NeilSec: Security Learning Blog

Pentesting, infosec, hacking, learning.


Hackthebox: Poison – Walkthrough

2018-09-06 by Neil 1 Comment

Initial Enumeration

Whilst more extensive scans are run, let's look at what we've got so far:

22/TCP

Standard OpenSSH with no known vulnerabilities. Not much use to us so far, without even a username to brute force.

80/HTTP

A script testing app. If that doesn’t shout LFI, I don’t know what does.

Testing it on the phpinfo.php file executes it and shows a lot of info that might be useful:

But let’s check for the obvious LFI:

In phpinfo we see this script lives at /usr/local/www/apache24/data/browse.php. Just for fun, let's see what code the PHP file contains using the filter wrapper trick:

Using the base64-encode filter, we get the file's contents base64-encoded instead of as raw, executable PHP; decoding it offers up the most fundamental file inclusion example possible.

Also from the phpinfo output we see that allow_url_include is not turned on, so a simple RFI is not possible.
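The two observations above go together: allow_url_include=Off stops remote wrappers, but php://filter reads a local file, so a script that hands a request parameter straight to include still leaks source. As an added example (my own code, not the box's browse.php and not from this post), here is how a file-serving endpoint of this kind can be hardened. It is written in Python rather than PHP, but the checks carry over directly. DOC_ROOT is the path from the phpinfo output; ALLOWED_SCRIPTS is a constructed allowlist.

```python
import os
from typing import FrozenSet, Optional
from urllib.parse import urlsplit

# Document root of the script-testing app, as seen in the phpinfo output on the box.
DOC_ROOT = "/usr/local/www/apache24/data"

# Constructed allowlist: the scripts the app is actually meant to display. In a real
# app this comes from the deployment, never from anything in the request.
ALLOWED_SCRIPTS: FrozenSet[str] = frozenset({"browse.php", "listfiles.php", "phpinfo.php"})


def resolve_requested_file(requested: str,
                           doc_root: str = DOC_ROOT,
                           allowed: Optional[FrozenSet[str]] = ALLOWED_SCRIPTS) -> Optional[str]:
    """Return the absolute path the app may read for `requested`, or None to refuse.

    Three checks, each closing a different door:
      1. No NUL bytes and no URL scheme. allow_url_include=Off only blocks the
         remote wrappers; php://filter/... is a local stream and still gets
         through unless the scheme itself is rejected.
      2. Path confinement: resolve the path and require it to stay under
         doc_root, which defeats ../ traversal and absolute paths.
      3. Optional allowlist of names, so a stray backup file such as
         pwdbackup.txt is not served even though it lies under doc_root.
         Pass allowed=None to see how much weaker confinement alone is.
    """
    if not requested or "\x00" in requested:
        return None
    if urlsplit(requested).scheme:
        return None
    root = os.path.realpath(doc_root)
    full = os.path.realpath(os.path.join(root, requested))
    # realpath has already collapsed ../ so an escape shows up as a different prefix.
    if full == root or os.path.commonpath([root, full]) != root:
        return None
    if allowed is not None and os.path.relpath(full, root) not in allowed:
        return None
    return full


if __name__ == "__main__":
    for probe in ("browse.php",
                  "php://filter/convert.base64-encode/resource=browse.php",
                  "../../../../../etc/passwd",
                  "pwdbackup.txt"):
        print(f"{probe!r:60} -> {resolve_requested_file(probe)}")
```

With the allowlist in place the wrapper, the traversal and the backup file are all refused; with allowed=None the traversal and wrapper are still refused but pwdbackup.txt is served, which is exactly the exposure the listfiles.php script turned into a foothold.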

Neither dirb, dirbuster nor nikto find anything particularly interesting despite using several lists, so I went back to the site to take a closer look and (not for the first time) it turned out I'd browsed over something important. The listfiles.php script reveals an additional file I'd not noticed: pwdbackup.txt.

Getting this file shows some base64 encoding, pointlessly and unrealistically done 13 times. I really should write a script to automate these things, as CTF writers seem to be obsessed with base64 tricks, but that would only encourage them:

Anyway, after decoding it you get: Charix!2#4%6&8(0

We already have a username, Charix, with login abilities, so let's see if we can ssh in directly with these creds:

And look, there are some suspicious-looking files in there too:

I’ll check those out in a minute but first I’ll run a privesc checker to get some more info.

charix@Poison:/tmp % python linuxprivchecker.py
=================================================================================================
LINUX PRIVILEGE ESCALATION CHECKER
=================================================================================================
[*] GETTING BASIC SYSTEM INFO...
[+] Kernel
[+] Hostname
    Poison
[+] Operating System
[*] GETTING NETWORKING INFO...
[+] Interfaces
    le0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 00:50:56:b9:96:34
    hwaddr 00:50:56:b9:96:34
    inet 10.10.10.84 netmask 0xffffff00 broadcast 10.10.10.255
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    media: Ethernet autoselect
    status: active
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
    inet 127.0.0.1 netmask 0xff000000
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    groups: lo
[+] Netstat
[+] Route
[*] GETTING FILESYSTEM INFO...
[+] Mount results
    /dev/da0s1a on / (ufs, local, journaled soft-updates)
    devfs on /dev (devfs, local, multilabel)
[+] fstab entries
    # Device	Mountpoint	FStype	Options	Dump	Pass#
    /dev/da0s1a	/		ufs	rw	1	1
    /dev/da0s1b	none		swap	sw	0	0
[+] Scheduled cron jobs
    -rw-r--r--  1 root  wheel  730 Jul 21  2017 /etc/crontab
    /etc/cron.d:
    total 8
    drwxr-xr-x   2 root  wheel   512 Jul 21  2017 .
    drwxr-xr-x  27 root  wheel  2560 Mar 19 16:21 ..
[+] Writable cron dirs

[*] ENUMERATING USER AND ENVIRONMENTAL INFO...
[+] Logged in User Activity
    12:01PM  up 33 mins, 14 users, load averages: 0.65, 0.31, 0.26
    USER       TTY      FROM                                      LOGIN@  IDLE WHAT
    charix     pts/1    10.10.14.251                             11:29AM     9 -csh (csh)
    charix     pts/2    :2                                       11:47AM    13 -csh (csh)
    charix     pts/3    10.10.14.201                             11:29AM    15 -csh (csh)
    charix     pts/4    10.10.15.161                             11:30AM    13 -csh (csh)
    charix     pts/5    10.10.15.246                             11:31AM     - -csh (csh)
    charix     pts/6    10.10.14.58                              11:52AM     - w
    charix     pts/7    10.10.15.214                             11:48AM     6 -csh (csh)
    charix     pts/8    10.10.14.214                             11:34AM    14 -csh (csh)
    charix     pts/9    10.10.14.37                              11:50AM     - nc 10.10.14.37
    charix     pts/10   10.10.14.232                             11:50AM     9 -csh (csh)
    charix     pts/11   10.10.15.21                              11:52AM     1 -csh (csh)
    charix     pts/12   :3                                       11:53AM     7 -csh (csh)
    charix     pts/13   10.10.14.139                             11:58AM     - -csh (csh)
    charix     pts/14   10.10.14.200                             12:00PM     - netstat
[+] Super Users Found:
    root
    toor
[+] Environment
    VENDOR=amd
    SSH_CLIENT=10.10.14.58 50532 22
    LOGNAME=charix
    PAGER=more
    OSTYPE=FreeBSD
    MACHTYPE=x86_64
    MAIL=/var/mail/charix
    PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/home/charix/bin
    EDITOR=vi
    HOST=Poison
    REMOTEHOST=10.10.14.58
    PWD=/tmp
    GROUP=charix
    TERM=xterm-256color
    SSH_TTY=/dev/pts/6
    HOME=/home/charix
    USER=charix
    SSH_CONNECTION=10.10.14.58 50532 10.10.10.84 22
    HOSTTYPE=FreeBSD
    SHELL=/bin/csh
    BLOCKSIZE=K
    SHLVL=1
[+] Root and current user history (depends on privs)
[+] Sudoers (privileged)
[+] All users
    # $FreeBSD: releng/11.1/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
    #
    root:*:0:0:Charlie &:/root:/bin/csh
    toor:*:0:0:Bourne-again Superuser:/root:
    daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
    operator:*:2:5:System &:/:/usr/sbin/nologin
    bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
    tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
    kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
    games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin
    news:*:8:8:News Subsystem:/:/usr/sbin/nologin
    man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
    sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
    smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
    mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
    bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
    unbound:*:59:59:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
    proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
    _pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
    _dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
    uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
    pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
    auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
    www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
    _ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
    hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
    nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
    _tss:*:601:601:TrouSerS user:/var/empty:/usr/sbin/nologin
    messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/usr/sbin/nologin
    avahi:*:558:558:Avahi Daemon User:/nonexistent:/usr/sbin/nologin
    cups:*:193:193:Cups Owner:/nonexistent:/usr/sbin/nologin
    charix:*:1001:1001:charix:/home/charix:/bin/csh
[+] Current User
    charix
[+] Current User ID
    uid=1001(charix) gid=1001(charix) groups=1001(charix)
[*] ENUMERATING FILE AND DIRECTORY PERMISSIONS/CONTENTS...
[+] World Writeable Directories for User/Group 'Root'
    drwxrwxrwt  6 root  wheel  1536 Sep  7 11:59 /tmp
    drwxrwxrwt  2 root  wheel  512 Sep  7 11:53 /tmp/.X11-unix
    drwxrwxrwt  2 root  wheel  512 Sep  7 11:28 /tmp/.XIM-unix
    drwxrwxrwt  2 root  wheel  512 Sep  7 11:28 /tmp/.ICE-unix
    drwxrwxrwt  2 root  wheel  512 Sep  7 11:28 /tmp/.font-unix
    drwxrwxrwt  3 root  wheel  512 Jul 21  2017 /var/tmp
    drwxrwxrwt  2 root  wheel  512 Mar 19 13:04 /var/tmp/vi.recover
[+] World Writeable Directories for Users other than Root
[+] World Writable Files
[+] Checking if root's home folder is accessible
    total 0
[+] SUID/SGID Files and Directories
    -r-xr-sr-x  1 root  kmem  11800 Jul 21  2017 /usr/sbin/trpt
    -r-sr-xr-x  1 root  wheel  26736 Jul 21  2017 /usr/sbin/traceroute6
    -r-sr-sr-x  2 root  authpf  24312 Jul 21  2017 /usr/sbin/authpf-noip
    -r-sr-xr-x  1 root  wheel  32808 Jul 21  2017 /usr/sbin/traceroute
    -r-sr-xr-x  1 root  wheel  21512 Jul 21  2017 /usr/sbin/timedc
    -r-sr-sr-x  2 root  authpf  24312 Jul 21  2017 /usr/sbin/authpf
    -r-sr-xr--  1 root  network  433872 Jul 21  2017 /usr/sbin/ppp
    -r-xr-sr-x  1 root  daemon  59800 Jul 21  2017 /usr/sbin/lpc
    -r-xr-sr-x  1 root  smmsp  729800 Jul 21  2017 /usr/libexec/sendmail/sendmail
    -r-sr-xr--  1 root  mail  7424 Jul 21  2017 /usr/libexec/dma-mbox-create
    -r-sr-xr-x  1 root  wheel  6232 Jul 21  2017 /usr/libexec/ulog-helper
    -r-sr-xr-x  1 root  wheel  49152 Jul 21  2017 /usr/libexec/ssh-keysign
    -r-xr-sr-x  1 root  mail  63088 Jul 21  2017 /usr/libexec/dma
    -r-sr-sr-x  1 root  daemon  34368 Jul 21  2017 /usr/bin/lpq
    -r-sr-xr-x  1 root  wheel  16216 Jul 21  2017 /usr/bin/rlogin
    -r-sr-sr-x  1 root  daemon  33072 Jul 21  2017 /usr/bin/lprm
    -r-xr-sr-x  1 root  kmem  13840 Jul 21  2017 /usr/bin/btsockstat
    -r-sr-sr-x  1 root  daemon  41248 Jul 21  2017 /usr/bin/lpr
    -r-sr-xr-x  4 root  wheel  29016 Jul 21  2017 /usr/bin/at
    -r-sr-xr-x  1 root  wheel  33288 Jul 21  2017 /usr/bin/crontab
    -r-sr-xr-x  4 root  wheel  29016 Jul 21  2017 /usr/bin/atrm
    -r-sr-xr-x  4 root  wheel  29016 Jul 21  2017 /usr/bin/atq
    -r-sr-xr-x  1 root  wheel  17584 Jul 21  2017 /usr/bin/su
    -r-sr-xr-x  1 root  wheel  25488 Jul 21  2017 /usr/bin/chpass
    -r-sr-xr-x  1 root  wheel  16264 Jul 21  2017 /usr/bin/quota
    -r-sr-xr-x  1 root  wheel  9856 Jul 21  2017 /usr/bin/passwd
    -r-xr-sr-x  1 root  tty  12280 Jul 21  2017 /usr/bin/write
    -r-sr-xr-x  1 root  wheel  7256 Jul 21  2017 /usr/bin/opieinfo
    -r-xr-sr-x  1 root  kmem  154448 Jul 21  2017 /usr/bin/netstat
    -r-sr-xr-x  1 root  wheel  26040 Jul 21  2017 /usr/bin/login
    -r-sr-xr-x  4 root  wheel  29016 Jul 21  2017 /usr/bin/batch
    -r-xr-sr-x  1 root  tty  15984 Jul 21  2017 /usr/bin/wall
    -r-sr-xr-x  1 root  wheel  14304 Jul 21  2017 /usr/bin/opiepasswd
    -r-sr-xr-x  1 root  wheel  11600 Jul 21  2017 /usr/bin/lock
    -r-sr-xr-x  1 root  wheel  12192 Jul 21  2017 /usr/bin/rsh
    -r-sr-xr-x  1 root  wheel  2191384 Jan  2  2018 /usr/local/bin/Xorg
    -rwsr-x---  1 root  messagebus  49416 Jan  2  2018 /usr/local/libexec/dbus-daemon-launch-helper
    -r-sr-xr-x  1 root  wheel  20912 Jul 21  2017 /bin/rcp
    -r-sr-xr-x  1 root  wheel  40752 Jul 21  2017 /sbin/ping6
    -r-sr-xr--  2 root  operator  15904 Jul 21  2017 /sbin/poweroff
    -r-sr-xr--  1 root  operator  10600 Jul 21  2017 /sbin/mksnap_ffs
    -r-sr-xr--  2 root  operator  15904 Jul 21  2017 /sbin/shutdown
    -r-sr-xr-x  1 root  wheel  32488 Jul 21  2017 /sbin/ping
[+] Logs containing keyword 'password'
[+] Config files containing keyword 'password'
[+] Shadow File (Privileged)
[*] ENUMERATING PROCESSES AND APPLICATIONS...
[+] Installed Packages
[+] Current processes
    USER PID STARTED TIME COMMAND
    root 11 11:28 32:28.29 [idle]
    root 12 11:28 0:11.88 [intr]
    root 4 11:28 0:01.26 [cam]
    root 23 11:28 0:00.72 [vnlru]
    root 0 11:28 0:00.01 [kernel]
    root 1 11:28 0:00.02 /sbin/init
    root 2 11:28 0:00.00 [crypto]
    root 3 11:28 0:00.00 [crypto
    root 5 11:28 0:00.00 [mpt_recovery0]
    root 6 11:28 0:00.00 [sctp_iterator]
    root 7 11:28 0:00.88 [rand_harvestq]
    root 8 11:28 0:00.00 [soaiod1]
    root 9 11:28 0:00.00 [soaiod2]
    root 10 11:28 0:00.00 [audit]
    root 13 11:28 0:00.01 [geom]
    root 14 11:28 0:00.15 [usb]
    root 15 11:28 0:00.00 [soaiod3]
    root 16 11:28 0:00.00 [soaiod4]
    root 17 11:28 0:00.16 [pagedaemon]
    root 18 11:28 0:00.00 [vmdaemon]
    root 19 11:28 0:00.00 [pagezero]
    root 20 11:28 0:00.13 [bufdaemon]
    root 21 11:28 0:00.01 [bufspacedaemon]
    root 22 11:28 0:00.27 [syncer]
    root 319 11:28 0:00.19 /sbin/devd
    root 390 11:28 0:00.08 /usr/sbin/syslogd
    root 543 11:28 0:01.63 /usr/local/bin/vmtoolsd
    root 620 11:28 0:00.05 /usr/sbin/sshd
    root 626 11:28 0:00.03 sshd:
    root 628 11:28 0:00.02 sshd:
    charix 638 11:29 0:00.22 sshd:
    root 645 11:29 0:00.02 sshd:
    charix 660 11:29 0:00.06 sshd:
    root 669 11:29 0:00.59 /usr/local/sbin/httpd
    charix 686 11:29 0:00.41 sshd:
    root 706 11:30 0:00.02 sshd:
    charix 729 11:30 0:00.01 sshd:
    charix 730 11:30 0:00.01 csh
    charix 732 11:30 0:00.01 /usr/libexec/sftp-server
    root 733 11:30 0:00.02 sshd:
    root 735 11:30 0:00.04 sendmail:
    charix 855 11:30 0:00.08 sshd:
    smmsp 963 11:30 0:00.00 sendmail:
    root 967 11:30 0:00.01 /usr/sbin/cron
    root 1033 11:31 0:00.02 sshd:
    charix 1043 11:31 0:00.29 sshd:
    root 1075 11:32 0:00.03 sshd:
    charix 1144 11:34 0:00.03 sshd:
    www 1256 11:42 0:00.69 /usr/local/sbin/httpd
    www 1265 11:42 0:00.65 /usr/local/sbin/httpd
    www 1271 11:42 0:00.63 /usr/local/sbin/httpd
    www 1355 11:42 0:00.78 /usr/local/sbin/httpd
    www 1463 11:44 0:00.68 /usr/local/sbin/httpd
    www 1493 11:44 0:00.81 /usr/local/sbin/httpd
    www 1497 11:44 0:00.59 /usr/local/sbin/httpd
    www 1528 11:44 0:00.71 /usr/local/sbin/httpd
    www 1537 11:44 0:00.54 /usr/local/sbin/httpd
    root 1634 11:47 0:00.02 sshd:
    charix 1654 11:48 0:00.01 sshd:
    root 1659 11:48 0:00.03 sshd:
    root 1693 11:50 0:00.02 sshd:
    charix 1700 11:50 0:00.07 sshd:
    charix 1706 11:50 0:00.02 sshd:
    root 1725 11:51 0:00.03 sshd:
    charix 1736 11:52 0:00.15 sshd:
    root 1749 11:52 0:00.03 sshd:
    charix 1766 11:52 0:00.06 sshd:
    www 1784 11:53 0:00.44 /usr/local/sbin/httpd
    root 1908 11:58 0:00.03 sshd:
    charix 1960 11:58 0:00.03 sshd:
    root 2031 12:00 0:00.02 sshd:
    charix 2041 12:00 0:00.01 sshd:
    root 529 11:28 0:00.23 Xvnc
    root 540 11:28 0:00.12 xterm
    root 541 11:28 0:00.02 twm
    root 1014 11:30 0:00.00 /usr/libexec/getty
    root 1015 11:30 0:00.00 /usr/libexec/getty
    root 1016 11:30 0:00.00 /usr/libexec/getty
    root 1017 11:30 0:00.00 /usr/libexec/getty
    root 1018 11:30 0:00.00 /usr/libexec/getty
    root 1019 11:30 0:00.00 /usr/libexec/getty
    root 1020 11:30 0:00.00 /usr/libexec/getty
    root 1021 11:30 0:00.00 /usr/libexec/getty
    root 554 11:28 0:00.04 -csh
    charix 639 11:29 0:00.13 -csh
    charix 1623 11:47 0:00.02 -csh
    charix 662 11:29 0:00.05 -csh
    charix 856 11:30 0:00.07 -csh
    charix 1044 11:31 0:00.27 -csh
    root 1465 11:44 0:00.37 Xorg
    charix 1613 11:47 0:00.82 Xvnc
    charix 1620 11:47 0:00.04 xterm
    charix 1621 11:47 0:00.01 twm
    charix 1788 11:53 0:00.06 Xvnc
    charix 1795 11:53 0:00.04 xterm
    charix 1796 11:53 0:00.01 twm
    charix 1737 11:52 0:00.08 -csh
    charix 2049 12:01 0:00.09 python
    charix 2157 12:02 0:00.00 /bin/sh
    charix 2158 12:02 0:00.00 ps
    charix 2159 12:02 0:00.00 awk
    charix 1655 11:48 0:00.01 -csh
    charix 1145 11:34 0:00.03 -csh
    charix 1701 11:50 0:00.07 -csh
    charix 1707 11:50 0:00.02 -csh
    charix 1767 11:52 0:00.06 -csh
    charix 1798 11:53 0:00.02 -csh
    charix 1961 11:58 0:00.03 -csh
    charix 2042 12:00 0:00.01 -csh
    charix 2047 12:00 0:00.09 netstat
[+] Apache Version and Modules
    Server version: Apache/2.4.29 (FreeBSD)
    Server built:   unknown
    Compiled in modules:
    core.c
    mod_so.c
    http_core.c
[+] Apache Config File
[+] Sudo Version (Check out https://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=sudo)
[*] IDENTIFYING PROCESSES AND PACKAGES RUNNING AS ROOT OR OTHER SUPERUSER...
    root 543 11:28 0:01.63 /usr/local/bin/vmtoolsd
    root 1749 11:52 0:00.03 sshd:
    root 319 11:28 0:00.19 /sbin/devd
    root 1020 11:30 0:00.00 /usr/libexec/getty
    root 1019 11:30 0:00.00 /usr/libexec/getty
    root 1033 11:31 0:00.02 sshd:
    root 628 11:28 0:00.02 sshd:
    root 554 11:28 0:00.04 -csh
    root 19 11:28 0:00.00 [pagezero]
    root 12 11:28 0:11.88 [intr]
    root 733 11:30 0:00.02 sshd:
    root 2031 12:00 0:00.02 sshd:
    root 21 11:28 0:00.01 [bufspacedaemon]
    root 735 11:30 0:00.04 sendmail:
    root 6 11:28 0:00.00 [sctp_iterator]
    root 1017 11:30 0:00.00 /usr/libexec/getty
    root 5 11:28 0:00.00 [mpt_recovery0]
    root 16 11:28 0:00.00 [soaiod4]
    root 1725 11:51 0:00.03 sshd:
    root 1693 11:50 0:00.02 sshd:
    root 1075 11:32 0:00.03 sshd:
    root 2 11:28 0:00.00 [crypto]
    root 669 11:29 0:00.59 /usr/local/sbin/httpd
    root 626 11:28 0:00.03 sshd:
    root 0 11:28 0:00.01 [kernel]
    root 967 11:30 0:00.01 /usr/sbin/cron
    root 17 11:28 0:00.16 [pagedaemon]
    root 390 11:28 0:00.08 /usr/sbin/syslogd
    root 8 11:28 0:00.00 [soaiod1]
    root 620 11:28 0:00.05 /usr/sbin/sshd
    root 22 11:28 0:00.27 [syncer]
    root 13 11:28 0:00.01 [geom]
    root 18 11:28 0:00.00 [vmdaemon]
    root 1634 11:47 0:00.02 sshd:
    root 1908 11:58 0:00.03 sshd:
    root 4 11:28 0:01.26 [cam]
    root 9 11:28 0:00.00 [soaiod2]
    root 15 11:28 0:00.00 [soaiod3]
    root 1016 11:30 0:00.00 /usr/libexec/getty
    root 10 11:28 0:00.00 [audit]
    root 645 11:29 0:00.02 sshd:
    root 1014 11:30 0:00.00 /usr/libexec/getty
    root 11 11:28 32:28.29 [idle]
    root 3 11:28 0:00.00 [crypto
    root 23 11:28 0:00.72 [vnlru]
    root 14 11:28 0:00.15 [usb]
    root 1 11:28 0:00.02 /sbin/init
    root 7 11:28 0:00.88 [rand_harvestq]
    root 706 11:30 0:00.02 sshd:
    root 541 11:28 0:00.02 twm
    root 529 11:28 0:00.23 Xvnc
    root 1021 11:30 0:00.00 /usr/libexec/getty
    root 1015 11:30 0:00.00 /usr/libexec/getty
    root 1659 11:48 0:00.03 sshd:
    root 1465 11:44 0:00.37 Xorg
    root 540 11:28 0:00.12 xterm
    root 1018 11:30 0:00.00 /usr/libexec/getty
    root 20 11:28 0:00.13 [bufdaemon]
[*] ENUMERATING INSTALLED LANGUAGES/TOOLS FOR SPLOIT BUILDING...
[+] Installed Tools
    /usr/bin/awk
    /usr/local/bin/perl
    /usr/local/bin/python
    /usr/local/bin/ruby
    /usr/bin/cc
    /usr/bin/vi
    /usr/local/bin/vim
    /usr/bin/find
    /usr/bin/nc
    /usr/local/bin/wget
    /usr/bin/tftp
    /usr/bin/ftp
[+] Related Shell Escape Sequences...
    vi-->	:!bash
    vi-->	:set shell=/bin/bash:shell
    vi-->	:!bash
    vi-->	:set shell=/bin/bash:shell
    awk-->	awk 'BEGIN {system("/bin/bash")}'
    find-->	find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \;
    perl-->	perl -e 'exec "/bin/bash";'
[*] FINDING RELEVENT PRIVILEGE ESCALATION EXPLOITS...
Traceback (most recent call last):
  File "linuxprivchecker.py", line 310, in <module>
    version = sysInfo["KERNEL"]["results"][0].split(" ")[2].split("-")[0]
IndexError: list index out of range
charix@Poison:/tmp % 

The machine has Python's SimpleHTTPServer module available to serve up files, so it's trivial to get the files across.

So I have the files. Looking at the dates, I think it's only user.txt (the HTB user token) and secret.zip I'm supposed to be seeing, with the other files having been created by other users on the HackTheBox network. The secret.zip needs a password, but that's not a problem as the Charix login password is reused:

So I have a password that looks very strange.

Privilege Escalation

Looking through the LinEnum output it's apparent that the Xvnc service is running as root. Services running as root are a common privesc target. Usually you're looking for services installed by the admin user (as opposed to standard services designed to be run as root) which have the capability to run commands or otherwise interact with the OS. This can be tricky, but VNC is a remote desktop application, which of course is designed to run commands and just about anything else. So if we can access that, we should be able to get root. If the secret is the password for VNC, that is.

Taking a closer look at the Xvnc service:

(sockstat is FreeBSD’s version of netstat – I had to look it up)

What we're interested in is the services owned by root. ps tells us PID 529 is the one we want, and googling around for that output, the ":1 -desktop" argument apparently refers to which desktop it's running as (if you had multiple remote desktop sessions, each has a unique number). Sockstat for that process tells us that it's listening on port 5901. However, it's listening on the loopback (local to the server) address only.

Just to cross-check, here's an nmap scan from my Kali box of a port range covering the VNC ports:

Notice how the EXTERNAL VNC port is 5902. So we only have external access to the Xvnc port owned by charix, which is no use at all since we already have Charix access. We're going to need a way to get access to 5901 from outside.
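The comparison above (sockstat from inside against nmap from outside) is worth automating, both for the attacker's enumeration and for an auditor checking what root-owned services a box exposes only to itself. As an added example, not part of the original post, here is a parser for the layout of `sockstat -4 -l` output on FreeBSD that reports listeners bound only to loopback and absent from the external scan. The sample rows are constructed: the PIDs and commands echo the ps output above, the Xvnc address lines follow the walkthrough's description (5901 on loopback as root, 5902 exposed as charix), and the sendmail and external-port values are assumed.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple


class Listener(NamedTuple):
    user: str
    command: str
    pid: int
    proto: str
    host: str
    port: int


# Constructed sample in the column layout of `sockstat -4 -l` on FreeBSD.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     Xvnc       529   1  tcp4   127.0.0.1:5901        *:*
root     sendmail   735   3  tcp4   127.0.0.1:25          *:*
root     sshd       620   4  tcp4   *:22                  *:*
root     httpd      669   3  tcp4   *:80                  *:*
charix   Xvnc       1613  1  tcp4   *:5902                *:*
root     devd       319   4  stream /var/run/devd.pipe
"""

# Assumed result of the external nmap scan: 22 and 80 from the initial
# enumeration, 5902 from the VNC port-range scan in the walkthrough.
EXTERNAL_OPEN_PORTS = frozenset({22, 80, 5902})

_LOOPBACK_PREFIXES = ("127.", "::1", "localhost")


def parse_sockstat(text: str) -> List[Listener]:
    """Turn sockstat output into Listener records, skipping the header and unix sockets."""
    listeners: List[Listener] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "USER":
            continue
        user, command, pid, _fd, proto, local = fields[:6]
        if not proto.startswith(("tcp", "udp")):
            continue  # stream/dgram rows are unix sockets, no port to speak of
        host, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        listeners.append(Listener(user, command, int(pid), proto, host, int(port)))
    return listeners


def is_loopback(host: str) -> bool:
    return host.startswith(_LOOPBACK_PREFIXES)


def internal_only_services(text: str,
                           external_open: Iterable[int] = (),
                           owners: Optional[Iterable[str]] = None
                           ) -> List[Tuple[int, str, int, str]]:
    """Ports reachable only from the box itself, as (port, command, pid, user).

    A port counts as internal only when every socket bound to it is on a
    loopback address and the outside scan did not report it open. Grouping by
    port first matters: a service bound to 127.0.0.1:9000 and *:9000 at the
    same time is not internal, however the first row looks on its own.
    """
    external = set(external_open)
    owner_set = set(owners) if owners is not None else None
    by_port: Dict[int, List[Listener]] = defaultdict(list)
    for lst in parse_sockstat(text):
        by_port[lst.port].append(lst)
    hits: List[Tuple[int, str, int, str]] = []
    for port in sorted(by_port):
        socks = by_port[port]
        if port in external or not all(is_loopback(s.host) for s in socks):
            continue
        for s in socks:
            if owner_set is None or s.user in owner_set:
                hits.append((port, s.command, s.pid, s.user))
    return hits


if __name__ == "__main__":
    for port, command, pid, user in internal_only_services(SAMPLE_SOCKSTAT, EXTERNAL_OPEN_PORTS, owners=("root",)):
        print(f"root-only-from-inside: {command}[{pid}] on port {port} ({user})")
```

Feed it the real sockstat output and the port list from the external scan and the root-owned Xvnc on 5901 is the first thing it reports, which is the check lesson 2 at the end of this post says should have been done sooner.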

I happen to have done this exact thing before, fairly recently. I run a Linux server for my company and, for security reasons, I've hidden VNC from the public and access it via an SSH tunnel. The way this works is that you use your existing SSH access to forward a local port on your own box to a local port on the server. You then connect your VNC client to the local port on your own box, and SSH routes that to the server's local port. When I set up my own VNC I used this guide: https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-vnc-on-ubuntu-16-04 (note "Step 3", which gives you the ssh command for setting up the local port forwarding), used here:

This command tells SSH to create a tunnel from our local IP (not specified, as it's assumed) on port 5901 to port 5901 at the other end of the tunnel on IP address 127.0.0.1 (the server's own loopback address). Anything we send to port 5901 on our local machine will end up on port 5901 on the remote machine. See here for an explanation of port forwarding.

We have that weird password, and some searching reveals that VNC passwords are stored encrypted. There are some decrypters around, but you can also just pass the encrypted password to the command as an argument; see the man page:

Trying it out:

Box. Rooted.

What did I learn from this one?

  1. Read the outputs more carefully. I missed the password text file for a whole day by simply not reading the list of files.
  2. Check for services running on internal ports that aren't on external ports. I didn't initially do this carefully enough, and as they were quite similar numbers it passed me by for longer than it should have.

Filed Under: CTF, Penetration Testing Tagged With: Boot-to-Root, CTF, Hack The Box, Penetration Testing

Comments

  1. rowbot says

    2018-09-10 at 1:16 pm

    Hey, nice write-up too. The tunnel part took me a while to get my head around.



© 2023 · NeilSec;