Valentine HackTheBox Walkthrough

1. Enumeration

Looks like I simply have to fill in the scriptname and it should read some files… Let’s try info.php

Oh. info.php is out… listfiles.php seems helpful for us. Let’s see what files they have for us to view.

Looks like a clue, and we have a pwdbackup.txt. Probably some form of password is stored there. Let’s try to open it via the scriptname parameter.

Ah.. indeed a password. Encoded 13 times, with a == at the end indicating base64 encoding. I guess we can decode it 13 times to see the output. Let’s write a Python script to do that for us and save it, just in case we need it again in future!

So here we made a script. In order to make it more modular, we simply let the user supply the input string to decode, and even specify the number of times he/she wants to decode it!

And we get our output after 13 loops!
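The decoder described above, written out as an added example (this is not the script from the original post): it peels one base64 layer per round up to a given count, tolerates line-wrapped input, and stops early if a layer is not valid base64, so the count acts as an upper bound rather than a hard requirement. The sample input is constructed here and is not the box’s pwdbackup.txt.

```python
import base64
import binascii

def decode_layers(data, max_rounds):
    """Peel base64 off `data` one layer per round, at most `max_rounds` times.

    Whitespace is dropped before each decode because base64(1) and similar
    tools wrap long output across lines. The loop also stops early if a layer
    is not valid base64 or does not decode to text, so over-estimating the
    count is harmless; under-estimating leaves layers on.
    Returns (text, layers_removed).
    """
    current = data
    removed = 0
    while removed < max_rounds:
        candidate = "".join(current.split())
        try:
            text = base64.b64decode(candidate, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            break
        if not all(ch.isprintable() or ch.isspace() for ch in text):
            break  # binary output: this layer was not base64-wrapped text
        current = text
        removed += 1
    return current, removed

def encode_layers(text, rounds, width=76):
    """Build sample input: wrap `text` in `rounds` layers of base64 and
    line-wrap the outermost layer at `width` columns, as base64(1) would."""
    current = text
    for _ in range(rounds):
        current = base64.b64encode(current.encode("ascii")).decode("ascii")
    return "\n".join(current[i:i + width] for i in range(0, len(current), width))

# Constructed sample, not the box's real file: a made-up password wrapped 13 times.
SAMPLE_PLAINTEXT = "Example!pass-word"
SAMPLE_FILE = encode_layers(SAMPLE_PLAINTEXT, 13)

if __name__ == "__main__":
    import sys
    # Usage: python3 decode_layers.py FILE ROUNDS  (defaults to the sample above)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            blob, rounds = fh.read(), int(sys.argv[2])
    else:
        blob, rounds = SAMPLE_FILE, 13
    text, removed = decode_layers(blob, rounds)
    print(f"removed {removed} layer(s): {text}")
```

If the final plaintext happens to be valid base64 itself, the early-stop check cannot tell, which is why the round count still matters.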

Now, I noticed we could read pwdbackup.txt, meaning an LFI vulnerability could be present. To test it, we try to read the /etc/passwd file, as we need a username to pair with the password we just obtained.

Ahh, LFI indeed works, and it looks like our target user is charix, since the password contains that name (or at least something similar to it).

2. Exploitation

To exploit it, we simply SSH into the machine as user charix using that password.

And it works!

And here we have user.txt

Since we are not root, we have to escalate our privileges.

3. Privilege Escalation

First, let’s try to unzip secret.zip to see its contents.

Oh it needs a passphrase, perhaps the password is the same?

Hmmm, “event not found”. Perhaps we need to unzip it on our host machine instead. Since we can SSH in, we can retrieve the file using scp.

Now we unzip it and it prompts for a password, and thankfully our reused password works.

And secret is just a bunch of characters… but we might need this file later, so we transfer it back to the box using wget.

No sudo -l. Let’s try linuxprivchecker.py. Not sure if Python scripts can run, since we could not use our favourite python -c ‘import ….’ trick to upgrade our shell.

Oh it works! Great!

Hmmm, nothing special in the linuxprivchecker output though.

Alright, after a few hours of enumerating, I decided to look at other walkthroughs to see how privilege escalation works here. According to the walkthroughs I have seen, the next step is to check the running processes, specifically looking for Xvnc, which is running as root.

This is reflected in the linuxprivchecker output as well, along with many other processes.

Using ps -aux, you will be able to see that Xvnc is running, with a long command line.

You can see that it is listening on TCP port 5901, and the way to get root is by tunneling from SSH to VNC:

https://0xdf.gitlab.io/2018/06/10/intro-to-ssh-tunneling.html

First, I used SSH local port forwarding to forward all connections from local port 5904 to Poison’s localhost port 5901.

Next, we simply use vncviewer. The first time I did it there was a password prompt. I tried charix’s password but it failed; then it hit me that the secret file we had earlier could be the password.

A new window pops up and we are root!

Well, from this machine I have learned about SSH tunneling, something I had not been exposed to before. So I will put the difficulty at 5/10 for root.txt. The user.txt was fairly easy though, probably 1/10 difficulty!

Till next box then! Cya!