Hack The Box — Poison
Poison is a Medium-difficulty Linux machine on Hack The Box and part of TJ Null's OSCP prep list. In this box we mainly perform a log poisoning attack to turn LFI into RCE, and then escalate privileges using VNC.
Ports 22 and 80 are open. Port 80 seems to host some .php files, listed below. You can visit them one by one.
listfiles.php seems to show a file on the server called pwdbackup.txt.
Let's access pwdbackup.txt by using file=pwdbackup.txt in the URL. It seems base64 encoded, and the first line clearly states that it is base64 encoded 13 times, so we need to decode it that many times.
To do so, it is suggested to use a script that does this task. You can also try looking for a python/bash script or create your own.
We can base64-decode a string using the base64 -d option; what if we do this 13 times?
We used the pipe ( | ) to pass the output of each command to the next; I found this interesting trick in a random writeup of this box.
cat base64.txt | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d
We can also use a simple bash script to do this task.
data=$(cat base64.txt); for i in $(seq 1 13); do data=$(echo $data | tr -d ' ' | base64 -d); done; echo $data
Here seq 1 13 is used to loop 13 times.
Now there are 2 ways to solve this machine, and I will cover both of them.
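As an added example (my own code, not from the writeup), here is a Python version of the same idea that peels base64 layers until the data stops being valid base64 or printable text, so you do not need to know the layer count up front. The sample input is constructed by wrapping a made-up password 13 times; the file name and helper names are my own.

```python
import base64
import binascii
import string

PRINTABLE = set(string.printable.encode())


def wrap_base64(plaintext: bytes, layers: int, width: int = 76) -> bytes:
    """Build test data: base64-encode `layers` times, line-wrapping each
    layer the way a text dump like pwdbackup.txt is wrapped."""
    data = plaintext
    for _ in range(layers):
        enc = base64.b64encode(data)
        data = b"\n".join(enc[i:i + width] for i in range(0, len(enc), width))
    return data


def peel_base64(blob: bytes, max_layers: int = 32):
    """Decode base64 repeatedly until the result is no longer valid base64
    or no longer printable text. Returns (plaintext, layers_removed).
    max_layers guards against a plaintext that happens to be valid base64."""
    data, layers = blob, 0
    while layers < max_layers:
        candidate = b"".join(data.split())  # same job as the tr -d ' ' above
        if not candidate or len(candidate) % 4:
            break
        try:
            decoded = base64.b64decode(candidate, validate=True)
        except binascii.Error:
            break
        if not decoded or any(b not in PRINTABLE for b in decoded):
            break
        data, layers = decoded, layers + 1
    return data, layers


# Constructed sample: a made-up password wrapped 13 times, as on the box.
PLAINTEXT = b"s3cret-p@ss!"
SAMPLE = wrap_base64(PLAINTEXT, 13)

if __name__ == "__main__":
    text, n = peel_base64(SAMPLE)
    print(f"removed {n} layers: {text.decode()}")
```

Strip the explanatory first line of pwdbackup.txt before feeding the blob in; the stop rule relies on the final password containing characters outside the base64 alphabet.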
1) USING SSH
We have already found a password above, and SSH is open on our target. Moreover, there is a Local File Inclusion vulnerability on the machine, and we are able to read the /etc/passwd file.
There seems to be a user called charix; the password itself contained charix, and the person who made this box also goes by charix. We can simply SSH in as charix with the password we found above.
Now I will cover the second method, "log poisoning", which is the intended way to solve this machine, since the machine is named "Poison".
2) LOG POISONING
Very simply put, log poisoning is a method of turning LFI into RCE. The attacker injects malicious input into the server log; then, using the LFI vulnerability, the attacker includes the server log, which executes the injected code and gives a reverse shell. For more info, you can refer to this article: https://dheerajdeshmukh.medium.com/get-reverse-shell-through-log-poisoning-with-the-vulnerability-of-lfi-local-file-inclusion-e504e2d41f69
As we can see below, an LFI exists and we can view /etc/passwd.
Using Google, we find that the location of the log files on FreeBSD is:
and we are also able to access the log file through LFI.
In the image given below, notice that the User-Agent "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0" is being logged. Since the User-Agent is completely under our control, we can simply change it to send a reverse shell back to our machine. All you have to do is intercept the request using Burp
and change the "User-Agent" field to a one-liner reverse shell. Always put the reverse shell within the cmd field.
Here we are using exec() instead of shell_exec(); you can also try using system().
Now, after editing the User-Agent, forward the request, and in the response (on the right side of Burp) you will clearly see that we have injected the code.
Now all we have to do is start a netcat listener and trigger the log file by accessing it through the LFI. This executes the command in the log file and gives us a reverse shell.
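As an added example (my own, not from the writeup), here is a small Python detector a defender could run over the same kind of httpd access log: it flags PHP open tags in client-controlled header fields and file= parameters that point at absolute paths or climb with ../. The log lines, the /page.php endpoint and the IPs are constructed for the demo.

```python
import re
from urllib.parse import unquote

# Apache/httpd "combined" log format, the format in the writeup's screenshot.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)
# A PHP open tag has no business in a User-Agent or Referer header.
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
# file= pointing at an absolute path or climbing the tree (checked after one
# round of URL-decoding; double-encoded payloads would need another pass).
LFI_RE = re.compile(r"[?&]file=(?:\.\./|/)", re.IGNORECASE)


def scan_access_log(lines):
    """Return (client_ip, reason) for every request that looks like an LFI
    probe or an attempt to seed the log with PHP code."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: not this detector's job
        if PHP_TAG_RE.search(m["ua"]) or PHP_TAG_RE.search(m["referer"]):
            findings.append((m["ip"], "php-tag-in-header"))
        if LFI_RE.search(unquote(m["uri"])):
            findings.append((m["ip"], "lfi-path-in-file-param"))
    return findings


# Constructed sample log: one normal request, then an /etc/passwd read, a
# User-Agent carrying a PHP tag, and a traversal towards a log directory.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Mar/2024:10:00:01 +0000] "GET /page.php?file=ini.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"',
    '10.0.0.9 - - [07/Mar/2024:10:00:07 +0000] "GET /page.php?file=/etc/passwd HTTP/1.1" 200 1839 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"',
    '10.0.0.9 - - [07/Mar/2024:10:00:12 +0000] "GET /page.php?file=ini.php HTTP/1.1" 200 512 "-" "<?php echo \'poisoned\'; ?>"',
    '10.0.0.9 - - [07/Mar/2024:10:00:20 +0000] "GET /page.php?file=..%2F..%2Flogs%2Faccess.log HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reason in scan_access_log(SAMPLE_LOG):
        print(ip, reason)
```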
NOW, FINALLY, SINCE WE HAVE A LOW-LEVEL SHELL, LET'S CONTINUE
We find a zipped file called secret.zip on the target. We can unzip it using the unzip command, but we get nothing useful out of it.
Let's transfer the secret.zip file to our Kali box so we can take a deeper look at it. For transferring files from Linux to Linux, we can use scp. Now if we unzip it and run file secret (to find out what type of file secret is), it tells us that it is encoded (Non-ISO extended-ASCII text, with no line terminator).
Let's run the ps aux command on the target to see what processes are running
and we immediately see a process called Xvnc running as root.
VNC is graphical remote access software; if we can connect to it, we can access our target graphically. Below, we run ps aux | grep vnc to make sure that VNC is indeed running and to pull it out of all the results.
We run the netstat -an command to look for local listening ports and see that the target is listening on ports 5801 and 5901.
A simple Google search shows us that VNC uses ports 5900+. The results above show that our target is listening on port 5901.
We want to connect to the VNC running on our target, BUT we cannot do it directly, since a firewall can block us. Let's use local port forwarding to forward our target's VNC port 5901 to our Kali's port 5000. To do so, we run the following command
ssh -L [local-port]:[remote-ip]:[remote-port] [user]@[target]
ssh -L 5000:127.0.0.1:5901 firstname.lastname@example.org
LOCAL PORT FORWARDING USING SSH
The above command allocates a socket to listen on port 5000 on localhost of my attack machine (Kali). Whenever a connection is made to port 5000, it is forwarded over the secure channel to port 5901 on localhost of the target machine (Poison).
Let's run the netstat -an command again on our target, and we see that it is listening on port 5000. We did this just to check that our work is done.
Finally, let's connect to the VNC now reachable on our Kali's port 5000. To access VNC we use vncviewer, which comes pre-installed in Kali. When it asks for a password, we try our previous charix password (which we also used for SSH), but it fails!
If you Google "vnc password", you will find that in the vncviewer tool we can specify a password file using the -passwd option.
Let's use the secret file we found earlier as the password file, and it works!!! (I found this very tricky as well)
and we are finally connected to VNC and can grab the root flag.
BONUS (Decrypting VNC Password)
Since we know that the secret file contains the hidden password, why not find out what's inside it and uncover the password in plain text? To crack the secret file, we can use a Python script from GitHub that decrypts VNC password files:
GitHub: trinitronx/vncpasswd.py, a Python implementation of vncpasswd with decryption abilities and extra features (tested on Python 2.7.3).
Once downloaded, just run it with the -d (decrypt) and -f (file) options.
The vnc password is VNCP@$$!
I hope you learned a lot from this writeup. This machine was really informative: we learned about LFI to RCE using a log poisoning attack, local port forwarding, connecting to VNC, and decrypting a VNC password. I would like to give credit to Rana Khalil for her informative writeup.
Make sure you follow me here on Medium for more such OSCP-like writeups and articles. Until next time - ZEUS