Poison CTF Writeup

Writeup presented by Behind Security as part of the Road to OSCP series, focusing on the Poison CTF from HackTheBox.

Poison CTF

Poison CTF is a machine that focuses mainly on log poisoning and port forwarding/tunneling. The machine runs FreeBSD, which presents a few challenges for novice users, as many common binaries from other distros are not available.

HackTheBox

Hack The Box gives individuals, businesses and universities the tools they need to continuously improve their cybersecurity capabilities — all in one place.

Executive Summary

Introduction

This pentest report documents the security assessment conducted on the IP address 10.10.10.84. The assessment aimed to identify vulnerabilities that could be exploited to compromise the security of the target infrastructure.

Objective

The objective of this security assessment was to identify and exploit vulnerabilities in the target's infrastructure to evaluate existing security measures and provide recommendations to mitigate the identified risks.

Requirements

  • Identify vulnerabilities in the web application hosted at IP address 10.10.10.84.
  • Exploit critical and moderate vulnerabilities to assess potential exposure to attacks.
  • Evaluate the possibility of unauthorized access to systems and data.

High-Level Summary of Found Vulnerabilities

Web Server Enumeration

  1. Local File Inclusion (Elevated): Local files of the system could be included by abusing a flaw in browse.php. To mitigate this, implement input validation and sanitize user input in the browse.php script to prevent directory traversal attacks. Additionally, restrict file access to a specific directory and implement a whitelist of allowed files that can be accessed through the script.

  2. Sensitive Information Exposure (Elevated): A base64-encoded file (pwdbackup.txt) containing sensitive information was identified. To improve security, avoid storing sensitive information like passwords or credentials in plain text or base64 encoding. Use encryption and secure storage methods. Implement proper access controls to restrict access to sensitive files and directories.

Initial Access - Exposed SSH Credentials

  1. Exposed SSH Credentials (High): Credentials for the user "charix" were decoded, allowing unauthorized SSH access. To mitigate this, immediately change the passwords for user "charix."

Post Exploitation

  1. LPE to root (Local Privilege Escalation to root) (Extreme): Credentials for the root user's VNC session were discovered in /home/charix/secret.zip. A tool called vncpwd was used to decrypt the stored VNC password, enabling remote access to the system as root. To prevent this, use secure storage mechanisms and encryption for sensitive data, and review and restrict access to critical files like /home/charix/secret.zip.

Recommendations

  1. Implement input validation and sanitize user input in the browse.php script to prevent directory traversal attacks. Restrict file access to a specific directory and implement a whitelist of allowed files.
  2. Avoid storing sensitive information in plain text or base64 encoding. Use encryption and secure storage methods for sensitive data and implement proper access controls to restrict access to sensitive files and directories.
  3. Immediately change the passwords for user "charix" to prevent unauthorized SSH access.
  4. Securely store sensitive data such as VNC passwords using encryption. Review and restrict access to critical files to prevent unauthorized disclosure of sensitive information.

Methodology

The assessment involved service enumeration, web server enumeration, and post-exploitation activities. Vulnerabilities in local file inclusion, sensitive information exposure, exposed SSH credentials, and local privilege escalation to root were identified and exploited. Recommendations focus on improving security measures to mitigate the identified risks.

Color Legend

Console color legend:

Standard console text
Commands inputted by the pentester
Text that we want to highlight
{...} Abbreviated output for brevity

Risk Classification

Risk Classification from http://www.pentest-standard.org

Independent Challenge - 10.10.10.84

export IP=10.10.10.84

Service Enumeration

IP Address     Ports Open
10.10.10.84    TCP: 22, 80

Web Server Enumeration

Local File Inclusion

Vulnerability Explanation: Behind Security was able to include local files of the system by abusing a flaw in browse.php.

Vulnerability Fix:

  1. Input Validation: Implement input validation and sanitize user input in the browse.php script to prevent directory traversal attacks.
  2. File Whitelisting: Restrict file access to a specific directory and implement a whitelist of allowed files that can be accessed through the script.
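
One way to apply both fixes, as an added example that is not browse.php's actual source (the writeup does not show it): the function name, the allowlist entries and the demo directory are assumptions. A name is accepted only if it is on the allowlist and its canonical path stays inside the served directory.

```php
<?php
declare(strict_types=1);

// Assumed vulnerable pattern (browse.php's source is not shown in the writeup):
//     include($_GET['file']);
// Hardened lookup: returns the absolute path to serve, or null to refuse.
function resolve_requested_file(string $baseDir, array $allowed, string $requested): ?string
{
    // 1. Allowlist: only exact, known names are accepted.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // 2. Containment: canonicalise the path and confirm it is still under the
    //    base directory. This catches symlinks and allowlist mistakes.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// In the endpoint itself, send the file with readfile($path), never include():
// include() executes any PHP found in the file, readfile() only outputs bytes.

// Constructed demo: a throwaway directory stands in for the served folder.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'browse_demo_' . getmypid();
mkdir($base);
file_put_contents("$base/notes.txt", "demo\n");
@symlink('/etc/passwd', "$base/link.txt");      // allowlisted name escaping the base
$allowed = ['notes.txt', 'link.txt'];           // hypothetical allowlist

foreach (['notes.txt', '/etc/passwd', '../../etc/passwd', 'link.txt'] as $request) {
    $path = resolve_requested_file($base, $allowed, $request);
    printf("%-18s => %s\n", $request, $path === null ? 'refused' : "serve $path");
}

@unlink("$base/link.txt");
unlink("$base/notes.txt");
rmdir($base);
```

Only notes.txt is served; the absolute path and the traversal string fail the allowlist, and link.txt fails the containment check because it resolves outside the base directory.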

Severity: Elevated

Steps to Reproduce the Attack:

  1. Go to http://10.10.10.84/browse.php?file=/etc/passwd. You can change /etc/passwd for any file you want.
Include vulnerability
Reading /etc/passwd

Sensitive Information Exposure

Vulnerability Explanation: Behind Security was able to identify the presence of a base64-encoded file (pwdbackup.txt) containing sensitive information. Base64 is not a recommended way of storing sensitive information, as it can be easily decoded.

Vulnerability Fix:

  1. Secure Sensitive Information: Avoid storing sensitive information like passwords or credentials in plain text or base64 encoding. Use encryption and secure storage methods.
  2. Access Controls: Implement proper access controls to restrict access to sensitive files and directories.
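
The audit below is an added example, not part of the original writeup: it flags files in a directory whose contents decode through one or more base64 layers to readable text, which is the condition that made pwdbackup.txt recoverable. It generalizes to nested layers; the function names, thresholds and sample files are constructed for illustration.

```php
<?php
declare(strict_types=1);
// Peel nested base64 layers from one block of text. Returns the number of
// layers that decoded to printable text (0 means the block is not base64).
function count_base64_layers(string $block, int $maxLayers = 32): int
{
    $layers = 0;
    while ($layers < $maxLayers) {
        $candidate = preg_replace('/\s+/', '', $block); // wrapped lines, stray spaces
        if (strlen($candidate) < 16 || strlen($candidate) % 4 !== 0
            || !preg_match('/^[A-Za-z0-9+\/]+={0,2}$/', $candidate)) {
            break;
        }
        $decoded = base64_decode($candidate, true);
        if ($decoded === false || !preg_match('/^[\x20-\x7E\s]+$/', $decoded)) {
            break; // binary output: not text hidden behind an encoding
        }
        $block = $decoded;
        $layers++;
    }
    return $layers;
}

// Walk a directory and report files with a paragraph that decodes to text.
function audit_directory(string $dir): array
{
    $findings = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($files as $file) {
        if (!$file->isFile() || $file->getSize() > 1048576) { continue; }
        $text = (string) file_get_contents($file->getPathname());
        $layers = max(array_map('count_base64_layers', preg_split('/\R\s*\R/', $text)));
        if ($layers > 0) { $findings[$file->getPathname()] = $layers; }
    }
    return $findings; // path => number of layers; decoded text is never printed
}

// Constructed sample: a made-up secret wrapped in three base64 layers.
$dir = sys_get_temp_dir() . '/b64_audit_' . getmypid();
mkdir($dir);
$blob = 'Constructed-Secret!';
for ($i = 0; $i < 3; $i++) { $blob = chunk_split(base64_encode($blob), 20, "\n"); }
file_put_contents("$dir/backup.txt", "Header line.\n\n" . $blob);
file_put_contents("$dir/readme.txt", "Plain text, nothing encoded here.\n");
foreach (audit_directory($dir) as $path => $layers) {
    echo basename($path), ": decodes through $layers base64 layer(s)\n";
}
array_map('unlink', glob("$dir/*")); rmdir($dir);
```

Run against the sample directory, it reports backup.txt with three layers and leaves readme.txt unflagged.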

Severity: Elevated

Steps to Reproduce the Attack:

  1. Get the file at http://10.10.10.84/pwdbackup.txt
Using the listfiles script to discover the pwdbackup.txt file

Initial Access - Exposed SSH Credentials

Vulnerability Explanation: Behind Security decoded credentials for the user "charix" and was able to log in via SSH.

Vulnerability Fix:

  1. Change Passwords: Immediately change the passwords for user "charix".

Severity: High

Steps to Reproduce the Attack:

  1. Get the contents of http://10.10.10.84/pwdbackup.txt
  2. Remove the spaces and save the encoded content to a file (in this case, named "encoded.enc").
  3. Decode the file executing the bash script below.
  4. Use the decoded password to log in as "charix" via SSH: ssh charix@10.10.10.84 (the "charix" username can be validated by reading the /etc/passwd file and searching for users with access to csh. The entry looks like this: charix:/home/charix:/bin/csh).
Using vi to remove all spaces from the encoded text
Bash script to decode the text

Post Exploitation

LPE to root

Vulnerability Explanation: After analyzing the processes running on the machine, a VNC instance running as root stood out. Credentials for the root user's VNC session could be found when extracting the contents of /home/charix/secret.zip (the zip file is password protected, but that isn't a big deal as it is the same password we discovered for user "charix"). The use of a specific tool to decrypt the stored VNC password enables a remote attacker to log in as root via VNC, taking complete control over the system.

Vulnerability Fix:

  1. Password Storage: Use secure storage mechanisms and encryption for sensitive data.
  2. Access Controls: Review and restrict access to critical files like /home/charix/secret.zip.

Severity: Extreme

Steps to Reproduce the Attack:

  1. Download vncpwd to your local machine and compile it (cd vncpwd && make); we'll use it to decrypt the stored VNC password.
  2. Transfer /home/charix/secret.zip to your machine and unzip it. When prompted for a password, use the password for "charix" that we discovered before.
  3. Set up an SSH port forward using the credentials for user "charix": ssh -L 5901:localhost:5901 charix@10.10.10.84.
  4. Use ./vncpwd /path/to/vnc/stored/password to decrypt the VNC password.
  5. Use a tool like vncviewer to connect to the VNC server using the decrypted password. Note that we have port forwarding active via SSH, so localhost:5901 will be the server address.
Discovering the vnc process (linpeas.sh output)
Decrypting the vnc stored password
Connected to vnc as root!
Proof of Exploitation: REDACTED user.txt and root.txt

Conclusion

We hope you have found our content on Poison CTF useful and invite you to explore more of our website to discover other interesting topics we cover. From cybersecurity to programming, we strive to provide our readers with the latest and most relevant information that can help them stay informed and ahead of the curve. We are committed to providing the best user experience to you and are open to feedback and suggestions through our contact form. Thank you for choosing Behind Security, we hope to see you again soon! 
