HTB Write-up: Poison (Linux)

What I learned today/Review :

Nmap Scan Result:

Nmap scan report for
Host is up (0.11s latency).
Not shown: 998 closed tcp ports (conn-refused)
22/tcp open  ssh     OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey: 
|   2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
|   256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_  256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

Let's check out the http while running the go buster and nikto on it.

FreeBSD Poison 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017 amd64

Maybe we have to run scripts in this order to see the backup?

encoded 13 times...the format looks like it's in base 64 as I see the = sign

Decoded it for 13 times on the website and I got the password, I think..


I typed " ' " in the input field and it gave me this error

I think we can do directory traversal on it? Tried

user name Charlie

and pass is Charix!2#4%6&8(0

or just Charix! ?

I actually saw the account named charix, so I entered the long pass and got in!

I'm super happy that I got into the user without any help!!!

There's an zip file.


freebsd-version 11.1

Found a directory that lists all the commands we can perform on this machine.

Got stuck here.

From this point on, I watched the IPPsec's video:

Let's go back to the where we found server info.

Here, we should be looking for if the file_uploads are allowed, which we find out it is.

  • We can autally easily type /browse.php?file=/etc/passwd in burpsuite to get the password file

Since the uploaded is allowed, you can create a text file or anything by sending burp request(POST)

  • Change the request to POST /phpinfo.php

  • Add Content type: multipart/form-data; boundary-Anything

  • Content-Length: 171


Content-Disposition: form-data; name="Anything"; filename-"Unko"

Content-Type: text/plain

Some comment here


Use this script

this script uploads a file into the tmp folder before php server deletes itt.

Get the phplfi one and modify the script.

Erase the payload part and insert your own.

& adjust the request url (in this case, to browse.php?file=%s )

Run the listener,

After running it, I got the shell back

and I'm www. then find the user pass-> decode the password

Priv Esc

We need to find where we can see the apache log

look up "apache log freebsd" then we see that it's in /var/log/httpd-access.log

Now since the we found is password protected, we should downloaded with scp command.

scp .

SCP syntax:


unzip it and cat it

We cannot read it or we don't know what it is.

One thing I didn't do was to try getting a file through wget command ( I tried using python and nc but it was unsuccessful)

Got to download it but cannot execute even after I chmod +x it.

It was because it was trying to look up /bin/bash and couldn't locate it.

changed it to /bin/sh and executed it.

Couldn't find much.

netstat -an | grep LIST to see what's listening.

Executing ps aux, we see the unusual tightvnc

How can we log into it without killing out session?


~C will let us open a ssh session

if we type -D 1080, it will listen from the local, port 1080

We can verify this "netstat -anlp | grep 1080"

Configured firefox network using with both ports didn't help.

Edited the proxychains SOCKS 5 to 1080


proxychains curl http://

NEW: Manually setting up proxies

ssh -D 1080 -L6801: -L:6901: charix@

What's this?

Listen on kali on 6801, send it through ssh, at the other end of ssh, go to on port 5801

-D is an address binding, meaning that it's specifically pointing at the service.

  • By setting two variations, we can test both of them.


Now it's asking for pass. Remember the secret file?

Pass that file as -passwd argument and now we are in!

Last updated