Poison

Poison - 10.10.10.84

Target Enumeration:

OS: FreeBSD
IP: 10.10.10.84
User: eaacdfb2d141b72a589233063604209c
Root: 716d04b188419cf2bb99d891272361f5

Vulnerability Exploited:

LFI to read /etc/passwd
SSH password stored in base64

Privilege Escalation:

Xvnc running as root locally
secret.zip holds the password to log in

Exploiting the host:

Nmap
Dirb
Index.php has LFI, no RFI yet though
LFI
No RFI, so log poisoning is an option; however, looking at the listfiles.php file gives us a few other things to look at:
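From the defender's side, both techniques named above (traversal through the include parameter and log poisoning through a request header) leave clear traces in the web server access log. The script below is an added example, not part of the original writeup: it parses Apache combined-format lines and flags traversal sequences (including URL-encoded ones), php:// stream wrappers, and PHP tags planted in the User-Agent or Referer. The sample log lines, the client addresses and the "file" query parameter of index.php are constructed for the demonstration.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format.  None of these are
# from the target; the client addresses, timestamps and the "file" query
# parameter of index.php are assumptions made for the demonstration.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?file=listfiles.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?file=../../../../etc/passwd HTTP/1.1" 200 1793 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1793 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?file=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 300 "-" "<?php echo 'x'; ?>"
10.10.14.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?file=info.php HTTP/1.1" 200 420 "-" "curl/7.88.1"
"""

# Apache/nginx "combined" format: ip ident user [time] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Opening PHP tag, long or short form, in any header value.
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.IGNORECASE)


def classify(entry: Dict[str, str]) -> List[str]:
    """Return the list of reasons a parsed log entry looks like LFI abuse."""
    reasons: List[str] = []
    # Decode twice so that %252e-style double encoding is also caught.
    path = unquote(unquote(entry["path"]))
    if "../" in path or "..\\" in path:
        reasons.append("path_traversal")
    if "php://" in path.lower():
        reasons.append("php_stream_wrapper")
    # Log poisoning plants PHP code in a header that ends up in the access
    # log; the User-Agent and Referer are the usual carriers.
    if PHP_TAG_RE.search(entry["ua"]):
        reasons.append("php_tag_in_user_agent")
    if PHP_TAG_RE.search(entry["referer"]):
        reasons.append("php_tag_in_referer")
    return reasons


def analyse(log_text: str) -> List[Dict[str, object]]:
    """Parse combined-format lines and return only the suspicious ones."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped rather than trusted
        entry = m.groupdict()
        reasons = classify(entry)
        if reasons:
            findings.append({"ip": entry["ip"], "path": entry["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['ip']:<12} {', '.join(f['reasons']):<26} {f['path']}")
```

Run against the constructed sample it reports four of the six lines; the two ordinary requests for listfiles.php and info.php pass. The double unquote matters: without it the percent-encoded traversal on the third line would look like a normal file name.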
Checking out this file gives us a password which is encoded 13 times.
A little bit too CTF for me, but we will carry on.
Once we had decoded the password we used it to log in via SSH. I am sure a decent for loop or Python script would have been easier than
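For the nested encoding, the script the author had in mind might look like the one below. It is an added example, not code from the writeup: it keeps base64-decoding a blob until the output stops looking like base64 and reports how many layers it removed, which is the check you want when you do not know the nesting depth in advance. The input is a placeholder password wrapped 13 times in the script itself; the real value from the box is not reproduced.

```python
import base64
import binascii
import re
from typing import Tuple

# Base64 alphabet with optional padding; whitespace is stripped before testing.
B64_RE = re.compile(rb'^[A-Za-z0-9+/]*={0,2}$')


def looks_like_base64(data: bytes) -> bool:
    """Cheap structural check: base64 alphabet only, length a multiple of 4."""
    compact = b"".join(data.split())  # tolerate newlines inside the blob
    return bool(compact) and len(compact) % 4 == 0 and B64_RE.match(compact) is not None


def peel_base64(blob: bytes, max_layers: int = 64) -> Tuple[bytes, int]:
    """Repeatedly base64-decode until the result no longer looks encoded.

    Returns (plaintext, number_of_layers_removed).  The loop stops at the
    first decode error or at data that fails the alphabet/length check.  A
    short plaintext that happens to be valid base64 could be over-decoded,
    so the layer count is returned to let the caller sanity-check the depth.
    """
    current = blob
    layers = 0
    while layers < max_layers and looks_like_base64(current):
        compact = b"".join(current.split())
        try:
            decoded = base64.b64decode(compact, validate=True)
        except (binascii.Error, ValueError):
            break
        if not decoded:
            break
        current = decoded
        layers += 1
    return current, layers


def wrap_base64(plaintext: bytes, layers: int) -> bytes:
    """Encode plaintext `layers` times; used here only to build the sample input."""
    out = plaintext
    for _ in range(layers):
        out = base64.b64encode(out)
    return out


# Constructed input: a placeholder password wrapped 13 times, matching the
# depth described in the writeup.  The real value from the box is not shown.
SAMPLE_BLOB = wrap_base64(b"placeholder-password", 13)

if __name__ == "__main__":
    text, n = peel_base64(SAMPLE_BLOB)
    print(f"removed {n} layers -> {text!r}")
```

The stop condition is deliberately structural rather than "decode until it throws": many plaintexts decode without error, so checking the alphabet and length first avoids turning the final password into garbage.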
In the user's home dir was a secret.zip file, so we downloaded that locally with nc and extracted the hash for cracking; while we waited we tested the existing password we had found.
No idea at this point what this file does, so keep enumerating the system; it does not seem to work for anything like SSH keys etc.
Looking at the running services we see that root is running an Xvnc service.
So map the port locally with ssh -L and try to connect:
Try to log in with xvncviewer and all the passwords you have:
No luck.
Check the help file for other options.
Try with the secret file we downloaded earlier:
Now you get a root shell via Xvnc, quite a fun way to pop the machine.
This is not ideal, so generate a reverse shell with PHP and set up a listener on port 444.
Now you have a reasonably stable root shell to capture the flag and save you typing it out.