As I continue to post my notes for retired boxes you will likely notice a drastic increase in detail. A few boxes were completed when I was just getting into cyber security, and since then I have learned a lot about documentation.
Simply based off of the name here we can determine this is gonna suck. At least it starts off easy: hop on over to the web browser and go to the IP. I'm going to assume you ran a port scan and noticed the web server. Anyhow, the page lets us name one of the PHP scripts on the server and have the application include and run it for us, which is really just a local file inclusion through the file parameter of browse.php. The one that is most appealing is listfiles.php, and for good reason: if we type that in the query and hit enter we get a directory listing, and one of the files is "pwdbackup.txt". Setting file=pwdbackup.txt in the URL shows the text file's contents: an encoded password and a hint that it has been encoded at least 13 times. Don't be fooled, this is not ROT13; it is base64 applied over and over (13 layers). I know… pretty dumb.
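Peeling the layers by hand is tedious and error-prone, so here is an added shell example (not part of the original writeup) that does it in a loop. It builds its own sample blob by stacking base64 13 times over the password the box uses (which appears later on this page), so the blob is constructed, not the real pwdbackup.txt content. The stop condition is a heuristic: keep decoding while the current value still looks like base64 and decodes to printable text.

```shell
# Build a sample blob by stacking base64 13 times over the password found
# later on the box. The blob is constructed here; it is not the real
# pwdbackup.txt content.
encode_layers() {
    s=$1; n=$2
    while [ "$n" -gt 0 ]; do
        s=$(printf '%s' "$s" | base64 | tr -d '\n')   # drop the 76-column line wrapping
        n=$((n - 1))
    done
    printf '%s' "$s"
}

# Peel base64 layers one at a time. Stop when the current value contains
# characters outside the base64 alphabet, fails to decode, or decodes to
# non-printable bytes (heuristic: the password we want is printable text).
# Prints "<layers peeled> <plaintext>".
decode_layers() {
    s=$1; n=0
    while printf '%s' "$s" | grep -Eq '^[A-Za-z0-9+/=]+$'; do
        next=$(printf '%s' "$s" | base64 -d 2>/dev/null) || break
        printf '%s' "$next" | LC_ALL=C grep -q '[^[:print:]]' && break
        s=$next
        n=$((n + 1))
    done
    printf '%s\n' "$n $s"
}

# The real file wraps the blob across several lines, so join it first, e.g.
#   decode_layers "$(tr -d ' \n' < blob.txt)"
# where blob.txt holds only the base64 part of pwdbackup.txt (hint line removed).
decode_layers "$(encode_layers 'Charix!2#4%6&8(0' 13)"
```

The layer count it prints is a useful sanity check against the hint in the file: if you get far fewer than 13, you probably fed it a blob with stray whitespace or the hint line still attached.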
So now we need the username. Let's do some more investigating… info.php might have some info ;). It shows the server's file paths, which confirms the file parameter will take an absolute path. So let's request http://10.10.10.84/browse.php?file=/etc/passwd and get some user info. Tada! A list of users. One of them, charix, just so happens to share the box creator's name, and it is the one we want.
Now we can SSH in as charix with the password found in the beginning. Notice the secret.zip file in the home directory. It is a password-protected zip, and unfortunately you cannot simply unzip it on this box because the unzip that ships there does not support encrypted archives. So we scp it over to our box and unzip it locally. The zip password is the same as the user's login password, but its shell metacharacters (!, #, %, &, parentheses) cause trouble if you pass it unquoted. Wrap it in single quotes so the shell hands it over literally: unzip -P 'Charix!2#4%6&8(0' secret.zip. Make sure you use single quotes, not double, or the ! will be expanded as history.
Next we continue searching for ways to get root. Pay attention to the services running on the machine and one in particular should stick out: VNC may be just what we are looking for. Running sockstat -4 -l on the victim (this is a FreeBSD box, so sockstat rather than netstat) shows a VNC server listening on port 5901. The issue is that a port scan from our side shows nothing on 5901, because the service is bound to the loopback address only. Therefore we have to connect to the VNC server from the machine itself, but there is no VNC client installed on it. We can get around that from our Kali box using SSH.
Let's use SSH local port forwarding: open a port on our side and have SSH tunnel everything sent to it through the session to the VNC port on the target's loopback interface.
ssh -L 5901:localhost:5901 -N -f -l charix 10.10.10.84
This binds port 5901 on our localhost and forwards every connection to it through the SSH session to localhost:5901 on the target (-N runs no remote command, -f backgrounds the session once it is up). Before connecting, it is worth confirming that something is now listening on local port 5901; if not, the forward did not come up. With the tunnel in place, "vncviewer :1" will connect to local display 1, i.e. port 5901, but the server is password protected. Lucky for us we have the secret file from the zip, which is already in the VNC password-file format that the -passwd option expects (the same format as ~/.vnc/passwd). So in the end all it takes is "vncviewer :1 -passwd secret" and there you go, a root shell on the VNC desktop.