OSCP PREPARATIONS – HTB Poison

Poison is a vulnerable machine running a BSD operating system and is among the retired HTB machines. Using its vulnerabilities, the user and root flags are waiting to be obtained.
Let’s perform a network scan with nmap to identify the target machine’s services.
Classic Scan

Full Port Scan

As a result of the network scan, the following ports are open: 22/tcp ssh (OpenSSH 7.2), 80/tcp http (Apache httpd 2.4.29) and 514/udp open|filtered syslog. Since there is no known vulnerability in the ssh service, let’s perform enumeration on port 80.
Since the http protocol is running on this port, we perform enumeration via the browser.

We run a directory scan with Gobuster for hidden files and directories.

As a result of the file and directory scan, the /browse.php, /index.php, /info.php, /ini.php and /phpinfo.php pages were detected.
The main page states that ini.php, info.php, listfiles.php and phpinfo.php will be tested when typed into the browser; we were able to detect most of these pages with gobuster. The only one we could not find was listfiles.php, which the main page told us about, so let’s take note of it and continue.

The pwdbackup.txt file exists.

Here we see the note “This password is secure, it’s encoded atleast 13 times… what could go wrong really…”. The 13 layers could be base64 (we figured that out from the = sign at the end).
We decoded it 13 times using CyberChef.

Charix!2#4%6&8(0
This is the decoded password.
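The same decoding can be done without guessing the layer count in advance: keep decoding while the output still looks like base64 and stop when it does not. The following is an added example in Python, not code from the write-up; the sample blob is constructed here by encoding the recovered password 13 times (it is not the contents of the machine’s pwdbackup.txt), and the function names encode_layers, looks_like_base64 and peel_base64 are assumptions for the demo.

```python
import base64
import binascii
import re

# Constructed sample: the plaintext is the password the write-up recovered; the
# 13-layer blob is built here so the example runs offline (it is not the
# contents of the machine's pwdbackup.txt).
SAMPLE_PLAINTEXT = "Charix!2#4%6&8(0"


def encode_layers(text, layers):
    """Base64-encode text the given number of times (used only to build the sample)."""
    data = text.encode()
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode()


SAMPLE_BLOB = encode_layers(SAMPLE_PLAINTEXT, 13)

# Base64 alphabet plus whitespace (files like this are often line-wrapped),
# optionally ending in one or two '=' padding characters.
BASE64_RE = re.compile(rb"^[A-Za-z0-9+/\s]*={0,2}\s*$")


def looks_like_base64(data):
    """Heuristic: only alphabet characters and a length that is a multiple of 4."""
    stripped = re.sub(rb"\s", b"", data)
    return bool(stripped) and len(stripped) % 4 == 0 and BASE64_RE.match(data) is not None


def peel_base64(blob, max_layers=32):
    """Decode base64 repeatedly until the output no longer looks like base64.

    Returns (decoded text, number of layers removed). max_layers guards against
    data that happens to stay inside the base64 alphabet forever.
    """
    data = blob.encode()
    layers = 0
    while layers < max_layers and looks_like_base64(data):
        try:
            decoded = base64.b64decode(re.sub(rb"\s", b"", data), validate=True)
        except binascii.Error:
            break
        data = decoded
        layers += 1
    return data.decode("utf-8", errors="replace"), layers


if __name__ == "__main__":
    text, n = peel_base64(SAMPLE_BLOB)
    print(f"removed {n} layers -> {text!r}")
```

The stop condition is a heuristic: a plaintext made only of base64 alphabet characters would be decoded one step too far, which is why the layer count is returned alongside the text so the result can be sanity-checked.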
We continue with web enumeration.
We try to break something by entering inputs in the script test section.

We changed the entries here and realized there was a directory traversal vulnerability.

We were able to read the /etc/passwd file. Here we see the charix user; can we ssh in with the password we decoded earlier?
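The traversal above is worth seeing beside its fix. The following is an added example in Python (not the machine’s browse.php, whose source the write-up does not show): a constructed sandbox directory stands in for the web root and /etc, browse_vulnerable mirrors the observed behaviour of joining user input straight onto the web root, and browse_hardened canonicalises the path and refuses anything that resolves outside the web root. The names WEB_ROOT, safe_path, is_within_root, browse_vulnerable and browse_hardened are assumptions for the demo.

```python
import os
import tempfile

# Constructed sandbox so the example runs offline: a fake web root holding one
# legitimate page, and a sibling "etc" directory standing in for the real /etc.
SANDBOX = tempfile.mkdtemp(prefix="traversal-demo-")
WEB_ROOT = os.path.join(SANDBOX, "www")
os.makedirs(WEB_ROOT)
os.makedirs(os.path.join(SANDBOX, "etc"))
with open(os.path.join(WEB_ROOT, "ini.php"), "w") as fh:
    fh.write("<?php phpinfo(); ?>\n")  # constructed stand-in for the real page
with open(os.path.join(SANDBOX, "etc", "passwd"), "w") as fh:
    fh.write("charix:*:1001:1001:charix:/home/charix:/bin/csh\n")  # constructed line


def browse_vulnerable(name):
    """Mirrors what the write-up observed: the user-supplied name is joined to
    the web root with no canonicalisation, so '../' walks out of it."""
    with open(os.path.join(WEB_ROOT, name)) as fh:
        return fh.read()


def safe_path(name):
    """Return the canonical path for name if it stays inside WEB_ROOT, else None.

    Absolute names are rejected up front because os.path.join would discard
    the web root when given one; realpath resolves '..' and symlinks before
    the containment check so nested '..' sequences cannot slip by.
    """
    if os.path.isabs(name) or "\x00" in name:
        return None
    real_root = os.path.realpath(WEB_ROOT)
    target = os.path.realpath(os.path.join(real_root, name))
    try:
        contained = os.path.commonpath([real_root, target]) == real_root
    except ValueError:  # e.g. paths on different drives on Windows
        contained = False
    return target if contained else None


def is_within_root(name):
    """Boolean form of safe_path, handy for logging rejected requests."""
    return safe_path(name) is not None


def browse_hardened(name):
    """Same file-serving behaviour, but refuses anything outside the web root."""
    target = safe_path(name)
    if target is None:
        raise PermissionError(f"refusing to serve {name!r}: outside web root")
    with open(target) as fh:
        return fh.read()


if __name__ == "__main__":
    print(browse_vulnerable("../etc/passwd").strip())   # escapes the web root
    print(is_within_root("ini.php"), is_within_root("../etc/passwd"))
```

For a page that only ever serves a handful of known scripts, an explicit allowlist of file names is simpler still and removes the path logic entirely; the canonicalise-and-contain check is the general fix when the set of files is open-ended.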

We were able to log in.
Here we obtained the user flag, but we could not access the root directory.

Here we perform local enumeration to get the root flag.

We listed the listening network ports here; 127.0.0.1.5801 and 127.0.0.1.5901 draw our attention. Is anyone using these ports? Let’s look at the processes:
ps -aux

Here we see “Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/passwd -rfbport 5901 -localhost -nolisten tcp :1”.
Port 5901 is used by VNC.
(Xvnc is the X VNC (Virtual Network Computing) server. It is based on a standard X server but has a “virtual” screen instead of a physical one: X applications display themselves as if on a normal X screen, but the screen can only be accessed through a VNC viewer such as vncviewer. Ref: https://tigervnc.org/doc/Xvnc.html)
We could not run vncviewer on the target machine, so we will do port forwarding with ssh and use vncviewer from our attack machine.
First we do the port forwarding.

Then we log in with vncviewer.

We could not log in successfully because it asked us for a password.
So let’s continue with local enumeration.
Let’s take a look at the script.zip file in the home directory and see what it contains.

Here we could not open the secret file, so let’s transfer the zip to our machine with scp and unzip it there.

It asked us for a password and we could not extract it because we did not know the password.
We tried to crack this zip file with John the Ripper without success. When we used the password we had already obtained, we unzipped it successfully.

The secret file is a binary file. Since Xvnc was started with -rfbauth /root/.vnc/passwd, could this binary file be that VNC password file, usable with vncviewer?

Let’s try it here.

Connection established.
It appears to be running under root privileges.

Here we got our root flag.