Poison Box Writeup & Walkthrough – [HTB] – HackTheBox
![Poison Box Writeup & Walkthrough – [HTB] – HackTheBox](/poison-box-writeup-walkthrough-htb-hackthebox/featured-image.webp)
This article shows how to hack the Poison box and get both user.txt and root.txt.
Introduction
Poison is a machine on the HackTheBox Platform.
Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. It contains several challenges that are constantly updated.
Enumeration
First, we perform a scan to identify the open ports.

There are two open ports. One is the HTTP service (80/TCP) and the other is the SSH service (22/TCP). Let's move on to the HTTP service.
Hack Poison Box
Obtain User.txt
We open the browser and navigate to the Poison Box website.

It seems to have an LFI (local file inclusion) security issue. Let's try a basic test. We input a script name: listfiles.php

As we can see, it lists files. There is a special file (pwdbackup.txt)!
We then replace listfiles.php with pwdbackup.txt.

The password is base64-encoded. After decoding it, we obtain the password:
Charix!2#4%6&8(0
Next, we need to obtain the username. We replace pwdbackup.txt with ../../../../etc/passwd.

Now we know that the Poison box username is charix!
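The three requests above, seen from the defender's side, as an added example that is not part of the original article: a Python log check that decodes the file parameter, resolves it against the web root and flags values that leave the root or are not on an allow-list. The /view.php endpoint, the document root, the allow-list and the log lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

WEB_ROOT = "/usr/local/www/data"   # assumed document root, not taken from the article
ALLOWED = {"listfiles.php"}        # scripts the page is meant to include (assumed list)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')

# Constructed access-log lines; /view.php and the addresses are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /view.php?file=listfiles.php HTTP/1.1" 200 312',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /view.php?file=pwdbackup.txt HTTP/1.1" 200 1267',
    '198.51.100.7 - - [01/Jan/2024:10:02:00 +0000] "GET /view.php?file=../../../../etc/passwd HTTP/1.1" 200 1894',
    '198.51.100.7 - - [01/Jan/2024:10:03:00 +0000] "GET /view.php?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 0',
]

def fully_unquote(value, rounds=5):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(value):
    """Return why a decoded file= value is suspicious, or None if it is expected."""
    if "\x00" in value:
        return "null-byte"
    resolved = posixpath.normpath(posixpath.join(WEB_ROOT, value))
    if resolved != WEB_ROOT and not resolved.startswith(WEB_ROOT + "/"):
        return "outside-web-root"
    if posixpath.relpath(resolved, WEB_ROOT) not in ALLOWED:
        return "not-allow-listed"
    return None

def scan(log_lines, param="file"):
    """Return (client_ip, decoded_value, reason) for each suspicious request."""
    findings = []
    for line in log_lines:
        match = REQUEST.search(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group(1)).query)  # decodes one layer
        for raw in query.get(param, []):
            value = fully_unquote(raw)
            reason = classify(value)
            if reason:
                findings.append((line.split()[0], value, reason))
    return findings
```

The same resolve-then-compare check, applied inside the application before the file is included, is what closes the issue; the log scan only shows that it was probed.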
We are able to log in via SSH as charix and obtain user.txt!

Obtain Root.txt
We list the current folder and find a file: secret.zip

We download the secret.zip file to our local Kali Linux machine and extract it using the same password. After unzipping the file, we use the cat command to check the content of the secret file, but it is unreadable.

Now we need to figure out where the secret file is used. We check the current network connections with the netstat command.

Yay! We find two more open ports (5801, 5901) that are listening on the local IP address. The VNC service usually listens on these ports. Therefore, the secret file is probably the VNC password.
After decrypting the file, we obtain the VNC password:
VNCP@$$!
We use port forwarding to connect to the local VNC service.
First, we navigate to the /tmp folder and create a FIFO file. If you want to know what a FIFO file is, you can read this link.
Then, we forward the network traffic from local 5904 to local 5901.

VNC has some features:
- VNC will open other ports if more than one user connects to it. For example, if Charix connects to the VNC service, the service opens ports 5802 and 5902 for Charix. Then, when Bob connects, the service opens ports 5803 and 5903 for Bob, and so on.
- Ports 5801 and 5901 are usually for the root user's connection.
- To connect to the VNC service, we can use vncviewer. To connect to port 5901, we run the command vncviewer IP:1 (client 1). To connect to port 5902, we run the command vncviewer IP:2 (client 2).
In this case, we need to connect to port 5904 by executing the following command:
Then, we log in as the root user and get root.txt on the Poison Box!
