Quantcast
Channel: CodeSection,代码区,网络安全 - CodeSec
Viewing all articles
Browse latest Browse all 12749

Hack the Box: Poison Walkthrough

0
0

Hello everyone and welcome to yet another CTF challenge from hack the box, called ‘Poison,’ which is available online for those who want to increase their skill in penetration testing and black box testing.Poison is a retired vulnerable lab presented by Hack the Box for making online penetration testing practice suitable to your experience level; they have a large collection of vulnerable labs as challenges, ranging from beginner to expert level.

Level:Easy

Task:Find user.txt and root.txt in victim’s machine

Methodology:

Port scanning Using LFI to find username Gaining encrypted password file using LFI Decrypting password file Logging in to SSH using decrypted password Transferring ZIP file and extracting to find a secret file Discovery of VNC on machine VNC tunneling over SSH to get root shell Grabbing flag

Let’s get started then!

Since, these labs have a static IP, the IP address for poison is 10.10.10.84. Let us scan the VM with the most popular port scanning tool, nmap.

nmap -A 10.10.10.84
Hack the Box: Poison Walkthrough

From the result above we found two working ports on the VM, port 22 and 80 which are universal default ports for SSH and HTTP.

We immediately headed over to the webpage.


Hack the Box: Poison Walkthrough

It was crystal clear only by reading that there was an LFI vulnerability involved. We tested it by inputting /etc/passwd in the scriptname section.


Hack the Box: Poison Walkthrough

Which led us to the following output


Hack the Box: Poison Walkthrough

From here we found that the username was “ charix.” But before moving on to that part we tried all the scriptnames one by one given in the previous webpage.

It was going all monotonous until we found an interesting text file in the “ listfiles.php ” script.


Hack the Box: Poison Walkthrough

The listfiles.php was a script that enumerated an array of the files


Hack the Box: Poison Walkthrough

We found an interesting file called pwdbackup.txt. On opening it by the same process we found an encrypted password.


Hack the Box: Poison Walkthrough

But it wasn’t a normal encryption, the password was encrypted 13 times . Just by looking we could tell that it was base64 encoding. So, we copied the password in a notepad file and removed the spaces between the password’s lines (present by default) and wrote the following command to decrypt it:

cat decode | base64 -d| base64 -d| base64 -d| base64 -d| base64 -d| base64 -d| base64 -d| base64 -d| base64 -d| base64 -d| base64 -d| base64 -d| base64 d
Hack the Box: Poison Walkthrough

Voila! The password was found to be Charix!2#4%6&8(0

A complete logical shot in the dark was that it was the password to secure shell of the victim. So, we tried logging in to SSH.

ssh charix@10.10.10.84 ls
Hack the Box: Poison Walkthrough

And just like that we were logged in! We found the first flag (user.txt) and another file called secret.zip

We tried unzipping it on the spot but it didn’t work. So, instead we transferred the file to our system using scp (complete articlehere)

scp charix@10.10.10.84:secret.zip /root/Desktop/ cd Desktop unzip secret.zip
Hack the Box: Poison Walkthrough

We got a file “secret” which could be the password of another service.

We were far from convinced that no other service was running so we scanned the victim using socat. (To read more: https://packages.debian.org/sid/sockstat)

sockstat -4 -l
Hack the Box: Poison Walkthrough

Port number 5901 and 5908 were open which clearly are the port numbers for VNC! This could be way in.

We followed the SSH tunneling methodology (referhere)

ssh -L 5901:127.0.0.1:5901 charix@10.10.10.84
Hack the Box: Poison Walkthrough

IT will open up a shell. In a new terminal write:

vncviewer -passwd secret 127.0.0.1:5901
Hack the Box: Poison Walkthrough

We saw authentication successful tag!

What was left now but to:

ls cat root.txt

And this is how we owned the poison VM. Hope you enjoyed because we surely did!


Hack the Box: Poison Walkthrough

Author: Harshit Rajpalis an InfoSec researcher and a left and right brain thinker. contact here


Viewing all articles
Browse latest Browse all 12749

Latest Images

Trending Articles





Latest Images