Hello everyone and welcome to yet another CTF challenge from Hack the Box, called 'Poison', which is available online for those who want to sharpen their skills in penetration testing and black-box testing. Poison is a retired vulnerable lab presented by Hack the Box for online penetration testing practice suited to your experience level; they have a large collection of vulnerable labs as challenges, ranging from beginner to expert level.
Level: Easy
Task: Find user.txt and root.txt on the victim's machine
Methodology:
1. Port scanning
2. Using LFI to find the username
3. Obtaining the encoded password file using LFI
4. Decoding the password file
5. Logging in to SSH using the decoded password
6. Transferring the ZIP file and extracting it to find a secret file
7. Discovery of VNC on the machine
8. VNC tunnelling over SSH to get a root shell
9. Grabbing the flag
Let's get started then!
Since these labs have a static IP, the IP address for Poison is 10.10.10.84.
Let us scan the VM with the most popular port scanning tool, nmap:
nmap -A 10.10.10.84
From the result above we found two open ports on the VM, 22 and 80, which are the default ports for SSH and HTTP.
We immediately headed over to the webpage.
It was clear just from reading the page that an LFI vulnerability was involved. We tested it by entering /etc/passwd in the scriptname parameter, which led to the following output:
From here we found that the username was "charix." But before moving on to that part we tried, one by one, all the script names given on the previous webpage.
It was all monotonous until we found an interesting text file referenced in the "listfiles.php" script.
listfiles.php was a script that enumerated an array of files:
We found an interesting file called pwdbackup.txt. Opening it by the same process revealed an encoded password.
But it was not a single layer of encoding: just by looking at it we could tell it was base64, applied 13 times over.
So we copied the password into a text file (decode), removed the whitespace between the password's lines (present by default), and ran the following command to decode it:
cat decode | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d
Voila! The password was found to be Charix!2#4%6&8(0.
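As an added example (not part of the original write-up), here is a small Python helper that automates the layer-peeling done by the pipeline above: it strips the line breaks, base64-decodes one layer at a time, and stops when the data is no longer valid base64 or no longer printable text, reporting how many layers it removed. The sample blob is constructed inside the script; the wrap_layers helper exists only to build that test input and is not something from the box.

```python
import base64
import binascii
import string

PRINTABLE = set(string.printable)


def wrap_layers(text, layers, width=76):
    """Constructed test data: apply `layers` rounds of base64 to `text`,
    breaking each round's output into `width`-column lines the way the
    backup file in the write-up was line-wrapped."""
    data = text.encode()
    for _ in range(layers):
        encoded = base64.b64encode(data).decode()
        data = "\n".join(encoded[i:i + width] for i in range(0, len(encoded), width)).encode()
    return data.decode()


def peel_base64(blob, max_layers=64):
    """Repeatedly strip whitespace and base64-decode `blob` until the result
    is no longer valid base64 or no longer printable ASCII.
    Returns (innermost_text, layers_removed).

    Caveat: a plaintext that happens to be valid base64 whose decode is also
    printable would be peeled one layer too far, so check the result by eye."""
    current = blob
    layers = 0
    while layers < max_layers:
        compact = "".join(current.split())  # drop line breaks and spaces
        try:
            decoded = base64.b64decode(compact, validate=True)
        except (binascii.Error, ValueError):
            break  # not base64: we have reached the innermost text
        try:
            text = decoded.decode("ascii")
        except UnicodeDecodeError:
            break  # binary output: the previous layer was the answer
        if not text or not set(text) <= PRINTABLE:
            break
        current = text
        layers += 1
    return current, layers


# Constructed sample: the password recovered above, wrapped 13 times.
SAMPLE_BLOB = wrap_layers("Charix!2#4%6&8(0", 13)

if __name__ == "__main__":
    plaintext, depth = peel_base64(SAMPLE_BLOB)
    print(f"removed {depth} layers -> {plaintext!r}")
```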
A complete shot in the dark was that it was the password for the victim's SSH service. So, we tried logging in to SSH and listed the home directory:
ls
And just like that we were logged in! We found the first flag (user.txt) and another file called secret.zip.
We tried unzipping it on the spot but it did not work, so instead we transferred the file to our system using scp:
scp charix@10.10.10.84:secret.zip /root/Desktop/
cd Desktop
unzip secret.zip
We got a file "secret", which could be the password for another service.
We were far from convinced that no other service was running, so we listed the listening sockets on the victim with sockstat (to read more: https://packages.debian.org/sid/sockstat):
sockstat -4 -l
Ports 5901 and 5908 were open, which are clearly VNC port numbers! This could be the way in.
Forwarding local port 5901 to the VNC service on the victim over SSH (step 8 of the methodology) also opens up a shell. In a new terminal, write:
vncviewer -passwd secret 127.0.0.1:5901
We saw the "authentication successful" tag!
What was left now but to:
ls
cat root.txt