Poison Box Writeup & Walkthrough – [HTB] – HackTheBox

This article shows how to hack the Poison box and get both user.txt and root.txt.

Poison is a machine on the HackTheBox Platform.

Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. It contains several challenges that are constantly updated.

This article shows how to hack the Poison box and get user.txt and root.txt.

First, we perfrom a scan to identify the open ports.

ScanPorts
Ports Scan

There are two ports open. One is HTTP service (80/TCP) and another is SSH service. (22/TCP). Then, let’s move to the HTTP service.

We open the browser, and navigate to Poison Box website.

Poison Website
Poison Website

It seems to have LFI security issue. Let’s try a basic test. We input a script name: listfiles.php

listfiles.php
listfiles.php

As we can see, it lists files. There is a special file (pwdbackup.txt)!

We then replace listfiles.php to pwdbackup.txt.

Pwdbackup File
Pwdbackup File

The password is encoded by base64. After decoded the password, we obtained the password:

Charix!2#4%6&8(0

Next, we need to obtain the username. We replace pwdbackup.txt to ../../../../etc/passwd.

Poison /etc/Passwd File
Poison /etc/Passwd File

Now, we know that the Poison box username is charix!

We are able to log in via ssh as charix, and obtain user.txt!

SSH Login
SSH Login

We list the current folder, and we find there is a file: secret.zip

Poison Secret File
Poison Secret File

We download the secret.zip file to our local Kali Linux and exact file by using same password. After unzipped the file, we use cat command to check the content of the secret file, it is unreadable.

Secret File Content
Secret File Content

Now, we need to figure out where we use the secret file. We check the current network connections by using netstat command.

Poison Netstat
Poison Netstat

Yay! We find there are two more open ports (5801, 5901) that are listening on local IP address. VNC service is usually listening on these ports. Therefore, the secret file probably is the VNC Password.

After decrypt the file, we obtained the VNC Password:

[email protected]$$!

We use port forward strategy to connect to the local VNC service.

First, we navigate to /tmp folder, and create a FIFO file. If you want to know what is FIFO file, you can read this link.

1
mkfifo fifo

Then, we forward the network traffic from local 5904 to local 5901.

1
cat /tmp/fifo | nc localhost 5901 | nc -l 5904 > /tmp/fifo
Port Forward
Port Forward

VNC has some features:

  1. VNC will open other ports if more than one user connect to the VNC. For example, if Charix connects to VNC service. The VNC service opens port 5802 and 5902 for Charix. Then, when Bob connects to VNC service, the VNC service opens port 5803 and 5903 for Bob…

  2. Port 5801 and 5901 usually is for root user connection.

  3. For connecting to VNC service, we can use vncviwer. If we want to connect to port 5901, we just run command: vncviwer IP:1 (client 1). If we want to connect to port 5902, we run command: vncviwer IP:2 (client 2).

In this case, we need to connect to port 5904 by executing the following command:

1
vncviwer 10.10.10.84:4

Then, we log in as root user, and got root.txt on the Poison Box!

Poison Root.txt
Poison Root.txt