Poison WriteUp

Chackal
Sep 8, 2018 · 4 min read

Hi everybody, I will do my best to show you the way I used to get root on the Poison machine from Hack The Box at 10.10.10.84. This is my first official WriteUp, so …

First of all, let's run a scan to see which ports and services are open on it, using nmap like this:

We can see that two ports are open (ssh and http), so let's look at the website and see whether it holds any information that can help us.

10.10.10.84

After trying all the listed options (ini.php, info.php, listfiles.php, etc.), we notice that browse.php simply serves whatever file name is passed in its file parameter, and that entering listfiles.php in the Scriptname field reveals a backup file (pwdbackup.txt) which looks interesting.

10.10.10.84/browse.php?file=listfiles.php

Let's look at the content of this file:

http://10.10.10.84/pwdbackup.txt

The file tells us that it contains a password which has been base64-encoded 13 times, so we have to decode it 13 times as well. Doing so gives the following password: Charix!2#4%6&8(0 .
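The layered decoding, as an added example (my code, not from the original WriteUp). The actual pwdbackup.txt is not reproduced on the page, so the block builds its own sample by re-encoding the recovered password 13 times with the line wrapping that base64 tools add; that sample is constructed input. peel_base64() then strips whitespace and decodes layer by layer until the result is no longer valid, printable base64, so it finds the depth on its own instead of trusting the hint's count of 13, and it also copes with a password that happens to use only base64 characters (the printable check stops it one step before it would decode the password into garbage).

```python
import base64
import binascii
import textwrap

# Final password recovered in the write-up; used here only to build sample input.
PASSWORD = "Charix!2#4%6&8(0"


def encode_layers(plaintext: str, layers: int, wrap: int = 76) -> str:
    """Constructed test data: base64-encode `plaintext` `layers` times and wrap
    the final blob at `wrap` columns, like the base64 command line tool does.
    This stands in for pwdbackup.txt, whose content the page does not show."""
    data = plaintext.encode()
    for _ in range(layers):
        data = base64.b64encode(data)
    return "\n".join(textwrap.wrap(data.decode("ascii"), wrap)) + "\n"


def _printable(data: bytes) -> bool:
    """True if every byte is printable ASCII or ordinary whitespace."""
    return all(32 <= b < 127 or b in b"\t\r\n" for b in data)


def peel_base64(blob: str, max_layers: int = 64) -> tuple[str, int]:
    """Strip whitespace and base64-decode repeatedly.

    Stops when the current text is not valid base64 (the real password contains
    '!' and '#', so it fails this check), when decoding yields non-printable
    bytes (a password made only of base64 characters would otherwise be decoded
    one step too far), or after `max_layers` rounds as a safety limit.
    Returns (innermost text, number of layers removed)."""
    current = blob.encode("ascii", errors="replace")
    layers = 0
    while layers < max_layers:
        candidate = b"".join(current.split())  # drop line wrapping / trailing newline
        try:
            decoded = base64.b64decode(candidate, validate=True)
        except (binascii.Error, ValueError):
            break
        if not decoded or not _printable(decoded):
            break
        current = decoded
        layers += 1
    return current.decode("ascii", errors="replace"), layers


if __name__ == "__main__":
    sample = encode_layers(PASSWORD, 13)
    password, depth = peel_base64(sample)
    print(f"removed {depth} layers -> {password}")
```

On the real file you would read pwdbackup.txt into `blob` instead of calling encode_layers(); the whitespace stripping matters because the backup is wrapped across several lines, which makes a plain single-pass decoder fail on the very first layer.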

At this point, remember that there is an open ssh port. After some guessing we find that the username is charix and the password is Charix!2#4%6&8(0 . Let's log in with these credentials and grab the user flag:

After grabbing it, we notice a file (secret.zip) that could help us become root. Let's fetch it by starting Python's HTTP server on port 1234 on the remote machine and downloading the file with wget on our machine.

Unzipping it requires a password; again, after some guessing, it turns out to be the same as charix's password. We then check its content and see that it is unreadable binary.

Content of secret

Back on the Poison machine, let's look for something that could help us. After checking the kernel version and the other usual things (nothing there), let's see which services are running as root and which of them are vulnerable or reachable with some trick.

Only one service catches our attention: a VNC desktop launched by root. So there is a VNC server running, but it is invisible from the outside, because only two ports are open on this machine and neither of them is the VNC port. We therefore need a way to relay our connection from our machine to the remote one. Let's activate our genius brain to find a way to do so (in reality, search on Google :D).

We found that we can reach the VNC server through SSH local port forwarding (ssh -L: a port on our side is forwarded through the SSH session to a destination reachable from the server); I found this technique here. With the following command we bind port 5555 on our localhost to port 5901 (VNC display :1) on the remote machine:

ssh charix@10.10.10.84 -L 5555:localhost:5901

Then, using a VNC client such as vncviewer, we can try to connect to the remote desktop via localhost and the port we chose (5555).

Remembering the secret file we unzipped earlier, and after reading about the different VNC authentication options, we find that vncviewer can take a password file as its password argument (the -passwd option of TigerVNC's vncviewer; vncpasswd stores the password as a small blob obfuscated with DES under a fixed key, which is why the file looked like garbage rather than text). So let's try it with the secret file:

SSH tunnel and VNC client connection attempt

Et voilà, we are root.

I hope this is clear and understandable for everyone. Feel free to correct me if I made a mistake; I am an eternal learner.
