:42 0:00.63 /usr/local/sbin/httpd
www 1355 11:42 0:00.78 /usr/local/sbin/httpd
www 1463 11:44 0:00.68 /usr/local/sbin/httpd
www 1493 11:44 0:00.81 /usr/local/sbin/httpd
www 1497 11:44 0:00.59 /usr/local/sbin/httpd
www 1528 11:44 0:00.71 /usr/local/sbin/httpd
www 1537 11:44 0:00.54 /usr/local/sbin/httpd
root 1634 11:47 0:00.02 sshd:
charix 1654 11:48 0:00.01 sshd:
root 1659 11:48 0:00.03 sshd:
root 1693 11:50 0:00.02 sshd:
charix 1700 11:50 0:00.07 sshd:
charix 1706 11:50 0:00.02 sshd:
root 1725 11:51 0:00.03 sshd:
charix 1736 11:52 0:00.15 sshd:
root 1749 11:52 0:00.03 sshd:
charix 1766 11:52 0:00.06 sshd:
www 1784 11:53 0:00.44 /usr/local/sbin/httpd
root 1908 11:58 0:00.03 sshd:
charix 1960 11:58 0:00.03 sshd:
root 2031 12:00 0:00.02 sshd:
charix 2041 12:00 0:00.01 sshd:
root 529 11:28 0:00.23 Xvnc
root 540 11:28 0:00.12 xterm
root 541 11:28 0:00.02 twm
root 1014 11:30 0:00.00 /usr/libexec/getty
root 1015 11:30 0:00.00 /usr/libexec/getty
root 1016 11:30 0:00.00 /usr/libexec/getty
root 1017 11:30 0:00.00 /usr/libexec/getty
root 1018 11:30 0:00.00 /usr/libexec/getty
root 1019 11:30 0:00.00 /usr/libexec/getty
root 1020 11:30 0:00.00 /usr/libexec/getty
root 1021 11:30 0:00.00 /usr/libexec/getty
root 554 11:28 0:00.04 -csh
charix 639 11:29 0:00.13 -csh
charix 1623 11:47 0:00.02 -csh
charix 662 11:29 0:00.05 -csh
charix 856 11:30 0:00.07 -csh
charix 1044 11:31 0:00.27 -csh
root 1465 11:44 0:00.37 Xorg
charix 1613 11:47 0:00.82 Xvnc
charix 1620 11:47 0:00.04 xterm
charix 1621 11:47 0:00.01 twm
charix 1788 11:53 0:00.06 Xvnc
charix 1795 11:53 0:00.04 xterm
charix 1796 11:53 0:00.01 twm
charix 1737 11:52 0:00.08 -csh
charix 2049 12:01 0:00.09 python
charix 2157 12:02 0:00.00 /bin/sh
charix 2158 12:02 0:00.00 ps
charix 2159 12:02 0:00.00 awk
charix 1655 11:48 0:00.01 -csh
charix 1145 11:34 0:00.03 -csh
charix 1701 11:50 0:00.07 -csh
charix 1707 11:50 0:00.02 -csh
charix 1767 11:52 0:00.06 -csh
charix 1798 11:53 0:00.02 -csh
charix 1961 11:58 0:00.03 -csh
charix 2042 12:00 0:00.01 -csh
charix 2047 12:00 0:00.09 netstat
[+] Apache Version and Modules
Server version: Apache/2.4.29 (FreeBSD)
Server built: unknown
Compiled in modules:
core.c
mod_so.c
http_core.c
[+] Apache Config File
[+] Sudo Version (Check out https://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=sudo)
[*] IDENTIFYING PROCESSES AND PACKAGES RUNNING AS ROOT OR OTHER SUPERUSER...
root 543 11:28 0:01.63 /usr/local/bin/vmtoolsd
root 1749 11:52 0:00.03 sshd:
root 319 11:28 0:00.19 /sbin/devd
root 1020 11:30 0:00.00 /usr/libexec/getty
root 1019 11:30 0:00.00 /usr/libexec/getty
root 1033 11:31 0:00.02 sshd:
root 628 11:28 0:00.02 sshd:
root 554 11:28 0:00.04 -csh
root 19 11:28 0:00.00 [pagezero]
root 12 11:28 0:11.88 [intr]
root 733 11:30 0:00.02 sshd:
root 2031 12:00 0:00.02 sshd:
root 21 11:28 0:00.01 [bufspacedaemon]
root 735 11:30 0:00.04 sendmail:
root 6 11:28 0:00.00 [sctp_iterator]
root 1017 11:30 0:00.00 /usr/libexec/getty
root 5 11:28 0:00.00 [mpt_recovery0]
root 16 11:28 0:00.00 [soaiod4]
root 1725 11:51 0:00.03 sshd:
root 1693 11:50 0:00.02 sshd:
root 1075 11:32 0:00.03 sshd:
root 2 11:28 0:00.00 [crypto]
root 669 11:29 0:00.59 /usr/local/sbin/httpd
root 626 11:28 0:00.03 sshd:
root 0 11:28 0:00.01 [kernel]
root 967 11:30 0:00.01 /usr/sbin/cron
root 17 11:28 0:00.16 [pagedaemon]
root 390 11:28 0:00.08 /usr/sbin/syslogd
root 8 11:28 0:00.00 [soaiod1]
root 620 11:28 0:00.05 /usr/sbin/sshd
root 22 11:28 0:00.27 [syncer]
root 13 11:28 0:00.01 [geom]
root 18 11:28 0:00.00 [vmdaemon]
root 1634 11:47 0:00.02 sshd:
root 1908 11:58 0:00.03 sshd:
root 4 11:28 0:01.26 [cam]
root 9 11:28 0:00.00 [soaiod2]
root 15 11:28 0:00.00 [soaiod3]
root 1016 11:30 0:00.00 /usr/libexec/getty
root 10 11:28 0:00.00 [audit]
root 645 11:29 0:00.02 sshd:
root 1014 11:30 0:00.00 /usr/libexec/getty
root 11 11:28 32:28.29 [idle]
root 3 11:28 0:00.00 [crypto
root 23 11:28 0:00.72 [vnlru]
root 14 11:28 0:00.15 [usb]
root 1 11:28 0:00.02 /sbin/init
root 7 11:28 0:00.88 [rand_harvestq]
root 706 11:30 0:00.02 sshd:
root 541 11:28 0:00.02 twm
root 529 11:28 0:00.23 Xvnc
root 1021 11:30 0:00.00 /usr/libexec/getty
root 1015 11:30 0:00.00 /usr/libexec/getty
root 1659 11:48 0:00.03 sshd:
root 1465 11:44 0:00.37 Xorg
root 540 11:28 0:00.12 xterm
root 1018 11:30 0:00.00 /usr/libexec/getty
root 20 11:28 0:00.13 [bufdaemon]
[*] ENUMERATING INSTALLED LANGUAGES/TOOLS FOR SPLOIT BUILDING...
[+] Installed Tools
/usr/bin/awk
/usr/local/bin/perl
/usr/local/bin/python
/usr/local/bin/ruby
/usr/bin/cc
/usr/bin/vi
/usr/local/bin/vim
/usr/bin/find
/usr/bin/nc
/usr/local/bin/wget
/usr/bin/tftp
/usr/bin/ftp
[+] Related Shell Escape Sequences...
vi--> :!bash
vi--> :set shell=/bin/bash:shell
vi--> :!bash
vi--> :set shell=/bin/bash:shell
awk--> awk 'BEGIN {system("/bin/bash")}'
find--> find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \;
perl--> perl -e 'exec "/bin/bash";'
[*] FINDING RELEVENT PRIVILEGE ESCALATION EXPLOITS...
Traceback (most recent call last):
File "linuxprivchecker.py", line 310, in <module>
version = sysInfo["KERNEL"]["results"][0].split(" ")[2].split("-")[0]
IndexError: list index out of range
charix@Poison:/tmp %
The machine has python’s SimpleHTTPServer module available to serve up files so it’s trivial to get the files.
So I have the files. Looking at the dates i think it’s only user.txt (the HTB user token) and secret.zip I’m supposed to be seeing, with the other files being created by other users on the HackTheBox network. The secret.zip needs a password but that’s not a problem as the Charix login password reused:
So I have a password that looks very strange.
Privilege Escalation
Looking through the LinEnum output it’s apparent that xVNC service is running as root. Services running as root are a common privesc target. Usually you’re looking for services installed by the admin user (as opposed to standard services designed to be run as root) and which have the capability run commands or otherwise interact with the OS. This can be tricky but VNC is a remote desktop application which of course is designed to run commands and just about anything else. So if we can access that we should be able to get root. If the secret is the password for VNC that is.
Taking a closer look at the xVNC service:
(sockstat is FreeBSD’s version of netstat – I had to look it up)
What we’re interested in is the services owned by root. ps is telling us PID 529 is the one we want and googling around for that output, apparently the :1 -desktop means it’s referring to which desktop it’s running (if you had multiple remote desktop connections, each has a unique number). Sockstat for that process tells us that it’s running on port 5901. However, it’s listening on the loopback (local to the server) address only.
Just to cross-check that here’s an nmap scan from my kali box of a port range covering the VNC:
Notice how the EXTERNAL VNC port is 5902 So we only have external access to the Xvnc ports owned by charix. That’s no use at all since we already have Charix access. So we’re going to need a way to get access to 5901 from outside.
I happen to have done this exact things before. fairly recently. I run a Linux server for my company and, for security reasons, I’ve hidden vnc from the public and I use ssh to to access it via an ssh tunnel. The way this works is that you use your existing ssh capabilities to forward a local port on your own box to a local port on the server. You then connect your vnc client to the local port on your own box, SSH then routes that to the server’s local port. When i set up my own VNC I used this guide to do it: https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-vnc-on-ubuntu-16-04 note “Step 3” which gives you the ssh command for setting up the local port forwarding, used here:
This command tells SSH to create a tunnel from our local IP (not specified as it’s assumed) on port 5901 to port 5901 at the other end of the tunnel on ip address 127.0.0.1 (the server’s own local loopback address). Anything we send to port 5901 on our local machine will end up on port 5901 on the remote machine. See here for explanation of port forwarding.
We have that weird password and some searching reveals that VNC passwords are encrypted and there are some decrypters around but also that you can just pass the encrypted password to the command as an argument, see the man page:
Trying it out:
Box. Rooted.
What did I learn from this one?
- Read the outputs more carefully. I messed the password text file for a whole day by simply not reading the list of files.
- Check for services running on internal ports that aren’t on external ports. I didn’t initially do this carefully enough and as they were quite similar numbers it passed my by for longer than it should have.
hey nice write up too. The tunnel part took me a while to get my head around