Poison - 10.10.10.84

Target Enumeration:

OS: FreeBSD

IP: 10.10.10.84

User: eaacdfb2d141b72a589233063604209c

Root: 716d04b188419cf2bb99d891272361f5

Vulnerability Exploited:

LFI to read /etc/passwd

Ssh password stored in base64

Privilege Escalation:

XVNC running as root locally

Secret.zip holds password to login

Exploiting the host:

Nmap

Dirb

Index.php has LFI no RFI yet though

LFI

No RFI so log poisoning is an option however looking at the listfiles.php file gives us a few other things to look at:

Checking out this file gives us a password which is encoded 13 times

A little bit to CTF for me but we will carry on.

Once we had decoded the password we used it to login via ssh, i am sure a decent for loop or python script would have been easier than

In the users home dir was a secret.zip file so we downloaded that locally with nc and extracted the hash for cracking and while we waited we tested the existing password we had found

No idea at this point what this file does so keep enumerating the system, does not seem to work for anything like ssh keys etc..

Looking at the running services we see that root is running an xvnc service

So map the port locally with ssl -L and try to connect:

Try to login with xvncviewer and all the passwords you have:

No luck

Check the help file for other options

Try with the secret file we downloaded earlier:

Now you get a root shell via xvnc quite a fun way to pop the machine

This is not ideal so generate a reverse shell with php and set up a listener on port 444

Now you have a reasonably stable root shell to capture the flag and save you typing it out.