Initial Enumeration
Whilst more extensive scans are run, let’s look at what we’ve got so far
22/TCP
standard openssh with no known vulnerabilities. Not much use to us so far, without even a username to brute force
80/HTTP
A script testing app. If that doesn’t shout LFI, I don’t know what does.
Testing it on the phpinfo.php file executes it at shows a lot of info that might be useful:
But let’s check for the obvious LFI:
In phpinfo we see this script is in this location: /usr/local/www/apache24/data/browse.php. Just for fun let’s see what code the php file contains using the filter wrapper trick:
By using the base64-encode we base64 output instead of the raw, executable PHP and decoding it offers up the most fundamental file inclusion example possible.
Also from the phpinfo file we see that allow_url_include is not turned on, so a simple RFI is not possible.
Neither dirb, dirbuster or nikto find anything particularly interesting despite using several lists so I went back to the site to take a closer look and (not for the first time) turned out I’d browsed over something important. The listfiles.php script reveals an additional file I’d not noticed – pwdbackup.txt
Getting this file shows some base64 encoding, pointlessly and unrealistically, done 13 times. I really should write a script to automate these things as CTF writers seems to be obsessed with base64 tricks but that would only encourage them:
anyway, after decoding it you get: Charix!2#4%6&8(0
We already have a username Charix with login abilities so let’s see if we can ssh in directly with these creds:
And look, there’s some suspicious looking files in there too:
I’ll check those out in a minute but first I’ll run a privesc checker to get some more info.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 |
charix@Poison:/tmp % python linuxprivchecker.py ================================================================================================= LINUX PRIVILEGE ESCALATION CHECKER ================================================================================================= [*] GETTING BASIC SYSTEM INFO... [+] Kernel [+] Hostname Poison [+] Operating System [*] GETTING NETWORKING INFO... [+] Interfaces le0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 options=8<VLAN_MTU> ether 00:50:56:b9:96:34 hwaddr 00:50:56:b9:96:34 inet 10.10.10.84 netmask 0xffffff00 broadcast 10.10.10.255 nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL> media: Ethernet autoselect status: active lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384 options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6> inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2 inet 127.0.0.1 netmask 0xff000000 nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> groups: lo [+] Netstat [+] Route [*] GETTING FILESYSTEM INFO... [+] Mount results /dev/da0s1a on / (ufs, local, journaled soft-updates) devfs on /dev (devfs, local, multilabel) [+] fstab entries # Device Mountpoint FStype Options Dump Pass# /dev/da0s1a / ufs rw 1 1 /dev/da0s1b none swap sw 0 0 [+] Scheduled cron jobs -rw-r--r-- 1 root wheel 730 Jul 21 2017 /etc/crontab /etc/cron.d: total 8 drwxr-xr-x 2 root wheel 512 Jul 21 2017 . drwxr-xr-x 27 root wheel 2560 Mar 19 16:21 .. [+] Writable cron dirs [*] ENUMERATING USER AND ENVIRONMENTAL INFO... [+] Logged in User Activity 12:01PM up 33 mins, 14 users, load averages: 0.65, 0.31, 0.26 USER TTY FROM LOGIN@ IDLE WHAT charix pts/1 10.10.14.251 11:29AM 9 -csh (csh) charix pts/2 :2 11:47AM 13 -csh (csh) charix pts/3 10.10.14.201 11:29AM 15 -csh (csh) charix pts/4 10.10.15.161 11:30AM 13 -csh (csh) charix pts/5 10.10.15.246 11:31AM - -csh (csh) charix pts/6 10.10.14.58 11:52AM - w charix pts/7 10.10.15.214 11:48AM 6 -csh (csh) charix pts/8 10.10.14.214 11:34AM 14 -csh (csh) charix pts/9 10.10.14.37 11:50AM - nc 10.10.14.37 charix pts/10 10.10.14.232 11:50AM 9 -csh (csh) charix pts/11 10.10.15.21 11:52AM 1 -csh (csh) charix pts/12 :3 11:53AM 7 -csh (csh) charix pts/13 10.10.14.139 11:58AM - -csh (csh) charix pts/14 10.10.14.200 12:00PM - netstat [+] Super Users Found: root toor [+] Environment VENDOR=amd SSH_CLIENT=10.10.14.58 50532 22 LOGNAME=charix PAGER=more OSTYPE=FreeBSD MACHTYPE=x86_64 MAIL=/var/mail/charix PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/home/charix/bin EDITOR=vi HOST=Poison REMOTEHOST=10.10.14.58 PWD=/tmp GROUP=charix TERM=xterm-256color SSH_TTY=/dev/pts/6 HOME=/home/charix USER=charix SSH_CONNECTION=10.10.14.58 50532 10.10.10.84 22 HOSTTYPE=FreeBSD SHELL=/bin/csh BLOCKSIZE=K SHLVL=1 [+] Root and current user history (depends on privs) [+] Sudoers (privileged) [+] All users # $FreeBSD: releng/11.1/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $ # root:*:0:0:Charlie &:/root:/bin/csh toor:*:0:0:Bourne-again Superuser:/root: daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin operator:*:2:5:System &:/:/usr/sbin/nologin bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin news:*:8:8:News Subsystem:/:/usr/sbin/nologin man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin unbound:*:59:59:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin _pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin _dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin _ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin _tss:*:601:601:TrouSerS user:/var/empty:/usr/sbin/nologin messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/usr/sbin/nologin avahi:*:558:558:Avahi Daemon User:/nonexistent:/usr/sbin/nologin cups:*:193:193:Cups Owner:/nonexistent:/usr/sbin/nologin charix:*:1001:1001:charix:/home/charix:/bin/csh [+] Current User charix [+] Current User ID uid=1001(charix) gid=1001(charix) groups=1001(charix) [*] ENUMERATING FILE AND DIRECTORY PERMISSIONS/CONTENTS... [+] World Writeable Directories for User/Group 'Root' drwxrwxrwt 6 root wheel 1536 Sep 7 11:59 /tmp drwxrwxrwt 2 root wheel 512 Sep 7 11:53 /tmp/.X11-unix drwxrwxrwt 2 root wheel 512 Sep 7 11:28 /tmp/.XIM-unix drwxrwxrwt 2 root wheel 512 Sep 7 11:28 /tmp/.ICE-unix drwxrwxrwt 2 root wheel 512 Sep 7 11:28 /tmp/.font-unix drwxrwxrwt 3 root wheel 512 Jul 21 2017 /var/tmp drwxrwxrwt 2 root wheel 512 Mar 19 13:04 /var/tmp/vi.recover [+] World Writeable Directories for Users other than Root [+] World Writable Files [+] Checking if root's home folder is accessible total 0 [+] SUID/SGID Files and Directories -r-xr-sr-x 1 root kmem 11800 Jul 21 2017 /usr/sbin/trpt -r-sr-xr-x 1 root wheel 26736 Jul 21 2017 /usr/sbin/traceroute6 -r-sr-sr-x 2 root authpf 24312 Jul 21 2017 /usr/sbin/authpf-noip -r-sr-xr-x 1 root wheel 32808 Jul 21 2017 /usr/sbin/traceroute -r-sr-xr-x 1 root wheel 21512 Jul 21 2017 /usr/sbin/timedc -r-sr-sr-x 2 root authpf 24312 Jul 21 2017 /usr/sbin/authpf -r-sr-xr-- 1 root network 433872 Jul 21 2017 /usr/sbin/ppp -r-xr-sr-x 1 root daemon 59800 Jul 21 2017 /usr/sbin/lpc -r-xr-sr-x 1 root smmsp 729800 Jul 21 2017 /usr/libexec/sendmail/sendmail -r-sr-xr-- 1 root mail 7424 Jul 21 2017 /usr/libexec/dma-mbox-create -r-sr-xr-x 1 root wheel 6232 Jul 21 2017 /usr/libexec/ulog-helper -r-sr-xr-x 1 root wheel 49152 Jul 21 2017 /usr/libexec/ssh-keysign -r-xr-sr-x 1 root mail 63088 Jul 21 2017 /usr/libexec/dma -r-sr-sr-x 1 root daemon 34368 Jul 21 2017 /usr/bin/lpq -r-sr-xr-x 1 root wheel 16216 Jul 21 2017 /usr/bin/rlogin -r-sr-sr-x 1 root daemon 33072 Jul 21 2017 /usr/bin/lprm -r-xr-sr-x 1 root kmem 13840 Jul 21 2017 /usr/bin/btsockstat -r-sr-sr-x 1 root daemon 41248 Jul 21 2017 /usr/bin/lpr -r-sr-xr-x 4 root wheel 29016 Jul 21 2017 /usr/bin/at -r-sr-xr-x 1 root wheel 33288 Jul 21 2017 /usr/bin/crontab -r-sr-xr-x 4 root wheel 29016 Jul 21 2017 /usr/bin/atrm -r-sr-xr-x 4 root wheel 29016 Jul 21 2017 /usr/bin/atq -r-sr-xr-x 1 root wheel 17584 Jul 21 2017 /usr/bin/su -r-sr-xr-x 1 root wheel 25488 Jul 21 2017 /usr/bin/chpass -r-sr-xr-x 1 root wheel 16264 Jul 21 2017 /usr/bin/quota -r-sr-xr-x 1 root wheel 9856 Jul 21 2017 /usr/bin/passwd -r-xr-sr-x 1 root tty 12280 Jul 21 2017 /usr/bin/write -r-sr-xr-x 1 root wheel 7256 Jul 21 2017 /usr/bin/opieinfo -r-xr-sr-x 1 root kmem 154448 Jul 21 2017 /usr/bin/netstat -r-sr-xr-x 1 root wheel 26040 Jul 21 2017 /usr/bin/login -r-sr-xr-x 4 root wheel 29016 Jul 21 2017 /usr/bin/batch -r-xr-sr-x 1 root tty 15984 Jul 21 2017 /usr/bin/wall -r-sr-xr-x 1 root wheel 14304 Jul 21 2017 /usr/bin/opiepasswd -r-sr-xr-x 1 root wheel 11600 Jul 21 2017 /usr/bin/lock -r-sr-xr-x 1 root wheel 12192 Jul 21 2017 /usr/bin/rsh -r-sr-xr-x 1 root wheel 2191384 Jan 2 2018 /usr/local/bin/Xorg -rwsr-x--- 1 root messagebus 49416 Jan 2 2018 /usr/local/libexec/dbus-daemon-launch-helper -r-sr-xr-x 1 root wheel 20912 Jul 21 2017 /bin/rcp -r-sr-xr-x 1 root wheel 40752 Jul 21 2017 /sbin/ping6 -r-sr-xr-- 2 root operator 15904 Jul 21 2017 /sbin/poweroff -r-sr-xr-- 1 root operator 10600 Jul 21 2017 /sbin/mksnap_ffs -r-sr-xr-- 2 root operator 15904 Jul 21 2017 /sbin/shutdown -r-sr-xr-x 1 root wheel 32488 Jul 21 2017 /sbin/ping [+] Logs containing keyword 'password' [+] Config files containing keyword 'password' [+] Shadow File (Privileged) [*] ENUMERATING PROCESSES AND APPLICATIONS... [+] Installed Packages [+] Current processes USER PID STARTED TIME COMMAND root 11 11:28 32:28.29 [idle] root 12 11:28 0:11.88 [intr] root 4 11:28 0:01.26 [cam] root 23 11:28 0:00.72 [vnlru] root 0 11:28 0:00.01 [kernel] root 1 11:28 0:00.02 /sbin/init root 2 11:28 0:00.00 [crypto] root 3 11:28 0:00.00 [crypto root 5 11:28 0:00.00 [mpt_recovery0] root 6 11:28 0:00.00 [sctp_iterator] root 7 11:28 0:00.88 [rand_harvestq] root 8 11:28 0:00.00 [soaiod1] root 9 11:28 0:00.00 [soaiod2] root 10 11:28 0:00.00 [audit] root 13 11:28 0:00.01 [geom] root 14 11:28 0:00.15 [usb] root 15 11:28 0:00.00 [soaiod3] root 16 11:28 0:00.00 [soaiod4] root 17 11:28 0:00.16 [pagedaemon] root 18 11:28 0:00.00 [vmdaemon] root 19 11:28 0:00.00 [pagezero] root 20 11:28 0:00.13 [bufdaemon] root 21 11:28 0:00.01 [bufspacedaemon] root 22 11:28 0:00.27 [syncer] root 319 11:28 0:00.19 /sbin/devd root 390 11:28 0:00.08 /usr/sbin/syslogd root 543 11:28 0:01.63 /usr/local/bin/vmtoolsd root 620 11:28 0:00.05 /usr/sbin/sshd root 626 11:28 0:00.03 sshd: root 628 11:28 0:00.02 sshd: charix 638 11:29 0:00.22 sshd: root 645 11:29 0:00.02 sshd: charix 660 11:29 0:00.06 sshd: root 669 11:29 0:00.59 /usr/local/sbin/httpd charix 686 11:29 0:00.41 sshd: root 706 11:30 0:00.02 sshd: charix 729 11:30 0:00.01 sshd: charix 730 11:30 0:00.01 csh charix 732 11:30 0:00.01 /usr/libexec/sftp-server root 733 11:30 0:00.02 sshd: root 735 11:30 0:00.04 sendmail: charix 855 11:30 0:00.08 sshd: smmsp 963 11:30 0:00.00 sendmail: root 967 11:30 0:00.01 /usr/sbin/cron root 1033 11:31 0:00.02 sshd: charix 1043 11:31 0:00.29 sshd: root 1075 11:32 0:00.03 sshd: charix 1144 11:34 0:00.03 sshd: www 1256 11:42 0:00.69 /usr/local/sbin/httpd www 1265 11:42 0:00.65 /usr/local/sbin/httpd www 1271 11:42 0:00.63 /usr/local/sbin/httpd www 1355 11:42 0:00.78 /usr/local/sbin/httpd www 1463 11:44 0:00.68 /usr/local/sbin/httpd www 1493 11:44 0:00.81 /usr/local/sbin/httpd www 1497 11:44 0:00.59 /usr/local/sbin/httpd www 1528 11:44 0:00.71 /usr/local/sbin/httpd www 1537 11:44 0:00.54 /usr/local/sbin/httpd root 1634 11:47 0:00.02 sshd: charix 1654 11:48 0:00.01 sshd: root 1659 11:48 0:00.03 sshd: root 1693 11:50 0:00.02 sshd: charix 1700 11:50 0:00.07 sshd: charix 1706 11:50 0:00.02 sshd: root 1725 11:51 0:00.03 sshd: charix 1736 11:52 0:00.15 sshd: root 1749 11:52 0:00.03 sshd: charix 1766 11:52 0:00.06 sshd: www 1784 11:53 0:00.44 /usr/local/sbin/httpd root 1908 11:58 0:00.03 sshd: charix 1960 11:58 0:00.03 sshd: root 2031 12:00 0:00.02 sshd: charix 2041 12:00 0:00.01 sshd: root 529 11:28 0:00.23 Xvnc root 540 11:28 0:00.12 xterm root 541 11:28 0:00.02 twm root 1014 11:30 0:00.00 /usr/libexec/getty root 1015 11:30 0:00.00 /usr/libexec/getty root 1016 11:30 0:00.00 /usr/libexec/getty root 1017 11:30 0:00.00 /usr/libexec/getty root 1018 11:30 0:00.00 /usr/libexec/getty root 1019 11:30 0:00.00 /usr/libexec/getty root 1020 11:30 0:00.00 /usr/libexec/getty root 1021 11:30 0:00.00 /usr/libexec/getty root 554 11:28 0:00.04 -csh charix 639 11:29 0:00.13 -csh charix 1623 11:47 0:00.02 -csh charix 662 11:29 0:00.05 -csh charix 856 11:30 0:00.07 -csh charix 1044 11:31 0:00.27 -csh root 1465 11:44 0:00.37 Xorg charix 1613 11:47 0:00.82 Xvnc charix 1620 11:47 0:00.04 xterm charix 1621 11:47 0:00.01 twm charix 1788 11:53 0:00.06 Xvnc charix 1795 11:53 0:00.04 xterm charix 1796 11:53 0:00.01 twm charix 1737 11:52 0:00.08 -csh charix 2049 12:01 0:00.09 python charix 2157 12:02 0:00.00 /bin/sh charix 2158 12:02 0:00.00 ps charix 2159 12:02 0:00.00 awk charix 1655 11:48 0:00.01 -csh charix 1145 11:34 0:00.03 -csh charix 1701 11:50 0:00.07 -csh charix 1707 11:50 0:00.02 -csh charix 1767 11:52 0:00.06 -csh charix 1798 11:53 0:00.02 -csh charix 1961 11:58 0:00.03 -csh charix 2042 12:00 0:00.01 -csh charix 2047 12:00 0:00.09 netstat [+] Apache Version and Modules Server version: Apache/2.4.29 (FreeBSD) Server built: unknown Compiled in modules: core.c mod_so.c http_core.c [+] Apache Config File [+] Sudo Version (Check out http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=sudo) [*] IDENTIFYING PROCESSES AND PACKAGES RUNNING AS ROOT OR OTHER SUPERUSER... root 543 11:28 0:01.63 /usr/local/bin/vmtoolsd root 1749 11:52 0:00.03 sshd: root 319 11:28 0:00.19 /sbin/devd root 1020 11:30 0:00.00 /usr/libexec/getty root 1019 11:30 0:00.00 /usr/libexec/getty root 1033 11:31 0:00.02 sshd: root 628 11:28 0:00.02 sshd: root 554 11:28 0:00.04 -csh root 19 11:28 0:00.00 [pagezero] root 12 11:28 0:11.88 [intr] root 733 11:30 0:00.02 sshd: root 2031 12:00 0:00.02 sshd: root 21 11:28 0:00.01 [bufspacedaemon] root 735 11:30 0:00.04 sendmail: root 6 11:28 0:00.00 [sctp_iterator] root 1017 11:30 0:00.00 /usr/libexec/getty root 5 11:28 0:00.00 [mpt_recovery0] root 16 11:28 0:00.00 [soaiod4] root 1725 11:51 0:00.03 sshd: root 1693 11:50 0:00.02 sshd: root 1075 11:32 0:00.03 sshd: root 2 11:28 0:00.00 [crypto] root 669 11:29 0:00.59 /usr/local/sbin/httpd root 626 11:28 0:00.03 sshd: root 0 11:28 0:00.01 [kernel] root 967 11:30 0:00.01 /usr/sbin/cron root 17 11:28 0:00.16 [pagedaemon] root 390 11:28 0:00.08 /usr/sbin/syslogd root 8 11:28 0:00.00 [soaiod1] root 620 11:28 0:00.05 /usr/sbin/sshd root 22 11:28 0:00.27 [syncer] root 13 11:28 0:00.01 [geom] root 18 11:28 0:00.00 [vmdaemon] root 1634 11:47 0:00.02 sshd: root 1908 11:58 0:00.03 sshd: root 4 11:28 0:01.26 [cam] root 9 11:28 0:00.00 [soaiod2] root 15 11:28 0:00.00 [soaiod3] root 1016 11:30 0:00.00 /usr/libexec/getty root 10 11:28 0:00.00 [audit] root 645 11:29 0:00.02 sshd: root 1014 11:30 0:00.00 /usr/libexec/getty root 11 11:28 32:28.29 [idle] root 3 11:28 0:00.00 [crypto root 23 11:28 0:00.72 [vnlru] root 14 11:28 0:00.15 [usb] root 1 11:28 0:00.02 /sbin/init root 7 11:28 0:00.88 [rand_harvestq] root 706 11:30 0:00.02 sshd: root 541 11:28 0:00.02 twm root 529 11:28 0:00.23 Xvnc root 1021 11:30 0:00.00 /usr/libexec/getty root 1015 11:30 0:00.00 /usr/libexec/getty root 1659 11:48 0:00.03 sshd: root 1465 11:44 0:00.37 Xorg root 540 11:28 0:00.12 xterm root 1018 11:30 0:00.00 /usr/libexec/getty root 20 11:28 0:00.13 [bufdaemon] [*] ENUMERATING INSTALLED LANGUAGES/TOOLS FOR SPLOIT BUILDING... [+] Installed Tools /usr/bin/awk /usr/local/bin/perl /usr/local/bin/python /usr/local/bin/ruby /usr/bin/cc /usr/bin/vi /usr/local/bin/vim /usr/bin/find /usr/bin/nc /usr/local/bin/wget /usr/bin/tftp /usr/bin/ftp [+] Related Shell Escape Sequences... vi--> :!bash vi--> :set shell=/bin/bash:shell vi--> :!bash vi--> :set shell=/bin/bash:shell awk--> awk 'BEGIN {system("/bin/bash")}' find--> find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \; perl--> perl -e 'exec "/bin/bash";' [*] FINDING RELEVENT PRIVILEGE ESCALATION EXPLOITS... Traceback (most recent call last): File "linuxprivchecker.py", line 310, in <module> version = sysInfo["KERNEL"]["results"][0].split(" ")[2].split("-")[0] IndexError: list index out of range charix@Poison:/tmp % |
The machine has python’s SimpleHTTPServer module available to serve up files so it’s trivial to get the files.
So I have the files. Looking at the dates i think it’s only user.txt (the HTB user token) and secret.zip I’m supposed to be seeing, with the other files being created by other users on the HackTheBox network. The secret.zip needs a password but that’s not a problem as the Charix login password reused:
So I have a password that looks very strange.
Privilege Escalation
Looking through the LinEnum output it’s apparent that xVNC service is running as root. Services running as root are a common privesc target. Usually you’re looking for services installed by the admin user (as opposed to standard services designed to be run as root) and which have the capability run commands or otherwise interact with the OS. This can be tricky but VNC is a remote desktop application which of course is designed to run commands and just about anything else. So if we can access that we should be able to get root. If the secret is the password for VNC that is.
Taking a closer look at the xVNC service:
(sockstat is FreeBSD’s version of netstat – I had to look it up)
What we’re interested in is the services owned by root. ps is telling us PID 529 is the one we want and googling around for that output, apparently the :1 -desktop means it’s referring to which desktop it’s running (if you had multiple remote desktop connections, each has a unique number). Sockstat for that process tells us that it’s running on port 5901. However, it’s listening on the loopback (local to the server) address only.
Just to cross-check that here’s an nmap scan from my kali box of a port range covering the VNC:
Notice how the EXTERNAL VNC port is 5902 So we only have external access to the Xvnc ports owned by charix. That’s no use at all since we already have Charix access. So we’re going to need a way to get access to 5901 from outside.
I happen to have done this exact things before. fairly recently. I run a Linux server for my company and, for security reasons, I’ve hidden vnc from the public and I use ssh to to access it via an ssh tunnel. The way this works is that you use your existing ssh capabilities to forward a local port on your own box to a local port on the server. You then connect your vnc client to the local port on your own box, SSH then routes that to the server’s local port. When i set up my own VNC I used this guide to do it: https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-vnc-on-ubuntu-16-04 note “Step 3” which gives you the ssh command for setting up the local port forwarding, used here:
This command tells SSH to create a tunnel from our local IP (not specified as it’s assumed) on port 5901 to port 5901 at the other end of the tunnel on ip address 127.0.0.1 (the server’s own local loopback address). Anything we send to port 5901 on our local machine will end up on port 5901 on the remote machine. See here for explanation of port forwarding.
We have that weird password and some searching reveals that VNC passwords are encrypted and there are some decrypters around but also that you can just pass the encrypted password to the command as an argument, see the man page:
Trying it out:
Box. Rooted.
What did I learn from this one?
- Read the outputs more carefully. I messed the password text file for a whole day by simply not reading the list of files.
- Check for services running on internal ports that aren’t on external ports. I didn’t initially do this carefully enough and as they were quite similar numbers it passed my by for longer than it should have.
rowbot says
2018-09-10 at 1:16 pmhey nice write up too. The tunnel part took me a while to get my head around