Nmap Results
# Nmap 7.93 scan initiated Mon Apr 10 17:18:45 2023 as: nmap -Pn -p- -T4 -A -oN scan.txt 10.10.10.84
Nmap scan report for 10.10.10.84
Host is up (0.013s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey:
| 2048 e33b7d3c8f4b8cf9cd7fd23ace2dffbb (RSA)
| 256 4ce8c602bdfc83ffc98001547d228172 (ECDSA)
|_ 256 0b8fd57185901385618beb34135f943b (ED25519)
80/tcp open http Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=4/10%OT=22%CT=1%CU=30584%PV=Y%DS=2%DC=T%G=Y%TM=64347EB
OS:B%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=10D%TI=Z%CI=Z%II=RI%TS=22)O
OS:PS(O1=M53CNW6ST11%O2=M53CNW6ST11%O3=M280NW6NNT11%O4=M53CNW6ST11%O5=M218N
OS:W6ST11%O6=M109ST11)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFFF)E
OS:CN(R=Y%DF=Y%T=40%W=FFFF%O=M53CNW6SLL%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F
OS:=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=FFFF%S=O%A=S+%F=AS%O=M109NW6ST11%R
OS:D=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%
OS:S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=38%UN=0%
OS:RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=S%T=40%CD=S)
Network Distance: 2 hops
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd
TRACEROUTE (using port 554/tcp)
HOP RTT ADDRESS
1 11.71 ms 10.10.14.1
2 11.92 ms 10.10.10.84
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Apr 10 17:25:15 2023 -- 1 IP address (1 host up) scanned in 390.89 seconds
Service Enumeration
TCP/80
The page clearly says the data has been encoded at least 13 times, so let's recursively decode it.
The final resulting string is Charix!2#4%6&8(0
, which seems like a possible password. Or the username is Charix
and the password is !2#4%6&8(0
.
Testing for File Inclusion
Local File Inclusion
Confirmed, the username is charix
.
Remote File Inclusion
allow_url_include
is disabled on the server.
Exploit
The developer made publicly available an application that does not properly sanitize user inputs and allows for local file inclusion. Beyond that, the developer included in the test path a file that contains a base64-encoded user password. The password, combined with the file inclusion, allows the attacker to enumerate a valid credential and SSH into the target.
The developer should sanitize user inputs and discontinue base64-encoding sensitive data. Additionally, the developer should use SSH key authentication in place of password authentication.
Post-Exploit Enumeration
Operating Environment
OS & Kernel
FreeBSD Poison 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017 root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
Current User
uid=1001(charix) gid=1001(charix) groups=1001(charix)
Users and Groups
Local Users
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
charix:*:1001:1001:charix:/home/charix:/bin/csh
Local Groups
wheel:*:0:root
operator:*:5:root
charix:*:1001:
Network Configurations
Interfaces
le0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 00:50:56:b9:fb:26
hwaddr 00:50:56:b9:fb:26
inet 10.10.10.84 netmask 0xffffff00 broadcast 10.10.10.255
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect
status: active
Open Ports
netstat -an4SRWTa | grep 127
tcp4 0 0 0 127.0.0.1.25 *.* 00000000 0
tcp4 0 0 0 127.0.0.1.5801 *.* 00000000 0
tcp4 0 0 0 127.0.0.1.5901 *.* 00000000 0
Processes and Services
Interesting Processes
root 529 0.0 0.7 23620 7472 v0- I 23:16 0:00.03 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/passwd -rfbport 5901 -l
root 657 0.0 0.4 20636 4392 - Ss 23:18 0:00.56 sendmail: accepting connections (sendmail)
Interesting Services
/etc/rc.d/virecover
/usr/local/etc/rc.d/vncserver
/usr/local/etc/rc.d/apache24
/etc/rc.d/sendmail
Interesting Files
/home/charix/secret.zip
The zip file is password protected. I'll use the SSH credential and scp
to copy the file to Kali for analysis.
scp charix@10.10.10.84:/home/charix/secret.zip secret.zip
I am able to unzip it on Kali with unzip
and the same password used for SSH, but the file secret
just seems garbled; possibly encrypted.
Privilege Escalation
Port Forwarding
There are some interesting ports bound to the loopback address that warrant further investigation.
TCP/25
TCP/5801
TCP/5901
I'll use the existing SSH credential to set up the local port forwarding.
ssh -f -N -L 127.0.0.1:25:127.0.0.1:25 -L 127.0.0.1:5801:127.0.0.1:5801 -L 127.0.0.1:5901:127.0.0.1:5901 charix@10.10.10.84
You can see the ports attached to the SSH process. So, now to reach those ports on the target, I'll tunnel through 127.0.0.1
locally and hit the ports on the other side of the SSH connection.
Service Enumeration
TCP/5801, TCP/5901
Initial Enumeration
Doing some Googling on TCP/5801
, it looks like it's VNC over HTTP, whcih nmap
reports. TCP/5901
is for the VNC server.
This particular part from the HackTrick article stuck out at me:
Default password is stored in: ~/.vnc/passwdIf you have the VNC password and it looks encrypted (a few bytes, like if it could be and encrypted password). It is probably ciphered with 3des. You can get the clear text password using https://github.com/jeroennijhof/vncpwd
This sounds exactly like the description of the file I saw in secret.zip
. Let's see what happens if we try the suggested steps:
Decrypting the VNC Passwd File
git clone https://github.com/jeroennijhof/vncpwd
cd vncpwd
make
./vncpwd <file>
Well, well, well... what a pleasant surprise.
Connecting to VNC
Using the Decrypted Password
Using the Passwd File Alone
I found out after the fact that you can just pass in the passwd
file without decrypting it.
vncviewer passwd=./secret 127.0.0.1:5901
Flags
User
eaacdfb2d141b72a589233063604209c
Root
716d04b188419cf2bb99d891272361f5