Let's do a port scan to find if there are any services running.
nmap -sC -sV -oA nmap/initial 10.10.10.84 -vvv
We found Apache 2.4.29 with http is running on port 80, so let's check what is being served at 10.10.10.84:80.
If we put listfiles.php into the form and hit submit, we are greeted with some lovely information.
pwdbackup.txt look like it might hold some credentials for us to use later. Since it appears the server is outputting the contents of whatever file we pass through file parameter to browse.php, let's try setting the file parameter to pwdbackup.txt.
The encoding contains an equal sign (=), which might indicate base64. Let's try putting the string through a base64 until we get something that makes sense.
After decoding the string and feeding the output back into the decoder 13 times, we get a string what might look like a password. I also made script that takes in a base64 string and number of times to recursively decode it and outputs the result after decoding.
Now we just need to look for an account the password may belong to. Let's see if we can use browse.php to output the /etc/passwd file.
Sure enough, browse.php outputs the contains of /etc/passwd. Since the password we found earlier is Charix!2#4%6&8(0, a natural guess would be that it belongs to the account Charix. We also see that the Charix has access to csh shell and since we found that 10.10.10.84 had ssh open on port 22 during recon, let's try to ssh in with the credentials we found.
ssh email@example.com -p 22
The credentials worked! Now if we
cat user.txt, we get the flag for the user account on HTB.
- Don’t store a password anywhere
- Restrict access to /etc/passwd
Here is a list of resources I used at some point while working on Poison: