Poison Box Writeup & Walkthrough – [HTB] – HackTheBox

Introduction

Poison is a machine on the HackTheBox.

Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. It contains several challenges that are constantly updated.

This article will show how to hack Poison box and get user.txt and root.txt.

PoisonBox

Collection

Firstly, as you know, we scan the ports and figure out what can we do.

PoisonBoxScanPorts

There are two ports open. One is HTTP port (Port 80) and another is SSH port. (Port 22). Then, let’s move on hacking Poison Box.

Hack the Poison Box

Get the User.txt

We open the browser, and visit Poison Box web-site.

PoisonBoxWeb

It looks like has LFI security issue. Let’s try a basic test. We input Scriptname: listfiles.php

PoisonBoxWebListFiles

As we can see, it lists web files. There is a file that very special (pwdbackup.txt)! What does this file contain?

We replace listfiles.php to pwdbackup.txt.

Poison Box Password

As he mentioned, the password is encoded, and it uses base64 to encode password. However, base64 is not a one-way encode. It can be decode. So, we decode the “pass”. You can decode online or use burpsuit. After decode, we got the password: Charix!2#4%6&8(0

However, we still did not know the username. As I mentioned before, it has LFI issue. We replace pwdbackup.txt to ../../../../etc/passwd.

PoisonBoxEtcPasswd

Now, we know that Poison box username is charix!

We know username and password. Then, we can login via ssh. And then, got user.txt!

Poison Box SSHLogin

Poison Box UserTXT

Get Root.txt

We list the current folder, and we find there is a interest file: secret.zip

PoisonBoxSecretFile

We download the secret.zip file to our local Kali Linux.

First, we copy the secret.zip file to /tmp folder. (Because we cannot access the web folder).

Then, we use the following command to download file:

wget "http://10.10.10.84/browse.php?file=../../../../../../../tmp/secret.zip"

Then, we exact file by using same password. However, after unzip, we use cat command to check the content of secret file, it is un-readable.

Poison Box CatSecret

Now, we need to figure out where we use secret file. We check the current network connections by using netstat command.

Poison Box Netstat

Ha, we find there are 2 ports (5801, 5901) that listening on local ip address. And, these 2 ports shows that there is a VNC service on Poison Box! The secret file is VNC Password.

We use this tool to crack VPC Password File, vncpwd.

Then, we got the VNC Password: [email protected]$$!

However, the VNC listen to the local port. We need to find a way to “remote” connect it.

We use port re-direct & forward strategy.

First, we go to /tmp folder, and create FIFO file. If you want to know that is FIFO file, you can read this link.

mkfifo fifo

Then, we re-direct the network traffic from 5904 to 5901.

cat /tmp/fifo | nc localhost 5901 | nc -l 5904 > /tmp/fifo

PoisonBoxFifo

Little explain:

1. We listen to the port 5904 and then, we connect to port 5904. The traffic will re-direct from 5904 to 5901. This means we can connect 5901 remotely.

2. VNC will create another ports for other users. For example, if I login as Charix user, and create VNC server. It will open 5802 and 5902. Then, if another person login as XXX user, and create VNC server. It will open 5803 and 5903 etc…

3. Port 5801 and 5901 usually for root user. Usually, port 5901 is for communication.

4. For VNC connection, we can user vncviwer. If we want to connect 5901 port. We just run command: vncviwer IP:1 (client 1). If we want to connect 5902 user. We run command: vncviwer IP:2 (client 2).

So, we need to connect to 5904 port, which is client 4. We use following command:

vncviwer 10.10.10.84:4

Then, we login as root user, and got root.txt on Poison Box!

PoisonBoxRootTXT

Summary

This box is easy box, there is nothing hidden. Everything is just basic Security and Linux knowledge. The difficulty of this box is 4/10.

There are more HackTheBox Writeup.