Poison — HackTheBox Writeup

c1oud
Nov 10, 2019

NOTE: This machine is rated Medium and is similar to the OSCP machines according to https://www.reddit.com/r/oscp/comments/alf4nf/oscp_like_boxes_on_hack_the_box_credit_tj_null_on/

Let’s begin with our usual nmap scan of this box at 10.10.10.84:

nmap -sV -T4 -A -p- 10.10.10.84

If you would like to know what the nmap flags I’ve chosen do, then look back to my first blog post!

We’re presented with OpenSSH on port 22 and an Apache server on port 80 which is also notably running PHP.

Let’s run our web scans with Nikto and Dirbuster to see if there’s anything we can further work with:

I stopped my Nikto scan at this point because, while it was running, I decided to manually scope out the website. I found that web scans and directory enumeration were of no use and everything we needed was in front of us. Let’s move forward and view this together!

So we now see for ourselves why nmap told us the web server was utilising PHP. The ‘*.php’ entries are pre-made scripts that we can navigate to. The one that sticks out the most is ‘listfiles.php’; if we enter this in the text box as shown above, we find something valuable:

What’s this we have?

This seems to be disclosure of local files, aka LFI. We can navigate to 10.10.10.84/pwdbackup.txt and find a large piece of base64 encoded text, encoded exactly 13 times, as the note above the base64 mentions.

At this point, there were two simple ways to get a shell. We could decode this (which is the approach I took first), find a password and use it to log in to SSH by taking a very logical guess at the username, or, more reasonably, take advantage of the LFI and view /etc/passwd, OR we could do what the box name suggests and exploit the Apache Log Poison vulnerability :)

I’ll give a quick show of how this log poison method works and then we can proceed onto the exciting root aspect of this. Open up BurpSuite on your machine, proceed to the base URL and intercept the traffic and let’s start from there :

The way this method works is by altering the User-Agent string into malicious PHP code. The theory behind this is that the apache-access.log file escapes double quotes (“), but not single quotes (‘), and it does not escape or filter PHP tags. The PHP code therefore lands in the log intact, and it is executed when the log file is loaded through browse.php.

The next step would be to simply navigate to:

http://10.10.10.84/browse.php?file=/var/log/httpd-access.log&cmd=id

Lovely code execution. Use your imagination and you’ll have a reverse shell on your listener. Time to enumerate the system and get root access.
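Seen from the defending side, both halves of the log poisoning described above leave traces in the access log itself: a PHP tag in a logged header, and a request whose parameter points at a log file. The following is an added example, not part of the original writeup; the sample log lines are constructed and the finding names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" format. Quoted fields may contain \" because Apache
# escapes double quotes when writing the log, so allow backslash escapes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' (\d{3}) \S+ '
                  + QUOTED + ' ' + QUOTED)
PHP_TAG = re.compile(r'<\?(?:php|=|\s)', re.IGNORECASE)
LOG_PATH = re.compile(r'(?:^|/)var/log/|access[._-]?log', re.IGNORECASE)

# Constructed sample lines (documentation addresses, harmless PHP body).
SAMPLE = [
    r'192.0.2.10 - - [10/Nov/2019:12:00:01 +0000] "GET /index.php HTTP/1.1" '
    r'200 289 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    r'192.0.2.66 - - [10/Nov/2019:12:00:09 +0000] "GET / HTTP/1.1" '
    r'200 289 "-" "<?php echo \"constructed\"; ?>"',
    r'192.0.2.66 - - [10/Nov/2019:12:00:30 +0000] "GET /browse.php'
    r'?file=%2Fvar%2Flog%2Fhttpd-access.log&cmd=id HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

def analyse(lines):
    """Return (line_number, reason) for every suspicious log entry."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = LINE.match(line)
        if match is None:
            findings.append((number, "unparsed-line"))
            continue
        fields = {"request": match[2], "referer": match[4], "agent": match[5]}
        # PHP tags have no business in a request line or header value.
        for name, value in fields.items():
            if PHP_TAG.search(value):
                findings.append((number, "php-tag-in-" + name))
        # A parameter that resolves to a log file is the inclusion step.
        parts = fields["request"].split(" ")
        if len(parts) >= 2:
            query = urlsplit(parts[1]).query
            for key, value in parse_qsl(query, keep_blank_values=True):
                if LOG_PATH.search(value):  # parse_qsl already URL-decoded it
                    findings.append((number, "log-path-in-param:" + key))
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print(finding)
```

The two findings together (a PHP tag written into the log, then a request that loads that log through a file parameter) are what distinguish this technique from ordinary scanner noise.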

On the system shell as Charix, there are two files presented to us.

One is user.txt, and the other is secret.zip. We have issues with unzipping the .zip because we have a “csh”, which differs from the standard bash shell. It became a pain, and quite evident that unzipping in the user session wasn’t the correct method, so I chose this technique to get the file onto my Kali system:

Fantastic, now we’re able to unzip this file and see the contents.

Lovely. We’ve extracted something written in a language no human will ever be able to understand. Let’s avoid the rabbit hole of digging into this and trying to convert it to ASCII and move forward.

After doing some enumeration as the Charix user, nothing seemed to be sticking out as “PRIV ESC”. I remembered again how useful it was to check running processes, as it had slipped my mind, so after running some network commands I was returned this:

ps -aux | grep root

Some process called “Xvnc” is running as root. I knew this was something out of the ordinary so further investigations revealed more information. :1 was also bugging me as I had a gut feeling this was some process listening on a port but I knew it can’t be port “1”..

Yes! We’ve found this listening port service. Research on Xvnc revealed to me it was basically (in very simple terms) a GUI terminal. To me, this meant GUI terminal = root terminal prompt.

The :1 we saw earlier turned out to be Xvnc language for port 5901 or 5801.

I’ll skip a little bit and tell you that port 5901 is the real port we want to connect to. We can’t connect to the VNC from Charix, so this next step involves port forwarding, something I haven’t come across yet but which is vital to have in your arsenal of skills.

Let’s talk through some small theory and end this blog soon.

My understanding of port forwarding/SSH tunnelling, from my quick analysis, is that we’re setting up a sort of SSH tunnel to Charix@10.10.10.84 via root@rain (me) on the same port (5901) and on localhost. With the flags I’m going to use you’ll see why I’ve gathered these thoughts, and I’ll explain further:

Successful login! Keep this SSH tab session open (ignore the 3x wrong password inputs).

If you look at the command I’ve written, we’re setting up an SSH tunnel by listening on port 5901 on our localhost and we’re tunnelling through to charix@10.10.10.84, so if we open up a new tab and try to access the VNC on localhost:5901, it will act as if we’re trying to access the localhost on CHARIX’s machine. That’s my understanding. Let’s get root now!

Open a new tab and connect to the VNC with the following commands:

Rooted!

Remember the random non-human readable file we found under secret.zip? Specify that file after the -passwd flag and we can open up the VNC session!

This box was really fun in my opinion. I spent a good while falling into some rabbit holes, but I did learn about Log Poisoning and some other PHP vulnerabilities. There’s actually a vulnerability on phpinfo.php, as seen on one of the very first screenshots of the pages we can visit on port 80.

Thank you for taking your time out to read my second blog, I have more ideas for better layouts to make reading my blog nicer to look at and not a pain with no subheadings. I think my next blog will be on a much easier and shorter box and will release in the near future.
