🟡poison

LFI | LFI TO RCE | RACE CONDITION VULNERABILITY | LOG POISONING |

Recon & Enum

port scan

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)

Directory scan

/info.php             (Status: 200) [Size: 157]
/index.php            (Status: 200) [Size: 289]
/.html                (Status: 403) [Size: 214]
/browse.php           (Status: 200) [Size: 321]
/.html                (Status: 403) [Size: 214]
/phpinfo.php          (Status: 200) [Size: 68141]
/ini.php              (Status: 200) [Size: 20456]

WEB (80)

we can read any file mention above , so when i read the file "listfiles.php" i get this :-

Array ( [0] => . [1] => .. [2] => browse.php [3] => index.php [4] => info.php [5] => ini.php [6] => listfiles.php [7] => phpinfo.php [8] => pwdbackup.txt ) Not only this , the parameter is also vulnerable to LFI

Initial access points

there are 3 ways through which we can get inside the machine :-

1. ssh as charix

2. race condition in phpinfo

3. log poisoning

shell as charix

pwdbackup.txt

After reading the file i got a password which is 13 times base64 encoded , so after decoding it i got it and i used it for ssh as "charix" user , as this user is also listed in "/etc/passwd" and also the password also start with the name , so i just gave SSH a try

Charix!2#4%6&8(0

privesc charix => root

i got a secret.zip file in home directory of charix , after transfer it to my machine i try to read it but i fot this :-

unzip secret.zip

cat secret
��[|Ֆz!%

file secret
secret: Non-ISO extended-ASCII text, with no line terminators

ps auxw

i check services on target machine , and this got my attention

root   529   0.0  1.1 31668 11364 v0- I    14:16    0:00.14 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800 -depth 24 -rfbwait 120000 -

VNC is running on target , on port 5901 and as root Let’s examine the command line options:

• :1 - display number 1

• -rfbauth /root/.vnc/passwd - specifies the file containing the password used to auth viewers

• -rfbport 5901 - tells us which port to connect to

• localhost - only listen locally

confirming the service (on target machine)

i just want to confirm the vnc service

netstat -an | grep 5901

tcp4       0      0 127.0.0.1.5901         *.*                    LISTEN

ssh local port forwarding

we can't access vnc server , as it is running on localhost so we have to forward this server on our localhost :-

ssh -L 5000:127.0.0.1:5901 charix@10.10.10.84

confirming the service (on my machine)

netstat -an | grep 5000

tcp6       0      0  ::1.5000               *.*                    LISTEN
tcp4       0      0  127.0.0.1.5000         *.*                    LISTEN
tcp6       0      0  *.5000                 *.*                    LISTEN
tcp4       0      0  *.5000                 *.*                    LISTEN

i downloaded vncviewer on my machine , but when i try to access , it ask for password

secret

Maybe , the secret file conatain the vnc server password i downloaded a py script to decrypt the password and i got successfull script :-

GitHub - jeroennijhof/vncpwd: VNC Password DecrypterGitHub

./vncpwd ~/hack\ the\ box/poison/secret
Password: VNCP@$$!

we got the password VNCP@$$!

shell