OSCP Notes

HTB Write-up: Poison (Linux)

What I learned today / Review:
Nmap Scan Result:
Nmap scan report for
Host is up (0.11s latency).
Not shown: 998 closed tcp ports (conn-refused)
22/tcp open ssh OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey:
| 2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
| 256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_ 256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open http Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd
Let's check out the HTTP service while running gobuster and nikto on it.
FreeBSD Poison 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017 [email protected]:/usr/obj/usr/src/sys/GENERIC amd64
Maybe we have to run scripts in this order to see the backup?
Encoded 13 times... the format looks like base64, as I see the = sign.
Decoded it 13 times on the website and I got the password, I think.
I typed " ' " in the input field and it gave me this error
I think we can do directory traversal on it? Tried
user name Charlie
and pass is Charix!2#4%6&8(0
or just Charix! ?
I actually saw the account named charix, so I entered the long pass and got in!
I'm super happy that I got into the user without any help!!!
There's a zip file.
freebsd-version 11.1
Found a directory that lists all the commands we can perform on this machine.
Got stuck here.
Let's go back to the where we found server info.
Here, we should check whether file_uploads is allowed, and we find out that it is.
  • We can actually easily type /browse.php?file=/etc/passwd in Burp Suite to get the password file
Since uploads are allowed, you can create a text file or anything by sending a Burp request (POST)
  • Change the request to POST /phpinfo.php
  • Add Content-Type: multipart/form-data; boundary=Anything
  • Content-Length: 171
Content-Disposition: form-data; name="Anything"; filename="Unko"
Content-Type: text/plain
Some comment here
This script uploads a file into the tmp folder before the PHP server deletes it.
Get the phplfi script and modify it.
Erase the payload part and insert your own,
and adjust the request URL (in this case, to browse.php?file=%s).
Run the listener.
After running it, I got the shell back
and I'm www. Then find the user password: decode the password.
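As an added defensive example (not part of these notes), here is a small Python detector that runs over constructed Apache httpd-access.log lines and flags the browse.php?file= LFI and the POST-to-phpinfo.php temp-file pattern described above; the sample lines, IPs and temp filename are made up.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache combined log format, as written to /var/log/httpd-access.log on FreeBSD.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# Constructed sample lines (not captured from the box) showing the LFI and
# phpinfo-upload pattern the write-up walks through.
SAMPLE_LOG = """\
10.10.14.5 - - [21/Jul/2017:02:10:01 +0000] "GET /browse.php?file=ini.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.5 - - [21/Jul/2017:02:10:09 +0000] "GET /browse.php?file=/etc/passwd HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
10.10.14.5 - - [21/Jul/2017:02:10:15 +0000] "GET /browse.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1834 "-" "curl/7.61.0"
10.10.14.5 - - [21/Jul/2017:02:11:00 +0000] "POST /phpinfo.php HTTP/1.1" 200 70412 "-" "python-requests/2.19.1"
10.10.14.5 - - [21/Jul/2017:02:11:00 +0000] "GET /browse.php?file=/tmp/phpAbC123 HTTP/1.1" 200 96 "-" "python-requests/2.19.1"
10.10.14.7 - - [21/Jul/2017:02:12:30 +0000] "GET /browse.php?file=info.php HTTP/1.1" 200 410 "-" "Mozilla/5.0"
"""

def classify(method, target):
    """Return a reason string if the request looks like LFI abuse, else None."""
    parts = urlsplit(target)
    if parts.path.endswith('/phpinfo.php') and method == 'POST':
        # phpinfo.php only needs GET; a POST with a body is the temp-file upload trick
        return 'POST to phpinfo.php (multipart temp-file upload)'
    if parts.path.endswith('/browse.php'):
        raw = parse_qs(parts.query).get('file', [''])[0]
        value = unquote(unquote(raw))          # undo double encoding too
        if value.startswith('/tmp/'):
            return 'browse.php include of /tmp/ (phpinfo race read)'
        if '..' in value.replace('\\', '/').split('/'):
            return 'directory traversal in file='
        if value.startswith('/'):
            return 'absolute path in file='
    return None

def analyze(log_text):
    """Parse each access-log line and collect the suspicious ones."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, ts, method, target, status = m.groups()
        reason = classify(method, target)
        if reason:
            hits.append({'src': src, 'time': ts, 'request': f'{method} {target}',
                         'status': int(status), 'reason': reason})
    return hits

if __name__ == '__main__':
    for h in analyze(SAMPLE_LOG):
        print(f"{h['time']} {h['src']} {h['reason']}: {h['request']} -> {h['status']}")
```

A 200 on an absolute or traversal file= value is the signal to act on; the same include of a /tmp/php* name right after a POST to phpinfo.php is the race the notes describe.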

Priv Esc

We need to find where we can see the Apache log.
Look up "apache log freebsd" and we see that it's in /var/log/httpd-access.log.
Now, since the secret.zip we found is password protected, we should download it with the scp command.
scp charix@IP:secret.zip .
SCP syntax:
Unzip it and cat it.
We cannot read it or we don't know what it is.
One thing I didn't do was try getting a file through the wget command (I tried using python and nc but it was unsuccessful).
Got to download it but couldn't execute it even after I chmod +x it.
It was because it was trying to look up /bin/bash and couldn't locate it.
Changed it to /bin/sh and executed it.
Couldn't find much.
netstat -an | grep LIST to see what's listening.
Executing ps aux, we see the unusual tightvnc
How can we log into it without killing our session?
~C will let us open an ssh command line in the existing session;
if we type -D 1080, it will listen locally on port 1080.
We can verify this "netstat -anlp | grep 1080"
Configuring the Firefox network settings with both ports didn't help.
Edited proxychains to use SOCKS5 on port 1080.
proxychains curl http://
NEW: Manually setting up proxies
ssh -D 1080 -L6801: -L:6901: [email protected]
What's this?
Listen on Kali on 6801, send it through ssh; at the other end of ssh, go to on port 5801.
-D is an address binding, meaning that it's specifically pointing at the service.
  • By setting two variations, we can test both of them.
Now it's asking for pass. Remember the secret file?
Pass that file as the -passwd argument and now we're in!