Edward Qiu

Computer Science Student

Hack The Box - Poison User Walkthrough

Scope

HTB Poison Scope

Tools

Walkthrough

Let's do a port scan to find if there are any services running.

nmap -sC -sV -oA nmap/initial 10.10.10.84 -vvv

HTB Poison nmap scan

We found Apache 2.4.29 serving HTTP on port 80, so let's check what is being served at 10.10.10.84:80.

HTB Poison - Landing web page

If we put listfiles.php into the form and hit submit, we are greeted with some lovely information.

HTB Poison - Landing web page

pwdbackup.txt looks like it might hold some credentials for us to use later. Since it appears the server outputs the contents of whatever file we pass through the file parameter to browse.php, let's try setting the file parameter to pwdbackup.txt.

HTB Poison - pwdbackup.txt

The encoded string ends with an equal sign (=), which hints at base64 padding. Let's try putting the string through a base64 decoder until we get something that makes sense.

After decoding the string and feeding the output back into the decoder 13 times, we get a string that looks like it could be a password. I also made a script that takes a base64 string and the number of times to recursively decode it, and outputs the result after decoding.

HTB Poison - decoded base64 pwdbackup
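As an added example (not the author's script), the layered decoding described above in Python: one function decodes a fixed number of layers, and a second peels layers until the output stops being valid base64, which is how you would find the depth without knowing it in advance. The sample blob is constructed here by wrapping the recovered password 13 times; the real pwdbackup.txt blob is not reproduced.

```python
import base64
import binascii
import string
import sys
from typing import Tuple

# Constructed sample: the password recovered on the box, base64-wrapped 13 times
# to mirror the layering in pwdbackup.txt (not the file's actual contents).
PASSWORD = "Charix!2#4%6&8(0"
LAYERS = 13


def encode_layers(plain: str, times: int) -> str:
    """Base64-encode `plain` repeatedly, `times` layers deep (only used to build the sample)."""
    data = plain.encode()
    for _ in range(times):
        data = base64.b64encode(data)
    return data.decode()


def decode_layers(blob: str, times: int) -> str:
    """Strip whitespace (pwdbackup.txt is line-wrapped) and decode exactly `times` layers."""
    data = "".join(blob.split()).encode()
    for _ in range(times):
        data = base64.b64decode(data, validate=True)
    return data.decode()


def decode_until_plain(blob: str, max_depth: int = 64) -> Tuple[str, int]:
    """Peel base64 layers until the result is no longer valid base64; return (text, depth).

    Stops on a non-alphabet character, bad padding, or non-printable output. The
    printable check is a heuristic: short plaintext made only of base64 characters
    could still be mistaken for one more layer, so sanity-check the result by hand.
    """
    data = "".join(blob.split()).encode()
    depth = 0
    while depth < max_depth:
        try:
            nxt = base64.b64decode(data, validate=True)
        except (binascii.Error, ValueError):
            break
        if not nxt or not all(chr(b) in string.printable for b in nxt):
            break
        data, depth = nxt, depth + 1
    return data.decode(errors="replace"), depth


SAMPLE = encode_layers(PASSWORD, LAYERS)

if __name__ == "__main__":
    # Usage: python3 peel.py [file] -> decodes the file (or the built-in sample) until plain text
    blob = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    text, depth = decode_until_plain(blob)
    print(f"peeled {depth} layers: {text}")
```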

Now we just need to look for an account the password may belong to. Let's see if we can use browse.php to output the /etc/passwd file.

HTB Poison - /etc/passwd

Sure enough, browse.php outputs the contents of /etc/passwd. Since the password we found earlier is Charix!2#4%6&8(0, a natural guess is that it belongs to the account charix. We also see that charix's login shell is csh, and since we found during recon that 10.10.10.84 had ssh open on port 22, let's try to ssh in with the credentials we found.

ssh charix@10.10.10.84 -p 22

HTB Poison - User SSH success

HTB Poison - Owned user charix

The credentials worked! Now if we cat user.txt, we get the flag for the user account on HTB.

Lessons

  • Don't store passwords in plaintext files on the server
  • Restrict access to /etc/passwd

Resources

Here is a list of resources I used at some point while working on Poison:
