Poison Box Writeup & Walkthrough – [HTB] – HackTheBox
This article shows how to hack the Poison box and get both user.txt and root.txt.
Poison is a machine on the HackTheBox Platform.
Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. It contains several challenges that are constantly updated.
This article shows how to hack the Poison box and get user.txt and root.txt.
First, we perfrom a scan to identify the open ports.
There are two ports open. One is HTTP service (80/TCP) and another is SSH service. (22/TCP). Then, let’s move to the HTTP service.
We open the browser, and navigate to Poison Box website.
It seems to have LFI security issue. Let’s try a basic test. We input a script name:
As we can see, it lists files. There is a special file (pwdbackup.txt)!
We then replace
The password is encoded by base64. After decoded the password, we obtained the password:
Next, we need to obtain the username. We replace pwdbackup.txt to
Now, we know that the Poison box username is
We are able to log in via ssh as charix, and obtain user.txt!
We list the current folder, and we find there is a file:
We download the secret.zip file to our local Kali Linux and exact file by using same password. After unzipped the file, we use
cat command to check the content of the secret file, it is unreadable.
Now, we need to figure out where we use the secret file. We check the current network connections by using
Yay! We find there are two more open ports (5801, 5901) that are listening on local IP address. VNC service is usually listening on these ports. Therefore, the secret file probably is the VNC Password.
After decrypt the file, we obtained the VNC Password:
We use port forward strategy to connect to the local VNC service.
First, we navigate to
/tmp folder, and create a FIFO file. If you want to know what is FIFO file, you can read this link.
Then, we forward the network traffic from local 5904 to local 5901.
VNC has some features:
VNC will open other ports if more than one user connect to the VNC. For example, if Charix connects to VNC service. The VNC service opens port 5802 and 5902 for Charix. Then, when Bob connects to VNC service, the VNC service opens port 5803 and 5903 for Bob…
Port 5801 and 5901 usually is for root user connection.
For connecting to VNC service, we can use
vncviwer. If we want to connect to port 5901, we just run command:
vncviwer IP:1(client 1). If we want to connect to port 5902, we run command:
vncviwer IP:2(client 2).
In this case, we need to connect to port 5904 by executing the following command:
Then, we log in as root user, and got root.txt on the Poison Box!