0xEdward

Hack The Box - Poison User Walkthrough

Scope

Tools

Walkthrough

Let’s do a port scan to find if there are any services running.

nmap -sC -sV -oA nmap/initial 10.10.10.84 -vvv 

We found Apache 2.4.29 serving HTTP on port 80, so let’s check what is being served at 10.10.10.84:80.

If we put listfiles.php into the form and hit submit, we are greeted with some lovely information.

pwdbackup.txt looks like it might hold some credentials for us to use later. Since the server appears to output the contents of whatever file we pass through the file parameter to browse.php, let’s try setting the file parameter to pwdbackup.txt.
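The root cause on this box is that browse.php opens whatever path the client names. The following is an added example (not code from the box or from this writeup) that reproduces that pattern next to a hardened version, so the fix is clear. The web root, the allowlist and the in-memory stand-in for the filesystem are all constructed for the example.

```python
import posixpath

WEB_ROOT = "/var/www/html"  # assumed document root

# Constructed stand-in for the server filesystem so the example runs offline.
FAKE_FS = {
    "/var/www/html/listfiles.php": "<?php /* constructed placeholder */ ?>",
    "/var/www/html/pwdbackup.txt": "VGhpcyBpcyBhIGNvbnN0cnVjdGVkIHNhbXBsZQ==",
    "/etc/passwd": "root:*:0:0:Charlie &:/root:/bin/csh",
}

# Constructed allowlist of the only files browse.php is meant to show.
ALLOWED = {"listfiles.php", "phpinfo.php"}


def resolve(web_root, file_param):
    # posixpath.join discards web_root when file_param is absolute, and
    # normpath collapses "../" segments: both are how a local file
    # inclusion escapes the document root.
    return posixpath.normpath(posixpath.join(web_root, file_param))


def read_file_unsafe(file_param):
    """The pattern behind browse.php: serve whatever the client names."""
    return FAKE_FS.get(resolve(WEB_ROOT, file_param))


def read_file_hardened(file_param):
    """Only serve allowlisted names, and only if the resolved path is
    still inside the web root (defence in depth should the allowlist
    ever be loaded from a config file)."""
    if file_param not in ALLOWED:
        return None
    path = resolve(WEB_ROOT, file_param)
    if not path.startswith(WEB_ROOT + "/"):
        return None
    return FAKE_FS.get(path)
```

With the unsafe version both `/etc/passwd` and `../../../etc/passwd` resolve to the same file and get served; the hardened version returns nothing for either, and also refuses pwdbackup.txt because a backup of credentials has no business being reachable through the web root at all.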

The encoded text ends in an equals sign (=), which suggests base64 padding. Let’s keep running the string through a base64 decoder until we get something that makes sense.

I made a script that takes a base64 string and the number of times to decode it, and outputs the result after the final decoding:

#!/usr/bin/env python3
# Allows for repeated decoding of a base64 string

import argparse
import base64

def decode(encoded, times):
    """Decode `encoded` `times` times in a row and return the result as text."""
    for _ in range(times):
        # b64decode accepts str or bytes and, by default, discards stray
        # characters such as the newlines from a wrapped pwdbackup.txt
        encoded = base64.b64decode(encoded)
    return encoded.decode()

if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument('base64_string', type=str)
    parser.add_argument('num_times_to_decode', nargs='?', type=int, default=1)
    args = parser.parse_args()

    print(decode(args.base64_string, args.num_times_to_decode))

python decode.py "<base64 string from pwdbackup.txt>" 13

Charix!2#4%6&8(0

After decoding the string and feeding each result back into the decoder, 13 rounds in total, we get something that looks like a password: Charix!2#4%6&8(0.
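Guessing the number of layers by hand works, but it is easy to stop one round early or late. As an added example (not part of the writeup's script), the decoder below keeps peeling layers until the output is no longer valid base64 or no longer printable text, and reports how many layers it removed. The sample input is constructed by wrapping the recovered password three times; no values from the box are used.

```python
import base64
import binascii
import string

PRINTABLE = set(string.printable.encode())


def decode_until_plain(data):
    """Repeatedly base64-decode `data` until the result is not valid base64
    or not printable text. Returns (text, layers_removed)."""
    current = data.encode() if isinstance(data, str) else data
    layers = 0
    while True:
        candidate = b"".join(current.split())  # tolerate wrapped lines
        try:
            # validate=True rejects characters outside the base64 alphabet,
            # so a password such as "Charix!..." stops the loop cleanly.
            decoded = base64.b64decode(candidate, validate=True)
        except (binascii.Error, ValueError):
            break
        if not decoded or any(b not in PRINTABLE for b in decoded):
            break  # decoded to binary garbage: previous layer was the text
        current = decoded
        layers += 1
    return current.decode(), layers


def wrap(text, layers):
    """Constructed test input: base64-encode `text` `layers` times."""
    data = text.encode()
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode()


if __name__ == "__main__":
    sample = wrap("Charix!2#4%6&8(0", 3)  # constructed, not from the box
    print(decode_until_plain(sample))
```

The printable check is a heuristic: a short plaintext made only of base64 alphabet characters (for example "abcd") would be decoded one layer too far and rejected as garbage, so the function returns the previous layer in that case rather than raising.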

Now we just need to look for an account the password may belong to. Let’s see if we can use browse.php to output the /etc/passwd file.

Sure enough, browse.php outputs the contents of /etc/passwd. Since the password we found earlier is Charix!2#4%6&8(0, a natural guess is that it belongs to the account charix. We also see that charix’s login shell is csh, and since we found during recon that 10.10.10.84 had SSH open on port 22, let’s try to SSH in with the credentials we found.
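From the defender's side, every step so far leaves a trace in the Apache access log: the file parameter of browse.php carrying an absolute path, a traversal sequence, or the name of the credentials backup. As an added example (not from the box or the writeup), this parses combined-format access log lines and flags those requests. The log lines, the IPs and the timestamps are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed watchlist: names that should never appear in a file= parameter.
SENSITIVE = ("/etc/passwd", "pwdbackup")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample of an Apache combined access log.
SAMPLE_LOG = [
    '10.10.14.2 - - [10/Mar/2018:12:00:01 +0000] "GET /browse.php?file=listfiles.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.10.14.2 - - [10/Mar/2018:12:00:05 +0000] "GET /browse.php?file=pwdbackup.txt HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.10.14.2 - - [10/Mar/2018:12:00:09 +0000] "GET /browse.php?file=/etc/passwd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.10.14.2 - - [10/Mar/2018:12:00:12 +0000] "GET /browse.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048 "-" "curl/7.58.0"',
    '10.10.14.7 - - [10/Mar/2018:12:01:00 +0000] "GET /index.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]


def suspicious_file_param(target):
    """Return the decoded file= value if it leaves the web root or names a
    sensitive file, otherwise None."""
    parts = urlsplit(target)
    if not parts.path.endswith("browse.php"):
        return None
    for value in parse_qs(parts.query).get("file", []):
        value = unquote(value)  # parse_qs decoded once; catch double encoding too
        if value.startswith("/") or ".." in value or any(s in value for s in SENSITIVE):
            return value
    return None


def flag_requests(lines):
    """Yield (client_ip, decoded file parameter, status) for suspicious hits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        value = suspicious_file_param(m["target"])
        if value:
            hits.append((m["ip"], value, m["status"]))
    return hits


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged request is the important part: a traversal attempt that the server rejected is noise, whereas one that succeeded means the file was actually disclosed and the credentials in it should be treated as burned.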

ssh charix@10.10.10.84 -p 22

The credentials worked! Now if we cat user.txt, we get the flag for the user account on HTB.

Lessons