Sunday, February 3, 2019

Poison


POISON

- Layout for this exercise:




1 - INTRODUCTION

The goal of this exercise is to develop a hacking process for the vulnerable machine Poison, what is a retired machine from the Hack The Box pentesting platform:

https://www.hackthebox.eu


2 - ENUMERATION

- Poison's IP is 10.10.10.84:



- Scanning with Nmap it seems there are just 2 open ports and the Operating System is FreeBSD:





- Going deeper with ports SSH 22 and HTTP 80:




- Connecting with the browser we find a local .php scripts test application:




- Checking ini.php:









- info.php:





- phpinfo.php:








- listfiles.php lets us know that there is a promising text file called pwdbackup.txt:







- By the way, before going ahead, we detect the presence of an LFI vulnerability, though this will not be our vector attack:






- Anyway from /etc/passwd we learn the existence of a user called charix.


- Reading pwdbackup.txt we find a 13 times base64 encrypted password:




- Copying it locally to the attacking machine:



- Now, applying by 13 times the base64 decoding process we find a password:

https://codebeautify.org/base64-decode




3 - EXPLOITATION

- This password allows an SSH connection for user charix:







4 - CAPTURING THE 1st FLAG

- Reading user.txt:








5 - PRIVILEGE ESCALATION

- Aside from user.txt there is a secret.zip that we try to unzip unsuccessfully:




- A file secret is created, but it is empty and useless so it's probably a good idea to remove it:





- Let's move secret.zip to Kali:






- Unzipping secret.zip with the password found before:







- Now it seems that the file secret could be a valid password, it's not empty at least:




- Let's transfer it from Kali to Poison, so that it will be used later:









- At this point of the exploitation sockstat (FreeBSD command) lists all open sockets (option -4 for IPv4):

https://www.freebsd.org/cgi/man.cgi?query=sockstat&sektion=1&manpath=freebsd-release-ports






- Poison is listening locally at ports 5801 and 5901 for a VNC (Virtual Network Computing) connection:






- However both ports seem closed externally, so we cannot access directly to them from Kali:





- The solution would be to use S
SH Tunneling, what is explained thoroughly here:

https://www.hackingarticles.in/comprehensive-guide-on-ssh-tunneling/





- vncviewer is the client for the remote VNC virtual desktop connection:







6 - CAPTURING THE 2nd FLAG

- Reading root.txt:





- Also, root.txt can be transferred to Kali with Netcat:








- Netstat lists active connections for Poison: