Poison | HTB | Write-up

Poison is a retired machine on HackTheBox. It is an easy box, but an enjoyable one. With that said, let us get started.

SCANNING :

A quick nmap scan revealed ports 22 and 80 to be open.

Then, a default-script and service-version scan reveals that OpenSSH 7.2 and Apache httpd 2.4.29 are running on ports 22 and 80 respectively. It also reveals that the underlying OS is FreeBSD.

This is enough for scanning. Let us move to enumeration now.

ENUMERATION :

Since HTTP offers the largest attack surface, let us start with that first.

If I open the IP in my browser, the page below shows up:

It seems I can run any of the PHP scripts shown in the picture above. Among them, listfiles.php looks interesting. Let us see what we get when I enter the script name in the text field and hit submit.

I am redirected to another page with the output shown above in the picture.

pwdbackup.txt seems juicy to me. Let us see what is in there.

It seems to be a password of some sort, base64 encoded (probably 13 times). Let us save it and decode it.

I am using Python to decode it. You can do the same, or decode it online on any base64 decoding site.
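As an added example (not the author's own script), the routine below peels off nested base64 layers until the payload is no longer valid base64 or no longer printable text, which is the stopping rule needed for a file like this. The sample input is constructed here by wrapping a placeholder string 13 times; it is not the box's real file or password.

```python
import base64
import binascii

# Constructed sample: a placeholder secret wrapped in 13 base64 layers,
# mimicking the layout of pwdbackup.txt (not the real file or password).
LAYERS = 13
PLAINTEXT = b"example-secret-not-the-real-one"


def wrap(data: bytes, layers: int = LAYERS) -> bytes:
    """Apply base64 encoding `layers` times (used only to build the sample)."""
    for _ in range(layers):
        data = base64.b64encode(data)
    return data


def _looks_textual(data: bytes) -> bool:
    """True if every byte is printable ASCII or common whitespace."""
    return all(32 <= b < 127 or b in b"\r\n\t" for b in data)


def peel(blob: bytes, max_layers: int = 64) -> tuple[bytes, int]:
    """Strip nested base64 and return (innermost payload, layers removed).

    Whitespace and line breaks inside a layer are ignored, since a dumped
    file usually has them. Decoding stops when the data is not valid base64
    or when a decode would produce non-printable bytes (i.e. the previous
    layer was already the plaintext, even if it happened to look like base64).
    """
    current = blob
    for depth in range(max_layers):
        cleaned = b"".join(current.split())
        try:
            decoded = base64.b64decode(cleaned, validate=True)
        except (binascii.Error, ValueError):
            return current, depth
        if not decoded or not _looks_textual(decoded):
            return current, depth
        current = decoded
    return current, max_layers


SAMPLE = wrap(PLAINTEXT)

if __name__ == "__main__":
    secret, layers = peel(SAMPLE)
    print(f"removed {layers} layers: {secret.decode()}")
```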

It may be the password for an SSH user, and the password itself suggests there is a user named Charix.

SHELL AS CHARIX :

Since I have a username and password and the SSH port is open, let us first try to log in as Charix.

It worked and I have a shell as that user. You can read the user flag now.

PRIVILEGE ESCALATION :

There are two things that caught my eye.

First, there is a zip file in Charix’s home directory, owned by root, so it probably has something to do with root.

Second, if I take a look at the listening ports, I find ports 5801 and 5901 listening on localhost, which are normally used by VNC services.

Let us first deal with the zip file.

But it is encrypted. Let us transfer it to the local box and see if our friend John the Ripper can do some magic for us.

I am using scp for this.

Unfortunately, that did not work.

Let us see if I can unzip it with Charix’s SSH password.

Luckily, that worked! Reusing the same password again and again is a very bad idea! =D

But the contents of the unzipped file do not seem to be useful. Well, I would not be so sure about that! =D

Remember, the remote box has a VNC service running locally. The unzipped file may contain the encrypted VNC password for root.

But I cannot use the VNC server from the remote box itself, so let us tunnel the remote box’s port 5901 to my local box over SSH.

Now that SSH tunneling is done, let us try to access the server via VNC client.

vncviewer -passwd secret localhost:5901

That worked, and I get a shell as root. But the VNC session looks ugly; you can reset the root password and then SSH in as root instead.

So, that is the Poison box of HackTheBox.

Thank You for reading this far. Hope you liked the write-up. I will see you in the next one. PEACE. =)

Breaking things like a bàKà