POISON
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Poison, which is a retired machine from the Hack The Box pentesting platform:
https://www.hackthebox.eu
2 - ENUMERATION
- Poison's IP is 10.10.10.84:
- Scanning with Nmap it seems there are just 2 open ports and the Operating System is FreeBSD:
- Going deeper with ports SSH 22 and HTTP 80:
- Connecting with the browser we find a test application for local .php scripts:
- Checking ini.php:
- info.php:
- phpinfo.php:
- listfiles.php lets us know that there is a promising text file called pwdbackup.txt:
- By the way, before going ahead, we detect the presence of an LFI vulnerability, though this will not be our attack vector:
- Anyway, from /etc/passwd we learn of the existence of a user called charix.
- Reading pwdbackup.txt we find a password that has been base64 encoded 13 times:
- Copying it locally to the attacking machine:
- Now, applying the base64 decoding process 13 times, we find a password:
https://codebeautify.org/base64-decode
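- The same 13-round decoding can be scripted instead of pasting into a web decoder. The block below is an added example and not part of the original write-up; the sample secret it wraps is constructed for the demo, not the password from the machine. It shows both the fixed-count approach used above and a variant that keeps peeling layers until the text stops looking like base64:

```shell
#!/bin/sh
# Added example (not from the original write-up): peel repeated base64 layers
# off a string, as done by hand 13 times for pwdbackup.txt.
# The sample secret below is constructed for this demo, not the machine's password.

# Decode exactly N layers of base64 (the write-up knows the count is 13).
decode_layers() {
    data=$1
    n=$2
    i=0
    while [ "$i" -lt "$n" ]; do
        # base64 -d refuses malformed input; stop rather than emit garbage
        data=$(printf '%s' "$data" | base64 -d 2>/dev/null) || return 1
        i=$((i + 1))
    done
    printf '%s' "$data"
}

# Keep decoding while the text still looks like base64 (only A-Za-z0-9+/ plus
# padding); stops at the first layer that contains any other character.
decode_until_plain() {
    data=$1
    while printf '%s' "$data" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'; do
        next=$(printf '%s' "$data" | base64 -d 2>/dev/null) || break
        data=$next
    done
    printf '%s' "$data"
}

# Helper to build a test input: wrap a string in N layers of base64.
# tr strips the line wrapping GNU base64 adds, so each layer is one line.
encode_layers() {
    data=$1
    n=$2
    i=0
    while [ "$i" -lt "$n" ]; do
        data=$(printf '%s' "$data" | base64 | tr -d '\n')
        i=$((i + 1))
    done
    printf '%s' "$data"
}

# Demo with a constructed secret (contains '-' and '!', so it is clearly not base64)
SAMPLE_SECRET='demo-p4ss!word'
WRAPPED=$(encode_layers "$SAMPLE_SECRET" 13)
echo "13-layer blob length: ${#WRAPPED}"
echo "decode_layers      -> $(decode_layers "$WRAPPED" 13)"
echo "decode_until_plain -> $(decode_until_plain "$WRAPPED")"
```

- Note that base64 is an encoding, not encryption: no key is involved, so a "13 times base64" backup offers no protection at all, which is the real finding here.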
3 - EXPLOITATION
- This password allows an SSH connection for user charix:
4 - CAPTURING THE 1st FLAG
- Reading user.txt:
5 - PRIVILEGE ESCALATION
- Aside from user.txt there is a secret.zip that we try to unzip unsuccessfully:
- A file called secret is created, but it is empty and useless, so it's probably a good idea to remove it:
- Let's move secret.zip to Kali:
- Unzipping secret.zip with the password found before:
- Now it seems that the file secret could contain a valid password; at least it's not empty:
- Let's transfer it from Kali to Poison, so that it can be used later:
- At this point of the exploitation, sockstat (a FreeBSD command) lists all open sockets (option -4 for IPv4):
https://www.freebsd.org/cgi/man.cgi?query=sockstat&sektion=1&manpath=freebsd-release-ports
- Poison is listening locally at ports 5801 and 5901 for a VNC (Virtual Network Computing) connection:
- However, both ports seem closed externally, so we cannot access them directly from Kali:
- The solution would be to use SSH tunneling, which is explained thoroughly here:
https://www.hackingarticles.in/comprehensive-guide-on-ssh-tunneling/
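- To make the sockstat finding concrete, the block below is an added example (not from the original write-up) that reads sockstat -4 style output and separates listeners bound only to loopback from listeners bound to every interface. The sample output is constructed to mirror the situation on Poison, not captured from the machine; the 10.10.14.2 client address in it is likewise made up:

```shell
#!/bin/sh
# Added example (not from the original write-up): classify sockstat -4 listeners.
# The sample output is constructed for this demo, not captured from the machine.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     Xvnc       529   1  tcp4   127.0.0.1:5901        *:*
root     Xvnc       529   3  tcp4   127.0.0.1:5801        *:*
root     sshd       620   4  tcp4   *:22                  *:*
www      httpd      634   4  tcp4   *:80                  *:*
charix   sshd       701   5  tcp4   10.10.10.84:22        10.10.14.2:51234'

# Listening TCP sockets (foreign address *:*) whose local address is loopback.
# Output: ports, ascending, space separated.
loopback_listeners() {
    printf '%s\n' "$1" | awk '
        $5 ~ /^tcp/ && $7 == "*:*" && $6 ~ /^127\.0\.0\.1:/ {
            sub(/^127\.0\.0\.1:/, "", $6); print $6
        }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Listening TCP sockets bound to all interfaces (*:port), i.e. visible to Nmap.
exposed_listeners() {
    printf '%s\n' "$1" | awk '
        $5 ~ /^tcp/ && $7 == "*:*" && $6 ~ /^\*:/ {
            sub(/^\*:/, "", $6); print $6
        }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# The external scan from Kali only ever sees the exposed set (22 and 80); the
# loopback set (5801 and 5901) is the "closed externally" VNC pair. A loopback
# bind is not a security boundary against anyone who already has a shell on the
# host: an SSH local forward through the existing charix session reaches it,
# e.g. ssh -L 5901:127.0.0.1:5901 charix@10.10.10.84 and then vncviewer on
# 127.0.0.1:5901, which is the tunnelling step described above.
echo "loopback only : $(loopback_listeners "$SAMPLE_SOCKSTAT")"
echo "all interfaces: $(exposed_listeners "$SAMPLE_SOCKSTAT")"
```

- The established charix session (foreign address set) is deliberately excluded by the foreign-address check, so only listening sockets are reported.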
- vncviewer is the client for the remote VNC virtual desktop connection:
6 - CAPTURING THE 2nd FLAG
- Reading root.txt:
- Also, root.txt can be transferred to Kali with Netcat:
- Netstat lists active connections on Poison: