Hack the Box: Poison Walkthrough

Hello everyone and welcome to yet another CTF challenge from hack the box, called ‘Poison,’ which is available online for those who want to increase their skill in penetration testing and black box testing. Poison is a retired vulnerable lab presented by Hack the Box for making online penetration testing practice suitable to your experience level; they have a large collection of vulnerable labs as challenges, ranging from beginner to expert level.

Level: Easy

Task: Find user.txt and root.txt in victim’s machine

Methodology:

  1. Port scanning
  2. Using LFI to find username
  3. Gaining encrypted password file using LFI
  4. Decrypting password file
  5. Logging in to SSH using decrypted password
  6. Transferring ZIP file and extracting to find a secret file
  7. Discovery of VNC on machine
  8. VNC tunneling over SSH to get root shell
  9. Grabbing flag

Let’s get started then!

Since, these labs have a static IP, the IP address for poison is 10.10.10.84.  Let us scan the VM with the most popular port scanning tool, nmap.

 

From the result above we found two working ports on the VM, port 22 and 80 which are universal default ports for SSH and HTTP.

We immediately headed over to the webpage.

It was crystal clear only by reading that there was an LFI vulnerability involved. We tested it by inputting /etc/passwd in the scriptname section.

Which led us to the following output

From here we found that the username was “charix.” But before moving on to that part we tried all the scriptnames one by one given in the previous webpage.

It was going all monotonous until we found an interesting text file in the “listfiles.php” script.

 

 

The listfiles.php was a script that enumerated an array of the files

We found an interesting file called pwdbackup.txt. On opening it by the same process we found an encrypted password.

But it wasn’t a normal encryption, the password was encrypted 13 times. Just by looking we could tell that it was base64 encoding. So, we copied the password in a notepad file and removed the spaces between the password’s lines (present by default) and wrote the following command to decrypt it:

 

Voila! The password was found to be Charix!2#4%6&8(0

A complete logical shot in the dark was that it was the password to secure shell of the victim. So, we tried logging in to SSH.

 

 And just like that we were logged in! We found the first flag (user.txt) and another file called secret.zip

We tried unzipping it on the spot but it didn’t work. So, instead we transferred the file to our system using scp (complete article here)

 

 We got a file “secret” which could be the password of another service.

We were far from convinced that no other service was running so we scanned the victim using socat. (To read more: https://packages.debian.org/sid/sockstat)

Port number 5901 and 5908 were open which clearly are the port numbers for VNC! This could be way in.

We followed the SSH tunneling methodology (refer here)

 

IT will open up a shell. In a new terminal write:

 

 We saw authentication successful tag!

What was left now but to:

And this is how we owned the poison VM. Hope you enjoyed because we surely did!

Author: Harshit Rajpal is an InfoSec researcher and a left and right brain thinker. contact here

Related Posts Plugin for WordPress, Blogger...

5 Comments Hack the Box: Poison Walkthrough

    1. Harshit Rajpal

      Hey NOZ. I didn’t automatically use SSH tunneling. We tried multiple things but failed and it is virtually impossible to state all the lost causes in an article for obvious reasons so we publish the shortest route only. Hope you get my point.

      Used SSH tunnel because VNC was running, simple.

      Reply
    2. NeilSec

      Always good to read your write-ups Raj. Thanks.

      The reason we need to use SSH tunnelling is that whilst VNC is exposed to the net, it’s only the process owned by Charix.

      If you cross-check the services and the listening ports you’ll see that the xvnc process owned by root is only listening on the local loopback port. So we need to get access to the local port from our attacking machine and ssh tunnelling is an easy way of doing it.

      See: https://neilsec.com/penetration-testing/hackthebox-poison-walkthrough/

      Reply
  1. Azan

    Hello, nice write up.

    But I was wondering, what do you do with file secret.zip ? Did you enable to open/extract the file ?

    Thanks

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *