Sunday, February 3, 2019

Poison


POISON

- Layout for this exercise:




1 - INTRODUCTION

The goal of this exercise is to develop a hacking process for the vulnerable machine Poison, which is a retired machine from the Hack The Box pentesting platform:

https://www.hackthebox.eu


2 - ENUMERATION

- Poison's IP is 10.10.10.84:



- Scanning with Nmap it seems there are just 2 open ports and the Operating System is FreeBSD:





- Going deeper with ports SSH 22 and HTTP 80:




- Connecting with the browser we find a test application for running local .php scripts:




- Checking ini.php:









- info.php:





- phpinfo.php:








- listfiles.php lets us know that there is a promising text file called pwdbackup.txt:







- By the way, before going ahead, we detect an LFI (Local File Inclusion) vulnerability, though this will not be our attack vector:






- Anyway, from /etc/passwd (read through that LFI) we learn that a user called charix exists.
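- As an added example that is not part of the original write-up, the check worth running on a passwd file pulled back through an LFI: keep only the accounts that can actually log in, because FreeBSD ships many system accounts with /usr/sbin/nologin, and confirm first that the response really is a passwd file. The passwd content below is constructed for the example (uids, homes and the toor entry are assumptions); only the charix name comes from the box.

```sh
#!/bin/sh
# Added example, not from the original post. Filters a passwd(5) file for
# accounts with a usable login shell. The sample is constructed to look like
# a FreeBSD /etc/passwd; everything except the charix name is an assumption.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
charix:*:1001:1001:charix:/home/charix:/bin/csh'

# looks_like_passwd: succeed when stdin contains a well-formed root entry,
# i.e. the LFI returned /etc/passwd and not an error page or empty body.
looks_like_passwd() {
  grep -Eq '^root:[^:]*:0:0:'
}

# login_accounts: read passwd lines on stdin and print "user:uid:shell" for
# every entry whose shell is not nologin/false. An empty shell field means
# /bin/sh per passwd(5), so it is a login account too (FreeBSD's toor).
# The "*" in field 2 only says the hash lives in master.passwd; it does not
# mean the account is locked, so do not discard those users.
login_accounts() {
  awk -F: 'NF == 7 {
    sh = ($7 == "") ? "/bin/sh" : $7
    if (sh !~ /(nologin|false)$/) print $1 ":" $3 ":" sh
  }'
}

# Usage on a fetched copy: curl -s "$LFI_URL" | tee passwd.txt | looks_like_passwd && login_accounts < passwd.txt
```

Any uid 0 entry besides root (toor above) is a second superuser worth noting, and the accounts printed here are the only ones worth spraying a recovered password against over SSH.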


- Reading pwdbackup.txt we find a password that has been base64-encoded 13 times (base64 is an encoding, not encryption, so no key is needed to reverse it):




- Copying it locally to the attacking machine:



- Now, applying the base64 decoding process 13 times, we recover a password:

https://codebeautify.org/base64-decode
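- The same 13-round decoding done locally with coreutils base64, as an added example that is not part of the original write-up (no need to paste a credential into a web decoder). The secret used in the test data is a constructed sample; the contents of pwdbackup.txt are not reproduced here.

```sh
#!/bin/sh
# Added example, not from the original post: peel N layers of base64 with
# coreutils `base64`. The sample secret below is constructed; the real
# pwdbackup.txt content is not reproduced here.

# is_base64 STRING: succeed if STRING is non-empty and only base64 alphabet/padding
is_base64() {
  [ -n "$1" ] || return 1
  case "$1" in
    *[!A-Za-z0-9+/=]*) return 1 ;;
  esac
  return 0
}

# wrap_base64 PLAINTEXT N: encode N times (used here only to build test data)
wrap_base64() {
  data=$1
  n=$2
  while [ "$n" -gt 0 ]; do
    data=$(printf '%s' "$data" | base64 | tr -d '\n')
    n=$((n - 1))
  done
  printf '%s' "$data"
}

# peel_base64 BLOB N: decode N times. Line wraps and stray whitespace (as in a
# file copied out of a browser) are stripped first; fails loudly if any layer
# is not valid base64, so a wrong round count is noticed instead of producing garbage.
peel_base64() {
  data=$(printf '%s' "$1" | tr -d '\n\r\t ')
  n=$2
  layer=0
  while [ "$n" -gt 0 ]; do
    layer=$((layer + 1))
    if ! is_base64 "$data"; then
      echo "layer $layer is not base64: $data" >&2
      return 1
    fi
    data=$(printf '%s' "$data" | base64 -d) || { echo "decode failed at layer $layer" >&2; return 1; }
    n=$((n - 1))
  done
  printf '%s' "$data"
}

# Usage on the file from the box: peel_base64 "$(cat pwdbackup.txt)" 13
```

The round count is taken from the text rather than guessed: a plaintext password can itself happen to consist only of base64 characters, so "decode until it stops looking like base64" would overshoot by one round on such a password.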




3 - EXPLOITATION

- This password allows an SSH connection for user charix:







4 - CAPTURING THE 1st FLAG

- Reading user.txt:








5 - PRIVILEGE ESCALATION

- Aside from user.txt there is a secret.zip that we try to unzip unsuccessfully:




- A file called secret is created, but it is empty and useless, so it is probably a good idea to remove it:





- Let's move secret.zip to Kali:






- Unzipping secret.zip with the password found before:







- Now the file secret is at least not empty, so it could hold a valid password:




- Let's transfer it from Kali to Poison, so that it will be used later:









- At this point of the exploitation, sockstat (a FreeBSD command) lists all open sockets (option -4 restricts the output to IPv4):

https://www.freebsd.org/cgi/man.cgi?query=sockstat&sektion=1&manpath=freebsd-release-ports






- Poison is listening locally at ports 5801 and 5901 for a VNC (Virtual Network Computing) connection:






- However both ports appear closed externally, so we cannot reach them directly from Kali:





- The solution is to use SSH tunneling, which is explained thoroughly here:

https://www.hackingarticles.in/comprehensive-guide-on-ssh-tunneling/





- vncviewer is the client for the remote VNC virtual desktop connection:
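- As an added example that is not part of the original write-up, the steps above (sockstat, SSH local forward, vncviewer) in shell: pick the loopback-only listeners out of sockstat output and turn them into the ssh -L arguments. The sockstat lines are a constructed sample shaped like Poison's (process names, PIDs and file descriptors are assumptions); the host, user and file names in the usage comment are the ones used in this write-up.

```sh
#!/bin/sh
# Added example, not from the original post: find TCP listeners bound only to
# 127.0.0.1 in `sockstat -4 -l` output and build matching `ssh -L` forwards.
# SAMPLE_SOCKSTAT is constructed; process names, PIDs and FDs are assumptions.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     Xvnc       529   1  tcp4   127.0.0.1:5901        *:*
root     Xvnc       529   3  tcp4   127.0.0.1:5801        *:*
root     sshd       620   4  tcp4   *:22                  *:*
www      httpd      640   4  tcp4   *:80                  *:*'

# loopback_listeners: print "user command port" for every tcp socket whose
# local address is 127.x (reachable from the box only, hence worth forwarding)
loopback_listeners() {
  awk '$5 ~ /^tcp/ && $6 ~ /^127\./ { split($6, a, ":"); print $1, $2, a[2] }'
}

# forward_args: one "-L port:127.0.0.1:port" per loopback listener, on one line
forward_args() {
  loopback_listeners | awk '{ args = args (args ? " " : "") "-L " $3 ":127.0.0.1:" $3 } END { print args }'
}

# is_vnc_passwd_file FILE: the classic VNC password file is exactly 8
# obfuscated bytes, which is the format `vncviewer -passwd` expects; a
# plaintext password in a file will not authenticate.
is_vnc_passwd_file() {
  [ "$(wc -c < "$1" | tr -d ' ')" -eq 8 ]
}

# Usage from Kali (charix's SSH password is asked for twice):
#   FWD=$(ssh charix@10.10.10.84 sockstat -4 -l | forward_args)
#   ssh -N -f $FWD charix@10.10.10.84      # tunnel only, no remote shell
#   is_vnc_passwd_file secret && vncviewer -passwd secret 127.0.0.1:1
```

VNC display :1 serves the RFB protocol on 5901 and the built-in HTTP/Java viewer on 5801, so forwarding 5901 is enough for vncviewer; 127.0.0.1:1 means display :1 on the local end of the tunnel, i.e. port 5901. Because the listener runs as root, the desktop that opens is a root session.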







6 - CAPTURING THE 2nd FLAG

- Reading root.txt:





- Also, root.txt can be transferred to Kali with Netcat:








- Netstat lists active connections for Poison:










Legacy


LEGACY

- Layout for this exercise:





1 - INTRODUCTION

The goal of this exercise is to develop a hacking process for the vulnerable machine Legacy, which is a retired machine from the Hack The Box pentesting platform:

https://www.hackthebox.eu


2 - ENUMERATION

- Legacy's IP is 10.10.10.4:




- Scanning with Nmap we learn that a Windows XP system is running the SMB service at ports 139 and 445:




- Scanning deeper those two ports:





- Looking for vulnerabilities on port 139:




- Looking for vulnerabilities on port 445:



- To sum it up, we have discovered these potential vulnerabilities:

  • CVE-2008-4250
  • CVE-2017-0143
  • CVE-2009-3103
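- As an added example that is not part of the original write-up, the triage step behind that list: pull the CVE identifiers out of nmap smb-vuln-* host-script output, keeping only scripts whose State is VULNERABLE and ignoring the ones that report false, NOT VULNERABLE or an error. The nmap output below is constructed in the host-script format for this purpose, not a capture from Legacy.

```sh
#!/bin/sh
# Added example, not from the original post: list the CVEs that nmap's
# smb-vuln-* scripts reported as VULNERABLE. SAMPLE_NMAP is constructed in
# nmap's host-script output format; it is not a capture from the box.
SAMPLE_NMAP='Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_    Risk factor: HIGH
| smb-vuln-cve2009-3103:
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103
|_    Risk factor: HIGH'

# vulnerable_cves: read nmap output on stdin, print one CVE per line (in the
# order seen, without duplicates) for every script block that reached
# "State: VULNERABLE". A CVE mentioned in a block title before that state
# line is not counted, and "State: NOT VULNERABLE" never matches.
vulnerable_cves() {
  awk '
    /^[|]_?[ ]*smb-vuln-/ { vuln = 0 }          # a new script block resets the state
    /State: VULNERABLE/   { vuln = 1 }
    vuln && match($0, /CVE-[0-9]+-[0-9]+/) {
      cve = substr($0, RSTART, RLENGTH)
      if (!seen[cve]++) print cve
    }
  '
}

# Usage against the box (scan command, then triage):
#   nmap -p139,445 --script "smb-vuln-*" -oN legacy-smb.txt 10.10.10.4
#   vulnerable_cves < legacy-smb.txt
```

Run the scan with normal output saved (-oN) so the triage can be repeated without touching the host again; on an XP target the vulnerable-service checks are the part most likely to need a re-run.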



3 - EXPLOITATION


- There are several Metasploit modules associated with these vulnerabilities.

- For instance ms08_067_netapi is able to exploit CVE-2008-4250:









- Launching Metasploit and taking the module ms08_067_netapi:








- Once we get a Meterpreter session running as SYSTEM it is easy to spawn a shell:






4 - CAPTURING THE FLAGS

- Reading user.txt:





- Reading root.txt: