Poison Write-up (HTB)

George O, CTF Writeups, Sep 8, 2018

Please note that this was the second write-up I ever drafted, so some of the techniques used here may differ from those in my more recent write-ups. Anyway, this is a write-up for the recently retired Poison machine on the Hack The Box platform. If you don’t already know, Hack The Box is a website where you can further your cybersecurity knowledge by hacking into a range of different machines.

TL;DR: Escalating privileges through an SSH tunnel.

Although Poison is widely considered one of the easier boxes on the platform, I found root fairly hard to obtain, since I spent a few hours following a dead end. Despite this, I ended up learning more about some niche areas of VNC and SSH tunnelling that I knew very little about before.

PART ONE: USER

An initial nmap scan revealed this:

# Nmap 7.70 scan initiated Mon May 28 19:01:19 2018 as: nmap -sV -sC -oN nmap.log 10.10.10.84
Nmap scan report for 10.10.10.84
Host is up (0.039s latency).
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey:
| 2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
| 256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_ 256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open http Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
5802/tcp open http Bacula http config
5902/tcp open vnc VNC (protocol 3.8)
| vnc-info:
| Protocol version: 3.8
| Security types:
| VNC Authentication (2)
| Tight (16)
| Tight auth subtypes:
|_ STDV VNCAUTH_ (2)
5903/tcp open vnc VNC (protocol 3.8)
| vnc-info:
| Protocol version: 3.8
| Security types:
| VNC Authentication (2)
| Tight (16)
| Tight auth subtypes:
|_ STDV VNCAUTH_ (2)
5904/tcp open vnc VNC (protocol 3.8)
| vnc-info:
| Protocol version: 3.8
| Security types:
| VNC Authentication (2)
| Tight (16)
| Tight auth subtypes:
|_ STDV VNCAUTH_ (2)
6002/tcp open X11 (access denied)
6003/tcp open X11 (access denied)
6004/tcp open X11 (access denied)
6005/tcp open X11 (access denied)
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May 28 19:01:50 2018 -- 1 IP address (1 host up) scanned in 31.58 seconds

As shown, we have the usual SSH and HTTP ports, but also some interesting VNC ports, which are worth noting for later.

Let’s take a look at the webpage:

We now know about ini.php, info.php, listfiles.php and phpinfo.php.

From an enumeration standpoint, listfiles.php looks the most interesting. Viewing this file gives us the following:

The site loads the script named in the file GET parameter.

We can take two valuable pieces of information from this:

  1. The data itself (i.e. pwdbackup.txt appears to be a viewable file).
  2. The URL (http://10.10.10.84/browse.php?file=listfiles.php).

Let’s address the URL first. Since the site is passing the filename over in the URL, let’s go ahead and change this to be pwdbackup.txt instead of listfiles.php:

“This password is secure. It’s encoded at least 13 times… what could go wrong really…”

The string here is fairly obviously Base64 encoded, so I used CyberChef to decode it, and thus found the string “Charix!2#4%6&8(0” which looks very much like a password.
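As an added example (not from the write-up), here is a loop that peels nested Base64 layers until the value stops being valid Base64 that decodes to text; it uses a constructed placeholder secret wrapped 13 times rather than the real password:

```python
import base64
import binascii
import re


def _looks_like_text(data: bytes) -> bool:
    """True if `data` is printable ASCII (line breaks and tabs allowed)."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def nest_base64(secret: bytes, layers: int) -> bytes:
    """Build a constructed input: Base64-encode `secret` `layers` times."""
    for _ in range(layers):
        secret = base64.b64encode(secret)
    return secret


def peel_base64(blob: bytes, max_layers: int = 64):
    """Decode Base64 repeatedly until the current value is no longer valid,
    padded Base64 that decodes to text. Returns (innermost value, layers)."""
    current = blob.strip()
    layers = 0
    while current and layers < max_layers:
        compact = re.sub(rb"\s+", b"", current)  # tolerate wrapped lines
        try:
            decoded = base64.b64decode(compact, validate=True)
        except (binascii.Error, ValueError):
            break  # not Base64 any more: this is the innermost layer
        if not decoded or not _looks_like_text(decoded):
            break  # decodes to binary junk, so the previous layer was the answer
        current, layers = decoded.strip(), layers + 1
    return current, layers


if __name__ == "__main__":
    # Constructed placeholder secret, wrapped 13 times like the one in pwdbackup.txt.
    sample = nest_base64(b"example-password!2#4", 13)
    print(peel_base64(sample))  # (b'example-password!2#4', 13)
```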

We can then abuse this LFI further, and view /etc/passwd to find the following:

The contents of /etc/passwd.

The only important thing to note from this is the user charix, who seems to be the only non-system user. With this in mind, we can SSH into the server with the username charix, and the password that we discovered earlier.
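From the defender's side, the two requests above leave an obvious trace in the web server's access log. The following is an added example (not part of the write-up) that flags browse.php requests whose file parameter points outside the four pages the site actually links to; the log lines and the 10.10.14.2 client address are constructed for illustration:

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Pages that browse.php is legitimately expected to load (from the site's index).
ALLOWED_FILES = {"ini.php", "info.php", "listfiles.php", "phpinfo.php"}

# Apache combined log format; only the fields this check needs are captured.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed access-log lines modelled on the requests made in this write-up.
SAMPLE_LOG = [
    '10.10.14.2 - - [28/May/2018:19:05:01 +0000] "GET /browse.php?file=listfiles.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.10.14.2 - - [28/May/2018:19:06:13 +0000] "GET /browse.php?file=pwdbackup.txt HTTP/1.1" 200 1490 "-" "Mozilla/5.0"',
    '10.10.14.2 - - [28/May/2018:19:07:40 +0000] "GET /browse.php?file=/etc/passwd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.10.14.2 - - [28/May/2018:19:08:02 +0000] "GET /browse.php?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.10.14.2 - - [28/May/2018:19:08:30 +0000] "GET /index.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]


def classify_request(target: str) -> list:
    """Reasons a browse.php request looks like LFI abuse ([] if it only names an allowed page)."""
    parts = urlsplit(target)
    if parts.path != "/browse.php":
        return []
    reasons = []
    for raw in parse_qs(parts.query).get("file", []):
        value = unquote(unquote(raw))  # parse_qs decoded once; undo double encoding too
        if ".." in value:
            reasons.append("traversal")
        if value.startswith(("/", "\\")):
            reasons.append("absolute_path")
        if value not in ALLOWED_FILES:
            reasons.append("not_in_allowlist")
    return reasons


def scan_log(lines):
    """Yield (ip, target, reasons) for every suspicious browse.php request."""
    for line in lines:
        match = _LOG_RE.match(line)
        if match:
            reasons = classify_request(match["target"])
            if reasons:
                yield match["ip"], match["target"], reasons


if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(ip, target, reasons)
```

The same allowlist is the fix on the application side: browse.php should only ever include a name that appears in ALLOWED_FILES.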

We have the user flag!

PART TWO: ROOT

With the easy part done, we can move on to privilege escalation. Although this admittedly took me ages, it can be done in only two commands.

Before we get into all the VNC stuff, I’ll begin by mentioning the secret file in the home directory.

As shown in the previous screenshot, there is a secret.zip file in the home directory (the secret folder isn’t supposed to be there). Strangely, the unzip command didn’t seem to work on the server, so I SFTP’d it over to my local machine, unzipped it there, and then transferred the contents back over.

Anyway, we know from the earlier nmap scan that there must be some VNC processes running on the machine, so I listed them all like so:

ps aux | grep -i "vnc"

Okay, so root has a VNC desktop running…

We know that Xvnc servers usually listen on port 5900 + display number, and since the display number for root is 1, the port must be 5901. Since the ps aux output shows that this process is running, we should be able to connect to it, right?

:(

So it’s clear that the service is running, but we just can’t connect.

On the other hand, we can open our own VNC connection as charix, so the VNC server itself must be configured correctly.

I set charix’s VNC password as “password”.

We now have all of the tools needed to connect as root. Essentially, since we cannot connect to root’s VNC service directly, we have to set up an SSH tunnel and connect through that. That way, the connection to port 5901 arrives locally on the server, which is the only place the service accepts it from. The whole process is explained far better here.

To accomplish this SSH tunnel, we use the following command:

ssh -L 5902:localhost:5901 charix@10.10.10.84

We then open a separate terminal, and use this command…

vncviewer -passwd secret localhost:2

…to connect. As you can see, we pass the secret file that we extracted from the zip earlier as the password file (-passwd), so that we are authenticated to root’s desktop (I first had to give the file appropriate permissions with chmod 400 secret).
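The numbers in those two commands are easy to mix up (local display :2 is local port 5902, which the tunnel carries to remote port 5901, root's display :1). The following is an added example, not part of the write-up, that traces that chain and shows why the direct connection failed; the sockstat-style listener table is constructed for illustration and is not output captured from the box:

```python
# Constructed FreeBSD `sockstat -4l` style listing: USER COMMAND PID FD PROTO LOCAL FOREIGN.
# Root's Xvnc bound to 127.0.0.1 is the assumption that explains the refused direct connection.
SAMPLE_LISTENERS = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     Xvnc       529   1  tcp4   127.0.0.1:5901        *:*
root     sshd       611   4  tcp4   *:22                  *:*
charix   Xvnc       1023  1  tcp4   *:5902                *:*
"""


def parse_forward(spec: str):
    """Parse an ssh -L spec `[bind:]lport:host:rport` into (lport, host, rport)."""
    parts = spec.rsplit(":", 3)
    if len(parts) == 4:  # optional bind address given; drop it
        parts = parts[1:]
    lport, host, rport = parts
    return int(lport), host, int(rport)


def vnc_port(target: str):
    """Turn a vncviewer target `host:N` (display N -> 5900+N) or `host::port` into (host, port)."""
    if "::" in target:
        host, port = target.split("::", 1)
        return host, int(port)
    host, display = target.rsplit(":", 1)
    return host, 5900 + int(display)


def find_listener(listing: str, port: int):
    """Return (user, command, local_address) of the socket listening on `port`, else None."""
    for line in listing.splitlines()[1:]:
        fields = line.split()
        addr, lport = fields[5].rsplit(":", 1)
        if int(lport) == port:
            return fields[0], fields[1], addr
    return None


def trace(forward_spec: str, viewer_target: str, listing: str):
    """Follow viewer -> local forward -> remote listener.
    Returns (remote_port, display, user, command, bound_address) or None if the hops don't line up."""
    lport, _host, rport = parse_forward(forward_spec)
    vhost, vport = vnc_port(viewer_target)
    if vhost not in ("localhost", "127.0.0.1") or vport != lport:
        return None  # the viewer is not pointed at the tunnel's local end
    listener = find_listener(listing, rport)
    return None if listener is None else (rport, rport - 5900) + listener


if __name__ == "__main__":
    print(trace("5902:localhost:5901", "localhost:2", SAMPLE_LISTENERS))
```

The loopback-only binding is the point for a defender: it blocks direct connections, but not a user who can already SSH in with port forwarding enabled.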

We can now read the root flag!

And with that, the box is complete.
